
Encrypting cache in adclient

11 April 2019 at 11:50 AM

Some customers have asked how they can encrypt the adclient cache in their environment and what the implications of doing so are.

Enabling adclient cache encryption

To enable adclient cache encryption, edit the /etc/centrifydc/centrifydc.conf file and locate the following parameter:

adclient.cache.encryption.type

Add the encryption types you plan to use in your environment. If you enable this setting but do not list any encryption types, the parameter defaults to arcfour-hmac-md5. In other words, adclient reads the line as:

adclient.cache.encryption.type: arcfour-hmac-md5

If you want to use other encryption types in addition to arcfour-hmac-md5, such as aes256-cts or aes128-cts, make sure all of them are listed in the parameter, like this:

adclient.cache.encryption.type: arcfour-hmac-md5 aes256-cts aes128-cts

Note that the types are separated by spaces, not commas or semicolons.

If you do not want to use the arcfour-hmac-md5 encryption type at all, you must explicitly specify the type or types you want, like this:

adclient.cache.encryption.type: aes256-cts aes128-cts

Centrify supports all five encryption types listed in adclient.krb5.tkt.encryption.types:

arcfour-hmac-md5, des-cbc-md5, des-cbc-crc, aes256-cts and aes128-cts

We also support aes256-cts-hmac-sha1-96 and, if you are using FIPS mode, this encryption type is mandatory.

After changing this parameter, save the file and restart the centrifydc service for the change to take effect.

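As an added example (not Centrify's own tooling), the following POSIX shell script applies the procedure above to a configuration file: it checks that a proposed list of types is not empty, uses spaces rather than commas or semicolons as separators, and names only the types this article lists as supported, then replaces an existing adclient.cache.encryption.type line (commented out or not) or appends one. The file path and parameter name are the article's; the helper function names and the scratch-file demonstration are assumptions of the example, and restarting the centrifydc service is left as a placeholder comment.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling: validate a proposed list of
# adclient cache encryption types and write it into a centrifydc.conf file.
# Assumptions: the parameter name and the supported-type list come from the
# article; the function names are this example's own; the service restart is
# left to the operator (placeholder comment at the end).

# Encryption types the article names as supported, space-separated exactly as
# the parameter itself expects.
SUPPORTED="arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts aes256-cts-hmac-sha1-96"

# validate_types "<list>": succeed only if the list is non-empty, uses spaces
# (not commas or semicolons) as separators, and names only supported types.
validate_types() {
    list=$1
    case "$list" in
        *","*|*";"*)
            echo "separator error: use spaces, not commas or semicolons" >&2
            return 1 ;;
    esac
    if [ -z "$list" ]; then
        echo "empty list: adclient would fall back to arcfour-hmac-md5" >&2
        return 1
    fi
    for t in $list; do
        found=0
        for s in $SUPPORTED; do
            if [ "$t" = "$s" ]; then found=1; break; fi
        done
        if [ "$found" -ne 1 ]; then
            echo "unsupported encryption type: $t" >&2
            return 1
        fi
    done
    return 0
}

# set_cache_encryption <conf> "<list>": validate, then replace an existing
# (possibly commented-out) adclient.cache.encryption.type line or append one.
set_cache_encryption() {
    conf=$1
    list=$2
    validate_types "$list" || return 1
    if grep -q '^[[:space:]]*#*[[:space:]]*adclient\.cache\.encryption\.type' "$conf"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*#*[[:space:]]*adclient\.cache\.encryption\.type.*|adclient.cache.encryption.type: $list|" "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf 'adclient.cache.encryption.type: %s\n' "$list" >> "$conf"
    fi
}

# get_cache_encryption <conf>: print the effective value, or nothing if the
# parameter is absent or commented out.
get_cache_encryption() {
    sed -n 's/^[[:space:]]*adclient\.cache\.encryption\.type:[[:space:]]*//p' "$1" | tail -n 1
}

# Demonstration against a constructed scratch copy, never the live file.
DEMO_CONF=$(mktemp)
printf '# constructed sample centrifydc.conf\n# adclient.cache.encryption.type: arcfour-hmac-md5\n' > "$DEMO_CONF"
set_cache_encryption "$DEMO_CONF" "aes256-cts aes128-cts"
echo "effective value: $(get_cache_encryption "$DEMO_CONF")"
set_cache_encryption "$DEMO_CONF" "aes256-cts,aes128-cts" || echo "rejected the comma-separated list"
# Placeholder: restart the centrifydc service here, in whatever way your platform uses, so the change takes effect.
rm -f "$DEMO_CONF"
```

Run it against a copy of the file first; the script edits whichever path you pass, and the validation rejects the comma-separated form the article warns about before anything is written.
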
Things to consider before making the change

Please be aware of two things before encrypting the cache in adclient.

1) If the cache is encrypted, every operation that reads objects from or writes objects to the cache must decrypt or encrypt them, respectively. This makes the process slower and more CPU intensive and, unfortunately, does not add much security. Password hashes stored in the cache are already encrypted, so credentials are already protected in the cache. The only exposure this guards against is reading user information out of the cache, and the adquery user command returns that information anyway.

2) The cache is encrypted with a one-time key that is held only in adclient memory. If adclient crashes, the key is lost, and the next time adclient starts it must rebuild the cache completely with a new key. The same applies to every machine reboot or stop and restart of adclient: the cache is rebuilt from scratch, which can be time consuming, especially in a large environment.
