Enhanced Server-Side KCD Cipher Option
This article relates to LoadMaster firmware version 7.2.52.
In LoadMaster firmware version 7.2.52, a new option for server-side Kerberos Constrained Delegation (KCD) authentication improves the security of the LoadMaster's server-side KCD connections to meet evolving security policies.
In previous releases, KCD was configured to use RC4, DES, and DES3 ciphers for server connections; these ciphers could not be modified. With this release, you can now enable the Use AES 256 SHA1 KCD cipher option on the Virtual Services > Manage SSO User Interface (UI) page to specify that the RC4, DES, and DES3 ciphers be disabled for server-side KCD and that the aes256-cts-hmac-sha1-96 cipher be used instead. This is a global option and applies across all server-side SSO configurations.
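With RC4, DES, and DES3 disabled, the accounts used for delegation must be able to use aes256-cts-hmac-sha1-96 on the Kerberos side. The following pre-flight check is an added example, not part of the original article or any LoadMaster code. It assumes an Active Directory KDC and that the msDS-SupportedEncryptionTypes values of the relevant accounts have been exported; the account names and values are constructed.

```python
# Added example, not vendor code. Assumes an Active Directory KDC.
# Bit values of msDS-SupportedEncryptionTypes as defined in MS-KILE.
ETYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
REQUIRED = "aes256-cts-hmac-sha1-96"
LEGACY = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}

def decode_etypes(value):
    """Names of the ciphers set in the bitmask; higher flag bits are ignored."""
    return [name for bit, name in ETYPE_BITS.items() if value & bit]

def assess(value):
    """Classify one account for a client that offers only AES256.
    value: the attribute as an int, or None when it is not set."""
    if value is None or not (value & 0x1F):
        # No cipher bits: the KDC's domain default applies, check it separately.
        return "kdc-default"
    etypes = decode_etypes(value)
    if REQUIRED not in etypes:
        return "incompatible"
    if LEGACY.intersection(etypes):
        return "ok-legacy-enabled"
    return "ok"

def report(accounts):
    """Map account name -> verdict for a dict of exported attribute values."""
    return {name: assess(value) for name, value in accounts.items()}

# Constructed sample export (hypothetical account names and values).
SAMPLE = {
    "svc-web": 0x18,              # AES128 + AES256
    "svc-legacy": 0x04,           # RC4 only
    "svc-mixed": 0x1C,            # RC4 + AES128 + AES256
    "svc-unset": None,            # attribute not set
    "svc-flags": 0x10 | 0x80000,  # AES256 plus a non-cipher flag bit
}

if __name__ == "__main__":
    for name, verdict in report(SAMPLE).items():
        print(f"{name:12} {verdict}")
```

Accounts reported as incompatible need AES256 enabled before the option is turned on. Those reported as ok-legacy-enabled work with the option but still accept the older ciphers from other clients.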
Application Programming Interface (API) Details
A new parameter, kcdciphersha1, has been added to the API.
You can retrieve the current value of the parameter by running the get command:
You can configure the value of the parameter by running the set command:
0 - Disabled
1 - Enabled
For further details on the RESTful API in general, refer to the RESTful API Interface Description document.
For PowerShell help, run the Get-Help command for the relevant commands.