- RSA Governance & Lifecycle 8.0.0 P03 and later
Clicking the Test Connector Settings button to test the connection for a RACF-SSH connector fails with the following error in the UI. A similar error is also logged in the connector log file.
Connection error: Unable to negotiate key exchange for server host key algorithms
(client: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512,
rsa-sha2-256, ssh-rsa / server: ssh-dss)
The RACF server that the RACF-SSH connector connects to is configured with algorithms deprecated in RSA Governance & Lifecycle.
As part of continued security improvements, RSA Governance & Lifecycle version 8.0.0 P03 includes an upgrade to cryptographic standards. As part of the upgrade, support for weaker algorithms has been removed. The following ciphers are no longer supported in RSA Governance & Lifecycle 8.0.0 P03 and later for RACF-SSH connectors:
- ssh-dss (DSA authentication)
- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
If the RACF-SSH server is configured to use weaker ciphers such as ssh-dss, authentication or key exchange will fail. The RACF server's SSH configuration must be updated to use stronger, supported ciphers. Please work with your RACF server's administrator to update the ciphers as recommended below.
Strong Ciphers Supported in RSA Governance & Lifecycle 8.0 P03 and later:
Customers should ensure that the RACF endpoint supports at least one of the following secure algorithms:
- rsa-sha2-512
- rsa-sha2-256
- ssh-ed25519
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
Recommended strong ciphers when using OpenSSH certificates:
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ecdsa-sha2-nistp521-cert-v01@openssh.com
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
- rsa-sha2-256-cert-v01@openssh.com
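The following is an added example, not RSA's code: a Python parser for the negotiation error shown above. It reports which algorithms the server offered that are on the removed list, and which of the supported algorithms the client offered, so the RACF administrator knows what to enable. The function name `diagnose` and the result field names are assumptions made for illustration.

```python
import re

# Algorithms the article lists as removed in 8.0.0 P03 and later.
REMOVED = {
    "ssh-dss", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
}
# Host key algorithms the article lists as supported (plain and certificate forms).
_BASE = ["rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519",
         "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"]
SUPPORTED = set(_BASE) | {b + "-cert-v01@openssh.com" for b in _BASE}

# Matches "... for <kind> (client: a, b / server: c, d)", also across line breaks.
NEGOTIATION_RE = re.compile(
    r"Unable to negotiate key exchange for (?P<kind>[^(]+?)\s*"
    r"\(client:(?P<client>.*?)/\s*server:(?P<server>.*?)\)", re.S)

def _algs(raw):
    """Split a comma- or whitespace-separated algorithm list into names."""
    return [a for a in re.split(r"[,\s]+", raw) if a]

def diagnose(log_text):
    """Summarise the first negotiation failure in log_text, or return None."""
    m = NEGOTIATION_RE.search(log_text)
    if m is None:
        return None
    client, server = _algs(m["client"]), _algs(m["server"])
    return {
        "kind": " ".join(m["kind"].split()),            # which list failed to match
        "common": [a for a in client if a in server],   # empty means no overlap
        "server_removed": [a for a in server if a in REMOVED],
        "enable_one_of": [a for a in client if a in SUPPORTED],
    }

# Error text copied from the article, line-wrapped as shown there.
SAMPLE = """Connection error: Unable to negotiate key exchange for server host key algorithms
(client: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512,
rsa-sha2-256, ssh-rsa / server: ssh-dss)"""

if __name__ == "__main__":
    result = diagnose(SAMPLE)
    print("Failed list:", result["kind"])
    print("Offered by server but removed:", result["server_removed"])
    print("Enable at least one of:", ", ".join(result["enable_one_of"]))
```

An empty `common` list confirms that the client and server share no algorithm, which is the condition that produces this error.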