- RSA Governance & Lifecycle 8.0.0 P03 and later
Clicking on Test Connector Settings button to test the connection for a RACF-SSH connector fails with the following error on the UI. A similar error is also logged in the connector log file.
Connection error: Unable to negotiate key exchange for server host key algorithms
(client: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512,
rsa-sha2-256, ssh-rsa / server: ssh-dss)
The RACF server, that the RACF-SSH Connector is connecting to, is configured with algorithms deprecated in RSA Governance & Lifecycle.
As part of continued security improvements, RSA Governance & Lifecycle version 8.0.0 P03 includes an upgrade to cryptographic standards. As part of the upgrade, support for weaker algorithms has been removed. The following ciphers are no longer supported in RSA Governance & Lifecycle 8.0.0 P03 and later for RACF-SSH connectors:
- ssh-dss (DSA authentication)
- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
If the RACF-SSH server is configured to use weaker ciphers such as ssh-dss, authentication or key exchange will fail. The RACF server's SSH configuration must be updated to use stronger, supported ciphers. Please work with your RACF server's administrator to update the ciphers as recommended below.
Strong Ciphers Supported in RSA Governance & Lifecycle 8.0 P03 and later:
Customers should ensure that the RACF endpoint supports at least one of the following secure algorithms:
- rsa-sha2-512
- rsa-sha2-256
- ssh-ed25519
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
Recommended strong ciphers when using OpenSSH certificates:
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ecdsa-sha2-nistp521-cert-v01@openssh.com
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
- rsa-sha2-256-cert-v01@openssh.com
Related Articles
How to retrieve content files - Client Number of Views RSA Governance & Lifecycle Exchange SSH Connector Datasheet Number of Views RSA Governance & Lifecycle Exchange 2013 Connector Datasheet Number of Views RSA Governance & Lifecycle Exchange 2007 Connector Datasheet Number of Views Microsoft Exchange Management Console/PowerShell error with RSA Authentication Agent 8.0 for Web for IIS Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.9 Release Notes (January 2026) An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
