- RSA Governance & Lifecycle 8.0.0 P03 and later
Clicking the Test Connector Settings button to test the connection for a RACF-SSH connector fails with the following error in the UI. A similar error is also logged in the connector log file.
Connection error: Unable to negotiate key exchange for server host key algorithms
(client: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512,
rsa-sha2-256, ssh-rsa / server: ssh-dss)
The RACF server that the RACF-SSH connector is connecting to is configured with algorithms deprecated in RSA Governance & Lifecycle.
As part of continued security improvements, RSA Governance & Lifecycle version 8.0.0 P03 includes an upgrade to cryptographic standards. As a result, support for weaker algorithms has been removed. The following host-key and key-exchange algorithms are no longer supported in RSA Governance & Lifecycle 8.0.0 P03 and later for RACF-SSH connectors:
- ssh-dss (DSA authentication)
- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
If the RACF-SSH server is configured to use only weaker algorithms such as ssh-dss, host-key authentication or key exchange will fail. The RACF server's SSH configuration must be updated to use stronger, supported algorithms. Please work with your RACF server's administrator to update the algorithms as recommended below.
Strong host-key algorithms supported in RSA Governance & Lifecycle 8.0 P03 and later:
Customers should ensure that the RACF endpoint supports at least one of the following secure host-key algorithms:
- rsa-sha2-512
- rsa-sha2-256
- ssh-ed25519
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
Recommended strong host-key algorithms when using OpenSSH certificates:
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ecdsa-sha2-nistp521-cert-v01@openssh.com
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
- rsa-sha2-256-cert-v01@openssh.com
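The error above already contains everything needed to see why negotiation failed: the client's offered host-key algorithms and the server's. The following added example (not part of this article or of the RSA connector code) parses that "(client: ... / server: ...)" clause, reports which server-side algorithms fall in the removed list, and checks whether the server offers any of the supported algorithms. The first sample message is the error text from this article; the second is a constructed message showing what the clause looks like once the RACF host also offers rsa-sha2-512 and rsa-sha2-256.

```python
import re

# Host-key / key-exchange algorithms this article lists as removed from
# RACF-SSH connectors in RSA Governance & Lifecycle 8.0.0 P03 and later.
REMOVED_ALGORITHMS = {
    "ssh-dss",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
}

# Host-key algorithms this article lists as supported (plain and certificate forms).
SUPPORTED_HOST_KEY_ALGORITHMS = {
    "rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
    "ssh-ed25519-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "rsa-sha2-256-cert-v01@openssh.com",
}

# Error text as shown in the article's UI / connector log.
SAMPLE_ERROR = """Connection error: Unable to negotiate key exchange for server host key algorithms
(client: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512,
rsa-sha2-256, ssh-rsa / server: ssh-dss)"""

# Constructed message: same client list, server now also offers RSA/SHA-2 host keys.
SAMPLE_AFTER_FIX = SAMPLE_ERROR.replace(
    "server: ssh-dss)", "server: ssh-dss, rsa-sha2-512, rsa-sha2-256, ssh-rsa)"
)

# Matches the "(client: ... / server: ...)" tail of the connector error text.
_NEGOTIATION_RE = re.compile(
    r"\(client:\s*(?P<client>.*?)\s*/\s*server:\s*(?P<server>.*?)\)", re.S
)


def _split_list(text):
    """Split a comma-separated algorithm list, tolerating wrapped lines."""
    return [a.strip() for a in text.split(",") if a.strip()]


def parse_negotiation_error(message):
    """Return (client_algorithms, server_algorithms) in the order each side advertised them."""
    match = _NEGOTIATION_RE.search(message)
    if match is None:
        raise ValueError("no '(client: ... / server: ...)' clause found in message")
    return _split_list(match.group("client")), _split_list(match.group("server"))


def diagnose(message):
    """Explain the failure: SSH selects the first client-preferred algorithm the
    server also offers, so no overlap means the connector cannot proceed."""
    client, server = parse_negotiation_error(message)
    server_set = set(server)
    common = [a for a in client if a in server_set]
    return {
        "negotiable": common[0] if common else None,
        "removed_on_server": sorted(server_set & REMOVED_ALGORITHMS),
        "server_lacks_supported": not (server_set & SUPPORTED_HOST_KEY_ALGORITHMS),
    }


if __name__ == "__main__":
    for label, msg in (("as logged", SAMPLE_ERROR), ("after server fix", SAMPLE_AFTER_FIX)):
        result = diagnose(msg)
        print(f"[{label}] negotiable host-key algorithm: {result['negotiable']}")
        print(f"[{label}] removed algorithms offered by server: {result['removed_on_server']}")
        print(f"[{label}] server offers no supported algorithm: {result['server_lacks_supported']}")
```

Running it shows that the logged message is unrecoverable on the connector side (no overlap, server offers only ssh-dss), while the constructed message negotiates rsa-sha2-512. On an OpenSSH-based server the relevant sshd_config directives are HostKeyAlgorithms and KexAlgorithms, and a non-DSA host key is generated with ssh-keygen (for example -t ed25519); consult the RACF host's SSH server documentation for the equivalent settings there.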