RA_FTP agent fails with error "Algorithm negotiation fail"
search cancel

RA_FTP agent fails with error "Algorithm negotiation fail"

book

Article ID: 138591

calendar_today

Updated On:

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

RA_FTP SFTP agent jobs fail with error "Algorithm negotiation fail"

Error Message :
Algorithm negotiation fail
com.uc4.ftpjob.DataTransferException: Connection exception.
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:583)

or

java.lang.RuntimeException: java.lang.RuntimeException: com.jcraft.jsch.JSchException: Algorithm negotiation fail



Connecting to an FTP Server that only accepts diffie-hellman-group14-sha1 as the key exchange algorithm fails with the following errors.
 

Algorithm negotiation fail
com.uc4.ftpjob.DataTransferException: Connection exception.
at com.uc4.transfer.CITSFTPImpl.<init>(CITSFTPImpl.java:214)
at com.uc4.ftpjob.connections.ConnectionFactory$1.run(ConnectionFactory.java:61)
at java.lang.Thread.run(Unknown Source)
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:583)
at com.jcraft.jsch.Session.connect(Session.java:320)
at com.jcraft.jsch.Session.connect(Session.java:183)
at com.uc4.transfer.CITSFTPImpl.<init>(CITSFTPImpl.java:194)
... 2 more
 
Turning on tracing as per below:
  1. In the AWI, go to the Administration perspective
  2. Right-click the agent and choose "Advanced Options"
  3. Change ra to 9 and tcp/ip to 9 and click Apply
  4. Open the job definition in Process Assembly
  5. Go to the Rapid Automation tab and be sure that Write agent log to job report is checked; save the changes
  6. Run the job, reproducing the error
  7. Turn off agent traces by following steps 1 through 3, but changing the ra and tcp/ip settings to 0

shows something like this in the job report:

ciphers that are required on the server side in the job report:

2022-05-17 14:56:23             kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
2022-05-17 14:56:23             kex: server: ssh-rsa
2022-05-17 14:56:23             kex: server: aes256-ctr,aes256-cbc,arcfour256
2022-05-17 14:56:23             kex: server: aes256-ctr,aes256-cbc,arcfour256
2022-05-17 14:56:23             kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-96,hmac-sha256
2022-05-17 14:56:23             kex: server: hmac-sha256,hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-96

and which are available with the current setup on the RA FTP (client) side:
2022-05-17 14:56:23             kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
2022-05-17 14:56:23             kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2022-05-17 14:56:23             kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
2022-05-17 14:56:23             kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
2022-05-17 14:56:23             kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-05-17 14:56:23             kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-05-17 14:56:23             kex: client: [email protected],zlib,none
2022-05-17 14:56:23             kex: client: [email protected],zlib,none

Environment

Release : 3.X, 4.X

Component : RA FTP agent

Resolution

Make sure you have Java Cryptography Extension (JCE) installed in order for the agent to run. 

Link to Java Cryptography Extension (JCE): http://www.jcraft.com/jsch/

 

NOTE: all of the algorithms listed on the following page are supported: http://www.jcraft.com/jsch/

Additional Information

If Oracle Java 1.8 update 151 (8u151) or later is being used, JCE does not require a separate installation.
In this case, set the following Security property in the java.security file:
crypto.policy=unlimited

Download the Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle Java SE download page under Additional Resources.
Unzip the downloaded file.
Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security directory to overwrite the existing JARS.

Once this is done you can set the following Security property in the java.security file:
crypto.policy=unlimited