RA_FTP agent fails with error "Algorithm negotiation fail"
search cancel

RA_FTP agent fails with error "Algorithm negotiation fail"

book

Article ID: 138591

calendar_today

Updated On:

Products

CA Automic Workload Automation - Automation Engine CA Automic One Automation

Issue/Introduction

RA_FTP SFTP agent jobs fail with error "Algorithm negotiation fail"

Error Message :
Algorithm negotiation fail
com.uc4.ftpjob.DataTransferException: Connection exception.
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:583)

or

java.lang.RuntimeException: java.lang.RuntimeException: com.jcraft.jsch.JSchException: Algorithm negotiation fail



Connecting to an FTP Server that only accepts diffie-hellman-group14-sha1 as the key exchange algorithm fails with the following errors.
 

Algorithm negotiation fail
com.uc4.ftpjob.DataTransferException: Connection exception.
at com.uc4.transfer.CITSFTPImpl.<init>(CITSFTPImpl.java:214)
at com.uc4.ftpjob.connections.ConnectionFactory$1.run(ConnectionFactory.java:61)
at java.lang.Thread.run(Unknown Source)
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:583)
at com.jcraft.jsch.Session.connect(Session.java:320)
at com.jcraft.jsch.Session.connect(Session.java:183)
at com.uc4.transfer.CITSFTPImpl.<init>(CITSFTPImpl.java:194)
... 2 more
 
Turning on tracing as per below:
  1. In the AWI, go to the Administration perspective
  2. Right-click the agent and choose "Advanced Options"
  3. Change ra to 9 and tcp/ip to 9 and click Apply
  4. Open the job definition in Process Assembly
  5. Go to the Rapid Automation tab and be sure that Write agent log to job report is checked; save the changes
  6. Run the job, reproducing the error
  7. Turn off agent traces by following steps 1 through 3, but changing the ra and tcp/ip settings to 0

shows something like this in the job report:

ciphers that are required on the server side in the job report:

2022-05-17 14:56:23             kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
2022-05-17 14:56:23             kex: server: ssh-rsa
2022-05-17 14:56:23             kex: server: aes256-ctr,aes256-cbc,arcfour256
2022-05-17 14:56:23             kex: server: aes256-ctr,aes256-cbc,arcfour256
2022-05-17 14:56:23             kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-96,hmac-sha256
2022-05-17 14:56:23             kex: server: hmac-sha256,hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-96

and which are available with the current setup on the RA FTP (client) side:
2022-05-17 14:56:23             kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
2022-05-17 14:56:23             kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2022-05-17 14:56:23             kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
2022-05-17 14:56:23             kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
2022-05-17 14:56:23             kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-05-17 14:56:23             kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-05-17 14:56:23             kex: client: [email protected],zlib,none
2022-05-17 14:56:23             kex: client: [email protected],zlib,none

Environment

Release : 3.X, 4.X

Component : RA FTP agent

Resolution

If you are using the RA FTP agent (4.x), upgrade to the latest FTP Integration agent.  This agent will have the newest jsch that has been released with an FTP solution.

Make sure you have Java Cryptography Extension (JCE) installed in order for the agent to run. 

Link to Java Cryptography Extension (JCE): http://www.jcraft.com/jsch/

 

NOTE: all of the algorithms listed on the following page are supported: http://www.jcraft.com/jsch/

Additional Information

If Oracle Java 1.8 update 151 (8u151) or later is being used, JCE does not require a separate installation.
In this case, set the following Security property in the java.security file:
crypto.policy=unlimited

Download the Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle Java SE download page under Additional Resources.
Unzip the downloaded file.
Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security directory to overwrite the existing JARS.

Once this is done you can set the following Security property in the java.security file:
crypto.policy=unlimited

Powered by Wolken Software