RA_FTP agent fails with error "Algorithm negotiation fail"
Article ID: 138591
Updated On:
Products
Issue/Introduction
RA_FTP SFTP agent jobs fail with error "Algorithm negotiation fail"
Error Message :
Algorithm negotiation fail
com.uc4.ftpjob.DataTransferException: Connection exception.
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:583)
or
java.lang.RuntimeException: java.lang.RuntimeException: com.jcraft.jsch.JSchException: Algorithm negotiation fail
Connecting to an FTP Server that only accepts diffie-hellman-group14-sha1 as the key exchange algorithm fails with the following errors.
com.uc4.ftpjob.DataTransferException: Connection exception.
at com.uc4.transfer.CITSFTPImpl.<init>(CITSFTPImpl.java:214)
at com.uc4.ftpjob.connections.ConnectionFactory$1.run(ConnectionFactory.java:61)
at java.lang.Thread.run(Unknown Source)
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:583)
at com.jcraft.jsch.Session.connect(Session.java:320)
at com.jcraft.jsch.Session.connect(Session.java:183)
at com.uc4.transfer.CITSFTPImpl.<init>(CITSFTPImpl.java:194)
... 2 more
- In the AWI, go to the Administration perspective
- Right-click the agent and choose "Advanced Options"
- Change ra to 9 and tcp/ip to 9 and click Apply
- Open the job definition in Process Assembly
- Go to the Rapid Automation tab and be sure that Write agent log to job report is checked; save the changes
- Run the job, reproducing the error
- Turn off agent traces by following steps 1 through 3, but changing the ra and tcp/ip settings to 0
shows something like this in the job report:
ciphers that are required on the server side in the job report:
2022-05-17 14:56:23 kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
2022-05-17 14:56:23 kex: server: ssh-rsa
2022-05-17 14:56:23 kex: server: aes256-ctr,aes256-cbc,arcfour256
2022-05-17 14:56:23 kex: server: aes256-ctr,aes256-cbc,arcfour256
2022-05-17 14:56:23 kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-96,hmac-sha256
2022-05-17 14:56:23 kex: server: hmac-sha256,hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-96
and which are available with the current setup on the RA FTP (client) side:
2022-05-17 14:56:23 kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
2022-05-17 14:56:23 kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2022-05-17 14:56:23 kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
2022-05-17 14:56:23 kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
2022-05-17 14:56:23 kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-05-17 14:56:23 kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-05-17 14:56:23 kex: client: [email protected],zlib,none
2022-05-17 14:56:23 kex: client: [email protected],zlib,none
Environment
Release : 3.X, 4.X
Component : RA FTP agent
Resolution
Make sure you have Java Cryptography Extension (JCE) installed in order for the agent to run.
Link to Java Cryptography Extension (JCE): http://www.jcraft.com/jsch/
NOTE: all of the algorithms listed on the following page are supported: http://www.jcraft.com/jsch/
Additional Information
If Oracle Java 1.8 update 151 (8u151) or later is being used, JCE does not require a separate installation.
In this case, set the following Security property in the java.security file:
crypto.policy=unlimited
Download the Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle Java SE download page under Additional Resources.
Unzip the downloaded file.
Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security directory to overwrite the existing JARS.
Once this is done you can set the following Security property in the java.security file:
crypto.policy=unlimited
Feedback
