Control Compliance Suite 11: Solaris 11 agent-less data collection fails: Couldn't agree a client-to-server cipher


Article ID: 157018


Products

Control Compliance Suite Exchange

Control Compliance Suite Unix

Control Compliance Suite Windows

Issue/Introduction

When targeting an agent-less Solaris 11 x64 asset, data collection fails with the error: Couldn't agree a client-to-server cipher.

Note: Agent and agent-less data collection from Oracle Solaris 11 assets is supported by the latest Symantec Control Compliance Suite 11 and 10.5.1 versions.

 

{Date Time},Unix Data Collector: query returned with message(s).,"{SOLARIS11_ASSET_HOST_NAME.EN_US}: Couldn't agree a client-to-server cipher (available: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour)",Error,{SOLARIS11_ASSET_HOST_NAME.EN_US}:{IP_ADDRESS.EN_US},UNIX Machine,,

 

Cause

The SSH handshake between CCS and the Solaris 11 system fails because the two sides cannot agree on a cipher.

By default, Solaris 11 supports only the following ciphers: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour.

CCS requires 3des-cbc.

 

Resolution

The current workaround is to add "3des-cbc" to the list of accepted ciphers in the Solaris 11 sshd configuration file.

 

Step 1. Add the following line to /etc/ssh/sshd_config (this adds 3des-cbc to the default ciphers):

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,3des-cbc
 

Step 2. Restart the sshd daemon on the Solaris system:

    svcadm restart ssh

At this point, CCS agent-less data collection will work.
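An idempotent form of Step 1, as an added example (not Symantec's or Oracle's code): it checks whether the active Ciphers line already accepts 3des-cbc and, when a Ciphers line already exists, extends that line instead of adding a second one. The function names and the `.bak` backup are choices made for this example, and a POSIX shell is assumed.

```shell
#!/bin/sh
# Added example (not vendor code): idempotent form of Step 1.
# DEFAULT_CIPHERS is the Solaris 11 default list quoted in this article.
DEFAULT_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour"

# Succeed if the first word of line $1 is the keyword Ciphers (any case).
is_ciphers_line() {
    set -f; set -- $1; set +f    # split into words without globbing
    case ${1:-} in
        [Cc][Ii][Pp][Hh][Ee][Rr][Ss]) return 0 ;;
    esac
    return 1
}

# Print the list on the first active (uncommented) Ciphers line of file $1.
active_ciphers() {
    while read -r key value rest || [ -n "$key" ]; do
        if is_ciphers_line "$key"; then printf '%s\n' "$value"; return 0; fi
    done < "$1"
    return 1
}

# Succeed if cipher $2 is a member of the comma-separated list $1.
has_cipher() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Make config file $1 accept cipher $2; prints unchanged, extended or added.
# A copy of the original is kept as $1.bak before any change.
ensure_cipher() {
    conf=$1; cipher=$2
    if current=$(active_ciphers "$conf"); then
        if has_cipher "$current" "$cipher"; then echo unchanged; return 0; fi
        cp -p "$conf" "$conf.bak" || return 1
        edited=0
        while IFS= read -r line || [ -n "$line" ]; do
            if [ "$edited" -eq 0 ] && is_ciphers_line "$line"; then
                line="Ciphers ${current:+$current,}$cipher"; edited=1
            fi
            printf '%s\n' "$line"
        done < "$conf.bak" > "$conf" || return 1
        echo extended
    else
        cp -p "$conf" "$conf.bak" || return 1
        printf 'Ciphers %s,%s\n' "$DEFAULT_CIPHERS" "$cipher" >> "$conf" || return 1
        echo added
    fi
}
```

Run it as root with `ensure_cipher /etc/ssh/sshd_config 3des-cbc`; the restart in Step 2 is needed only when it reports `extended` or `added`.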

 


Applies To

Symantec Control Compliance Suite 10.5.1

Symantec Control Compliance Suite 11 GA

Oracle Solaris 11 (both x64 and SPARC)