Old ciphers not restored in CA PAM 3.3.1 or 3.3.2 after hotfix 01
Article ID: 187865
Updated On:
Products
CA Privileged Access Manager (PAM)
Issue/Introduction
Hotfix 01 has been applied to CA PAM 3.3.1 or 3.3.2 (3.3.1.01 or 3.3.2.01 respectively) to manage old Cisco devices with no support for newer ciphers.
The instructions in the hotfix readme were followed:
However, whenever trying to connect they the following error is still present
Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistpEven256,diffie-hellman-group-exchange-sha256', peer: 'diffie-hellman-group14-sha1')
It need not be exactly this one, but another implying there is still a mismatch in ciphers/kex algorithms supported by PAM and the remote device
The instructions in the hotfix readme were followed:
- Clear the java caches (if connecting through the browser), or
- Restart the CA PAM Client and clear the client cache (if using this means to connect to CA PAM)
However, whenever trying to connect they the following error is still present
Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistpEven256,diffie-hellman-group-exchange-sha256', peer: 'diffie-hellman-group14-sha1')
It need not be exactly this one, but another implying there is still a mismatch in ciphers/kex algorithms supported by PAM and the remote device
Environment
CA PAM 3.3.1 and 3.3.2
Cause
Even though clearing the java cache or the CA PAM Client cache should suffice, sometimes this is not enough and the CA PAM client needs to be reinstalled
Resolution
- Uninstall the client from the Control Panel (or delete it accordingly if working in Mac or Linux) and make sure it is completely uninstalled
- Install it back by connecting to CA PAM using the browser and downloading it in the initial screen.
Feedback
Yes
No
Powered by
