Old ciphers not restored in CA PAM 3.3.1 or 3.3.2 after hotfix 01

Article ID: 187865

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Hotfix 01 has been applied to CA PAM 3.3.1 or 3.3.2 (3.3.1.01 or 3.3.2.01 respectively) to manage old Cisco devices with no support for newer ciphers.

The instructions in the hotfix readme were followed:

  •  Clear the java caches (if connecting through the browser), or
  •  Restart the CA PAM Client and clear the client cache (if using this means to connect to CA PAM)

However, whenever trying to connect, the following error is still present:

Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256', peer: 'diffie-hellman-group14-sha1')

The error need not be exactly this one; any similar message implies that there is still a mismatch between the key exchange algorithms or ciphers offered by PAM and those supported by the remote device.
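To read such an error quickly, the following added helper (not part of the CA PAM hotfix or client; the sample message is constructed after the one quoted above) parses the "our"/"peer" lists, reports which peer-required algorithm the client still does not offer, and flags whether that algorithm is a legacy SHA-1 based method, so the residual exposure of re-enabling it is visible before doing so.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the error quoted in this article.
SAMPLE_ERROR = (
    "Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256', "
    "peer: 'diffie-hellman-group14-sha1')"
)

# Key exchange methods that rely on SHA-1; re-enabling them to reach old devices
# is a conscious trade-off, so they are reported separately.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

_PATTERN = re.compile(
    r"Couldn't agree on (?P<what>[\w ]+?) \(our: '(?P<ours>[^']*)', peer: '(?P<peer>[^']*)'\)"
)


@dataclass
class Mismatch:
    what: str          # e.g. "kex algorithm"
    ours: List[str]    # algorithms the PAM client offered, in its preference order
    peer: List[str]    # algorithms the remote device accepts

    def common(self) -> List[str]:
        # SSH picks the first entry of the client list the peer also supports.
        return [a for a in self.ours if a in self.peer]

    def missing_on_our_side(self) -> List[str]:
        return [a for a in self.peer if a not in self.ours]

    def legacy_required(self) -> List[str]:
        return [a for a in self.missing_on_our_side() if a in LEGACY_KEX]


def parse_mismatch(message: str) -> Optional[Mismatch]:
    """Return the parsed lists, or None if the message is not a negotiation error."""
    m = _PATTERN.search(message)
    if not m:
        return None
    split = lambda s: [a.strip() for a in s.split(",") if a.strip()]
    return Mismatch(m.group("what"), split(m.group("ours")), split(m.group("peer")))
```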

Cause

Even though clearing the Java cache or the CA PAM Client cache should suffice, sometimes this is not enough and the CA PAM Client needs to be reinstalled.

Environment

CA PAM 3.3.1 and 3.3.2

Resolution

  • Uninstall the client from the Control Panel (or remove it by the equivalent means on Mac or Linux) and make sure it is completely uninstalled.
  • Install it again by connecting to CA PAM using the browser and downloading it from the initial screen.