After updating sshd_config on Linux servers to accept only SHA-2 key exchange (kex) algorithms, Shared Account Manager (SAM) can no longer connect to them to rotate passwords. An error similar to the one below may occur.
SAM uses a third-party jar file to make SSH connections to devices. That library supports only SHA-1 kex algorithms.
Privileged Identity Manager 12.8, 12.9, 14.0
Because the limitation is in a third-party jar file, the SAM code cannot be modified to use SHA-2 algorithms. Ordinarily this would be addressed in a future release, but SAM has been declared end of life and will have no further releases. The solution is to migrate to Privileged Access Manager 4.0, which supports SHA-2 kex algorithms and integrates with PIM or PAMSC endpoints.
To keep SAM working until the migration to PAM, add diffie-hellman-group14-sha1 to the KexAlgorithms list in sshd_config. This lets SAM connect while keeping the set of SHA-1 algorithms the server accepts to a minimum: group14 uses a 2048-bit Diffie-Hellman group, so it is preferable to diffie-hellman-group1-sha1 (1024-bit) or diffie-hellman-group-exchange-sha1. Leave the SHA-2 algorithms first in the list so they are still preferred during negotiation, then restart sshd.
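The following POSIX shell script is an added example and is not part of the Broadcom article or the SAM product. It appends diffie-hellman-group14-sha1 to the existing KexAlgorithms line of an sshd_config (or adds the line if none exists), keeps a backup, and checks that no other SHA-1 kex algorithm is left enabled. The starting SHA-2 algorithm list, the sample configuration, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Broadcom's code): allow only diffie-hellman-group14-sha1
# alongside an existing SHA-2 KexAlgorithms list in sshd_config.

# Assumed SHA-2 list, used only when the file has no KexAlgorithms line yet.
SHA2_KEX="curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"

# The one SHA-1 algorithm SAM needs (2048-bit group, so preferable to group1).
SAM_KEX="diffie-hellman-group14-sha1"

# Print the value of the first active KexAlgorithms line (sshd honours the
# first occurrence of a keyword, so that is the one that matters).
current_kex() {
    grep -E '^[[:space:]]*KexAlgorithms[[:space:]]' "$1" | head -n 1 | awk '{print $2}'
}

# Append diffie-hellman-group14-sha1 to the end of the KexAlgorithms list so
# the SHA-2 algorithms stay preferred. Idempotent; writes <file>.bak first.
add_sam_kex() {
    cfg="$1"
    cur=$(current_kex "$cfg")
    if [ -n "$cur" ]; then
        case ",$cur," in
            *",$SAM_KEX,"*) new="$cur" ;;
            *) new="$cur,$SAM_KEX" ;;
        esac
        sed -i.bak -E "s|^([[:space:]]*KexAlgorithms[[:space:]]).*|\1$new|" "$cfg"
    else
        cp "$cfg" "$cfg.bak"
        printf 'KexAlgorithms %s,%s\n' "$SHA2_KEX" "$SAM_KEX" >> "$cfg"
    fi
}

# Return 0 only if group14-sha1 is enabled and the weaker SHA-1 kex
# algorithms (group1-sha1, group-exchange-sha1) are not.
check_sam_kex() {
    cur=$(current_kex "$1")
    case ",$cur," in
        *",$SAM_KEX,"*) ;;
        *) return 1 ;;
    esac
    case ",$cur," in
        *diffie-hellman-group1-sha1*|*diffie-hellman-group-exchange-sha1*) return 1 ;;
    esac
    return 0
}

# Write a constructed sshd_config (SHA-2 only, with a commented-out SHA-1
# line that must be ignored) to the given path, for demonstration.
make_sample_config() {
    cat > "$1" <<EOF
Port 22
# KexAlgorithms diffie-hellman-group1-sha1
KexAlgorithms $SHA2_KEX
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
EOF
}

# Demo on a temporary copy; point add_sam_kex at /etc/ssh/sshd_config for real use.
demo=$(mktemp)
make_sample_config "$demo"
add_sam_kex "$demo"
check_sam_kex "$demo" && echo "SAM kex workaround applied: $(current_kex "$demo")"
rm -f "$demo" "$demo.bak"
```

After running it against the real file, validate with `sshd -t`, confirm the effective list with `sshd -T | grep -i kexalgorithms`, and restart sshd. Because sshd uses the first KexAlgorithms line it finds, the script reads the first occurrence and rewrites every active occurrence to the same value.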
Shared Account Manager End Of Life Announcement: https://support.broadcom.com/external/content/product-advisories/End-of-Life-Announcement-for-CA-Shared-Account-Manager/18109
Documentation to Migrate From PIM or PAMSC to PAM 4.0: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0/pam-server-control/MIgrate-From-PIM-or-PAM-SC-to-PAM.html