Configuration of weaker key exchange algorithms, ciphers, macs and host key algorithms in Aria Operations for Networks
search cancel

Configuration of weaker key exchange algorithms, ciphers, macs and host key algorithms in Aria Operations for Networks

book

Article ID: 324431

calendar_today

Updated On:

Products

VCF Operations for Networks

Issue/Introduction

In the Aria Operations for Networks GUI:

  1. Users are unable to add data sources with weaker SSH algorithms.

    Refer to screenshots below:

      

  2. Existing added data source has some collection issue due to either change in algorithm of the device or after upgrade as seen in below screenshot from GUI.



    Note:
    Above 2 Screenshot shows for physical device Arista Switch, however, this issue can happen with any other supported physical device when added as datasource in Aria Operations for Networks GUI


  3. From collector/proxy logs, Issue can be confirmed if it is because of  weaker SSH Key Exchange Algorithm:

        Check the collector logs present in collector VM, /home/ubuntu/logs/collector/latest.log by doing a grep for the keyword Algorithm negotiation fail

2022-11-14T05:19:29.181Z INFO vnera.common.LinuxCommandExecutor DataProviderManager::maintenance executeCommand:24 Running:[/usr/bin/iostat -dzx dm-6 2 2]
2022-11-14T05:19:29.745Z ERROR dataprovider.utils.ResultCodeUtils collector-process-msg-exec-16 getDPResultCode:704 Could not determine exact error code for: ARISTASWITCH
com.jcraft.jsch.JSchException: Algorithm negotiation fail
        at com.jcraft.jsch.Session.receive_kexinit(Session.java:593) _[jsch-0.1.58.jar:0.1.58]
        at com.jcraft.jsch.Session.connect(Session.java:323) _[jsch-0.1.58.jar:0.1.58]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity_SSHChannelWrapper.getSession(AbstractDPSSHConnectionEntity.java:363) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity_SSHChannelWrapper.access_000(AbstractDPSSHConnectionEntity.java:298) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity.getConnectionChannelWrapper(AbstractDPSSHConnectionEntity.java:167) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity.createUnderlyingConnection(AbstractDPSSHConnectionEntity.java:284) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity.createUnderlyingConnection(AbstractDPSSHConnectionEntity.java:57) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPConnectionEntity.<init>(AbstractDPConnectionEntity.java:70) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPConnectionEntity.<init>(AbstractDPConnectionEntity.java:51) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity.<init>(AbstractDPSSHConnectionEntity.java:86) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.impl.arista.eosswitch.southbound.AristaConnectionEntity.<init>(AristaConnectionEntity.java:21) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.DataProviderFactory.createConnectionEntity(DataProviderFactory.java:1099) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.DataProviderFactory.validateCredentials(DataProviderFactory.java:530) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.DataProviderFactory.validateCredentials(DataProviderFactory.java:389) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.collector.core.engine.SaasCommandProcessor.processMessage(SaasCommandProcessor.java:346) _[collector-0.001-SNAPSHOT.jar:_]
        at com.vnera.collector.core.saascommunication.SaasListener.lambda_receiveMessage_0(SaasListener.java:116) _[collector-0.001-SNAPSHOT.jar:_]
        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [_:_]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [_:_]
        at java.util.concurrent.ThreadPoolExecutor_Worker.run(ThreadPoolExecutor.java:628) [_:_]
        at java.lang.Thread.run(Thread.java:829) [_:_]
2022-11-14T05:19:29.746Z ERROR core.common.DataProviderFactory collector-process-msg-exec-16 validateCredentials:1015 Validation failed with: Error in connecting to: XX.XX.XX.XXX for: ARISTASWITCH Root Cause: com.jcraft.jsch.JSchException: Algorithm negotiation fail retErrorCode: FAILED
com.vnera.dataproviders.dsconnectionmanagement.exceptions.ConnectionStartException: Error in connecting to: XX.XX.XX.XXX
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity_SSHChannelWrapper.getSession(AbstractDPSSHConnectionEntity.java:368) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity_SSHChannelWrapper.access_000(AbstractDPSSHConnectionEntity.java:298) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity.getConnectionChannelWrapper(AbstractDPSSHConnectionEntity.java:167) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity.createUnderlyingConnection(AbstractDPSSHConnectionEntity.java:284) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity.createUnderlyingConnection(AbstractDPSSHConnectionEntity.java:57) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPConnectionEntity.<init>(AbstractDPConnectionEntity.java:70) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPConnectionEntity.<init>(AbstractDPConnectionEntity.java:51) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity.<init>(AbstractDPSSHConnectionEntity.java:86) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.impl.arista.eosswitch.southbound.AristaConnectionEntity.<init>(AristaConnectionEntity.java:21) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.DataProviderFactory.createConnectionEntity(DataProviderFactory.java:1099) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.DataProviderFactory.validateCredentials(DataProviderFactory.java:530) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.dataproviders.core.common.DataProviderFactory.validateCredentials(DataProviderFactory.java:389) _[dataproviders-0.001-SNAPSHOT.jar:_]
        at com.vnera.collector.core.engine.SaasCommandProcessor.processMessage(SaasCommandProcessor.java:346) _[collector-0.001-SNAPSHOT.jar:_]
        at com.vnera.collector.core.saascommunication.SaasListener.lambda_receiveMessage_0(SaasListener.java:116) _[collector-0.001-SNAPSHOT.jar:_]
        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [_:_]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [_:_]
        at java.util.concurrent.ThreadPoolExecutor_Worker.run(ThreadPoolExecutor.java:628) [_:_]
        at java.lang.Thread.run(Thread.java:829) [_:_]
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
        at com.jcraft.jsch.Session.receive_kexinit(Session.java:593) _[jsch-0.1.58.jar:0.1.58]
        at com.jcraft.jsch.Session.connect(Session.java:323) _[jsch-0.1.58.jar:0.1.58]
        at com.vnera.dataproviders.core.common.impl.dataprovider.southbound.AbstractDPSSHConnectionEntity_SSHChannelWrapper.getSession(AbstractDPSSHConnectionEntity.java:363) _[dataproviders-0.001-SNAPSHOT.jar:_]
        ... 17 more
2022-11-14T05:19:29.747Z WARN core.common.DataProviderFactory collector-process-msg-exec-16 validateCredentials:1031 Total time for validation in millis: 643 for: ARISTASWITCH

Note:

The preceding log excerpts are only examples. date, time, and environmental variables will vary depending on your environment.

This issue can happen with any supported physical device which has weaker key exchange algorithms, ciphers, macs and host key algorithms.

Environment

Aria Operations for Networks 6.13.0
Aria Operations for Networks 6.14.0
Aria Operations for Networks 6.14.1

Cause

Since Aria Operations for Networks 6.9 onwards, we have stronger SSH algorithms configured in the data sources. This upgraded library does not support weaker SSH key exchange algorithms, ciphers, macs and host key algorithms configured in the data source.

Resolution

To workaround this, the weaker  key exchange algorithms, ciphers, macs and host key algorithms must be supported.

Aria Operations for Networks collector appliance configuration can be configured to enable weak key exchange algorithms, ciphers, macs and host key algorithms and accept them.

In future the configuration support for SSH weaker algorithms will be removed.

For further assistance on the available workaround, please open a Broadcom Support case. For more information, see Creating and managing Broadcom support cases.

Additional Information

Please find the below list of Algorithms, Ciphers and MACS that are by default supported, can be configured and not supported.

Supported Algorithms

Supported Kex Algorithm

Supported Cipher

Supported MACS

Supported Host key

[email protected]
 curve25519-sha256
 ecdh-sha2-nistp256
 ecdh-sha2-nistp384
 ecdh-sha2-nistp521
 diffie-hellman-group-exchange-sha256
 diffie-hellman-group16-sha512
 diffie-hellman-group18-sha512
 diffie-hellman-group14-sha256

 aes128-ctr
 aes192-ctr
 aes256-ctr
 [email protected]
 [email protected]

 [email protected]
 [email protected]
 [email protected]
 hmac-sha2-256
 hmac-sha2-512
 hmac-sha1

ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
rsa-sha2-512
rsa-sha2-256
rsa-sha2-512
ssh-rsa


Configurable Algorithms                                                                                                            

Configurable Kex Algorithm

Configurable Cipher

Configurable MACS

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
3des-ctr
arcfour
arcfour128
arcfour256

hmac-md5
hmac-md5-96
hmac-sha1-96 

 
Unsupported Algorithms

Unsupported Ciphers

Unsupported Host Key
blowfish-ctr
blowfish-cdc		 ssh-dss


The configurable algorithms and unsupported algorithms are compiled based on the documentation below:

https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations-for-networks/6-14/vrealize-network-insight-ug-4-1-and-later-6-14/adding-a-data-source-in-vrealize-network-insight/supported-products-and-versions/encryption-algorithms-and-ciphers.html#GUID-02B7DC96-66A6-4CDF-9E3E-E25D4C0A8DEC-en

 

Powered by Wolken Software