WA SFTP/SCP JOBS Fails with error "no common elements found"

book

Article ID: 37600

calendar_today

Updated On:

Products

DSERIES- SERVER CA Workload Automation DE - System Agent (dSeries)

Issue/Introduction

SFTP job fails after enabling strong encryption or disabling key exchange algorithm diffie-hellman-group1-sha1 in sshd_config file. When the sshd server is configured to restrict diffie-hellman-group1-sha1 key exchange algorithm, SFTP jobs fail with the following message:

java.util.NoSuchElementException: no common elements found

Users may also see the following error messages:

XX/XX/2020 00:00:12.345-0300 5 FtpPlugin.SCP Transfer thread for SFTP_TEST/APPL.1/MAIN.StreamEncoder.implFlush[:297] - XX.XX.2020 00:00:12 [WARNING] Operation error.
com.jscape.inet.ssh.protocol.v2.marshaling.algorithms.Algorithms$CommonAlgorithmsNotFoundException: Common algorithms not found.
at com.jscape.inet.ssh.protocol.v2.marshaling.algorithms.Algorithms.a(Unknown Source)
at com.jscape.inet.ssh.protocol.v2.marshaling.algorithms.Algorithms.algorithmsFor(Unknown Source)
at com.jscape.inet.ssh.protocol.v2.marshaling.Session.initAlgorithms(Unknown Source)
at com.jscape.inet.ssh.protocol.v2.transport.TransportConnection.handle(Unknown Source)
......

 

Cause

Upgrade to WA Agent to 11.5 or R12 version.

It is recommended to enable/add the following parameter in the agentparm.txt.  This will provide additional debug information for all SCP and SFTP key exchange communications between agent and remote SSH server.

ftp.scp.debug.enable=true

Restart agent.  When an SCP/SFTP job is executed by the WA Agent, a new log "ftp_scp_debug.log" will appear in log directory.

Environment

Release:  11.3-Workload Automation-Agent
OS: Any

Resolution

Upgrade the agent to version 11.4 or above which now supports the new ciphers and MACs.  See this link for more details.

To specify specific ciphers and MACs, modify the following agentparm.txt values:

security.ssh.ciphers=<list of ciphers to use>

security.ssh.macs=<list of MACs to use>


Note: In some rare cases the remote server may be expecting OpenSSH ciphers.  These are not supported by the WA Agent.

See this external link for more details on OpenSSH ciphers.  Broadcom is not responsible for the content in the external link.

Additional Information

Note: For encryption higher than 128-bits you must modify the JRE to use the JCE Unlimited Strength Jurisdiction Policy Files. Obtain the Jurisdiction Policy Files from the following providers:

Oracle Java
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

IBM Java
https://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.71.doc/security-component/sdkpolicyfiles.html

HP Java
Per HP documentation, obtain the files from Oracle. See the HP-UX Programmer's Guide for Java 2 for more information:
http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c02697864&lang=en-us&cc=us