SFTP backup failure due to Inability to exchange SSH encryption keys between VCF Identity Broker and SFTP Server
Article ID: 440131

Products

VCF Operations

Issue/Introduction

  • VCF Identity Broker (vIDB) backup operations to an external SFTP server were failing during the VCF patching workflow. Backup attempts generated the following error:
    Performing synthetic ...
    LCMVMSP10035
    Error Code: LCMVMSP10035
    Synthetic checker on the application platform failed.
    Synthetic check failed. Please refer to Broadcom Knowledge Base Article https://knowledge.broadcom.com/external/article/389510 for remediation details.,"platform-package : 1 of 1 resources are not ok: vmsp-platform: wrong resource state: InProgress - failed to generate helmrelease for template synthetic-checker-vO.40.13-1: failed to unmarshal to helmrelease: error converting YAML to JSON: yaml: line 362: could not find expected '.'."
  • Further investigation identified that the SSH connection from the Identity Broker nodes could not negotiate a compatible MAC algorithm with the target SFTP server. As a result, secure SFTP connectivity could not be established, causing backup failures.

Environment

  • VCF Operations 9.0.x

Cause

  • The issue occurred because the SSH client configuration on the vIDB nodes did not support the hmac-sha2-256 MAC algorithm required by the SFTP server.
  • The SFTP server allowed only hmac-sha2-256, while the vIDB client offered only hmac-sha1 and [email protected], resulting in a MAC negotiation mismatch and connection failure.

Resolution

Note: Please secure a backup of the VCF Identity Broker component before performing any action.

To resolve the issue, add the required MAC algorithm on every vIDB node as follows:
  1. Establish an SSH session to the primary vIDB node using the vmware-system-user account.
  2. Switch to the root user:
    sudo su -
  3. Run the following command to add hmac-sha2-256 to the MAC algorithms in the SSH client configuration file:
    sed -i 's/MACs hmac-sha1, [email protected]/MACs hmac-sha2-256, hmac-sha1, [email protected]/g' /etc/ssh/ssh_config
  4. Repeat the same changes on all Identity Broker nodes.
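As an added example, not part of the KB article, the following POSIX shell function performs step 3 idempotently: it prepends hmac-sha2-256 to an existing MACs line (ssh_config(5) takes a comma-separated list), leaves the file untouched if the algorithm is already listed, and appends a MACs line if none exists. The sample config it is run against is constructed here; the second MAC name in it is a placeholder, since the page obfuscates the real one.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumes POSIX sh, sed, grep, mktemp.

# ensure_mac CONFIG ALGO
# Adds ALGO to the front of the "MACs" list in CONFIG unless already present.
# Prints the resulting MACs line so the caller can verify it.
ensure_mac() {
    cfg="$1"; algo="$2"
    # ERE matching ALGO as a whole list item (not as a prefix of a longer name,
    # e.g. hmac-sha2-256 must not match hmac-sha2-256-etm@openssh.com).
    item_re="(^|[[:space:],])${algo}([[:space:],]|\$)"
    macs_re="^[[:space:]]*MACs[[:space:]]"
    if grep -Eq "$macs_re" "$cfg"; then
        if ! grep -E "$macs_re" "$cfg" | grep -Eq "$item_re"; then
            # Write to a temp file and move it back, so this works without GNU sed -i.
            sed -E "s/^([[:space:]]*MACs[[:space:]]+)/\\1${algo},/" "$cfg" > "$cfg.tmp" \
                && mv "$cfg.tmp" "$cfg"
        fi
    else
        # No MACs directive at all: add one (OpenSSH then offers only ALGO).
        printf 'MACs %s\n' "$algo" >> "$cfg"
    fi
    grep -E "$macs_re" "$cfg" | tail -n 1
}

# Demo on a constructed config that mirrors the KB's description: the client
# offers hmac-sha1 plus one other MAC (placeholder name) but not hmac-sha2-256.
demo() {
    cfg=$(mktemp)
    printf 'Host *\n    MACs hmac-sha1,other-mac@placeholder.example\n' > "$cfg"
    ensure_mac "$cfg" hmac-sha2-256
    # Running it again is a no-op; the line is printed unchanged.
    ensure_mac "$cfg" hmac-sha2-256
    rm -f "$cfg"
}

# After editing the real /etc/ssh/ssh_config on a node, confirm what the client
# will actually offer to the SFTP server with:
#   ssh -G <sftp-server> | grep -i '^macs'   # effective MACs for that host
#   ssh -Q mac                                # MACs this OpenSSH build supports

[ "${1:-}" = "demo" ] && demo
```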