SSH Weak Algorithms


Article ID: 96753




CA Performance Management - Usage and Administration


The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all. It has been detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.


CAPM 3.5 RHEL 7.3



Karaf 3.x and later appears to have an option in the file that controls which ciphers are allowed. Unfortunately, moving to a newer version of Karaf is a huge endeavor which we have not been able to do. It requires many 3rd party component updates.

The only way around this is to lock access to port 8501 on the DA and port 8601 on each DC to the local machine ONLY. Nobody needs access to these ports to run the app. They exist purely for debugging Karaf.


On the DA and each DC, edit the following file

Add this line:

Now re-scan and validate.
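A local check to run before the re-scan, added here as an example and not taken from the product or this article: it reads `ss -ltn` output and reports any listener on 8501 or 8601 that is not bound to a loopback address. The function name and the sample socket listings are constructed for illustration, and the check assumes the lock-down is done by binding the listener to loopback.

```shell
#!/bin/sh
# Added example (not product code): flag Karaf debug SSH listeners that are
# reachable from other hosts. Ports are from the article: 8501 (DA), 8601 (DC).
# Usage on a DA or DC host:  ss -ltn | exposed_karaf_ports

exposed_karaf_ports() {
    # Reads `ss -ltn` output on stdin, prints "<port> <local address>" for each
    # exposed listener, and returns 1 if any were found (0 otherwise).
    awk '
        $1 != "LISTEN" { next }                 # skip header and other rows
        {
            local_addr = $4
            n = split(local_addr, parts, ":")
            port = parts[n]                      # port follows the last colon
            if (port != "8501" && port != "8601") next
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            gsub(/\[|\]/, "", addr)              # strip IPv6 brackets
            sub(/^::ffff:/, "", addr)            # unwrap IPv4-mapped IPv6
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only: fine
            print port " " local_addr
            found = 1
        }
        END { exit found + 0 }
    '
}

# Constructed sample: listeners bound to all interfaces (before the change).
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     :::8501            :::*
LISTEN 0      50     *:8601             *:*
LISTEN 0      128    *:22               *:*'

# Constructed sample: listeners bound to loopback only (after the change).
SAMPLE_LOCKED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     ::ffff:127.0.0.1:8501 :::*
LISTEN 0      50     [::1]:8601         [::]:*
LISTEN 0      50     127.0.0.1:8601     0.0.0.0:*
LISTEN 0      128    *:22               *:*'

printf '%s\n' "$SAMPLE_EXPOSED" | exposed_karaf_ports || echo "exposed Karaf debug port(s) found"
printf '%s\n' "$SAMPLE_LOCKED" | exposed_karaf_ports && echo "Karaf debug ports are loopback-only"
```

If access is restricted with a host firewall rather than the listen address, this check still reports the listener, and the remote re-scan is the result to rely on.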


Note: These changes will be made by the upgrade in 21.2.2, and the setting ciphers=aes256-ctr,aes192-ctr,aes128-ctr will be updated.


Additional Information

Validated that it works on CAPM 3.5 on RedHat 7.4 (and 3.6 on RedHat 6.8).