SRM 4.7: Scheduled Report Remote Location SSH transfer fails with "Cannot negotiate, proposals do not match" error
Summary : The transfer of scheduled reports to remote hosts using SSH fails due to incompatible key exchange algorithms offered by the
SRM client and remote ssh server.
Detailed Article
Symptoms:
SRM may fail to transfer Scheduled Reports to Remote Locations using SSH. The relevant taskRun-0-0.log file shows the following error messages:
220201 10:29:13 : SEVERE: Error while sending file: SolutionPacks identified New_2022-02-01_10h29.pdf
220201 10:29:13 : org.apache.commons.vfs.FileSystemException: Could not resolve file "<given URL>".
(…)
220201 10:29:13 : Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
220201 10:29:13 : at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:92)
220201 10:29:13 : at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:230)
220201 10:29:13 : at com.trilead.ssh2.Connection.connect(Connection.java:743)
220201 10:29:13 : ... 32 more
220201 10:29:13 : Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
220201 10:29:13 : at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:413)
220201 10:29:13 : at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:754)
220201 10:29:13 : at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:469)
220201 10:29:13 : at java.lang.Thread.run(Thread.java:748)
The/var/log/messages log for the remote SSH server host shows corresponding messages indicating an inability to negotiate Key Exchange
(kex) methods with the client (such as SRM Report Scheduler):
2022-02-01T10:29:13.540127+00:00 srmsuitecsfe sshd[4549]: fatal: Unable to negotiate with xx.xx.xx.xx port yyyyy: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1 sha1 [preauth]
Cause:
The SRM SSH client as implemented uses a limited number of MAC and Key Exchange (kex) algorithms which are not compatible with the algorithms that are enabled by
default on recent SSH server implementations.
Resolution:
SRM Engineering is evaluating the requirements to address this issue in an upcoming product release. A workaround is available as described in this article.
Notes:
Apply the workaround only when the task log contains the above mentioned errors, i.e. "Key exchange was not finished, connection is closed" and "Cannot negotiate, proposals do not match". Do not apply the workaround in any other circumstances.
Apply the workaround on the receiving remote host only. Do not apply the workaround on the sending component, i.e. the SRM Frontend host. The only exception is where the SRM Frontend host itself is specified as the "remote" host. Only in this special case should the workaround be applied on the Frontend host.
The workaround is to enable older Key Exchange (kex) and MAC methods on the remote host's SSH server in order to accommodate the limited options that the SRM
client offers.
The following instructions apply to an OpenSSH 7.x server on Linux:
Edit the sshd config file /etc/ssh/sshd_config:
1. Ensure PasswordAuthentication is set to yes.
2. Add hmac-sha1-96 to the MACS section as follows:
# Lists the available MACs algorithms
# Edited to allow hmac-sha1-96 for use by SRM client
MACS hmac-sha1-96,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
3. Add diffie-hellman-group-exchange-sha1 to the kexalgorithms section as follows:
#Edited to allow diffie-hellman-group-exchange-sha1 for use by SRM client
kexalgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
4. Save the configuration file and restart the SSH daemon:
systemctl restart sshd
Consult the relevant documentation for different SSH servers and operating systems for details on how to enable the relevant MAC and Key Exchange (kex) algorithms (hmac-sha1-96 and diffi e-hellman-group-exchange-sha1) in order to allow connection from the SRM SSH client.
Affected Products
SRM
Related Articles
SRM 5.x :: How do I configure SRM to change authentication from LDAP to LDAPS
Summary: What are the steps to configure SRM to change the authentication from LDAP to LDAPS Detailed Article Instructions Below are the steps to configure SRM to change the authentication from LDAP to LDAPS over SSL port 636 1. Log in to the SRM ...SRM 6.0.0.0 | Automated Script to Copy MYSQL libraries to System Directories and Copy apg-services script file to systemd
Summary : This script will copy the required MySQL Libraries and apg-services script file to System directories for SRM/SMR Binary Linux ( RHEL and SUSE ) deployments . The script should be executed at SRM/SMR Pre-upgrade level. Steps to Execute the ...ViPR SRM Windows binary 5.x: Backend services may fail to start automatically
Summary: Backend services may fail to start automatically due to elongated start-up times of the MySQL service. Add the mysql service as a dependency to the APGBackendApg1 service to fix the issue. Detailed Article Symptoms: The Backend (apg) service ...SRM 6.0.0.0 | CIAM Environment Setup Configuration for Single sign-on (SSO)
Summary: Steps to generate a secret key and configure the CIAM server environment for Linux (vApp and Binary) and Windows Binary SRM deployments. Instructions Follow the steps below on the SRM Frontend CLI/PuTTY to configure and start the CIAM ...SRM 6.0.0.0 | Fresh vAPP - PowerCycle and Reboot
Issue Description: APG services remained in a stopped state after a power cycle or reboot of the VM. Summary: The APG service softlink was removed during the latest security updates. This caused the service to be set to a disabled state, preventing ...