SFTP Connection Failure : com.jcraft.jsch.JSchException: Algorithm negotiation fail

Hi All,

We are trying to connect to an SFTP server outside the firewall.
When we connect to the server using PuTTY, WinSCP, or FileZilla, we are able to log in to the server and see the files.
When we test the connection from the SFTP user alias in IS Admin, it gives the error below.

[ISS.0147.9011] Test of SFTP user alias TestUser1 failed. Details: Algorithm negotiation fail
Caused by: com.wm.app.b2b.server.sftp.client.SFTPClientException: [ISS.0147.9011] Test of SFTP user alias TestUser1 failed. Details: Algorithm negotiation fail
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail

I understand that the host key format is supported by the SFTP module. That's the reason we have also installed the below fix from SAG, but no luck.

SCG_9.6_TPL_Fix4

If you have come across the same issue and have a solution, please share it with us.

Thanks,
Renuka

Can you explore the SCG_9.6_TPL_Fix4 and provide the .jar file names?

Go to :\SoftwareAG\common\lib\ext, check for jsch.jar, and look at the jar version (from manifest.mf). Is it Implementation-Version: 0.1.51?

As per the fix it must be 0.1.53.

Also check that your JVM has the unrestricted policy files installed. Sometimes, lacking them will reduce the number of algorithms that can be used.

Thank you Mahesh & Tong Wong for your valuable inputs.

As per your suggestions, I have verified the points that you highlighted.

  1. Verified the manifest.mf for jsch.jar that was installed in the Common/ext folder, and it's 0.1.53
    Implementation-Version: 0.1.53

  2. The JVM has the unrestricted policy files installed

      E:\SoftwareAG\WEBM96\jvm\jvm\jre\lib\security\local_policy.jar
      E:\SoftwareAG\WEBM96\jvm\jvm\jre\lib\security\US_export_policy.jar
    

The SFTP host is using an rsa2 type algorithm for the host key. When the webMethods client tries to establish the connection for the very first time, it gives the error.

Not sure whether wM is able to support this RSA2 algorithm for the key (1024/2048). Here are the standard algorithms supported by WM.

  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSAMD5" />
  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSARIPEMD160" />
  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256" />
  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA384" />
  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA512" />
  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA1" />

  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-md5"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacMD5" />
  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacRIPEMD160" />
  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA256" />
  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA384" />
  <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"
                      JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA512" />

Thanks,
Renuka

Are you using any compression while connecting to the server?

Try connecting to remote-host SSH without compression. Pass -o "Compression no" to the ssh client to resolve the problem:

ssh -o "Compression no" -l krish remote-host

There are a couple of places that SSH clients and servers try and agree on a common implementation. Two I know of are encryption and compression. The server and client produce a list of available options and then the best available option in both lists is chosen.

Two things you could try are to increase the available encryption libraries on the server, install unrestricted policy files on your client, (make sure the message saying it is disabled goes away, those policy files are notoriously easy to install on the wrong JVM) from the Sun Java 6 download site, or try and disable encryption.
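
An added example (not part of the original posts) of the list matching described above: for each category the first algorithm on the client's list that the server also offers is chosen, and a category with no overlap fails the whole handshake, which JSch reports as "Algorithm negotiation fail". The algorithm lists are constructed, and the server that only offers compressed sessions is an assumption made to mirror this thread.

```python
# Added example: simplified SSH algorithm negotiation (RFC 4253, section 7.1).
# Every algorithm list here is constructed sample data, not a capture from
# the hosts in this thread.
CATEGORIES = ("kex", "server_host_key", "cipher", "mac", "compression")


def negotiate(client, server):
    """Return (agreed, failed): the algorithm chosen per category, and the
    categories with no common algorithm. The choice is the first name on the
    client's list that the server also offers; the extra kex/host-key
    compatibility rules of real implementations are left out."""
    agreed, failed = {}, []
    for cat in CATEGORIES:
        offered = set(server.get(cat, ()))
        choice = next((a for a in client.get(cat, ()) if a in offered), None)
        if choice is None:
            failed.append(cat)
        else:
            agreed[cat] = choice
    return agreed, failed


# Constructed server proposal that only accepts compressed sessions.
SERVER = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key": ["ssh-rsa"],
    "cipher": ["aes256-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
    "compression": ["zlib", "zlib@openssh.com"],
}
# Constructed client proposal with compression switched off.
CLIENT_PLAIN = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"],
    "server_host_key": ["ssh-rsa", "ssh-dss"],
    "cipher": ["aes128-ctr", "aes256-ctr", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-sha2-256"],
    "compression": ["none"],
}
# The same client once compression is enabled.
CLIENT_ZLIB = dict(CLIENT_PLAIN, compression=["zlib@openssh.com", "zlib", "none"])

if __name__ == "__main__":
    for label, client in (("plain", CLIENT_PLAIN), ("zlib", CLIENT_ZLIB)):
        agreed, failed = negotiate(client, SERVER)
        print(label, "no overlap in:", failed, "agreed:", agreed)
```

Comparing the two proposals category by category, for example from client debug logging, shows which list needs widening instead of guessing between host key, cipher and compression settings.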

Thank you Krishna, your input really helped us to resolve the issue.
Earlier we were not using compression. Now we enabled the compression and the connection started working.

You made my day…

Thank you so much.
Renuka

Glad to hear the issue is resolved.

HTH,
RMG

Krishna – I am interested in understanding more about ssh -o "Compression no".

Can you please share more details or any URL which highlights the above topic? Thanks for your insight on this.

Thanks,

Please check this URL: Getting started with SSH

Hello Renuka

I am also facing the same problem. Could you please tell me how and where you made the changes in wm for this?

Thanks
Anish

Could someone please brief me on the steps to configure the pub key type for SFTP?

I have tried with a private key but no luck. Below is the error.

[ISS.0147.9011] Test of SFTP user alias PrecedaUser1 failed. Details: Algorithm negotiation fail