- RSA Governance & Lifecycle 8.0.0 P03 and later
Clicking on Test Connector Settings button to test the connection for a RACF-SSH connector fails with the following error on the UI. A similar error is also logged in the connector log file.
Connection error: Unable to negotiate key exchange for server host key algorithms
(client: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512,
rsa-sha2-256, ssh-rsa / server: ssh-dss)
The RACF server, that the RACF-SSH Connector is connecting to, is configured with algorithms deprecated in RSA Governance & Lifecycle.
As part of continued security improvements, RSA Governance & Lifecycle version 8.0.0 P03 includes an upgrade to cryptographic standards. As part of the upgrade, support for weaker algorithms has been removed. The following ciphers are no longer supported in RSA Governance & Lifecycle 8.0.0 P03 and later for RACF-SSH connectors:
- ssh-dss (DSA authentication)
- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
If the RACF-SSH server is configured to use weaker ciphers such as ssh-dss, authentication or key exchange will fail. The RACF server's SSH configuration must be updated to use stronger, supported ciphers. Please work with your RACF server's administrator to update the ciphers as recommended below.
Strong Ciphers Supported in RSA Governance & Lifecycle 8.0 P03 and later:
Customers should ensure that the RACF endpoint supports at least one of the following secure algorithms:
- rsa-sha2-512
- rsa-sha2-256
- ssh-ed25519
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
Recommended strong ciphers when using OpenSSH certificates:
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ecdsa-sha2-nistp521-cert-v01@openssh.com
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
- rsa-sha2-256-cert-v01@openssh.com
Related Articles
RSA Governance & Lifecycle Exchange SSH Connector Datasheet Number of Views Error "Key negotiation exchange failed. Server response was CRED_MISMATCH" with RSA Authentication Agent SDK 8.6 for Java Number of Views FIM - Can FIM create SAML assertions signed with SHA256 instead of SHA1? Number of Views How to SSH to an RSA Authentication Manager version 8.x server Number of Views How to retrieve content files - Client Number of Views
Trending Articles
Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory Mandatory Certificate Upgrade Required by 6th October 2025 for RSA MFA Agent for PAM, RSA MFA Agent for Apache, and Third … RSA Authentication Manager 8.9 Release Notes (January 2026)
