- RSA Governance & Lifecycle 8.0.0 P03 and later
Clicking the Test Connector Settings button to test the connection for a RACF-SSH connector fails with the following error in the UI. A similar error is also logged in the connector log file.
Connection error: Unable to negotiate key exchange for server host key algorithms
(client: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512,
rsa-sha2-256, ssh-rsa / server: ssh-dss)
The RACF server that the RACF-SSH connector connects to is configured with algorithms that are deprecated in RSA Governance & Lifecycle. In the error above, the server offers only ssh-dss as its host key algorithm, which is not in the client's list, so the two sides have no algorithm in common.
As part of continued security improvements, RSA Governance & Lifecycle version 8.0.0 P03 includes an upgrade to cryptographic standards that removes support for weaker algorithms. The following ciphers are no longer supported in RSA Governance & Lifecycle 8.0.0 P03 and later for RACF-SSH connectors:
- ssh-dss (DSA authentication)
- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
If the RACF-SSH server is configured to use weaker ciphers such as ssh-dss, authentication or key exchange will fail. The RACF server's SSH configuration must be updated to use stronger, supported ciphers. Please work with your RACF server's administrator to update the ciphers as recommended below.
Strong Ciphers Supported in RSA Governance & Lifecycle 8.0 P03 and later:
Customers should ensure that the RACF endpoint supports at least one of the following secure algorithms:
- rsa-sha2-512
- rsa-sha2-256
- ssh-ed25519
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
Recommended strong ciphers when using OpenSSH certificates:
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ecdsa-sha2-nistp521-cert-v01@openssh.com
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
- rsa-sha2-256-cert-v01@openssh.com
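To triage this failure from a connector log, the following added example (not RSA's code) parses the negotiation error shown above and checks the server's offer against the removed and supported lists in this article. The function names and the sample log layout are assumptions; the algorithm names come from the article.

```python
import re

# Host key algorithms the article lists as supported (plain and OpenSSH-certificate forms).
BASE = ["rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519",
        "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"]
SUPPORTED = set(BASE) | {name + "-cert-v01@openssh.com" for name in BASE}

# Algorithms the article lists as removed in 8.0.0 P03 and later.
REMOVED = {"ssh-dss", "diffie-hellman-group14-sha1",
           "diffie-hellman-group-exchange-sha256",
           "diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"}

# Matches the error text shown above, including when the lists wrap across lines.
NEGOTIATION_RE = re.compile(
    r"Unable to negotiate key exchange for (?P<kind>[\w ]+?)\s*"
    r"\(client:\s*(?P<client>.*?)\s*/\s*server:\s*(?P<server>.*?)\)",
    re.DOTALL)

def split_names(text):
    """Split a comma/whitespace separated algorithm list, preserving order."""
    return [name for name in re.split(r"[,\s]+", text) if name]

def analyze(log_text):
    """Return one finding per negotiation failure found in log_text."""
    findings = []
    for m in NEGOTIATION_RE.finditer(log_text):
        client, server = split_names(m["client"]), split_names(m["server"])
        findings.append({
            "kind": m["kind"],
            "client": client,
            "server": server,
            "common": [a for a in client if a in server],
            "removed_on_server": [a for a in server if a in REMOVED],
            "supported_on_server": [a for a in server if a in SUPPORTED],
        })
    return findings

# The error from this article as it might sit in a log file (line layout is constructed).
SAMPLE_LOG = """Connection error: Unable to negotiate key exchange for server host key algorithms
(client: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512,
rsa-sha2-256, ssh-rsa / server: ssh-dss)
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['kind']}: server offers {f['server']}, shared: {f['common'] or 'none'}")
        print(f"  removed algorithms on server: {f['removed_on_server']}")
        print(f"  supported algorithms on server: {f['supported_on_server'] or 'none'}")
```

An empty `supported_on_server` list means the RACF server's SSH configuration still needs at least one of the supported host key algorithms enabled before the connector test can succeed.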