Article Number
000067932
Applies To
- RSA Identity Governance & Lifecycle 7.2.1, 7.5.0
- SecurID Governance & Lifecycle 7.5.2
Issue
AFX Connectors that use SSH, including but not limited to the Generic SSH Connector and the PowerShell Connector, generate the following error message when using or testing the connector:
java.io.IOException: Session.connect: java.security.InvalidAlgorithmParameterException: Accepted DH prime length is 2048 or higher
at net.sf.commons.ssh.jsch.JschConnectionFactory.connectUsingPassword(JschConnectionFactory.java:82)
Cause
This is a known issue in AFX Connectors that use SSH connections in the following versions:
- RSA Identity Governance & Lifecycle 7.2.1 P12
- RSA Identity Governance & Lifecycle 7.5.0 P07
- SecurID Governance & Lifecycle 7.5.2
The latest versions and patches of SecurID Governance & Lifecycle include updated versions of BSAFE crypto libraries (6.2.5.x) that enforce a minimum key length of 2048-bit for DH (Diffie-Hellman) Key Exchange keys during SSL connections to remote endpoints. Older versions allowed 1024-bit keys which are known to be insecure.
This issue error occurs when a remote endpoint (remote SSH server) attempts to negotiate an SSL connection using a DH Key Exchange with keys less than 2048-bit in size.
Resolution
It is not possible to reduce the security of SecurID Governance & Lifecycle to allow insecure SSL connections.
The version of the SSL libraries on the target machines should be updated to later (more secure) versions that support and enforce 2048-bit DH keys.
For example, if you are using the OpenSSL version of SSH it is recommended you upgrade to openSSL 3.1 (or later) which supports 2048 bit DH keys and disallows 1024 bit keys. At minimum you should upgrade to openSSL 1.0.1r which supports 2048 bit DH keys. For other SSL implementations, refer to the respective vendor.
Notes
For more information on the security vulnerability with 1024 bit DH keys, search for the Logjam and FREAK vulnerabilities or refer to CVE-2015-4000.
