Control Compliance Suite 11: Solaris 11 agent-less data collection fails: Couldn't agree a client-to-server cipher

Article:TECH196470  |  Created: 2012-09-11  |  Updated: 2012-11-08  |  Article URL
Article Type
Technical Solution



Targeting a Agent-less Solaris v11 x64 asset - an error shows for the data collection: Couldn't agree a client-to-server cipher.

Note:  agent and agent-less data collection from Oracle Solaris 11 assets is supported by the latest Symantec Control Compliance Suite 11 and 10.5.1 versions.



{Date Time},Unix Data Collector: query returned with message(s).,"{solaris11_asset_host_name}: Couldn't agree a client-to-server cipher (available: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour)",Error,{solaris11_asset_host_name}:{IP_Address},UNIX Machine,,



Symantec Control Compliance Suite 10.5.1

Symantec Control Compliance Suite 11 GA

Oracle Solaris 11 (both X64 and SPARC)



The ssh handshake attempt between CCS and the Solaris 11 system fails to agree on a cipher.

By default Solaris 11 only supports the following ciphers: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour.

CCS requires 3des-cbc.



The current workaround is to add the "3des-cbc" to the list of accepted ciphers in the Solaris 11 sshd configuration file.


Step 1. Add the following line in /etc/ssh/sshd_config (We are adding 3des-cbc to the default ciphers)

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,3des-cbc

Step 2. Restart the sshd daemon on Solaris system.

    svcadm restart ssh

At this point the CCS agent-less data collection will work.


Supplemental Materials


Article URL

Terms of use for this information are found in Legal Notices