Control Compliance Suite 11: Solaris 11 agent-less data collection fails: Couldn't agree a client-to-server cipher

Article:TECH196470  |  Created: 2012-09-11  |  Updated: 2012-11-08  |  Article URL http://www.symantec.com/docs/TECH196470
Article Type
Technical Solution


Environment

Issue



Targeting a Agent-less Solaris v11 x64 asset - an error shows for the data collection: Couldn't agree a client-to-server cipher.

Note:  agent and agent-less data collection from Oracle Solaris 11 assets is supported by the latest Symantec Control Compliance Suite 11 and 10.5.1 versions.

 


Error



{Date Time},Unix Data Collector: query returned with message(s).,"{solaris11_asset_host_name}: Couldn't agree a client-to-server cipher (available: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour)",Error,{solaris11_asset_host_name}:{IP_Address},UNIX Machine,,

 


Environment



Symantec Control Compliance Suite 10.5.1

Symantec Control Compliance Suite 11 GA

Oracle Solaris 11 (both X64 and SPARC)

 


Cause



The ssh handshake attempt between CCS and the Solaris 11 system fails to agree on a cipher.

By default Solaris 11 only supports the following ciphers: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour.

CCS requires 3des-cbc.

 


Solution



The current workaround is to add the "3des-cbc" to the list of accepted ciphers in the Solaris 11 sshd configuration file.

 

Step 1. Add the following line in /etc/ssh/sshd_config (We are adding 3des-cbc to the default ciphers)

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,3des-cbc
 

Step 2. Restart the sshd daemon on Solaris system.

    svcadm restart ssh

At this point the CCS agent-less data collection will work.

 


Supplemental Materials

SourceETrack
Value2927081


Article URL http://www.symantec.com/docs/TECH196470


Terms of use for this information are found in Legal Notices