SFTP strengthening for versions prior to Rhythmyx 7.3.1

Customers running versions prior to Rhythmyx 7.3.1 (the release in which Rhythmyx moved to Java 8) may run into issues with SFTP publishing to their destination. The publish is marked as a failure as if the password or key login had failed, and the destination's SSH logs may show "m_answer_moduli: bad parameters: 2048 2048 1024".

The issue is that Java 6 and 7 do not support 2048-bit key sizes, limiting the size to 1024. Applying the Java Cryptography Extension (JCE) policy files for Java 1.6 from Oracle together with the latest Bouncy Castle security provider for Java effectively patches the 1.6 JRE so that the new key size is supported.

Note: Before modifying or removing any file, shut down the Rhythmyx process and back up every file to be removed or modified to a location outside the Rhythmyx install directory and its subdirectories.

First, obtain the latest version of JSch, the SFTP client that Rhythmyx uses:

  • Download the jar from their main site: http://www.jcraft.com/jsch/
  • Copy it to the Rhythmyx WAR's lib directory: <Rhythmyx_directory>/Appserver/rx/deploy/rxapp.ear/rxapp.app/WEB-INF/lib
  • Remove the older version of the jsch jar, so that only the new one remains in the lib directory.

Download the Java Cryptography Extension policy files and the Bouncy Castle provider:

Download the latest version of the Bouncy Castle provider jars for JDK 5 and above.

  • Download from: http://www.bouncycastle.org/latest_releases.html
  • Install both jars to the <Rhythmyx_install>/JRE64/lib/ext directory; if using the 32 bit JRE, copy them to <Rhythmyx_install>/JRE/lib/ext instead.
  • Copy local_policy.jar and US_export_policy.jar to the <Rhythmyx_install>/JRE/lib/ext directory.

Edit the JRE security profile

  • Modify the <Rhythmyx_Install>/JRE64/lib/security/java.security file (64 bit) or the <Rhythmyx_Install>/JRE/lib/security/java.security file (32 bit).
  • Change the list of providers from 

    security.provider.1=sun.security.provider.Sun
    security.provider.2=sun.security.rsa.SunRsaSign
    security.provider.3=com.sun.net.ssl.internal.ssl.Provider
    security.provider.4=com.sun.crypto.provider.SunJCE
    security.provider.5=sun.security.jgss.SunProvider
    security.provider.6=com.sun.security.sasl.Provider
    security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.8=sun.security.smartcardio.SunPCSC
    security.provider.9=sun.security.mscapi.SunMSCAPI

    to

    security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
    security.provider.2=sun.security.provider.Sun
    security.provider.3=sun.security.rsa.SunRsaSign
    security.provider.4=com.sun.net.ssl.internal.ssl.Provider
    security.provider.5=com.sun.crypto.provider.SunJCE
    security.provider.6=sun.security.jgss.SunProvider
    security.provider.7=com.sun.security.sasl.Provider
    security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.9=sun.security.smartcardio.SunPCSC
    security.provider.10=sun.security.mscapi.SunMSCAPI

Start Rhythmyx again and run any SFTP publish; the issue should now be resolved. If not, please contact support for assistance.
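As an added example (not Percussion's own tooling), the following POSIX shell functions carry out the file-level parts of the procedure above: they back up java.security outside the install directory, insert the Bouncy Castle provider as provider 1 while renumbering the existing entries, skip the edit if it has already been applied, and check that only one jsch jar is left in WEB-INF/lib. The <Rhythmyx_install> paths and the BouncyCastleProvider class name are taken from the article; the function names and the backup-directory argument are assumptions.

```shell
#!/bin/sh
# Constructed helper script for the Rhythmyx SFTP strengthening steps (not Percussion's code).

# Print a copy of the given java.security file with Bouncy Castle as provider 1
# and every existing security.provider.N entry shifted to N+1. Idempotent: if the
# file already lists BouncyCastleProvider it is printed unchanged.
insert_bc_provider() {
  if grep -q 'BouncyCastleProvider' "$1"; then
    cat "$1"
    return 0
  fi
  awk '
    /^security\.provider\.[0-9]+=/ {
      if (!done) {
        print "security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider"
        done = 1
      }
      n = $0; sub(/^security\.provider\./, "", n); sub(/=.*/, "", n)
      rest = $0; sub(/^security\.provider\.[0-9]+=/, "", rest)
      print "security.provider." (n + 1) "=" rest
      next
    }
    { print }
  ' "$1"
}

# $1 = JRE directory (e.g. <Rhythmyx_install>/JRE64), $2 = backup directory
# outside the install tree. Backs up lib/security/java.security, then rewrites it.
patch_java_security() {
  f="$1/lib/security/java.security"
  [ -f "$f" ] || { echo "no java.security under $1" >&2; return 1; }
  [ -d "$2" ] || { echo "backup directory $2 does not exist" >&2; return 1; }
  cp "$f" "$2/java.security.bak" || return 1
  tmp="$f.tmp.$$"
  insert_bc_provider "$f" > "$tmp" && mv "$tmp" "$f"
}

# $1 = the WAR's WEB-INF/lib directory. Succeeds only when exactly one jsch jar
# is present, i.e. the old jar was removed after the new one was copied in.
check_single_jsch() {
  count=$(find "$1" -maxdepth 1 -name 'jsch*.jar' | wc -l | tr -d ' ')
  [ "$count" -eq 1 ]
}

# Usage (paths are the article's placeholders):
#   patch_java_security "<Rhythmyx_install>/JRE64" "/path/outside/install"
#   check_single_jsch "<Rhythmyx_directory>/Appserver/rx/deploy/rxapp.ear/rxapp.app/WEB-INF/lib"
```

Run patch_java_security once per JRE that Rhythmyx actually uses (JRE64 or JRE); a second run is harmless because the provider check makes the edit idempotent, and the backup written to the second argument is what you restore if the server fails to start.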
