How to resolve the “com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail” error while using the BusinessWorks Plugin for SFTP

Emmanuel Marchiset
Nov 5, 2024

If you are using an old release of the SFTP Plugin (release 1.1 for BusinessWorks 5.X, or release 6.1.x for BusinessWorks 6.X and BusinessWorks Container Edition), you likely need to upgrade to the latest version. As of this writing, that is release 1.1.1 for BusinessWorks 5.X and release 6.2.0 for BusinessWorks 6.X and BusinessWorks Container Edition.

But you may also face issues with the recent versions of the BusinessWorks Plugin for SFTP: they are based on a fork of the JSCH open source library that disables signature algorithms no longer considered secure by the general cryptographic community (including RSA/SHA1).

The problem in the context of an integration platform is that you often need to connect to multiple SFTP servers: some recent ones where old algorithms like ssh-rsa are disabled, and some old ones that do not support newer algorithms.

With a recent version of the Plugin for SFTP, you will get an error message like the one below when trying to connect to an old server that offers only ssh-rsa as its host key algorithm:

com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256" serverProposal="ssh-rsa"

The good news is that it is possible to re-enable older algorithms using some properties managed by the JSCH open source library.

Available properties to change JSCH behavior

The properties to use are the following:
jsch.server_host_key
jsch.client_pubkey

In the example below we keep all the algorithms enabled by default and add ssh-rsa at the end. SSH negotiation picks the first algorithm in the client's list that the server also supports, so placing ssh-rsa last means it is used only with servers that offer nothing newer:

jsch.server_host_key=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa

jsch.client_pubkey=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa

You may also add the ssh-dss algorithm in the same way if needed.

Note that other properties (jsch.kex, jsch.cipher, etc.) are available to configure the behavior of the JSCH library, and they may help to address other issues encountered with some SFTP servers.

They are listed in the FAQ section of the JSCH open source page:
https://github.com/mwiede/jsch

Setting the properties in BusinessWorks 6.X context

In BusinessWorks 6.X context the properties can be set in different ways:

- They can be added in an appnode config.ini file to apply to a specific appnode

- They can also be added in the appnode_config.ini_template file of a given server, in the <TIBCO_HOME>/bw/6.X/config directory, to apply as the default to all the appnodes of the server

Setting the properties in BusinessWorks 5.X context

In BusinessWorks 5.X they can be added in the bwengine.tra file using the java.property prefix, as shown below:

java.property.jsch.server_host_key=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
java.property.jsch.client_pubkey=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Once the bwengine.tra file has been updated, applications need to be redeployed for the changes to be taken into account.

They can also be set specifically for an application at deployment time using the solution described in the BusinessWorks 5.X documentation:
https://docs.tibco.com/pub/activematrix_businessworks/5.15.1/doc/html/wwhelp/wwhimpl/js/html/wwhelp.htm#href=tib_bw_administration/admin.4.64.htm
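
As an added example (not from the original article, TIBCO, or the JSCH project), the Python helper below parses the negotiation error shown earlier and builds the jsch.server_host_key line in both the BusinessWorks 6.X and 5.X forms, appending only the legacy algorithms the server actually proposed. The function names and the sample log line are constructed for illustration; the sample deliberately contains curly quotes and en dashes to show that copy-pasted values must be normalized to plain ASCII before they go into a config file.

```python
import re

# Legacy host-key algorithms the article names as candidates to re-enable.
LEGACY = ("ssh-rsa", "ssh-dss")
_FIELD = re.compile(r'(algorithmName|jschProposal|serverProposal)="([^"]*)"')
# Web pages and chat tools often turn " into curly quotes and - into dashes.
_TYPO = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2013": "-", "\u2014": "-"})

# Constructed sample: the article's error as it looks after a copy-paste
# that introduced curly quotes and en dashes.
SAMPLE = (
    "com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: "
    "algorithmName=”server_host_key” jschProposal=”ssh-ed25519,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
    "rsa-sha2–512,rsa-sha2–256” serverProposal=”ssh-rsa”"
)

def parse_nego_failure(line):
    """Return the three fields of a negotiation failure, or None."""
    fields = dict(_FIELD.findall(line.translate(_TYPO)))
    if "JSchAlgoNegoFailException" not in line or len(fields) != 3:
        return None
    return {
        "name": fields["algorithmName"],
        "client": fields["jschProposal"].split(","),
        "server": fields["serverProposal"].split(","),
    }

def host_key_property_lines(line):
    """Build jsch.server_host_key lines for BW 6.X and BW 5.X."""
    failure = parse_nego_failure(line)
    if failure is None or failure["name"] != "server_host_key":
        raise ValueError("not a server_host_key negotiation failure")
    # Keep the default list and order; append only what this server proposed,
    # so the legacy algorithm stays the last preference.
    extra = [a for a in LEGACY
             if a in failure["server"] and a not in failure["client"]]
    if not extra:
        raise ValueError("server proposed no algorithm from LEGACY")
    value = ",".join(failure["client"] + extra)
    value.encode("ascii")  # raises if typography survived normalization
    return {"bw6": "jsch.server_host_key=" + value,
            "bw5": "java.property.jsch.server_host_key=" + value}

if __name__ == "__main__":
    for target, prop in host_key_property_lines(SAMPLE).items():
        print(target, prop)
```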

Other elements

The BusinessWorks Plugin for SFTP, release 1.1.1 for BusinessWorks 5.X, uses JSCH version 0.2.13.

The BusinessWorks Plugin for SFTP, release 6.2.0 for BusinessWorks 6.X, uses JSCH version 0.2.15.

Details on the JSCH library used in the recent versions are available here:
https://github.com/mwiede/jsch/blob/master/ChangeLog.md

Details on the JSCH library used in the older versions are available here:
http://www.jcraft.com/jsch/


Written by Emmanuel Marchiset

I work as an Architect at TIBCO Software on Integration products. Opinions here are my own.
