Rhapsody is required to manage the following SSH algorithms when an SSH connection is established:

  • The cipher suite used for encryption.
  • The key exchange algorithm used for exchanging SSH keys.
  • The key generation algorithm.
  • The message authentication algorithm for verifying the integrity of the channel.
  • The compression algorithm.

Rhapsody treats the compression algorithm separately from the authentication algorithms, allowing it to be configured independently on the (S)FTP Client communication point. The remainder of the SSH algorithms are configured using the Cipher Suites configuration property.

SSH Cipher Suites

The following list shows, for each cipher suite level, which SSH algorithms are included:

Very Strong Cipher Suites

  • AES-256 (CBC) only for the cipher.
  • DH Group 14 Exchange (SHA-256).
  • DSA/RSA for the key generation.
  • HMAC SHA2-256, and HMAC SHA2-512 for message authentication.

FIPS Cipher Suites

  • AES-128 (CBC), AES-192 (CBC), and AES-256 (CBC) for the cipher.
  • DH Group 14 Exchange (SHA-256) / DH Group 14 Exchange (SHA-1).
  • DSA/RSA for the key generation.
  • HMAC SHA1, HMAC SHA2-256, and HMAC SHA2-512 for message authentication.

Strong Cipher Suites

  • AES-128 (CBC/CTR), AES-192 (CBC/CTR), AES-256 (CBC/CTR), and Blowfish-128 for the cipher.
  • DH Group 14 Exchange (SHA-256) / DH Group 14 Exchange (SHA-1).
  • DSA/RSA for the key generation.
  • HMAC SHA1, HMAC SHA2-256, and HMAC SHA2-512 for message authentication.

Weak Cipher Suites

  • 3DES-168 (CBC), AES-128 (CBC/CTR), AES-192 (CBC/CTR), AES-256 (CBC/CTR), and Blowfish-128 for the cipher.
  • DH Group 14 Exchange (SHA-256) / DH Group 14 Exchange (SHA-1) / DH Group Exchange / DH Group 1 Exchange.
  • DSA/RSA for the key generation.
  • HMAC SHA1, HMAC SHA2-256, HMAC SHA2-512, HMAC SHA1-96, HMAC MD5, and HMAC MD5-96 for message authentication.

Configuring SSH Cipher Suites

As with the SSL cipher suites, it is possible to configure which SSH algorithms are included in each category in the rhapsody.properties file. Such changes require a Rhapsody restart in order to take effect. The following keys in the rhapsody.properties file can be set (each key is followed by a description of its values):

SshService.Ciphers.<strength>

The ciphers to use:

  • AES_256_CBC
  • AES_256_CTR
  • AES_192_CBC
  • AES_192_CTR
  • AES_128_CBC
  • AES_128_CTR
  • DES_168_CBC3
  • BLOWFISH_128_CBC

SshService.KeyExchange.<strength>

The key exchange algorithms to use:

  • DH_GROUP_EXCHANGE
  • DH_GROUP_14_EXCHANGE
  • DH_GROUP_1_EXCHANGE

SshService.KeyGeneration.<strength>

The key generation algorithms to use:

  • DSA
  • RSA

SshService.MessageAuthentication.<strength>

The message authentication algorithms to use:

  • HMAC_SHA1
  • HMAC_SHA2_256
  • HMAC_SHA2_512
  • HMAC_SHA1_96
  • HMAC_MD5
  • HMAC_MD5_96

Refer to the following examples:

  • SshService.Ciphers.VeryStrong=AES_256_CBC
  • SshService.KeyExchange.Fips=DH_GROUP_EXCHANGE DH_GROUP_14_EXCHANGE
  • SshService.KeyGeneration.Strong=RSA DSA
  • SshService.MessageAuthentication.Weak=HMAC_SHA1 HMAC_SHA1_96 HMAC_MD5 HMAC_MD5_96

The following excerpt shows the default properties in rhapsody.properties file for modifying the SSH algorithms:

# SSH Cipher Suites
# Note that each cipher suite group wraps over multiple lines. All the lines for a particular group
# should be uncommented if it is going to be modified. Wrapping requires that the last character on
# the previous line is a backslash.
#SshService.Ciphers.VeryStrong=AES_256_CBC
#SshService.KeyExchange.VeryStrong=DH_GROUP_EXCHANGE_SHA256
#SshService.KeyGeneration.VeryStrong=DSA RSA
#SshService.MessageAuthentication.VeryStrong=HMAC_SHA2_256 HMAC_SHA2_512
#
#SshService.Ciphers.Fips=AES_256_CBC AES_192_CBC AES_128_CBC
#SshService.KeyExchange.Fips=DH_GROUP_EXCHANGE_SHA256 DH_GROUP_14_EXCHANGE
#SshService.KeyGeneration.Fips=DSA RSA
#SshService.MessageAuthentication.Fips=HMAC_SHA2_256 HMAC_SHA2_512 HMAC_SHA1
#
#SshService.Ciphers.Strong=AES_256_CBC AES_256_CTR AES_192_CBC AES_192_CTR AES_128_CBC AES_128_CTR \
#    BLOWFISH_128_CBC
#SshService.KeyExchange.Strong=DH_GROUP_EXCHANGE_SHA256 DH_GROUP_14_EXCHANGE
#SshService.KeyGeneration.Strong=DSA RSA
#SshService.MessageAuthentication.Strong=HMAC_SHA2_256 HMAC_SHA2_512 HMAC_SHA1
#
#SshService.Ciphers.Weak=AES_256_CBC AES_256_CTR AES_192_CBC AES_192_CTR AES_128_CBC AES_128_CTR \
#    DES_168_CBC3 BLOWFISH_128_CBC RC4_128
#SshService.KeyExchange.Weak=DH_GROUP_EXCHANGE_SHA256 DH_GROUP_14_EXCHANGE DH_GROUP_EXCHANGE DH_GROUP_1_EXCHANGE
#SshService.KeyGeneration.Weak=DSA RSA
#SshService.MessageAuthentication.Weak=HMAC_SHA2_256 HMAC_SHA2_512 HMAC_SHA1 HMAC_SHA1_96 HMAC_MD5 HMAC_MD5_96

You must include a backslash at the end of a line if that property wraps onto the next line. The SSH algorithms are separated by whitespace or commas.
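The following Python script is an added example, not part of Rhapsody or its documentation. It parses the SshService.* keys out of a rhapsody.properties excerpt using the rules stated above (comment lines are ignored, a trailing backslash continues a property onto the next line, algorithms are separated by whitespace or commas) and reports any algorithm that this page lists only under the Weak cipher suite level when it appears in the VeryStrong, Fips or Strong level. It also flags a wrapped line whose previous line lacks the required backslash, since that line is then read as a separate key. The sample properties text is constructed; the function names and the WEAK_ONLY set are this example's own, and RC4_128 is treated as weak-only because it appears only in the Weak default line.

```python
"""Parse and audit SshService.* algorithm settings from a rhapsody.properties excerpt."""
import re
from typing import Dict, List, Tuple

# Matches the four key families documented above, e.g. SshService.Ciphers.Strong
KEY_RE = re.compile(
    r"^SshService\.(Ciphers|KeyExchange|KeyGeneration|MessageAuthentication)\.(\w+)$"
)

# Algorithms this page lists only under the Weak cipher suite level
# (RC4_128 is included because it appears only in the Weak default line).
WEAK_ONLY = {
    "DES_168_CBC3", "RC4_128", "DH_GROUP_EXCHANGE", "DH_GROUP_1_EXCHANGE",
    "HMAC_SHA1_96", "HMAC_MD5", "HMAC_MD5_96",
}

# Constructed sample: an operator-edited Strong level, NOT the shipped defaults.
# The last Weak line is deliberately missing its trailing backslash.
SAMPLE = """\
# constructed sample rhapsody.properties excerpt
SshService.Ciphers.Strong=AES_256_CTR AES_192_CTR, AES_128_CTR \\
    DES_168_CBC3
SshService.KeyExchange.Strong=DH_GROUP_EXCHANGE_SHA256 DH_GROUP_14_EXCHANGE
SshService.KeyGeneration.Strong=RSA DSA
SshService.MessageAuthentication.Strong=HMAC_SHA2_256 HMAC_SHA2_512 HMAC_MD5
#SshService.Ciphers.VeryStrong=AES_256_CBC
SshService.Ciphers.Weak=AES_256_CBC AES_256_CTR
    BLOWFISH_128_CBC RC4_128
"""


def logical_lines(text: str) -> List[str]:
    """Join lines that end in a backslash with the following line, as the
    properties format requires; leading whitespace on a continuation is dropped."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = line.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:  # file ended on a continuation line
        out.append(buf)
    return out


def parse_ssh_properties(text: str) -> Tuple[Dict[Tuple[str, str], List[str]], List[str]]:
    """Return ({(category, strength): [algorithms]}, [problems])."""
    settings: Dict[Tuple[str, str], List[str]] = {}
    problems: List[str] = []
    for line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank or comment line
        if "=" not in stripped:
            problems.append(
                f"stray line {stripped!r}: no '=' (missing trailing backslash on the previous line?)"
            )
            continue
        key, value = (part.strip() for part in stripped.split("=", 1))
        match = KEY_RE.match(key)
        if not match:
            continue  # some other property; not our concern here
        algorithms = [a for a in re.split(r"[\s,]+", value) if a]  # whitespace or commas
        settings[(match.group(1), match.group(2))] = algorithms
    return settings, problems


def audit(settings: Dict[Tuple[str, str], List[str]],
          strict_levels=("VeryStrong", "Fips", "Strong")) -> List[Tuple[str, str, List[str]]]:
    """Report weak-only algorithms configured at a level that should exclude them."""
    findings = []
    for (category, strength), algorithms in sorted(settings.items()):
        if strength not in strict_levels:
            continue
        weak = [a for a in algorithms if a in WEAK_ONLY]
        if weak:
            findings.append((category, strength, weak))
    return findings


if __name__ == "__main__":
    parsed, issues = parse_ssh_properties(SAMPLE)
    for issue in issues:
        print("PROBLEM:", issue)
    for category, strength, weak in audit(parsed):
        print(f"SshService.{category}.{strength} includes weak-only algorithms: {' '.join(weak)}")
```

Run against a real rhapsody.properties by reading the file into the text argument; any "stray line" report points at a wrapped property whose previous line is missing the backslash the documentation requires, and any finding for a non-Weak level identifies an algorithm the page itself places only in the Weak suite.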