This should be taken as an opportunity to recognize that there are security incompatibilities in the environment that need to be resolved. The problem may be larger than it first appears, and similar mismatches may exist on systems other than the Gateway. With this knowledge, either the clients can be changed to meet the security requirements of the backend, or the backend can be changed to improve compatibility with the clients. Which approach is right depends on the impact, on the current security settings, and on whether those settings are considered too tight or too loose for the environment.
If the changes are to be made on the Gateway (client), the following are recommended:
- Make the following changes/additions to /etc/ssh/sshd_config on the Gateway:
  - KexAlgorithms diffie-hellman-group-exchange-sha256
  - Ciphers aes256-ctr,aes192-ctr,aes128-ctr
  - MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
- Restart the sshd service.
It should be understood that, ultimately, the key exchange algorithms, ciphers and MACs must each have at least one entry in common with the backend, or the SSH connection cannot be negotiated. The lists above are an example of a strong set recommended by CA API Management and may not be the defaults on the Gateway, depending on the version used. The same lists can also be recommended for backends that currently use weaker encryption methods.
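The overlap requirement above is easy to verify before touching any configuration. The following shell script is an added example and is not part of the original article or of the CA API Gateway product; it takes the Gateway's three algorithm lists and a backend's three lists and reports, per category, whether at least one algorithm is shared. The backend lists it ships with are constructed sample data. On a real Gateway the effective lists can be read with `sshd -T` (which prints `kexalgorithms`, `ciphers` and `macs` lines), and the algorithms an OpenSSH client binary supports at all are listed by `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac`.

```shell
#!/bin/sh
# Added example (not from the original article): check whether a Gateway's
# SSH algorithm lists share at least one entry per category with a backend.
# All backend values below are constructed sample data; replace them with the
# lists the real backend advertises during key exchange.

# overlap LIST_A LIST_B
# Prints the comma-separated items of LIST_A that also appear in LIST_B,
# preserving LIST_A's order (the order the client prefers).
overlap() {
    a="$1"; b="$2"; out=""
    for item in $(printf '%s' "$a" | tr ',' ' '); do
        case ",$b," in
            *",$item,"*) out="${out:+$out,}$item" ;;
        esac
    done
    printf '%s' "$out"
}

# check_negotiation GW_KEX GW_CIPHERS GW_MACS BE_KEX BE_CIPHERS BE_MACS
# Prints a per-category report and returns 0 only when every category
# (kex, cipher, mac) has a common algorithm; a single empty category is
# enough to make the SSH handshake fail.
check_negotiation() {
    status=0
    for pair in "kex:$1:$4" "cipher:$2:$5" "mac:$3:$6"; do
        name=${pair%%:*}; rest=${pair#*:}
        gw=${rest%%:*};   be=${rest#*:}
        common=$(overlap "$gw" "$be")
        if [ -n "$common" ]; then
            printf '%-6s OK   common: %s\n' "$name" "$common"
        else
            printf '%-6s FAIL no overlap (gateway: %s | backend: %s)\n' "$name" "$gw" "$be"
            status=1
        fi
    done
    return $status
}

# Gateway side: the lists recommended in the article.
# On a live host: sshd -T | grep -E '^(kexalgorithms|ciphers|macs) '
GW_KEX="diffie-hellman-group-exchange-sha256"
GW_CIPHERS="aes256-ctr,aes192-ctr,aes128-ctr"
GW_MACS="hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"

# Constructed legacy backend: only SHA-1 key exchange and MD5/SHA-1 MACs.
BE_KEX_LEGACY="diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
BE_CIPHERS_LEGACY="aes128-cbc,3des-cbc,aes256-ctr"
BE_MACS_LEGACY="hmac-sha1,hmac-md5"

# Constructed modern backend that shares one entry in each category.
BE_KEX_OK="curve25519-sha256,diffie-hellman-group-exchange-sha256"
BE_CIPHERS_OK="chacha20-poly1305@openssh.com,aes128-ctr"
BE_MACS_OK="hmac-sha2-256"

echo "== legacy backend =="
if check_negotiation "$GW_KEX" "$GW_CIPHERS" "$GW_MACS" \
                     "$BE_KEX_LEGACY" "$BE_CIPHERS_LEGACY" "$BE_MACS_LEGACY"; then
    echo "negotiation possible"
else
    echo "negotiation will fail: fix the FAIL categories on one side"
fi

echo "== modern backend =="
if check_negotiation "$GW_KEX" "$GW_CIPHERS" "$GW_MACS" \
                     "$BE_KEX_OK" "$BE_CIPHERS_OK" "$BE_MACS_OK"; then
    echo "negotiation possible"
else
    echo "negotiation will fail: fix the FAIL categories on one side"
fi
```

Run against the constructed legacy backend, the report shows the cipher category succeeding on aes256-ctr while kex and mac both fail, which is exactly the situation the article describes: a single empty category is enough to break the connection, and the decision of which side to change can then be made per category rather than by guesswork.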