What ciphers, key exchange algorithms, key types/formats and lengths are supported by MFTs SSH/SFTP, and what ciphers, signature algorithms, and key exchange algorithms supported by Control-M Managed File Transfer (MFT) SSL?

Version 7
    Share:|

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Control-M Managed File Transfer


    COMPONENT:

    Control-M MFT


    APPLIES TO:

    Control-M Managed File Transfer 9.0.00, 9.0.18, 9.0.19



    QUESTION:

    What ciphers, key exchange algorithms, key types/formats and lengths are supported by Control-M Managed File Transfer when transferring files over encrypted data channels using SFTP (SSH) or FTP over TLS (FTPS)? 

    For AFT 8.0, refer to article 000143479
    For AFT 8.2, refer to article 000137186


    ANSWER:

     

    Control-M Managed File Transfer 9.0.00 supports the following:

    For SSH (SFTP), 

      

    - MAC algorithms:  hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha-256 
    - Ciphers: aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, 3des-cbc, 3des-ctr, blowfish-cbc, arcfour256, arcfour128, arcfour
    - Key EXchange: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
    - Generated keys: type=RSA,  sizes = 1024, 2048, 3072, 4096 

    Note: in JRE 1.8 u121, 3DES has been marked as a Legacy cipher and is thus disabled by default, causing MFT to not be able to use the 3dses-cbc and 3des-ctr ciphers. BMC recommends enabling stronger and more current cipher suites on the remote server to resolve Algorithm negotiation failures.

      

    For FTP over SSL/TLS (FTPS):

    Since MFT is using the standard Java security provider for SSL (over FTP), the complete list of ciphers, signature algorithms and key exchange algorithms supported can be found in the link: 
    http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
    Please look under “The SunJSSE Provider” section. The Signature Algorithm list is under the “Cipher Suites” section. The current version of Java used by MFT is JDK8, so look under that column. 

    Additional information: 
    Customers viewing this solution may find value in the following self-help Connect with Control-M video.

     


    Article Number:

    000130750


    Article Type:

    FAQ/Procedural



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles