SFTP strengthening for versions prior to Rhythmyx 7.3.1
Customers running versions prior to Rhythmyx 7.3.1 (Rhythmyx 6.7 to 7.3.0; 7.3.1 is the release in which Rhythmyx moved to Java 8) may run into failures when publishing over SFTP. The publish is marked as failed as though the password or key login had been rejected, and the destination's SSH log may show "m_answer_moduli: bad parameters: 2048 2048 1024". SFTP publishing was introduced in version 6.7, so these instructions apply only to Rhythmyx 6.7 through 7.3.0. Customers on a version prior to 6.7 should upgrade to a later version, preferably the latest, for SFTP support.
The cause is that the cryptography providers shipped with Java 6 and 7 do not support 2048-bit Diffie-Hellman keys for the SSH key exchange and cap the size at 1024. The three numbers in the log line are the minimum, preferred and maximum group sizes the client proposed; the server refuses the request because the maximum (1024) is smaller than the minimum (2048). Installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 1.6 from Oracle together with the latest Bouncy Castle security provider for Java effectively patches the 1.6 JRE so that the larger key size is supported.
Note: Before modifying or removing any file, shut down the Rhythmyx process and back up every file that will be removed or modified to a location outside the Rhythmyx install directory and its subdirectories.
First, obtain the latest version of JSch, the SFTP client library that Rhythmyx uses:
- Download the jar from the JSch site: http://www.jcraft.com/jsch/
- Copy it to the Rhythmyx WAR's lib directory: <Rhythmyx_directory>/Appserver/rx/deploy/rxapp.ear/rxapp.app/WEB-INF/lib
- Remove the older version of the jsch jar, so that only the new one remains in the lib directory.
Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files:
- Java 6 : http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
- Copy local_policy.jar and US_export_policy.jar to <Rhythmyx_install>/JRE64/lib/security; if the 32-bit JRE is in use (RhythmyxServer.lax states whether the 64-bit or 32-bit JRE is used), copy them to <Rhythmyx_install>/JRE/lib/security instead. The policy files must match the major version of the JRE they are installed into, so use the Java 6 download for a Java 6 JRE.
Download the latest Bouncy Castle provider jars for JDK 5 and above:
- Download from: http://www.bouncycastle.org/latest_releases.html
- Copy both jars to <Rhythmyx_install>/JRE64/lib/ext; if the 32-bit JRE is in use, copy them to <Rhythmyx_install>/JRE/lib/ext instead.
Edit the JRE security profile
- Edit <Rhythmyx_Install>/JRE64/lib/security/java.security (64-bit JRE) or <Rhythmyx_Install>/JRE/lib/security/java.security (32-bit JRE)
- Change the list of providers from
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=sun.security.mscapi.SunMSCAPI
to
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI
Start Rhythmyx again and run any SFTP publish; the issue should be resolved. Because Bouncy Castle now sits first in the provider list, it is consulted first for every algorithm it implements, not only the SFTP key exchange, so also confirm that the server's other functions that use encryption still behave as before. If the problem persists, contact support for assistance.
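The following script is an added example and is not part of the Percussion article or of Rhythmyx itself. It performs the java.security edit from the steps above mechanically (Bouncy Castle inserted in slot 1, every other provider renumbered, nothing else in the file touched, and safe to re-run), picks JRE64 or JRE from RhythmyxServer.lax, and checks that the policy and provider jars are in the directories the steps name. The lax.nl.current.vm key, the relative-path form of its value, and the bcprov-*.jar file name are assumptions, marked as such in the comments; the sample java.security text is constructed from the provider list quoted above.

```python
"""Added example (not Percussion's or Rhythmyx's own code): apply the
java.security edit from the article without hand-editing, choose the JRE
directory from RhythmyxServer.lax, and check the installed files."""
import re
import tempfile
from pathlib import Path

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")
BC_PROVIDER = "org.bouncycastle.jce.provider.BouncyCastleProvider"

# Constructed sample: the stock Java 6 provider list quoted in the article,
# with unrelated settings around it to show that other lines are preserved.
SAMPLE_JAVA_SECURITY = """\
securerandom.source=file:/dev/urandom
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=sun.security.mscapi.SunMSCAPI
keystore.type=jks
"""


def provider_entries(text):
    """(line index, slot number, class name) for each provider line, ordered by slot."""
    found = []
    for i, line in enumerate(text.splitlines()):
        m = PROVIDER_RE.match(line)
        if m:
            found.append((i, int(m.group(1)), m.group(2)))
    return sorted(found, key=lambda e: e[1])


def provider_order(text):
    """Provider class names in the order the JRE will consult them."""
    return [name for _, _, name in provider_entries(text)]


def insert_provider(text, provider=BC_PROVIDER, position=1):
    """Return the file with `provider` in slot `position` (1-based) and the
    remaining providers renumbered contiguously. Non-provider lines are kept
    verbatim, and a provider that is already listed is not added twice, so
    running this against an already patched file is a no-op."""
    entries = provider_entries(text)
    names = [name for _, _, name in entries]
    if provider in names:
        return text
    if not entries or not 1 <= position <= len(entries) + 1:
        raise ValueError("no provider list found or position out of range")
    names.insert(position - 1, provider)
    lines = text.splitlines()
    idxs = [i for i, _, _ in entries]
    # Reuse the original provider lines for slots 1..len(entries) ...
    for slot, (i, name) in enumerate(zip(idxs, names), start=1):
        lines[i] = f"security.provider.{slot}={name}"
    # ... and place the one extra entry right after the highest original slot.
    lines.insert(max(idxs) + 1, f"security.provider.{len(names)}={names[-1]}")
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def jre_subdir_from_lax(lax_text):
    """Decide between JRE64 and JRE from RhythmyxServer.lax.
    Assumption: the launcher names its VM in a lax.nl.current.vm line whose
    value is a path containing a JRE or JRE64 component, e.g. JRE64\\bin\\java.exe."""
    for line in lax_text.splitlines():
        if line.startswith("lax.nl.current.vm="):
            vm = line.split("=", 1)[1].strip().replace("\\", "/")
            for part in vm.split("/"):
                if part.upper() in ("JRE", "JRE64"):
                    return part
    raise ValueError("lax.nl.current.vm with a JRE/JRE64 component not found")


# Files the article installs, relative to the JRE in use. The Bouncy Castle
# jar name carries the release number, hence the glob (assumed naming).
REQUIRED = (
    ("lib/security", "local_policy.jar"),
    ("lib/security", "US_export_policy.jar"),
    ("lib/ext", "bcprov-*.jar"),
)


def missing_files(jre_dir):
    """Relative paths from REQUIRED that are not present under jre_dir."""
    jre = Path(jre_dir)
    return [f"{sub}/{pat}" for sub, pat in REQUIRED if not any((jre / sub).glob(pat))]


def demo_missing():
    """Build a throwaway tree with the policy jars but no Bouncy Castle jar
    and report what is still missing (constructed data, not a real JRE)."""
    with tempfile.TemporaryDirectory() as tmp:
        sec = Path(tmp) / "lib" / "security"
        sec.mkdir(parents=True)
        (Path(tmp) / "lib" / "ext").mkdir()
        for name in ("local_policy.jar", "US_export_policy.jar"):
            (sec / name).write_bytes(b"")
        return missing_files(tmp)


if __name__ == "__main__":
    print(insert_provider(SAMPLE_JAVA_SECURITY))
    print("JRE in use:", jre_subdir_from_lax("lax.nl.current.vm=JRE64\\bin\\java.exe"))
    print("still missing:", demo_missing())
```

To use it against a real install, read RhythmyxServer.lax to pick the JRE subdirectory, run missing_files on <Rhythmyx_install>/<that subdirectory> until it returns an empty list, then write insert_provider(java_security_text) back to lib/security/java.security, after taking the backup the note above calls for.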