Automic Workload Automation


We need a newer RA FTP Solution

  • 1.  We need a newer RA FTP Solution

    Posted Apr 22, 2020 07:18 AM
    Hello 

    We need a newer RA FTP solution than 4.0.8.
    We have this problem

    o    Fixes:
    - bugfix: fixed bugs in the key-exchange for ecdsa-sha2-nistp384, ecdsa-sha2-nistp521.
    - bugfix: failed to generate the key pair from private keys, ecdsa 384 and 521.
    - bugfix: failed to load the ecdsa 521 key identity from ssh-add command.
    - feature: supporting key files on EBCDIC environment.

    The first answer from Broadcom Support:
    I checked the RA FTP agent 12.3.2+build.1581365220059'
    It also uses the same jsch 0.1.54 version
    20200323/033916.316 - jar : lib/jsch-0.1.54.jar Archiver-Version : Plexus Archiver
    20200323/033916.316 - Built-By : ymnk
    20200323/033916.316 - Created-By : Apache Maven
    20200323/033916.316 - Build-Jdk : 1.6.0_16
    20200323/033916.316 - Manifest-Version : 1.0
    I will check with our product management for any plans in future.


    The last answer from Broadcom Support:

    I created an internal defect with our engineering and got the following update.
    This is no defect in our product. Please open an enhancement request, or contact Product Management directly about the strategy of product development concerning third-party libraries.
    Please submit an idea in the communities and you will get a direct update from product management.



  • 2.  RE: We need a newer RA FTP Solution

    Posted Apr 22, 2020 07:32 AM
    Hi.

    We asked for updated jsch versions before as well. I totally agree they need to track "upstream" closely, since this is relevant both to functionality and to security. This is one of the reasons we are replacing the RA agent with alternative, non-Automic solutions wherever possible. The answer they give here is especially disconcerting.

    But are you specifically trying to get PM attention via the community forum here (not blaming you, just asking), or to follow their advice to file this as an "idea"?

    If the latter, the actual "ideation" area is here:
    https://community.broadcom.com/enterprisesoftware/ideation

    Best regards,
    Carsten


  • 3.  RE: We need a newer RA FTP Solution

    Posted Apr 22, 2020 07:37 AM

    Hi,

     

    Thank you for the answer.

    I followed the advice from Broadcom Support.

     

    Best regards,

    Debora

     

    Debora Flepp

    Inventx AG

    Automation / Monitoring Specialist

    Technology Services & Solutions

    +41 81 287 17 99


    ♥  For once, it is time to pause and say THANK YOU! Especially to all the professionals in healthcare. And we also thank everyone else who keeps our society supplied day after day. Inventx wants to make a contribution and is therefore supporting the "Spendenaktion Coronavirus" (coronavirus fundraising campaign) of Glückskette.






  • 4.  RE: We need a newer RA FTP Solution
    Best Answer

    Broadcom Employee
    Posted Apr 22, 2020 12:01 PM
    Hi @Debora Flepp
    We do have it on our list of topics to be addressed but it is not currently scheduled.
    Please create an ideation ticket and encourage others to vote for it as it all helps us to prioritise.

    Thank You
    David


    ------------------------------
    Head of Product Management, Automic Automation
    CA Technologies, A Broadcom Company
    ------------------------------



  • 5.  RE: We need a newer RA FTP Solution

    Posted Apr 22, 2020 12:16 PM
    Edited by Carsten Schmitz Apr 22, 2020 12:16 PM
    Apologies, but I cannot let this pass without a remark:

    After a cursory glance at the patch on GitHub, it looks to me (disclaimer: I may very well be wrong!) like this time it's just fixing an implementation fault that prevents key exchanges with some ecdsa-sha2-nistp* algorithms, meaning this won't connect, and falls back to potentially less secure methods (if available). Which already likely weakens security.

    But this might just as well have been an actual exploit fix. Crypto is hard!

    Imho, tracking security fixes in upstream releases is not an issue that should have to be voted for!

    Thanks,
    Carsten


    ------------------------------
    # signature.sh --verbose=[true|false]
    # no configurables beyond this point, only signature

    Does using the slide show widget for posting individual images spread Corona? Don't take the risk, use the "insert image" button in the editor!

    Did you know? I will NOT respond to PM asking for help unless there's an actual reason to keep the discussion off of the public forums!

    "Efficient Solutions Monthly Magazine" says: These contain very good advice on asking good questions. No, you do not need StackExchange for Automic, but asking questions the right way never hurts:

    http://www.catb.org/~esr/faqs/smart-questions.html

    https://www.chiark.greenend.org.uk/~sgtatham/bugs.html
    ------------------------------



  • 6.  RE: We need a newer RA FTP Solution

    Broadcom Employee
    Posted Apr 22, 2020 12:53 PM
    Fair comment - agreed on that.
    I will raise it and we will look to prioritise. 
    As I said, not currently planned so I can't commit to a date.

    David

    ------------------------------
    Head of Product Management, Automic Automation
    CA Technologies, A Broadcom Company
    ------------------------------



  • 7.  RE: We need a newer RA FTP Solution

    Posted Apr 27, 2020 05:22 AM
    Hello,
    I fully agree: I have asked for an FTP Agent upgrade several times since 2018. I also created an ideation. Please vote here:
    FTP Agent should support "http with connect method" proxy protocol

    Kind regards
    Hartwig



    ------------------------------
    Systemadministrator
    VW Financial Services Digital Solutions GmbH
    ------------------------------



  • 8.  RE: We need a newer RA FTP Solution

    Posted Jun 10, 2020 07:45 AM
    Hi @David Ainsworth

    Do you have news on this input?
    We have no news since April 2020.

    Thanks and regards
    Debora


  • 9.  RE: We need a newer RA FTP Solution

    Posted Apr 22, 2020 01:58 PM
    We are on 4.0.7 and it seems to be using SSH-2.0-JSCH-0.1.54 too.

    What sort of message text could I scan our reports for, to see if this is getting selected and causing a fallover?

    ------------------------------
    Pete
    ------------------------------



  • 10.  RE: We need a newer RA FTP Solution

    Posted Apr 27, 2020 06:46 AM
    I don't know if/how Automic RA agent logs this.

    The place where you could definitely see it is /var/log/secure or something like that on the remote side (possibly only after raising the debug level of sshd), but the caveat is that for this, you must either have access to the remote site, or know someone who does and takes a peek for you, or have access to a likewise test system that you yourself control.

    Hth,
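
The server-side check described in the post above, as an added example that is not part of the thread or of any Automic tooling: it groups sshd debug lines by process ID and reports which key exchange and host key algorithm each JSch client ended up with, or why negotiation failed. The log line formats are assumed from OpenSSH's sshd at LogLevel DEBUG (they differ between versions), and the sample log, host name and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure with sshd at LogLevel DEBUG.
# Line formats are assumed from OpenSSH and differ between versions.
SAMPLE_LOG = """\
Apr 27 06:40:01 sftp01 sshd[4101]: debug1: Client protocol version 2.0; client software version JSCH-0.1.54
Apr 27 06:40:01 sftp01 sshd[4101]: debug1: kex: algorithm: ecdh-sha2-nistp256 [preauth]
Apr 27 06:40:01 sftp01 sshd[4101]: debug1: kex: host key algorithm: ssh-rsa [preauth]
Apr 27 06:41:12 sftp01 sshd[4177]: debug1: Client protocol version 2.0; client software version OpenSSH_7.4
Apr 27 06:41:12 sftp01 sshd[4177]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Apr 27 06:41:12 sftp01 sshd[4177]: debug1: kex: host key algorithm: ecdsa-sha2-nistp521 [preauth]
Apr 27 06:42:30 sftp01 sshd[4203]: debug1: Remote protocol version 2.0, remote software version JSCH-0.1.54
Apr 27 06:42:30 sftp01 sshd[4203]: fatal: Unable to negotiate with 192.0.2.10 port 50122: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
"""

# Syslog prefix: capture the sshd PID and the message without its level tag.
LINE = re.compile(r"sshd\[(\d+)\]: (?:debug\d: |fatal: )?(.*)")
PATTERNS = {
    "client": re.compile(r"(?:client|remote) software version (\S+)", re.I),
    "kex": re.compile(r"^kex: algorithm: (\S+)"),
    "hostkey": re.compile(r"^kex: host key algorithm: (\S+)"),
    "failure": re.compile(r"^Unable to negotiate with \S+ port \d+: (.+?)\. Their offer:"),
}

def jsch_sessions(log_text, client_marker="JSCH"):
    """Return {sshd_pid: negotiated fields} for connections from JSch clients.

    Assumes one connection per sshd PID within the scanned log (no PID reuse).
    """
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        for field, rx in PATTERNS.items():
            hit = rx.search(msg)
            if hit:
                sessions[pid][field] = hit.group(1)
    # Keep only connections whose version banner identifies a JSch client.
    return {pid: s for pid, s in sessions.items()
            if client_marker in s.get("client", "")}

if __name__ == "__main__":
    for pid, s in jsch_sessions(SAMPLE_LOG).items():
        print(pid, s["client"], "kex=" + s.get("kex", "-"),
              "hostkey=" + s.get("hostkey", "-"), "failure=" + s.get("failure", "-"))
```
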


  • 11.  RE: We need a newer RA FTP Solution

    Posted May 20, 2020 04:08 AM
    The RA FTP Agent seems to be stuck at JDK 1.8 whereas the rest of the product has moved to AdoptOpenJDK 11. SFTP works but FTPS does not.

    Also the point that HTTP proxy could be used is a good one that would simplify and improve the security of many workflows.