Outbound Web Service Calls Fail With "Could not generate DH keypair"
Problem
Web Services are becoming more secure. When TLS 1.1 or 1.2 is required by the web service that is being called, an exception is thrown if ServiceNow is using the default SSLv3 or TLS 1.0. When creating or testing an Outbound SOAP or REST Message, a message indicating that the WSDL is unable to load.
Symptoms
Symptoms include.
The loaded Java version (i.e. 1.6 or 1.8) does not allow for TLS 1.1 or 1.2.
Resolution
ServiceNow Customer Support can upgrade the Java version of your instance. Open an incident with ServiceNow Customer Support. Include the exact error message you received and your Java version (obtained from xmlstats.do).
Symptoms include.
- Outbound web service calls fail
- javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
- Searching for the Java version in the page /xmlstats.do will show lines like the following, depending on the instance version:
<system.java.version type="info">1.6.0_xx</system.java.version>
<system.java.version type="info">1.8.0_152-snc2</system.java.version>
Cause
The loaded Java version (i.e. 1.6 or 1.8) does not allow for TLS 1.1 or 1.2.
For example, on the latest Jakarta patch the expected Java version should be:
<system.java.version type="info">1.8.0_161-snc1</system.java.version>
Resolution
ServiceNow Customer Support can upgrade the Java version of your instance. Open an incident with ServiceNow Customer Support. Include the exact error message you received and your Java version (obtained from xmlstats.do).
After the incident has been received and reviewed, a Change record is created and can be processed at the time of your choice.
| Warning: The instance is not taken down to implement the change, however, each node in the instance requires a restart. Any users currently logged into the node must re-authenticate, so it is best to schedule the change during a low use time period. |