Outbound Web Service Calls Fail With "Could not generate DH keypair"

Web Services are becoming more secure. When TLS 1.1 or 1.2 is required by the web service that is being called, an exception is thrown if ServiceNow is using the default SSLv3 or TLS 1.0. When creating or testing an Outbound SOAP or REST Message, a message indicating that the WSDL is unable to load. 

Symptoms

Symptoms include:

• Outbound web service calls fail:

  javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair

• Searching for the Java version in the page /xmlstats.do will show lines like the following, depending on the instance version:
  

  <system.java.version type="info">1.6.0_xx</system.java.version>
  <system.java.version type="info">1.8.0_152-snc2</system.java.version>

The loaded Java version (i.e. 1.6 or 1.8) does not allow for TLS 1.1 or 1.2.

For example, on the latest Jakarta patch the expected Java version should be:

<system.java.version type="info">1.8.0_161-snc1</system.java.version>

ServiceNow Customer Support can upgrade the Java version of your instance. Open a case with Technical Support. Include the exact error message you received and your Java version (obtained from xmlstats.do). 

After the case has been received and reviewed, a Change record is created and can be processed at the time of your choice.

Warning: The instance is not taken down to implement the change, however, each node in the instance requires a restart. Any users currently logged into the node must re-authenticate, so it is best to schedule the change during a low use time period.