Skip to main content

Could Not Generate DH Keypair error when using Database Utility to Migrate KFS Database

Article # 3031356 - Page views: 863


Despite TLS.1.1 and TLS 1.2 being enabled in the registry on the KFS server and the DB server, the Kofax Front Office Server Database Utility fails to migrate the KFS database to a new instance of SQL Server, generating the following error in the DatabaseUtility.log:

2019-05-22 12:05:08,485 ERROR [6] Kofax.Common.Util.Automation.Tasks.ImportDataTask - -- The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.lang.RuntimeException: Could not generate DH keypair".



This issue is caused by a dependency on the old TLS 1.0 protocol in the Java Runtime Environment (JRE) version that is used by the KFS 4.1 Database Utility, which uses a Diffie-Hellman key length that is no longer supported by Windows.  Most versions of Windows have been updated to disable TLS 1.0 and short Diffie-Hellman key lengths by default. Temporarily replacing the version of Java Runtime Environment installed by KFS with a new version that supports the newer TLS 1.2 protocol and enabling the Diffie-Hellman Key Exchange protocol (using the longer keys supported by TLS 1.2) will allow the KFS Database Utiltiy to connect to the database and perform the migration.



To resolve this issue in KFS 4.1.x:

  1. Download the latest version of Java 8 Runtime Environment for Windows x64 from
  2. Install Java 8 Runtime Environment using the downloaded executable
  3. Navigate to C:\ProgramFiles (x86)\Kofax\Front Office Server 4.1
  4. Rename the existing jre folder to jre-OLD
  5. Navigate to C:\Program Files\Java and copy the newly installed jre1.8.0_xxx folder (where xxx is the build number of the installed version of Java 8 Runtime Environment)
  6. Paste the folder into C:\Program Files (x86)\Kofax\Front Office Server 4.1
  7. Rename the newly pasted folder fromjre1.8.0_xxx to jre
  8. Copy the sqljdbc_auth.dll file from the jre-OLD\bin folder to the jre\bin folder.
  9. Run regedit.exe
  10. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms
  11. Create a new key called Diffie-Hellman if one does not already exist
  12. Right-click on the Diffie-Hellman key, create a new DWORD, and name it Enabled 
  13. Right-click Enabled and select Modify
  14. Set the Value data to 1 and click OK
  15. Run the KFS Database Utility:  C:\Program Files (x86)\Kofax\Front Office Server 4.1\kfsService\Kofax.KFS.DatabaseUtility.exe


This issue has been documented in TFS 887299 and resolved in the general release of KFS 4.3


Level of Complexity 



Applies to  

Product Version Build Environment Hardware
Kofax Front Office Server 4.1 All N/A N/A




Article # 3031356