Could Not Generate DH Keypair error when using Database Utility to Migrate KFS Database
Issue
Despite TLS 1.1 and TLS 1.2 being enabled in the registry on both the KFS server and the DB server, the Kofax Front Office Server Database Utility fails to migrate the KFS database to a new instance of SQL Server, generating the following error in the DatabaseUtility.log:
2019-05-22 12:05:08,485 ERROR [6] Kofax.Common.Util.Automation.Tasks.ImportDataTask - com.microsoft.sqlserver.jdbc.SQLServerException -- The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.lang.RuntimeException: Could not generate DH keypair".
Cause
This issue is caused by a dependency on the old TLS 1.0 protocol in the Java Runtime Environment (JRE) version used by the KFS 4.1 Database Utility, which negotiates a Diffie-Hellman key length that is no longer supported by Windows. Most versions of Windows have been updated to disable TLS 1.0 and short Diffie-Hellman key lengths by default. Temporarily replacing the Java Runtime Environment installed by KFS with a newer version that supports TLS 1.2, and enabling the Diffie-Hellman key exchange algorithm in SCHANNEL (using the longer keys supported by TLS 1.2), allows the KFS Database Utility to connect to the database and perform the migration.
Solution
To resolve this issue in KFS 4.1.x:
- Download the latest version of Java 8 Runtime Environment for Windows x64 from https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
- Install Java 8 Runtime Environment using the downloaded executable.
- Navigate to C:\Program Files (x86)\Kofax\Front Office Server 4.1
- Rename the existing jre folder to jre-OLD.
- Navigate to C:\Program Files\Java and copy the newly installed jre1.8.0_xxx folder (where xxx is the build number of the installed version of Java 8 Runtime Environment).
- Paste the folder into C:\Program Files (x86)\Kofax\Front Office Server 4.1
- Rename the newly pasted folder from jre1.8.0_xxx to jre.
- Copy the sqljdbc_auth.dll file from the jre-OLD\bin folder to the jre\bin folder.
- Run regedit.exe.
- In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms
- Create a new key called Diffie-Hellman if one does not already exist.
- Right-click the Diffie-Hellman key, create a new DWORD value, and name it Enabled.
- Right-click Enabled and select Modify.
- Set the Value data to 1 and click OK.
- Run the KFS Database Utility: C:\Program Files (x86)\Kofax\Front Office Server 4.1\kfsService\Kofax.KFS.DatabaseUtility.exe
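The same JRE swap and registry change, as an added PowerShell example (not Kofax's own script), using the paths from this article; it assumes the new JRE was installed to the default C:\Program Files\Java location and that it is run from an elevated prompt on the KFS server.

```powershell
# Added example: automates the steps above on the KFS server. Run elevated.
$ErrorActionPreference = 'Stop'

$KfsRoot  = 'C:\Program Files (x86)\Kofax\Front Office Server 4.1'   # from the article
$JavaRoot = 'C:\Program Files\Java'                                   # default JRE install root
$KfsJre   = Join-Path $KfsRoot 'jre'
$OldJre   = Join-Path $KfsRoot 'jre-OLD'
$DhKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

# Locate the newly installed Java 8 JRE folder (jre1.8.0_xxx); pick the highest build.
$NewJre = Get-ChildItem -Path $JavaRoot -Directory -Filter 'jre1.8.0_*' |
          Sort-Object Name -Descending | Select-Object -First 1
if (-not $NewJre) { throw "No jre1.8.0_xxx folder found under $JavaRoot; install Java 8 JRE first." }

# Keep the JRE shipped with KFS so the change can be reverted after the migration.
if (Test-Path $OldJre) { throw "$OldJre already exists; a previous swap was not reverted." }
Rename-Item -Path $KfsJre -NewName 'jre-OLD'

# Copy the new JRE into the KFS folder under the name 'jre'.
Copy-Item -Path $NewJre.FullName -Destination $KfsJre -Recurse

# sqljdbc_auth.dll ships only with the original JRE; carry it over to the new one.
Copy-Item -Path (Join-Path $OldJre 'bin\sqljdbc_auth.dll') -Destination (Join-Path $KfsJre 'bin')

# Enable the Diffie-Hellman key exchange in SCHANNEL (create the key if it is missing).
if (-not (Test-Path $DhKey)) { New-Item -Path $DhKey -Force | Out-Null }
New-ItemProperty -Path $DhKey -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null

# Sanity checks: the swapped-in JRE should report 1.8.0 and Enabled should read 1.
& (Join-Path $KfsJre 'bin\java.exe') -version
Get-ItemProperty -Path $DhKey -Name 'Enabled' | Select-Object -ExpandProperty Enabled

# Run the Database Utility and wait for it to finish.
Start-Process -FilePath (Join-Path $KfsRoot 'kfsService\Kofax.KFS.DatabaseUtility.exe') -Wait
```

Because the article describes the JRE replacement as temporary, the original can be restored afterwards by removing the jre folder and renaming jre-OLD back to jre.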
This issue has been documented in TFS 887299 and resolved in the general release of KFS 4.3.
Level of Complexity
Moderate
Applies to
Product | Version | Build | Environment | Hardware |
---|---|---|---|---|
Kofax Front Office Server | 4.1 | All | N/A | N/A |
References
N/A
Article # 3031356