Resolving Weak Diffie-Hellman Public Key Warning in Elasticsearch (ES)

Issue description

When performing a security scan or SSL configuration check on the EventLog Analyzer server, you may encounter the warning message:  
Weak Diffie-Hellman Public Key in ES
This indicates that the default ephemeral Diffie-Hellman (DH) key size used by Elasticsearch (ES) is lower than the recommended level, potentially reducing the strength of the SSL/TLS connection.

Possible causes

- The `ephemeralDHKeySize` used by the Java Virtual Machine (JVM) in Elasticsearch is set below 2048 bits.  
- Default ciphers in use are considered weak under certain security standards.

Prerequisites

Before applying the workaround:
- Ensure that you have elevated permissions on the server where EventLog Analyzer or the Elasticsearch node is installed, so that you can modify the wrapper.conf file.
- Stop the application and back up the configuration file before editing.
- Ensure that sufficient CPU is available on the machine, or consult your internal team about the CPU implications (larger key sizes increase CPU utilization).

Resolution

To increase the DH key strength to 2048 bits, follow these steps:

Step 1: Locate the wrapper.conf File
Depending on the deployment, the file is present at one of the following paths:

For builds below 13000:
- Local ES installation path:
  <Installation Directory>\<EventLog Analyzer>\ES\config\wrapper.conf
- Common ES installation path:
  <Installation Directory>\elasticsearch\ES\config\wrapper.conf
Some setups may use both Elasticsearch nodes. The ES directory location can be checked in System Diagnostics.

For build 13000 and above:
- ES installation path:
  <Installation Directory>\Log360\ES\config\wrapper.conf
The above path applies to both the primary installation and the log processors.

Step 2: Back Up the File
- Copy the wrapper.conf file from the <Installation Directory>\Log360\ES\config\ folder (or the path identified in Step 1) and paste it in another location to keep a backup of the file.

Step 3: Add the DH Key Size Property
Open the primary wrapper.conf file in a text editor with admin rights and add the following entry at the end of the file:
wrapper.java.additional.22=-Djdk.tls.ephemeralDHKeySize=2048
NOTE: Ensure there are no duplicate or conflicting entries for `ephemeralDHKeySize`, and that the index 22 is not already used by another `wrapper.java.additional.N` line in your file; if it is, use the next unused number in the sequence.

Step 4: Save and Restart Services
1. Save your changes.
2. Restart the EventLog Analyzer or Log360 service for the change to take effect.

Validation and Testing

- Re-run the security scan or SSL check.
- Confirm that the "Weak Diffie-Hellman Public Key" warning no longer appears.
- Monitor CPU usage during peak hours to ensure performance stability.
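Beyond re-running the scanner, the change can be verified directly. The following shell script is an added example (not part of this KB article or of the product): it checks that wrapper.conf carries exactly one, non-conflicting `ephemeralDHKeySize` entry with no reused `wrapper.java.additional.N` index, and it parses the DH size that OpenSSL's `s_client` reports for a live endpoint. The `host:port` argument, the sample config lines and the sample `s_client` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not ManageEngine's code): check the wrapper.conf edit from Step 3 and
# the DH size a live endpoint actually negotiates. Assumes OpenSSL's s_client is on PATH
# for the live probe; the SAMPLE_* strings are constructed, not captured from a real system.

# Indices used by more than one wrapper.java.additional.N line (each index must be unique).
dup_additional_indices() {
  sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | uniq -d
}

# Every ephemeralDHKeySize value set in the file, one per line (there should be exactly one).
dh_size_entries() {
  sed -n 's/^wrapper\.java\.additional\.[0-9][0-9]*=-Djdk\.tls\.ephemeralDHKeySize=\([^[:space:]]*\).*/\1/p' "$1"
}

# Succeeds only if no index is reused, ephemeralDHKeySize is set exactly once, and it is >= 2048.
conf_is_ok() {
  [ -z "$(dup_additional_indices "$1")" ] || return 1
  entries=$(dh_size_entries "$1")
  [ "$(printf '%s\n' "$entries" | grep -c .)" -eq 1 ] || return 1
  [ "$entries" -ge 2048 ] 2>/dev/null   # non-numeric values such as "legacy" fail here
}

# DH size (bits) from `openssl s_client` output on stdin; prints 0 when no DHE suite was negotiated.
dh_bits_from_sclient() {
  bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' | head -n 1)
  printf '%s\n' "${bits:-0}"
}

# Live check: force a TLS 1.2 DHE suite so the reported temp key is the DH group, not ECDHE.
probe_dh_bits() {
  openssl s_client -connect "$1" -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null | dh_bits_from_sclient
}

SAMPLE_CONF_OK='wrapper.java.additional.1=-Xms1g
wrapper.java.additional.22=-Djdk.tls.ephemeralDHKeySize=2048'
SAMPLE_CONF_BAD='wrapper.java.additional.22=-Xss1m
wrapper.java.additional.22=-Djdk.tls.ephemeralDHKeySize=2048'
SAMPLE_SCLIENT_WEAK='New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits'

# Demo on the constructed samples; point conf_is_ok at the real wrapper.conf and
# probe_dh_bits at the ES host:port (assumed values) to check a deployment.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONF_BAD" > "$tmp"
conf_is_ok "$tmp" && echo "wrapper.conf OK" || echo "reused index: $(dup_additional_indices "$tmp")"
rm -f "$tmp"
echo "negotiated DH size: $(printf '%s\n' "$SAMPLE_SCLIENT_WEAK" | dh_bits_from_sclient) bits"
```

A result of 0 from the probe means the server negotiated no DHE cipher suite at all (for example, only ECDHE), so there is no finite-field DH group to be weak.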

Notes

- Weak Diffie-Hellman or weak ciphers represent low-risk vulnerabilities in the EventLog Analyzer setup, as internal communication is still encrypted.
- Increasing the key size to 2048 bits will improve security but may slightly increase CPU load.
- Discuss performance implications internally before applying the change.

How to reach support

If you face performance issues or configuration challenges after applying this change, contact ManageEngine Support via the Support Portal.

Summary:
To resolve the *Weak Diffie-Hellman Public Key* warning, increase the DH key size to **2048 bits** in the `wrapper.conf` file and restart the EventLog Analyzer or Elasticsearch service. Always validate post-change and confirm CPU overhead before deployment.