Security Vulnerability - Diffie-Hellman group smaller than 2048 bits


Article ID: 223482


Updated On:


CA Identity Manager


CA-IDM Application Server has the following vulnerability 

Vulnerability details:

The TLS server uses a Diffie-Hellman group with a prime modulus of less than 2048 bits in length. Current estimates are that that an academic team can break a 768-bit prime and that a state-level actor can break a 1024-bit prime.

Recommended solution:

Use a Stronger Diffie-Hellman Group

Please refer to this  guide to deploying Diffie-Hellman for TLS (  for instructions on how to configure the server to use 2048-bit or stronger Diffie-Hellman groups with safe primes.

How to remediate this vulnerability.




This is due to Diffie-Hellman group encipher vulnerability 


Release : Identity Manger 14.3

Component : Wildfly 8.2 

                      Windows 2016


This can be done through Application or JVM level

For application level, please refer solution from Redhat ( Subscription required)

From JVM level

by update 

Or adding -Djdk.tls.ephemeralDHKeySize=2048 as a JVM option argument and restart IDM