EEM's SSL Certificate Chain Contains RSA Keys Less Than 2048 bits

Article ID: 271806

Products

CA Process Automation Base

Issue/Introduction

We are receiving the following error message on our security scan report relating to port 5250: 

"SSL Certificate Chain Contains RSA Keys Less Than 2048 bits"

Environment

Release : 4.3

Resolution

If the finding is for ports 5250 and/or 509, it relates to the EEM connection, and you need to address it with the following steps:

Regenerate the EEM certificates with a 2048-bit key length and reregister the PAM application with EEM.

Steps to regenerate the EEM certificate:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/other/Embedded-Entitlements-Manager/12-6/configuring/certificates-with-custom-key-length-for-ca-eem-server/how-to-generate-the-certificates/generate-the-certificates.html

Steps to reregister the PAM with EEM:
1. Stop the Orchestrator service.
2. Run the PAM installer.
3. Select "Configure existing installation".
4. In the EEM settings, register the application again.
5. Once the installation has completed successfully, start the Orchestrator service.

Perform these steps on all nodes if it is a cluster environment.

Please note that if you have any CP patches applied, then after performing the above steps (1-4) you need to apply the CP before starting the Orchestrator service.

As a best practice, first test these steps in your Dev/Test environment before production.
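
To confirm the result before the next scan, the chain presented on the EEM port can be checked for RSA key length. The script below is an added example, not part of the Broadcom procedure; it assumes the `openssl` command-line tool is installed, and the host name in the usage comment is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: list the RSA key size of every certificate in a PEM chain.
MIN_BITS=2048   # threshold taken from the scanner finding

# fetch_chain HOST [PORT]: print the chain the server presents (default 5250).
fetch_chain() {
    openssl s_client -connect "$1:${2:-5250}" -showcerts </dev/null 2>/dev/null
}

# chain_key_bits: read PEM certificates on stdin (other text is ignored),
# print "<index> <bits> <subject>" for each, and return 1 if any RSA key
# is shorter than MIN_BITS.
chain_key_bits() {
    local tmp f text bits subj idx=0 weak=0
    tmp=$(mktemp -d) || return 2
    # Split the input into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", d, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }'
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || break
        text=$(openssl x509 -in "$f" -noout -text)
        subj=$(openssl x509 -in "$f" -noout -subject)
        bits=$(printf '%s\n' "$text" |
               sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        echo "$idx ${bits:-unknown} $subj"
        # Only RSA keys are compared; a 256-bit EC key is not an RSA finding.
        if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
           [ "${bits:-0}" -lt "$MIN_BITS" ]; then
            weak=1
        fi
        idx=$((idx + 1))
    done
    rm -rf "$tmp"
    return "$weak"
}

# Usage (eem.example.internal is a placeholder host name):
#   fetch_chain eem.example.internal 5250 | chain_key_bits || echo "weak RSA key in chain"
```

Run it against every node in a cluster, since each node presents its own certificate.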