

Last date modified: September 30 2025
This document provides troubleshooting steps for common prerequisites such as port configuration and Secret Store access.
The following table summarizes the default ports used by the Elastic Stack and Environment Watch components.
Component | Port | Protocol | Inbound | Outbound | Purpose |
---|---|---|---|---|---|
Elasticsearch | 9200 | HTTP/HTTPS | ✅ | ✅ | Client communication and REST API |
Elasticsearch | 9300 | TCP | ✅ | ✅ | Inter-node communication |
Kibana | 5601 | HTTP/HTTPS | ✅ | | Kibana web interface |
APM Server | 8200 | HTTP/HTTPS | ✅ | | APM agent data ingestion |
OTEL Collector | 4318 | HTTP | | | OTLP data reception (HTTP) for local traffic (localhost). This deployment uses the agent model, with a collector on each server. See the OpenTelemetry agent documentation for more details. |
Check if Ports are in Use: Verify that ports 9200 and 9300 are listening.
netstat -an | findstr ":9200"
netstat -an | findstr ":9300"
TCP 0.0.0.0:9200 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9300 0.0.0.0:0 LISTENING
Identify Conflicting Processes: If a port is in use by another application, identify the process.
Get-NetTCPConnection -LocalPort 9200 -State Listen
Get-NetTCPConnection -LocalPort 9300 -State Listen
Test Elasticsearch Connectivity:
curl.exe -k -u <username>:<password> -X GET "https://<hostname_or_ip>:9200/"
Verify Network Binding:
Check the C:\elastic\elasticsearch\config\elasticsearch.yml configuration:
network.host: 0.0.0.0 # For all interfaces
Check if Port is in Use:
netstat -an | findstr ":5601"
TCP 0.0.0.0:5601 0.0.0.0:0 LISTENING
Test Kibana Connectivity:
(curl.exe -s -k -u <username>:<password> -X GET "http://<hostname_or_ip>:5601/api/status" | ConvertFrom-Json).status.overall | ConvertTo-Json -Depth 10
Verify Network Binding:
Check the C:\elastic\kibana\config\kibana.yml configuration:
server.host: "0.0.0.0" # For all interfaces
Check if Port is in Use:
netstat -an | findstr ":8200"
TCP 0.0.0.0:8200 0.0.0.0:0 LISTENING
Test APM Server Connectivity:
curl.exe -k "http://<hostname_or_ip>:8200/"
{
"build_date": "...",
"build_sha": "...",
"publish_ready": true,
"version": "8.17.3"
}
Verify Network Binding:
Check the C:\elastic\apm-server\apm-server.yml configuration:
host: "0.0.0.0:8200"
The otelcol-relativity.exe process is running, but no data is being sent.
Check if Port is in Use:
This port is used by the OpenTelemetry Collector to receive data. The Relativity Environment Watch service must be running.
netstat -an | findstr ":4318"
TCP 0.0.0.0:4318 0.0.0.0:0 LISTENING
You can also use Get-NetTCPConnection:
Get-NetTCPConnection -LocalPort 4318 -State Listen
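The per-port checks above can be run in one pass. The following is an added example, not part of the original page: it reads the ports from the table, reports the bound address and owning process for each listener, and notes wildcard bindings. The function name Get-PortAudit and the Scope field are this example's own.

```powershell
# Ports come from the table above; Scope is this example's own annotation of each row.
$expected = @(
    [pscustomobject]@{ Component = 'Elasticsearch';  Port = 9200; Scope = 'remote' }
    [pscustomobject]@{ Component = 'Elasticsearch';  Port = 9300; Scope = 'remote' }
    [pscustomobject]@{ Component = 'Kibana';         Port = 5601; Scope = 'remote' }
    [pscustomobject]@{ Component = 'APM Server';     Port = 8200; Scope = 'remote' }
    [pscustomobject]@{ Component = 'OTEL Collector'; Port = 4318; Scope = 'local' }
)

function Get-PortAudit {
    param([object[]]$Ports = $expected)
    foreach ($p in $Ports) {
        $listeners = @(Get-NetTCPConnection -LocalPort $p.Port -State Listen -ErrorAction SilentlyContinue)
        if ($listeners.Count -eq 0) {
            # Nothing bound: the service is stopped or configured for another port
            [pscustomobject]@{ Component = $p.Component; Port = $p.Port; Address = $null
                               Process = $null; Finding = 'NOT LISTENING' }
            continue
        }
        foreach ($l in $listeners) {
            # OwningProcess identifies which application holds the port
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            $wildcard = $l.LocalAddress -in '0.0.0.0', '::'
            $finding = if ($wildcard -and $p.Scope -eq 'local') {
                'All interfaces, but the table lists localhost traffic; confirm it is not exposed'
            } elseif ($wildcard) {
                'All interfaces; exposure depends on firewall scope'
            } else {
                'Bound to a specific address'
            }
            [pscustomobject]@{ Component = $p.Component; Port = $p.Port; Address = $l.LocalAddress
                               Process = "$($proc.ProcessName) (PID $($l.OwningProcess))"; Finding = $finding }
        }
    }
}

Get-PortAudit | Format-Table -AutoSize
```

A process name that does not match the expected component on a row indicates a port conflict.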
Ensure that Windows Firewall or any other network security software is not blocking the required ports. You may need to create inbound rules to allow traffic on these ports.
Example for Kibana (port 5601):
New-NetFirewallRule -DisplayName "Kibana Web Interface" -Direction Inbound -Protocol TCP -LocalPort 5601 -Action Allow
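The rule above allows the port from any source address. As an added example (not part of the original page), the same rule can be created for each inbound port in the table with the source restricted; the subnet, node addresses, rule names other than the Kibana one, and the choice of the Domain profile are constructed assumptions to replace with your own values.

```powershell
# Constructed values: replace with the networks that actually need access.
$adminSubnet  = '10.20.0.0/24'               # hypothetical analyst/agent network
$clusterNodes = '10.20.1.11', '10.20.1.12'   # hypothetical Elasticsearch node addresses

# Port 4318 is omitted: the table lists it for localhost traffic only,
# so no rule admitting other hosts is created for it.
$rules = @(
    @{ Name = 'Elasticsearch REST API';  Port = 9200; From = $adminSubnet }
    @{ Name = 'Elasticsearch Transport'; Port = 9300; From = $clusterNodes }
    @{ Name = 'Kibana Web Interface';    Port = 5601; From = $adminSubnet }
    @{ Name = 'APM Server Ingestion';    Port = 8200; From = $adminSubnet }
)

foreach ($r in $rules) {
    # Do not stack duplicates on top of an existing (possibly broader) rule
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($r.Name)' already exists; review its scope instead of adding another."
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
        -LocalPort $r.Port -RemoteAddress $r.From -Profile Domain -Action Allow | Out-Null
}

# Show the source addresses each rule admits
foreach ($r in $rules) {
    $filter = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $r.Name; Port = $r.Port; RemoteAddress = $filter.RemoteAddress -join ', ' }
}
```

A RemoteAddress of Any in the final output means the rule accepts connections from every network the host can be reached on.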
Use Test-NetConnection to verify that a remote server can reach the port.
Test-NetConnection -ComputerName <hostname_or_ip> -Port <port_number>
ComputerName : <hostname_or_ip>
RemoteAddress : <ip>
RemotePort : <port_number>
TcpTestSucceeded : True
Verify that the Secret Store host is reachable on port 443.
Test-NetConnection -ComputerName <hostname_or_ip> -Port 443
ComputerName : <hostname_or_ip>
RemoteAddress : <ip>
RemotePort : 443
TcpTestSucceeded : True
Open an elevated PowerShell and run the following command to list secrets and retrieve connection details:
& "C:\Program Files\Relativity Secret Store\Client\secretstore.exe" secret list /
The output will look similar to:
Secret Store URL: https://<hostname_or_ip>:9090/
Client Certificate Thumbprint: 20F8F2516EC86EBF993075F64B0C6EA6777A4F83
Copy the Client Certificate Thumbprint and Secret Store URL from the output.
To check the seal status of the Secret Store, run the following script in an elevated PowerShell ISE.
Replace <insert-secret-store-client-certificate-thumbprint-here> with the thumbprint you copied.
Replace <insert-secret-store-url-here> with the URL you copied.
$thumbprint = "<insert-secret-store-client-certificate-thumbprint-here>"
$url = "<insert-secret-store-url-here>"

# Find the client certificate in the LocalMachine\My store
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
$store.Close()
if (-not $cert) {
    Write-Error "Certificate with thumbprint $thumbprint not found."
    return
}

# Check the seal status; trim the trailing slash of the copied URL so the path has no double slash
$response = Invoke-RestMethod -Uri "$($url.TrimEnd('/'))/v1/sys/seal-status" -Certificate $cert
$response | ConvertTo-Json
{
"type": "shamir",
"initialized": true,
"sealed": false,
"t": 3,
"n": 5,
"progress": 0,
"nonce": "",
"version": "1.6.2",
"migration": false,
"cluster_name": "secret-store",
"cluster_id": "...",
"recovery_seal": false,
"storage_type": "raft"
}
Verify Secure URL
Install SSL Certificate in Trusted Store
If your browser shows a "not secure" warning when accessing the Elasticsearch URL, you may need to install the certificate into your trusted store.
In your browser, view the certificate details and export the root certificate authority (CA) certificate. Save it to a local directory.
Double-click the downloaded certificate file and click Install Certificate.
Select Place all certificates in the following store, click Browse, and select Trusted Root Certification Authorities. Click OK, then Next, and Finish.
To confirm, open the Microsoft Management Console (MMC): mmc.exe.
Expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates and verify your certificate is listed.
Close your browser and reopen the Elasticsearch URL. It should now show as secure.
Verify Certificate Path in elasticsearch.yml
Ensure the elasticsearch.yml file points to the correct certificate files.
C:\elastic\elasticsearch\config\elasticsearch.yml:
xpack.security.transport.ssl:
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
Check Elasticsearch Logs for SSL Errors
Check the elasticsearch.log file in C:\elastic\elasticsearch\logs\ for any SSL-related errors.
The HTTP request submitted to the server https://<hostname>:9200/ failed because of an unexpected error. Verify the server is accessible and URL is correct. Check the logs for more details or refer to the following troubleshooting guide.
The machine's .NET Framework is not configured to use strong cryptography, preventing it from negotiating a secure connection with modern servers that require TLS 1.2 or higher. By default, some .NET applications may attempt to use older, insecure TLS versions. Elasticsearch supports only TLSv1.2 and TLSv1.3 by default, so these connections fail.
To resolve this, the .NET Framework on the machine must be configured to use the system's default security protocols, which allows it to use newer versions like TLS 1.2/1.3.
Verify TLS Settings:
Open Registry Editor: Press Win + R, type regedit, and press Enter.
Navigate to .NET Framework Registry Keys: A new value will need to be added in two locations.
Create the SchUseStrongCrypto Value: Name the new value SchUseStrongCrypto. Set its value data to 1. Click OK.
Note: This registry key forces .NET 4.x applications to use strong cryptography, enabling support for newer TLS versions.
Reboot the System:
Verify the Fix:
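A read-only check of the SchUseStrongCrypto setting, as an added example that is not part of the original page. It assumes the two locations are the standard 64-bit and 32-bit .NET Framework 4.x keys documented by Microsoft (the page's own list of locations is not shown here); the function name Get-StrongCryptoState is this example's own.

```powershell
# Assumption: the standard .NET Framework 4.x keys (64-bit and 32-bit registry views).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-StrongCryptoState {
    param([string[]]$Path = $keys)
    foreach ($k in $Path) {
        $value = $null
        if (Test-Path $k) {
            # Returns $null when the value has never been created under this key
            $value = (Get-ItemProperty -Path $k -Name SchUseStrongCrypto `
                        -ErrorAction SilentlyContinue).SchUseStrongCrypto
        }
        [pscustomobject]@{
            Key                = $k
            SchUseStrongCrypto = if ($null -eq $value) { 'not set' } else { $value }
            Compliant          = ($value -eq 1)
        }
    }
}

$state = @(Get-StrongCryptoState)
$state | Format-Table -AutoSize

if ($state.Compliant -contains $false) {
    # A single missing key leaves either 32-bit or 64-bit .NET clients on the old defaults
    Write-Warning 'SchUseStrongCrypto is not 1 in every location; some .NET 4.x clients may still offer only older TLS versions.'
}

# Windows PowerShell 5.1 is itself a .NET Framework 4.x client, so in a session
# started after the reboot this shows the protocols such a client will offer.
[Net.ServicePointManager]::SecurityProtocol
```

The script only reads the registry, so it can be run before and after the change to compare results.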