When you deploy eDiscovery Manager, the deployment script changes some security settings in WebSphere Application Server. As a result, you cannot stop WebSphere Application Server and no SOAP connection is possible.
To solve this, apply the following settings BEFORE you install eDiscovery Manager.
This issue is known to occur with the 22.214.171.124 or later JDKs.
To work around it in WebSphere, disable the RSAPSS and RSASSA-PSS algorithms by adding them to the list of com.ibm.websphere.tls.disabledAlgorithms for the server.
You can see NullPointerException errors reported in FFDC files, or directly in the SystemOut.log.
Avoid Trouble: If you customized the com.ibm.websphere.tls.disabledAlgorithms property so that it is set with a value of “none”, then instead of the following steps the only change needed is to append “RSAPSS, RSASSA-PSS” to the comma-separated list value of the jdk.tls.disabledAlgorithms property in the JAVA_HOME/jre/lib/security/java.security file.
- In standalone WebSphere Application Server environments, there’s a good chance that the WebSphere Administrative Console is inaccessible when this issue occurs. To access the Administrative Console, first disable security by following the technote https://www.ibm.com/support/pages/node/127659.
- Next, obtain the current list of disabled algorithms in use from the logs. By default, WebSphere Application Server maintains an up-to-date list of algorithms that are disabled due to known vulnerabilities. To determine the current value of this list, check the server's SystemOut.log right after startup for the CWPKI0051I message, which looks like the following example:
SSLConfigMana I CWPKI0051I: The process has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL]. The WebSphere Application server is setting the java security property jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].
Note: The list may be different depending on the WebSphere Application Server fixpack level, the contents of the java.security file, and the value of the com.ibm.websphere.tls.disabledAlgorithms property.
- Once you have the current value of the list from the CWPKI0051I message, navigate to the Security > Global Security > Custom Properties section of the WebSphere Administrative Console.
- If there is already a property defined with the name com.ibm.websphere.tls.disabledAlgorithms click it, and add RSAPSS, RSASSA-PSS to the comma-separated list in the value field.
— OR —
If the property is not defined, then click New… and create a property named com.ibm.websphere.tls.disabledAlgorithms with a value equal to the comma-separated list from the CWPKI0051I message, with RSAPSS, RSASSA-PSS appended to the comma-separated list. For example, looking at the CWPKI0051I documented in step (1), the new comma-separated list would be:
SSLv3, RC4, DH keySize < 768, MD5withRSA, RSAPSS, RSASSA-PSS
- Click “OK” and save the changes.
- If you disabled security, re-enable security from the Security > Global Security panel, then click OK and Save again.
- Synchronize any nodes if you are running a Network Deployment environment, and then restart the environment for the changes to take effect.
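The following is an added example, not part of the original technote or of any IBM tooling: it derives the value for com.ibm.websphere.tls.disabledAlgorithms from the CWPKI0051I message as described in the steps above, taking the list WebSphere reports it is setting and appending RSAPSS and RSASSA-PSS only if they are missing. The function names are hypothetical and the sample log text is the message quoted on this page.

```python
import re

# Algorithms the page says to disable as the workaround.
REQUIRED = ["RSAPSS", "RSASSA-PSS"]

# Captures the list WebSphere reports it is *setting* (the second bracketed
# list in the message), not the value read from java.security.
_SETTING_RE = re.compile(
    r"CWPKI0051I:.*?is setting the java security property "
    r"jdk\.tls\.disabledAlgorithms to \[(?P<algs>[^\]]*)\]"
)


def effective_list(log_text):
    """Return the list from the last CWPKI0051I message, or None if absent."""
    matches = list(_SETTING_RE.finditer(log_text))
    if not matches:
        return None
    # The most recent startup is the last occurrence in the log.
    raw = matches[-1].group("algs")
    # Entries such as "DH keySize < 768" contain spaces but no commas.
    return [a.strip() for a in raw.split(",") if a.strip()]


def new_property_value(log_text):
    """Build the value to enter for com.ibm.websphere.tls.disabledAlgorithms."""
    algs = effective_list(log_text)
    if algs is None:
        raise ValueError("no CWPKI0051I message found in log text")
    present = {a.upper() for a in algs}
    for name in REQUIRED:
        if name.upper() not in present:  # do not add duplicates on a re-run
            algs.append(name)
    return ", ".join(algs)


# Constructed sample input: the CWPKI0051I message quoted on this page.
SAMPLE_LOG = (
    "SSLConfigMana I CWPKI0051I: The process has the java security property "
    "jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, "
    "DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL]. "
    "The WebSphere Application server is setting the java security property "
    "jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA]."
)

if __name__ == "__main__":
    print(new_property_value(SAMPLE_LOG))
```

Run it against the contents of your own SystemOut.log, because the list differs by fixpack level and java.security contents as noted above.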