Scenario
1. WebSphere Application Server and Java are patched as part of normal patching on the server where the ICN application is deployed.
2. After patching, attempts to view documents in the Daeja ViewONE virtual viewer result in an "Unable to deploy document: Annotations failed to load" error.
3. Sometimes the document renders only in thumbnails after the above error popup is closed.
I also gathered the following Daeja log on the server.
Daeja log analysis
ViewOnePlatform.navigator.tile> WebContainer : 9 14 Sep 2022, 16:27:21, BST (000005630/000000134): Unable send proxied annotation data
ViewOnePlatform.navigator.tile> WebContainer : 9 14 Sep 2022, 16:27:21, BST (000005631/000000001): Socket output is already shutdown
java.net.SocketException: Socket output is already shutdown
at com.ibm.jsse2.bj.getOutputStream(bj.java:128)
at com.ibm.ws.ssl.config.WSSocket.getOutputStream(WSSocket.java:193)
...
ViewOnePlatform.navigator.tile> WebContainer : 9 14 Sep 2022, 16:27:21, BST (000005633/000000001): 172.31.12.13
a768e50c-dc43-40ce-9326-dbf3b7827631 ViewOnePlatform.navigator.tile> WebContainer : 3 14 Sep 2022, 16:27:22, BST (000005724/000000091): jiURLUtils.parseURL: filename=https://myserver.internal.myorg.com:9445/navigator/jaxrs/cm/getDocument?docid=90%203%20ICM8%20ls03inte10%20BPM_Normal59%2026%20A1001001A19F25A92919I0000418%20A19F25A92919I000041%2014%201039&template_name=BPM_Normal&repositoryId=LS03INTE&version=current&security_token=-3094208152348265275, baseUrl=<None>, URL= https://myserver.internal.myorg.com:9445/navigator/jaxrs/cm/getDocument?docid=90%203%20ICM8%20ls03inte10%20BPM_Normal59%2026%20A1001001A19F25A92919I0000418%20A19F25A92919I000041%2014%201039&template_name=BPM_Normal&repositoryId=LS03INTE&version=current&security_token=-3094208154818265275
a768e50c-dc43-40ce-9326-dbf3b7827631 ViewOnePlatform.navigator.tile> WebContainer : 3 14 Sep 2022, 16:27:22, BST (000005727/000000003): traceNet: Client configuration processed.
a768e50c-dc43-40ce-9326-dbf3b7827631 ViewOnePlatform.navigator.tile> WebContainer : 9_unredacted+LS03INTE-90 3 ICM8 ls03inte10 BPM_Normal59 26 A1001001A19F25A92919I0000418 A19F25A92919I000041 14 1039-current- 14 Sep 2022, 16:27:22, BST (000005950/000000223): traceNet: AutoRedactionManager: GET Connected to icn://localhost/getContent?originalDocURL=https%3A%2F%2Fmyserver.internal.myorg.com%3A9445%2Fnavigator%2Fjaxrs%2Fcm%2FgetDocument%3Fdocid%3D90%25203%2520ICM8%2520ls03inte10%2520BPM_
50c-dc43-40ce-9326-dbf3b7827631 ViewOnePlatform.navigator.tile> WebContainer : 9 14 Sep 2022, 16:27:22, BST (000006091/000000141): Unable to retrieve document due to repository access error.
a768e50c-dc43-40ce-9326-dbf3b7827631 ViewOnePlatform.navigator.tile> WebContainer : 9 14 Sep 2022, 16:27:22, BST (000006117/000000026): 172.31.12.13
Cause
This issue is known to occur with the 8.0.x JDKs. To work around it in WebSphere, disable the RSAPSS and RSASSA-PSS algorithms by adding them to the list of com.ibm.websphere.tls.disabledAlgorithms for the server.
Resolution
- By default, WebSphere Application Server maintains an up-to-date list of algorithms that are disabled due to known vulnerabilities. To determine the current value of this list, check the SystemOut.log from the server right after startup for a message like the following example:
SSLConfigMana I CWPKI0051I: The process has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL]. The WebSphere Application server is setting the java security property jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].
Note: The list may be different depending on the WebSphere Application Server fixpack level, the contents of the java.security file, and the value of the com.ibm.websphere.tls.disabledAlgorithms property.
- Once you have the current value of the list from the CWPKI0051I message, navigate to the Security > Global Security > Custom Properties section of the WebSphere Administrative Console.
- If there is already a property defined with the name com.ibm.websphere.tls.disabledAlgorithms click it, and add RSAPSS, RSASSA-PSS to the comma-separated list in the value field.
If the property is not defined, then click New... and create a property named com.ibm.websphere.tls.disabledAlgorithms with a value equal to the comma-separated list from the CWPKI0051I message, with RSAPSS, RSASSA-PSS appended to it. For example, using the CWPKI0051I message shown in the first step, the new comma-separated list would be SSLv3, RC4, DH keySize < 768, MD5withRSA, RSAPSS, RSASSA-PSS.
- Click OK and save the change. Re-enable security from the Security > Global Security panel, then click OK and save again. Synchronize any nodes if you are running a Network Deployment environment, and then restart the environment for the changes to take effect.
- Now verify that documents open properly using Daeja ViewONE Virtual in the ICN environment.
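The list handling in the steps above can be scripted so that the value typed into the console keeps every entry already in the CWPKI0051I list. This is an added example, not IBM's code: the function names are hypothetical, and the sample log prefix and filler line are constructed around the message quoted on this page.

```python
import re

# Constructed sample: the CWPKI0051I text is the message quoted on this page;
# the timestamp/thread prefix and the filler line are made up for the example.
SAMPLE_SYSTEMOUT = (
    "[14/09/22 16:05:00:000 BST] 00000001 Example       I   unrelated startup line\n"
    "[14/09/22 16:05:01:000 BST] 00000001 SSLConfigMana I   CWPKI0051I: The process has "
    "the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, "
    "MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL]. "
    "The WebSphere Application server is setting the java security property "
    "jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].\n"
)

# Second bracketed list in the message: the value WebSphere is setting.
APPLIED = re.compile(
    r"CWPKI0051I:.*is setting the java security property "
    r"jdk\.tls\.disabledAlgorithms to \[([^\]]*)\]"
)
WORKAROUND = ("RSAPSS", "RSASSA-PSS")  # algorithms named in the Cause section


def split_list(value):
    """Split a comma-separated algorithm list into trimmed entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def applied_list(log_text):
    """Return the list from the most recent CWPKI0051I message in the log."""
    matches = [m for m in map(APPLIED.search, log_text.splitlines()) if m]
    if not matches:
        raise ValueError("no CWPKI0051I message found in the log text")
    return split_list(matches[-1].group(1))


def property_value(current, extra=WORKAROUND):
    """Current list with the workaround algorithms appended once each."""
    return ", ".join(current + [a for a in extra if a not in current])


def review(proposed, current, extra=WORKAROUND):
    """Return (entries dropped from the current list, workaround entries missing)."""
    have = set(split_list(proposed))
    return ([e for e in current if e not in have], [a for a in extra if a not in have])


if __name__ == "__main__":
    current = applied_list(SAMPLE_SYSTEMOUT)
    print(property_value(current))
    print(review("RSAPSS, RSASSA-PSS", current))
```

A non-empty first list from `review` means the proposed property value leaves out entries that the CWPKI0051I message showed as disabled.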