Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Domino 9.0.1 FP6

Daniel Nashed  22 May 2016 21:55:43
Domino 9.0.1 FP6 has been released a while ago. I have installed it and I got positive feedback from customers already.

FP6 contains all the fixes from previous IFs and also the updated JVM Java60SR16FP20 which addresses a couple of security fixes.
Also the server controller interoperability issue is fixed. But for a client based connection you also need to update your admin client!

All the TLS fixes are also included and there is an additional fix for an issue in a TLS handshake.

SPR# MKINA3SPYN - Fixes an intermittent Domino Server crash in crypto code when VerifyMAC() is passed a bogus length.


There are many other potential crash issues and security issues that have been also fixed.
So it makes a lot of sense to install it on Server side.


In additional there are fixes that need notes.ini parameters.

The first fix is to bring back the pre Domino 9 behaviour for removing documents from the trash folder after the threshold expiered.
In Domino 8.5.x was checked on database open. With Domino 9 it is only checked with updall.

There is a new notes.ini parameter CHECK_EXPIRED_SOFT_DELETES_ON_DBOPEN=1 which brings back the previous behaviour.

SPR# HYYH9DF5GR - Fixes situation where emails in trash are not  removed even if "Permanently delete documents after X hours" is set. This fix introduced a new Notes.ini CHECK_EXPIRED_SOFT_DELETES_ON_DBOPEN=1. This is off be default.


There is also an ID-Vault fix which needs a notes.ini parameter. The notes.ini parameter is missing in the SPR description.

The fix introduced needs the this notes.ini parameter IDV_RefreshCerts=1
By default the parameter is disabled for performance reasons. You should only enable it when you are in a key-rollover project.

SPR# KLYH9ZDQNC -- IDVault Key Rollover State Can Be Incorrect Due to Timing Issue

http://www.ibm.com/support/docview.wss?uid=swg21976659&myns=swglotus&mynp=OCSSKTMJ&mync=E&cm_sp=swglotus-_-OCSSKTMJ-_-E




Comments

1Ben Rose  23.05.2016 16:05:24  Domino 9.0.1 FP6

I wouldn't say the server controller interoperability issue is fixed - it's very broken for me.

FP6 forces JVM Java60SR16FP20 to be installed on both server and client. This is fine if you have an FP6 client talking to an FP6 server but it doesn't work for anything else.

Once you upgrade your first server to FP6, you cannot connect to its console until you upgrade your admin client to FP6. Then you can't talk to your older servers.

I have a large server infrastructure with dozens of servers that simply cannot be upgraded overnight. In the interim period I can choose to be compatible with FP6 servers or pre-FP6 servers, but not both. FP6 isn't even compatible with FP5.

2Daniel Nashed  24.05.2016 6:29:08  Domino 9.0.1 FP6

@@Ben, there have been multiple issues with the controller. "Fixed" means that now it works again if you have the same version on client and server.

The issue is that MD5 has been disabled and should not be enabled again for security reasons. So there is no way that different versions can speak to each other.

You have to have two versions of clients until you updated all your servers. Before FP6 you had to be very carefully which update to install the JVM broke the server controller multiple times.

Now if you have the same version on client and server it works again without and additional tweaks. That's what I refer to when I say it is "fixed".

A work-around would be to use the remote console in some places.And yes I agree that this should have been coordinated in a better way, even the JVM is maintained by a completely different team in IBM.

3Daniel Nashed  24.05.2016 10:03:43  Domino 9.0.1 FP6

@Mike, the notes.ini settings are server side.

ID-Vault setting is on the vault server. And soft delete setting is on every server.

4Mike Ipkendanz  24.05.2016 10:06:27  Domino 9.0.1 FP6

Hi, if the setting for the server and client ? Or only on the server ?

5Miro Tankovic  24.05.2016 11:17:03  Domino 9.0.1 FP6

@Ben, I had exactly same problem with multiple server that cannot be upgraded at same time.

I copied jvm folder, dconsole*.*, java.policy and jconsole.exe files from upgraded FP6 client to my computer to different directory than my FP3 client installation.

Now I have two java consoles. One for FP6 servers and one for pre-FP6 servers.

6Lars Berntrop-Bos  24.05.2016 11:35:57  Domino 9.0.1 FP6

Any experience with the console on IBM i? At our site the admins have turned it off after several instances where the console process on the server would start hogging the CPU. I would love to be able to use it again...

7Daniel Nashed  24.05.2016 15:31:28  Domino 9.0.1 FP6

@Miro, great workaround ;-)

Thanks for sharing!


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]