Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

Notes & Domino 9.0.1 FP7 shipped

Daniel Nashed  14 September 2016 10:07:02
Notes and Domino 9.0.1 FP7 has shipped with quite a number of important fixes.

- The JVM was updated to the current quarterly release replacing the JVM patches that came out since FP6.

- There are stability fixes which include many areas including Compact, Archiving API, iNotes, DXL and also some important security fixes.


In one client SPR even ADFS 3.0 is mentioned so maybe we can hope that we get full ADFS 3.0 at some point in one of the next FPs - which is high on my priority list since most new ADFS customer installations require ADFS 3.0.


Oh I almost missed an important platform update. Citrix XenApp 7.7 is now supported since FP7 which was missing for many customers!



Beside all those fixes which are a good reason to deploy FP7 there are two SPRs that I want to highlight.

-- Important Linux 64bit Fix --


The first SPR deals with a really bad issue that made IBM ship a separate new build of 9.0.1 to customers who ran into the issue.

The fix needed a complete rebuild all Domino binaries/core components (because a central structure was affected) and could not be shipped in a normal FP. IBM found a way to address this issue in a FP!

It is listed in the Fixlist under "Sametime" but the issue occurred in most cases in high load HTTP environments.

In case you are running the special downloaded new 64bit compile you can now switch back to the standard builds (see more detailed information below).

SPR# KBRN9Q7EZW - Fixed a Domino Linux 64-bit server crash or instability caused by duplicate thread ids.
This is described in technote #1976013 and previously required a special Domino Linux 64-bit build to be provided.
Now applying this Fixpack on Domino 9.0.1 will address the issue. Customers who previously received the special Domino Linux 64-bit build should uninstall it, re-install 9.0.1 Gold, followed by 9.0.1 FP7 or higher.



-- AES and SHA-2 Support for Network Port Encryption --


Dave Kern presented in Orlando already plans to update NRPC port encryption which have been planned for at that point 9.0.2.


The new port encryption made it into FP7. If your client and server are both running FP7 or higher.

Update 14.9.2016 19:00

There is a new Technote describing all the details including two new settings plus one new debug setting.

TN -> http://www.ibm.com/support/docview.wss?uid=swg21990283

PORT_ENC_ADV
controls the level of port encryption and enables the use of AES tickets.

TICKET_ALG_SHA
controls which cryptographic algorithm to use when constructing tickets. HMAC-SHA 256 is enabled by default.

There is also one new debug setting DEBUG_PORT_ENC_ADV=1 which will enable debug for the new port encryption.


I have upgraded my client and server and got the following with PORT_ENC_ADV on server side.
In my previous test I wasn't aware that I had this parameter already in my notes.ini.
But the parameter is required for the new encryption. The SH256 based signature algorithms are enabled by default.


SPR# DKEN9N5PVK
- Network port encryption now supports AES and SHA-2


FP 6


Authenticate {1B3F0009}: CN=xyz/OU=Srv/O=NashCom-Net

T:
RC2:128 E:1:  P:c:e S:RC4:128 A:4:1 L:N:N:N FS:

FP 7


Authenticate {1B3F0002}: CN=xzy/OU=Srv/O=NashCom-Net

T:
AES:128 E:1:  P:c:e S:AES-GCM:256 A:2:1 L:N:N:N FS:DHE-2048

So it looks like the cipher implemented is: DHE-RSA-AES128-GCM-SHA256 with a DHE size of 2048.


(You see the output with notes.ini log_authentication=1)


-- Daniel

Comments

1Uwe Brahm  15.09.2016 8:00:16  Notes & Domino 9.0.1 FP7 shipped

FP7 seems to break iNotes. Can someone confirm this?

2David Schiffer  15.09.2016 11:38:54  Notes & Domino 9.0.1 FP7 shipped

I can confirm

You can use an old forms9.nsf from any fixpack 6 installation (or backup)

I did it that way.

Probably the issue only occurs on German OS (decimal separator , instead of .)

see here: { Link }

3Lars Berntrop-Bos  16.09.2016 6:49:04  Notes & Domino 9.0.1 FP7 shipped

Uhm, David, lots of locales besides German have a comma instead of a period as decimal separator.

4Daniel Nashed  16.09.2016 8:50:55  Notes & Domino 9.0.1 FP7 shipped

@Lars, from my testing I can only say that German is broken. I did not test other languages.

Yes of course if the comma is the problem, many other languages are also affected!

-- Daniel

5Jan Böjeryd  18.09.2016 19:22:19  Notes & Domino 9.0.1 FP7 shipped

I can confirm that the bug affects the Swedish locale as well. Reverted to FP6 and eagerly waiting for a fix.

6Beat  21.09.2016 8:17:42  Notes & Domino 9.0.1 FP7 shipped

After installing on 2 different clients I had both times the error 'Error loading use or uselsx: *javacon' when starting Notes and again when opening mail, closing etc - one client was German FP6 other was English admin&designer. Tried with renaming workspace, didn't work, reverted to FP6.

7Daniel Nashed  22.09.2016 20:13:06  Notes & Domino 9.0.1 FP7 shipped

@Beat, works for me. My client just started. I have no customer yet who updated.

Anyone?

8Alex Novak  11.10.2016 14:15:42  Notes & Domino 9.0.1 FP7 shipped

A Customer last week informed me of another BUG with FP7. If you have activated the AES port encryption (PORT_ENC_ADV=1+) - registering of new users into the ID Vault is no longer possible. You get an error message that the IDs could not be upload to vault (all other register processes are finished w/o errors). This is reproducable - just deactivate AES port encryption and try the register process again. Do not use AES port encryption on your vault servers until fix is presented.

9Franz Stadler  24.11.2016 8:12:33  Notes & Domino 9.0.1 FP7 shipped

@Alex Novak, does there already exist a APAR / SPR for this problem?

10Franz Stadler  24.11.2016 8:14:16  Notes & Domino 9.0.1 FP7 shipped

@Alex Novak, just saw the post from Daniel from 12 October 2016 12:45:24.

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]