Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Notes/Domino 9.0.1 FP3 - Java Console/Controller Incompatibility

Daniel Nashed  18 February 2015 10:35:44
As discussed before, it's not a good idea to completely disable SSLv3 too soon.
Notes/Domino 9.0.1 FP3 ships with a newer JVM version that completely disables SSLv3.
The Oracle team disabled SSLv3 by default, but the IBM JVM team completely removed SSLv3.

The Domino server controller and Server Console are based on Java and use the SSL/TLS stack for communication.
Domino before FP3 uses SSLv3 only -- I don't want to start any theories about why ...

The newer versions with FP3 and higher use TLS 1.0 only.

That means once you have updated your client, you cannot communicate via the server controller with an older server.
It also means that you cannot communicate from an older client once you have updated your server.

There is no easy workaround besides running two different clients.
Just using a different exe does not help because the main change is in the IBM JVM.
You could keep the old client binaries, clone the data directory, and run the jconsole from two different directories to avoid using two different workstations.

-- Daniel


References:

http://www.ibm.com/support/docview.wss?uid=swg21695943

And information from the release notes:

9.0.1 Fix Pack 3 updates the embedded Notes/Domino JVM to 1.6 SR16 FP2 to address security vulnerabilities. This release has all of the content from the recently released POODLE and POODLE on TLS vulnerabilities in one easy to install package that includes the content from Domino 9.0.1 Fix Pack 2 Interim Fix 3 and Notes 9.0.1 Fix Pack 2 Interim Fix 4.

JVM 1.6 SR16 FP2 disabled SSLv3 and instead communicates only over TLS. If the Domino server is upgraded to 9.0.1 Fix Pack 3 (which contains JVM 1.6 SR16 FP2), the Java Console attempts to connect over SSLv3 to the JVM layer on the Domino server, which will accept only TLS connections. Applying 9.0.1 Fix Pack 3 on both the Domino server and the Java Console client will remedy the situation. For additional information, see technote 1695943 - Domino Console fails to connect to remote server after upgrading Notes or Domino to 9.0.1 Fix Pack 3
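To confirm which side of a failing console connection still speaks SSLv3, the first bytes each peer sends (copied from a packet capture) are enough. The following is an added example, not code from the original post or from IBM: `describe_record` is a hypothetical helper, and the sample byte strings are constructed, cut down to the version fields, and do not claim to show the exact alert a Domino JVM sends.

```python
import struct

# Version numbers as they appear on the wire (SSL 3.0 spec, RFC 2246 and later).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def describe_record(data: bytes) -> str:
    """Summarise the first SSL/TLS record sent in one direction of a connection."""
    if len(data) < 5:
        return "truncated record header"
    # Record header: content type, version major/minor, body length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return "truncated record body"
    record_ver = VERSIONS.get((major, minor), f"unknown {major}.{minor}")
    if ctype == 22 and len(body) >= 6 and body[0] in (1, 2):
        # Handshake header is type (1 byte) + length (3 bytes); the hello version follows.
        kind = "ClientHello offers" if body[0] == 1 else "ServerHello selects"
        hello = VERSIONS.get((body[4], body[5]), f"unknown {body[4]}.{body[5]}")
        return f"{kind} {hello}"
    if ctype == 21 and length == 2:
        # Unencrypted alert: level (1 warning, 2 fatal) and description.
        level = "fatal" if body[0] == 2 else "warning"
        name = ALERTS.get(body[1], f"alert {body[1]}")
        return f"{level} alert {name} ({record_ver} record)"
    return f"content type {ctype} ({record_ver} record)"


def _record(ctype: int, version: tuple, body: bytes) -> bytes:
    """Build a record for the constructed samples below."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


# Constructed samples (not captured traffic), hello bodies truncated after the version.
OLD_CONSOLE_HELLO = _record(22, (3, 0), b"\x01\x00\x00\x02\x03\x00")  # pre-FP3 console
FP3_CONSOLE_HELLO = _record(22, (3, 1), b"\x01\x00\x00\x02\x03\x01")  # FP3 console
SAMPLE_FATAL_ALERT = _record(21, (3, 1), b"\x02\x28")  # assumed reply from a TLS-only peer

if __name__ == "__main__":
    for sample in (OLD_CONSOLE_HELLO, FP3_CONSOLE_HELLO, SAMPLE_FATAL_ALERT):
        print(describe_record(sample))
```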


Comments

1 Ben Rose  01.04.2015 16:34:06  Notes/Domino 9.0.1 FP3 - Java Console/Controller Incompatibility

Two months, many escalations and one critsit later, we discover there was a solution available all along.

From support:

Per 9.0.1 FP3 SSL is disabled in the JVM, it is possible to enable this by setting the following system property:

com.ibm.jsse2.disableSSLv3=false

This is documented in

{ Link }

The jconsole application uses an embedded JVM invoked via JNI so it is not possible to pass the above via the command line when starting jconsole. However, there is a general parameter that can be used to specify additional arguments when invoking embedded JVMs via JNI and one can set this as environment variable. Set the following as system variable on the workstation used to administer the servers:

Variable: JAVA_TOOL_OPTIONS

Value: -Dcom.ibm.jsse2.disableSSLv3=false

Tested and am able to connect from a 9.0.1FP3 jconsole to both 85x, 9.0.1 and 9.0.1FP3 servers.

