Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

    Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

    Daniel Nashed  3 April 2015 08:15:05
    As posted before there is a compatibility for the jconsole / Java server controller introduced in 9.0.1 FP3.
    IBM shipped a newer JVM in 9.0.1 FP3 with SSLv3 disabled. Previous versions used SSLv3 only even the JVM would have supported TLS 1.0.

    So once you update your server but not your client you cannot access your server over the server controller.
    If you update your server but not your client you are running in the same issue the other way round.

    The only solution was to have two separate clients for patched and unpatched servers.

    Ben Rose got a solution for this issue from IBM after escalating the problem.

    According to Ben there is a way to re-enable SSLv3 on your Notes client.

    You can set the following system variable on your workstation to pass the parameter to the embedded JVM used for the jconsole.

    Variable: JAVA_TOOL_OPTIONS
    Value: -Dcom.ibm.jsse2.disableSSLv3=false

    This should allow you to connect again from a 9.0.1FP3 jconsole to both 85x , 9.0.1 and 9.0.1FP3 servers.

    Don't forget to remove the parameter once all your servers have been updated!

    Thanks Ben for insisting getting a solution and posting how to work-around the issue!

    -- Daniel



    Comments

    1Ben Rose  23.06.2015 10:44:25  Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

    FYI, this breaks again in R9.0.1 FP4

    2Ben Rose  17.07.2015 11:03:31  Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

    IBM now working on a fix for this in FP4 - more regression.

    3Ben Rose  20.07.2015 11:55:31  Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

    Fix found.

    remove this line in the file JVM/lib/security/java.security

    jdk.tls.disabledAlgorithms=SSLv3

    Archives


    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]