Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Daniel Nashed

Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

Daniel Nashed – 3 April 2015 06:15:05
As posted before, there is a compatibility issue for the jconsole / Java server controller introduced in 9.0.1 FP3.
IBM shipped a newer JVM in 9.0.1 FP3 with SSLv3 disabled. Previous versions used SSLv3 only, even though the JVM would have supported TLS 1.0.

So once you update your server but not your client, you cannot access your server over the server controller.
If you update your client but not your server, you run into the same issue the other way round.

The only solution was to have two separate clients for patched and unpatched servers.

Ben Rose got a solution for this issue from IBM after escalating the problem.

According to Ben there is a way to re-enable SSLv3 on your Notes client.

You can set the following system variable on your workstation to pass the parameter to the embedded JVM used for the jconsole.

Variable: JAVA_TOOL_OPTIONS
Value: -Dcom.ibm.jsse2.disableSSLv3=false

This should allow you to connect again from a 9.0.1 FP3 jconsole to 8.5.x, 9.0.1 and 9.0.1 FP3 servers.

Don't forget to remove the parameter once all your servers have been updated!

Thanks, Ben, for insisting on getting a solution and posting how to work around the issue!

-- Daniel



Comments

1. Ben Rose  23.06.2015 8:44:25  Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

FYI, this breaks again in R9.0.1 FP4

2. Ben Rose  17.07.2015 9:03:31  Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

IBM is now working on a fix for this in FP4 - more regression.

3. Ben Rose  20.07.2015 9:55:31  Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

Fix found.

Remove this line in the file JVM/lib/security/java.security:

jdk.tls.disabledAlgorithms=SSLv3
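
The post asks you to remove the workaround once all servers are updated. The following check, an added example that is not part of the original post or its comments, reports whether a workstation still has SSLv3 re-enabled through either the JAVA_TOOL_OPTIONS value from the post or the java.security edit from comment 3. The function names and sample inputs are constructed for illustration, and a missing jdk.tls.disabledAlgorithms line is treated as "SSLv3 enabled" because that is the effect comment 3 describes.

```python
import os
import re
import sys

# Workaround flag from the post (value compared case-insensitively).
ENV_FLAG = re.compile(r"-Dcom\.ibm\.jsse2\.disableSSLv3=false\b", re.IGNORECASE)

def env_reenables_sslv3(env):
    """True if JAVA_TOOL_OPTIONS still carries the workaround flag."""
    return bool(ENV_FLAG.search(env.get("JAVA_TOOL_OPTIONS", "")))

def disabled_algorithms(text):
    """Effective jdk.tls.disabledAlgorithms entries, or None if not set."""
    entries = None
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash continuations
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue  # comment or not a key=value line
        key, _, value = line.partition("=")
        if key.strip() == "jdk.tls.disabledAlgorithms":
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries  # a later definition overrides an earlier one

def audit(env, java_security_text):
    """List the SSLv3 re-enablement findings for one workstation."""
    findings = []
    if env_reenables_sslv3(env):
        findings.append("JAVA_TOOL_OPTIONS re-enables SSLv3")
    entries = disabled_algorithms(java_security_text)
    if entries is None:
        findings.append("jdk.tls.disabledAlgorithms line missing or commented out")
    elif "SSLv3" not in entries:
        findings.append("SSLv3 not listed in jdk.tls.disabledAlgorithms")
    return findings

# Constructed samples: the line from comment 3 is commented out, flag is set.
SAMPLE_JAVA_SECURITY = "# edited for jconsole\n#jdk.tls.disabledAlgorithms=SSLv3\n"
SAMPLE_ENV = {"JAVA_TOOL_OPTIONS": "-Xmx256m -Dcom.ibm.jsse2.disableSSLv3=false"}

if __name__ == "__main__":
    # With a path argument, audit this machine; otherwise use the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = audit(os.environ, fh.read())
    else:
        result = audit(SAMPLE_ENV, SAMPLE_JAVA_SECURITY)
    print("\n".join(result) or "no SSLv3 workaround found")
    sys.exit(1 if result else 0)
```

Run it with the path to the client's java.security file as the only argument; a non-zero exit status means at least one of the two workarounds is still in place.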
