Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3
Daniel Nashed – 3 April 2015 06:15:05
As posted before there is a compatibility for the jconsole / Java server controller introduced in 9.0.1 FP3. IBM shipped a newer JVM in 9.0.1 FP3 with SSLv3 disabled. Previous versions used SSLv3 only even the JVM would have supported TLS 1.0.
So once you update your server but not your client you cannot access your server over the server controller.
If you update your server but not your client you are running in the same issue the other way round.
The only solution was to have two separate clients for patched and unpatched servers.
Ben Rose got a solution for this issue from IBM after escalating the problem.
According to Ben there is a way to re-enable SSLv3 on your Notes client.
You can set the following system variable on your workstation to pass the parameter to the embedded JVM used for the jconsole.
Variable: JAVA_TOOL_OPTIONS
Value: -Dcom.ibm.jsse2.disableSSLv3=false
This should allow you to connect again from a 9.0.1FP3 jconsole to both 85x , 9.0.1 and 9.0.1FP3 servers.
Don't forget to remove the parameter once all your servers have been updated!
Thanks Ben for insisting getting a solution and posting how to work-around the issue!
-- Daniel
- Comments [3]
![[HCL Domino]](../lotus-domino.gif){kind=small}
![[Domino on Linux]](../domino-linux.gif){kind=small}
![[Nash!Com]](../nashcom.gif){kind=small}
![[Daniel Nashed]](../daniel-nsh.gif){kind=small}
1Ben Rose 23.06.2015 8:44:25 Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3
FYI, this breaks again in R9.0.1 FP4
2Ben Rose 17.07.2015 9:03:31 Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3
IBM now working on a fix for this in FP4 - more regression.
3Ben Rose 20.07.2015 9:55:31 Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3
Fix found.
remove this line in the file JVM/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3