Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Notes & Domino 9.0.1 FP7 shipped

Daniel Nashed – 14 September 2016 10:07:02
Notes and Domino 9.0.1 FP7 has shipped with quite a number of important fixes.

- The JVM was updated to the current quarterly release replacing the JVM patches that came out since FP6.

- There are stability fixes in many areas, including Compact, the Archiving API, iNotes and DXL, as well as some important security fixes.


In one client SPR even ADFS 3.0 is mentioned so maybe we can hope that we get full ADFS 3.0 at some point in one of the next FPs - which is high on my priority list since most new ADFS customer installations require ADFS 3.0.


Oh I almost missed an important platform update. Citrix XenApp 7.7 is now supported since FP7 which was missing for many customers!



Besides all those fixes, which are a good reason to deploy FP7, there are two SPRs that I want to highlight.

-- Important Linux 64bit Fix --


The first SPR deals with a really bad issue that made IBM ship a separate new build of 9.0.1 to customers who ran into the issue.

The fix needed a complete rebuild of all Domino binaries/core components (because a central structure was affected) and could not be shipped in a normal FP. IBM found a way to address this issue in a FP!

It is listed in the Fixlist under "Sametime" but the issue occurred in most cases in high load HTTP environments.

In case you are running the special downloaded new 64bit compile you can now switch back to the standard builds (see more detailed information below).

SPR# KBRN9Q7EZW - Fixed a Domino Linux 64-bit server crash or instability caused by duplicate thread ids.
This is described in technote #1976013 and previously required a special Domino Linux 64-bit build to be provided.
Now applying this Fixpack on Domino 9.0.1 will address the issue. Customers who previously received the special Domino Linux 64-bit build should uninstall it, re-install 9.0.1 Gold, followed by 9.0.1 FP7 or higher.



-- AES and SHA-2 Support for Network Port Encryption --


Dave Kern already presented plans in Orlando to update NRPC port encryption, which at that point was planned for 9.0.2.


The new port encryption made it into FP7. If your client and server are both running FP7 or higher.

Update 14.9.2016 19:00

There is a new Technote describing all the details including two new settings plus one new debug setting.

TN -> http://www.ibm.com/support/docview.wss?uid=swg21990283

PORT_ENC_ADV
controls the level of port encryption and enables the use of AES tickets.

TICKET_ALG_SHA
controls which cryptographic algorithm to use when constructing tickets. HMAC-SHA 256 is enabled by default.

There is also one new debug setting DEBUG_PORT_ENC_ADV=1 which will enable debug for the new port encryption.


I have upgraded my client and server and got the following with PORT_ENC_ADV on server side.
In my previous test I wasn't aware that I had this parameter already in my notes.ini.
But the parameter is required for the new encryption. The SHA256-based signature algorithms are enabled by default.


SPR# DKEN9N5PVK
- Network port encryption now supports AES and SHA-2


FP 6


Authenticate {1B3F0009}: CN=xyz/OU=Srv/O=NashCom-Net

T:RC2:128 E:1:  P:c:e S:RC4:128 A:4:1 L:N:N:N FS:

FP 7


Authenticate {1B3F0002}: CN=xzy/OU=Srv/O=NashCom-Net

T:AES:128 E:1:  P:c:e S:AES-GCM:256 A:2:1 L:N:N:N FS:DHE-2048

So it looks like the cipher implemented is: DHE-RSA-AES128-GCM-SHA256 with a DHE size of 2048.


(You see the output with notes.ini log_authentication=1)


-- Daniel
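
The two log_authentication records above can also be checked by script, for example to find clients that still connect with the pre-FP7 algorithms. This is an added example, not code from the original post or from IBM: it parses such records and lists sessions that still show RC2/RC4 or have no FS value. The meaning given to the T, S and FS fields and all function names are assumptions.

```python
import re

# Constructed sample: the FP6 and FP7 records from the post. Assumed meanings:
# T = ticket algorithm, S = session (port) encryption, FS = forward secrecy.
SAMPLE_LOG = """\
Authenticate {1B3F0009}: CN=xyz/OU=Srv/O=NashCom-Net
T:RC2:128 E:1:  P:c:e S:RC4:128 A:4:1 L:N:N:N FS:
Authenticate {1B3F0002}: CN=xzy/OU=Srv/O=NashCom-Net
T:AES:128 E:1:  P:c:e S:AES-GCM:256 A:2:1 L:N:N:N FS:DHE-2048
"""

AUTH_RE = re.compile(r"Authenticate \{([0-9A-Fa-f]+)\}: (.+)")
LEGACY = ("RC2", "RC4")  # pre-FP7 algorithms seen in the FP6 record


def parse_records(text):
    """Pair each Authenticate line with the field line that follows it."""
    # Tolerate a field line that was wrapped right after "T:".
    text = re.sub(r"^(\s*T:)\s*\n\s*", r"\1", text, flags=re.M)
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        match = AUTH_RE.search(line)
        if match:
            current = {"session": match[1], "name": match[2], "fields": {}}
            records.append(current)
        elif current is not None and line.startswith("T:"):
            for token in line.split():
                key, _, value = token.partition(":")
                current["fields"][key] = value
            current = None
    return records


def findings(record):
    """Reasons to review a session; an empty list means AES plus an FS value."""
    fields, out = record["fields"], []
    for key, label in (("T", "ticket"), ("S", "session")):
        alg = fields.get(key, "").split(":")[0].upper()
        if not alg or alg.startswith(LEGACY):
            out.append(f"{label} uses {alg or 'unknown'}")
    if not fields.get("FS"):
        out.append("no FS value")
    return out


def legacy_sessions(text):
    """(session id, name, findings) for every record that needs review."""
    return [(r["session"], r["name"], findings(r))
            for r in parse_records(text) if findings(r)]
```

Running `legacy_sessions` over a server log collected with log_authentication=1 gives a list of the peers that have not yet moved to the FP7 port encryption.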
