fighting for truth, justice, and a kick-butt lotus notes experience.

Traveler HA running on MS SQL Server issue with TLS 1.2 and travelerutil command

 5 April 2019 17:57:17
Last week I installed a new Traveler HA environment at customer side.

We started with Traveler 10.0.1.1 on Domino 10.0.1 from scratch with a Microsoft SQL Server in the back.


When running the travelerutil command to configure the MS SQL connection, we were not able to connect to the MS SQL system seeing the following error:


com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption


The reason for the error, was quickly found and IBM published a matching Technote 2 day earlier on 27th of March.


https://www-01.ibm.com/support/docview.wss?uid=ibm10871764&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E

The MS SQL server is now using TLS 1.2 by default.

The root cause of the issue is the IBM JVM being used by the Domino server for both the HTTP and Traveler tasks.  By default, the IBM JVM tries to use TLS 1.0 and does not retry using TLS 1.2 unless certain JVM options are specified.


If you have an existing Traveler service pool and MS SQL server in the back and your MS SQL admin enabled TLS 1.2, you will be in trouble.


You will have to launch the Domino JVM with an additional JVM option:


-Dcom.ibm.jsse2.overrideDefaultTLS=true


The IBM Technote explains the three needed steps in detail:

Step 1:

Create a new jvmOptions.properties file in the domino_data/traveler/cfg folder containing:


-Dcom.ibm.jsse2.overrideDefaultTLS=true


Step 2:

Set the following notes.ini JavaUserOptionsFile property to point to the new file created in Step 1

Example:


Linux:  JavaUserOptionsFile=/local/notesdata/traveler/cfg/jvmOptions.properties
Windows:   JavaUserOptionsFile=C:\Program Files\Domino\data\traveler\cfg\jvmOptions.properties


Note: If JavaUserOptionsFile parameter already specifies a JVM Options file, simply append this setting the JVM Options file already being used:  -Dcom.ibm.jsse2.overrideDefaultTLS=true


Step 3:


Set the notes.ini NTS_JAVA_PARMS property on all Traveler servers.


NTS_JAVA_PARMS=-Dcom.ibm.jsse2.overrideDefaultTLS=true

Note:  If NTS_JAVA_PARMS is already defined, add a space and -Dcom.ibm.jsse2.overrideDefaultTLS=true to the existing value.  


So we created the jvmOptions.properties file and added the JavaUserOptionsFile and NTS_JAVA_PARMS notes.ini properties, restarted the server,  but the travelerutil tool still did not work.

The traveler util is a simple commandline script executing a Java program.

To get it working you will have to add the
-Dcom.ibm.jsse2.overrideDefaultTLS=true option to the travelerutil script, too.

Here is an example:  Red marked - what and where we add the option



@echo off

pushd "E:\Lotus\Domino\data"

setlocal

set PATH=D:\Lotus\Domino;D:\Lotus\Domino;%PATH%

"D:\Lotus\Domino\jvm\bin\java.exe"
-Dcom.ibm.jsse2.overrideDefaultTLS=true -cp "D:\Lotus\Domino\Traveler\lib\*" -Ddomino.data.dir="E:\Lotus\Domino\data" com.lotus.sync.util.OfflineUtilities "D:\Lotus\Domino" "E:\Lotus\Domino\data" "D:\Lotus\Domino\notes.ini" %*
endlocal

popd



After the changes all works fine :-)

Kommentare
noch keine Kommentare vorhanden
  •  
  • Hinweis zum Datenschutz und Datennutzung:
    Bitte lesen Sie unseren Hinweis zum Datenschutz bevor Sie hier einen Kommentar erstellen.
    Zur Erstellung eines Kommentar werden folgende Daten benötigt:
    - Name
    - Mailadresse
    Der Name kann auch ein Nickname/Pseudonym sein und wird hier auf diesem Blog zu Ihrem Kommentar angezeigt. Die Email-Adresse dient im Fall einer inhaltlichen Unklarheit Ihres Kommentars für persönliche Rückfragen durch mich, Detlev Pöttgen.
    Sowohl Ihr Name als auch Ihre Mailadresse werden nicht für andere Zwecke (Stichwort: Werbung) verwendet und auch nicht an Dritte übermittelt.
    Ihr Kommentar inkl. Ihrer übermittelten Kontaktdaten kann jederzeit auf Ihren Wunsch hin wieder gelöscht werden. Senden Sie in diesem Fall bitte eine Mail an blog(a)poettgen(punkt)eu

  • Note on data protection and data usage:
    Please read our Notes on Data Protection before posting a comment here.
    The following data is required to create a comment:
    - Name
    - Mail address
    The name can also be a nickname/pseudonym and will be displayed here on this blog with your comment. The email address will be used for personal questions by me, Detlev Pöttgen, in the event that the content of your comment is unclear.
    Neither your name nor your e-mail address will be used for any other purposes (like advertising) and will not be passed on to third parties.
    Your comment including your transmitted contact data can be deleted at any time on your request. In this case please send an email to blog(a)poettgen(dot)eu

Archive