
Traveler HA running on MS SQL Server issue with TLS 1.2 and travelerutil command

 April 5 2019 03:57:17 PM
Last week I installed a new Traveler HA environment at a customer site.

We started with Traveler 10.0.1.1 on Domino 10.0.1 from scratch with a Microsoft SQL Server in the back.


When running the travelerutil command to configure the MS SQL connection, we could not connect to the MS SQL Server and saw the following error:


com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption


The reason for the error was quickly found: IBM had published a matching Technote 2 days earlier, on the 27th of March.


https://www-01.ibm.com/support/docview.wss?uid=ibm10871764&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E

The MS SQL server is now using TLS 1.2 by default.

The root cause of the issue is the IBM JVM being used by the Domino server for both the HTTP and Traveler tasks.  By default, the IBM JVM tries to use TLS 1.0 and does not retry using TLS 1.2 unless certain JVM options are specified.


If you have an existing Traveler service pool and MS SQL server in the back and your MS SQL admin enabled TLS 1.2, you will be in trouble.


You will have to launch the Domino JVM with an additional JVM option:


-Dcom.ibm.jsse2.overrideDefaultTLS=true


The IBM Technote explains the three needed steps in detail:

Step 1:

Create a new jvmOptions.properties file in the domino_data/traveler/cfg folder containing:


-Dcom.ibm.jsse2.overrideDefaultTLS=true


Step 2:

Set the following notes.ini JavaUserOptionsFile property to point to the new file created in Step 1

Example:


Linux:  JavaUserOptionsFile=/local/notesdata/traveler/cfg/jvmOptions.properties
Windows:   JavaUserOptionsFile=C:\Program Files\Domino\data\traveler\cfg\jvmOptions.properties


Note: If the JavaUserOptionsFile parameter already specifies a JVM options file, simply append this setting to the JVM options file already being used:  -Dcom.ibm.jsse2.overrideDefaultTLS=true


Step 3:


Set the notes.ini NTS_JAVA_PARMS property on all Traveler servers.


NTS_JAVA_PARMS=-Dcom.ibm.jsse2.overrideDefaultTLS=true

Note:  If NTS_JAVA_PARMS is already defined, add a space and -Dcom.ibm.jsse2.overrideDefaultTLS=true to the existing value.  


So we created the jvmOptions.properties file, added the JavaUserOptionsFile and NTS_JAVA_PARMS notes.ini properties, and restarted the server, but the travelerutil tool still did not work.

travelerutil is a simple command-line script that executes a Java program.

To get it working, you also have to add the -Dcom.ibm.jsse2.overrideDefaultTLS=true option to the travelerutil script.

Here is an example showing what we added and where: the option goes directly after java.exe.



@echo off

pushd "E:\Lotus\Domino\data"

setlocal

set PATH=D:\Lotus\Domino;D:\Lotus\Domino;%PATH%

"D:\Lotus\Domino\jvm\bin\java.exe" -Dcom.ibm.jsse2.overrideDefaultTLS=true -cp "D:\Lotus\Domino\Traveler\lib\*" -Ddomino.data.dir="E:\Lotus\Domino\data" com.lotus.sync.util.OfflineUtilities "D:\Lotus\Domino" "E:\Lotus\Domino\data" "D:\Lotus\Domino\notes.ini" %*
endlocal

popd



After these changes, everything works fine :-)
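
The option has to be present in four places (the JVM options file, the JavaUserOptionsFile pointer, NTS_JAVA_PARMS and the travelerutil script), so a quick audit helps after a change or an upgrade. The Python sketch below is an added example, not part of the original post or the IBM Technote; it works on file contents passed in as strings, and the sample inputs (including -Xmx1024m) and the case-insensitive key lookup are assumptions.

```python
import re

FLAG = "-Dcom.ibm.jsse2.overrideDefaultTLS=true"  # option named in the Technote

def ini_get(ini_text, key):
    """Value of a notes.ini key, or None (names compared case-insensitively: assumption)."""
    for line in ini_text.splitlines():
        name, sep, value = line.partition("=")  # split on the FIRST '=' only
        if sep and name.strip().lower() == key.lower():
            return value.strip()
    return None

def with_flag(options):
    """Notes in Step 2/3: add a space and FLAG to existing options, only once."""
    parts = (options or "").split()
    return " ".join(parts if FLAG in parts else parts + [FLAG])

def audit(ini_text, options_file_text, script_text):
    """List the places described in the post where FLAG is still missing."""
    missing = []
    if not ini_get(ini_text, "JavaUserOptionsFile"):
        missing.append("notes.ini JavaUserOptionsFile")
    if FLAG not in options_file_text.split():
        missing.append("JVM options file")
    if FLAG not in (ini_get(ini_text, "NTS_JAVA_PARMS") or "").split():
        missing.append("notes.ini NTS_JAVA_PARMS")
    # travelerutil: FLAG must be on the same line as the java launcher,
    # because a batch command does not continue onto the next line
    java_lines = [l for l in script_text.splitlines()
                  if re.search(r"\bjava(\.exe)?\b", l, re.I)]
    if not any(FLAG in l.split() for l in java_lines):
        missing.append("travelerutil script")
    return missing

# Constructed sample inputs (not taken from a real server)
SAMPLE_INI = "[Notes]\nNTS_JAVA_PARMS=-Xmx1024m\n"
SAMPLE_OPTIONS = "-Dcom.ibm.jsse2.overrideDefaultTLS=true\n"
SAMPLE_SCRIPT = ('"D:\\Lotus\\Domino\\jvm\\bin\\java.exe" -cp "lib\\*" '
                 'com.lotus.sync.util.OfflineUtilities %*\n')

if __name__ == "__main__":
    for item in audit(SAMPLE_INI, SAMPLE_OPTIONS, SAMPLE_SCRIPT):
        print("missing:", item)
    print("NTS_JAVA_PARMS=" + with_flag(ini_get(SAMPLE_INI, "NTS_JAVA_PARMS")))
```

To use it on a server, read notes.ini, the options file and the travelerutil script from disk and pass their contents to audit().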
