IBM Support

Traveler server not connecting to Microsoft SQL Server using only TLS 1.2

Troubleshooting


Problem

Customers have reported that their Traveler servers are unable to communicate with their Microsoft SQL Servers after security updates were applied to the Microsoft SQL Server environment to disallow any protocol other than TLS 1.2.
 

Symptom

There are three main symptoms encountered with this problem.

  1. The Traveler server will fail to start with the following error message:  

    Traveler: SEVERE *system Error starting a Transaction Exception Thrown: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.
     
  2. The Traveler servlet will start, but the Traveler Web Administration interface will be empty and no data will be shown.  The following error message can be found in the OSGI error and trace logs:

    Error starting a Transaction:  com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.
     
  3. Using the travelerUtil command to set or update the database configuration will result in a similar Secure Socket Layer error message when testing the connection to the database.
     

Cause

The root cause of this issue is the IBM JVM being used by the Domino server for both the HTTP and Traveler tasks.  By default, the IBM JVM tries to use TLS 1.0 and does not retry using TLS 1.2 unless certain JVM options are specified.
 
 

Resolving The Problem

This issue can be mitigated by following these steps on each Traveler server to force the IBM JVM to use TLS 1.2 as the default communication protocol.   

Resolving for the servlet (Web Admin)

  1. Download the attached jvmOptions.properties file to an appropriate directory such as the Traveler config directory, typically domino_data/traveler/cfg/

    Note:  Any file name and location is acceptable; the attached sample is provided as a convenience.  The file must contain the setting:
    -Dcom.ibm.jsse2.overrideDefaultTLS=true
     
  2. Set the following notes.ini property on all Traveler servers.

    JavaUserOptionsFile=Fully qualified file name from step 1

    ex: JavaUserOptionsFile=/local/notesdata/traveler/cfg/jvmOptions.properties
    ex: JavaUserOptionsFile=C:\Program Files\Domino\data\traveler\cfg\jvmOptions.properties

    Note: If the JavaUserOptionsFile parameter already specifies a JVM Options file, simply append this setting to the JVM Options file already being used:  -Dcom.ibm.jsse2.overrideDefaultTLS=true
     
  3. Restart the Domino server on each Traveler server to pick up the configuration changes.
     

Resolving for the server


  1. Set the following notes.ini property on all Traveler servers.

    NTS_JAVA_PARMS=-Dcom.ibm.jsse2.overrideDefaultTLS=true

    Note:  If NTS_JAVA_PARMS is already defined, add a space and -Dcom.ibm.jsse2.overrideDefaultTLS=true to the existing value.  
     
  2. Restart the Domino server on each Traveler server to pick up the configuration changes.
 

Resolving for the travelerUtil command


  1. Open the travelerUtil file in the data/traveler/util directory for editing.
     
  2. Add -Dcom.ibm.jsse2.overrideDefaultTLS=true before the -cp property.  There should be a space before and after the parameter.  

    For example:  "D:\Lotus\Domino\jvm\bin\java.exe" -Dcom.ibm.jsse2.overrideDefaultTLS=true -cp "D:\Lotus\Domino\Traveler\lib\*"
     
  3. Save and close the travelerUtil file.

Note:  There are two alternative methods available for working around the issue with the travelerUtil command.

  1. You can use the force option -f, which will set the database configuration even if the connection test fails.  Use travelerUtil with no arguments to see a complete list of options.

    For example:  travelerUtil db set -f
     
  2. You can use notes.ini parameters to set the DB configuration information thus bypassing the travelerUtil command.   See the NTS_DB* commands from this article:  https://www.ibm.com/support/knowledgecenter/en/SSYRPW_10.0.0/List_of_Notes_ini_settings.html#List_of_Notes_ini_settings
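
A check that the three changes described above are actually in place, as an added example that is not part of the IBM technote. The function names, the constructed sample data and the case-insensitive matching of notes.ini setting names are assumptions.

```python
FLAG = "-Dcom.ibm.jsse2.overrideDefaultTLS=true"

def parse_notes_ini(text):
    """Return notes.ini settings keyed by lowercased name.
    Assumption: setting names are matched case-insensitively."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_notes_ini(notes_ini_text, read_file):
    """read_file(path) returns the file's text, or None if it cannot be read."""
    ini = parse_notes_ini(notes_ini_text)
    # Server: the flag must be its own space-separated token in NTS_JAVA_PARMS.
    server = FLAG in ini.get("nts_java_parms", "").split()
    # Servlet (Web Admin): JavaUserOptionsFile must name a file holding the flag.
    path = ini.get("javauseroptionsfile")
    options = read_file(path) if path else None
    servlet = options is not None and FLAG in options.split()
    return {"server": server, "servlet": servlet}

def travelerutil_has_flag(script_text):
    """True if a java command line carries the flag before -cp."""
    for line in script_text.splitlines():
        tokens = line.split()
        if FLAG in tokens and "-cp" in tokens:
            if tokens.index(FLAG) < tokens.index("-cp"):
                return True
    return False

# Constructed sample data (not taken from a real server).
OPTIONS_PATH = "/local/notesdata/traveler/cfg/jvmOptions.properties"
SAMPLE_FILES = {OPTIONS_PATH: FLAG + "\n"}
GOOD_INI = ("JavaUserOptionsFile=" + OPTIONS_PATH + "\n"
            "NTS_JAVA_PARMS=-Xmx1024m " + FLAG + "\n")
# Failure mode: no space before the flag, and JavaUserOptionsFile never set.
BAD_INI = "NTS_JAVA_PARMS=-Xmx1024m" + FLAG + "\n"
GOOD_UTIL = (r'"D:\Lotus\Domino\jvm\bin\java.exe" ' + FLAG +
             r' -cp "D:\Lotus\Domino\Traveler\lib\*"')
# Failure mode: flag placed after -cp instead of before it.
BAD_UTIL = (r'"D:\Lotus\Domino\jvm\bin\java.exe" -cp '
            r'"D:\Lotus\Domino\Traveler\lib\*" ' + FLAG)

if __name__ == "__main__":
    print(audit_notes_ini(GOOD_INI, SAMPLE_FILES.get))
    print(audit_notes_ini(BAD_INI, SAMPLE_FILES.get))
    print(travelerutil_has_flag(GOOD_UTIL), travelerutil_has_flag(BAD_UTIL))
```

On a real server, pass the contents of notes.ini and a read_file function that reads from disk.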




Document information

More support for: IBM Traveler

Component: Server

Software version: All Versions

Operating system(s): AIX, IBM i, Linux, Windows

Software edition: All Editions

Reference #: 0871764

Modified date: 15 April 2019