Keyring Behavior between HCL Domino 12.0.1 and HCL Domino 11.0.1

Mindwatering Incorporated

Author: Tripp W Black

Created: 11/25/2022 at 08:54 PM

 

Category:
Domino Server Issues Troubleshooting
Web/HTTP

Issue:
After upgrading from HCL Domino 11.0.1 to HCL Domino 12.0, the notes.ini setting SSL_KYR_CACHE_MAX_SIZE=x no longer behaved the way it did in R11.0.1. The symptoms were similar to the R11.0.1 issue where the cache setting had to be increased for the new SNI single-IP support.
The HCL Domino app server, upgraded to HCL 12.0, was no longer using the MidPoints LE4D and MW Sidecar, but rather the new built-in Certificate Manager and its CertStore.nsf app.

In R11, we set the notes.ini parameter SSL_KYR_CACHE_MAX_SIZE=x, where x is the number of keyring files. (See HCL KB article KB0080313 for more information.)

Just as in the article, we ran the following DEBUG parameters:
- DEBUG_SSL_ALL=3
- SSL_TRACE_KEYFILEREAD=1
- DEBUG_SSL_KYRCACHE=1

Sure enough, even though we had set the notes.ini value to 64, well above the number of keyring files, we saw the error message "KYRCACHE is full, cannot add new KYR file in cache".
The parameter was not working the same way after the upgrade. We then set SSL_KYR_CACHE_MAX_SIZE=84, the exact number of domains rather than the number of keyrings; it did not help. According to HCL, the default maximum cache size is 50 keyring files unless SSL_KYR_CACHE_MAX_SIZE is set. This is a bit different from the old HCL Domino R11.0.1 behavior.


Solution:
1. Edit the notes.ini as the notes user and make the following change.
$ su - notes
<enter pwd>
$ vi /local/notesdata/notes.ini
. . .
#SSL_KYR_CACHE_MAX_SIZE=84
SSL_DISABLE_KYR_CACHE=1
. . .
To save:
<esc>:wq
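The same step-1 edit, done non-interactively so it can be scripted and repeated safely. This is an added example, not part of the original article and not HCL code; it assumes only that notes.ini is a plain KEY=value text file (keys compared case-insensitively), and the notes.ini created at the bottom is a constructed sample so the script runs offline.

```shell
# apply_kyr_fix <path-to-notes.ini>
#   - keeps a timestamped backup of the file
#   - comments out every active SSL_KYR_CACHE_MAX_SIZE=... line
#   - ensures exactly one active SSL_DISABLE_KYR_CACHE=1 line
# Running it twice is harmless: the second run changes nothing.
apply_kyr_fix() {
    ini="$1"
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    cp "$ini" "$ini.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$ini.tmp.$$"
    awk '
      {
        key = $0
        sub(/=.*/, "", key)          # text left of the first "="
        gsub(/[ \t]/, "", key)
        key = tolower(key)           # notes.ini keys are case-insensitive
        if (key == "ssl_kyr_cache_max_size") { print "#" $0; next }
        if (key == "ssl_disable_kyr_cache") {
            if (seen++) next         # drop duplicate entries
            print "SSL_DISABLE_KYR_CACHE=1"; next
        }
        print                        # everything else passes through untouched
      }
      END { if (!seen) print "SSL_DISABLE_KYR_CACHE=1" }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# ini_get <path-to-notes.ini> <key>: print the value of the first active
# (uncommented) line for <key>, or nothing if the key is not active.
ini_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
      {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        if (tolower(key) == want) { val = $0; sub(/^[^=]*=/, "", val); print val; exit }
      }' "$1"
}

# Constructed demo: a scratch notes.ini holding the pre-fix settings from the article.
demo_dir=$(mktemp -d)
printf 'ServerTasks=HTTP,CertMgr\nSSL_KYR_CACHE_MAX_SIZE=84\n' > "$demo_dir/notes.ini"
apply_kyr_fix "$demo_dir/notes.ini"
cat "$demo_dir/notes.ini"
```

Run it as the notes user against /local/notesdata/notes.ini so file ownership stays intact, then restart HTTP as in step 2; the change is not picked up until HTTP reloads.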


2. Back in the HCL Domino Administrator client.
- Switch to the Domino server desired
- Switch to the Server (tab) --> Server Console (menu option on left) --> Click the Live button (green triangle Play icon).
- In the console, enter:
> tell http quit
<wait until you see Domino return that HTTP shut down>
> load http
<watch Domino start, and wait for the HTTP started message>

Probably Unnecessary:
> tell certmgr process
<read results>

To restart Certificate Manager:
> tell certmgr q
and
> load certmgr

Note:
In Domino 12.0.2 FP1, the shutdown option is not working, but the q or quit option does work.

3. Test all the web domains.
Bring every domain up including all aliases.
e.g. www.mindwatering.net and just mindwatering.net

All should now be working.

Background Information:
We found one HCL note that said to simply remove the SSL_KYR_CACHE_MAX_SIZE notes.ini parameter, since Domino 12 no longer uses it. That did not work; in fact, instead of missing just a couple of domains, we were missing almost a third of them.
We opened an HCL support ticket. After a few rounds of back-and-forth and testing, HCL tech support confirmed that Cert Manager does not need the maximum size setting, but it can still be used to raise the limit above 50 and, at the same time, cap the number of keyring files that can be active.

They suggest adding the following:
SSL_DISABLE_KYR_CACHE=1

We added the SSL_DISABLE_KYR_CACHE=1 setting, but it didn't work. We then decided to "merge" both pieces of information and also commented out the SSL_KYR_CACHE_MAX_SIZE=84 notes.ini entry. We shut down and restarted HTTP, and all was well.

So we had to both disable the keyring cache and also remove the maximum size entry, for the issue to be resolved.


Note:
Setting SSL_Trace_KeyFileRead=1 will also output the password for the kyr / sth files. Be aware, and remove the debug parameters once troubleshooting is finished.
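A small cleanup helper for the note above. It is an added example, not from the article or from HCL: it lists the three SSL debug parameters used earlier in this article (DEBUG_SSL_ALL, SSL_TRACE_KEYFILEREAD, DEBUG_SSL_KYRCACHE) if they are still active in notes.ini and comments them out, so the keyring password stops being written to the debug output once the investigation is over. The notes.ini content at the bottom is a constructed sample.

```shell
# Keys that should only be active while actively troubleshooting.
SSL_DEBUG_KEYS='DEBUG_SSL_ALL|SSL_TRACE_KEYFILEREAD|DEBUG_SSL_KYRCACHE'

# audit_ssl_debug <path-to-notes.ini>
#   Prints every active (uncommented) debug line with its line number.
#   Returns 1 if any were found, 0 if the file is clean.
audit_ssl_debug() {
    grep -inE "^[[:space:]]*($SSL_DEBUG_KEYS)=" "$1" && return 1
    return 0
}

# disable_ssl_debug <path-to-notes.ini>
#   Comments out those lines in place (case-insensitive key match) and keeps a .bak copy.
disable_ssl_debug() {
    ini="$1"
    cp "$ini" "$ini.bak"
    awk -v keys="$SSL_DEBUG_KEYS" '
      BEGIN { n = split(keys, k, "|") }
      {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = toupper(key)
        for (i = 1; i <= n; i++) if (key == k[i]) { print "#" $0; next }
        print
      }' "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
}

# Constructed demo: a notes.ini still carrying the debug settings from the investigation.
demo_dir=$(mktemp -d)
printf 'ServerTasks=HTTP,CertMgr\nDEBUG_SSL_ALL=3\nSSL_Trace_KeyFileRead=1\nDEBUG_SSL_KYRCACHE=1\nSSL_DISABLE_KYR_CACHE=1\n' > "$demo_dir/notes.ini"
if ! audit_ssl_debug "$demo_dir/notes.ini"; then
    echo "debug parameters still active; disabling them"
    disable_ssl_debug "$demo_dir/notes.ini"
fi
cat "$demo_dir/notes.ini"
```

After commenting the parameters out, restart HTTP as in step 2 so the new settings take effect, and treat any console log captured while SSL_TRACE_KEYFILEREAD=1 was active as containing the keyring password.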
