Monday, December 29, 2014

A little more on the Poodle (IBM Domino 9.0.1 and the Poodle Vulnerability)

In my last post, I discussed the steps required to get your Domino 9.0.1 server patched against the Poodle bug, which exists in both SSL 3.0 and TLS. At the end of the post, I mentioned that I still had one server which was refusing to apply the patch.

This is how I got around the problem. 

The Server that Wouldn't
After taking the patches all the way back to Fix Pack 1 and slowly patching forward one-by-one with reboots in between, I realised that whatever was affecting my server had been installed for a long time.

There was no easy way to resolve the problem and obviously I couldn't roll back forever.  I just had to accept the fact that the server would not take the patch and take some more drastic measures.

Backup First
Of course, before taking any drastic measures, you should always back up first. Personally, I like to have a proper backup as well as a local copy of the main Domino files. That way I don't have to worry about streaming and tapes.

I manually took a copy of the D:\Lotus\Domino folder on the server (but not sub-folders) and saved it elsewhere. Then, being careful to overwrite only obvious program and library files (EXE, DLL, plus any other non-data files), I copied the files from a server which was otherwise at the same level (64-bit Domino 9.0.1) but had been successfully patched.

After the copy, I restarted the server and retested for the Poodle problem. Luckily, the file-copy procedure had resolved it.

Yet again, I'm thankful for the low-tech nature of Domino and the fact that it doesn't go crazy with registry entries.

What if I don't have a working Server?
So, if you don't have a working Poodle-proof server and you're faced with a similar issue to mine, then one of the simplest options is to install a brand new Domino 9.0.1 server and patch it, then try copying the files across. There's a pretty good chance that it will do the job.
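
The file-copy procedure above, whether the source is an existing patched server or a freshly installed and patched one, can be scripted so that only program files that actually differ are replaced and each replaced file is kept for rollback. This is an added example, not code from the original post: the function names are hypothetical, it assumes Domino is stopped on the target, and it treats only `.exe` and `.dll` as program files (the "other non-data files" the post mentions still need a manual decision).

```python
import hashlib
import shutil
from pathlib import Path

# Assumption: only these extensions count as program/library files.
# Data and identity files (notes.ini, *.nsf, *.id, ...) are never touched.
PROGRAM_EXTS = {".exe", ".dll"}


def sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_sync(reference: Path, target: Path) -> list[str]:
    """Names of top-level program files that differ from, or are missing on, the target."""
    plan = []
    for src in sorted(reference.iterdir()):  # top level only, no sub-folders
        if not src.is_file() or src.suffix.lower() not in PROGRAM_EXTS:
            continue
        dst = target / src.name
        if not dst.is_file() or sha256(dst) != sha256(src):
            plan.append(src.name)
    return plan


def apply_sync(reference: Path, target: Path, backup: Path) -> list[str]:
    """Back up each file about to be replaced, copy the patched version, verify it."""
    backup.mkdir(parents=True, exist_ok=True)
    copied = []
    for name in plan_sync(reference, target):
        src, dst = reference / name, target / name
        if dst.is_file():
            shutil.copy2(dst, backup / name)  # original kept for rollback
        shutil.copy2(src, dst)
        if sha256(dst) != sha256(src):
            raise OSError(f"copy of {name} did not verify")
        copied.append(name)
    return copied


if __name__ == "__main__":
    import sys
    # Dry run: list what would be replaced, e.g. a copied reference folder vs D:\Lotus\Domino
    print("\n".join(plan_sync(Path(sys.argv[1]), Path(sys.argv[2]))))
```

Run the dry run first and review the list before calling `apply_sync`; an empty plan after applying confirms the target's top-level binaries match the patched reference.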
