PQ72041: Admin server is trying to use expired tokens from cache - invalid tokens.

A fix is available
Cumulative Security Interim fix for 4.0.2/4.0.3/4.0.4/4.0.5/4.0.6/4.0.7

APAR

APAR status
Closed with unknown close code.

Error description
After going to a secured resource and authenticating, the LTPA
token is allowed to expire. Trying to access the secured
resource causes the user to reauthenticate, as expected. After
attempting to reauthenticate, the browser shows an "invalid
credential" message.
Local fix
Increase token timeout
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application server security        *
*                 users with multiple secured application      *
*                 servers.                                     *
****************************************************************
* PROBLEM DESCRIPTION: After LTPA Token has expired,           *
*                      re-authenticated users may not be able  *
*                      to access EJBs on a different server.   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Immediately after the LTPA token has expired, re-authenticated users
may not be authenticated to access secured EJBs on a remote
application server, even though they can access servlets successfully.
Problem conclusion
Authorization to access a secured EJB is based on SAS sessions,
and sessions are mapped to credentials. The session id did
not include the credential expiration time, so an old session was
used even after a new credential was created, if the session had
not expired. With the fix, a new session is created with the
new credential token.
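
A simplified model of the session lookup described above, added here as an illustration; it is not WebSphere or SAS code. The class names, the layout of the session key and the lifetimes are assumptions chosen so that the session outlives the token.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    user: str
    realm: str
    expires_at: int  # time at which the credential token expires


class SessionTable:
    """Server-side map from session id to the credential bound to that session."""

    def __init__(self, include_expiry, session_ttl):
        self.include_expiry = include_expiry  # False: pre-fix key, True: fixed key
        self.session_ttl = session_ttl
        self.sessions = {}  # session id -> (bound credential, session expiry)

    def session_id(self, cred):
        key = (cred.realm, cred.user)
        if self.include_expiry:
            key += (cred.expires_at,)  # fixed: a new credential gives a new id
        return key

    def authorize(self, cred, now):
        """Return True if the call runs under a credential that is still valid."""
        sid = self.session_id(cred)
        entry = self.sessions.get(sid)
        if entry is None or entry[1] <= now:
            # No live session for this id: bind one to the presented credential.
            entry = (cred, now + self.session_ttl)
            self.sessions[sid] = entry
        bound = entry[0]  # the check uses the credential bound to the session
        return bound.expires_at > now


def replay(include_expiry):
    """Login, let the token expire, re-authenticate, call the remote EJB again."""
    table = SessionTable(include_expiry, session_ttl=7200)
    first = Credential("alice", "realm1", expires_at=1000)    # constructed sample
    second = Credential("alice", "realm1", expires_at=3000)   # issued on re-auth
    return [table.authorize(first, now=100), table.authorize(second, now=1100)]


if __name__ == "__main__":
    print("session id without expiration:", replay(include_expiry=False))
    print("session id with expiration:   ", replay(include_expiry=True))
```

With the pre-fix key the second call finds the session still bound to the expired credential and is rejected; with the expiration time in the key it gets a fresh session.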
Temporary fix
provided test fix
Comments
APAR information
APAR number: PQ72041
Reported component name: WEBSPHERE AE SO
Reported component ID: 5648C8400
Reported release: 350
Status: CLOSED
PE: NoPE
HIPER: NoHIPER
Submitted date: 2003-03-13
Closed date: 2003-03-13
Last modified date: 2003-03-13

APAR is sysrouted FROM one or more of the following:
PQ71397

APAR is sysrouted TO one or more of the following:


Modules/Macros
security

Fix information
Fixed component name: WEBSPHERE AE SO
Fixed component ID: 5648C8400

Applicable component levels
R350 PSYUP











Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ72041
IBM Group: Software Group
Modified date: 2003-03-13