PQ53051: PERFORMANCE PROBLEMS WITH TRUST ASSOCIATION AUTHORIZATIONS.


APAR

APAR status
Closed as program error.

Error description
When trust association is enabled on a 3.5.x system, authorization
performs poorly because the credentials appear to be recreated,
re-mapped, and re-validated for every request from the same user
(instead of only for the first request). Federal Reserve is
reporting that they see a 15-20 second response for every request.
Local fix
A temporary fix has been sent to the customer to test. This fix
requires the customer to enable SSO; we then use the LtpaToken
cookie to communicate with the client and bypass the path taken
for credential validation by the trust association code.
Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users       *
*                 using Trust Association.                     *
****************************************************************
* PROBLEM DESCRIPTION: Potential performance issues for web    *
*                      based (browser) clients if Trust        *
*                      Association is configured and LDAP      *
*                      response times are excessively long.    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If Trust Association is configured, the WebSphere credential
caches were not being used to cache users' credentials.  As a
result, LDAP was called for each user request.
Problem conclusion
The focus of this APAR was to provide a mechanism for
properly caching user credentials.  Applying this APAR does
not improve performance for the initial web request;
however, each subsequent request will be substantially
faster unless one of the following two conditions occurs.

1.  The user's credentials have expired from the cache because
the user has not made a request within the security cache
timeout setting.
2.  The user's LTPA Token has expired.
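
The caching behaviour described above can be modelled as follows. This is an added example, not IBM's or WebSphere's code; the class name, the `ldap_lookup` callback, and the timeout values are assumptions chosen for illustration, and the request times are constructed.

```python
import time


class CredentialCache:
    """Toy model: the directory is consulted only on the first request, after
    an idle period longer than the cache timeout, or after token expiry."""

    def __init__(self, ldap_lookup, cache_timeout, token_lifetime,
                 clock=time.monotonic):
        self._ldap_lookup = ldap_lookup        # slow directory call (hypothetical)
        self._cache_timeout = cache_timeout    # idle timeout, seconds (assumed)
        self._token_lifetime = token_lifetime  # token validity, seconds (assumed)
        self._clock = clock
        self._entries = {}                     # user -> (cred, last_used, token_expiry)
        self.ldap_calls = 0

    def credentials_for(self, user):
        now = self._clock()
        entry = self._entries.get(user)
        if entry is not None:
            cred, last_used, token_expiry = entry
            idle_ok = now - last_used < self._cache_timeout   # condition 1
            token_ok = now < token_expiry                     # condition 2
            if idle_ok and token_ok:
                # Fast path: refresh the idle timer, skip the directory.
                self._entries[user] = (cred, now, token_expiry)
                return cred
        # Slow path: recreate the credential and issue a fresh token lifetime.
        self.ldap_calls += 1
        cred = self._ldap_lookup(user)
        self._entries[user] = (cred, now, now + self._token_lifetime)
        return cred


def simulate():
    """Replay constructed request times for one user and return the
    cumulative number of directory calls after each request."""
    now = [0]
    cache = CredentialCache(lambda u: {"user": u, "groups": ["staff"]},
                            cache_timeout=600, token_lifetime=1500,
                            clock=lambda: now[0])
    counts = []
    for t in (0, 30, 500, 1200, 1700, 2200, 2600, 2750):
        now[0] = t
        cache.credentials_for("alice")
        counts.append(cache.ldap_calls)
    return counts


if __name__ == "__main__":
    print(simulate())
```

In the replay, the request at 1200 s pays the directory cost because the user was idle for longer than the cache timeout, and the request at 2750 s pays it because the token issued at 1200 s has expired even though the user stayed active.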
Temporary fix
There is an efix available for this issue.
Comments
APAR information
APAR number: PQ53051
Reported component name: WAS ADVANCED SU
Reported component ID: 5648C8402
Reported release: 350
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-10-03
Closed date: 2001-10-29
Last modified date: 2001-12-17

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY

Fix information
Fixed component name: WAS ADVANCED SU
Fixed component ID: 5648C8402

Applicable component levels
R350 PSYUP

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ53051
IBM Group: Software Group
Modified date: 2001-12-17