APAR status
Closed as suggestion for future release.
Error description
AIX4.3.3, WAS3.5.4AE +pq45770
Customer is getting the message looping in stdout. The ORB
Request Timeout must be lower than the LTPA Token Expiration
time by at least the amount of time you expect a request
to complete. There could be problems if the (LTPA Token
Expiration - ORB Request Timeout) is less than 10 minutes in
R3.5.4 of WAS.
Local fix
Problem summary
Problem conclusion
Temporary fix
Comments
Configuration validation to avoid this problem may be added
in a future release. Below is a basic description of the
involved parameters and how they relate:
This document addresses the relationship between two security
parameters and one ORB parameter which are related. It is
important to know how these parameters are related to each
other when changing them. The security parameters are the
Security Cache Timeout and Token Expiration. The ORB parameter
is the ORB Request Timeout.
Security Cache Timeout
WebSphere maintains a cache of user credentials to improve
performance. This cache allows WebSphere to authenticate a
user without having to communicate with an LDAP server after
the user has been previously authenticated and the user's
credential was placed in the cache. The Security Cache
Timeout parameter determines how long the credential will
remain in the cache after the last request made by the user.
This parameter is set in the Global Security Settings on the
General tab.
Token Expiration
This is the maximum length of time a user can be logged on to
a WebSphere server before being re-authenticated on the next
request. This parameter is set in the Global Security
Settings on the Authentication Mechanism tab.
ORB Request Timeout
This is the maximum length of time the ORB will wait for an
IIOP request to complete. This parameter mainly affects any
calls to EJBs which are not made to instances that exist in
the same Java process.
How these parameters relate to one another
The current calculation of the Credential Refresh Period is
80% of the credential expiration time. There is a hard
coded minimum of 10 minutes. There is a calculated maximum
based on the ORB Request Timeout.
The basic algorithm for 3.02 or 3.5:
Credential Refresh Period = Token Expiration * 0.80
Minimum Credential Refresh Period (min) = 10 minutes
Maximum Credential Refresh Period (max) = Token Expiration - ORB Request Timeout
if (Credential Refresh Period < min)
    Credential Refresh Period = min
else if (Credential Refresh Period > max)
    Credential Refresh Period = max
The Credential Refresh Period is used to determine how often
credentials in the cache have their expiration times reset if
they have been referenced since the previous Credential
Refresh check. The Security Cache Timeout value is not
available at the time this calculation is made. This is the
reason for the hard coded 10 minute minimum refresh period.
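An added example (not IBM code) of the kind of configuration validation the APAR mentions: it reimplements the refresh-period algorithm described above and flags settings where Token Expiration minus ORB Request Timeout falls under the 10 minute minimum. It assumes both values are given in minutes; the function names are hypothetical.

```python
# Added example, not IBM code. Assumes both timeouts are expressed in minutes.
MIN_REFRESH = 10  # hard-coded minimum refresh period stated in the APAR


def credential_refresh_period(token_expiration, orb_request_timeout):
    """Refresh period per the 3.02/3.5 algorithm described in the APAR."""
    period = token_expiration * 80 / 100
    max_period = token_expiration - orb_request_timeout
    if period < MIN_REFRESH:
        period = MIN_REFRESH
    elif period > max_period:
        period = max_period
    return period


def validate(token_expiration, orb_request_timeout):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    headroom = token_expiration - orb_request_timeout
    if headroom <= 0:
        findings.append("ORB Request Timeout is not lower than Token Expiration")
    elif headroom < MIN_REFRESH:
        findings.append(
            f"Token Expiration - ORB Request Timeout is {headroom} min, "
            f"under the {MIN_REFRESH} min minimum")
    period = credential_refresh_period(token_expiration, orb_request_timeout)
    if period > headroom:
        # The 10 minute floor was applied and overrode the calculated maximum.
        findings.append(
            f"refresh period {period} min exceeds the calculated maximum {headroom} min")
    return findings


if __name__ == "__main__":
    # Constructed sample settings: (Token Expiration, ORB Request Timeout)
    for te, orb in [(120, 3), (30, 25), (10, 3), (20, 30)]:
        period = credential_refresh_period(te, orb)
        print(te, orb, period, validate(te, orb) or "ok")
```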
APAR information
APAR number: PQ51953
Reported component name: WAS ADVANCED AI
Reported component ID: 5648C8400
Reported release: 350
Status: CLOSED SUG
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-08-29
Closed date: 2001-11-29
Last modified date: 2001-11-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Applicable component levels
Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ51953
IBM Group: Software Group
Modified date: 2001-11-29
(C) Copyright IBM Corporation 2000, 2004. All Rights Reserved.