Setting Security Cache Timeout and LTPA Token Timeout

Technote (FAQ)
Problem
How should the security cache timeout be set relative to the LTPA token timeout?
Solution
Overview of LTPA Token Expiration
The LTPA token expiration time is set when configuring global security, and the value specified is an absolute value: it determines how long an LTPA token remains valid. Once the token expires, any attempt by the user to access a resource requires re-authentication. Re-authentication does not necessarily mean that the user is challenged again for a userid/password. If the challenge type is Basic Authentication, the browser has cached the userid/password and resubmits it to the server without the user's intervention. In the case of custom login, the user is redirected to the logon page (not the relogin page) and asked to re-enter the userid/password.

An LTPA token is generated when using the LTPA authentication mechanism. If the challenge type is Basic, a userid/password is required to authenticate with an LDAP server after which an LTPA Credential is created for the user. The LTPA token resides inside the LTPA credential object. The LTPA token is digitally signed and encrypted and must be validated each time it is used for resource access.

Overview of Security Cache
The WebSphere security cache follows a mark-and-sweep algorithm to determine how long an entry stays in the cache hash tables. For each cache type there are two tables holding entries, a primary and a secondary cache. In the AdminGUI there is a cache timeout value (default 10 minutes) that sets the interval before a mark and sweep of the cache is triggered. The mark occurs at 1/2 the timeout period, which allows the sweep to occur at approximately the timeout period.

When the cache alarm is triggered, the first thing it does is clear the secondary table, so all entries in the secondary table are gone. After this, it enumerates all entries in the primary table: if an entry is not marked, the cache marks it; if an entry is already marked, the cache moves it to the secondary table. Any time an entry in the cache is used, it is unmarked and placed in the primary table, in effect lengthening the amount of time that object remains in the cache.

The cache timeout value set in the Global Security Settings determines the frequency of cache refresh. The refresh, as described above, will determine how often the cache gets purged based on usage frequency.

Setting the values
One should be very careful when modifying the configuration related to WebSphere AppServer security. Please call WAS Customer Support if you need help with this. In particular, if you need to modify the timeout settings for the Security Cache or the LTPA Token, follow these guidelines:

The LTPA token expiration time must be greater than the security cache timeout. This will prevent the cache from containing an expired token. If the LTPA token expiration time is set to be less than the security cache timeout, error messages such as the following will appear in the tracefile and the application server's standard out file:

[2002-08-04 18:29:41.722], [ServerID: 868610269], [CredentialsImpl.run]:
The expiration time for ltpa credentials is too short relative to the ORB
request timeout and/or the security cache timeout; a method request could take
longer than the period over which the credentials will remain valid, or the
credentials could expire while in the server cache.
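The following toy model, added here as an illustration and not IBM's code, simulates the primary/secondary mark-and-sweep described above and shows why an idle credential can outlive its LTPA token when the cache timeout is too long relative to the token expiration. It assumes the alarm fires every cache_timeout / 2 minutes and ignores the ORB request timeout mentioned in the message.

```python
"""Toy model of the WebSphere security cache's mark-and-sweep eviction.

Illustrative code, not IBM's implementation. Times are in minutes. The cache
alarm is assumed to fire every cache_timeout / 2, so an idle entry is marked
at about half the timeout and demoted out of the primary table at about the
timeout, then purged from the secondary table on the following alarm.
"""


class SecurityCache:
    """Two hash tables per cache type; each value is the entry's mark flag."""

    def __init__(self, cache_timeout):
        self.cache_timeout = cache_timeout  # the Global Security setting
        self.primary = {}    # recently used entries (key -> marked?)
        self.secondary = {}  # entries demoted by the last alarm

    def put(self, key):
        self.primary[key] = False  # new entries start unmarked

    def lookup(self, key):
        """Any use unmarks the entry and returns it to the primary table."""
        if key in self.primary or key in self.secondary:
            self.primary.pop(key, None)
            self.secondary.pop(key, None)
            self.primary[key] = False
            return True
        return False

    def alarm(self):
        """One mark-and-sweep pass: purge secondary, mark or demote primary."""
        self.secondary.clear()
        for key, marked in list(self.primary.items()):
            if marked:
                self.secondary[key] = self.primary.pop(key)
            else:
                self.primary[key] = True

    def contains(self, key):
        return key in self.primary or key in self.secondary


def untouched_eviction_time(cache_timeout):
    """Minutes until an entry that is never looked up leaves both tables."""
    cache = SecurityCache(cache_timeout)
    cache.put("cred")
    now = 0.0
    while cache.contains("cred"):
        now += cache_timeout / 2  # advance the clock to the next alarm
        cache.alarm()
    return now


def token_can_expire_in_cache(ltpa_timeout, cache_timeout):
    """True when an idle credential may still be cached after its LTPA token
    has expired, the condition the error message above warns about."""
    return ltpa_timeout <= untouched_eviction_time(cache_timeout)
```

With the default 10-minute cache timeout an idle entry lingers for about 15 minutes in this model, so a 5-minute LTPA expiration would let expired tokens sit in the cache while the usual two-hour expiration would not.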

The security cache is set as follows:
1. In WebSphere Application Server version 3.5.x, in Global Security Settings, on the General tab.
2. In WebSphere Application Server version 4.0.x, in the Security Center, on the General tab.

The LTPA Token Expiration is set as follows:
1. In WebSphere Application Server version 3.5.x, in the Global Security Settings, on the Authentication Mechanism tab.
2. In WebSphere Application Server version 4.0.x, in the Security Center, on the Authentication tab.

    Document Information

    Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Security
    Operating system(s): Multi-Platform
    Software version: 3.5, 4.0
    Software edition: Advanced, Enterprise
    Reference #: 1058785
    IBM Group: Software Group
    Modified date: 2004-09-06