PK15682: SECURITY CREDENTIAL CACHE MAY BE MISSED

 Fixes are available

6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for AIX platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for HP-UX platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for OS/400 platform
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for Solaris
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for Windows platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for AIX platforms
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for HP-UX platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for HP-UX platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for AIX platforms
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Solaris
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Windows
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Windows
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for AIX
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for AIX platforms
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for HP-UX platforms
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for Linux platforms
V6.0.2: Java SDK 1.4.2 SR11 Cumulative Fix for IBM WebSphere Application Server
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for Solaris
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for Windows platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for Linux platforms
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for HP-UX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for AIX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Linux
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for HP-UX
6.0.2.9: WebSphere Application Server V6.0.2 Fix Pack 9 for Windows platforms
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Linux
6.0.2.11: WebSphere Application Server V6.0.2 Fix Pack 11 for Solaris platforms
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for Solaris
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for Windows
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for HP-UX
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for AIX
6.0.2.13: WebSphere Application Server V6.0.2 Fix Pack 13 for AIX platforms
6.0.2.13: WebSphere Application Server V6.0.2 Fix Pack 13 for HP-UX platforms
6.0.2.11: WebSphere Application Server V6.0.2 Fix Pack 11 for Windows platforms
6.0.2.11: WebSphere Application Server V6.0.2 Fix Pack 11 for HP-UX platforms
6.0.2.11: WebSphere Application Server V6.0.2 Fix Pack 11 for Linux platforms
6.0.2.13: WebSphere Application Server V6.0.2 Fix Pack 13 for Windows platforms
6.0.2.13: WebSphere Application Server V6.0.2 Fix Pack 13 for Linux platforms
6.0.2.15: WebSphere Application Server V6.0.2 Fix Pack 15 for OS/400
6.0.2.15: WebSphere Application Server V6.0.2 Fix Pack 15 for HP-UX
6.0.2.9: WebSphere Application Server V6.0.2 Fix Pack 9 for Solaris platforms
6.0.2.9: WebSphere Application Server V6.0.2 Fix Pack 9 for AIX platforms
6.0.2.9: WebSphere Application Server V6.0.2 Fix Pack 9 for HP-UX platforms
6.0.2.9: WebSphere Application Server V6.0.2 Fix Pack 9 for Linux platforms
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for Linux platforms
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for Solaris
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for Windows platforms
6.0.2.15: WebSphere Application Server V6.0.2 Fix Pack 15 for AIX
6.0.2.15: WebSphere Application Server V6.0.2 Fix Pack 15 for Solaris
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for AIX platforms
6.0.2.17: WebSphere Application Server V6.0.2 Fix Pack 17 for OS/400 platform
6.0.2.17: WebSphere Application Server V6.0.2 Fix Pack 17 for Solaris
6.0.2.17: WebSphere Application Server V6.0.2 Fix Pack 17 for Windows platforms
6.0.2.17: WebSphere Application Server V6.0.2 Fix Pack 17 for HP-UX platforms
6.0.2.17: WebSphere Application Server V6.0.2 Fix Pack 17 for AIX platforms
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for Linux
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Solaris
6.0.2.11: WebSphere Application Server V6.0.2 Fix Pack 11 for AIX platforms
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for HP-UX platforms
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for Windows platforms
6.0.2.13: WebSphere Application Server V6.0.2 Fix Pack 13 for Solaris platform
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for OS/400 platform
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for HP-UX platforms
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for Linux platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for Windows platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for Solaris
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for OS/400 platform
6.0.2.15: WebSphere Application Server V6.0.2 Fix Pack 15 for Windows
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for Linux platforms
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for AIX platforms
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for Windows platforms
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for Solaris platforms
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for Solaris
6.0.2.17: WebSphere Application Server V6.0.2 Fix Pack 17 for Linux platforms
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for Linux platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for AIX platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for HP-UX platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for OS/400 platform
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for Linux platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for Solaris
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for Windows platforms

APAR status
Closed as program error.

Error description
If the login name does not exactly match what is in the registry,
the cache lookup is missed and the user is forced to go back to
the registry to validate repeatedly. Say a user logs in with bob,
and LDAP stores and returns Bob; before this fix the cache key is
based on Bob, not bob, so bob is not cached. With this fix, both
bob and Bob are cached if they belong to the same user object.
Another example: a user logs in with an email address, and the
registry is configured to display uid; before this fix only the
uid is cached, after this fix both uid and email are cached if
they map to the same user object.
 -
Running WebSeal with a TAI. It looks like LDAP is being called
too often to authenticate the fed_trade_tai id. Caching is not
being done.

The security.xml file shows:
 name="com.ibm.websphere.security.webseal.id" value="iv-user"
 name="com.ibm.websphere.security.webseal.loginId"
  value="fed_trade_tai"
 name="com.ibm.websphere.security.webseal.mutualSSL"
  value="false"
 groupMemberIdMap="accessGroup:member"
Analysis shows:
The authcache is missed because the case of the ID in the TAI
differs from the case of the ID in the LDAP server. In the trace
we can see that the TAI logs in with lower case, "fed_trade_tai",
while in LDAP it is stored as "FED_TRADE_TAI". The current
authentication cache uses the value from LDAP, "FED_TRADE_TAI",
as the lookup key, so a login with "fed_trade_tai" does not
match the cache key.

Since LDAP is not case sensitive and treats both
"fed_trade_tai" and "FED_TRADE_TAI" as the same, I decided to
make a fix to cache both the loginid provided by the user
("fed_trade_tai") and the loginID normalized by LDAP
("FED_TRADE_TAI"), if they are indeed the same in LDAP.
Local fix
Since the junction in WebSeal is using uppercase, she changed the
WebSphere Id in the TAI to be uppercase and that resolved the
problem.
KEYWORDS:
LDAP security slow performance hang nocache slowdown
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security users  *
****************************************************************
* PROBLEM DESCRIPTION: Security credential cache may be missed *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The security cache lookup was based on the security name in the
security subject. If the login name did not exactly match the
security name in the subject, the login name was forced to be
mapped to the user registry again to regenerate a new security
credential, even though both belong to the same subject.
For example, in a case-insensitive user registry, a user logging
in as bob does not match BOB in the user registry, so bob would
be forced to be re-mapped to the user registry every time bob
logs in again within the cache timeout. Another example: if the
user logs in with an email address and the security name in the
credential is the uid, this user would never be retrieved from
the cache.
Problem conclusion
Fixed the cache lookup to include both the login name and its
credential's security name as the cache lookup key.
The fix for this APAR is currently targeted for inclusion in
fixpack 5.0.2.17 and 5.1.1.10. Please refer to the Recommended
Updates page for delivery dates:

http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg27004980
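A model of the cache-key change described in the error description and problem summary above, as an added Python example and not WebSphere's own code; the registry entries, mail addresses and the registry-call counter are constructed for illustration:

```python
# Added example: a simplified model of the credential-cache behaviour this
# APAR describes. Not WebSphere code; the registry, cache and names below
# are constructed to illustrate the change of cache lookup key.
from dataclasses import dataclass, field
# Constructed case-insensitive registry: canonical security name -> record.
# Like the LDAP in the report it resolves "fed_trade_tai" to "FED_TRADE_TAI",
# and it also resolves a mail address to the same user object.
REGISTRY = {
    "FED_TRADE_TAI": {"mail": "tai@example.com"},
    "Bob": {"mail": "bob@example.com"},
}

def registry_lookup(login_name):
    """Map a login name to the registry's security name (uid), or None.
    Matching is case-insensitive on uid and also accepts the mail value."""
    lowered = login_name.lower()
    for uid, rec in REGISTRY.items():
        if lowered in (uid.lower(), rec["mail"].lower()):
            return uid
    return None

@dataclass
class AuthCache:
    fixed: bool                      # False = pre-fix keying, True = post-fix
    entries: dict = field(default_factory=dict)  # lookup key -> security name
    registry_calls: int = 0          # how often we had to go back to LDAP

    def login(self, login_name):
        """Return the security name, from cache when the key is present."""
        if login_name in self.entries:
            return self.entries[login_name]
        self.registry_calls += 1
        security_name = registry_lookup(login_name)
        if security_name is None:
            return None
        # Pre-fix: the only cache key is the security name LDAP returned,
        # so a later login with "fed_trade_tai" never finds "FED_TRADE_TAI".
        self.entries[security_name] = security_name
        # Post-fix: the login name is keyed too, because the registry has
        # just confirmed that it maps to the same user object.
        if self.fixed:
            self.entries[login_name] = security_name
        return security_name

def registry_calls_for(fixed, logins):
    # Replay a sequence of logins and count trips to the registry.
    cache = AuthCache(fixed=fixed)
    for name in logins:
        cache.login(name)
    return cache.registry_calls
```

Repeated lower-case logins hit the registry every time under the pre-fix keying and once under the post-fix keying, which is the slowdown the keywords above describe.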
Temporary fix Comments
APAR information
APAR number PK15682
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 10S
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2005-11-22
Closed date 2006-02-10
Last modified date 2006-03-29

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY

Publications Referenced

Fix information
Fixed component name WAS BASE 5.0
Fixed component ID 5630A3600

Applicable component levels
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 10S
Software edition:
Reference #: PK15682
IBM Group: Software Group
Modified date: Mar 29, 2006