APAR status
Closed as program error.
Error description
Scenario:
- User "A" logs into the WebSphere Application Server admin console at 10:17.
- User "A" clicks "logout" on the WebSphere Application Server admin console at 10:27.
- They then switch browsers and log back into the WebSphere Application Server console with user "A" at 10:28.
- User "A" is kicked out of the admin console at 10:44 because LTPA token validation failed.
Stack Trace:
[6/24/06 10:17:11:284 SGT] 6775e0b1 FormLoginServ d Form based login: userid/password present in the form. User is: A
...
[6/24/06 10:27:43:945 SGT] 6775e0b1 FormLogoutSer > formLogout
[6/24/06 10:27:43:945 SGT] 6775e0b1 FormLogoutSer d LTPA Enabled, clearing LTPA Cookie
...
[6/24/06 10:28:41:114 SGT] 1e9da0a9 FormLoginServ d Form based login: userid/password present in the form. User is: A
...
[6/24/06 10:44:11:827 SGT] 2ec26098 WebAuthentica < validate: LTPA token validation failed
So we can see the user logged in for 10 minutes before logging
out, then logged back in again for another 16 minutes before
being kicked out, for a total of 27 minutes. The LTPA timeout is
set to 33 minutes, so it looks like it is using the original
LTPA token. From the trace, I never see this LTPA token's
timeout updated.
Conclusion:
LTPA Token expiration time is taken from the WSCredential that
resides in the cache.
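The timing comparison made by hand above can be run mechanically over a trace. The Python below is an added example, not IBM code and not part of the original APAR; `parse_events` and `find_early_expiry` are hypothetical names, the sample is the APAR's own trace entries unwrapped, and it assumes the excerpt covers one user's activity and that the operator supplies the configured LTPA timeout.

```python
import re
from datetime import datetime, timedelta

# Trace entries from the APAR, unwrapped to one per line (assumed on-disk layout).
SAMPLE_TRACE = """\
[6/24/06 10:17:11:284 SGT] 6775e0b1 FormLoginServ d Form based login: userid/password present in the form. User is: A
[6/24/06 10:27:43:945 SGT] 6775e0b1 FormLogoutSer > formLogout
[6/24/06 10:27:43:945 SGT] 6775e0b1 FormLogoutSer d LTPA Enabled, clearing LTPA Cookie
[6/24/06 10:28:41:114 SGT] 1e9da0a9 FormLoginServ d Form based login: userid/password present in the form. User is: A
[6/24/06 10:44:11:827 SGT] 2ec26098 WebAuthentica < validate: LTPA token validation failed
"""

# [timestamp TZ] thread-id component event-type message
LINE = re.compile(r"^\[(\S+ \S+) \w+\] \w+ (\S+)\s+\S\s+(.*)$")

def parse_events(trace):
    """Yield (timestamp, kind, user) for login, logout and LTPA-failure entries."""
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips "..." gaps and unrelated text
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S:%f")
        component, msg = m.group(2), m.group(3)
        if component.startswith("FormLoginServ") and "User is:" in msg:
            yield ts, "login", msg.rsplit("User is:", 1)[1].strip()
        elif component.startswith("FormLogoutSer") and msg.startswith("formLogout"):
            yield ts, "logout", None
        elif "LTPA token validation failed" in msg:
            yield ts, "ltpa_fail", None

def find_early_expiry(trace, ltpa_timeout_minutes):
    """Return LTPA failures that hit a post-logout login before the timeout elapsed."""
    # Assumption: single-user excerpt, because the failure entry shown in the
    # APAR carries no user ID to correlate on.
    timeout = timedelta(minutes=ltpa_timeout_minutes)
    first = last = None  # (timestamp, user) of the first and the latest login
    pending_logout = relogin = False
    findings = []
    for ts, kind, user in parse_events(trace):
        if kind == "login":
            relogin = pending_logout  # True only if a logout preceded this login
            first, last = first or (ts, user), (ts, user)
        elif kind == "logout":
            pending_logout = first is not None
        elif kind == "ltpa_fail" and relogin and ts - last[0] < timeout:
            findings.append({"user": last[1],
                "minutes_since_relogin": round((ts - last[0]).total_seconds() / 60),
                "minutes_since_first_login": round((ts - first[0]).total_seconds() / 60)})
    return findings
```

A finding means the session that followed a logout was invalidated before the configured timeout, which is the symptom this APAR describes; it does not by itself prove the AuthCache was the cause.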
Local fix
Disable the authCache value. Define a custom JVM property as
follows.
Name: com.ibm.websphere.security.util.authCacheEnabled
Value: false
Use the following link to enable the custom property:
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/urun_rconfproc_jvm.html
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server *
* who utilize the FormLogout function *
****************************************************************
* PROBLEM DESCRIPTION: When you log out of WebSphere *
* Application Server, either via *
* application or administrative console, *
* the user credentials are not properly *
* removed from the AuthCache. This *
* causes a user, who logs back in, to *
* obtain the previous credential expire *
* time. This may cause users to be *
* force logged out sooner than expected. *
****************************************************************
* RECOMMENDATION: *
****************************************************************
WebSphere Application Server was incorrectly leaving the user
credential in the AuthCache when a user was logged out.
Problem conclusion
WebSphere Application Server has been modified to correctly
remove the AuthCache credential entry when a user is logged out.
The fix for this APAR is currently targeted for inclusion
in cumulative fix 5.1.1.13 and fixpacks 6.0.2.17 and 6.1.0.5.
Please refer to the recommended updates page for delivery
information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR information
APAR number: PK28460
Reported component name: WAS NETWRK DEPL
Reported component ID: 5630A3601
Reported release: 00W
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2006-07-21
Closed date: 2006-10-04
Last modified date: 2006-12-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PK34164
Modules/Macros
Publications Referenced
Fix information
Fixed component name: WAS NETWRK DEPL
Fixed component ID: 5630A3601
Applicable component levels
R00A PSY UP
R00H PSY UP
R00S PSY UP
R00W PSY UP
R103 PSY UP
R10A PSY UP
R10H PSY UP
R10S PSY UP
R10W PSY UP