Question

This technote addresses how WebSphere® Application Server handles a user registry outage, whether the registry in use is LDAP, a custom registry, or Local OS (when using the Windows NT® Domain registry). Registry outages can cause WebSphere Application Server processes to hang, requiring them to be recycled to recover.

Cause

When WebSphere Security is enabled, each server process must hold valid credentials. When a server's credentials expire, it must contact the user registry to reauthenticate; until it holds valid credentials again, nothing on that server will work.

Answer

It is important to state that WebSphere Security requires the user registry to be available at all times. What is discussed here is whether WebSphere can recover from a user registry outage. There is no guarantee that WebSphere Application Server will survive a user registry outage.

One known scenario in which this problem occurs is when the server's LTPA token expires during a user registry outage. Increasing the LTPA expiration time reduces the chance that the server Subject or Credential expires while the user registry is unavailable, and therefore reduces the likelihood of the server going down during a registry outage. However, a longer expiration time also lengthens the period during which a token remains valid if it were somehow hijacked. This is an unlikely event, but it is mentioned because it may be key information when making decisions on server security policies.

Increasing the Security Cache Timeout, in addition to the LTPA expiration timeout, gives existing users more idle time on the system before their Subjects (and effectively their ability to use the server while the user registry is unavailable) are removed from the cache or expire.
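
As an added illustration (not part of the technote), the Python below reads the two settings from a security.xml fragment and models the trade-off described above: a longer LTPA timeout means fewer registry outages coincide with a server credential expiry, but a hijacked token stays valid for that same longer window. The attribute names and units (`cacheTimeout` in seconds on the Security element, `timeout` in minutes on the LTPA authMechanisms entry), the sample fragment, and the uniform outage model are assumptions.

```python
import xml.etree.ElementTree as ET

XMI_NS = "http://www.omg.org/XMI"

# Constructed security.xml fragment (not taken from the technote). Attribute
# names and units are an assumption about the security.xml layout:
# Security@cacheTimeout in seconds, LTPA authMechanisms@timeout in minutes.
SAMPLE_SECURITY_XML = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:version="2.0" enabled="true" cacheTimeout="600">
  <authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" timeout="120"/>
</security:Security>
"""


def read_timeouts(xml_text):
    """Return (LTPA timeout in minutes, security cache timeout in seconds)."""
    root = ET.fromstring(xml_text)
    cache_timeout_sec = int(root.get("cacheTimeout"))
    for mech in root.iter("authMechanisms"):
        if mech.get("{%s}type" % XMI_NS) == "security:LTPA":
            return int(mech.get("timeout")), cache_timeout_sec
    raise ValueError("no LTPA authMechanisms entry in security.xml")


def expires_during_outage(ltpa_min, last_refresh_min, outage_start_min, outage_end_min):
    """True when the server's own LTPA credential expires inside the outage window:
    the server must reauthenticate, the registry is unavailable, and it hangs."""
    expiry_min = last_refresh_min + ltpa_min
    return outage_start_min <= expiry_min <= outage_end_min


def outage_hit_fraction(ltpa_min, outage_len_min):
    """Share of randomly timed outages of outage_len_min minutes that contain a
    credential expiry, given one expiry every ltpa_min minutes (uniform model)."""
    return min(1.0, outage_len_min / ltpa_min)


def assess(xml_text, outage_len_min):
    """Summarise the trade-off the technote describes for a given outage length."""
    ltpa_min, cache_sec = read_timeouts(xml_text)
    return {
        "ltpa_timeout_min": ltpa_min,
        "cache_timeout_sec": cache_sec,
        # Longer LTPA timeout: fewer outages coincide with an expiry ...
        "outage_hit_fraction": outage_hit_fraction(ltpa_min, outage_len_min),
        # ... but a hijacked token stays valid for that same longer window.
        "hijacked_token_window_min": ltpa_min,
    }
```

Running `assess(SAMPLE_SECURITY_XML, 30)` on the sample shows that a 30-minute outage coincides with a credential expiry in one quarter of cases at the 120-minute default, and that raising the timeout to 720 minutes cuts that to about one in twenty-four while widening the hijacked-token window to twelve hours.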

The technote, Using LDAP host virtualization techniques to leverage multiple LDAP servers, might be relevant in this situation and could be used as a possible solution.

With each product release, improvements are made in this area, for example improving a server's ability to survive being unable to reauthenticate, without opening security holes. For version 5.1, fix PQ96046 can help WebSphere Application Server recover from a user registry outage, but this still does not provide a 100% guarantee that WebSphere Application Server will survive a user registry outage.

Cross Reference information

Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK