PQ96574: WSAS Security Hung if LDAP hung

APAR status
Closed as program error.

Error description
WebSphere needs to have a mechanism to implement LDAP socket_tim
.
LDAP processing hangs, which leads to an application or
AppServer hang.  Analysis of the javacore (thread dumps) shows
that there are numerous threads in this state:
"Thread-3697" (TID:0x324D87B0, sys_thread_t:0x3A892500, state:R, native ID:0x22AA) prio=5
    at java.net.SocketInputStream.socketRead(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java(Compiled Code))
    at java.io.BufferedInputStream.fill(BufferedInputStream.java(Compiled Code))
    at java.io.BufferedInputStream.read1(BufferedInputStream.java(Compiled Code))
    at java.io.BufferedInputStream.read(BufferedInputStream.java(Compiled Code))
    at com.sun.jndi.ldap.Connection.run(Connection.java(Compiled Code))
    at java.lang.Thread.run(Thread.java(Compiled Code))
.
Recreation steps:
Please note:
1.  You need to modify ldaphost, dn and password to point to the
LDAP server you use.
2.  Edit the property com.sun.jndi.ldap.connect.pool to enable or
disable pooling for JDK 1.4.1 or JDK 1.4.2 (this property is not
available for JDK 1.3.1).
How to test:
Scenario 1: Enable pooling with a 1.4.x JDK, compile and run the
test program, then use netstat (if running on Windows); the LDAP
port opened by the client is cleared.
Scenario 2: Disable pooling, recompile with a 1.4.x or 1.3.1 JDK,
run the test program, then run netstat; you will see the LDAP
client port is still there in "Time_Wait" status, and it takes
about 2 to 3 minutes to be cleaned out.
.
.
This is the WAS5.0 fix for PQ93851.
There is no WAS 5.0.x fix equivalent to PQ96046.  There is
no fix for the recovery issue, as there is in WAS 5.1.x.

Local fix
None.  Lowering the TCP/IP timeouts may alleviate it somewhat.

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who have  *
*                 enabled security and configured LDAP as the  *
*                 user registry.                               *
****************************************************************
* PROBLEM DESCRIPTION: When a JNDI search hangs, the thread    *
*                      does not return.                        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The search timeout mechanism in JNDI does not always function
as documented.  A search call may never return even though
the timeout value is exceeded.  This JNDI defect can cause a
request involving user authentication or searching for users
or groups to add them to roles via the Administration Console
to hang.

Problem conclusion
Code was implemented to work around this defect in the JNDI
timeout function. A service thread now monitors all JNDI
search calls.  Threads in search calls are now interrupted
if a call is not completed within the configured search
timeout value.

This APAR only applies to search operations.  BIND operations
may still experience this problem.  Connection/BIND
timeout is not interruptible, and a JNDI connection timeout
property does not exist in Java 1.3.1.
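
The approach described above, enforcing a deadline on each JNDI search from outside the call and interrupting the worker when it passes, sketched in current Java as an added example (this is not IBM's fix code). The class name, host, base DN and filter are placeholders, and com.sun.jndi.ldap.read.timeout is a later JDK property that this page does not mention.

```java
import java.util.Hashtable;
import java.util.concurrent.*;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;

public class BoundedLdapSearch {   // hypothetical class, not WebSphere code
    // Daemon workers: a search that never returns cannot block JVM shutdown.
    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "ldap-search");
        t.setDaemon(true);
        return t;
    });

    /** First matching DN or null; TimeoutException if the deadline passes. */
    static String findDn(Hashtable<String, Object> env, String base, String filter,
                         int timeoutMs) throws Exception {
        Future<String> f = POOL.submit(() -> {
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setTimeLimit(timeoutMs); // JNDI's own limit, which may not fire
                NamingEnumeration<SearchResult> res = ctx.search(base, filter, sc);
                return res.hasMore() ? res.next().getNameInNamespace() : null;
            } finally {
                ctx.close();
            }
        });
        try {
            return f.get(timeoutMs, TimeUnit.MILLISECONDS); // caller returns at the deadline
        } catch (TimeoutException e) {
            f.cancel(true); // interrupt the stuck worker, like the APAR's service thread
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.test:389"); // placeholder
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // ms; absent in Java 1.3.1
        env.put("com.sun.jndi.ldap.read.timeout", "5000");    // ms; later JDKs only
        try {
            System.out.println(findDn(env, "dc=example,dc=test", "(uid=jdoe)", 5000));
        } catch (TimeoutException | ExecutionException e) {
            System.out.println("LDAP lookup failed, failing closed: " + e);
        }
    }
}
```

Interruption is not guaranteed to free the worker thread, as the page notes for Connection/BIND; the deadline on f.get is what keeps the authenticating thread from hanging.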

Temporary fix

Comments

APAR information
APAR number PQ96574
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 00A
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-11-01
Closed date 2004-12-02
Last modified date 2005-04-01

APAR is sysrouted FROM one or more of the following:
PQ93851

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Publications Referenced

Fix information

Applicable component levels
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00A
Software edition:
Reference #: PQ96574
IBM Group: Software Group
Modified date: Apr 1, 2005