How does WebSphere Application Server handle a User Registry outage?
 Technote (FAQ)
 
Question
This technote addresses how WebSphere® Application Server handles a user registry outage, whether the registry in use is LDAP, a custom registry, or Local OS (when using the Windows NT® Domain registry). A registry outage can cause WebSphere Application Server processes to hang, requiring them to be recycled to recover.
 
Cause
When WebSphere Security is enabled, each server process must hold valid credentials of its own. When a server's credentials expire, the server must contact the user registry to reauthenticate. Until it holds valid credentials again, nothing on that server works.
 
Answer
WebSphere Security requires the user registry to be available at all times. The question here is whether WebSphere Application Server can recover once a user registry outage has occurred. There is no guarantee that it will survive one.

One known scenario in which this problem occurs is the server's own LTPA token expiring during a user registry outage. Increasing the LTPA expiration time reduces the chance that the server Subject or Credential expires while the user registry is unavailable, and so reduces the likelihood of the server going down during a registry outage. The trade-off is that a longer expiration time also lengthens the period during which a token remains valid if it is ever hijacked. That is an unlikely event, but it is mentioned here because it can be key information when deciding server security policy.

Increasing the Security Cache Timeout, in addition to the LTPA expiration timeout, gives already-authenticated users more idle time before their Subjects (and with them their ability to use the server while the user registry is unavailable) are removed from the cache or expire.
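The two settings discussed above, the LTPA expiration time and the Security Cache Timeout, both live in the cell's security.xml. The following script is an added example written for this page, not code from the technote or from IBM: it reads both values from a constructed security.xml fragment, reports the trade-off each value implies (how often a server must reach the registry, how long an idle user survives an outage, and how long a hijacked token stays usable), and writes a tuned copy. The attribute names it relies on (the LTPA mechanism's timeout in minutes and the Security element's cacheTimeout in seconds) and the sample fragment are assumptions about the security.xml layout and are not taken from the technote.

```python
"""Audit and tune the LTPA timeout and security cache timeout in a
WebSphere security.xml fragment.  Added example, not IBM code; the
attribute names ('timeout' in minutes on the LTPA mechanism, 'cacheTimeout'
in seconds on the Security element) are assumptions about the file layout."""
import xml.etree.ElementTree as ET

XMI_NS = "http://www.omg.org/XMI"
SEC_NS = "http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
# Keep the original prefixes when the tuned file is serialised again.
ET.register_namespace("xmi", XMI_NS)
ET.register_namespace("security", SEC_NS)

# Constructed sample fragment (not copied from a real cell) with the
# commonly cited defaults: LTPA timeout 120 minutes, cache timeout 600 s.
SAMPLE_SECURITY_XML = """<security:Security xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true" cacheTimeout="600"
    activeAuthMechanism="LTPA_1">
  <authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" timeout="120"/>
</security:Security>
"""


def _ltpa_element(root):
    """Return the authMechanisms element whose xmi:type is security:LTPA."""
    for mech in root.findall("authMechanisms"):
        if mech.get("{%s}type" % XMI_NS) == "security:LTPA":
            return mech
    raise ValueError("no LTPA authentication mechanism in security.xml")


def load_timeouts(xml_text):
    """Extract the two timeouts as integers (minutes and seconds)."""
    root = ET.fromstring(xml_text)
    return {
        "ltpa_timeout_minutes": int(_ltpa_element(root).get("timeout")),
        "cache_timeout_seconds": int(root.get("cacheTimeout")),
    }


def assess(ltpa_timeout_minutes, cache_timeout_seconds):
    """Spell out what the technote says each value buys and costs."""
    token_seconds = ltpa_timeout_minutes * 60
    return {
        # A server's own credential expires on the LTPA timeout, so this is
        # the longest it can go without successfully reaching the registry.
        "server_reauth_interval_minutes": ltpa_timeout_minutes,
        # An idle user's Subject is dropped when it leaves the cache OR its
        # token expires, whichever comes first.
        "effective_idle_window_seconds": min(token_seconds, cache_timeout_seconds),
        # A cache timeout longer than the token lifetime adds nothing: the
        # token expires before the cache entry would.
        "cache_exceeds_token": cache_timeout_seconds > token_seconds,
        # The cost the technote warns about: a stolen token is honoured for
        # the whole LTPA expiration period.
        "hijacked_token_exposure_minutes": ltpa_timeout_minutes,
    }


def set_timeouts(xml_text, ltpa_timeout_minutes, cache_timeout_seconds):
    """Return a copy of the fragment with both values changed."""
    root = ET.fromstring(xml_text)
    _ltpa_element(root).set("timeout", str(ltpa_timeout_minutes))
    root.set("cacheTimeout", str(cache_timeout_seconds))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = load_timeouts(SAMPLE_SECURITY_XML)
    print("current:", before, assess(**before))
    tuned = set_timeouts(SAMPLE_SECURITY_XML, 240, 1800)
    after = load_timeouts(tuned)
    print("tuned:  ", after, assess(**after))
```

Run it against a copy of security.xml rather than the live file: the script does not preserve comments or the original formatting, and on a real cell the values should be changed through the administrative console or wsadmin so that the change is synchronised to every node.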

The technote Using LDAP host virtualization techniques to leverage multiple LDAP servers might be relevant in this situation and describes a possible solution.

Each product release improves this area, for example by improving a server's survivability when it cannot reauthenticate, without opening security holes. For version 5.1, fix PQ96046 can help WebSphere Application Server recover from a user registry outage, but even with it there is no 100% guarantee that WebSphere Application Server will survive a user registry outage.
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Windows
Software version: 6.0.2
Software edition:
Reference #: 1193606
IBM Group: Software Group
Modified date: Jun 15, 2006