PQ96574: WSAS Security Hung if LDAP hung
APAR status
Closed as program error.

Error description
WebSphere needs to have a mechanism to implement ldap socket_tim .
The LDAP processing hangs, which leads to an application or AppServer hang. Analysis of the javacore (thread dumps) shows that there are numerous threads in this state:

    "Thread-3697" (TID:0x324D87B0, sys_thread_t:0x3A892500, state:R, native ID:0x22AA) prio=5
        at java.net.SocketInputStream.socketRead(Native Method)
        at java.net.SocketInputStream.read(SocketInputStream.java(Compiled Code))
        at java.io.BufferedInputStream.fill(BufferedInputStream.java(Compiled Code))
        at java.io.BufferedInputStream.read1(BufferedInputStream.java(Compiled Code))
        at java.io.BufferedInputStream.read(BufferedInputStream.java(Compiled Code))
        at com.sun.jndi.ldap.Connection.run(Connection.java(Compiled Code))
        at java.lang.Thread.run(Thread.java(Compiled Code))

Recreation steps:
Please note:
1. You need to modify ldaphost, dn and password to point to the LDAP you use.
2. Edit the property com.sun.jndi.ldap.connect.pool to enable or disable pooling for JDK 1.4.1 or JDK 1.4.2 (this property is not available for JDK 1.3.1).

How to test:
Scenario 1: enable pooling with the 1.4.x JDK, compile and run the test program, then use netstat (if running on Windows); the LDAP port opened by the client is cleared.
Scenario 2: disable pooling, recompile with the 1.4.x or 1.3.1 JDK, run the test program, then run netstat; you will see the LDAP client port is still there in "Time_Wait" status, and it takes about 2 to 3 minutes to be cleaned out.

This is the WAS5.0 fix for PQ93851. There is no WAS 5.0.x fix equivalent to PQ96046. There is no fix for the recovery issue, as there is in WAS 5.1.x.

Local fix
None. Lowering the tcpip timeouts may alleviate it somewhat.

Problem summary
USERS AFFECTED: WebSphere Application Server users who have enabled security and configured LDAP as the user registry.
PROBLEM DESCRIPTION: When a JNDI search hangs, the thread does not return.
RECOMMENDATION:

The search timeout mechanism in JNDI does not always function as documented. A search call may never return even though the timeout value is exceeded. This JNDI defect can cause a request involving user authentication, or searching for users or groups to add them to roles via the Administration Console, to hang.

Problem conclusion
Code was implemented to work around this defect in the JNDI timeout function. A service thread now monitors all JNDI search calls. Threads in search calls are now interrupted if a call is not completed within the configured search timeout value. This APAR only applies to search operations. BIND operations may still experience this problem. Connection/BIND timeout is not interruptible, and a JNDI connection timeout property does not exist in Java 1.3.1.

Temporary fix

Comments
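The watchdog approach described under "Problem conclusion", sketched as an added example that is not IBM's code or part of the original APAR: a caller bounds a blocking search and interrupts the worker once the configured timeout passes. Assumptions: the class and method names are hypothetical, the hung search is simulated with a constructed latch, and it uses java.util.concurrent, which is newer than the JDK levels named on this page.

```java
import java.util.concurrent.*;

// Added example; all names are hypothetical.
public class BoundedSearch {
    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "ldap-search-worker");
        t.setDaemon(true);   // a stuck worker must not block JVM shutdown
        return t;
    });

    /** Runs the search; interrupts it and throws TimeoutException after timeoutMs. */
    static <T> T call(Callable<T> search, long timeoutMs) throws Exception {
        Future<T> f = POOL.submit(search);
        try {
            return f.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            f.cancel(true);  // delivers Thread.interrupt() to the worker
            throw e;
        } catch (ExecutionException e) {
            Throwable c = e.getCause();
            throw (c instanceof Exception) ? (Exception) c : e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a search whose reply never arrives.
        // In real use the Callable would wrap a DirContext.search(...) call.
        CountDownLatch neverReleased = new CountDownLatch(1);
        CountDownLatch interrupted = new CountDownLatch(1);
        Callable<String> hungSearch = () -> {
            try {
                neverReleased.await();
                return "unreachable";
            } catch (InterruptedException ie) {
                interrupted.countDown();   // record that the watchdog reached us
                throw ie;
            }
        };
        try {
            call(hungSearch, 500);
        } catch (TimeoutException e) {
            System.out.println("search abandoned after timeout");
        }
        boolean seen = interrupted.await(1, TimeUnit.SECONDS);
        System.out.println("worker interrupted: " + seen);
        String dn = call(() -> "uid=jdoe (constructed)", 500);   // normal path
        System.out.println("completed search returned: " + dn);
    }
}
```

The request thread is released at the deadline either way; a worker blocked in a call that ignores interrupts remains stuck in the pool, which matches the APAR's caveat that BIND and connection setup are not covered.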
APAR is sysrouted FROM one or more of the following: PQ93851
APAR is sysrouted TO one or more of the following:

Modules/Macros
Publications Referenced
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00A
Software edition:
Reference #: PQ96574
IBM Group: Software Group
Modified date: Apr 1, 2005
(C) Copyright IBM Corporation 2000, 2008. All Rights Reserved.