PK06351: SECJ0371W: VALIDATION OF THE LTPA TOKEN FAILED BECAUSE THE TOKENEXPIRED. FOLLOWED BY SECJ0222E,SECJ0306E,ICH408I,SECJ0305I

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
While communicating with the Deployment Manager, the Node agent
sends an expired LTPA Token instead of acquiring a new token
before the LTPA token expiration timeout is reached.

As a result, the Deployment Manager will fail to authenticate
the request from the Node agent causing further exceptions in
both the node agent and the deployment manager regions.

Exceptions in DMGR...

Trace: 2005/04/27 15:10:30.522 01 t=ACFE88 c=UNK key=P2 (1300700
FunctionName: com.ibm.ws.security.ltpa.LTPAToken
SourceId: com.ibm.ws.security.ltpa.LTPAToken
Category: DEBUG
ExtendedMessage: token expired u: [Ljava.lang.String;@be8294a,
Expiration time: 05.04.27 15:03:36:227 CDT

Trace: 2005/04/27 15:10:32.815 01 t=ACFE88 c=UNK key=P2 (1300700
FunctionName: com.ibm.ws.security.ltpa.LTPAServerObject
SourceId: com.ibm.ws.security.ltpa.LTPAServerObject
Category: WARNING
ExtendedMessage: SECJ0371W: Validation of the LTPA token failed
because the token expired with the following info: Token
expiration Date: Wed Apr 27 15:03:36 CDT 2005, current Date: Wed
Apr 27 15:10:30 CDT 2005.

Trace: 2005/04/27 15:10:38.906 01 t=ACFE88 c=UNK key=P2 (1300700
FunctionName: com.ibm.ws.security.auth.JaasLoginHelper
SourceId: com.ibm.ws.security.auth.JaasLoginHelper
Category: AUDIT
ExtendedMessage: SECJ0222E: An unexpected exception occurred
when trying to create a LoginContext. The LoginModule alias is
system .DEFAULT and the exception is .

Trace: 2005/04/27 15:10:46.100 01 t=ACFE88 c=UNK key=P2 (1300700
FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
Category: ERROR
ExtendedMessage: SECJ0306E: No received or invocation credential
exist on the thread. The Role based authorization check will not
have an accessId of the caller to check. The parameters are:
access check method getRepositoryEpoch on resource Config
Repository and module ConfigRepository. The stack trace is
java.lang.Exception: dump thread stack for debugging
Local fix
Recycle of the Node Agent.
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Access check failures are registered    *
*                      in controllers. These are preceded      *
*                      by Active Authentication Mechanism      *
*                      expired messages (LTPA ICSF).           *
*                      An example follows:                     *
*                      BBOO0221W SECJ0371W: Validation of      *
*                      the LTPA token failed because the       *
*                      token expired ....                      *
*                                                              *
*                      followed by :                           *
*                      BBOO0220E SECJ0306E: No received or     *
*                      invocation credential exist on the      *
*                      thread. The Role based  authorization   *
*                      check will not have an accessId of the  *
*                      caller to check. The parameters are:    *
*                      access check method methodname on       *
*                      resource resourcename and module        *
*                      modulename. The stack trace is          *
*                      java.lang.Exception: dump thread        *
*                      stack for debugging                     *
*                      at com.ibm.ws.security.role.            *
*                      RoleBasedAuthorizerImpl.checkAccess     *
*                      (RoleBasedAuthorizerImpl.java()         *
*                      at com.ibm.ws.maninvoke                 *
*                      (AdminServiceImpl.java()) ....          *
*                                                              *
*                      After this occurs important             *
*                      administration functions                *
*                      may fail to complete such as node       *
*                      synchronization, stopping a server,     *
*                      and many others.                        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When localOS is the Active User Registry, a server's identity
is not initialized correctly in JAVA.  This error causes servers
to use stale Active Authentication Mechanism tokens
(LTPA, ICSF). When these tokens are processed they may cause
access check failures to be registered at the recipient,
that are preceded by Active Authentication Mechanism
expired messages.  This problem has a particularly detrimental
effect on system administration.  It causes Node Agents to
sever communications with the Deployment Manager and
application servers.  When this occurs
important administration functions fail to complete such as,
node synchronization, stopping a server, and many others.
Problem conclusion
When localOS is the Active User Registry, a server's identity
is now correctly initialized in JAVA.

APAR PK06351 is associated with SERVICE LEVEL W502032 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PK06351
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2005-05-25
Closed date 2005-07-25
Last modified date 2005-08-02

APAR is sysrouted FROM one or more of the following:
PK06349

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UK05697    UP05/07/29 P F507

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PK06351.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PK06351
IBM Group: Software Group
Modified date: Aug 2, 2005