PQ98205: EXCESSIVE NUMBER OF ACEE CONTROL BLOCKS CREATED DURING WEB AUTHENTICATION MAY CAUSE MEMORY LEAK IN THE WEBSPHERE V5.0

 A fix is available



APAR status
Closed as program error.

Error description
Customers may notice a large number of initACEE requests in
WebSphere during web authentication. These ACEE control blocks
are not cleaned up until a specific time of day, which may
cause a storage leak before they are cleaned up.
This APAR addresses this problem.
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Memory leak of BBOOOPIs with client     *
*                      certificate logins for Web              *
*                      Applications.                           *
*                                                              *
*                      Excessive initACEEs may be observed as  *
*                      SMF records generated by the system     *
*                      security product. For RACF, this is     *
*                      SMF record type 80, event code 67.      *
*                      For ACF2, this is SMF record type 230,  *
*                      ACF2 subtype SMFOR. Other security      *
*                      products will be different.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
A server is configured with security using the localOS registry.
A browser, with cookies disabled, accesses a web application
with an SSL client certificate. An initACEE is done and an SMF
record is cut. Multiple requests to the same page result in an
initACEE and SMF record on each request.

An initACEE is issued with the client certificate. The
initACEE maps the client certificate to a SAF userid and the
WebSphere Application Server creates a security token that it
uses to identify the user. The userid is then added to the
security cache using the userid and realm as the key. Another
request with client certificate results in a new initACEE and a
new security token. However, the certificate may be mapped to
the same userid. The userid is then found in the cache since
the cache lookup was done by userid and realm. The new security
token that was created on the most recent initACEE is then
added to the cache, overwriting the original. When it is time
to delete the initACEE data, only the last security token is known
and therefore freed.
Problem conclusion
The code was changed to "free" the data associated with the
previous security token before replacing it with the new one.
Note that the "free" does not result in an immediate release, but
relies on Java garbage collection.
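
The overwrite described in the problem summary and the corrected behaviour, as a simplified model. This is an added example, not code from WebSphere Application Server: the class, method and field names and the userid and realm values are hypothetical, and the model releases the replaced token immediately where the actual fix relies on Java garbage collection.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the behaviour described in this APAR; all names are hypothetical.
public class AceeCacheModel {
    static int liveTokens = 0; // stands in for initACEE data that is still allocated

    static final class SecurityToken {
        private boolean freed = false;
        SecurityToken() { liveTokens++; } // one token per initACEE
        void free() { if (!freed) { freed = true; liveTokens--; } }
    }

    private final Map<String, SecurityToken> cache = new HashMap<>();
    private final boolean freePrevious;

    AceeCacheModel(boolean freePrevious) { this.freePrevious = freePrevious; }

    // Each client-certificate request does a new initACEE and caches the new token
    // under a key built from realm and userid, replacing any existing entry.
    void certificateLogin(String userid, String realm) {
        SecurityToken token = new SecurityToken();
        SecurityToken previous = cache.put(realm + "/" + userid, token);
        if (freePrevious && previous != null) {
            previous.free(); // corrected behaviour: free the replaced token's data
        }
        // Without the free, 'previous' is no longer reachable through the cache,
        // so the later cleanup cannot find it.
    }

    // Cleanup: only tokens still present in the cache are known and freed.
    void purge() {
        for (SecurityToken t : cache.values()) t.free();
        cache.clear();
    }

    // Returns how many tokens remain allocated after 'requests' logins and a cleanup.
    static int leakedAfter(boolean freePrevious, int requests) {
        liveTokens = 0;
        AceeCacheModel model = new AceeCacheModel(freePrevious);
        for (int i = 0; i < requests; i++) model.certificateLogin("WEBUSER", "REALM1"); // constructed values
        model.purge();
        return liveTokens;
    }

    public static void main(String[] args) {
        System.out.println("overwrite without free, tokens left: " + leakedAfter(false, 1000));
        System.out.println("free before replace, tokens left:    " + leakedAfter(true, 1000));
    }
}
```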

APAR PQ98205 is associated with SERVICE LEVEL W502022 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix

Comments

APAR information
APAR number PQ98205
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-12-09
Closed date 2005-01-21
Last modified date 2005-02-01

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ97067    UP05/01/26 P F501



Document Information


Current web document: swg1PQ98205.html
Software version: 500
Reference #: PQ98205
IBM Group: Software Group
Modified date: Feb 1, 2005