PQ98205: EXCESSIVE NUMBER OF ACEE CONTROL BLOCKS CREATED DURING WEB AUTHENTICATION MAY CAUSE MEMORY LEAK IN THE WEBSPHERE V5.0
APAR status
Closed as program error.

Error description
Customers may notice a large number of initACEE requests in WebSphere during web authentication. These ACEE control blocks do not get cleaned up until a specific time in the day, which may cause a potential storage leak before they get cleaned up. This APAR addresses this problem.

Local fix

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS

PROBLEM DESCRIPTION: Memory leak of BBOOOPIs with client certificate logins for Web Applications.

Excessive initACEEs may be observed as SMF records generated by the system security product. For RACF, this is SMF record type 80, event code 67. For ACF2, this is SMF record type 230, ACF2 subtype SMFOR. Other security products will be different.

RECOMMENDATION:

A server is configured with security using the localOS registry. A browser, with cookies disabled, accesses a web application with an SSL client certificate. An initACEE is done and an SMF record is cut. Multiple requests to the same page result in an initACEE and SMF record on each request.

An initACEE is issued with the client certificate. The initACEE maps the client certificate to a SAF userid and the WebSphere Application Server creates a security token that it uses to identify the user. The userid is then added to the security cache using the userid and realm as the key.

Another request with a client certificate results in a new initACEE and a new security token. However, the certificate may be mapped to the same userid. The userid is then found in the cache, since the cache lookup was done by userid and realm. The new security token that was created on the most recent initACEE is then added to the cache, overwriting the original. When it is time to delete the initACEE data, only the last security token is known and therefore freed.

Problem conclusion
The code was changed to "free" the data associated with the previous security token before replacing it with the new one. Note that the "free" does not result in an immediate release, but relies on Java garbage collection.

APAR PQ98205 is associated with SERVICE LEVEL W502022 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced
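Added example, not IBM code and not part of the APAR record: a simplified Java model of the cache behaviour described in the problem summary, showing the overwrite that orphans earlier security tokens next to the release-before-replace fix. The class and method names, the `WEBUSR1` userid and the `LOCALOS` realm string are assumptions made for illustration, and an explicit release counter stands in for the garbage-collection-driven release the APAR mentions.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model for illustration; not WebSphere source code.
public class AceeCacheModel {
    // Number of tokens whose initACEE data has not been released yet.
    static int live = 0;

    // Stands in for the security token created after each initACEE.
    static final class SecurityToken {
        final String userid;
        private boolean released = false;
        SecurityToken(String userid) { this.userid = userid; live++; }
        void release() { if (!released) { released = true; live--; } }
    }

    // Cache keyed by userid and realm, as the APAR describes.
    static final Map<String, SecurityToken> cache = new HashMap<>();

    // Before the fix: the new token silently replaces the previous entry.
    static void putBeforeFix(String realm, SecurityToken t) {
        cache.put(realm + "/" + t.userid, t);
    }

    // After the fix: release the previous token's data before replacing it.
    static void putAfterFix(String realm, SecurityToken t) {
        SecurityToken previous = cache.put(realm + "/" + t.userid, t);
        if (previous != null && previous != t) previous.release();
    }

    // Simulates certificate logins that all map to one userid, then cache
    // cleanup. Returns how many tokens are still unreleased afterwards.
    static int run(int requests, boolean fixed) {
        live = 0;
        cache.clear();
        for (int i = 0; i < requests; i++) {
            SecurityToken t = new SecurityToken("WEBUSR1"); // constructed userid
            if (fixed) putAfterFix("LOCALOS", t); else putBeforeFix("LOCALOS", t);
        }
        // Cleanup can only release tokens the cache still references.
        for (SecurityToken t : cache.values()) t.release();
        cache.clear();
        return live;
    }

    public static void main(String[] args) {
        System.out.println("unreleased before fix: " + run(1000, false));
        System.out.println("unreleased after fix:  " + run(1000, true));
    }
}
```

In the pre-fix path every request except the last leaves a token that cleanup never sees, so the unreleased count grows with the number of cookie-less certificate requests for the same userid.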
Document Information
Current web document: swg1PQ98205.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ98205
IBM Group: Software Group
Modified date: Feb 1, 2005
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.