PK06351: SECJ0371W: VALIDATION OF THE LTPA TOKEN FAILED BECAUSE THE TOKENEXPIRED. FOLLOWED BY SECJ0222E,SECJ0306E,ICH408I,SECJ0305I | |||||||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description While communicating with the Deployment Manager, the Node agent sends an expired LTPA Token instead of acquiring a new token before the LTPA token expiration timeout is reached. As a result, the Deployment Manager will fail to authenticate the request from the Node agent causing further exceptions in both the node agent and the deployment manager regions. Exceptions in DMGR... Trace: 2005/04/27 15:10:30.522 01 t=ACFE88 c=UNK key=P2 (1300700 FunctionName: com.ibm.ws.security.ltpa.LTPAToken SourceId: com.ibm.ws.security.ltpa.LTPAToken Category: DEBUG ExtendedMessage: token expired u: [Ljava.lang.String;@be8294a, Expiration time: 05.04.27 15:03:36:227 CDT Trace: 2005/04/27 15:10:32.815 01 t=ACFE88 c=UNK key=P2 (1300700 FunctionName: com.ibm.ws.security.ltpa.LTPAServerObject SourceId: com.ibm.ws.security.ltpa.LTPAServerObject Category: WARNING ExtendedMessage: SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Wed Apr 27 15:03:36 CDT 2005, current Date: Wed Apr 27 15:10:30 CDT 2005. Trace: 2005/04/27 15:10:38.906 01 t=ACFE88 c=UNK key=P2 (1300700 FunctionName: com.ibm.ws.security.auth.JaasLoginHelper SourceId: com.ibm.ws.security.auth.JaasLoginHelper Category: AUDIT ExtendedMessage: SECJ0222E: An unexpected exception occurred when trying to create a LoginContext. The LoginModule alias is system .DEFAULT and the exception is . Trace: 2005/04/27 15:10:46.100 01 t=ACFE88 c=UNK key=P2 (1300700 FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl Category: ERROR ExtendedMessage: SECJ0306E: No received or invocation credential exist on the thread. The Role based authorization check will not have an accessId of the caller to check. The parameters are: access check method getRepositoryEpoch on resource Config Repository and module ConfigRepository. The stack trace is java.lang.Exception: dump thread stack for debuggingLocal fix Recycle of the Node Agent.Problem summary **************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V5.0 for z/OS * **************************************************************** * PROBLEM DESCRIPTION: Access check failures are registered * * in controllers. These are preceded * * by Active Authentication Mechanism * * expired messages (LTPA ICSF). * * An example follows: * * BBOO0221W SECJ0371W: Validation of * * the LTPA token failed because the * * token expired .... * * * * followed by : * * BBOO0220E SECJ0306E: No received or * * invocation credential exist on the * * thread. The Role based authorization * * check will not have an accessId of the * * caller to check. The parameters are: * * access check method methodname on * * resource resourcename and module * * modulename. The stack trace is * * java.lang.Exception: dump thread * * stack for debugging * * at com.ibm.ws.security.role. * * RoleBasedAuthorizerImpl.checkAccess * * (RoleBasedAuthorizerImpl.java() * * at com.ibm.ws.maninvoke * * (AdminServiceImpl.java()) .... * * * * After this occurs important * * administration functions * * may fail to complete such as node * * synchronization, stopping a server, * * and many others. * **************************************************************** * RECOMMENDATION: * **************************************************************** When localOS is the Active User Registry, a server's identity is not initialized correctly in JAVA. This error causes servers to use stale Active Authentication Mechanism tokens (LTPA, ICSF). When these tokens are processed they may cause access check failures to be registered at the recipient, that are preceded by Active Authentication Mechanism expired messages. This problem has a particularly detrimental effect on system administration. It causes Node Agents to sever communications with the Deployment Manager and application servers. When this occurs important administration functions fail to complete such as, node synchronization, stopping a server, and many others.Problem conclusion When localOS is the Active User Registry, a server's identity is now correctly initialized in JAVA. APAR PK06351 is associated with SERVICE LEVEL W502032 of WebSphere Application Server V5.0 for z/OS.Temporary fix Comments
APAR is sysrouted FROM one or more of the following: PK06349 APAR is sysrouted TO one or more of the following: Modules/Macros
Publications Referenced
|
Document Information |
Current web document: swg1PK06351.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PK06351
IBM Group: Software Group
Modified date: Aug 2, 2005
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.