Fix (APAR): PH21827
Status: Fix
Release: 9.0.5.4, 9.0.5.3, 9.0.5.2, 9.0.5.1, 9.0.5.0, 9.0.0.11, 9.0.0.10, 9.0.0.9, 9.0.0.8, 9.0.0.7, 9.0.0.6, 9.0.0.5, 9.0.0.4, 9.0.0.3, 9.0.0.2, 9.0.0.1, 9.0.0.0
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Supersedes Fixes: PI59831 PI63906 PI64573 PI64924 PI65751 PI73318 PI74857 PI75095 PI78336 PI80543 PI80549 PI80317 PI82308 PI84244 PI86752 PI87354 PI88253 PI88896 PI90373 PI92210 PI92332 PI94538 PI96403 PI96508 PH00569 PH02192 PH03525 PH07297 PH08804 PH10503 PH10892 PH11107 PH11684 PH12520 PH13175 PH14676 PH15248 PH15626 PH17304 PH18150 PH19189 PH19333 PH19907 PH20118 PH21008 PH21178 PH21611 PH22038 PH22195 PH22621 PH23572 PH23697 PH24737 PH25547 PH25697 PH25774 PH26523 PH26925 PH27173 PH27213 PH27827 PH27971
CMVC Defect: xxxxxx
Byte size of APAR: 3945095
Date: 2020-08-05

Abstract: OIDC TAI: NotSerializableException for JwtClaims error may occur

Description/symptom of problem:

PH21827 resolves the following problem:

ERROR DESCRIPTION:
When using the OpenID Connect (OIDC) trust association interceptor in WebSphere Application Server traditional, an error may be reported by the DynaCache component that the JwtClaims object is not serializable:

  DYNA0052E: The cached object can not be replicated or saved to disk.
  CacheID=1618033989 ClassName=com.ibm.ws.security.oidc.client.SessionData Type=cache-value Exception=java.io.NotSerializableException: org.jose4j.jwt.JwtClaims

LOCAL FIX:

PROBLEM SUMMARY:
USERS AFFECTED: All users of IBM WebSphere Application Server and OIDC
PROBLEM DESCRIPTION: java.io.NotSerializableException may occur when using the OIDC TAI
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

When using the OpenID Connect (OIDC) trust association interceptor (TAI), a java.io.NotSerializableException error for the org.jose4j.jwt.JwtClaims object may occur. When this problem happens, an entry like this will appear in the log:

  DYNA0052E: The cached object can not be replicated or saved to disk.
  CacheID=1618033989 ClassName=com.ibm.ws.security.oidc.client.SessionData Type=cache-value Exception=java.io.NotSerializableException: org.jose4j.jwt.JwtClaims

PROBLEM CONCLUSION:
By default, the OIDC TAI stores data in a DynaCache object. When used in a cluster environment, if the cache that OIDC is configured to use is shared with all the servers in the cluster, then all the objects in the cache must be serializable. The SessionData object that OIDC stores in DynaCache includes an org.jose4j.jwt.JwtClaims object. This object is not serializable. When the DynaCache component attempts to replicate a cache that contains a JwtClaims object, a java.io.NotSerializableException error will occur.

The OIDC TAI is updated so that the org.jose4j.jwt.JwtClaims object is no longer included in the OIDC session data. As a result of this change, when using the OIDC TAI to perform JWT authentication:

* The SessionData associated with each request is no longer stored. Since the JWT is verified for each request when performing JWT authentication, the SessionData is not needed.
* An org.jose4j.jwt.JwtClaims object is no longer stored on the runAs Subject. However, the access token from the request is stored on the runAs Subject and is accessible via the com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtFromSubject() API. See the OidcClientHelper Javadoc article in the Knowledge Center for additional information:
  https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/security/oidc/util/OidcClientHelper.html

The following methods are added to the com.ibm.websphere.security.oidc.util.OidcClientHelper API:

  getJwtClaimsAsString(String)
  getJwtClaimsAsMap(String)
  json2map(String)
  getJwtFromSubject()
  getJwtFromSubject(Subject)

  /**
   * Get the JWT claims from a JWT as a JSON String.
   *
   * For example:
   * {"sub":"1234567890","name":"John Doe", "admin": true,
   *  "exp":1588806453}
   *
   * @param jwtString The JWT (compact serialization) to decode
   * @return The JWT claims JSON String
   * @throws Exception if an error occurs decoding the JWT
   */
  public static String getJwtClaimsAsString(String jwtString) throws Exception

  /**
   * Get the JWT claims from a JWT as a Map.
   *
   * The Map will have value types that correspond to the
   * values in the claims string. For instance,
   * the following claims string:
   * {"sub":"1234567890","name":"John Doe", "admin": true,
   *  "exp":1588806453}
   *
   * will produce the map entries with the value types:
   * String, String, Boolean, Long
   *
   * @param jwtString The JWT (compact serialization) to decode
   * @return The JWT claims JSON represented as a Map
   * @throws Exception if an error occurs decoding the JWT
   */
  public static Map getJwtClaimsAsMap(String jwtString) throws Exception

  /**
   * Convert a JSON String to a Map.
   *
   * The Map will have value types that correspond to the
   * values in the JSON string. For instance,
   * the following JSON string:
   * {"sub":"1234567890","name":"John Doe", "admin": true,
   *  "exp":1588806453}
   *
   * will produce the map entries with the value types:
   * String, String, Boolean, Long
   *
   * @param jsonString The JSON String to convert
   * @return A Map created from the JSON String
   * @throws Exception if an error occurs creating the Map
   */
  public static Map json2map(String jsonString) throws Exception

  /**
   * Retrieve the JWT Authentication token from the current
   * runAs Subject.
   *
   * @return The JWT Authentication token String or null if
   *         there is no JWT Authentication token on the Subject
   * @throws Exception if an error occurs either while
   *         obtaining the runAs Subject or accessing the private
   *         credentials.
   */
  public static String getJwtFromSubject() throws Exception

  /**
   * Retrieve the JWT Authentication token from the input
   * Subject.
   *
   * @param subj The Subject whose private credentials are searched
   * @return The JWT Authentication token String or null if
   *         there is no JWT Authentication token on the Subject
   * @throws Exception if an error occurs when accessing the
   *         private credentials in the Subject.
   */
  public static String getJwtFromSubject(Subject subj) throws Exception

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.5. For more information, see 'Recommended Updates for WebSphere Application Server':
  http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Install the fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.8.5 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
  http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
  http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
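The following stand-alone Java program is an added illustration, not IBM or jose4j code, of the failure described under PROBLEM CONCLUSION and of the shape of the fix: a Serializable cache value that references a non-serializable claims object fails Java serialization, which is what replication of a shared DynaCache relies on, while a value that keeps only the token string serializes and can still yield the claims JSON on demand. The `Claims` class is a hypothetical stand-in for org.jose4j.jwt.JwtClaims, `claimsJson()` is a simplified stand-in for what OidcClientHelper.getJwtClaimsAsString does, and the token is constructed and unsigned.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class CacheValueSerializationDemo {
    // Hypothetical stand-in for org.jose4j.jwt.JwtClaims: a parsed-claims holder that is NOT Serializable.
    static final class Claims {
        final String json;
        Claims(String json) { this.json = json; }
    }
    // Before the fix: the cache value is Serializable, but it references the
    // non-serializable claims object, so replication to other cluster members fails.
    static final class SessionDataBefore implements Serializable {
        final Claims claims;
        SessionDataBefore(Claims claims) { this.claims = claims; }
    }
    // After the fix: only the JWT string is kept; claims are decoded on demand.
    static final class SessionDataAfter implements Serializable {
        final String jwt;
        SessionDataAfter(String jwt) { this.jwt = jwt; }
        // Simplified stand-in for OidcClientHelper.getJwtClaimsAsString: base64url-decode
        // the payload segment. No signature check here; the TAI already verified the token.
        String claimsJson() {
            String payload = jwt.split("\\.")[1];
            return new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
        }
    }

    // The requirement a shared DynaCache imposes on cache values: Java serialization must succeed.
    static String tryReplicate(Object cacheValue) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(cacheValue);
            return "replicated";
        } catch (IOException e) { // NotSerializableException is a subclass of IOException
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample token (header.payload.dummy-signature); the payload is the
        // claims JSON quoted in the OidcClientHelper Javadoc above.
        String claims = "{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"admin\":true,\"exp\":1588806453}";
        String payload = Base64.getUrlEncoder().withoutPadding().encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        String jwt = "eyJhbGciOiJSUzI1NiJ9." + payload + ".c2ln";
        System.out.println(tryReplicate(new SessionDataBefore(new Claims(claims))));
        System.out.println(tryReplicate(new SessionDataAfter(jwt)));
        System.out.println(new SessionDataAfter(jwt).claimsJson());
    }
}
```

The first line printed names the nested `Claims` class in a NotSerializableException, the same class of failure DYNA0052E reports for org.jose4j.jwt.JwtClaims; the second reports success, and the third recovers the claims JSON from the stored token string.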