Fix (APAR): PI55697 Status: Fix Release: 8.0.0.12,8.0.0.11,8.0.0.10 Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows,z/OS Supersedes Fixes: PI25298 PI33449 PI37687 PI47460 PI52604 PI56331 PI59831 CMVC Defect: xxxxxx Byte size of APAR: 8719141 Date: 2016-05-26 Abstract: openid connect relying party: no entry in cache for stateid Description/symptom of problem: PI55697 resolves the following problem: ERROR DESCRIPTION: OpenID Connect Relying Party: No entry in cache for stateid happens in a cluster environment. LOCAL FIX: None PROBLEM SUMMARY USERS AFFECTED: Administrators of IBM WebSphere Application Server and OpenID Connect PROBLEM DESCRIPTION: CWTAI2007E OpenID Connect error may occur in a cluster environment RECOMMENDATION: Install a fix pack that contains this APAR. When a resource is protected by the OpenID Connect Relying Party TAI in a cluster environment, an error like the following may occur during login: [1/4/16 14:05:21:107 CET] 00000057 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: TheOpenID Connect replying party (RP) encountered a failure during the login. The exception is [No entry in cache for stateid: [6r0sco232ft5cstviumgm6i8fe]. Check the logs for details that lead to this exception. PROBLEM CONCLUSION: When a request is made to a resource producted by the OpenID Connect Relying Party TAI, a login is initiated to the OpenID Connect Provider (OP). After login, the OP sends a response back to the TAI. Before login, the TAI saves state information about the login request in a cache using the 6r0sco232ft5cstviumgm6i8fe as the key. When the response is received from the OP, the TAI retrieves the request information from the cache. In a cluster environment, when the OP responds, the individual cluster member that receives the response is indeterminate. If the cluster member that retrieved the response is not the member that cached the login request, the CWTAI2007E error will occur. This issue can normally be resolved by using session affinity. However, if you are using some front-end application to load balance the cluster member resources, using session affinity won't work. The OpenID Connect TAI is updated in the following ways: 1) The dynacache put is set to PUSH 2) The session data that is stored in the cache is added to the request sent to the OP so that any cluster member that receives the response from the OP has access to it. This means that if a server that receives the response cannot find the key in the cache, it can find the information it needs from the response. The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.13 and 8.5.5.10. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980 Keywords: IBMWL3WSS, OIDC Directions to apply fix: Fix applies to Editions: Release 8.0 _x_ Application Server (Express or BASE) _x_ Network Deployment (ND) __ Edge Components __ Developer Install Fix to all WebSphere installations unless special instructions are included below. Special Instructions: None NOTE: The user must: * Logged in with the same authority level when unpacking a fix, fix pack or refresh pack. * Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required. The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes. http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp. Shutdown WebSphere Application Server before applying the iFixes. Restart WebSphere Application Server after applying the iFixes. Directions to remove fix: The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes. http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp. Shutdown WebSphere Application Server before removing the iFixes. Restart WebSphere Application Server after removing the iFixes. Directions to re-apply fix: 1) Shutdown WebSphere Application Server. 2) Follow the Fix instructions to apply the fix. 3) Restart WebSphere Application Server. Additional Information: