Problem
How should the security cache timeout be set relative to the LTPA token timeout?

Solution
Overview of LTPA Token Expiration
The LTPA token expiration time is set when configuring global security, and the value specified is an absolute value: it determines how long an LTPA token remains valid. Once the token expires, any attempt by the user to access a resource requires re-authentication. Re-authentication does not necessarily mean that the user is challenged again for a userid/password. If the challenge type is Basic Authentication, the browser has cached the userid/password and resubmits it to the server without the user's intervention. In the case of a custom login, the user is redirected to the logon page (not the relogin page) and asked to re-enter the userid/password.
An LTPA token is generated when using the LTPA authentication mechanism.
If the challenge type is Basic, a userid/password is required to
authenticate with an LDAP server after which an LTPA Credential is created
for the user. The LTPA token resides inside the LTPA credential object.
The LTPA token is digitally signed and encrypted and must be validated
each time it is used for resource access.
Overview of Security Cache
The WebSphere security cache follows a mark and sweep algorithm for determining how long an entry stays in the cache hash tables. For each cache type there are two cache tables holding entries, a primary and a secondary cache. In the AdminGUI there is a cache timeout value (default 10 minutes) that sets the interval before a mark and sweep of the cache is triggered. The mark occurs at 1/2 the timeout period, which allows the sweep to occur at approximately the timeout period.
When the cache alarm is triggered, the first thing it does is clear the secondary table, so all entries in the secondary table are gone. After this, it enumerates all entries in the primary table: if an entry is not marked, the cache marks it; if an entry is already marked, the cache moves it to the secondary table. Any time an entry in the cache is used, it is unmarked and placed in the primary table, in effect lengthening the amount of time that object remains in the cache.
The cache timeout value set in the Global Security Settings determines the
frequency of cache refresh. The refresh, as described above, will
determine how often the cache gets purged based on usage frequency.
Setting the values
One should be very careful modifying the Configuration related to
WebSphere AppServer security. Please call WAS Customer Support if you need
help with this. In particular, if you need to modify the timeout settings
for the Security Cache or the LTPA Token, follow these guidelines:
The LTPA token expiration time must be greater than the security cache
timeout. This will prevent the cache from containing an expired token. If
the LTPA token expiration time is set to be less than the security cache
timeout, error messages such as the following will appear in the tracefile
and the application server's standard out file:
[2002-08-04 18:29:41.722], [ServerID: 868610269], [CredentialsImpl.run]: The expiration time for ltpa credentials is too short relative to the ORB request timeout and/or the security cache timeout; a method request could take longer than the period over which the credentials will remain valid, or the credentials could expire while in the server cache.
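The following is an added illustration, not IBM's code: a small model of the two-table mark-and-sweep behaviour described in the security cache overview, together with the guideline that the LTPA expiration must exceed the cache timeout. The class and function names, and the treatment of each alarm as one mark-and-sweep pass, are assumptions made for the example.

```python
# Added example (not WebSphere code): models the primary/secondary security
# cache with mark and sweep, and checks the LTPA-vs-cache timeout guideline.
# SecurityCache, alarm() and validate_timeouts() are illustrative names.

class SecurityCache:
    """Two-table cache: using an entry unmarks it and keeps it in the primary
    table; each alarm marks idle primary entries, demotes already-marked ones
    to the secondary table, and discards the previous secondary table."""

    def __init__(self):
        self.primary = {}    # key -> [value, marked]
        self.secondary = {}  # entries that have gone one full cycle unused

    def put(self, key, value):
        self.secondary.pop(key, None)
        self.primary[key] = [value, False]   # new entries start unmarked

    def get(self, key):
        entry = self.primary.pop(key, None) or self.secondary.pop(key, None)
        if entry is None:
            return None
        entry[1] = False           # use unmarks the entry ...
        self.primary[key] = entry  # ... and returns it to the primary table
        return entry[0]

    def alarm(self):
        """One mark-and-sweep pass, fired at the cache timeout interval."""
        self.secondary.clear()     # everything demoted last time is purged
        for key, entry in list(self.primary.items()):
            if not entry[1]:
                entry[1] = True    # first idle cycle: mark it
            else:
                del self.primary[key]
                self.secondary[key] = entry  # second idle cycle: demote it

    def where(self, key):
        if key in self.primary:
            return "primary"
        if key in self.secondary:
            return "secondary"
        return "evicted"


def validate_timeouts(ltpa_expiration_minutes, cache_timeout_minutes):
    """Technote guideline: the LTPA token expiration must be greater than the
    security cache timeout, or an expired token can remain in the cache."""
    return ltpa_expiration_minutes > cache_timeout_minutes
```

An entry that is never used again survives two alarms (marked, then demoted) and disappears on the third, whereas a token that is reused between alarms stays in the primary table indefinitely.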
The security cache is set as follows:
1. In WebSphere Application Server version 3.5.x, in Global Security
Settings, on the General tab.
2. In WebSphere Application Server version 4.0.x, in the Security Center,
on the General tab.
The LTPA Token Expiration is set as follows:
1. In WebSphere Application Server version 3.5.x, in the Global Security
Settings, on the Authentication Mechanism tab.
2. In WebSphere Application Server version 4.0.x, in the Security Center,
on the Authentication tab.