Question & Answer
Question
How do I determine which client is causing the SECJ0371W message?
Cause
SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Fri Mar 15 22:16:00 UTC 2019, current Date: Fri Mar 15 22:18:35 UTC 2019.
Answer
LTPA (Lightweight Third Party Authentication) is the default single sign-on mechanism for WebSphere Application Server. LTPA tokens expire by design. When a client presents an expired token while accessing a protected resource, the request is treated as unauthenticated and the SECJ0371W warning is logged. Most SECJ0371W messages are harmless (a user whose session simply aged out) and can be safely ignored. If the frequency of the messages makes the logs difficult to read, you can increase the LTPA token timeout or suppress the message entirely by setting the custom security property com.ibm.websphere.security.ltpa.disableSECJ0371W to true. Note that suppressing the message only stops the logging; tokens still expire and clients are still denied. Also note that raising the token timeout lengthens the window in which a captured LTPA cookie remains usable, so it should not be raised just to quiet the log. Before silencing the message it is worth checking whether the expired tokens come from one client that keeps replaying a stale cookie rather than from normal session aging. The following procedures will assist you in identifying the client which sent an expired LTPA token.
- Identify host/port of a client
To identify a client which sent an expired LTPAToken, the security auditing function can be used. Refer to the IBM YouTube video on enabling and configuring security auditing for instructions.
Here is sample output from the default binary audit log, decoded to text (for example with the wsadmin binaryAuditLogReader command):
Seq = 17 | Event Type = SECURITY_AUTHN | Outcome = UNSUCCESSFUL | OutcomeReason = DENIED | OutcomeReasonCode = 15 | SessionId = 6zDVDmGObEPAjtTFIouIbT- | RemoteHost = 1.1.1.1 | RemoteAddr = 1.1.1.1 | RemotePort = 44708 | ProgName = /snoop | Action = webAuth | AppUserName = /UNAUTHENTICATED | ResourceName = GET | RegistryUserName = null | AccessDecision = denied | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Mar 15 22:18:36 UTC 2019 | GlobalInstanceId = 0 | EventTrailId = null | FirstCaller = /UNAUTHENTICATED | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | AuthnType = challengeResponse | Provider = WebSphere | ProviderStatus = providerSuccess
Correlate the timestamp of the SECJ0371W message observed in the WebSphere log with the corresponding audit entry: look for a SECURITY_AUTHN event with Outcome = UNSUCCESSFUL whose CreationTime is within a second or so of the warning (in the samples above the warning is at 22:18:35 and the audit record at 22:18:36). Once the audit entry is located, the client information can be found in the RemoteHost, RemoteAddr and RemotePort keys. If requests reach the server through a web server plug-in, proxy or load balancer, these keys identify that intermediary rather than the end user's machine, and you will need the intermediary's access log to go one hop further.
- Identify a user
To identify the user of an expired LTPAToken, enable the following trace specification:
*=info:com.ibm.ws.security.ltpa.LTPAToken2=all
This trace option logs the contents of the LTPAToken2 cookie, so the SECJ0371W message is extended with the token attributes (username, hostname and port of the server that issued the token). Because the trace writes user identities to the trace log, enable it only for the duration of the investigation and protect the resulting log files. The following shows sample output:
[3/15/19 22:18:35:895 UTC] 00000090 LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Fri Mar 15 22:16:00 UTC 2019, current Date: Fri Mar 15 22:18:35 UTC 2019 Token attributes: port=8878, username=user:defaultWIMFileBasedRealm/uid=testuser,o=defaultWIMFileBasedRealm, hostname=server1.. This warning might indicate expected behavior. Please refer to technote at http://www-01.ibm.com/support/docview.wss?uid=swg21594981. To discontinue logging of this message, see property com.ibm.websphere.security.ltpa.disableSECJ0371W description.
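The two procedures above are a manual join between two logs: match each SECJ0371W warning in SystemOut.log with the failed SECURITY_AUTHN audit record created moments later, then read the host and port from the audit record and, if the LTPAToken2 trace is on, the username from the token attributes. The following Python script automates that join. It is an added example and not part of the IBM technote or of the WebSphere product; it assumes both logs use the timestamp layouts shown on this page and the same time zone, that the binary audit log has already been decoded to one " | "-separated record per line, and that a 5-second window is wide enough to pair a warning with its audit record. The log lines embedded in it are constructed from the samples on this page.

```python
"""Correlate SECJ0371W warnings with WebSphere security-audit records.

Added example, not from the IBM technote. Assumptions: SystemOut.log lines
start with "[M/D/YY HH:MM:SS:mmm ZONE]", audit records are " | "-separated
"key = value" pairs with a CreationTime like "Fri Mar 15 22:18:36 UTC 2019",
and both logs share one time zone (zone names are ignored when parsing).
"""
import re
from datetime import datetime, timedelta

WAS_LINE = re.compile(r"^\[(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}):\d{3} [A-Za-z]+\]")
# Present only when the com.ibm.ws.security.ltpa.LTPAToken2 trace is enabled.
TOKEN_ATTRS = re.compile(r"Token attributes: (.*?)(?: This warning|$)")
AUDIT_TIME = re.compile(r"^(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})$")

# Constructed sample input, modelled on the samples in the technote.
SYSTEM_OUT = """\
[3/15/19 22:18:35:895 UTC] 00000090 LTPAServerObj W   SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Fri Mar 15 22:16:00 UTC 2019, current Date: Fri Mar 15 22:18:35 UTC 2019 Token attributes: port=8878, username=user:defaultWIMFileBasedRealm/uid=testuser,o=defaultWIMFileBasedRealm, hostname=server1.. This warning might indicate expected behavior.
[3/15/19 22:40:02:101 UTC] 00000091 LTPAServerObj W   SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Fri Mar 15 22:30:00 UTC 2019, current Date: Fri Mar 15 22:40:02 UTC 2019. This warning might indicate expected behavior.
"""

AUDIT_LOG = """\
Seq = 17 | Event Type = SECURITY_AUTHN | Outcome = UNSUCCESSFUL | OutcomeReason = DENIED | OutcomeReasonCode = 15 | RemoteHost = 1.1.1.1 | RemoteAddr = 1.1.1.1 | RemotePort = 44708 | ProgName = /snoop | Action = webAuth | AppUserName = /UNAUTHENTICATED | CreationTime = Fri Mar 15 22:18:36 UTC 2019
Seq = 18 | Event Type = SECURITY_AUTHN | Outcome = SUCCESS | RemoteHost = 10.0.0.5 | RemoteAddr = 10.0.0.5 | RemotePort = 50001 | ProgName = /snoop | Action = webAuth | CreationTime = Fri Mar 15 22:18:37 UTC 2019
Seq = 19 | Event Type = SECURITY_AUTHN | Outcome = UNSUCCESSFUL | OutcomeReason = DENIED | RemoteHost = 192.0.2.9 | RemoteAddr = 192.0.2.9 | RemotePort = 39211 | ProgName = /app | Action = webAuth | CreationTime = Fri Mar 15 22:40:03 UTC 2019
"""


def parse_secj0371w(text):
    """Return [(timestamp, attrs)] for each SECJ0371W line.

    attrs is empty unless the trace appended "Token attributes: ..."."""
    hits = []
    for line in text.splitlines():
        if "SECJ0371W" not in line:
            continue
        m = WAS_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        attrs = {}
        a = TOKEN_ATTRS.search(line)
        if a:
            # Attributes are ", "-separated; the username DN contains bare commas,
            # so split on comma-space only and on the first "=" of each pair.
            for pair in a.group(1).rstrip(".").split(", "):
                key, _, value = pair.partition("=")
                attrs[key.strip()] = value.strip()
        hits.append((ts, attrs))
    return hits


def parse_audit(text):
    """Return one dict per audit record, with CreationTime parsed into "_time"."""
    records = []
    for line in text.splitlines():
        if " | " not in line:
            continue
        rec = {}
        for field in line.split(" | "):
            key, _, value = field.partition(" = ")
            rec[key.strip()] = value.strip()
        m = AUDIT_TIME.match(rec.get("CreationTime", ""))
        if not m:
            continue
        rec["_time"] = datetime.strptime(m.group(1) + " " + m.group(2), "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records


def correlate(system_out, audit_log, window_seconds=5):
    """For each SECJ0371W, list the failed SECURITY_AUTHN records within the window."""
    window = timedelta(seconds=window_seconds)
    audit = parse_audit(audit_log)
    results = []
    for ts, attrs in parse_secj0371w(system_out):
        clients = [
            (r["RemoteHost"], r["RemoteAddr"], r["RemotePort"], r.get("ProgName"))
            for r in audit
            if r.get("Event Type") == "SECURITY_AUTHN"
            and r.get("Outcome") == "UNSUCCESSFUL"
            and abs(r["_time"] - ts) <= window
        ]
        results.append({"warning_time": ts, "username": attrs.get("username"), "clients": clients})
    return results


if __name__ == "__main__":
    for hit in correlate(SYSTEM_OUT, AUDIT_LOG):
        print(hit["warning_time"], "user:", hit["username"] or "(enable LTPAToken2 trace)",
              "clients:", hit["clients"])
```

Run against real logs by reading SystemOut.log and the decoded audit output into the two arguments of correlate(). A warning that matches more than one audit record in the window is ambiguous; narrow the window or add the ProgName (the URI requested) to the join before acting on the result, and remember that RemoteAddr is the TCP peer, which may be a proxy.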
Product: WebSphere Application Server (Base; Network Deployment), versions 9.0 and 8.5. Component: Security. Platforms: AIX, HP-UX, Linux, Solaris, Windows.
Product Synonym
tWAS; WAS; WSAS
Document Information
Modified date:
15 March 2019
UID
swg21594981