A fix is available
APAR status
Closed as program error.
Error description
In a cluster environment, the OpenID Connect (OIDC) TAI may redirect back to the OpenID provider (OP) after successful login.

You can see this error in SystemOut.log:

CWTAI2009I: The OpenID Connect relying party (RP) did not find an entry for session cookie OIDCSESSIONID_client1

In an OIDC trace, you will see:

[9/1/20 10:04:25:153 UTC] 000000ce DynaCacheUtil 3 getCache() returns [not null]
[9/1/20 10:04:25:156 UTC] 000000ce SystemErr R java.lang.ClassNotFoundException: org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server and OpenID Connect                    *
****************************************************************
* PROBLEM DESCRIPTION: The OIDC TAI may redirect back to the   *
*                      OP after successful login in a cluster  *
*                      environment                             *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
*                 contains this APAR.                          *
****************************************************************

When the OpenID Connect (OIDC) relying party (RP) Trust Association Interceptor (TAI) is used in a cluster environment and more than one cluster member is active, after a user logs in to an OpenID provider (OP), they may be redirected back to the OP to log in again.

The following entry can be found in an OIDC trace when you have this issue:

[9/1/20 10:04:25:156 UTC] 000000ce SystemErr R java.lang.ClassNotFoundException: org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap
Problem conclusion
The OIDC TAI stores the data for a user login in a SessionData object in DynaCache. This SessionData object contains a Map of the claims in the idToken that was returned from the OP after login. The Map that is stored in the SessionData object is obtained from a jose4j JwtClaims object. If the Map contains embedded Maps, the jose4j code creates them as org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap objects.

The DynaCache component can serialize the DupeKeyDisallowingLinkedHashMap object, but because the OIDC runtime does not expose the jose4j classes, the DynaCache component cannot deserialize it. The DynaCache component only attempts to serialize and deserialize entries in the cache when running in a cluster with more than one active cluster member, which is why the problem appears only in that configuration.

The OIDC TAI is updated to ensure that the SessionData object stored in DynaCache does not include any org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap objects; they are converted to java.util.LinkedHashMap objects.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.19 and 9.0.5.6. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
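The following is an added illustration of the mechanism described above and is not IBM's or jose4j's code. It uses a constructed VendorMap class to stand in for the jose4j map type, deep-copies a claims map into plain java.util.LinkedHashMap/ArrayList objects (the conversion the fix performs), and simulates a cluster member whose cache deserializer cannot see the vendor class.

```java
import java.io.*;
import java.util.*;

public class ClaimsMapSanitizer {

    // Constructed stand-in for org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap.
    static class VendorMap extends LinkedHashMap<String, Object> {}

    // Recursively copy a claims map so only java.util.LinkedHashMap and ArrayList
    // appear in the result; nested maps (e.g. address) and lists (e.g. aud) are handled.
    static Object toPlainJavaUtil(Object value) {
        if (value instanceof Map) {
            LinkedHashMap<String, Object> copy = new LinkedHashMap<>();
            for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
                copy.put(String.valueOf(e.getKey()), toPlainJavaUtil(e.getValue()));
            }
            return copy;
        }
        if (value instanceof List) {
            ArrayList<Object> copy = new ArrayList<>();
            for (Object item : (List<?>) value) copy.add(toPlainJavaUtil(item));
            return copy;
        }
        return value; // String, Number, Boolean, null pass through unchanged
    }

    // Serialize, then deserialize through a stream that refuses to resolve VendorMap,
    // mimicking a cluster member whose cache classloader lacks the jose4j classes.
    static Object roundTripWithoutVendorClass(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray())) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
                if (d.getName().equals(VendorMap.class.getName())) throw new ClassNotFoundException(d.getName());
                return super.resolveClass(d);
            }
        }) { return in.readObject(); }
    }

    public static void main(String[] args) throws Exception {
        VendorMap claims = new VendorMap();              // constructed idToken claims
        claims.put("sub", "user1");
        VendorMap address = new VendorMap();             // embedded map, the failing case
        address.put("country", "US");
        claims.put("address", address);
        claims.put("aud", new ArrayList<>(Arrays.asList("client1")));
        try { roundTripWithoutVendorClass(claims); }
        catch (ClassNotFoundException e) { System.out.println("unconverted map fails: " + e); }
        System.out.println("converted map round-trips: " + roundTripWithoutVendorClass(toPlainJavaUtil(claims)));
    }
}
```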
Temporary fix
Comments
APAR Information
APAR number
PH29099
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-09-02
Closed date
2020-09-18
Last modified date
2020-09-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021