IBM Support

PH35299: A CUSTOM CACHE KEY IS NOT RETURNED CORRECTLY WHEN THE SUBJECT HAS MORE THAN ONE HASHTABLE IN THE CREDENTIAL

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When the Subject contains two ore more Credentials that are
    hashtables, the custom cache key
    (com.ibm.wsspi.security.cred.cacheKey) may not be retrieved
    correctly. As a result, expected cache hit does not happen
    potentially causing the performance issue.
    
    In the following example,
    there is a public credential
    Public Credential:{com.ibm.wsspi.security.cred.groups=[cn=...]}
    and a private credential
    Private Credential: {com.ibm.wsspi.security.cred..}
    Both are hashtables for WebSphere to construct a custom Subject.
    
    ----------------------------------
    [3/11/21
    10:00:31:938 CET] 0000027b WebCollaborat 3 URI -
    /services/wineandappetizer/.GET is protected
    [3/11/21
    10:00:31:938 CET] 0000027b WebCollaborat 3 Saving previous
    subject Subject:
    Principal: TestUser
    Principal:TestRealm/TestUser
    Public Credential: OIDCAppId = [TestAppId]
    Public Credential:{com.ibm.wsspi.security.cred.groups=[cn=...]}
    Public Credential:
    com.ibm.ws.security.auth.WSCredentialImpl@42fa4a13
    Private
    Credential: {com.ibm.wsspi.security.cred.securityName=TestUser,
    com.ibm.wsspi.security.cred.cacheKey=ROSEXK2V5sVuL6QXENj8Q8BGg4i
    VbMokVo0L+h5WUyE=-2093348853, token_type=,
    access_token=0001e2XwAIwWDuCVf4W7OcsP67PB, id_token=,
    scope=openid offline_access, refresh_token=}
    Private Credential:
    com.ibm.ws.security.token.SingleSignonTokenImpl@9b611478
    Private Credential:
    com.ibm.ws.security.token.AuthenticationTokenImpl@5ab70dbb
    Private Credential:
    com.ibm.ws.security.token.AuthorizationTokenImpl@e39eda60
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  who use custom login module and/or custom   *
    *                  trust association interceptor               *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere may not retrieve the custom   *
    *                      cache key from Subject if the Subject   *
    *                      contains multiple hashtables.           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    WebSphere may not retrieve the custom cache key from Subject if
    the Subject contains multiple hashtables. As a result, cache
    miss
    could lead performance degradation.
    

Problem conclusion

  • The bug was fixed.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.8. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH35299

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-03-12

  • Closed date

    2021-03-23

  • Last modified date

    2021-03-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850"}]

Document Information

Modified date:
24 March 2021