IBM Support

PH37872: LTPA TOKEN GETTING REFRESHED USING THE CUSTOM CACHEKEY INSTEAD HAVING TO RELOGIN


APAR status

  • Closed as new function.

Error description

  • The customer is getting the following error:
    
    com.ibm.websphere.security.auth.WSLoginFailedException:
    Credential or Subject has expired, must login again.
    
    but wants the LTPA token to be refreshed using the custom
    CacheKey instead of having to re-login.
    
    That functionality is implemented in this APAR.
    
    The following custom property must be set to false (server
    restart needed):
    
    com.ibm.websphere.security.useCachedSubjectForCustomToken=false
    
    To set the security custom property, use the administrative
    console. Click Security > Global security > Custom properties.
    Then click New to add a new custom property and its associated
    value.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  The users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  who handle LtpaToken in their               *
    *                  applications                                *
    ****************************************************************
    * PROBLEM DESCRIPTION: This APAR introduces an option to skip  *
    *                      some LtpaToken condition checks.        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When WebSphere sends a request to another server, it performs
    the following two checks on the LtpaToken that is sent with the
    request.
    (1) The LtpaToken has sufficient time (longer than the Ltpa
    cushion time) until it expires. This ensures that the request
    will be processed successfully. If the token does not have
    enough lifetime, the server throws WSLoginFailedException.
    (2) The LtpaToken does not contain the custom cache key. If the
    LtpaToken contains the cache key, the server throws
    WSLoginFailedException as the target server does not have a way
    to reconstruct the custom Subject.
    This APAR introduced an option to skip the above two checks.
    It is for advanced application developers who would like more
    control over the LtpaToken handling.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PH37872

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-06-04

  • Closed date

    2021-09-22

  • Last modified date

    2021-09-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
02 November 2021