A fix is available
APAR status
Closed as program error.
Error description
The OIDC session cache timeout is not set properly when initial login is via introspection. When OIDC initial login is via introspection, its session cache entry is never removed from the cache. The session cache timeout should the value for the provider_(id).sessionCacheTimeoutMinutes property, or the access token timeout if the provider_(id).sessionCacheTimeoutMinutes property is not specified.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: IBM WebSphere Application Server and the * * OIDC * * TAI * **************************************************************** * PROBLEM DESCRIPTION: When OIDC RP initial login is via * * introspection, its session cache entry * * is * * never removed from the cache * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix for this * * APAR * **************************************************************** The OIDC relying party (RP) session cache timeout is not set properly when initial login is via introspection. When initial login is via introspection, its session cache entry is never removed from the cache.
Problem conclusion
When the OIDC RP initial login is via introspection, the session cache timeout is always being set to zero and therefore the entry never expires and is never removed from the cache. The OIDC RP Trust Association Interceptor (TAI) is updated so that the session cache timeout is set properly when initial logi is via introspection. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.21 and 9.0.5.10. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH39847
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-08-13
Closed date
2021-09-07
Last modified date
2021-09-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
06 December 2021