IBM Support

PH41453: API requester requests cannot reuse JWTs with jti claims because the JWTs are not cached.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as unreproducible in next release.

Error description

  • When an authentication server is set up to limit the number of
calls a client can make in a given time period to request a JWT,
the first request succeeds but subsequent requests fail to get a
JWT until the time period has expired.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All users of z/OS Connect EE V3.0 API        *
*                 requesters with JWTs containing a jti claim  *
*                 obtained from an authorization server.       *
****************************************************************
* PROBLEM DESCRIPTION: API requester requests cannot reuse     *
*                      JWTs with jti claims because the JWTs   *
*                      are not cached.                         *
****************************************************************
z/OS Connect EE did not cache JWTs that contained a jti claim.
This caused z/OS Connect EE to request a new JWT from the
authorization server for each request. The authorization server
was configured to limit the rate at which it would issue JWTs
for the same client. This resulted in API requester requests
failing because they could not get a JWT until the time period
had expired.

    



Problem conclusion


    

  • 



Temporary fix


    

  • 



Comments


    

  • z/OS Connect EE has been changed to allow caching of JWTs with a
jti claim by setting the new cacheTokensWithJti attribute on the
zosconnect_authToken element to true. The default setting of
cacheTokensWithJti is false.

The fix for this APAR is expected to be delivered by the PTF for
z/OS Connect EE V3.0.51.0 (PH41351).

    



APAR Information




    

  • APAR number
    PH41453
    • 

  • Reported component name
    Z/OS CONNECT EE
    • 

  • Reported component ID
    5655CE300
    • 

  • Reported release
    000
    • 

  • Status
    CLOSED  UR1
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2021-10-20
    • 

  • Closed date
    2021-11-10
    • 

  • Last modified date
    2021-11-10
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    Z/OS CONNECT EE
    • 

  • Fixed component ID
    5655CE300
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB35","label":"Mainframe SW"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSNPJM","label":"IBM z\/OS Connect"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.0"}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            14 February 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback