IBM Support

PI78336: WebSphere Application Server OpenID connect Relying Party jndiCacheName Property does not work

Fixes are available

9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The OpenId Connect (OIDC) Relying Party (RP) does not have
    a means for changing the jndi name of the cache instance it
    uses to store OIDC session data.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OpenID Connect Relying TAI is not   *
    *                      honoring the jndiCacheName property.    *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OpenID Connect Relying Party Trust Association Interceptor
    is not honoring the jndiCacheName property.  The TAI reads the
    property, but always uses a DynaCache DistributedMap instead
    of the specified JNDI cache.
    

Problem conclusion

  • The OpenID Connect TAI is updated so that it honors the value
    specified for the jndiCacheName property.
    
    In order for your named JNDI cache to be used, DynaCache must
    be enabled on the application server and the cache must be
    available to the naming service at the time the first request
    is made to the OpenID Connect TAI.
    
    Here are some warnings that you may receive when attempting to
    use the jndiCacheName property:
    
    =================
    CWTAI2034W: The JNDI Cache name [services/cache/myCache] that
    is specified on the OpenID Connect custom property
    [jndiCacheName] does not appear to be accessible at this time
    [javax.naming.NameNotFoundException: Context:
    vmCell02/nodes/vmNode02/servers/server1, name:
    services/cache/myCache: First component in name myCache not
    found.]. The OIDC RP will continue to initialize because the
    cache may become available at a later time.  The OIDC RP will
    attempt to access the JNDI cache again when the first request
    is received.  If the JNDI cache is not available at that time,
    the RP will revert to using an alternate caching method
    instead of the JNDI cache requested.
    
    Explanation: During initialization, the OIDC TAI was unable to
    access the configured JNDI cache.  If the cache is not
    available by the time the OIDC must put an entry in the cache,
    the OIDC TAI will create a DynaCache DistributedMap to ensure
    that requests will be processed.
    
    Action: Ensure that your named JNDI cache is available to the
    application server on which the OIDC TAI resides before the
    OIDC TAI starts receiving requests.
    
    =================
    CWTAI2035W: A JNDI Cache name [services/cache/myCache] was
    specified on the OpenID Connect custom property
    [jndiCacheName] but DynaCache does not appear to be enabled on
    the application server.  The OIDC RP will continue to
    initialize.  The OIDC RP will attempt to access DynaCache
    again when the first request is received.  If DynaCache is not
    available at that time, the RP will revert to using an
    alternate caching method instead of the JNDI cache requested.
    
    Explanation: DynaCache was not available to the OIDC TAI
    during initialization.  If the DynaCache is not available by
    the time the OIDC must put an entry in the cache, the OIDC TAI
    will create a local map to ensure that requests will be
    processed.
    
    Action: Ensure that DynaCache is enabled and your named JNDI
    cache is available on the application server on which the OIDC
    TAI resides before the OIDC TAI starts receiving requests.
    
    =================
    CWTAI2037W: The OpenID Connect relying party (RP) is unable to
    use the JNDI cache [services/cache/myCache] that was specified
    on the OpenID Connect custom property [jndiCacheName]. An
    alternate caching method will be used. [CWTAI2038I: DynaCache
    is not active on the application server.]
    
    Explanation: The OIDC TAI is not able to use the named JNDI
    cache.  The reason is shown after the message.
    
    Action: See the action for the message appended to this one.
    
    =================
    CWTAI2038I: DynaCache is not active on the application server.
    
    Explanation: The dynamic cache service (DynaCache) is not
    enabled on this application server.  DynaCache is enabled on
    application servers by default.  If DynaCache is not enabled,
    it has been disabled on purpose.  Take care when deciding if
    you want to turn DynaCache back on.
    
    Action: Enable DynaCache on the application server if you want
    to use a named JNDI cache.
    
    =================
    CWTAI2039I: Unable to locate the JNDI cache
    [services/cache/myCache]. javax.naming.NameNotFoundException:
    Context:
    vmCell02/nodes/vmNode02/servers/server1, name:
    services/cache/myCache: First component in name myCache not
    found.
    
    Explanation: The OIDC TAI was unable to access the named JNDI
    cache.  The cause of this issue is appended to this message.
    
    Action: Ensure that the named JNDI cache is available when the
    OIDC TAI must put an entry in the cache.  See the user action
    for the message appended to this one.
    
    =================
    Additional updates made on this APAR:
    
    The definition of the clusterCaching property is updated to
    better account for the use of the jndiCacheName property:
    
    clusterCaching
    Default value: true
    
    Set this property to false if you want each cluster member to
    maintain their own session cache.  If DynaCache is enabled on
    the server, it will always be used for cache management, but
    if this property is set to false, session data will not be
    shared among cluster members.  When cluster caching is turned
    on, the number of cache entries is shared among all cluster
    members.  When cluster caching is turned off, each cluster
    member can store up to the maximum number of entries. The
    value for this property is ignored if a value is specified for
    the jndiCacheName property.
    
    =================
    The sessionCacheSize property is updated to allow you to set
    the size of the session cache when the cache is managed by
    DynaCache.  Previously, this property only applied when a
    local cache was in use.  The new definition of the
    sessionCacheSize property is:
    
    sessionCacheSize
    Default values: -1/10000
    Minimum value: 1
    
    Specifies the size of the cache the OpenID Connect RP uses for
    session data. When DynaCache is enabled on the server: 1) the
    default value is [-1], 2) setting the value to [-1] will make
    the OIDC TAI inherit the active DynaCache default maximum
    cache size, 3) when the cache limit is reached, old entries are
    evicted from the cache by DynaCache to add new entries. When
    DynaCache is not enabled on the server: 1) the default value
    is [10000], 2) if [-1] is specified, the value will revert to
    the non-DynaCache default: [10000], 3) when the cache limit is
    reached, all subsequent requests to the RP are rejected with
    an HTTP response code 503 (service unavailable) and the
    application server cannot take new requests until sessions
    that time out are removed from the cache.
    
    =================
    An alternate value of -1 is added to the maxStateCacheSize
    property.
    
    maxStateCacheSize
    Default value: 10000
    Minimum value: 25
    Alternate value: -1 (use active DynaCache default maximum)
    Alternate value: 0 (off)
    
    Maximum number of state objects that can be in the local state
    cache. Setting the value to 0 (zero) turns off the local state
    cache.  Setting the value to -1 will make the OIDC TAI inherit
    the active DynaCache default maximum cache size.  When
    DynaCache is not enabled on the application server, if -1 is
    specified, this property will revert to its default.
    
    
    
    =================
    The explanation and user action for the message CWTAI2009I is
    updated:
    
    CWTAI2009I: The OpenID Connect relying party (RP) did not find
    an entry for session cookie {0} in the Session cache.
    
    Explanation: The request received by the OpenID Connect
    relying party (RP) had a session cookie in it, but a
    corresponding entry for that cookie was not found in the
    session cache.  Possible causes for this are 1) you are
    running in a cluster environment, you do not have session
    affinity and not enough time has elapsed for DynaCache to
    replicate across the cluster, 2) you are running in a cluster
    environment and the volume of active users is causing OIDC
    sessions to be evicted from DynaCache.
    
    Action: You can do the following to resolve this problem: 1)
    If you are running in a cluster environment, enable session
    affinity, then set -clusterCaching=false, 2) Create a custom
    JNDI cache definition to tailor the behavior of the TAI's
    session cache and provide its name on the -jndiCacheName TAI
    custom property, 3) Remove the OIDC class,
    com.ibm.ws.security.oidc.client.RelyingParty, from the base
    security custom property
    com.ibm.websphere.security.InvokeTAIbeforeSSO.  Refer to the
    'Configuring an OpenID Connect Relying Party' article in the
    Knowledge Center for the ramifications of this action.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.0.0.14, 8.5.5.12, and 9.0.0.4.  Please refer to
    the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI78336

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-03-16

  • Closed date

    2017-05-04

  • Last modified date

    2017-05-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
03 December 2021