Fixes are available
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
9.0.5.6: WebSphere Application Server traditional Version 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
The OpenID Connect (OIDC) Relying Party (RP) does not have a means for changing the JNDI name of the cache instance it uses to store OIDC session data.
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server users of    *
* OpenID Connect                                                *
****************************************************************
* PROBLEM DESCRIPTION: The OpenID Connect Relying Party TAI is *
* not honoring the jndiCacheName property.                     *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that        *
* contains this APAR.                                           *
****************************************************************
The OpenID Connect Relying Party Trust Association Interceptor (TAI) is not honoring the jndiCacheName property. The TAI reads the property, but always uses a DynaCache DistributedMap instead of the specified JNDI cache.
Problem conclusion
The OpenID Connect TAI is updated so that it honors the value specified for the jndiCacheName property. In order for your named JNDI cache to be used, DynaCache must be enabled on the application server and the cache must be available to the naming service at the time the first request is made to the OpenID Connect TAI.

Here are some warnings that you may receive when attempting to use the jndiCacheName property:

=================
CWTAI2034W: The JNDI Cache name [services/cache/myCache] that is specified on the OpenID Connect custom property [jndiCacheName] does not appear to be accessible at this time [javax.naming.NameNotFoundException: Context: vmCell02/nodes/vmNode02/servers/server1, name: services/cache/myCache: First component in name myCache not found.]. The OIDC RP will continue to initialize because the cache may become available at a later time. The OIDC RP will attempt to access the JNDI cache again when the first request is received. If the JNDI cache is not available at that time, the RP will revert to using an alternate caching method instead of the JNDI cache requested.
Explanation: During initialization, the OIDC TAI was unable to access the configured JNDI cache. If the cache is not available by the time the OIDC TAI must put an entry in the cache, the OIDC TAI will create a DynaCache DistributedMap to ensure that requests will be processed.
Action: Ensure that your named JNDI cache is available to the application server on which the OIDC TAI resides before the OIDC TAI starts receiving requests.
=================
CWTAI2035W: A JNDI Cache name [services/cache/myCache] was specified on the OpenID Connect custom property [jndiCacheName] but DynaCache does not appear to be enabled on the application server. The OIDC RP will continue to initialize. The OIDC RP will attempt to access DynaCache again when the first request is received. If DynaCache is not available at that time, the RP will revert to using an alternate caching method instead of the JNDI cache requested.
Explanation: DynaCache was not available to the OIDC TAI during initialization. If DynaCache is not available by the time the OIDC TAI must put an entry in the cache, the OIDC TAI will create a local map to ensure that requests will be processed.
Action: Ensure that DynaCache is enabled and your named JNDI cache is available on the application server on which the OIDC TAI resides before the OIDC TAI starts receiving requests.
=================
CWTAI2037W: The OpenID Connect relying party (RP) is unable to use the JNDI cache [services/cache/myCache] that was specified on the OpenID Connect custom property [jndiCacheName]. An alternate caching method will be used. [CWTAI2038I: DynaCache is not active on the application server.]
Explanation: The OIDC TAI is not able to use the named JNDI cache. The reason is shown after the message.
Action: See the action for the message appended to this one.
=================
CWTAI2038I: DynaCache is not active on the application server.
Explanation: The dynamic cache service (DynaCache) is not enabled on this application server. DynaCache is enabled on application servers by default. If DynaCache is not enabled, it has been disabled on purpose. Take care when deciding if you want to turn DynaCache back on.
Action: Enable DynaCache on the application server if you want to use a named JNDI cache.
=================
CWTAI2039I: Unable to locate the JNDI cache [services/cache/myCache]. javax.naming.NameNotFoundException: Context: vmCell02/nodes/vmNode02/servers/server1, name: services/cache/myCache: First component in name myCache not found.
Explanation: The OIDC TAI was unable to access the named JNDI cache. The cause of this issue is appended to this message.
Action: Ensure that the named JNDI cache is available when the OIDC TAI must put an entry in the cache. See the user action for the message appended to this one.
=================

Additional updates made on this APAR:

The definition of the clusterCaching property is updated to better account for the use of the jndiCacheName property:

clusterCaching
Default value: true
Set this property to false if you want each cluster member to maintain its own session cache. If DynaCache is enabled on the server, it will always be used for cache management, but if this property is set to false, session data will not be shared among cluster members. When cluster caching is turned on, the number of cache entries is shared among all cluster members. When cluster caching is turned off, each cluster member can store up to the maximum number of entries. The value for this property is ignored if a value is specified for the jndiCacheName property.

=================

The sessionCacheSize property is updated to allow you to set the size of the session cache when the cache is managed by DynaCache. Previously, this property only applied when a local cache was in use. The new definition of the sessionCacheSize property is:

sessionCacheSize
Default values: -1/10000
Minimum value: 1
Specifies the size of the cache the OpenID Connect RP uses for session data.
When DynaCache is enabled on the server:
1) the default value is [-1],
2) setting the value to [-1] will make the OIDC TAI inherit the active DynaCache default maximum cache size,
3) when the cache limit is reached, old entries are evicted from the cache by DynaCache to add new entries.
When DynaCache is not enabled on the server:
1) the default value is [10000],
2) if [-1] is specified, the value will revert to the non-DynaCache default: [10000],
3) when the cache limit is reached, all subsequent requests to the RP are rejected with an HTTP response code 503 (service unavailable) and the application server cannot take new requests until sessions that time out are removed from the cache.

=================

An alternate value of -1 is added to the maxStateCacheSize property.

maxStateCacheSize
Default value: 10000
Minimum value: 25
Alternate value: -1 (use active DynaCache default maximum)
Alternate value: 0 (off)
Maximum number of state objects that can be in the local state cache. Setting the value to 0 (zero) turns off the local state cache. Setting the value to -1 will make the OIDC TAI inherit the active DynaCache default maximum cache size. When DynaCache is not enabled on the application server, if -1 is specified, this property will revert to its default.

=================

The explanation and user action for the message CWTAI2009I are updated:

CWTAI2009I: The OpenID Connect relying party (RP) did not find an entry for session cookie {0} in the Session cache.
Explanation: The request received by the OpenID Connect relying party (RP) had a session cookie in it, but a corresponding entry for that cookie was not found in the session cache. Possible causes for this are:
1) you are running in a cluster environment, you do not have session affinity, and not enough time has elapsed for DynaCache to replicate across the cluster,
2) you are running in a cluster environment and the volume of active users is causing OIDC sessions to be evicted from DynaCache.
Action: You can do the following to resolve this problem:
1) If you are running in a cluster environment, enable session affinity, then set -clusterCaching=false,
2) Create a custom JNDI cache definition to tailor the behavior of the TAI's session cache and provide its name on the -jndiCacheName TAI custom property,
3) Remove the OIDC class, com.ibm.ws.security.oidc.client.RelyingParty, from the base security custom property com.ibm.websphere.security.InvokeTAIbeforeSSO. Refer to the 'Configuring an OpenID Connect Relying Party' article in the Knowledge Center for the ramifications of this action.

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.14, 8.5.5.12, and 9.0.0.4.
Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
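An added example, not part of the APAR text or of IBM's product code: a small Python scanner that reads SystemOut.log-style lines for the CWTAI messages documented above and reports whether the RP silently fell back from the configured JNDI cache to its alternate caching method. The log lines, thread IDs and cookie value are constructed; only the message IDs and message text come from the APAR.

```python
import re

# Message IDs documented in APAR PI78336 for the OIDC RP TAI's jndiCacheName handling.
INIT_WARNINGS = {"CWTAI2034W": "JNDI cache not accessible at init",
                 "CWTAI2035W": "DynaCache not enabled at init"}
FALLBACK_ID = "CWTAI2037W"          # RP switched to the alternate caching method
REASON_IDS = {"CWTAI2038I": "DynaCache not active",
              "CWTAI2039I": "JNDI cache not found"}
SESSION_MISS_ID = "CWTAI2009I"      # session cookie present, but no entry in the session cache

MSG_RE = re.compile(r"\b(CWTAI20\d\d[WI])\b")
CACHE_RE = re.compile(r"JNDI [Cc]ache(?: name)? \[([^\]]+)\]")

def scan_oidc_cache_log(lines):
    """Summarise whether the OIDC RP is really using the configured JNDI cache."""
    summary = {"cache_name": None, "init_warnings": [], "fallback": False,
               "fallback_reason": None, "session_misses": 0}
    for line in lines:
        ids = MSG_RE.findall(line)
        if not ids:
            continue
        m = CACHE_RE.search(line)
        if m and summary["cache_name"] is None:
            summary["cache_name"] = m.group(1)   # e.g. services/cache/myCache
        for mid in ids:
            if mid in INIT_WARNINGS:
                summary["init_warnings"].append(mid)
            elif mid == FALLBACK_ID:
                summary["fallback"] = True
                # CWTAI2037W carries its cause as an appended CWTAI2038I/CWTAI2039I message.
                summary["fallback_reason"] = next(
                    (REASON_IDS[r] for r in ids if r in REASON_IDS), "unknown")
            elif mid == SESSION_MISS_ID:
                summary["session_misses"] += 1
    return summary

def using_configured_cache(summary):
    """True only if a JNDI cache name was seen and the RP never reported a fallback."""
    return summary["cache_name"] is not None and not summary["fallback"]

# Constructed sample log lines (not real server output); message text follows the APAR.
SAMPLE_LOG = [
    "[5/4/17 10:00:01:000 EDT] 0000004e RelyingParty  W   CWTAI2035W: A JNDI Cache name [services/cache/myCache] was specified on the OpenID Connect custom property [jndiCacheName] but DynaCache does not appear to be enabled on the application server.",
    "[5/4/17 10:02:17:000 EDT] 00000051 RelyingParty  W   CWTAI2037W: The OpenID Connect relying party (RP) is unable to use the JNDI cache [services/cache/myCache] that was specified on the OpenID Connect custom property [jndiCacheName]. An alternate caching method will be used. [CWTAI2038I: DynaCache is not active on the application server.]",
    "[5/4/17 10:02:18:000 EDT] 00000051 RelyingParty  I   CWTAI2009I: The OpenID Connect relying party (RP) did not find an entry for session cookie abc123 in the Session cache.",
]

if __name__ == "__main__":
    result = scan_oidc_cache_log(SAMPLE_LOG)
    print(result)
    print("configured JNDI cache in use:", using_configured_cache(result))
```

A CWTAI2034W or CWTAI2035W alone only means the cache was missing at startup; CWTAI2037W is the signal that session data is no longer going where you configured it.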
Temporary fix
Comments
APAR Information
APAR number
PI78336
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-03-16
Closed date
2017-05-04
Last modified date
2017-05-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
04 May 2022