IBM Support

PI82342: EACH ORB/EJB REQUEST IS MAKING 3 LDAP SEARCH REQUESTS


APAR status

  • Closed as program error.

Error description

  • This APAR provides an option to look up the Authentication Cache with
    the username mapped from the certificate.

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server who configured certificate           *
    *                  authentication                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: This apar provides an option to         *
    *                      perform Authentication Cache lookup     *
    *                      with the username mapped from           *
    *                      certificate.                            *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    By default, WebSphere does not perform an Authentication Cache
    lookup with the certificate object for certificate login. This is
    because a new certificate object is created for each login, so
    no cache hit is expected anyway.
    The initial certificate login triggers multiple user registry
    lookups in order to:
    1. Validate the username that is parsed from the certificate
    2. Confirm the user is unique in the registry
    3. Look up the groups the user belongs to.
    For web login, an LTPA token is created and returned in the HTTP
    response to the browser. Subsequent requests get an
    authentication cache hit through the LTPA token lookup.
    However, for EJB/ORB login there is no mechanism to return an
    LTPA token, so each subsequent certificate login still requires
    multiple user registry accesses.
    This APAR introduces an option for WebSphere to perform the auth
    cache lookup by parsing the certificate object, mapping it to a
    username, and then looking up the authentication cache with
    the mapped username.
    For EJB/ORB certificate login, when the same set of certificates
    is expected to be used for authentication, this option increases
    the chance of a cache hit and helps improve performance.
    For web certificate login, or when new certificates are expected
    to arrive most of the time, this option does not make much
    difference.
    

Problem conclusion

  • This APAR introduces an option to look up the Authentication
    Cache with the username mapped from the certificate.  See the
    "Problem details" section for further information.
    
    To enable this option, set the following security custom property
    to true.
    ---------------------------------
    Custom property:
      com.ibm.websphere.security.cert.authCache.lookup
    Value:
      true  (enables this APAR)
      false (default)
    ----------------------------------
    
    Note: When the option is enabled, changes in the user registry
    are not reflected until the cached authentication entries
    time out.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.13 and 9.0.0.5.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
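The following is an added illustration, not IBM's code: a small Python model of the behaviour the Problem summary and the Note describe. A constructed registry counts searches, `cert_login` runs the three lookups unless the username-keyed cache hits, and `groups_seen_after_change` shows the caveat that a registry change is only seen once the cached entry times out. The certificate-to-username mapping (subject DN), the TTL and the user names are assumptions.

```python
# Constructed stand-in for the user registry (LDAP in the APAR's scenario);
# every method is one registry search and bumps the counter.
class UserRegistry:
    def __init__(self, users):
        self.users = users            # username -> set of group names
        self.searches = 0
    def validate(self, name):         # 1. does the parsed username exist?
        self.searches += 1
        return name in self.users
    def is_unique(self, name):        # 2. exactly one entry (none duplicated here)
        self.searches += 1
        return name in self.users
    def groups(self, name):           # 3. group memberships
        self.searches += 1
        return set(self.users[name])

def cert_login(cert, registry, cache, ttl, cert_cache_lookup, now):
    """One ORB/EJB certificate login; cert is a constructed dict and the
    certificate-to-username mapping is assumed to be its subject DN."""
    username = cert["subject_dn"]
    if cert_cache_lookup:             # authCache.lookup=true: key by mapped username
        item = cache.get(username)    # cache: username -> (expires_at, subject)
        if item and now < item[0]:
            return item[1]
    # Default path: the cache is keyed by the certificate object, which is new
    # on every login, so there is never a hit and all three searches run.
    if not (registry.validate(username) and registry.is_unique(username)):
        raise PermissionError("certificate maps to no unique registry user")
    subject = {"user": username, "groups": registry.groups(username)}
    cache[username] = (now + ttl, subject)
    return subject

def searches_for(n_requests, cert_cache_lookup, ttl=600.0):
    """Registry searches issued by n logins with the same certificate."""
    registry = UserRegistry({"uid=alice,o=example": {"staff"}})
    cache, cert = {}, {"subject_dn": "uid=alice,o=example"}
    for i in range(n_requests):
        cert_login(cert, registry, cache, ttl, cert_cache_lookup, now=float(i))
    return registry.searches

def groups_seen_after_change(ttl=600.0):
    """APAR caveat: a registry change is invisible until the cached entry expires."""
    registry = UserRegistry({"uid=alice,o=example": {"staff"}})
    cache, cert = {}, {"subject_dn": "uid=alice,o=example"}
    cert_login(cert, registry, cache, ttl, True, now=0.0)
    registry.users["uid=alice,o=example"] = {"staff", "admins"}   # group added
    before = cert_login(cert, registry, cache, ttl, True, now=ttl / 2)["groups"]
    after = cert_login(cert, registry, cache, ttl, True, now=ttl + 1)["groups"]
    return before, after
```

With the option off, ten back-to-back logins cost thirty searches; with it on, only the first login touches the registry, and a group added afterwards is not visible until the entry expires.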

Temporary fix

Comments

APAR Information

  • APAR number

    PI82342

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-05-31

  • Closed date

    2017-07-14

  • Last modified date

    2017-07-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
18 October 2021