IBM Support

LTPA Token Expiration Warning Message (SECJ0371W): Additional Information

Question & Answer


Question

How to determine the client that is causing the SECJ0371W message?

Cause

SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Fri Mar 15 22:16:00 UTC 2019, current Date: Fri Mar 15 22:18:35 UTC 2019.

Answer

LTPA (Lightweight Third Party Authentication) is the default single-sign-on implementation for the WebSphere product. LTPA tokens expire by design. When a client attempts to access a protected resource with an expired token, an informational message is logged. Most SECJ0371W messages are harmless, and can be safely ignored. If the frequency of the messages makes the logs difficult to read, you can remedy the situation by increasing the token timeout or by disabling the message entirely by setting com.ibm.websphere.security.ltpa.disableSECJ0371W to true. However, the following procedures will assist you in identifying the client which sent an expired LTPA Token.
  1. Identify host/port of a client

    To identify a client which sent an expired LTPAToken, the security auditing function can be used. Please refer to the following YouTube video for instruction on enabling and configuring security auditing.

    Here is the sample output of default binary audit:

    Seq = 17 | Event Type = SECURITY_AUTHN | Outcome = UNSUCCESSFUL | OutcomeReason = DENIED | OutcomeReasonCode = 15 | SessionId = 6zDVDmGObEPAjtTFIouIbT- | RemoteHost = 1.1.1.1 | RemoteAddr = 1.1.1.1 | RemotePort = 44708 | ProgName = /snoop | Action = webAuth | AppUserName = /UNAUTHENTICATED | ResourceName = GET | RegistryUserName = null | AccessDecision = denied | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Mar 15 22:18:36 UTC 2019 | GlobalInstanceId = 0 | EventTrailId = null | FirstCaller = /UNAUTHENTICATED | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | AuthnType = challengeResponse | Provider = WebSphere | ProviderStatus = providerSuccess

    Correlate the timestamp of the SECJ0371W  message observed in the WebSphere log with the corresponding entry in the audit log. Once the audit entry is located, the client information can be found in keys of RemoteHost, RemoteAddr and RemotePort.
     
  2. Identify a user

    To identify a user of an expired LTPAToken, the following trace specification needs to be enabled.

    *=info:com.ibm.ws.security.ltpa.LTPAToken2=all
    This trace option logs contents of LTPAToken2 cookie, the following shows you a sample output:

    [3/15/19 22:18:35:895 UTC] 00000090 LTPAServerObj W   SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Fri Mar 15 22:16:00 UTC 2019, current Date: Fri Mar 15 22:18:35 UTC 2019 Token attributes:  port=8878, username=user:defaultWIMFileBasedRealm/uid=testuser,o=defaultWIMFileBasedRealm, hostname=server1.. This warning might indicate expected behavior. Please refer to technote at http://www-01.ibm.com/support/docview.wss?uid=swg21594981. To discontinue logging of this message, see property com.ibm.websphere.security.ltpa.disableSECJ0371W description.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0;8.5","Edition":"Base;Network Deployment","Line of Business":{"code":"LOB15","label":"Integration"}}]

Product Synonym

tWAS; WAS; WSAS

Document Information

Modified date:
15 March 2019

UID

swg21594981