IBM Support

JR30018; 6.2.0.0: A LTPA Token Timeout is Observed for SCA Messages

Download


Abstract

TokenExpiredException is thrown by Service Component Architecture (SCA) if messages use LTPA token authentication.

Download Description

JR30018 resolves the following problem:

ERROR DESCRIPTION:
SCA messages use the LTPA token provided by WebSphere Application Server. This token has an expiration time with a default of 2 hours. If a message is processed after the token's lifetime has exceeded the LTPA token timeout value, a TokenExpiredException is observed.

LOCAL FIX:
A local fix is to increase the LTPA token timeout. But be aware that this may lead to security concerns, because the token is also used in other cases, like for browser cookies. All usages of the LTPA token need to be considered and your system needs to be correspondingly hardened.


USERS AFFECTED:
WebSphere Process Server 6.1 and 6.2 users.

PROBLEM DESCRIPTION:
The problem occurs with SCA messages that use LTPA token authentication. Asynchronous SCA messages use the LTPA token provided by WebSphere Application Server to authenticate the messages. The LTPA timeout value is part of the security configuration for WebSphere Application Server, and you can assign it a desired value. The default expiration time is 120 minutes.

For asynchronous messages, there can be situations where messages stay in a queue longer than the LTPA token expiration time. For example, the SCA internal queue can hold asynchronous SCA messages that have not been processed because of high workload, and WebSphere Process Server is then shut down for a long time for maintenance. If this happens, the SCA server cannot process these messages, because the tokens in the messages will have expired by then.

Note:
Timeout leniency is only one option for addressing timeouts. Another option, and the recommended approach, is to assess whether appropriate timeout settings (maxCacheCushion and LTPA token timeout) have been configured and to adjust them accordingly. The technote listed above explains the steps to configure those respective settings.

Apply this interim fix JR30018 and configure the leniency timeout only when you have determined that your timeout settings are properly set as per your internal enterprise security standards and cannot be changed.


RECOMMENDATION:
None

PROBLEM CONCLUSION:
The official fix for JR30018 includes changes to the SCA design that add support for consuming messages even when their LTPA tokens have expired. A new WebSphere variable, TIMEOUTLENIENCY, is introduced to enable this behavior. With this official fix, incoming messages with expired LTPA tokens continue to be processed by SCA within the TIMEOUTLENIENCY window.


Suppose WebSphere Process Server security is enabled and the following configuration is set:
• LTPA Token Timeout = 120 minutes
• SCA Timeout Leniency = 60 minutes
An asynchronous SCA call happens at 12:00, so an asynchronous SCA message is created with an LTPA token created at 12:00. The message remains in the queue because the target service is not available. More than two hours later, at 14:30, the target service is started and resumes processing the asynchronous SCA messages.
• If the official fix JR30018 is not installed, the target issues an LTPA Timeout Exception.
• If the official fix JR30018 is installed, SCA can consume the asynchronous SCA message between 14:30 and 15:00 without an LTPA Timeout Exception (until the leniency time has elapsed).
The leniency time postpones the effective LTPA token timeout: SCA can still process the message within the given leniency time after the LTPA token in the message has expired.

NOTE:
This example represents the "maximum effective expiration possible".

All of the existing old SCA messages that were submitted prior to applying the fix will fail with the LTPA exception. The leniency will not have an effect on the messages submitted prior to applying the fix.

Instructions to apply the official Fix:

  1. Stop WebSphere Process Server or Network Deployment Environment
  2. Launch the UpdateInstaller wizard.
  3. Install the fix in each WebSphere Process Server installation
  4. Start the WebSphere Process Server or cluster
  5. Configure the TIMEOUTLENIENCY
    • Launch the administrative console
    • Environment -> WebSphere Variables -> New
    • Select the desired scope (Cell or Cluster for Network Deployment Environment; Cell, Node or Server for standalone server)
      Name (case sensitive): TIMEOUTLENIENCY
      Value (in minutes): any integer value greater than 0 as desired. This value will determine the time starting from the LTPA expiration, within which the expired tokens will be processed. If an invalid value is input, the fix will not take effect.

Because JR30018 has been integrated into WPS V7, customers do not need to install the JR30018 interim fix for V7. The TIMEOUTLENIENCY configuration steps given here can be applied to V7.

Limits for TIMEOUTLENIENCY value:
For all WPS versions lower than 7.0.0.3, the maximum value of TIMEOUTLENIENCY is 35791 (about 24 days). From 7.0.0.3, the maximum value of TIMEOUTLENIENCY is raised to 2147483647 (more than 100 years).

Note:
This property is required for the fix to work.
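
The acceptance window from the 12:00 example and the TIMEOUTLENIENCY limits above can be modelled as follows. This is an added illustration, not IBM code: the function names, the constructed sample date, and the rule that a value above the version's maximum counts as invalid are assumptions.

```python
from datetime import datetime, timedelta

# Limits stated on this page (minutes).
MAX_BEFORE_7003 = 35791        # WPS versions lower than 7.0.0.3
MAX_FROM_7003 = 2147483647     # WPS 7.0.0.3 and later

T0 = datetime(2009, 3, 17, 12, 0)  # constructed sample: token created at 12:00


def parse_leniency(raw, wps_version):
    """Return TIMEOUTLENIENCY in minutes, or 0 if the value is invalid.

    0 models "the fix will not take effect". Treating a value above the
    version's maximum as invalid is an assumption of this example.
    """
    try:
        minutes = int(str(raw).strip())
    except ValueError:
        return 0
    version = tuple(int(p) for p in wps_version.split("."))
    limit = MAX_FROM_7003 if version >= (7, 0, 0, 3) else MAX_BEFORE_7003
    return minutes if 0 < minutes <= limit else 0


def evaluate(created, processed, timeout_min, leniency_min, after_fix=True):
    """Classify a queued SCA message by the time SCA processes it."""
    expires = created + timedelta(minutes=timeout_min)
    if processed <= expires:
        return "valid"
    # Messages submitted before the fix was applied get no leniency.
    window = timedelta(minutes=leniency_min if after_fix else 0)
    if processed <= expires + window:
        return "accepted-by-leniency"
    return "TokenExpiredException"


def max_effective_minutes(timeout_min, leniency_min):
    """Longest time after creation that a token can still be honoured."""
    return timeout_min + leniency_min


if __name__ == "__main__":
    leniency = parse_leniency("60", "6.2.0.0")
    for hh, mm in [(13, 0), (14, 30), (15, 1)]:
        when = T0.replace(hour=hh, minute=mm)
        print(when.time(), evaluate(T0, when, 120, leniency))
    print("max effective lifetime:", max_effective_minutes(120, leniency), "min")
```

When reviewing a configuration, compare the sum of the LTPA token timeout and TIMEOUTLENIENCY against your token-lifetime policy, since that sum is how long after creation a queued message's token can still be accepted.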


The interim fix introduces a memory leak issue, which is fixed by JR33131. Install JR33131 after applying JR30018. You can download JR33131 for your environment from the following Fix Central links:
http://delivery04.dhe.ibm.com/sar/CMA/WSA/00km3/1/6.2.0.1-WS-WBI-IFJR33131.pak
http://delivery04.dhe.ibm.com/sar/CMA/WSA/00km2/2/6.2.0.0-WS-WBI-IFJR33131.pak
http://delivery04.dhe.ibm.com/sar/CMA/WSA/00ljf/0/6.1.2.3-WS-WBI-IFJR33131.pak
http://delivery04.dhe.ibm.com/sar/CMA/WSA/00km0/2/6.1.2.2-WS-WBI-IFJR33131.pak
http://delivery04.dhe.ibm.com/sar/CMA/WSA/00klz/2/6.1.2.1-WS-WBI-IFJR33131.pak
http://delivery04.dhe.ibm.com/sar/CMA/WSA/00kly/3/6.1.2.0-WS-WBI-IFJR33131.pak
http://delivery04.dhe.ibm.com/sar/CMA/WSA/00klx/1/6.0.2.5-WS-WBI-IFJR33131.pak
http://delivery04.dhe.ibm.com/sar/CMA/WSA/00klw/2/6.0.2.4-WS-WBI-IFJR33131.pak
http://delivery04.dhe.ibm.com/sar/CMA/WSA/00klv/2/6.0.2.3-WS-WBI-IFJR33131.pak

Prerequisites

You must go to the table below to download the required prerequisite interim fixes for your environment. Click on the interim fix in the URL column to download the fix.

Prerequisites for WebSphere Process Server 6.1.0.2:
APAR: JR30018
Prereq APARs: PK74297 (6.1.0.9-WS-WAS-IFPK74297C); JR30708; JR30107; JR30699

Prerequisites for WebSphere Process Server 6.1.2.0:
APAR: JR30018
Prereq APARs: PK74297 (6.1.0.9-WS-WAS-IFPK74297C); JR30708; JR31972

Prerequisites for WebSphere Process Server 6.1.2.1:
APAR: JR30018
Prereq APARs: PK74297 (6.1.0.9-WS-WAS-IFPK74297C)

Prerequisites for WebSphere Process Server 6.1.2.2:
APAR: JR30018
Prereq APARs: PK74297 (6.1.0.9-WS-WAS-IFPK74297C)

Prerequisites for WebSphere Process Server 6.2.0.0:
APAR: JR30018
Prereq APARs: PK74297 (6.1.0.9-WS-WAS-IFPK74297CE)


Installation Instructions

Review the readme.txt for detailed installation instructions.


Technical Support

Contact IBM Support using ESR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Process Server Support Web site (http://www.ibm.com/support/entry/portal/Overview/Software/WebSphere/WebSphere_Process_Server), or contact 1-800-IBM-SERV (U.S. only).


Document Information

Modified date:
15 June 2018

UID

swg24021799