Explanation | Initialization of the Trust Association Interceptor has started. |
Action | None, informational only. |
Explanation | The exception occurred while attempting to run the negotiateValidateandEstablishTrust() operation. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | Initialization of the Trust Association Interceptor has completed. |
Action | None, informational only. |
Explanation | The configuration properties used to initialize the interceptor are not valid. The error condition that caused the failure is indicated. |
Action | Verify and correct the configuration properties. If you are not using the TAI, you can ignore this message. |
Explanation | The token used to authenticate the request is not valid. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | A null string was used as the argument of the init() operation of the HTTPHeaderFilter. |
Action | Correct the filtering rule and restart the application server. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | None, informational only. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | None, informational only. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | None, informational only. |
Explanation | The initialization state of the Trust Association Interceptor is shown. |
Action | None, informational only. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | The TAI property added to the security configuration and its value are shown. |
Action | None, informational only. |
Explanation | The TAI property modified in the security configuration and its current and previous values are shown. |
Action | None, informational only. |
Explanation | The TAI property removed from the security configuration is shown. |
Action | None, informational only. |
Explanation | All TAI properties have been removed from the security configuration. |
Action | None, informational only. |
Explanation | The spnId value must be non-negative. |
Action | Specify a non-negative value for the given spnId. |
Explanation | The specified filter rules are not valid. |
Action | Verify that the filter rules conform to the syntax supported by the default HTTPHeaderFilter class. |
Explanation | A MalformedURLException was encountered while parsing one of the specified URLs. |
Action | Verify that the URL syntax is correct. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: https://ibm.biz/BdztgV; WebSphere Application Server for z/OS Support page: https://ibm.biz/Bdqd4J. |
Explanation | A conversion error occurred while converting the IP string to an IP address. |
Action | Validate the IP string provided. |
Explanation | A bad IP range was specified. The range must contain only wildcards after the first range. |
Action | Ensure everything after the first range specified is a wildcard. |
Explanation | Could not obtain the IP address. |
Action | Validate that the IP address range is specified. |
Explanation | Authentication Error: There is no valid access token. Log in to the OAuth service provider, and try again. |
Action | Log in to the OAuth service provider, and try again. |
Explanation | The custom property string is not formatted correctly. The format must be a comma-separated string of attribute=value pairs; each pair must be in quotes. |
Action | Ensure that the custom property string is formatted correctly. |
Explanation | The security configuration does not exist. |
Action | Run the command with a pre-existing security configuration. |
Explanation | The request failed because the OAuth provider does not exist. |
Action | Check your configuration and make sure that the provider is configured. |
Explanation | The OpenID Connect relying party (RP) could not be initialized correctly because either the mandatory property shown in the message has not been specified or it does not have a value. |
Action | Specify the mandatory property and restart the server. |
Explanation | The OpenID Connect relying party (RP) failed to initialize because the value of the optional property redirectToRPHostAndPort is not valid. The value must be in the format [protocol://host:port]. |
Action | Provide the value for redirectToRPHostAndPort in the correct format. It is an optional property. Restart the server and try again. |
Explanation | The OpenID Connect relying party (RP) failed to initialize because the value of the optional property signatureAlgorithm is not valid or is not currently supported. The value defaults to HS256 if not provided. |
Action | Provide a valid value for signatureAlgorithm. The value defaults to HS256 if not provided. Restart the server and try again. |
Explanation | The OpenID Connect relying party (RP) failed to initialize because the value of the optional property opServerConnectionTimeout is not a valid number. The value defaults to 20000 (20 seconds) if not provided. |
Action | Provide a valid value for opServerConnectionTimeout. The value defaults to 20000 if not provided. Restart the server and try again. |
Explanation | The OpenID Connect relying party (RP) failed to initialize because the property that is specified in the message is encoded by using an encoding algorithm that is not supported. The value can be in plain text or encoded by using the XOR algorithm. |
Action | Provide a valid plain text or XOR encoded value for the property that is specified in the message. |
Explanation | The OpenID Connect relying party (RP) received a callback to an invalid URI during the login sequence, which indicates that it is not configured properly. It could also indicate an inappropriate attempt to access the protected resources. |
Action | No action is expected from the user. This warning has been logged. |
Explanation | The OpenID Connect relying party (RP) encountered a failure during the login sequence. Possible reasons include internal errors, which can be seen in the logs, or a server that is too overloaded to process this flow. |
Action | Turn on trace and retry after some time. If the problem persists, see the problem determination information on the WebSphere Application Server Support web page: https://ibm.biz/BdztgV. |
Explanation | The OpenID Connect relying party (RP) received an error from the OpenID Connect provider (OP) during the login sequence, which indicates that the user was not able to successfully authenticate to the OP. |
Action | This is a user error; the user can attempt to authenticate to the OpenID Connect provider (OP) by using a valid user ID and password. |
Explanation | The request received by the OpenID Connect relying party (RP) had a session cookie in it, but a corresponding entry for that cookie was not found in the session cache. Possible causes for this are: 1) you are running in a cluster environment without session affinity, and not enough time has elapsed for dynacache to replicate across the cluster; 2) you are running in a cluster environment, and the volume of active users is causing OIDC sessions to be evicted from dynacache. |
Action | You can do the following to resolve this problem: 1) If you are running in a cluster environment, enable session affinity, then set -clusterCaching=false. 2) Create a custom JNDI cache definition to tailor the behavior of the TAI's session cache, and provide its name on the -jndiCacheName TAI custom property. 3) Remove the OIDC class, com.ibm.ws.security.oidc.client.RelyingParty, from the base security custom property com.ibm.websphere.security.InvokeTAIbeforeSSO. Refer to the "Configuring an OpenID Connect Relying Party" article in the Knowledge Center for the ramifications of this action. |
Explanation | The OpenID Connect relying party (RP) could not refresh the expired access token. This is not considered a problem, and the flow continues with the assumption that the relying party does have an access token. |
Action | No action is required. |
Explanation | The OpenID Connect relying party (RP) could not authenticate the token using implicit client authentication. The OpenID Connect provider (OP) returned a specific error or an exception was thrown during this authentication. |
Action | Most probable cause of this error was that the OpenID Connect provider (OP) could not authenticate with the token provided. Ensure that the token is correct and try again. |
Explanation | The OpenID Connect relying party (RP) received a bearer token in the Authorization header of the HTTP request, but the token is incorrectly formatted or missing. |
Action | Resend the request in proper format. |
Explanation | The OpenID Connect relying party (RP) failed to authenticate the user by using an access token because of an exception. |
Action | Turn on trace and retry. If the problem persists, see the problem determination information on the WebSphere Application Server Support web page: https://ibm.biz/BdztgV. |
Explanation | The OpenID Connect relying party (RP) failed to initialize because the value of this property is not a valid number. |
Action | Provide a numeric value for this property. Restart the server and try again. |
Explanation | The OpenID Connect relying party (RP) failed to perform authentication because it has reached the maximum capacity of its internal cache. The TAI will respond with HTTP response code 503 (service unavailable) until the cache is made available by the periodic cleanup. |
Action | Adjust the values of the TAI properties [sessionCacheCleanupFrequency] and [sessionCacheSize] to tune the internal cache. Restart the server to load the property updates. |
Explanation | The interceptedPathFilter OpenID Connect (OIDC) relying party (RP) custom property has a value that contains an operator that is not recognized. The operator is displayed in the message. |
Action | Specify a value for the interceptedPathFilter OIDC RP custom property that uses only supported operators: {==, !=, %=, >, <}. |
Explanation | The TAI custom property shown in the message has a value that is not supported by the OpenID Connect RP. The value for the property must be in the format shown. |
Action | Make sure the custom property has a value that is in the format that is supported. |
Explanation | The OpenID Connect RP is configured to use a certificate from the default trust store to verify the signature of the message. The RP was unable to retrieve the certificate from the default trust store. The reason for the error is displayed in the message. For a stand-alone server, the default trust store is the NodeDefaultTrustStore. For a server that is part of a cell, the default trust store is the CellDefaultTrustStore. |
Action | See the user action for the cause of the error displayed in the message. |
Explanation | When you receive this message, the OIDC TAI is using cookies to retrieve the state data for the request, either because the state data was not found in the local cache or because local caching was disabled. The stateId is created by the OIDC TAI when the client makes a request. This stateId is sent to the OP, and the OP returns this stateId to the OIDC TAI. This stateId is used to associate the authentication response from the OP with the client's original request data to the protected resource. This message means that the stateId in the authentication response from the OP is different from the stateId in the OIDC TAI state cookie; therefore, the client's original request data cannot be restored. The most likely cause for this problem is that the client initiated a request to a protected resource and then, before completing the login with the OP, initiated a login to another protected resource, so the cookie written by the first request was overwritten by the second. |
Action | There are several things that you can do about this issue: 1) To ensure that you are more likely to find the state data in the cache, tailor how long the state data remains in the cache using the -maxStateCacheSize and -stateIdTimeoutSeconds properties, 2) Ensure that each login is completed before starting a new one, 3) Ensure that each provider_<id>.clientId property is set to a unique value across all application servers that are running the OIDC TAI, 4) Change the OIDC TAI configuration to use unique cookie names for each request instead of a single cookie name for all requests; you can do this by setting useUniqueStateCookies to true. |
Explanation | The OIDC state cookie holds information about the original request while the user is redirected to the OpenID provider for login. This information includes, but is not limited to, the request method, URI, and parameters. Normally, requests produce cookies that are smaller than 300 bytes. However, if you have requests with very large URIs or many parameters, it is possible that the OIDC runtime could calculate a cookie value that is larger than the maximum cookie size allowed. When this happens, in order for the request to complete successfully, you must be using a state cache in addition to the cookies; this is the default setting. |
Action | Do one of the following: 1) Adjust the maximum state cookie size with the OIDC property -maxStateCookieSize; the maximum value for this property is 4093, which is also the default. 2) Turn off OIDC cookie processing by setting -useStateCookies to false. 3) Reduce the URI and parameter size of the client requests. 4) Ignore the warning. |
Explanation | The OpenID Connect TAI custom properties that are configured may cause problems at run time. The issue found is appended to this message. |
Action | Verify that the custom properties specified for the OpenID Connect RP TAI are correct. If you make adjustments, restart the server and try again. |
Explanation | The OpenID Connect TAI is not configured correctly. The issue found is appended to this message. |
Action | Adjust the custom properties specified for the OpenID Connect RP TAI to meet minimum requirements, restart the server and try again. |
Explanation | The combination of custom properties shown in the message may prevent the OpenID Connect RP from functioning properly. The settings may need to be adjusted. |
Action | See the user action for the message in which this one is embedded. |
Explanation | The combination of custom properties shown in the message may prevent the OpenID Connect RP from functioning properly. The settings may need to be adjusted. |
Action | See the user action for the message in which this one is embedded. |
Explanation | The combination of custom properties shown in the message may prevent the OpenID Connect RP from functioning properly. The settings may need to be adjusted. |
Action | See the user action for the message in which this one is embedded. |
Explanation | This means several things: 1) You have a test fix for an APAR in the OpenID Connect component in WebSphere Application Server installed. 2) The test fix has been classified as "tightly controlled" by IBM WebSphere L3 security support. 3) If you've been given a tightly controlled test fix, WebSphere L3 security support intends for you to install the fix, test it, then immediately uninstall it. 4) If a test fix is tightly controlled, this message will be emitted at the Warning level when the OIDC interceptor is initialized by the Trust Manager. When the fix will stop taking requests is not customizable. 5) When the date/time in the message has passed, RelyingParty.isTargetInterceptor will always return false. This means that resources will no longer be protected by the OIDC TAI. You will get this message each time RelyingParty.isTargetInterceptor is invoked. |
Action | Uninstall the fix as soon as you have completed testing the fix. If the date in the message is in the past, the fix must be removed in order to make the OIDC TAI operational again. If you need more time, you must request a new build of the fix from WebSphere L3 security support. |
Explanation | The custom property shown in the message is set to a value that is less than the minimum value. |
Action | Set the property to a value that is greater than the minimum value. If the parameter is not required, you may also remove the property. Restart the server and try again. |
Explanation | When you receive this message as part of CWTAI2007E, the OIDC TAI is using only local storage for state data with no cookie backup. The stateId is created by the OIDC TAI when the client makes a request. This stateId is sent to the OP, and the OP returns this stateId to the OIDC TAI. This stateId is used to associate the authentication response from the OP with the client's original request data to the protected resource. This message means that the OIDC TAI was unable to retrieve the data for the client's original request from local storage by using the stateId that was returned from the OP. This can be caused by several things: 1) The stateId was created on a different application server. 2) The OP has replayed an authentication response; stateIds can only be used once. 3) stateIdTimeoutSeconds is lower than the number of seconds that the user spent to log in to the OP; the default is 600. 4) maxStateCacheSize is too small for the server's load; the default is 10,000. If you see this message in a log without it being part of a CWTAI2007E error, the OIDC TAI has logged this message before attempting to use the cookie. No action is required in this case unless you also get an error with the cookie. |
Action | If you are running in a cluster environment, ensure that 1) session affinity is enabled and 2) provider_<id>.createSession is set to true if you are using IBM HTTP Server (IHS) as your front end. When both cookies and local state caching are enabled, the TAI uses local storage first, then uses the cookie as a backup. If you receive many of these errors and you have cookies turned off, consider turning cookies back on by setting -useStateCookies=true (the default). If you set -maxStateCookieSize=0, -useStateCookies defaults to false. -maxStateCookieSize defaults to the setting for -maxCookieSize. If you don't want to change your configuration to use state cookies and you are receiving this message many times when users are logging in in a timely manner, use a combination of -maxStateCacheSize and -stateIdTimeoutSeconds that will handle the server's load. |
Explanation | When you get this message, the OIDC TAI was unable to find its state cookie on the HTTP request. When you receive this message as part of CWTAI2007E, the OIDC TAI was unable to retrieve the state information from the local cache, so it must use cookies for state data instead of local storage, and then the state cookie was not found on the HTTP request. The stateId is created by the OIDC TAI when the client makes a request. This stateId is sent to the OP, and the OP returns this stateId to the OIDC TAI. This stateId is used to associate the authentication response from the OP with the client's original request data to the protected resource. This message means that there was either no OIDC state cookie or no data in the OIDC state cookie with which to restore the client's original request data. This problem can occur if 1) your OP redirects back to a hostname that is not exactly the same as the hostname in the original client request, for instance, using an IP address instead of a hostname or a cluster member hostname instead of the general cluster hostname, 2) the end user's login request has timed out, or 3) the following sequence of events occurs on the same browser implementation on the same workstation: a) access to a protected resource is requested, but the login to the OP is not completed, b) you then access and complete the login for the same or another protected resource in the same, or another, WebSphere Application Server instance where the resource is associated with the same OIDC TAI clientId as the first, c) when you go back and complete the login flow for the first request, you get this error because the OIDC cookie was deleted in step b. |
Action | First, make sure that your end users complete the login process within the time frame required by your -stateIdTimeoutSeconds OIDC TAI setting (default=600). Make sure that one login sequence is complete in each browser implementation on a workstation before starting a new one. When both cookies and local state caching are enabled, the TAI uses local storage first, then uses the cookie as a backup. If you receive many of these errors and you have local storage turned off, consider turning local storage back on by setting -maxStateCacheSize to a value other than 0 (zero). If you already have local storage enabled or you do not want to enable local storage, then make sure that the hostname from the user's initial request to the page that the TAI intercepted is the same as the hostname that the OP is redirecting the user back to after the OP login, so that the browser sends the cookie to WebSphere Application Server. If the OP is sending the cookie but the OIDC TAI still isn't receiving it, ensure that your load balancer or proxy server is not stripping off cookies. |
Explanation | The combination of custom properties shown in the message may prevent the OpenID Connect RP from functioning properly. The settings may need to be adjusted. |
Action | See the user action for the message in which this one is embedded. |
Explanation | The custom property shown in the message is set to the value that is defined to mean "use the DynaCache default maximum cache size". Since DynaCache is not enabled on the server, this setting cannot be used. In order to ensure that the OIDC TAI will be operable, the default local cache size shown in the message will be used. |
Action | Do one of the following: 1) Enable DynaCache on the server, 2) Remove the custom property shown in the message, 3) Set the custom property in the message to a different value, or 4) Ignore the warning if you are satisfied with using the default setting. |
Explanation | During initialization, the OIDC TAI was unable to access the configured JNDI cache. If the cache is not available by the time the OIDC TAI must put an entry in the cache, the OIDC TAI will create a DynaCache DistributedMap to ensure that requests will be processed. |
Action | Ensure that your named JNDI cache is available to the application server on which the OIDC TAI resides before the OIDC TAI starts receiving requests. |
Explanation | DynaCache was not available to the OIDC TAI during initialization. If DynaCache is not available by the time the OIDC TAI must put an entry in the cache, the OIDC TAI will create a local map to ensure that requests will be processed. |
Action | Ensure that DynaCache is enabled and your named JNDI cache is available on the application server on which the OIDC TAI resides before the OIDC TAI starts receiving requests. |
Explanation | The OIDC TAI is not able to use the named JNDI cache. The reason is shown after the message. |
Action | See the action for the message appended to this one. |
Explanation | The dynamic cache service (DynaCache) is not enabled on this application server. DynaCache is enabled on application servers by default. If DynaCache is not enabled, it has been disabled on purpose. Take care when deciding if you want to turn DynaCache back on. |
Action | Enable DynaCache on the application server if you want to use a named JNDI cache. |
Explanation | The OIDC TAI was unable to access the named JNDI cache. The cause of this issue is appended to this message. |
Action | Ensure that the named JNDI cache is available when the OIDC TAI must put an entry in the cache. See the user action for the message appended to this one. |
Explanation | The custom property shown in the message is set to a value that is greater than the maximum value. |
Action | Set the property to a value that is less than or equal to the maximum value. If the parameter is not required, you may also remove the property. Restart the server and try again. |
Explanation | The custom property shown in the message is set to a value that is only allowed when the dynamic cache service is available on the application server, but the dynamic cache service is not available. |
Action | Do at least one of the following actions: 1) enable the dynamic cache service, 2) set the property to a different value that is in the valid range or 3) remove the property. Restart the server and try again. |
Explanation | The OpenID Connect (OIDC) TAI requires that the application server be running with Java version 7 or later. The OpenID Connect TAI cannot intercept requests when the application server is running with Java version 6. |
Action | Install Java version 7 and configure the application server to use it. |
Explanation | The OpenID Connect (OIDC) TAI requires that the application server be running with Java version 7 or later. The OpenID Connect TAI cannot intercept requests because it cannot determine what version the application server is running. The java.specification.version system property must exist and be a value that is 1.7 or higher. |
Action | Check the value of the java.specification.version system property in the message. |
Explanation | The OpenID Connect (OIDC) TAI requires that the application server be running with Java version 7 or later. The OpenID Connect TAI cannot intercept requests because it cannot determine what version the application server is running. The java.specification.version system property must exist and be a value that is 1.7 or higher. |
Action | Check the value of the java.specification.version system property in the message. |
Explanation | To perform authentication, a JWT must be included in the Authorization header by using the Bearer authorization scheme. |
Action | Ensure that a JWT is included in the Authorization header of the request. |
Explanation | The provided JWT does not contain the specified claim. The runtime cannot continue with the authentication process. |
Action | Do at least one of the following actions: 1) Verify that the OpenID Connect TAI custom property specifies the correct claim name. 2) Ensure that the JWT is created with the specified claim. |
Explanation | A signing key could not be found, or a key that uses the configured signature algorithm could not be found. This missing key could be due to missing, malformed, or inaccurate information in the OIDC TAI configuration or the JSON Web Token. |
Action | Do one of the following actions: 1) If you are using a JSON Web Key (JWK) to sign and validate tokens, ensure that the [jwkEndpointUrl] OIDC TAI property is configured properly and that the JWT and JWK claims are correct. 2) If you use X.509 certificates to sign and validate tokens, ensure that the [signVerifyAlias] property is configured properly. 3) If you use shared keys to sign and validate tokens, ensure that the [clientSecret] property is configured properly. |
Explanation | An error occurred while processing the signature of the provided token string. |
Action | See the user action for the error specified in the message. Verify that the token was signed with the correct signature algorithm and key. |
Explanation | The JSON Web Token (JWT) expiration time must be set to either the current time or a time in the future. A time in the past was specified. |
Action | Set the token expiration time to the current time or a time in the future. |
Explanation | A token is valid only if its [iat] claim specifies a time in the past. The [iat] claim of the provided token is a time in the future. The token is not yet valid. |
Action | Wait until after the time specified in the [iat] claim before using this token or obtain a new token with an [iat] value that specifies a date in the past. |
Explanation | The provided token includes a [jti] claim that uniquely identifies the token. Another token with the same [iss] value and [jti] value was previously received and processed. Duplicate claims might indicate a possible replay attack. |
Action | Make sure that the token issuer provides a new token with a unique [jti] claim. |
Explanation | Retrieving the JWK through the indicated URL failed. The status code and content of the response are also displayed in the error message. |
Action | Ensure that the network is set up properly. Verify the JWK URL in the OIDC TAI configuration. |
Explanation | An error occurred when the OIDC TAI attempted to obtain the JWK through the indicated URL. The reason for the error is shown in the message. |
Action | Ensure that the network is set up properly. Verify the JWK URL in the OIDC TAI configuration. |
Explanation | The iss claim in the JWT must be in the list of trusted issuers that is configured in the provider_(id).issuerIdentifier property in the OIDC TAI configuration. This property helps ensure that you process tokens only from trusted issuers. |
Action | See the action for the error message that is referenced in this message. |
Explanation | The OIDC TAI configuration specifies which audiences are trusted when you validate JWTs. Because the token is not configured for a trusted audience, it cannot be validated. |
Action | Take one of the following actions: 1) Obtain a new token that is configured for one of the trusted audiences that is specified in your OIDC TAI configuration. 2) Add the audience that is specified in the JWT as a trusted audience in your OIDC TAI configuration. The [provider_<id>.audiences] OIDC TAI property is a comma-separated list of trusted audiences. 3) Set the [provider_<id>.audiences] OIDC TAI property to the ALL_AUDIENCES value. |
Explanation | The token is not valid because it was issued after its own expiration date. |
Action | Obtain a new token with a valid [iat] claim that specifies a time earlier than the time specified by the [exp] claim. |
Explanation | Tokens that are expired or do not specify an [exp] claim are not valid. |
Action | Obtain a new token that contains an [exp] claim and is not expired. Synchronize the clock times between the token issuer and the consumer, or increase the clock skew in your OIDC TAI configuration. |
Explanation | The token has an [nbf] (not-before) claim that specifies a time when the token becomes valid. The current time is before the [nbf] time, so the token is not yet valid. |
Action | Wait until after the time specified by the [nbf] claim before you use this token, or obtain a new token with an [nbf] claim set to a time before the current time. Synchronize the clock times between the token issuer and the consumer, or increase the clock skew in your OIDC TAI configuration. |
Explanation | Tokens are required to be signed by the algorithm specified in the message. Tokens that are signed with any other signature algorithm cannot be validated. |
Action | Obtain a new token that is signed by using the required algorithm specified in the message, or update your OIDC TAI configuration to allow tokens that are signed by using the other signature algorithm. |
Explanation | The provided JWT cannot be verified because the [iss] claim in the JWT is not in the list of allowed issuers. Therefore, the runtime cannot continue with the authentication process. The OIDC TAI property and the list of allowed issuers are shown in the message. |
Action | Verify that the OIDC TAI property shown in the message contains the value for the [iss] claim in the JWT. |
Explanation | The OpenID Connect relying party (RP) failed to initialize because the value of the optional property in the message is not valid or is not currently supported. The supported values are shown in the message. |
Action | Provide a supported value for the property shown in the message, restart the server, and try again. |
Explanation | The OIDC TAI is not able to make a request to the provider. The reason is shown after the message. |
Action | See the action for the message that is appended to this one. |
Explanation | The OIDC TAI must use the WebSphere SSL socket factory to make a secure connection to a provider. The OIDC TAI cannot obtain the WebSphere SSL socket factory if the default SSL socket factory is set to a different socket factory in the java.security file or by an application. |
Action | Check if the ssl.SocketFactory.provider and ssl.ServerSocketFactory.provider properties in the java.security file are set to anything other than com.ibm.websphere.ssl.protocol.SSLSocketFactory. Check if any applications set these two properties to anything other than com.ibm.websphere.ssl.protocol.SSLSocketFactory. |
Explanation | The OIDC TAI is not able to obtain an SSL socket factory for connection to the provider. The reason is shown after the message. |
Action | See the action for the message that is appended to this one. |
Explanation | The iss claim in the ID token must match the value for the provider_(id).issuerIdentifier property in the OIDC TAI configuration to ensure that you only process tokens from trusted issuers. |
Action | Do one of the following steps: 1) Update the provider_(id).issuerIdentifier property to match the iss claim in the ID token. 2) Investigate why you are receiving ID tokens from your OpenID provider with an unexpected iss claim. |
Explanation | When performing JWT authentication and the value of the provider_(id).verifyIssuerInIat property is false, the iss claim must not be present in the JWT. |
Action | Either obtain a new token that does not contain the iss claim, or change the value for the provider_(id).verifyIssuerInIat property to true. |
Explanation | An OIDC ID token must contain an iat (issued at) claim. |
Action | Obtain a valid token from the OpenID Connect provider. |
Explanation | The audience in the ID token must match the client ID. In this case, the (aud) audience in the ID token does not match the client ID, so the ID token did not validate. |
Action | Make sure that the value for the [provider_(id).clientId] property specified in OIDC TAI configuration is correct. The value is case-sensitive. |
Explanation | The authorized party in the ID token must match the client ID. In this case, the (azp) authorized party in the ID token does not match the client ID, so the ID token did not validate. |
Action | Make sure that the [provider_(id).clientId] property that is specified in OIDC TAI configuration is correct. The value is case-sensitive. |
Explanation | The OIDC TAI is configured with the provider_(id).audiences property to trust certain audiences, so tokens must contain an aud claim. The aud claim in the token must also match one of the audiences that are configured to be trusted by the TAI in the provider_(id).audiences property. |
Action | Make sure the token that is provided to your OpenID Connect client contains an aud claim. If you do not wish to validate token audiences, remove the provider_(id).audiences property from your OIDC TAI configuration. |
Explanation | The runtime is unable to verify a JWT. The reason for the error is provided in the message. |
Action | See the action for the error message that is referenced in this message. |
Explanation | The runtime must have an issuer that is available to verify a JWT. The JWT has no "iss" claim and a default issuer was not provided to the method as a parameter. |
Action | Take one of the following actions: 1) Obtain a new token that includes an "iss" claim. 2) Provide a default issuer parameter to the method. |
Explanation | A method that requires an OIDC TAI configuration cannot find an OIDC TAI configuration entry by using the information that was provided to the method. |
Action | Take one of the following actions: 1) Make sure that an OIDC TAI configuration entry exists with an issuer that matches the "iss" claim in the JWT. 2) Provide a default issuer parameter to the method that matches an issuer in the OIDC TAI configuration. 3) Make sure that only one OIDC TAI configuration entry for the issuer has the provider_(id).useIssuer property set to true, which is the default for that property. 4) Use a JWT verification method that does not require the issuer to be in the OIDC TAI configuration. |
Explanation | The iss claim in the JWT must match the issuer of the OP. |
Action | Take one of the following actions: 1) Investigate why you received a JWT from your OpenID provider with an unexpected iss claim. 2) Remove the iss claim from the JWT. |
Explanation | The token has an nbf (not-before) claim that specifies a time when the token becomes valid. The current time is before the nbf time, so the token is not yet valid. |
Action | Take one or more of the following actions: 1) Wait until after the time that is specified by the nbf claim to use this token. 2) Obtain a new token with an nbf claim that is set to a time before the current time. 3) Synchronize the clock times between the token issuer and the consumer. |
Explanation | The OIDC TAI cannot decrypt a JWT or ID token. |
Action | See the action for the error message that is referenced in this message. |
Explanation | The OIDC TAI received an encrypted token. Either the TAI is not configured to decrypt tokens, or an error occurred when the TAI attempted to load the key. |
Action | Check the OIDC TAI configuration. Verify that the properties that are specified in the message are present and that the values are correct. |
Explanation | The OIDC TAI was able to decrypt an encrypted JWT. To complete the processing, a JsonWebEncryption part is required in the token, but it is not present. |
Action | Ensure that the JWTs sent to the OIDC TAI contain the JsonWebEncryption part and the JsonWebSignature part. |
Explanation | The TAI received an error when decoding the XOR-encoded value for the property specified in the message. |
Action | Refer to the action part of the referenced message for the actions to perform. |
Explanation | The token on the authorization header of the HTTP request appears to be an encrypted JWT, but the OIDC TAI is not configured to process encrypted JWTs. |
Action | If you want to process encrypted JWTs, ensure that you configure the OIDC TAI properties correctly, as specified in the message. |
Explanation | OpenID Connect RP requests require the nonce to be handled properly during the request flow to mitigate replay attacks. The nonce that is included in the token does not match the nonce that is associated with this request, therefore the request is not valid. |
Action | Ensure that the OpenID Connect provider generates tokens using the nonce that is specified in the initial OpenID Connect client request. |
Explanation | The OIDC TAI cannot load the keystore specified in the message. |
Action | See the action for the error message that is referenced in this message. |
Explanation | An error occurred when the OIDC TAI attempted to retrieve a decrypting key for an alias from the identified keystore. Any encrypted JWTs that the TAI receives are rejected. |
Action | See the action for the error message that is referenced in this message. |
Explanation | An error occurred when the OIDC TAI attempted to retrieve a decrypting key for an alias from the identified keystore. |
Action | See the action for the error message that is referenced in this message. |
Explanation | The entry type for a decrypting key for an alias in a keystore must be KeyEntry or SecretKeyEntry. |
Action | In the keystore identified in the provider_<id>.keyStore property, ensure that the entry for the alias specified in the provider_<id>.decryptingAlias OIDC TAI property has the entry type KeyEntry or SecretKeyEntry. |
Explanation | The OpenID Connect relying party (RP) cannot validate the ID token successfully. This might have been caused by a failure in the validation of required claims. Some of the required ID token claims include issuer, audience, and issued time. |
Action | Ensure that the OpenID Connect client (RP) system clock is synchronized with the OpenID Connect provider (OP) system clock if they are on two different systems. Also see the user action for the error that appears after this error. |
Explanation | The OIDC TAI cannot validate the JSON Web Token. This might have been caused by a failure while validating required claims. Some of the JSON Web Token required claims include issuer, audience, and issued time. |
Action | See the user action for the error that appears in the message. |
Explanation | The OpenID Connect relying party (RP) cannot validate the response from the endpoint that is shown in the message. The reason is shown after the message. |
Action | See the action for the error message that is referenced in this message. |
Explanation | The OIDC TAI received a response that is not in JSON format from an endpoint that is required to respond with a JSON string. |
Action | Perform the following actions: 1) Make sure that you set the correct endpoint in the OIDC TAI properties. 2) Make sure that your OpenID provider returns a value that is a valid JSON string. |
Explanation | The value for the sub claim in the ID token and UserInfo response must match. |
Action | Make sure that the sub claim for the ID token matches the sub claim for the UserInfo response. Alternatively, you can set the OIDC property provider_(id).userinfoEndpointEnabled to false to prevent the TAI from retrieving the UserInfo information. |
Explanation | The ID token and UserInfo response must have sub claims with matching values. |
Action | Make sure that the UserInfo response contains a sub claim and that it matches the sub claim in the ID token. Alternatively, you can set the OIDC property provider_(id).userinfoEndpointEnabled to false to prevent the TAI from retrieving the UserInfo information. |
Explanation | The ID token and UserInfo response must have sub claims with matching values. |
Action | Make sure that the ID token contains a sub claim and that it matches the sub claim in the UserInfo response. Alternatively, you can set the OIDC property provider_(id).userinfoEndpointEnabled to false to prevent the TAI from retrieving the UserInfo information. |
Explanation | The OIDC TAI configuration includes both the custom properties that are shown in the message. These properties cannot be configured together. |
Action | Update your OIDC TAI configuration to include either of the properties that are shown in the message, but not both properties. |
Explanation | The value for the property that is shown in the message is a list. The list includes a value that is not supported. |
Action | Update your OIDC TAI configuration to remove the unsupported value from the list. |
Explanation | The OpenID Connect provider configuration that is shown in the message is missing properties that are required for the OIDC TAI to process HTTP requests. At least one of the properties that is shown in the message is required. This error prevents the TAI from processing requests for a specific provider configuration but does not prevent the OIDC TAI from processing requests for provider configurations that load successfully. |
Action | Add one or more of the missing properties to the OIDC TAI provider configuration that is shown in the message. Consult the OIDC TAI documentation for the description of each property. |
Explanation | The OpenID Connect configuration is missing properties that are required for the OIDC TAI to process HTTP requests. At least one of the properties that is shown in the message is required. |
Action | Add one or more of the missing properties to the OIDC TAI configuration. Consult the OIDC TAI documentation for the description of each property. |
Explanation | A conversion error occurred while converting the IP string to an IP address. |
Action | Validate the IP string provided. |
Explanation | The OIDC TAI uses the scheme://host:port part of the inbound request to construct the callback URL to send to the OpenID provider (OP). If the scheme is not HTTP or HTTPS, the OP cannot redirect the request back to the WebSphere server. |
Action | Either protect only requests that include the HTTP or HTTPS scheme or configure the provider_<id>.redirectToRPHostAndPort OIDC TAI property to override the scheme://host:port part of the callback URL. |
Explanation | The OIDC TAI cannot load the method from the class that is identified in the message. The reason for this inability to load the method is displayed after the message. |
Action | See the action for the error that appears after this message. |
Explanation | The OIDC TAI attempted, but failed, to apply the SameSite attribute to the cookie that is displayed in the message. The reason for this failure is displayed after the message. |
Action | See the action for the error message that appears after this message. |
Explanation | The OIDC TAI attempted, but failed, to apply the SameSite attribute string to the JavaScript that is displayed in the message. The reason for this failure is displayed after the message. |
Action | See the action for the error message that appears after this message. |
Explanation | The OIDC TAI failed to evaluate the value for the JWT claim that is displayed in the message. The reason for this failure is displayed after the message. |
Action | See the action for the error message that appears after this message. |
Explanation | The OIDC TAI attempted, but failed, to retrieve the SessionData object from DynaCache by using the alias that is displayed in the message. The reason for this failure is displayed after the message. |
Action | See the action for the error message that appears after this message. |
Explanation | The OIDC TAI configuration contains more than one provider that has the provider_(id).grantType property set to the same value. The first provider identified with the provider_(id).grantType value is used, and the remaining are ignored. |
Action | Update the OIDC TAI configuration to include only one provider with the provider_(id).grantType property set to the value that is displayed in the message. |
Explanation | The OIDC TAI configuration includes a provider that has the provider_(id).grantType property set to the value all, and the configuration also contains another provider with the provider_(id).grantType property set to either client_credentials or password. |
Action | Either remove the provider with provider_(id).grantType=all, or remove the provider with the provider_(id).grantType property set to any other value. |
Explanation | The OIDC TAI cannot extract claims from the id_token. Either there are no claims in the id_token or the id_token is improperly formatted. |
Action | Make sure that your id_token has claims and that they are formatted correctly. |
Explanation | At least one of the claims that is shown in the message must be present in the JWT. |
Action | Make sure that your JWT has at least one of the claims that is shown in the message. |
Explanation | The OIDC TAI cannot obtain the claim that is shown in the message from the JWT. The reason is shown after the message. |
Action | See the action for the error message that is referenced in this message. |
Explanation | The iss claim in the JWT must be in the list of trusted issuers that is configured in the provider_(id).issuerIdentifier property in the OIDC TAI configuration. The provider_(id).issuerIdentifier property ensures that you process tokens from only trusted issuers. |
Action | Take one of the following actions: 1) Update the value for the provider_(id).issuerIdentifier property to include the value for the iss claim in the JWT. 2) Ensure that your OpenID provider sends a JWT that includes an iss claim whose value is in the list of trusted issuers. |
Explanation | The SAML web inbound TAI could not be initialized because either the required property shown in the message has not been specified or it does not have a value. |
Action | Specify the property in the message, restart the server and try again. |
Explanation | The SAML web inbound TAI failed to initialize because the signatureAlgorithm property is set to a value that is not supported. The value defaults to SHA128 if not specified. |
Action | Either provide a valid value for the signatureAlgorithm property or remove the property, then restart the server and try again. |
Explanation | The SAML Assertion received by the SAML web inbound Trust Association Interceptor (TAI) could not be decoded. The reason for the decoding failure is shown in the message. |
Action | See the user action for the error embedded in this message. If the SAML Assertion in the inbound request is compressed in gzip format, make sure that the compressedHeader TAI property is set to true. |
Explanation | The SAML web inbound Trust Association Interceptor (TAI) expects the RSA-SHA256 signature algorithm, but the SAML Assertion was signed using the RSA-SHA1 signature algorithm. |
Action | Check the value of the signatureAlgorithm TAI custom property and if it is set to SHA256, make sure the SAML Assertion in the inbound request is signed using the RSA-SHA256 signature algorithm. |
Explanation | The validation of the SAML Assertion failed because none of the audience URIs specified by the SAML web inbound Trust Association Interceptor custom property audiences were found in the intended list of audiences in the SAML Assertion. |
Action | Check the value of the SAML web inbound Trust Association Interceptor custom property audiences and make sure it matches the list of audience URIs specified by the <AudienceRestriction> element in the SAML Assertion. |
Explanation | The SAML web inbound TAI was not able to find the user name due to one of the following: 1) the NameID element is missing from the assertion, 2) the Attribute element configured to obtain the user name is not present in the assertion, 3) the attribute configured to obtain the user name does not have a value, 4) the attribute configured to obtain the user name has more than one value. |
Action | See the user action for the error that appears after this message. |
Explanation | The SAML web inbound TAI was not able to find the realm name due to one of the following: 1) the Issuer element is missing from the assertion, 2) the Attribute element configured to obtain the realm name is not present in the assertion, 3) the attribute configured to obtain the realm name does not have a value, 4) the attribute configured to obtain the realm name has more than one value. |
Action | See the user action for the error that appears after this message. |
Explanation | The SAML web inbound TAI was not able to find the unique identity due to one of the following: 1) the NameID element is missing from the assertion, 2) the Attribute element configured to obtain the unique identity is not present in the assertion, 3) the attribute configured to obtain the unique identity does not have a value, 4) the attribute configured to obtain the unique identity has more than one value. |
Action | See the user action for the error that appears after this message. |
Explanation | The SAML web inbound TAI configuration contains the property name and value pair shown in the message. |
Action | No action is required. |
Explanation | The SAML web inbound TAI is unable to find the attribute specified in the SAML Assertion. |
Action | Ensure that the creator of the SAML Assertion emits an assertion that contains an element with the attribute and value shown in the message. |
Explanation | The SAML web inbound TAI is unable to determine the value for the attribute because the attribute contains none of the specified sub-elements. |
Action | Ensure that the creator of the SAML Assertion emits an assertion that includes the missing sub-element. |
Explanation | The SAML web inbound TAI is unable to determine the value for the attribute because the Attribute element contains more than one AttributeValue sub-element. |
Action | Ensure that the creator of the SAML Assertion emits an assertion that includes only one AttributeValue sub-element for the Attribute element shown in the message. |
Explanation | The SAML web inbound TAI did not initialize because one or more errors occurred. The reason for this error will be displayed after this message. |
Action | See the user action for the error that appears after this message. |
Explanation | The properties shown in the message are part of a required set. This means that at least one of the properties in the set must be specified and have a value. One of the following has occurred: 1) None of the properties in the required set were specified. 2) One or more of the properties in the required set were specified, but none of the properties have a value. |
Action | Specify a value for at least one of the properties in the message, restart the server, and try again. |