IBM Support

PH40544: LTPA token expiration message (SECJ0371W) was intermittently thrown with the old expiraton time in year 1970.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Intermittently SECJ00371W with the expiration time (Date: Thu
Jan 01 01:00:00 CET 1970) was thrown

-- Sample error message ---
[5/11/20 19:48:34:364 CEST] 000000b0 LTPAServerObj W
SECJ0371W: Validation of the LTPA token failed because the
token expired with the following info: Token expiration Date:
Thu Jan 01 01:00:00 CET 1970, current Date: Mon May 11
19:48:34 CEST 2020. This warning might indicate expected
behavior. Please refer to technote at
http://www-01.ibm.com/support/docview.wss?uid=swg21594981.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  The users of IBM WebSphere Application      *
*                  Server                                      *
****************************************************************
* PROBLEM DESCRIPTION: The server intermittently throws        *
*                      SECJ0371W (LtpaToken expiration         *
*                      warning)                                *
*                      with the expiration Date: Thu Jan 01    *
*                      01:00:00 CET 1970                       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
There was a request that came with a valid LtpaToken and
invalid AuthzPropToken with the expiration time set to Java
epoch time. The error is thrown from the AuthzPropToken
validation.
Since AuthzPropToken is a legacy token that WebSphere v8.5.5
and v9.0 no longer require to check its expiration, this APAR
introduced a custom property to turn off its expiration check.
To activate APAR code, the following custom property needs to
be set. From adminconsole, Global security > Custom properties >
New óÔé¼ ª
Name: com.ibm.websphere.security.skipAuthzPropTokenCheck
Value: true
The default value is false.
To confirm this apar is a match for the issue, the trace
(com.ibm.ws.security.*=all) shows "validateTokenBytes() ->
com.ibm.ws.security.ltpa.AuthzPropTokenFactory" just before the
SECJ0371W. This indicates the error comes from the
AuthzPropToken validation.
-----------------------------
[6/3/20 12:20:45:648 CEST] 000009d2 LTPAServerObj 3   Calling
tokenFactory[2].validateTokenBytes() ->
com.ibm.ws.security.ltpa.AuthzPropTokenFactory
[6/3/20 12:20:45:648 CEST] 000009d2 AuthzPropToke >
AuthzPropToken from byte[] Entry
[6/3/20 12:20:45:649 CEST] 000009d2 AuthzPropToke 3   Before
parsing, length: 300
[6/3/20 12:20:45:649 CEST] 000009d2 AuthzPropToke <
AuthzPropToken from byte[] Exit
[6/3/20 12:20:45:649 CEST] 000009d2 AuthzPropToke 3   token
expired
[6/3/20 12:20:45:649 CEST] 000009d2 LTPAServerObj W   SECJ0371W:
Validation of the LTPA token failed because the token expired
with the following info: Token expiration Date: Thu Jan 01
01:00:00 CET 1970, current Date: Wed Jun 03 12:20:45 CEST 2020.
This warning might indicate expected behavior. Please refer to
technote at http://www-01.ibm.com/support/docview.wss?
uid=swg21594981.
--------------------------------

    



Problem conclusion


    

  • The bug has been fixed.

To activate APAR code, the following custom property needs to
be set. From adminconsole:
Global security > Custom properties >  New óÔé¼ ª

Name: com.ibm.websphere.security.skipAuthzPropTokenCheck
Value: true

The default value is false.

The fix for this APAR is targeted for inclusion in fix pack
8.5.5.22 and 9.0.5.11. For more information, see 'Recommended
Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH40544
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2021-09-13
    • 

  • Closed date
    2021-12-20
    • 

  • Last modified date
    2021-12-20
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBS APP SERV N
    • 

  • Fixed component ID
    5724H8800
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            21 December 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback