PI78336: WebSphere Application Server OpenID connect Relying Party jndiCacheName Property does not work

Fixes are available

APAR status

Closed as program error.

Error description

The OpenId Connect (OIDC) Relying Party (RP) does not have
a means for changing the jndi name of the cache instance it
uses to store OIDC session data.

Local fix

```
N/A
```

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  OpenID Connect                              *
****************************************************************
* PROBLEM DESCRIPTION: The OpenID Connect Relying TAI is not   *
*                      honoring the jndiCacheName property.    *
****************************************************************
* RECOMMENDATION:  Install a fix pack or interim fix that      *
*                  contains this APAR.                         *
****************************************************************
The OpenID Connect Relying Party Trust Association Interceptor
is not honoring the jndiCacheName property.  The TAI reads the
property, but always uses a DynaCache DistributedMap instead
of the specified JNDI cache.

Problem conclusion

The OpenID Connect TAI is updated so that it honors the value
specified for the jndiCacheName property.

In order for your named JNDI cache to be used, DynaCache must
be enabled on the application server and the cache must be
available to the naming service at the time the first request
is made to the OpenID Connect TAI.

Here are some warnings that you may receive when attempting to
use the jndiCacheName property:

=================
CWTAI2034W: The JNDI Cache name [services/cache/myCache] that
is specified on the OpenID Connect custom property
[jndiCacheName] does not appear to be accessible at this time
[javax.naming.NameNotFoundException: Context:
vmCell02/nodes/vmNode02/servers/server1, name:
services/cache/myCache: First component in name myCache not
found.]. The OIDC RP will continue to initialize because the
cache may become available at a later time.  The OIDC RP will
attempt to access the JNDI cache again when the first request
is received.  If the JNDI cache is not available at that time,
the RP will revert to using an alternate caching method
instead of the JNDI cache requested.

Explanation: During initialization, the OIDC TAI was unable to
access the configured JNDI cache.  If the cache is not
available by the time the OIDC must put an entry in the cache,
the OIDC TAI will create a DynaCache DistributedMap to ensure
that requests will be processed.

Action: Ensure that your named JNDI cache is available to the
application server on which the OIDC TAI resides before the
OIDC TAI starts receiving requests.

=================
CWTAI2035W: A JNDI Cache name [services/cache/myCache] was
specified on the OpenID Connect custom property
[jndiCacheName] but DynaCache does not appear to be enabled on
the application server.  The OIDC RP will continue to
initialize.  The OIDC RP will attempt to access DynaCache
again when the first request is received.  If DynaCache is not
available at that time, the RP will revert to using an
alternate caching method instead of the JNDI cache requested.

Explanation: DynaCache was not available to the OIDC TAI
during initialization.  If the DynaCache is not available by
the time the OIDC must put an entry in the cache, the OIDC TAI
will create a local map to ensure that requests will be
processed.

Action: Ensure that DynaCache is enabled and your named JNDI
cache is available on the application server on which the OIDC
TAI resides before the OIDC TAI starts receiving requests.

=================
CWTAI2037W: The OpenID Connect relying party (RP) is unable to
use the JNDI cache [services/cache/myCache] that was specified
on the OpenID Connect custom property [jndiCacheName]. An
alternate caching method will be used. [CWTAI2038I: DynaCache
is not active on the application server.]

Explanation: The OIDC TAI is not able to use the named JNDI
cache.  The reason is shown after the message.

Action: See the action for the message appended to this one.

=================
CWTAI2038I: DynaCache is not active on the application server.

Explanation: The dynamic cache service (DynaCache) is not
enabled on this application server.  DynaCache is enabled on
application servers by default.  If DynaCache is not enabled,
it has been disabled on purpose.  Take care when deciding if
you want to turn DynaCache back on.

Action: Enable DynaCache on the application server if you want
to use a named JNDI cache.

=================
CWTAI2039I: Unable to locate the JNDI cache
[services/cache/myCache]. javax.naming.NameNotFoundException:
Context:
vmCell02/nodes/vmNode02/servers/server1, name:
services/cache/myCache: First component in name myCache not
found.

Explanation: The OIDC TAI was unable to access the named JNDI
cache.  The cause of this issue is appended to this message.

Action: Ensure that the named JNDI cache is available when the
OIDC TAI must put an entry in the cache.  See the user action
for the message appended to this one.

=================
Additional updates made on this APAR:

The definition of the clusterCaching property is updated to
better account for the use of the jndiCacheName property:

clusterCaching
Default value: true

Set this property to false if you want each cluster member to
maintain their own session cache.  If DynaCache is enabled on
the server, it will always be used for cache management, but
if this property is set to false, session data will not be
shared among cluster members.  When cluster caching is turned
on, the number of cache entries is shared among all cluster
members.  When cluster caching is turned off, each cluster
member can store up to the maximum number of entries. The
value for this property is ignored if a value is specified for
the jndiCacheName property.

=================
The sessionCacheSize property is updated to allow you to set
the size of the session cache when the cache is managed by
DynaCache.  Previously, this property only applied when a
local cache was in use.  The new definition of the
sessionCacheSize property is:

sessionCacheSize
Default values: -1/10000
Minimum value: 1

Specifies the size of the cache the OpenID Connect RP uses for
session data. When DynaCache is enabled on the server: 1) the
default value is [-1], 2) setting the value to [-1] will make
the OIDC TAI inherit the active DynaCache default maximum
cache size, 3) when the cache limit is reached, old entries are
evicted from the cache by DynaCache to add new entries. When
DynaCache is not enabled on the server: 1) the default value
is [10000], 2) if [-1] is specified, the value will revert to
the non-DynaCache default: [10000], 3) when the cache limit is
reached, all subsequent requests to the RP are rejected with
an HTTP response code 503 (service unavailable) and the
application server cannot take new requests until sessions
that time out are removed from the cache.

=================
An alternate value of -1 is added to the maxStateCacheSize
property.

maxStateCacheSize
Default value: 10000
Minimum value: 25
Alternate value: -1 (use active DynaCache default maximum)
Alternate value: 0 (off)

Maximum number of state objects that can be in the local state
cache. Setting the value to 0 (zero) turns off the local state
cache.  Setting the value to -1 will make the OIDC TAI inherit
the active DynaCache default maximum cache size.  When
DynaCache is not enabled on the application server, if -1 is
specified, this property will revert to its default.



=================
The explanation and user action for the message CWTAI2009I is
updated:

CWTAI2009I: The OpenID Connect relying party (RP) did not find
an entry for session cookie {0} in the Session cache.

Explanation: The request received by the OpenID Connect
relying party (RP) had a session cookie in it, but a
corresponding entry for that cookie was not found in the
session cache.  Possible causes for this are 1) you are
running in a cluster environment, you do not have session
affinity and not enough time has elapsed for DynaCache to
replicate across the cluster, 2) you are running in a cluster
environment and the volume of active users is causing OIDC
sessions to be evicted from DynaCache.

Action: You can do the following to resolve this problem: 1)
If you are running in a cluster environment, enable session
affinity, then set -clusterCaching=false, 2) Create a custom
JNDI cache definition to tailor the behavior of the TAI's
session cache and provide its name on the -jndiCacheName TAI
custom property, 3) Remove the OIDC class,
com.ibm.ws.security.oidc.client.RelyingParty, from the base
security custom property
com.ibm.websphere.security.InvokeTAIbeforeSSO.  Refer to the
'Configuring an OpenID Connect Relying Party' article in the
Knowledge Center for the ramifications of this action.

The fix for this APAR is currently targeted for inclusion in
fix pack 8.0.0.14, 8.5.5.12, and 9.0.0.4.  Please refer to
the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PI78336
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-03-16
Closed date
2017-05-04
Last modified date
2017-05-04

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R800 PSY
UP
R850 PSY
UP
R900 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 May 2022

Tips

PI78336: WebSphere Application Server OpenID connect Relying Party jndiCacheName Property does not work

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R800 PSY

R850 PSY

R900 PSY

Document Information

Share your feedback

Need support?