IBM Support

PI55697: OpenID Connect Relying Party : No entry in cache for stateid

Download


Abstract

OpenID Connect Relying Party: No entry in cache for stateid happens in a cluster environment.

Download Description

THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.



PI55697 resolves the following problem:

ERROR DESCRIPTION:
When a resource is protected by the OpenID Connect Relying Party TAI in a cluster environment, an error like the following may occur during login:

[1/4/16 14:05:21:107 CET] 00000057 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: TheOpenID Connect replying party (RP) encountered a failure during the login. The exception is [No entry in cache for stateid: [6r0sco232ft5cstviumgm6i8fe]. Check the logs for details that lead to this exception.

PROBLEM SUMMARY

USERS AFFECTED:
Administrators of IBM WebSphere Application Server and OpenID Connect

PROBLEM DESCRIPTION:
The current implementation of the OpenID Connect Relying Party Trust Association Interceptor (TAI) in the full profile only supports the configuration of a single provider. If a user needs to configure the TAI to interact with multiple providers, they cannot do it.

RECOMMENDATION:
Install a fix pack that contains this APAR.

PROBLEM CONCLUSION:
When a request is made to a resource protected by the OpenID Connect Relying Party TAI, a login is initiated with the OpenID Connect Provider (OP). Before login, the TAI saves state information about the login request in a cache, using the state ID (6r0sco232ft5cstviumgm6i8fe in the error above) as the key. After login, the OP sends a response back to the TAI, and the TAI retrieves the request information from the cache. In a cluster environment, which cluster member receives the OP's response is indeterminate. If the member that receives the response is not the member that cached the login request, the CWTAI2007E error occurs.

This issue can normally be resolved by using session affinity. However, if a front-end application is used to load balance requests across the cluster members, session affinity won't work.

The OpenID Connect TAI is updated in the following ways:

  1. The dynacache put is set to PUSH (entries are pushed to the other cluster members).
  2. The session data that is stored in the cache is added to the request sent to the OP, so that any cluster member that receives the response from the OP has access to it. This means that if the server receiving the response cannot find the key in its cache, it can take the information it needs from the response instead.
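The following is an added simulation, not IBM code, of the two behaviours described above: two RP cluster members with non-replicated caches, a login started on one and the OP's response arriving at the other. The pre-fix path carries only the state ID and fails with the cache miss; the post-fix path carries the login data in the state value, and the example assumes an HMAC over that data with a key shared by the cluster (`CLUSTER_KEY`) so a member that never cached it can still verify it, which keeps the CSRF protection that `state` provides.

```python
import base64, hashlib, hmac, json, secrets

# Constructed simulation, not WebSphere code: every RP cluster member keeps its own
# non-replicated cache, so an OP callback that lands on another member misses it.
CLUSTER_KEY = secrets.token_bytes(32)  # assumed HMAC key shared by the whole cluster

class RPMember:
    def __init__(self):
        self.cache = {}  # stand-in for the dynacache: stateid -> login data

    def start_login(self, original_url, embed_state):
        stateid = secrets.token_hex(8)
        data = {"stateid": stateid, "original_url": original_url}
        self.cache[stateid] = data
        if not embed_state:
            return stateid  # pre-fix: only the cache key travels to the OP
        # Post-fix idea: send the data itself, MAC'd so a member with no cache
        # entry can still trust it (keeps the CSRF protection `state` provides).
        payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
        tag = hmac.new(CLUSTER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{tag}"

    def handle_callback(self, state):
        embedded = None
        if "." in state:  # embedded form: verify before trusting anything in it
            payload, tag = state.rsplit(".", 1)
            expected = hmac.new(CLUSTER_KEY, payload.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("state failed integrity check")
            embedded = json.loads(base64.urlsafe_b64decode(payload))
            stateid = embedded["stateid"]
        else:
            stateid = state
        cached = self.cache.pop(stateid, None)
        if cached is not None:
            return cached  # same member (or replicated cache): normal path
        if embedded is not None:
            return embedded  # different member: recovered from the OP's response
        raise LookupError(f"No entry in cache for stateid: [{stateid}]")

def cluster_login(embed_state):
    """Member A starts the login; member B receives the OP's response."""
    a, b = RPMember(), RPMember()
    state = a.start_login("https://app.example/protected", embed_state)
    try:
        return b.handle_callback(state)["original_url"]
    except LookupError as exc:
        return str(exc)
```

A member that never cached the entry cannot detect replay of a verified state value, so a real deployment also needs an expiry inside the MAC'd data and a binding to the browser session.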
The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.13 and 8.5.5.9. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, OIDC, INTERIMFIX

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Problems (APARS) fixed
PI25298;PI33449;PI37687;PI47460;PI52604;PI56331;PI59831;PI55697

Document Information

Modified date:
15 June 2018

UID

swg24042337