IV31657: FIM DOES NOT GRACEFULLY EXIT IF THE DYNACACHE SAML20SESSION IS NOT FOUND, EVEN IF THE JSESSIONID IS PRESENT.

APAR status

  • Closed as program error.

Error description

  • A problem was reported where the customer was loading FIM with
    enough solicited SAML 2.0 SSO requests that the FIM Dynacache
    entries for the SAML20Session were removed due to LRU.  FIM
    uses both the Session cache and a Dynacache to process SSO
    requests.  The customer is at the FIM 6.2.0.10 level.
    
    [2/26/12 0:28:06:268 EST] 0000003c SAML20Session >
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession ENTRY
    [2/26/12 0:28:06:268 EST] 0000003c SAML20Session >
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    determineSessionKey ENTRY
    [2/26/12 0:28:06:268 EST] 0000003c SAML20Session <
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    determineSessionKey RETURN
    [2/26/12 0:28:06:268 EST] 0000003c SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session Key: null
    [2/26/12 0:28:06:268 EST] 0000003c SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session not found
    [2/26/12 0:28:06:269 EST] 0000003c SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session: SAML20Session [sessionId =
    af660bbb-dc85-4e2a-9a66-e9e45f438347 signOutInfo = null Session
    Attributes = [  EMPTY  ] Current Requests = [  EMPTY  ]
    SessionInfos = [  EMPTY  ] ]
    [2/26/12 0:28:06:269 EST] 0000003c SAML20Session <
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession RETURN
    [2/26/12 0:28:06:269 EST] 0000003c SAML20Protoco >
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector selectActionChain ENTRY
    [2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco >
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector doChainSelectBasedOnBindingAndProfile ENTRY
    [2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector doChainSelectBasedOnBindingAndProfile Using this
    key to retrieve the action list MapKey [:  profile = Profile:
    SSOBrowser urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser;
    role = ip; binding = Protocol Binding:HTTPPost
    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST; protocolRole =
    RESPONDER; isRequestType = true ]
    [2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector doChainSelectBasedOnBindingAndProfile Adding
    action:
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ValidateAuth
    nRequestAction
    [2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector doChainSelectBasedOnBindingAndProfile Adding
    action:
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction
    [2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector doChainSelectBasedOnBindingAndProfile Adding
    action:
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ExchangeToke
    nAtIPAction
    [2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector doChainSelectBasedOnBindingAndProfile Adding
    action:
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20FederateAtIP
    Action
    [2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector doChainSelectBasedOnBindingAndProfile Adding
    action:
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20BuildAuthnRe
    sponseAction
    [2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector doChainSelectBasedOnBindingAndProfile Adding
    action:
    com.tivoli.am.fim.saml20.protocol.actions.SAML20SendMessageActio
    n
    [2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco <
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector doChainSelectBasedOnBindingAndProfile RETURN
    [2/26/12 0:28:06:271 EST] 0000003c SAML20Protoco <
    com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionC
    hainSelector selectActionChain RETURN
    [2/26/12 0:28:06:271 EST] 0000003c SAML20Process >
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction runProtocol ENTRY
    [2/26/12 0:28:06:271 EST] 0000003c SAML20Process >
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction needToAuthn ENTRY
    [2/26/12 0:28:06:271 EST] 0000003c SAML20Process 1
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction needToAuthn No current authentication
    [2/26/12 0:28:06:271 EST] 0000003c SAML20Process <
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction needToAuthn RETURN
    [2/26/12 0:28:06:271 EST] 0000003c SAML20Process 1
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction runProtocol Authentication needed
    [2/26/12 0:28:06:271 EST] 0000003c SAML20Process >
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction haltForForceAuthn ENTRY
    [2/26/12 0:28:06:271 EST] 0000003c SAML20Process 1
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction haltForForceAuthn Halting with ForceAuthnInterrupt
    [2/26/12 0:28:06:271 EST] 0000003c SAML20Process <
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction haltForForceAuthn RETURN
    [2/26/12 0:28:06:272 EST] 0000003c SAML20Process <
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthn
    RequestAction runProtocol RETURN
    [2/26/12 0:28:06:272 EST] 0000003c SAML20Session >
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    manageSession ENTRY
    [2/26/12 0:28:06:272 EST] 0000003c SAML20Session >
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    storeSession ENTRY
    [2/26/12 0:28:06:272 EST] 0000003c SAML20Session >
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    getSessionTimeToLive ENTRY
    [2/26/12 0:28:06:272 EST] 0000003c SAML20Session <
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    getSessionTimeToLive RETURN
    [2/26/12 0:28:06:273 EST] 0000003c SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    storeSession Session: SAML20Session [sessionId =
    af660bbb-dc85-4e2a-9a66-e9e45f438347 signOutInfo = null Session
    Attributes = [ ; key = SAMLSESS-UserInteractionActionList value
    =
    [com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuth
    nRequestAction,
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ExchangeToke
    nAtIPAction,
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20FederateAtIP
    Action,
    com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20BuildAuthnRe
    sponseAction,
    com.tivoli.am.fim.saml20.protocol.actions.SAML20SendMessageActio
    n]; key = SAMLSESS-ContextState value =
    {RequestContext.InitialSAMLRequestReturnProtocolBinding=null,
    ContextAttributes={SAMLCTX-ProtocolPartner=http://sp.ibm.com},
    ResponseContext.SAMLMessageProtocolBinding=Protocol
    Binding:HTTPPost urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST,
    ResponseContext.RelayState=http://www.ibm.com/&rel=b771132d,
    ResponseContext.SignMessage=false, RequestContext.Artifact=null,
    ProtocolRole=RESPONDER,
    RequestContext.RequestURL=https://idp.ibm.com/FIM/sps/spfed/saml
    20/login,
    RequestContext.SAMLMessage=com.tivoli.am.fim.saml.protocol.Saml2
    0AuthnRequestImpl@67506750 [IssueInstant: Sun Feb 26 00:28:05
    EST 2012, Version: 2.0, ID:
    a9776729-bbc7-4cbe-ab18-160366504b0e, Consent: null,
    Destination: https://idp.ibm.com/FIM/sps/spfed/saml20/login,
    RelayState: null] (forceAuthn: false, isPassive: false,
    AssertionConsumerServiceIndex: <not set>,
    AssertionConsumerServiceURL: https://sp.ibm.com/acsurl,
    protocolBinding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST,
    AttributeConsumingServiceIndex: <not set>),
    RequestContext.ProtocolBinding=Protocol Binding:HTTPPost
    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST,
    ResponseContext.SessionOP=STORE,
    ResponseContext.ProtocolEndpoint=SAMLProtocolEndpoint [:  type =
    SAML2.AssertionConsumerService; binding = Protocol
    Binding:HTTPPost urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;
    urlLocation = https://sp.ibm.com/acsurl; returnUrlLocation =
    https://sp.ibm.com/acsurl; index = 1; isDefault = false;
    isDefaultIsSet = true ],
    RequestContext.InitialSAMLRequestProtocolBinding=null,
    RequestContext.RelayState=http://www.ibm.com/&rel=b771132d,
    RequestContext.Target=null}; key = SAMLSESS-ForcedAuth value =
    true ] Current Requests = [  EMPTY  ] SessionInfos = [  EMPTY  ]
    ]
    [2/26/12 0:28:06:273 EST] 0000003c SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    storeSession Session TimeToLive: 7200
    [2/26/12 0:28:06:277 EST] 0000003c SAML20Session >
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    setSAMLCookie ENTRY
    [2/26/12 0:28:06:277 EST] 0000003c SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    setSAMLCookie Setting Cookie: javax.servlet.http.Cookie@574e574e
    [2/26/12 0:28:06:277 EST] 0000003c SAML20Session <
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    setSAMLCookie RETURN
    [2/26/12 0:28:06:277 EST] 0000003c SAML20Session <
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    storeSession RETURN
    [2/26/12 0:28:06:277 EST] 0000003c SAML20Session <
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    manageSession RETURN
    
    
    
    [2/26/12 0:30:40:675 EST] 00000031 SAML20Session >
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession ENTRY
    [2/26/12 0:30:40:675 EST] 00000031 SAML20Session >
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    determineSessionKey ENTRY
    [2/26/12 0:30:40:675 EST] 00000031 SAML20Session <
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    determineSessionKey RETURN
    [2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session Key:
    af660bbb-dc85-4e2a-9a66-e9e45f438347
    [2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session not found
    [2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session: SAML20Session [sessionId =
    0d44a624-11c8-47da-95fa-8929d4b109ea signOutInfo = null Session
    Attributes = [  EMPTY  ] Current Requests = [  EMPTY  ]
    SessionInfos = [  EMPTY  ] ]
    
    <lines removed>
    

Local fix

  • Increase the size of the ssops_plugins Dynacache in WebSphere and
    restart the JVMs.  The problem is related to transactions per
    second, and how long it takes the user to make the second
    request.
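
One way to confirm this condition from a trace, as an added example (not IBM's code): it rejoins the wrapped entries, then flags any retrieveSession that presented a session key stored earlier in the same trace yet logged "Session not found", and reports whether the loss came before the time to live ran out. The names SAMPLE, entries, lost_sessions and ttl_s are chosen for this example; the default of 7200 is the Session TimeToLive value logged in the trace above, treated here as seconds, which is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: abridged from the trace above and wrapped the same way.
SAMPLE = """\
    [2/26/12 0:28:06:268 EST] 0000003c SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session Key: null
    [2/26/12 0:28:06:268 EST] 0000003c SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session not found
    [2/26/12 0:28:06:273 EST] 0000003c SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    storeSession Session: SAML20Session [sessionId =
    af660bbb-dc85-4e2a-9a66-e9e45f438347 signOutInfo = null ]
    [2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session Key:
    af660bbb-dc85-4e2a-9a66-e9e45f438347
    [2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3
    com.tivoli.am.fim.saml20.session.SAML20SessionManager
    retrieveSession Session not found
"""

HEAD = re.compile(r"^\s*\[(\d[^\]]*)\]\s+([0-9a-fA-F]{8})\s+(.*)$")

def entries(text):
    """Rejoin wrapped entries: a "[timestamp] thread" line starts one, others continue it."""
    out = []
    for line in text.splitlines():
        if m := HEAD.match(line):
            # Drop the trailing time zone name, then parse M/D/YY H:MM:SS:mmm.
            ts = datetime.strptime(m[1].rsplit(" ", 1)[0], "%m/%d/%y %H:%M:%S:%f")
            out.append([ts, m[2], m[3]])
        elif out and line.strip():
            out[-1][2] += " " + line.strip()
    return out

def lost_sessions(text, ttl_s=7200):  # 7200 is the Session TimeToLive logged above
    """Lookups whose key was stored earlier in the trace but whose session is gone."""
    stored, key, hits = {}, {}, []
    for ts, thread, msg in entries(text):
        if m := re.search(r"storeSession Session: SAML20Session \[sessionId = (\S+)", msg):
            stored[m[1]] = ts
        elif m := re.search(r"retrieveSession Session Key: (\S+)", msg):
            key[thread] = m[1]  # "null" on a first request that carries no SAML cookie
        elif "retrieveSession Session not found" in msg and key.get(thread) in stored:
            age = (ts - stored[key[thread]]).total_seconds()
            hits.append({"key": key[thread], "age_s": age, "before_ttl": age < ttl_s})
    return hits
```

The first "Session not found" in the sample is ignored because its key is null, which is the normal start of a new session. The second is reported about 154 seconds after the session was stored, well inside the time to live, which is consistent with the cache entry having been removed rather than having expired.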
    

Problem summary

  • Blank page is shown when the session cannot be found.
    

Problem conclusion

  • The fix for this APAR is contained in the following maintenance
    packages:
    | fix pack | 6.2.2-TIV-TFIM-FP0004
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV31657

  • Reported component name

    TIV FED ID MGR

  • Reported component ID

    5724L7300

  • Reported release

    622

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-11-08

  • Closed date

    2012-11-08

  • Last modified date

    2012-11-08

  • APAR is sysrouted FROM one or more of the following:

    IV16479

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV FED ID MGR

  • Fixed component ID

    5724L7300

Applicable component levels

  • R622 PSY

       UP



Document information


More support for:

Tivoli Federated Identity Manager

Software version:

622

Reference #:

IV31657

Modified date:

2012-11-08
