Fixes are available
APAR status
Closed as program error.
Error description
A problem was reported in which the customer was loading FIM with enough solicited SAML 2.0 SSO requests to cause the FIM Dynacache entries for the SAML20Session to be removed by LRU (least recently used) eviction. FIM uses both the session cache and a Dynacache to process SSO requests. The customer is at the FIM 6.2.0.10 level.
[2/26/12 0:28:06:268 EST] 0000003c SAML20Session > com.tivoli.am.fim.saml20.session.SAML20SessionManager retrieveSession ENTRY
[2/26/12 0:28:06:268 EST] 0000003c SAML20Session > com.tivoli.am.fim.saml20.session.SAML20SessionManager determineSessionKey ENTRY
[2/26/12 0:28:06:268 EST] 0000003c SAML20Session < com.tivoli.am.fim.saml20.session.SAML20SessionManager determineSessionKey RETURN
[2/26/12 0:28:06:268 EST] 0000003c SAML20Session 3 com.tivoli.am.fim.saml20.session.SAML20SessionManager retrieveSession Session Key: null
[2/26/12 0:28:06:268 EST] 0000003c SAML20Session 3 com.tivoli.am.fim.saml20.session.SAML20SessionManager retrieveSession Session not found
[2/26/12 0:28:06:269 EST] 0000003c SAML20Session 3 com.tivoli.am.fim.saml20.session.SAML20SessionManager retrieveSession Session: SAML20Session [sessionId = af660bbb-dc85-4e2a-9a66-e9e45f438347 signOutInfo = null Session Attributes = [ EMPTY ] Current Requests = [ EMPTY ] SessionInfos = [ EMPTY ] ]
[2/26/12 0:28:06:269 EST] 0000003c SAML20Session < com.tivoli.am.fim.saml20.session.SAML20SessionManager retrieveSession RETURN
[2/26/12 0:28:06:269 EST] 0000003c SAML20Protoco > com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector selectActionChain ENTRY
[2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco > com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector doChainSelectBasedOnBindingAndProfile ENTRY
[2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2 com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector doChainSelectBasedOnBindingAndProfile Using this key to retrieve the action list MapKey [: profile = Profile: SSOBrowser urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser; role = ip; binding = Protocol Binding:HTTPPost urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST; protocolRole = RESPONDER; isRequestType = true ]
[2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2 com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector doChainSelectBasedOnBindingAndProfile Adding action: com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ValidateAuthnRequestAction
[2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2 com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector doChainSelectBasedOnBindingAndProfile Adding action: com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction
[2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2 com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector doChainSelectBasedOnBindingAndProfile Adding action: com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ExchangeTokenAtIPAction
[2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2 com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector doChainSelectBasedOnBindingAndProfile Adding action: com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20FederateAtIPAction
[2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2 com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector doChainSelectBasedOnBindingAndProfile Adding action: com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20BuildAuthnResponseAction
[2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco 2 com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector doChainSelectBasedOnBindingAndProfile Adding action: com.tivoli.am.fim.saml20.protocol.actions.SAML20SendMessageAction
[2/26/12 0:28:06:270 EST] 0000003c SAML20Protoco < com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector doChainSelectBasedOnBindingAndProfile RETURN
[2/26/12 0:28:06:271 EST] 0000003c SAML20Protoco < com.tivoli.am.fim.saml20.protocol.delegate.SAML20ProtocolActionChainSelector selectActionChain RETURN
[2/26/12 0:28:06:271 EST] 0000003c SAML20Process > com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction runProtocol ENTRY
[2/26/12 0:28:06:271 EST] 0000003c SAML20Process > com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction needToAuthn ENTRY
[2/26/12 0:28:06:271 EST] 0000003c SAML20Process 1 com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction needToAuthn No current authentication
[2/26/12 0:28:06:271 EST] 0000003c SAML20Process < com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction needToAuthn RETURN
[2/26/12 0:28:06:271 EST] 0000003c SAML20Process 1 com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction runProtocol Authentication needed
[2/26/12 0:28:06:271 EST] 0000003c SAML20Process > com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction haltForForceAuthn ENTRY
[2/26/12 0:28:06:271 EST] 0000003c SAML20Process 1 com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction haltForForceAuthn Halting with ForceAuthnInterrupt
[2/26/12 0:28:06:271 EST] 0000003c SAML20Process < com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction haltForForceAuthn RETURN
[2/26/12 0:28:06:272 EST] 0000003c SAML20Process < com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction runProtocol RETURN
[2/26/12 0:28:06:272 EST] 0000003c SAML20Session > com.tivoli.am.fim.saml20.session.SAML20SessionManager manageSession ENTRY
[2/26/12 0:28:06:272 EST] 0000003c SAML20Session > com.tivoli.am.fim.saml20.session.SAML20SessionManager storeSession ENTRY
[2/26/12 0:28:06:272 EST] 0000003c SAML20Session > com.tivoli.am.fim.saml20.session.SAML20SessionManager getSessionTimeToLive ENTRY
[2/26/12 0:28:06:272 EST] 0000003c SAML20Session < com.tivoli.am.fim.saml20.session.SAML20SessionManager getSessionTimeToLive RETURN
[2/26/12 0:28:06:273 EST] 0000003c SAML20Session 3 com.tivoli.am.fim.saml20.session.SAML20SessionManager storeSession Session: SAML20Session [sessionId = af660bbb-dc85-4e2a-9a66-e9e45f438347 signOutInfo = null Session Attributes = [ ; key = SAMLSESS-UserInteractionActionList value = [com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ProcessAuthnRequestAction, com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ExchangeTokenAtIPAction, com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20FederateAtIPAction, com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20BuildAuthnResponseAction, com.tivoli.am.fim.saml20.protocol.actions.SAML20SendMessageAction]; key = SAMLSESS-ContextState value = {RequestContext.InitialSAMLRequestReturnProtocolBinding=null, ContextAttributes={SAMLCTX-ProtocolPartner=http://sp.ibm.com}, ResponseContext.SAMLMessageProtocolBinding=Protocol Binding:HTTPPost urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, ResponseContext.RelayState=http://www.ibm.com/&rel=b771132d, ResponseContext.SignMessage=false, RequestContext.Artifact=null, ProtocolRole=RESPONDER, RequestContext.RequestURL=https://idp.ibm.com/FIM/sps/spfed/saml20/login, RequestContext.SAMLMessage=com.tivoli.am.fim.saml.protocol.Saml20AuthnRequestImpl@67506750 [IssueInstant: Sun Feb 26 00:28:05 EST 2012, Version: 2.0, ID: a9776729-bbc7-4cbe-ab18-160366504b0e, Consent: null, Destination: https://idp.ibm.com/FIM/sps/spfed/saml20/login, RelayState: null] (forceAuthn: false, isPassive: false, AssertionConsumerServiceIndex: <not set>, AssertionConsumerServiceURL: https://sp.ibm.com/acsurl, protocolBinding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, AttributeConsumingServiceIndex: <not set>), RequestContext.ProtocolBinding=Protocol Binding:HTTPPost urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, ResponseContext.SessionOP=STORE, ResponseContext.ProtocolEndpoint=SAMLProtocolEndpoint [: type = SAML2.AssertionConsumerService; binding = Protocol Binding:HTTPPost urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST; urlLocation = https://sp.ibm.com/acsurl; returnUrlLocation = https://sp.ibm.com/acsurl; index = 1; isDefault = false; isDefaultIsSet = true ], RequestContext.InitialSAMLRequestProtocolBinding=null, RequestContext.RelayState=http://www.ibm.com/&rel=b771132d, RequestContext.Target=null}; key = SAMLSESS-ForcedAuth value = true ] Current Requests = [ EMPTY ] SessionInfos = [ EMPTY ] ]
[2/26/12 0:28:06:273 EST] 0000003c SAML20Session 3 com.tivoli.am.fim.saml20.session.SAML20SessionManager storeSession Session TimeToLive: 7200
[2/26/12 0:28:06:277 EST] 0000003c SAML20Session > com.tivoli.am.fim.saml20.session.SAML20SessionManager setSAMLCookie ENTRY
[2/26/12 0:28:06:277 EST] 0000003c SAML20Session 3 com.tivoli.am.fim.saml20.session.SAML20SessionManager setSAMLCookie Setting Cookie: javax.servlet.http.Cookie@574e574e
[2/26/12 0:28:06:277 EST] 0000003c SAML20Session < com.tivoli.am.fim.saml20.session.SAML20SessionManager setSAMLCookie RETURN
[2/26/12 0:28:06:277 EST] 0000003c SAML20Session < com.tivoli.am.fim.saml20.session.SAML20SessionManager storeSession RETURN
[2/26/12 0:28:06:277 EST] 0000003c SAML20Session < com.tivoli.am.fim.saml20.session.SAML20SessionManager manageSession RETURN
[2/26/12 0:30:40:675 EST] 00000031 SAML20Session > com.tivoli.am.fim.saml20.session.SAML20SessionManager retrieveSession ENTRY
[2/26/12 0:30:40:675 EST] 00000031 SAML20Session > com.tivoli.am.fim.saml20.session.SAML20SessionManager determineSessionKey ENTRY
[2/26/12 0:30:40:675 EST] 00000031 SAML20Session < com.tivoli.am.fim.saml20.session.SAML20SessionManager determineSessionKey RETURN
[2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3 com.tivoli.am.fim.saml20.session.SAML20SessionManager retrieveSession Session Key: af660bbb-dc85-4e2a-9a66-e9e45f438347
[2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3 com.tivoli.am.fim.saml20.session.SAML20SessionManager retrieveSession Session not found
[2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3 com.tivoli.am.fim.saml20.session.SAML20SessionManager retrieveSession Session: SAML20Session [sessionId = 0d44a624-11c8-47da-95fa-8929d4b109ea signOutInfo = null Session Attributes = [ EMPTY ] Current Requests = [ EMPTY ] SessionInfos = [ EMPTY ] ]
<lines removed>
Local fix
Increase the size of the ssops_plugins Dynacache in WebSphere and restart the JVMs. The problem is related to transactions per second and to how long it takes the user to make the second request.
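To check whether a trace shows this condition, the following added example (not IBM code and not part of the APAR) correlates storeSession and retrieveSession entries and reports sessions that were not found although their TimeToLive had not elapsed. It assumes one trace entry per line; the sample lines are constructed by shortening entries from the trace above, and the function and variable names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: six entries shortened from the trace format in this APAR.
MGR = "com.tivoli.am.fim.saml20.session.SAML20SessionManager"
SID = "af660bbb-dc85-4e2a-9a66-e9e45f438347"
SAMPLE_TRACE = f"""\
[2/26/12 0:28:06:268 EST] 0000003c SAML20Session 3 {MGR} retrieveSession Session Key: null
[2/26/12 0:28:06:268 EST] 0000003c SAML20Session 3 {MGR} retrieveSession Session not found
[2/26/12 0:28:06:273 EST] 0000003c SAML20Session 3 {MGR} storeSession Session: SAML20Session [sessionId = {SID} signOutInfo = null ]
[2/26/12 0:28:06:273 EST] 0000003c SAML20Session 3 {MGR} storeSession Session TimeToLive: 7200
[2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3 {MGR} retrieveSession Session Key: {SID}
[2/26/12 0:30:40:676 EST] 00000031 SAML20Session 3 {MGR} retrieveSession Session not found
"""

ENTRY = re.compile(r"^\[(\S+ \d+:\d+:\d+):(\d+) \w+\] (\w+) .*? (retrieveSession|storeSession) (.*)$")

def find_premature_losses(trace):
    """Return (session_id, age_seconds, ttl_seconds) for each stored session that
    a later retrieveSession could not find although its TTL had not expired."""
    stored = {}        # session id -> [store time, ttl in seconds or None]
    last_stored = {}   # thread id -> session id most recently stored by that thread
    pending_key = {}   # thread id -> session key of the retrieve in progress
    losses = []
    for line in trace.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        stamp, millis, thread, method, msg = m.groups()
        msg = msg.strip()
        when = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S") + timedelta(milliseconds=int(millis))
        if method == "storeSession":
            sid = re.search(r"sessionId = (\S+)", msg)
            if sid:
                stored[sid.group(1)] = [when, None]
                last_stored[thread] = sid.group(1)
            elif msg.startswith("Session TimeToLive:") and thread in last_stored:
                stored[last_stored[thread]][1] = int(msg.split(":")[1])
        elif msg.startswith("Session Key:"):
            key = msg.split(":", 1)[1].strip()
            pending_key[thread] = None if key == "null" else key
        elif msg == "Session not found":
            key = pending_key.pop(thread, None)   # a null key is a first request
            if key in stored:
                since, ttl = stored[key]
                age = (when - since).total_seconds()
                if ttl is None or age < ttl:      # unknown TTL is reported as well
                    losses.append((key, age, ttl))
    return losses
```

A session reported here with an age far below its TimeToLive, as in the sample, points to eviction from the cache rather than normal expiry.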
Problem summary
A blank page is shown when the session cannot be found.
Problem conclusion
The fix for this APAR is contained in the following maintenance packages:
Fix pack: 6.2.2-TIV-TFIM-FP0004
Temporary fix
Comments
APAR Information
APAR number
IV31657
Reported component name
TIV FED ID MGR
Reported component ID
5724L7300
Reported release
622
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-11-08
Closed date
2012-11-08
Last modified date
2012-11-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV FED ID MGR
Fixed component ID
5724L7300
Applicable component levels
R622 PSY
UP