IBM Support

PI55697: OPENID CONNECT RELYING PARTY: NO ENTRY IN CACHE FOR STATEID

Fixes are available

PI55697: OpenID Connect Relying Party : No entry in cache for stateid
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
9.0.0.1: WebSphere Application Server traditional V9.0 Fix Pack 1
9.0.0.2: WebSphere Application Server traditional V9.0 Fix Pack 2
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • OpenID Connect Relying Party: No entry in cache for stateid
happens in a cluster environment.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  Administrators of IBM WebSphere Application *
*                  Server and OpenID Connect                   *
****************************************************************
* PROBLEM DESCRIPTION: CWTAI2007E OpenID Connect error may     *
*                      occur in a cluster environment          *
****************************************************************
* RECOMMENDATION:  Install a fix pack that contains this       *
*                  APAR.                                       *
****************************************************************
When a resource is protected by the OpenID Connect Relying
Party TAI in a cluster environment, an error like the
following may occur during login:
[1/4/16 14:05:21:107 CET] 00000057 WebAuthentica E
SECJ0126E: Trust Association failed during validation. The
exception is
com.ibm.websphere.security.WebTrustAssociationFailedException:
CWTAI2007E: TheOpenID Connect replying party (RP) encountered
a failure during the login. The exception is [No entry in
cache for stateid:  [6r0sco232ft5cstviumgm6i8fe]. Check the
logs for details that lead to this exception.

    



Problem conclusion


    

  • When a request is made to a resource producted by the OpenID
Connect Relying Party TAI, a login is initiated to the OpenID
Connect Provider (OP). After login, the OP sends a response
back to the TAI.  Before login, the TAI saves state
information about the login request in a cache using the
6r0sco232ft5cstviumgm6i8fe as the key.  When the
response is received from the OP, the TAI retrieves the
request information from the cache.  In a cluster environment,
when the OP responds, the individual cluster member that
receives the response is indeterminate.  If the cluster member
that retrieved the response is not the member that cached the
login request, the CWTAI2007E error will occur.

This issue can normally be resolved by using session affinity.
However, if you are using some front-end application to load
balance the cluster member resources, using session affinity
won't work.

The OpenID Connect TAI is updated in the following ways:

1) The dynacache put is set to PUSH
2) The session data that is stored in the cache is added to
the request sent to the OP so that any cluster member that
receives the response from the OP has access to it.  This
means that if a server that receives the response cannot find
the key in the cache, it can find the information it needs
from the response.

The fix for this APAR is currently targeted for inclusion in
fix packs 8.0.0.13 and 8.5.5.10.  Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, OIDC

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PI55697
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2016-01-19
    • 

  • Closed date
    2016-04-08
    • 

  • Last modified date
    2016-04-08
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBS APP SERV N
    • 

  • Fixed component ID
    5724H8800
    • 



Applicable component levels


    

  • R800  PSY
       UP
    • 

  • R850  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            04 May 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback