APAR status
Closed as program error.
Error description
OutOfMemoryExceptions were seen recently due to the SSLSession cache in the JSSE security code being unlimited. APAR IY78651 to the JDK is adding default limits on the cache; however, WebSphere Application Server v6 administrators should be able to control the cache size and session timeouts through the SSL channel instead of depending on the default JDK values.
Local fix
The SSLSession cache size can be controlled through the system property "-Djavax.net.ssl.sessionCacheSize=<numsessions>". There is no system property for the session timeout value.
Problem summary
USERS AFFECTED: All WebSphere Application Server version 6.0.2 users of the SSL channel.

PROBLEM DESCRIPTION: Due to the default unconstrained SSL session cache in the JDK, out of memory exceptions were seen under stress.

RECOMMENDATION:

The JDK 1.4 had no default limits on the SSL engine cache. There is a system property to limit the number of engines allowed, but no other controls exist except through JSSE programming APIs. There is an upcoming patch to the JSSE code to add default limits; however, controls through WebSphere Application Server itself would be preferable.
Problem conclusion
The SSL channel now has several mechanisms for controlling and monitoring the SSL engine cache in the JSSE code. These take precedence over any JSSE system properties that might be set, and are unique per channel (instead of system-wide like the system properties).

name: SSLSessionCacheSize
purpose: limit the number of allowed items in the cache. This acts like the -Djavax.net.ssl.sessionCacheSize=<x> property.
value: integer
default: 100

name: SSLSessionTimeout
purpose: provide an idle timeout on the sessions in the cache. There is no equivalent system property.
value: int (time in milliseconds)
default: 86400 (24 hours)

name: StatsEnabled
purpose: enable monitoring of the cache; requires Tr debug of SSLChannelStats=all to be seen.

If StatsEnabled is set to true and the matching Tr debug is enabled, then every 30 seconds a debug message will be logged for active SSL channels, printing the current number of active sessions in the cache. If the number has not changed in the last 30 seconds, then no additional debug will be printed, to avoid excessive logging; however, every 5 minutes it will print the number no matter what. Thus under rapid changes to the cache, the number will be shown at 30-second intervals, but under a steady state it will only print every 5 minutes.

The fix for this APAR is currently targeted for inclusion in fixpack 6.0.2.7. Please refer to the Recommended Updates page for delivery information: http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg27004980
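The "JSSE programming APIs" mentioned above can be used to bound the session cache and to sample its size with the same reporting rule described for StatsEnabled. The following is an added example, not code from WebSphere or from this APAR; the class and method names are hypothetical, the limits and clock values are constructed, and the standard JSSE setSessionTimeout call takes its value in seconds.

```java
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;

// Added illustration; class and method names are hypothetical, not WebSphere code.
public class SessionCacheLimits {
    static final long FORCE_MS = 5 * 60 * 1000L; // report at least every 5 minutes

    private int lastCount = -1;   // count at the last report
    private long lastReport = 0L; // time of the last report, in ms

    // Bound the cache. JSSE treats 0 as "no limit" for both settings.
    static void applyLimits(SSLSessionContext ctx, int maxSessions, int timeoutSeconds) {
        ctx.setSessionCacheSize(maxSessions);
        ctx.setSessionTimeout(timeoutSeconds); // seconds since session creation
    }

    // Number of sessions currently held in the cache.
    static int countSessions(SSLSessionContext ctx) {
        return Collections.list(ctx.getIds()).size();
    }

    // Called on each 30-second sample: report if the count changed since the
    // last report, or if 5 minutes have passed without one.
    boolean shouldReport(int count, long nowMs) {
        boolean due = count != lastCount || nowMs - lastReport >= FORCE_MS;
        if (due) {
            lastCount = count;
            lastReport = nowMs;
        }
        return due;
    }

    public static void main(String[] args) throws Exception {
        SSLSessionContext server = SSLContext.getDefault().getServerSessionContext();
        if (server == null) {
            System.out.println("provider exposes no server session context");
            return;
        }
        applyLimits(server, 100, 86400); // constructed values: 100 sessions, 24 hours
        SessionCacheLimits stats = new SessionCacheLimits();
        long[] sampleTimesMs = {0, 30_000, 60_000, 330_000}; // constructed clock values
        for (long t : sampleTimesMs) {
            int n = countSessions(server);
            if (stats.shouldReport(n, t)) {
                System.out.println("t=" + t + "ms cached sessions=" + n);
            }
        }
    }
}
```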
Temporary fix
Comments
APAR Information
APAR number
PK16095
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2005-12-01
Closed date
2005-12-29
Last modified date
2005-12-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
Document Information
Modified date:
10 February 2022