PK20100: Java IP address security caching can cause LDAP connections to fail.


APAR status

  • Closed as suggestion for future release.

Error description

  • By default Java caches successful DNS lookups for the lifetime of
    the JVM. In the default configuration this causes problems when a
    host's IP address changes, for example in a round-robin DNS
    configuration or when a server is moved to a new address. Java
    keeps connecting to the first address it resolved and never
    refreshes it, so connections (such as LDAP) to a hostname fail
    when the correct IP address now differs from the one returned by
    the first lookup.
    
    External Symptoms:
    LDAP connections fail with a javax.naming.CommunicationException
    when Java IP address security caching is enabled, even though
    LDAP operations against the same host from outside Java succeed.
    Because the cache lives inside the JVM, restarting the JVM clears
    it: a failure that disappears on restart and returns after the
    next address change is the characteristic sign.
    IP address security caching is enabled by default and is only
    overridden by -Dsun.net.inetaddr.ttl on the command line or by
    networkaddress.cache.ttl in the java.security file. If both are
    set, the java.security value takes precedence; the command-line
    property is consulted only when the java.security property is
    absent.
    
    Other connections besides LDAP may fail in the same way if the
    hostname no longer resides at the IP address it had when the
    first connection attempt occurred.
    
    

Local fix

  • The command line option -Dsun.net.inetaddr.ttl=0 disables Java's
    caching of successful DNS lookups entirely, so every new
    connection performs a fresh lookup. Setting it to a finite
    positive value N caches each answer for N seconds. The default
    value is -1, meaning 'forever' (any negative value means forever).
    Later Java releases changed the default, when no security manager
    is installed, to 30 seconds. Failed (negative) lookups are
    governed separately by networkaddress.cache.negative.ttl, whose
    default is 10 seconds.
    
    IP address security caching was intended to address DNS spoofing:
    if a resolved address could change during the life of the JVM, a
    spoofed answer could redirect an already-trusted hostname to an
    attacker's host. That concern is far less relevant for a server
    application whose DNS servers are trusted. If security caching is
    causing connection failures it should be bounded or disabled; the
    Java IP address cache was never intended as a performance
    improvement.
    
    Disabling security caching may have a performance impact, because
    every connection then costs a DNS round trip. To keep the
    performance benefit of address caching without the staleness, a
    proper "cache-only" local DNS nameserver that honours the DNS TTL
    should be installed on the system, and applications should be
    configured to consult that local server rather than a remote one.
    
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • To disable security caching or to limit it to a finite time, use
    the command-line option -Dsun.net.inetaddr.ttl=N
    or the java.security option networkaddress.cache.ttl=N
    where N is a positive number of seconds or 0 for no caching.
    The default for these options is -1, meaning "forever". The
    java.security setting takes precedence when both are present.
    
    Applications may also be modified to cache the IP addresses they
    use frequently, refreshing the cache on a timer and whenever a
    connection to a cached address fails, so that a stale entry is
    corrected on the next attempt instead of persisting for the life
    of the JVM.
    
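The two remedies this APAR describes, setting the JVM-wide TTL (Local fix) and caching addresses inside the application (the last paragraph of Comments), in one added Java example. This is editor-supplied code, not IBM's or the JDK's: the Resolver interface, the TtlDnsCache class, the ldap.example hostname and the 10.0.0.x addresses are constructed for the demonstration, and it assumes Java 8 or later rather than the 1.4.1 JVM this APAR covers.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;
import java.util.Arrays;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;

/*
 * Added example (not from the APAR). Two ways to keep a JVM from pinning a
 * hostname to the first address it ever resolved:
 *   1. configureJvmTtl(): sets, from code, the same JVM-wide policy that
 *      -Dsun.net.inetaddr.ttl / networkaddress.cache.ttl control. It only
 *      takes effect if it runs before the first InetAddress lookup.
 *   2. TtlDnsCache: an application-level cache bounded by a TTL and
 *      invalidated explicitly when a connect fails, so a
 *      CommunicationException leads to a fresh lookup, not a retry against
 *      the stale address.
 * Assumes Java 8 or later. Resolver is a local abstraction so the cache can
 * be driven offline by a constructed resolver; pass InetAddress::getAllByName
 * in real code.
 */
public final class TtlDnsCache {

    public interface Resolver {
        InetAddress[] resolve(String host) throws UnknownHostException;
    }

    private static final class Entry {
        final InetAddress[] addrs;
        final long expiresAtNanos;
        Entry(InetAddress[] addrs, long expiresAtNanos) {
            this.addrs = addrs;
            this.expiresAtNanos = expiresAtNanos;
        }
    }

    private final Resolver resolver;
    private final long ttlNanos;
    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();

    public TtlDnsCache(Resolver resolver, long ttlSeconds) {
        this.resolver = resolver;
        this.ttlNanos = TimeUnit.SECONDS.toNanos(ttlSeconds);
    }

    /*
     * JVM-wide positive and negative lookup TTLs in seconds (0 = no caching,
     * -1 = forever), equivalent to editing java.security. The policy is read
     * once, so call this before anything touches InetAddress.
     */
    public static void configureJvmTtl(int positiveSeconds, int negativeSeconds) {
        Security.setProperty("networkaddress.cache.ttl", Integer.toString(positiveSeconds));
        Security.setProperty("networkaddress.cache.negative.ttl", Integer.toString(negativeSeconds));
    }

    /* Cached addresses for host, re-resolved once the entry's TTL has elapsed. */
    public InetAddress[] lookup(String host) throws UnknownHostException {
        Entry e = cache.get(host);
        if (e == null || System.nanoTime() - e.expiresAtNanos >= 0) {
            e = refresh(host);
        }
        return e.addrs.clone();
    }

    /* Unconditional fresh lookup; the cache entry is replaced whatever its age. */
    public InetAddress[] refresh(String host) throws UnknownHostException {
        InetAddress[] fresh = resolver.resolve(host);
        if (fresh == null || fresh.length == 0) {
            throw new UnknownHostException(host);
        }
        cache.put(host, new Entry(fresh.clone(), System.nanoTime() + ttlNanos));
        return fresh.clone();
    }

    /* Drop the entry, e.g. after a CommunicationException, so the next lookup hits DNS. */
    public void invalidate(String host) {
        cache.remove(host);
    }

    /* Constructed scenario: the resolver's answer changes, as it does when a host moves. */
    public static void main(String[] args) throws Exception {
        configureJvmTtl(60, 10); // bounded JVM cache instead of the 'forever' default

        final InetAddress[][] answers = {
            { InetAddress.getByAddress("ldap.example", new byte[] {10, 0, 0, 1}) },
            { InetAddress.getByAddress("ldap.example", new byte[] {10, 0, 0, 2}) },
        };
        final int[] calls = {0};
        Resolver moving = host -> answers[Math.min(calls[0]++, answers.length - 1)];

        TtlDnsCache dns = new TtlDnsCache(moving, 300);
        System.out.println("first lookup:  " + Arrays.toString(dns.lookup("ldap.example")));
        System.out.println("within TTL:    " + Arrays.toString(dns.lookup("ldap.example")));
        // The connect to 10.0.0.1 would now fail; invalidate and re-resolve instead of retrying it.
        dns.invalidate("ldap.example");
        System.out.println("after failure: " + Arrays.toString(dns.lookup("ldap.example")));
    }
}
```

Compile and run with `javac TtlDnsCache.java && java TtlDnsCache`. The second lookup returns the cached 10.0.0.1 because the 300-second TTL has not elapsed; after invalidate() the third lookup returns 10.0.0.2. In an LDAP client the invalidate() call belongs in the catch block for javax.naming.CommunicationException, followed by one retry, which is what turns a permanent failure into a single failed attempt. The configureJvmTtl() call has the same ordering constraint as the java.security file: the policy is read when the JVM first caches an address, so setting it after the first lookup has no effect.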

APAR Information

  • APAR number

    PK20100

  • Reported component name

    JAVA(1.X) Z/OS

  • Reported component ID

    5648C9801

  • Reported release

    140

  • Status

    CLOSED SUG

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2006-02-20

  • Closed date

    2006-10-02

  • Last modified date

    2006-10-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels




Document information


More support for:

z/OS family

Software version:

1.4.1

Reference #:

PK20100

Modified date:

2006-10-02
