PK32564: NO LTPA TOKEN IN ASYNCBEANS

Fixes are available

APAR status

Closed as program error.

Error description

WebSphere Portal supports a concept called Parallel Portlet
Rendering. This concept allows to flag individual portlets on
a portal page to be rendered in parallel. If this is activated
for an individual portlet, the portal page aggregation process
will start an asynchronous work item for the corresponding
RequestDispatcher call that includes the markup provided by
that portlet. This asynchronous work item is implemented as
an asynch bean. in WAS 6.0.?

In WAS 6.0.2.x releases, the actual LTPA token data is no longer
available from WSCredential.getCredentialToken() call when
called from within an asynch bean. Thus, those portlets that
need to do LTPA token forwarding, e.g. the Lotus Notes Portlet
that does LTPA token based SSO with the Domino mail server, are
now broken with this change since they have no means of
accessing the LTPA token data anymore.

Possible errors seen for this problem:
SECJ5010E: Could not create default AuthenticationToken during
 propagation login.  The following exception occurred:
 com.ibm.websphere.security.auth.WSLoginFailedException:
 Validation of LTPA token failed due to invalid keys or token
 type.
  -
NMSV0610I: A NamingException is being thrown from a
 javax.naming.Context implementation. Details follow:
 Context implementation: com.ibm.ws.naming.jndicos.CNContextImpl
 Context method: lookupExt
 Context name: Cellname/nodes/nodename/servers/ServerB
 Target name: ejb/com/xxxx/B/framework/communication/sequence/
               SequenceNumberHome
 Other data: ""
 Exception stack trace: javax.naming.NoPermissionException:
  NO_PERMISSION
  exception caught &#65517;Root exception is
   org.omg.CORBA.NO_PERMISSION:
  >> SERVER (id=aaaaaaaa, host=hostname) TRACE START:
  >>    org.omg.CORBA.NO_PERMISSION: Subject is null.
  Authentication Failed.  vmcid: 0x49424000  minor code: 300
   completed: No
 -
This solution is only for situations where ServerA makes EJB
calls from AsyncBeans to ServerB. It is not for JAAS login
problems.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED: WebSphere Application Server version 6       *
*                 users who are using AsyncBeans.              *
*                                                              *
*                                                              *
****************************************************************
* PROBLEM DESCRIPTION: WSCredential.getCredentialToken()       *
*                      method doesn't return actual the        *
*                      LTPAToken.                              *
*                                                              *
*                                                              *
****************************************************************
* RECOMMENDATION:                                              *
*                                                              *
*                                                              *
*                                                              *
*                                                              *
****************************************************************
In WebSphere Application Server version 6 releases, the actual
LTPA token data is no longer available from a
WSCredential.getCredentialToken() call when called from
within an AsyncBean. This function used to work on WebSphere
Application Server Version 5.1.x.
Since some of Portlets in WebSphere Portal Server use this
function, these portlets no longer work.

The same issue might occur with any application that has an
asynchronous bean and invokes the
WSCredential.getCredentialTokenmethod to get a forwardable
credential for an EJB invocation.

Problem conclusion

With this fix, the LTPAToken is forwarded to AsyncBeans.

To enable this function, the following custom property need to
specify in security.xml:
  com.ibm.ws.security.createTokenSubjectForAsynchLogin=true

Please follow the steps below to specify the property:
1) In Admin Console, click Security, then click Global Security.
2) Under Additional Properties, click Custom properties.
3) Click New.
4) In the Name field, type
com.ibm.ws.security.createTokenSubjectForAsynchLogin
5) In the Value field, type true
6) Click Apply and Save.
7) Restart WebSphere Application Server

The fix for this APAR is currently targeted for inclusion in
fixpack 6.0.2.19 and 6.1.0.9. Please refer to the
Recommended Updates page for delivery information:

Temporary fix

Comments

APAR Information

APAR number
PK32564
Reported component name
WEBSPH APP SERV
Reported component ID
5724J0800
Reported release
60A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2006-10-06
Closed date
2006-11-02
Last modified date
2010-11-29

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Modules/Macros

```
SECURITY
```

Fix information

Fixed component name
WEBSPH APP SERV
Fixed component ID
5724J0800

Applicable component levels

R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021

Tips

PK32564: NO LTPA TOKEN IN ASYNCBEANS

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R60A PSY

R60H PSY

R60I PSY

R60P PSY

R60S PSY

R60W PSY

R60Z PSY

R61A PSY

R61H PSY

R61I PSY

R61P PSY

R61S PSY

R61W PSY

R61Z PSY

Document Information

Share your feedback

Need support?