How to determine the client that is causing the SECJ0371W message?
SECJ0371W: Validation of the LTPAToken failed because the token expired with the following info: Token expiration Date: Thu Apr 19 10:42:00 EDT 2012, current Date: Thu Apr 19 10:45:30 EDT 2012.
Most SECJ0371W messages on Web inbound connections are harmless. The majority of these messages are logged as a result of expired LTPATokens that are cached in browsers.
The following procedures will show you how to identify a client which sent an expired LTPAToken by way of a Web Inbound connection.
- Identify host/port of a client
To identify a client which sent an expired LTPAToken, the security auditing function can be used.
Please refer to the instructions for security auditing:
To log the event, the event name "SECURITY_AUTHN" and the event outcome "DENIED" need to be chosen. In this sample, DefaultAuditSpecification_2, which enables the event "SECURITY_AUTHN" with the event outcome "DENIED", is used.
Here is the sample output in SystemOut.log file:
[4/19/12 10:45:30:244 EDT] 00000023 LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Thu Apr 19 10:42:00 EDT 2012, current Date: Thu Apr 19 10:45:30 EDT 2012.
Here is the sample output of default binary audit:
Seq = 0 | Event Type = SECURITY_AUTHN | Outcome = UNSUCCESSFUL | OutcomeReason = DENIED | OutcomeReasonCode = 15 | SessionId = -T-aUHgacB74vjF3asH6k25 | RemoteHost = testhost.ibm.com | RemoteAddr = 22.214.171.124 | RemotePort = 4303 | ProgName = /test.do | Action = webAuth | AppUserName = /UNAUTHENTICATED | ResourceName = GET | RegistryUserName = null | AccessDecision = denied | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Thu Apr 19 10:45:30 EDT 2012 | GlobalInstanceId = 0 | EventTrailId = null | FirstCaller = /UNAUTHENTICATED | Realm = yamato2.raleigh.ibm.com:389 | RegistryType = LDAP | AuthnType = challengeResponse | Provider = WebSphere | ProviderStatus = providerSuccess
Here, the corresponding entry in the audit log can be found by searching for the time of the SECJ0371W event (the audit CreationTime matches the log timestamp to the second). Once the audit entry is found, the client information is in the RemoteHost, RemoteAddr and RemotePort keys.
- Identify a user
To identify the user whose expired LTPAToken was sent, the following trace specification needs to be enabled.
This trace option logs the contents of the LTPAToken2 cookie; the following is a sample output:
[4/13/12 14:26:54:711 EDT] 00000016 LTPAToken2 3 token expired
port: 8883
u: user:testrealm:389/CN=testuser,CN=Users,dc=ibm,dc=com
security.authMechOID: oid:126.96.36.199.2.30.2
host: testhost.ibm.com
type: SOAP
java.naming.provider.url: corbaloc:iiop:testserver.ibm.com:2812/WsnAdminNameService
process.serverName: testCell:testNode1:server1
expire: 1334335800000
Expiration time: 12.04.13 12:50:00:000 EDT
[4/13/12 14:26:54:711 EDT] 00000016 LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Fri Apr 13 12:50:00 EDT 2012, current Date: Fri Apr 13 14:26:54 EDT 2012.
Here, the corresponding trace entry can be found by looking for the LTPAToken2 entry with the same thread ID as the SECJ0371W message and an expiration time equal to its token expiration date. For example, in the above trace entries, the thread ID is 00000016 and the expiration date is Apr 13 12:50:00 EDT 2012.
The value after the string "user:" is then the access ID (fully qualified user name). In the above example, the user ID is testrealm:389/CN=testuser,CN=Users,dc=ibm,dc=com
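Both procedures above are correlations that can be automated when SECJ0371W is frequent: procedure 1 pairs a warning with the denied SECURITY_AUTHN audit record created at the same time, procedure 2 pairs it with the LTPAToken2 "token expired" trace dump on the same thread with the same expiration time. The following Python script is an added example (not IBM's code and not part of this technote). Its sample input is constructed from the log excerpts on this page, abridged, plus one made-up successful login that the audit filter must ignore; it assumes the token attributes in the trace are written one per line after the "token expired" entry, treats all timestamps as naive local time because every excerpt is in the same zone, and uses a one-second matching window for the audit log because audit CreationTime has no milliseconds.

```python
# Added example, not from the technote: correlate SECJ0371W warnings with the
# audit records of procedure 1 and the LTPAToken2 trace dumps of procedure 2.
# Sample input is constructed from the page's excerpts; timestamps are parsed
# as naive local time because every excerpt is in the same zone.
import re
from datetime import datetime, timedelta

# Procedure 1 sample: the SystemOut.log line and the (abridged) audit record
# from the page, plus a made-up successful login the filter must ignore.
SYSTEMOUT_LINES = [
    "[4/19/12 10:45:30:244 EDT] 00000023 LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Thu Apr 19 10:42:00 EDT 2012, current Date: Thu Apr 19 10:45:30 EDT 2012.",
]
AUDIT_RECORDS = [
    "Seq = 0 | Event Type = SECURITY_AUTHN | Outcome = UNSUCCESSFUL | OutcomeReason = DENIED | OutcomeReasonCode = 15 | RemoteHost = testhost.ibm.com | RemoteAddr = 22.214.171.124 | RemotePort = 4303 | ProgName = /test.do | Action = webAuth | AppUserName = /UNAUTHENTICATED | AccessDecision = denied | ResourceType = web | CreationTime = Thu Apr 19 10:45:30 EDT 2012 | RegistryType = LDAP | AuthnType = challengeResponse",
    "Seq = 1 | Event Type = SECURITY_AUTHN | Outcome = SUCCESSFUL | OutcomeReason = SUCCESS | RemoteHost = other.example.com | RemoteAddr = 192.0.2.10 | RemotePort = 5000 | CreationTime = Thu Apr 19 10:45:30 EDT 2012",
]
# Procedure 2 sample: the trace excerpt, with the token attributes assumed to
# be written one per line after the "token expired" entry (abridged).
TRACE_LINES = """\
[4/13/12 14:26:54:711 EDT] 00000016 LTPAToken2 3 token expired
u: user:testrealm:389/CN=testuser,CN=Users,dc=ibm,dc=com
security.authMechOID: oid:126.96.36.199.2.30.2
host: testhost.ibm.com
expire: 1334335800000
Expiration time: 12.04.13 12:50:00:000 EDT
[4/13/12 14:26:54:711 EDT] 00000016 LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Fri Apr 13 12:50:00 EDT 2012, current Date: Fri Apr 13 14:26:54 EDT 2012.
""".splitlines()

# "[timestamp] threadId component level message", the WebSphere log entry layout
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<thread>[0-9A-Fa-f]{8}) (?P<comp>\S+) (?P<lvl>\S+) (?P<msg>.*)$")
SECJ_RE = re.compile(r"SECJ0371W: .*Token expiration Date: (?P<exp>.+?), current Date: (?P<cur>.+?)\.?$")
USER_RE = re.compile(r"^u:\s*user:(?P<access_id>.+?)\s*$")
EXP_RE = re.compile(r"^Expiration time:\s*(?P<exp>\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d):\d{3}")


def parse_log_ts(s):
    """'4/19/12 10:45:30:244 EDT' -> datetime (zone name dropped)."""
    date, clock, _zone = s.split()
    return datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S:%f")


def parse_date_string(s):
    """'Thu Apr 19 10:45:30 EDT 2012' -> datetime (zone name dropped)."""
    p = s.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")


def parse_secj_entries(lines):
    """Every SECJ0371W entry as {time, thread, expired, current}."""
    out = []
    for line in lines:
        m = ENTRY_RE.match(line)
        s = SECJ_RE.search(m.group("msg")) if m else None
        if s:
            out.append({"time": parse_log_ts(m.group("ts")), "thread": m.group("thread"),
                        "expired": parse_date_string(s.group("exp")),
                        "current": parse_date_string(s.group("cur"))})
    return out


def parse_audit_record(record):
    """'k = v | k = v ...' audit line -> dict."""
    pairs = (field.partition(" = ") for field in record.split(" | "))
    return {k.strip(): v.strip() for k, _, v in pairs}


def find_clients(systemout_lines, audit_records, window_seconds=1):
    """Procedure 1: match each warning to denied SECURITY_AUTHN audit events
    created within window_seconds of it (audit times have no milliseconds)."""
    window, hits = timedelta(seconds=window_seconds), []
    records = [parse_audit_record(r) for r in audit_records]
    for w in parse_secj_entries(systemout_lines):
        for rec in records:
            if rec.get("Event Type") != "SECURITY_AUTHN" or rec.get("OutcomeReason") != "DENIED":
                continue
            if abs(parse_date_string(rec["CreationTime"]) - w["time"].replace(microsecond=0)) <= window:
                hits.append((w["thread"], rec["RemoteHost"], rec["RemoteAddr"], rec["RemotePort"]))
    return hits


def parse_token_dumps(trace_lines):
    """Collect {thread, exp, user} from each LTPAToken2 'token expired' dump;
    its attribute lines run until the next timestamped entry."""
    dumps, cur = [], None
    for line in trace_lines:
        m = ENTRY_RE.match(line)
        if m:  # any timestamped entry closes the dump being collected
            if cur:
                dumps.append(cur)
            is_dump = m.group("comp") == "LTPAToken2" and "token expired" in m.group("msg")
            cur = {"thread": m.group("thread"), "exp": None, "user": None} if is_dump else None
            continue
        u, e = USER_RE.match(line), EXP_RE.match(line)
        if cur and u:
            cur["user"] = u.group("access_id")
        elif cur and e:
            cur["exp"] = datetime.strptime(e.group("exp"), "%y.%m.%d %H:%M:%S")
    if cur:
        dumps.append(cur)
    return dumps


def find_users(trace_lines):
    """Procedure 2: pair each warning with the dump on the same thread whose
    Expiration time equals the warning's Token expiration Date."""
    dumps = parse_token_dumps(trace_lines)
    return [(w["thread"], d["user"]) for w in parse_secj_entries(trace_lines)
            for d in dumps if d["thread"] == w["thread"] and d["exp"] == w["expired"] and d["user"]]
```

Calling find_clients(SYSTEMOUT_LINES, AUDIT_RECORDS) returns the thread ID with RemoteHost, RemoteAddr and RemotePort of the denied request, and find_users(TRACE_LINES) returns the thread ID with the access ID taken from the "user:" attribute. On a real server, read SystemOut.log, the text-converted audit log and trace.log into the three lists; widening window_seconds is only needed if the audit and log clocks are not the same clock.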