IBM Support

PH19907: OIDC RP: LOGIN FAILS WHEN CREATESESSION=TRUE AND HTTP SESSIONS EXHAUSTED

APAR status

  • Closed as program error.

Error description

  • When the provider_<id>.createSession OIDC TAI property is set
    to true, the login will fail when HTTP sessions are
    exhausted.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP may reject a login          *
    *                      request if the HTTP sessions are        *
    *                      exhausted.                              *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR                          *
    ****************************************************************
    When the provider_<id>.createSession OpenID Connect (OIDC)
    Relying Party (RP) Trust Association Interceptor (TAI) property
    is set to true, the TAI will attempt to create an HTTP session
    before making the initial authentication request to the OpenID
    provider.
    If the OIDC TAI encounters an error when creating the HTTP
    session, the login request will fail and the user will be
    unable to access the protected resource.
    

Problem conclusion

  • An administrator sets the provider_<id>.createSession OIDC
    TAI property to true when running in a cluster environment and
    they need the JSESSIONID cookie to maintain session affinity.
    The session affinity may be required in order for the TAI to
    be able to have access to data that was stored before the
    authentication was sent out to the OP.
    
    Since the initial release of the OIDC TAI feature, redundant
    methods for accessing this transient data have been put in
    place.  The OIDC TAI is updated so that if an HTTP session
    cannot be created, the login request is allowed to continue if
    either of the following conditions is true:
    
    * useStateCookies=true
    * DynaCache enabled on the server
    
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.18 and 9.0.5.3. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
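
The decision described above can be checked against a list of OIDC RP TAI custom properties. The following is an added example, not IBM code: it assumes the properties have been exported as name=value text, that useStateCookies is set per provider as provider_<id>.useStateCookies, and that the DynaCache state and fix level are supplied by the operator; the function names are hypothetical.

```python
import re

# Matches TAI custom properties written as provider_<id>.<name>=<value>.
_PROP = re.compile(r"^provider_(\w+)\.(\w+)\s*=\s*(.*)$")

def parse_tai_properties(text):
    """Group provider_<id>.<name>=<value> lines by provider id."""
    providers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PROP.match(line)
        if m:
            pid, name, value = m.groups()
            providers.setdefault(pid, {})[name] = value.strip().lower()
    return providers

def audit(text, dynacache_enabled, fix_installed):
    """Return {provider id: verdict} for a login when no HTTP session can be created."""
    result = {}
    for pid, props in sorted(parse_tai_properties(text).items()):
        if props.get("createSession") != "true":
            result[pid] = "not affected: createSession is not true"
        elif not fix_installed:
            result[pid] = "login fails: level predates the PH19907 fix"
        elif props.get("useStateCookies") == "true" or dynacache_enabled:
            result[pid] = "login continues: fallback available"
        else:
            result[pid] = "login fails: no fallback"
    return result

# Constructed sample properties, not taken from a real cell.
SAMPLE = """\
# OIDC RP TAI custom properties (constructed)
provider_1.identifier=portal
provider_1.createSession=true
provider_1.useStateCookies=true
provider_2.identifier=reports
provider_2.createSession=true
provider_3.identifier=api
"""

if __name__ == "__main__":
    verdicts = audit(SAMPLE, dynacache_enabled=False, fix_installed=True)
    for pid, verdict in verdicts.items():
        print("provider_%s: %s" % (pid, verdict))
```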
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH19907

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-12-04

  • Closed date

    2020-01-21

  • Last modified date

    2020-01-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels



Document information

More support for: WebSphere Application Server
General

Software version: 900

Reference #: PH19907

Modified date: 21 January 2020