IBM Support

PI29397: AN UNRELATED LTPATOKEN COOKIE MIGHT BE REMOVED UPON LOGOUT

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Even though the interoperability mode is disabled in the
    configuration of single sign-on, LTPAToken cookie (LTPA V1
    cookie) is always deleted when LTPAToken cookies are deleted.
    
    If LTPAToken cookie is used on other system such as Domino
    server, single sign-on fails after the removal of LTPAToken
    cookie on WebSphere Application Server. Following is the
    scenario how this problem happens;
    
    1. Login to Domino server and LTPAToken cookie is created for
    the request
    
    2. The same user login to WebSphere Application Server with
    LTPAToken. LTPAToken 2 is created for the request becuse
    interoperability mode is disabled.
    
    3. When SPNEGO token expires, all LTPAToken cookies are deleted
    and both LTPAToken and LTPAToken2 is deleted
    
    4. Single sign-on fails when the same user access to Domino
    server again because LTPAToken is removed from cookie
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: The unrelated LTPAToken cookie might    *
    *                      be removed upon logout.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The security code always removes LTPAToken cookie upon
    logout even it is not used by WebSphere Application Server.
    As a result, it might interfere with the transaction by
    another server which relies on this LTPAToken cookie.
    

Problem conclusion

  • With this fix, the unrelated LTPAToken cookie is no longer
    removed upon logout. In order to enable this new behavior, the
    following security custom property needs to be set:
    
    Name: com.ibm.websphere.security.disableRemovingUnusedLTPACookie
    Value: true
    
    The security custom properties screen on the admin console
    can be reached by navigating to
    
    Security -> Global security -> Custom properties Click New...
    button.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.0.0.11, and 8.5.5.6.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI29397

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-11-11

  • Closed date

    2015-01-05

  • Last modified date

    2015-07-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022