Fixes are available
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
The Job log for a servant region contains vast numbers of SECJ0371E and ASYN9999E messages issued for expired LTPA Tokens:

SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Mon Jan 12 19:51:00 GMT 2015, current Date: Mon Jan 12 20:22:25 GMT 2015 Token attributes: username=user:UREALM/uid=bill,ou=users,ou=zz,ou=apples,dc=o, dc=zyx,dc=com. This warning might indicate expected behavior. Please refer to technote at http://www-01.ibm.com/support/docview.wss?uid=swg21594981.

Trace: 2015/01/12 15:22:25.391 02 t=7B9E00 c=UNK key=P8 tag= (13007004)
  SourceId: com.ibm.ws.security.ltpa.LTPAServerObject
  ExtendedMessage: Exception occurred processing TokenFactory validateTokenBytes.; com.ibm.websphere.security.auth.TokenExpiredException: Token expiration Date: Mon Jan 12 19:51:00 GMT 2015, current Date: Mon Jan 12 20:22:25 GMT 2015 Token attributes: username=user:UREALM/uid=bill,ou=users,ou=zz,ou=apples,dc=o, dc=zyx,dc=com.
    at com.ibm.ws.security.ltpa.LTPAToken.isValid(LTPAToken.java:305)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:1233)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:1128)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:1096)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validate(LTPAServerObject.java:1503)
    at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:888)

ASYN9999E: Unexpected Exception Occurred: com.ibm.websphere.asynchbeans.SerialDeserialException: Exception while deserializing a saved service. Service=security. Unable to deserialize the Subjects in this Context, cause:Token expiration Date: Mon Jan 12 19:51:00 GMT 2015, current Date: Mon Jan 12 20:22:25 GMT 2015 Token attributes: username=user:UREALM/uid=bill,ou=users,ou=zz,ou=apples,dc=o, dc=zyx,dc=com.
    at com.ibm.ws.asynchbeans.J2EEContext.setSavedServicesFromBytes(J2EEContext.java:1942)
    at com.ibm.ws.asynchbeans.J2EEContext.readObject(J2EEContext.java:1535)
    at sun.reflect.GeneratedMethodAccessor110.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1028)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1878)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1782)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1334)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:353)
    at com.ibm.ws.asynchbeans.ExecutionContextImpl.readObject_PAE(ExecutionContextImpl.java:290)
    at com.ibm.ws.asynchbeans.ExecutionContextImpl.access$100(ExecutionContextImpl.java:52)
    at com.ibm.ws.asynchbeans.ExecutionContextImpl$PAEReadObject.run(ExecutionContextImpl.java:347)
    at com.ibm.ws.asynchbeans.ExecutionContextImpl$PAEReadObject.run(ExecutionContextImpl.java:338)
    at java.security.AccessController.doPrivileged(AccessController.java:280)
    ...

In every case, the expired LTPA Token belongs to a Work object created for an asynchronous EJB, such as a scheduler. The LTPA Token expiration timestamp never changes. This is unusual because the WebSphere runtime can and usually does replace expired LTPA Tokens with new ones that will expire 2 hours after the expired ones were detected.

This error only manifests if Security Attribute Propagation is disabled.
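To check whether a job log shows the symptom described above (the same token expiration timestamp rejected again and again, rather than an ordinary one-off expiry), the following added example groups the expiry details from SECJ0371W and ASYN9999E messages by user and expiration time. It is not IBM code; the function name, the threshold and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Expiry details as they appear in both SECJ0371W and ASYN9999E on this page.
DATE = r"\w{3} \w{3} \d{1,2} [\d:]{8} GMT \d{4}"
TOKEN_RE = re.compile(
    rf"Token expiration Date: (?P<exp>{DATE}), current Date: (?P<now>{DATE}) "
    r"Token attributes: username=(?P<user>\S+)"
)
FMT = "%a %b %d %H:%M:%S GMT %Y"

def stale_tokens(log_text, min_failures=2):
    """Tokens whose unchanged expiry was rejected at several distinct times."""
    flat = re.sub(r"\s+", " ", log_text)   # job logs wrap long messages
    seen = defaultdict(set)                # (user, expiry) -> distinct validation times
    for m in TOKEN_RE.finditer(flat):
        key = (m["user"].rstrip("."), datetime.strptime(m["exp"], FMT))
        seen[key].add(datetime.strptime(m["now"], FMT))
    findings = []
    for (user, expiry), times in seen.items():
        if len(times) >= min_failures:
            overdue = int((max(times) - expiry).total_seconds() // 60)
            findings.append({"user": user, "expiry": expiry,
                             "failures": len(times), "max_overdue_min": overdue})
    return sorted(findings, key=lambda f: f["failures"], reverse=True)

# Constructed sample input (not a real job log); realm, users and times are made up.
SAMPLE_LOG = """\
SECJ0371W: Validation of the LTPA token failed because the token expired with
 the following info: Token expiration Date: Mon Jan 12 19:51:00 GMT 2015,
 current Date: Mon Jan 12 20:22:25 GMT 2015 Token attributes:
 username=user:EXREALM/uid=sched1,ou=users,dc=example,dc=com.
ASYN9999E: Unexpected Exception Occurred: ... cause:Token expiration Date:
 Mon Jan 12 19:51:00 GMT 2015, current Date: Mon Jan 12 20:22:25 GMT 2015
 Token attributes: username=user:EXREALM/uid=sched1,ou=users,dc=example,dc=com.
SECJ0371W: ... Token expiration Date: Mon Jan 12 19:51:00 GMT 2015, current Date:
 Mon Jan 12 20:52:25 GMT 2015 Token attributes:
 username=user:EXREALM/uid=sched1,ou=users,dc=example,dc=com.
SECJ0371W: ... Token expiration Date: Mon Jan 12 19:51:00 GMT 2015, current Date:
 Mon Jan 12 21:22:25 GMT 2015 Token attributes:
 username=user:EXREALM/uid=sched1,ou=users,dc=example,dc=com.
SECJ0371W: ... Token expiration Date: Mon Jan 12 20:00:00 GMT 2015, current Date:
 Mon Jan 12 20:05:10 GMT 2015 Token attributes:
 username=user:EXREALM/uid=web1,ou=users,dc=example,dc=com.
"""

if __name__ == "__main__":
    print(stale_tokens(SAMPLE_LOG))
```

A token that appears once is ordinary expiry; one whose expiration stays fixed while the current date keeps advancing matches the behavior this APAR addresses.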
Once the APAR is installed, a custom property must be set manually to activate it, as follows:

1) Log in to the WebSphere Integrated Solution Console.
2) Navigate to Security > Global Security > Java Authentication and Authorization Service > System Logins > DESERIALIZE_ASYNCH_CONTEXT > com.ibm.ws.security.server.lm.ltpaLoginModule
3) Create a new custom property:
   Name: com.ibm.ws.security.context.renewToken
   Value: true
4) Save changes. Sync nodes.
5) Restart the server(s).
Local fix
This problem only occurs if Security Attribute Propagation (SAP) is disabled, which is not the default setting. Normally, SAP is ENABLED. It is entirely possible that re-enabling SAP will cause other problems which are more serious than a flood of messages. Proceed with caution.
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server V8.0 and higher.

PROBLEM DESCRIPTION: Deserializing of expired serialized security contexts using JAAS login configuration DESERIALIZE_ASYNCH_CONTEXT fails with ASYN9999E error message.

RECOMMENDATION:

When Security Attribute Propagation is disabled, serialized security contexts that have expired cannot be refreshed during login via JAAS configuration DESERIALIZE_ASYNCH_CONTEXT. These serialized security contexts are utilized by the WebSphere Application Server (WSAS) Scheduler / Asynchronous beans (asyncbeans) component. The asyncbeans function will fail with an ASYN9999E error message indicating the LTPA Token is expired.

Use IBM Knowledge Center to verify whether Security Attribute Propagation has been disabled: http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.iseries.doc/ae/tsec_enablesecattprop.html?cp=SSAW57_8.5.5%2F2-8-2-31-2-16&lang=en
Problem conclusion
WSAS security code has been changed to allow the refresh of expired LTPA Tokens when security custom property com.ibm.ws.security.context.renewToken=true is set as an option for the JAAS DESERIALIZE_ASYNCH_CONTEXT configuration LoginModule com.ibm.ws.security.server.lm.ltpaLoginModule.

This APAR requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/library

The following changes to the WebSphere Application Server Versions 8.0 and 8.5 Knowledge Centers will be made available in April, 2015.

(I) The topic, Propagating security attributes among application servers, is updated to include a description of a custom property, com.ibm.ws.security.context.renewToken, which when set to true will allow the Java Authentication and Authorization Service (JAAS) Configuration DESERIALIZE_ASYNCH_CONTEXT to refresh expired LTPA Tokens. Specifically, a NOTE will be added to step 9 of this topic, which reads:

NOTE: When Security Attribute Propagation is enabled, you allow the JAAS configuration DESERIALIZE_ASYNCH_CONTEXT to successfully refresh expired LTPA Tokens with the following procedure:

1) Log in to the WebSphere Integrated Solution Console.
2) Navigate to Security > Global Security > Java Authentication and Authorization Service > System Logins > DESERIALIZE_ASYNCH_CONTEXT > com.ibm.ws.security.server.lm.ltpaLoginModule
3) Create a new custom property:
   Name: com.ibm.ws.security.context.renewToken
   Value: true
4) Save changes and Synchronize the nodes.
5) Restart the server(s).

Setting the com.ibm.ws.security.context.renewToken property this way ensures that asynchronous beans succeed in deserializing expired security contexts when Security Attribute Propagation is disabled.

(II) The topic, Security enablement followed by errors, is updated. A new section entitled, Expired security context with message ASYN9999E, is added and reads as follows:

Use this information if you are experiencing an ASYN9999E error for an expired security context. This error condition results from asynchronous beans failing to deserialize an expired security context and issuing message ASYN9999E: Unexpected Exception Occurred: com.ibm.websphere.asynchbeans.SerialDeserialException: Exception while deserializing a saved service.

ASYN9999E: Unexpected Exception Occurred: com.ibm.websphere.asynchbeans.SerialDeserialException: Exception while deserializing a saved service. Service=security. Unable to deserialize the Subjects in this Context, cause: Token expiration Date: Thu Sep 1 16:51:00 GMT 2014, current Date: Thu Sep 11 17:51:48 GMT 2014 Token attributes: username=user:myRealm/uid=myuser,ou=users,dc=ibm,dc=com.

See the topic, Propagating security attributes among application servers, for information on how to set the com.ibm.ws.security.context.renewToken property to ensure deserializing of expired security contexts succeeds.

APAR PI33215 is currently targeted for inclusion in Fix Packs 8.0.0.11 and 8.5.5.6 of WebSphere Application Server. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

In addition, please refer to URL: http://www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack PTF information.
Temporary fix
Comments
APAR Information
APAR number: PI33215
Reported component name: WEBSPHERE FOR Z
Reported component ID: 5655I3500
Reported release: 800
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt / Xsystem
Submitted date: 2015-01-21
Closed date: 2015-04-01
Last modified date: 2015-04-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name: WEBSPHERE FOR Z
Fixed component ID: 5655I3500
Applicable component levels: R800 PSY UP
Document Information
Modified date: 28 April 2022