IBM Support

PI33215: ASYN9999E MESSAGES MAY FILL LOGS IF SECURITY ATTRIBUTE PROPAGATION IS DISABLED

APAR status

  • Closed as program error.

Error description

  • The Job log for a servant region contains vast numbers of
    SECJ0371E and ASYN9999E messages issued for expired LTPA Tokens:
    SECJ0371W: Validation of the LTPA token failed because the
        token expired with the following info:
        Token expiration Date: Mon Jan 12 19:51:00 GMT 2015,
        current Date: Mon Jan 12 20:22:25 GMT 2015
        Token attributes:
        username=user:UREALM/uid=bill,ou=users,ou=zz,ou=apples,dc=o,
        dc=zyx,dc=com.
        This warning might indicate expected behavior. Please refer
        to technote at
        http://www-01.ibm.com/support/docview.wss?uid=swg21594981.
    Trace: 2015/01/12 15:22:25.391 02 t=7B9E00 c=UNK key=P8 tag=
    (13007004)
      SourceId: com.ibm.ws.security.ltpa.LTPAServerObject
      ExtendedMessage: Exception occurred processing TokenFactory
      validateTokenBytes.;
      com.ibm.websphere.security.auth.TokenExpiredException:
      Token expiration Date: Mon Jan 12 19:51:00 GMT 2015,
      current Date: Mon Jan 12 20:22:25 GMT 2015
      Token attributes:
      username=user:UREALM/uid=bill,ou=users,ou=zz,ou=apples,dc=o,
      dc=zyx,dc=com.
    at com.ibm.ws.security.ltpa.LTPAToken.isValid(
        LTPAToken.java:305)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(
        LTPAServerObject.java:1233)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(
        LTPAServerObject.java:1128)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(
        LTPAServerObject.java:1096)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validate(
        LTPAServerObject.java:1503)
    at com.ibm.ws.security.server.lm.ltpaLoginModule.login(
        ltpaLoginModule.java:888)
    ASYN9999E: Unexpected Exception Occurred:
        com.ibm.websphere.asynchbeans.SerialDeserialException:
        Exception while deserializing a saved service.
        Service=security.
        Unable to deserialize the Subjects in this Context,
        cause:Token expiration Date: Mon Jan 12 19:51:00 GMT 2015,
        current Date: Mon Jan 12 20:22:25 GMT 2015
        Token attributes:
        username=user:UREALM/uid=bill,ou=users,ou=zz,ou=apples,dc=o,
        dc=zyx,dc=com.
    at com.ibm.ws.asynchbeans.J2EEContext.setSavedServicesFromBytes(
        J2EEContext.java:1942)
    at com.ibm.ws.asynchbeans.J2EEContext.readObject(
        J2EEContext.java:1535)
    at sun.reflect.GeneratedMethodAccessor110.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at java.io.ObjectStreamClass.invokeReadObject(
        ObjectStreamClass.java:1028)
    at java.io.ObjectInputStream.readSerialData(
        ObjectInputStream.java:1878)
    at java.io.ObjectInputStream.readOrdinaryObject(
        ObjectInputStream.java:1782)
    at java.io.ObjectInputStream.readObject0(
        ObjectInputStream.java:1334)
    at java.io.ObjectInputStream.readObject(
        ObjectInputStream.java:353)
    at com.ibm.ws.asynchbeans.ExecutionContextImpl.readObject_PAE(
        ExecutionContextImpl.java:290)
    at com.ibm.ws.asynchbeans.ExecutionContextImpl.access$100(
        ExecutionContextImpl.java:52)
    at com.ibm.ws.asynchbeans.ExecutionContextImpl$PAEReadObject.
        run(ExecutionContextImpl.java:347)
    at com.ibm.ws.asynchbeans.ExecutionContextImpl$PAEReadObject.
        run(ExecutionContextImpl.java:338)
    at java.security.AccessController.doPrivileged(
        AccessController.java:280)
    ...
    In every case, the expired LTPA Token belongs to a Work object
    created for an asynchronous EJB, such as a scheduler. The LTPA
    Token expiration timestamp never changes. This is unusual
    because the WebSphere runtime can and usually does replace
    expired LTPA Tokens with new ones that will expire 2 hours after
    the expired ones were detected.  This error only manifests if
    Security Attribute Propagation is disabled.
    Once the APAR is installed, a custom property must be set
    manually to activate the fix, as follows:
    1)  Login to the WebSphere Integrated Solution Console
    2)  Navigate to Security > Global Security > Java
    Authentication and Authorization Service > System Logins >
    DESERIALIZE_ASYNCH_CONTEXT >
    com.ibm.ws.security.server.lm.ltpaLoginModule
    3)  Create a new custom property
    Name:  com.ibm.ws.security.context.renewToken
    Value:  true
    4)  Save changes.  Sync nodes.
    5)  Restart the server(s).
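
To confirm from a job log that a message flood matches the signature described above (the same expired LTPA token rejected repeatedly while its expiration timestamp never changes), the token detail can be grouped by user and expiry. This is an added example, not IBM code; `stuck_tokens`, `min_failures` and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Detail carried by both SECJ0371W and ASYN9999E once wrapped lines are joined.
DETAIL = re.compile(
    r"Token expiration Date:\s*(?P<exp>[^,]+),\s*"
    r"current Date:\s*(?P<now>.+?)\s*"
    r"Token attributes:\s*username=(?P<user>.+?)\.(?=\s|$)"
)
DATE_FMT = "%a %b %d %H:%M:%S GMT %Y"

def stuck_tokens(log_text, min_failures=2):
    """Tokens rejected at several distinct times with an unchanged expiry."""
    flat = re.sub(r"\s*\n\s*", " ", log_text)   # undo job-log line wrapping
    seen = defaultdict(set)                     # (user, expiry) -> failure times
    for m in DETAIL.finditer(flat):
        user = m["user"].replace(", ", ",")     # DN was wrapped after a comma
        exp = datetime.strptime(m["exp"].strip(), DATE_FMT)
        # A set collapses the copies one failure writes (warning, trace, ASYN9999E).
        seen[(user, exp)].add(datetime.strptime(m["now"].strip(), DATE_FMT))
    report = [
        {"user": u, "expired": e, "failures": len(t), "last_seen": max(t),
         "max_age_minutes": int((max(t) - e).total_seconds() // 60)}
        for (u, e), t in seen.items() if len(t) >= min_failures
    ]
    return sorted(report, key=lambda r: r["failures"], reverse=True)

# Constructed sample in the message layout shown above (not a real job log).
SAMPLE = """\
SECJ0371W: Validation of the LTPA token failed because the
    token expired with the following info:
    Token expiration Date: Mon Jan 12 19:51:00 GMT 2015,
    current Date: Mon Jan 12 20:22:25 GMT 2015
    Token attributes:
    username=user:UREALM/uid=bill,ou=users,ou=zz,ou=apples,dc=o,
    dc=zyx,dc=com.
ASYN9999E: Unexpected Exception Occurred: Service=security.
    cause:Token expiration Date: Mon Jan 12 19:51:00 GMT 2015,
    current Date: Mon Jan 12 20:27:25 GMT 2015
    Token attributes:
    username=user:UREALM/uid=bill,ou=users,ou=zz,ou=apples,dc=o,
    dc=zyx,dc=com.
SECJ0371W: Token expiration Date: Mon Jan 12 20:00:00 GMT 2015,
    current Date: Mon Jan 12 20:30:00 GMT 2015
    Token attributes: username=user:UREALM/uid=ann,ou=users,dc=zyx,dc=com.
"""

if __name__ == "__main__":
    print(*stuck_tokens(SAMPLE), sep="\n")
```

A token that appears once is not reported; only an identity whose expiry stays fixed across repeated failures is, and `max_age_minutes` shows how long the stale context has kept being retried.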
    

Local fix

  • This problem only occurs if Security Attribute Propagation
    (SAP) is disabled, which is not the default setting. Normally,
    SAP is ENABLED. It is entirely possible that re-enabling SAP
    will cause other problems which are more serious than a flood
    of messages. Proceed with caution.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V8.0 and higher.                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: Deserializing of expired serialized     *
    *                      security contexts using JAAS login      *
    *                      configuration                           *
    *                      DESERIALIZE_ASYNCH_CONTEXT fails with   *
    *                      ASYN9999E error message.                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When Security Attribute Propagation is disabled, serialized
    security contexts that have expired cannot be refreshed
    during login via JAAS configuration
    DESERIALIZE_ASYNCH_CONTEXT. These serialized security contexts
    are utilized by the WebSphere Application Server (WSAS)
    Scheduler / Asynchronous beans (asyncbeans) component. The
    asyncbeans function will fail with ASYN9999E error message
    indicating the LTPA Token is expired.
    Use IBM Knowledge Center to verify whether Security Attribute
    Propagation has been disabled:
    http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.iseries.doc/ae/tsec_enablesecattprop.html?cp=SSAW57_8.5.5%2F2-8-2-31-2-16&lang=en
    

Problem conclusion

  • WSAS security code has been changed to allow the refresh of
    expired LTPA Tokens when security custom property
    com.ibm.ws.security.context.renewToken=true is set as an
    option for the JAAS DESERIALIZE_ASYNCH_CONTEXT configuration
    LoginModule com.ibm.ws.security.server.lm.ltpaLoginModule.
    
    This APAR requires changes to documentation.
    
    NOTE: Periodically, we refresh the documentation on our Web
    site, so the changes might have been made before you read this
    text. To access the latest on-line documentation, go to the
    product library page at:
    
    http://www.ibm.com/software/webservers/appserv/library
    
    The following changes to the WebSphere Application Server
    Versions 8.0 and 8.5 Knowledge Centers will be made available
    in April, 2015.
    
    (I) The topic, Propagating security attributes among
    application servers, is updated to include a description of a
    custom property, com.ibm.ws.security.context.renewToken, which
    when set to true will allow the Java Authentication and
    Authorization Service (JAAS)
    Configuration DESERIALIZE_ASYNCH_CONTEXT to refresh expired
    LTPA Tokens.
    
    Specifically, a NOTE will be added to step 9 of this topic,
    which reads:
    NOTE: When Security Attribute Propagation is enabled, you
    allow the JAAS configuration DESERIALIZE_ASYNCH_CONTEXT to
    successfully refresh expired LTPA Tokens with the following
    procedure:
    
    1) Login to the WebSphere Integrated Solution Console
    
    2) Navigate to Security > Global Security > Java
    Authentication and
    Authorization Service > System Logins >
    DESERIALIZE_ASYNCH_CONTEXT >
    com.ibm.ws.security.server.lm.ltpaLoginModule
    
    3) Create a new custom property
    
    Name: com.ibm.ws.security.context.renewToken
    
    Value: true
    
    4) Save changes and Synchronize the nodes.
    
    5) Restart the server(s).
    
    Setting the com.ibm.ws.security.context.renewToken property
    this way ensures that asynchronous beans succeed in
    deserializing expired security contexts when Security
    Attribute Propagation is disabled.
    
    (II) The topic, Security enablement followed by errors, is
    updated.
    A new section entitled, Expired security context with message
    ASYN9999E, is added and reads as follows:
    Use this information if you are experiencing an ASYN9999E
    error for an expired security context.
    
    This error condition results from asynchronous beans failing
    to deserialize an expired security context and issuing message
    ASYN9999E: Unexpected Exception Occurred:
    com.ibm.websphere.asynchbeans.SerialDeserialException:
    Exception while deserializing a saved service.
    
    ASYN9999E: Unexpected Exception Occurred:
    com.ibm.websphere.asynchbeans.SerialDeserialException:
    Exception while deserializing a saved service.
    Service=security. Unable to deserialize the Subjects in this
    Context, cause: Token expiration Date: Thu Sep 1 16:51:00 GMT
    2014, current Date: Thu Sep 11 17:51:48 GMT 2014 Token
    attributes:
    username=user:myRealm/uid=myuser,ou=users,dc=ibm,dc=com.
    
    See topic "Propagating security attributes among application
    servers" for information on how to set the
    com.ibm.ws.security.context.renewToken property to ensure
    deserializing of expired security contexts succeeds.
    
    APAR PI33215 is currently targeted for inclusion in Fix Packs
    8.0.0.11 and 8.5.5.6 of WebSphere Application Server.
    
    Please refer to the Recommended Updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    In addition, please refer to URL:
    http://www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack PTF information.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI33215

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-01-21

  • Closed date

    2015-04-01

  • Last modified date

    2015-04-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R800 PSY

       UP


Document Information

Modified date:
28 April 2022