Fixes are available
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
This apar provides an option to look up Authentication Cache wit
Local fix
n/a
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server who configured certificate authentication
PROBLEM DESCRIPTION: This APAR provides an option to perform Authentication Cache lookup with the username mapped from the certificate.
RECOMMENDATION:

By default, WebSphere does not perform an Authentication Cache lookup with the certificate object for certificate login. This is because a new certificate object is created for each login, so no cache hit is expected anyway. The initial certificate login triggers multiple user registry lookups in order to:

1. Validate the username that is parsed from the certificate
2. Confirm the user is unique in the registry
3. Look up the groups the user belongs to

For web login, an LTPA token is created and returned in the HTTP response to the browser. Subsequent requests get an authentication cache hit through the LTPA token lookup. In the case of EJB/ORB login, however, there is no mechanism to return an LTPA token, so subsequent certificate logins still require multiple user registry accesses each time.

This APAR introduces an option for WebSphere to perform the authentication cache lookup by parsing the certificate object, mapping it to a username, and then looking up the authentication cache with the mapped username. For EJB/ORB certificate login, when the same set of certificates is expected to be used for authentication, this option increases the chance of a cache hit and helps improve performance. For web certificate login, or for scenarios where new certificates are expected to come in most of the time, this option does not make much difference.
Problem conclusion
This APAR introduces an option to look up the Authentication Cache with the username mapped from the certificate. See "Problem details" section for further information. To enable this option, set the following security custom property to true.

Custom property: com.ibm.websphere.security.cert.authCache.lookup
Value: true (enables this APAR), false (default)

Note: When the option is enabled, any change in the user registry will not be reflected until the authentication cache entries time out.

The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.13 and 9.0.0.5. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
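The trade-off described above, as an added example that is not IBM or WebSphere code: a simplified Python model that counts registry calls for repeated EJB/ORB certificate logins with the lookup off and on, and shows the window in which a registry change is not yet reflected. The class names, the CN-to-username mapping, the group names and the 600-second cache timeout are constructed assumptions.

```python
class Registry:
    """Constructed stand-in for a user registry; counts every call made to it."""
    def __init__(self, groups):
        self.groups, self.calls = dict(groups), 0
    def validate_user(self, user):          # step 1: username parsed from the certificate
        self.calls += 1
        return user in self.groups
    def is_unique(self, user):              # step 2: uniqueness check
        self.calls += 1
        return True
    def groups_of(self, user):              # step 3: group membership lookup
        self.calls += 1
        return tuple(self.groups[user])

class CertLogin:
    """Model of certificate login; lookup_by_username mirrors the option set to true."""
    def __init__(self, registry, lookup_by_username, cache_timeout=600):
        self.registry, self.lookup = registry, lookup_by_username
        self.timeout, self.cache = cache_timeout, {}   # username -> (groups, expiry)
    def login(self, cert_subject_cn, now):
        user = cert_subject_cn              # assumed mapping: certificate CN -> username
        if self.lookup:
            hit = self.cache.get(user)
            if hit and hit[1] > now:
                return hit[0]               # cache hit: no registry access at all
        if not (self.registry.validate_user(user) and self.registry.is_unique(user)):
            raise PermissionError(user)
        groups = self.registry.groups_of(user)
        self.cache[user] = (groups, now + self.timeout)
        return groups

def registry_calls(lookup_by_username, logins=5):
    """Registry calls caused by the same client certificate logging in repeatedly."""
    reg = Registry({"ejbclient": ["operators"]})
    srv = CertLogin(reg, lookup_by_username)
    for t in range(logins):
        srv.login("ejbclient", now=t)
    return reg.calls

def stale_window_demo():
    """Groups seen before and after cache expiry when the registry changes in between."""
    reg = Registry({"ejbclient": ["operators", "admins"]})
    srv = CertLogin(reg, lookup_by_username=True, cache_timeout=600)
    srv.login("ejbclient", now=0)
    reg.groups["ejbclient"] = ["operators"]     # membership removed in the registry
    during = srv.login("ejbclient", now=300)    # served from cache, still has "admins"
    after = srv.login("ejbclient", now=601)     # entry timed out, registry re-read
    return during, after
```

When enabling the property, size the authentication cache timeout against how quickly a group removal or account change in the registry must take effect for certificate-authenticated clients.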
Temporary fix
Comments
APAR Information
APAR number
PI82342
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-05-31
Closed date
2017-07-14
Last modified date
2017-07-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
04 May 2022