WebSphere Application Server web application login delay due to LTPA token expiration

 
Greenhorn
Posts: 5
I am running a web application on WebSphere Application Server BASE 9.0.0.8.
WebSphere security is configured with a standalone LDAP registry (OpenLDAP), which is also the registry for application users.

After the server is started, user login is normal and takes a few seconds.
After a certain time of inactivity the application session times out and the user must log in again, but this time the login takes a few minutes.
I didn't notice any records in the server logs that would explain such a login delay, so I enabled LTPAToken2 tracing with this string: '*=info:com.ibm.ws.security.ltpa.LTPAToken2=all'.
After reproducing the login delay problem I checked the trace log, where I found a large number of these records:

[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2    3   Expiration returned from expire field in token: Thu Sep 27 14:35:00 CEST 2018

...
Approximately 1100 of these lines were recorded in the trace log during the login delay: initially almost 200 records in one second, and later less frequently, with one record every few seconds.
After about two minutes of delay the user is logged into the application, with these records in the trace log:

[9/27/18 14:09:46:132 CEST] 0000009c LdapRegistryI A   SECJ0419I: The user registry is currently connected to the LDAP server ldap://machineX:389.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    >  new LTPAToken2 from accessID Entry
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   userdata areau:user\:machineX\:389/uid=userX,ou=Users,dc=companyX,dc=xy
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Expiration returned from expire field in token: Thu Sep 27 16:10:00 CEST 2018
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Expiration set to: Thu Sep 27 16:10:00 CEST 2018
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    <  new LTPAToken2 from accessID Exit
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:147 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:147 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.



I would be very grateful for any help or suggestion.
 
Rancher
Posts: 3513
It's hard to tell...
LTPA problems could be caused by different times on the WAS server and the LDAP server.
Try to sync up the times on these 2 servers (however, it's not clear why the initial authentication passes).
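
To put numbers on a stall like the one in the question's trace, this added example (not part of either post) parses trace lines in the format shown above and reports, for one thread, the LTPAToken2 record count, the peak rate per second, the longest gap between records and the time until the SECJ0419I LDAP connection message. The function names are assumptions, and the sample mixes three lines from the posted trace with three constructed ones.

```python
import re
from collections import Counter
from datetime import datetime

# Trace line layout as seen in the post: [date time:ms TZ] thread component type message
LINE = re.compile(r"^\[(\d+/\d+/\d+ \d+:\d+:\d+):(\d{3}) \w+\] (\w{8}) (\S+)\s+\S\s+(.*)$")

# Sample input: lines 1, 2 and 6 come from the trace in the post, lines 3-5 are constructed.
SAMPLE = """\
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2    3   Expiration returned from expire field in token: Thu Sep 27 14:35:00 CEST 2018
[9/27/18 14:07:28:700 CEST] 0000009c LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:07:40:100 CEST] 0000009c LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:07:41:000 CEST] 000000a1 LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:09:46:132 CEST] 0000009c LdapRegistryI A   SECJ0419I: The user registry is currently connected to the LDAP server ldap://machineX:389.
""".splitlines()

def parse(line):
    """Return (timestamp, thread, component, message), or None for a non-trace line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    stamp, ms, thread, comp, msg = m.groups()
    ts = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S").replace(microsecond=int(ms) * 1000)
    return ts, thread, comp, msg

def login_stall(lines, thread):
    """Summarise one thread's LTPAToken2 records up to the LDAP connect message."""
    per_second, longest_gap = Counter(), 0.0
    first = prev = connected = None
    for ts, tid, comp, msg in filter(None, map(parse, lines)):
        if tid != thread:
            continue
        if "SECJ0419I" in msg:
            connected = ts
            break
        if comp != "LTPAToken2":
            continue
        first = first or ts
        per_second[ts.replace(microsecond=0)] += 1
        if prev is not None:
            longest_gap = max(longest_gap, (ts - prev).total_seconds())
        prev = ts
    return {
        "records": sum(per_second.values()),
        "peak_per_second": max(per_second.values(), default=0),
        "longest_gap_s": longest_gap,
        "stall_s": (connected - first).total_seconds() if first and connected else None,
    }
```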
 