WebSphere Application Server & Liberty

WebSphere Application Server & Liberty

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  How to avoid error messages in liberty profile

    Posted 2 days ago

    Hi, we've an IBM ODM installation with 4 nodes running on liberty 24. The 4 nodes serve HTTP REST requests with massive throughput. They're balanced by an Apache server with ROUND ROBIN. 

    The 4 nodes are continuously displaying the following message:

    com.ibm.ws.security.token.internal.TokenManagerImpl          I CWWKS4001E: The security token cannot be validated. This can be for the following reasons
1. The security token was generated on another server using different keys.
2. The token configuration or the security keys of the token service which created the token has been changed.
3. The token service which created the token is no longer available.

    Apparently, the actual reason is because the client application (or the Apache load balancer) are sending the LPTA token stored in a cookie from a previous call, then Apache is redirecting to the next ODM backend node following ROUND-ROBIN and the message is displayed because, in fact the token was generated on another back-end server.

    This message is written after each and every call in production and causing unnecessary and annoying log file rotation.

    We have tried setting a traceSpecification like this: "*=error:com.ibm.ws.security.token.internal.*=off" but it does not work, wen cannot avoid the massive messages.

    Can you explain how this cookie mechanism works? 

    Is there some configuration in the client or in the server to avoid this situation? 

    Thanks and regards.



    ------------------------------
    Eduardo Izquierdo Lázaro
    Automation Architect
    DECIDE
    Madrid
    609893677
    ------------------------------


  • 2.  RE: How to avoid error messages in liberty profile

    Posted yesterday

    As a workaround until you have resolved the main issue, you could hide the message from being logged by using the "hideMessage" parameter. 
    https://www.ibm.com/docs/en/was-liberty/base?topic=configuration-logging



    ------------------------------
    [Lars] [Besselmann]
    Application Modernization Specialist, IBM Technology Sales, EMEA
    IBM
    Düsseldorf
    [Lars.Besselmann@de.ibm.com]
    ------------------------------

    Original Message


  • 3.  RE: How to avoid error messages in liberty profile

    Posted yesterday

    Hello Eduardo,

    to resolve the main issue you sholud think about sticky session, that the user remains at one backend as long as his session is valid or you should supply the same LTP-Token to each of your ODM backends. Then the LTPA-token will be regarded as valid from each of your backends.

    Best regards

    André



    ------------------------------
    Andre Jahn
    WebAdministrator
    Deutsche Bundesbank
    Duesseldorf
    1-555-555-5555
    ------------------------------

    Original Message


  • 4.  RE: How to avoid error messages in liberty profile

    Posted 23 hours ago

    As mentioned by Andre - if you did not use the same LTPA key for the different Liberty instances, you should set this up. You can find details here: 

    https://www.ibm.com/docs/en/was-liberty/base?topic=auil-customizing-sso-configuration-using-ltpa-cookies-in-liberty

    Lars



    ------------------------------
    [Lars] [Besselmann]
    Application Modernization Specialist, IBM Technology Sales, EMEA
    IBM
    Düsseldorf
    [Lars.Besselmann@de.ibm.com]
    ------------------------------

    Original Message


Related Content