WebSphere Application Server & Liberty

  • 1.  WebSphere LTPA token expiry issue

    Posted Tue December 24, 2024 11:42 AM

    Team,

    We are facing an LTPA token expiry issue in WAS 8.5.5 with one of our custom REST API CE connection modules. Here is the scenario.

    1. We have a custom REST API to serve FileNet P8 operations, where we use Subject callerSubject = WSSubject.getCallerSubject() to get the current user's subject and create a CE connection for every user request.
    2. We have a layer with the WAS OIDC RP client integrated with the OKTA system with the required interceptors. The OIDC RP client takes the OKTA token, validates it and converts it into an LTPA token; from that we get the caller subject, and using the caller subject we get the FileNet CE connection.
    3. This integration is working as expected, but sometimes we get some other user's expired LTPA token, and with that the REST API fails to get the CE connection because the user is not authenticated. It is an intermittent issue and we suspect some WAS cache issue.
    4. Please suggest if there is any workaround to fix this issue.


    ------------------------------
    Ravi Kiran Saladi
    ------------------------------


  • 2.  RE: WebSphere LTPA token expiry issue

    Posted Thu January 02, 2025 02:36 PM

    Hi Ravi,

    You can try disabling auto key generation for LTPA in WAS Admin Console. 

    WAS Admin Console --> Global Security --> LTPA --> Key Set Groups:

    Key Set Group name = CellLTPAKeySetGroup

    Automatically Generate Keys = false

    Best Regards,

    Rashmin



    ------------------------------
    Rashminkumar Panchal
    ------------------------------



  • 3.  RE: WebSphere LTPA token expiry issue

    Posted Fri January 03, 2025 09:27 AM

    Hi Rashmin,

    Thanks for your suggestion!

    We already have the same settings in WAS. Please suggest if anything required on top of it.



    ------------------------------
    Ravi Kiran Saladi
    ------------------------------



  • 4.  RE: WebSphere LTPA token expiry issue

    Posted Thu January 23, 2025 09:21 AM

    Hi Ravi Kiran Saladi,

    Are the REST API and FileNet deployed on the same WAS profile, or is each deployed on a different application server?



    ------------------------------
    Yahya Arab
    Technical Team Leader
    DataServe
    ------------------------------



  • 5.  RE: WebSphere LTPA token expiry issue

    Posted 22 days ago

    Hi Ravi,

    The issue you're describing sounds like it could be related to a caching problem in WAS, especially since the expired LTPA token appears to be tied to another user. Here are a few suggestions you could try to resolve or investigate the issue:

    1. LTPA Token Timeout Configuration:
      Check the token expiration time set in your WAS environment. Ensure the timeout value is aligned with the expected session duration and re-authentication flow. You can configure this under Security > Global Security > Authentication > LTPA.

    2. Cache Settings:
      Since this seems intermittent, it might be caused by cached tokens. Try clearing the WAS security cache to see if that resolves the issue temporarily. Additionally, review your cache configuration settings under WebSphere Application Server > Servers > Server Types > WebSphere application servers > Your Server > Container Services > Dynamic Cache Service.

    3. OIDC Token Handling:
      Double-check the integration with the OKTA system. Ensure the interceptor is not holding on to stale tokens. You might also want to verify that the token validation logic is working consistently.

    4. Concurrent Requests:
      If multiple user requests are being processed simultaneously, there's a chance that the same LTPA token is being used incorrectly for multiple users. Implementing thread safety in how the tokens are managed or isolating sessions per request could help.

    5. Debugging Logs:
      Enable detailed WAS security logs to identify the root cause. Specifically, look for logs related to token generation and validation to determine where the expired token is being picked up.



    ------------------------------
    keara will
    ------------------------------
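
One way the cross-user symptom from the first post (step 1: a CE connection per user request via WSSubject.getCallerSubject()) and point 4 of the reply above (concurrent requests sharing token state) can arise, as an added illustration rather than code from any poster: a subject or connection kept in a shared field outlives the request that created it, so a later request from a different user runs under the first user's (by then expired) LTPA-backed subject. The per-request version below re-reads the caller subject on every call and keeps it on the thread only for the duration of the CE work. It assumes the FileNet CE Java API (Factory, UserContext) and the WAS WSSubject class; CE_URI and OBJECT_STORE are placeholder values.

```java
import javax.security.auth.Subject;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.filenet.api.core.Connection;
import com.filenet.api.core.Domain;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.util.UserContext;

public class CeConnectionHelper {
    // Placeholder values (not from the thread); substitute your own endpoint and object store.
    private static final String CE_URI = "http://ce-host:9080/wsi/FNCEWS40MTOM/";
    private static final String OBJECT_STORE = "OS1";

    // Anti-pattern, shown only to name the failure mode: a JVM-wide cached subject.
    // Whoever called first is silently reused for every later request on any thread,
    // which is exactly how another user's expired LTPA-backed subject surfaces.
    // private static Subject cachedSubject;   // do not do this

    /** Unit of CE work that must run while the caller's subject is active. */
    @FunctionalInterface
    public interface CeWork<T> {
        T run(ObjectStore os) throws Exception;
    }

    /** Per-request pattern: resolve the caller now and scope the subject to this call only. */
    public static <T> T runAsCaller(CeWork<T> work) throws Exception {
        // The authenticated principal of *this* request, read fresh every time.
        Subject caller = WSSubject.getCallerSubject();
        if (caller == null) {
            // No LTPA-backed subject on this thread: fail closed rather than fall back to a shared one.
            throw new WSSecurityException("No authenticated caller subject on this thread");
        }
        Connection conn = Factory.Connection.getConnection(CE_URI); // lightweight handle, not a session
        UserContext uc = UserContext.get();                          // thread-local, so concurrent requests do not collide
        uc.pushSubject(caller);
        try {
            Domain domain = Factory.Domain.fetchInstance(conn, null, null);
            ObjectStore os = Factory.ObjectStore.fetchInstance(domain, OBJECT_STORE, null);
            return work.run(os);   // every CE call happens inside this push/pop window
        } finally {
            uc.popSubject();       // always unwind, even when the CE call throws
        }
    }
}
```

Because CE objects keep resolving security lazily, callers should do all of their CE work inside the CeWork body rather than return an ObjectStore and use it after popSubject() has run.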