Fix (APAR): PI55697
Status: Fix
Release: 8.5.5.9,8.5.5.8,8.5.5.7,8.5.5.6,8.5.5.5,8.5.5.4,8.5.5.3
Operating System: AIX,HP-UX,IBM i,Inspur K-UX,Linux,Solaris,Windows,z/OS
Supersedes Fixes: PI25298 PI33449 PI37687 PI47460 PI52604 PI56331 PI59831
CMVC Defect: xxxxxx
Byte size of APAR: 20069451
Date: 2016-05-26

Abstract: openid connect relying party: no entry in cache for stateid

Description/symptom of problem:
PI55697 resolves the following problem:

ERROR DESCRIPTION:
OpenID Connect Relying Party: "No entry in cache for stateid" happens in a cluster environment.

LOCAL FIX:
None

PROBLEM SUMMARY
USERS AFFECTED: Administrators of IBM WebSphere Application Server and OpenID Connect
PROBLEM DESCRIPTION: CWTAI2007E OpenID Connect error may occur in a cluster environment
RECOMMENDATION: Install a fix pack that contains this APAR.

When a resource is protected by the OpenID Connect Relying Party TAI in a cluster environment, an error like the following may occur during login:

[1/4/16 14:05:21:107 CET] 00000057 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: TheOpenID Connect replying party (RP) encountered a failure during the login. The exception is [No entry in cache for stateid: [6r0sco232ft5cstviumgm6i8fe]. Check the logs for details that lead to this exception.

PROBLEM CONCLUSION:
When a request is made to a resource protected by the OpenID Connect Relying Party TAI, a login is initiated to the OpenID Connect Provider (OP). After login, the OP sends a response back to the TAI. Before login, the TAI saves state information about the login request in a cache, using the state ID (6r0sco232ft5cstviumgm6i8fe in the error above) as the key. When the response is received from the OP, the TAI retrieves the request information from the cache. In a cluster environment, when the OP responds, the individual cluster member that receives the response is indeterminate.
If the cluster member that receives the response is not the member that cached the login request, the CWTAI2007E error will occur. This issue can normally be resolved by using session affinity. However, if you are using some front-end application to load balance the cluster member resources, session affinity won't work.

The OpenID Connect TAI is updated in the following ways:
1) The dynacache put is set to PUSH.
2) The session data that is stored in the cache is added to the request sent to the OP so that any cluster member that receives the response from the OP has access to it. This means that if a server that receives the response cannot find the key in the cache, it can find the information it needs from the response.

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.13 and 8.5.5.10. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, OIDC

Directions to apply fix:

Fix applies to Editions:
Release 8.5
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
__ Liberty Core
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
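
The cache miss described under PROBLEM CONCLUSION and the second change to the TAI, modeled as an added example (not IBM's code and not part of the original readme): two hypothetical cluster members with separate caches, before and after the login data travels with the state value. The Member class, the state layout and the shared-key HMAC are assumptions of this example; the APAR does not say how the carried data is protected.

```python
import base64, hashlib, hmac, json, secrets

# Assumption: every member shares this key. The APAR does not say how the
# round-tripped data is protected; the HMAC is this example's choice.
CLUSTER_KEY = secrets.token_bytes(32)

def _tag(body):
    return hmac.new(CLUSTER_KEY, body.encode(), hashlib.sha256).hexdigest()

class Member:
    """Hypothetical cluster member with its own, unreplicated state cache."""

    def __init__(self, carry_state):
        self.carry_state = carry_state   # False = pre-fix, True = post-fix
        self.cache = {}

    def start_login(self, original_url):
        """Cache the login request; return the state value sent to the OP."""
        state_id = secrets.token_hex(13)
        data = {"id": state_id, "url": original_url}
        self.cache[state_id] = data
        if not self.carry_state:
            return state_id              # only the cache key leaves the member
        body = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
        return f"{state_id}.{body}.{_tag(body)}"

    def handle_response(self, state):
        """Recover the login request when the OP's response arrives."""
        state_id, _, rest = state.partition(".")
        if state_id in self.cache:
            return self.cache.pop(state_id)      # same member: single use
        if not (self.carry_state and rest):
            raise LookupError(f"No entry in cache for stateid: [{state_id}]")
        body, _, tag = rest.partition(".")
        if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
            raise ValueError("state failed integrity check")
        data = json.loads(base64.urlsafe_b64decode(body))
        if data["id"] != state_id:
            raise ValueError("state id does not match carried data")
        return data

if __name__ == "__main__":
    for carry in (False, True):
        a, b = Member(carry), Member(carry)      # A starts login, B gets response
        state = a.start_login("/app/protected")
        try:
            print(carry, b.handle_response(state)["url"])
        except LookupError as err:
            print(carry, err)
```

A member that never cached the request cannot tell a replayed state value from a fresh one, so a design like this also needs an expiry or nonce check on the carried data.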