Wednesday, January 04, 2006

Missing PDPrincipal with TAI+

We configured websphere trust association with Tivoli Access Manager. It works fine when we tested it with individual logins. But when we tried to load test the authentication and authorization using TAM and TAM's Authorization API , the PDPrincipal of the subject was lost in a significant number of cases. When we contacted IBM about this, they suggested that we apply PK00852 to websphere, which is available from websphere cumulative fix pack Although the fix does not directly address the problem at hand, we could load test TAM authentication and authorization with Azn API successfully. Probably TAI+ creates a custom cache key and modifies the subject with information that cannot be retrieved from the user registry alone. For more on custom JAAS subjects and cache keys in websphere, refer to this article in the WebSphere technical Journal. This is what IBM has to say about the APAR fix mentioned above.

IBM - PK00852: SSO tokens with custom cacheKey from TAI are not handled
correctly: "When using the security attribute propagation token framework or the
cacheKey property within a Hashtable login to affect the custom cache key of a
Subject, an SSO token containing this custom cache key will result in a cache
miss at a backup server. This will cause either a DynaCache hit (if configured)
or an MBean retrieval to get the Subject contents. In cases where the
originating server is down, the LTPA token will be used to login, but it's
unlikely the custom attributes will be preserved in that situation. To
accommodate the behavior of a new challenge whenever these custom attributes
cannot be retrieved, any SSO token containing the custom cache key that cannot
retrieve the originating attributes will, by default, result in a new
authentication challenge. However, there will be a property that can be used to
change to the old login using the token behavior."


  1. me if you still have this problem. I think I know you.

  2. I don't know who you are though! How would I contact?

  3. Abhi.....I am Rajeev...I saw ur blog a year ago and figured u r same Abhi..and put this comment..I was searching something today..and and saw ur picture this time..

    Great...I am proud of u..keep writing....

  4. Hi,
    We have missing PDPrincipal problem in WAS 6.0.
    Subject returns PDPrincipal initially and later at some point PDPrincipal is not found and throws PD exception.

    Assuming fixes in (PK00852) are handled in WAS 6.0.


  5. Do you have multiple servers involved here? If so, you have to enable subject attribute propagation here. Or is the PDPrincipal simply "lost" after a few calls?
    Also, check if your cache is being invalidated, check for any timeouts.

  6. Hi,
    We don't have multiple servers involved it is single server.
    We have Refference application which has web module and EJB module and other property files and url's mapped and deployed on WAS 6.0.
    Initially subject gets populated with PDPrincipal and gets lost after 10 mnts.
    we are looking into timeout on Webseal/TAM.


Popular Posts