Open bwa opened 3 years ago
The custom cache key indicates that the client subject had custom information which WebSphere/Liberty cannot fully re-create. This is the default behavior for traditional WebSphere and Liberty. I understand your requirement; can you open an RFE so it can go through the process? Thank you.
Already done. It's 2 years old ....
The proposal is different though.
https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=119066
Have tried different channels, but it's very hard to get this fixed. It's a real blocker going from WAS ND to Liberty.
@utle Is it possible to get a hint about the progress on this issue?
@utle Still no progress on this?
It is known that an LtpaToken2 created on one Liberty server with a custom cache key will fail on another Liberty server, even if the ltpa.keys are shared.
The error message from the trace is:
com.ibm.ws.security.authentication.AuthenticationException: Custom cache key missed authentication cache. Need to re-challenge the user to login again.
Since the custom cache key is created by the 'customer', it might be possible to recreate the missing pieces on the second server, if the Principal is known.
In my trace I can see that the user is obtained:
[4/6/21 15:09:52:862 CEST] 0000034b id=00000000 com.ibm.ws.security.token.ltpa.internal.LTPATokenizer > convertArrayListToString Entry [user:defaultWIMFileBasedRealm/15105644105]
But it fails with the 'Custom cache key missed authentication cache' message.
If the subject was created without the custom data: normally the use of this custom data is created by the customer, so it actually needs to be retrieved on the second server.
In most cases the custom code on the second server could then use the user information to retrieve the missing data.
This could be achieved by a configurable option:
SSOContinueWithoutCustomCacheKeyData=true
or even better:
In my company the custom cache key is created by our custom TAI, so if the same custom TAI could be challenged when the custom cache key is missing, that component could be in charge of recreating the Subject based on the username.
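For readers unfamiliar with where a "custom cache key" comes from, the following is an added illustrative example, not the poster's TAI and not code from the Open Liberty project. It is a minimal custom TrustAssociationInterceptor that trusts an identity header set by an upstream gateway (the header name, the realm string, the tenant attribute and the group lookup are all assumptions) and attaches a custom cache key to the Subject through the hashtable-login attributes of the WebSphere/Liberty security SPI. The point it makes is the one in the thread: everything placed under the custom cache key lives only in the originating server's authentication cache, so a second server receiving the same LtpaToken2 cannot rebuild it and rejects the token with "Custom cache key missed authentication cache".

```java
// Added example: an illustrative custom TAI that sets a custom cache key.
// Not the poster's TAI. The header names, realm string and group lookup are
// assumptions made for this example only.
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Properties;

import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public class ExampleCacheKeyTAI implements TrustAssociationInterceptor {

    // Assumed headers populated by a front-end gateway that has already
    // authenticated the caller. A TAI like this must only be reachable
    // through that gateway, otherwise any client can forge the headers.
    private static final String USER_HEADER = "X-Example-User";
    private static final String TENANT_HEADER = "X-Example-Tenant";
    // Assumed realm; matches the "user:<realm>/<uid>" form seen in the trace.
    private static final String REALM = "defaultWIMFileBasedRealm";

    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(USER_HEADER) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String user = req.getHeader(USER_HEADER);
        String tenant = req.getHeader(TENANT_HEADER);
        if (user == null || user.isEmpty() || tenant == null || tenant.isEmpty()) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }

        Subject subject = new Subject();
        Hashtable<String, Object> props = new Hashtable<>();
        props.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:" + REALM + "/" + user);
        props.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, user);
        props.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, lookupGroups(user, tenant));

        // The custom cache key. Tenant-specific data derived here exists only in
        // this server's authentication cache; the LtpaToken2 that is issued
        // carries the key but not the data behind it, so another server cannot
        // rebuild this Subject and reports "Custom cache key missed
        // authentication cache".
        props.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "example-tai:" + user + ":" + tenant);

        subject.getPublicCredentials().add(props);
        return TAIResult.create(HttpServletResponse.SC_OK, user, subject);
    }

    // Assumed group lookup; a real TAI would query the tenant's directory.
    private ArrayList<String> lookupGroups(String user, String tenant) {
        ArrayList<String> groups = new ArrayList<>();
        groups.add("group:" + REALM + "/tenant-" + tenant + "-users");
        return groups;
    }

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        return 0; // 0 signals successful initialisation
    }

    @Override
    public String getVersion() {
        return "1.0";
    }

    @Override
    public String getType() {
        return getClass().getName();
    }

    @Override
    public void cleanup() {
    }
}
```

Two practical notes. First, the constant names (WSCREDENTIAL_CACHE_KEY, WSCREDENTIAL_UNIQUEID, WSCREDENTIAL_SECURITYNAME, WSCREDENTIAL_GROUPS) are the hashtable-login attributes of the WebSphere security SPI as this example understands them; check them against the SPI javadoc of the Liberty version in use. Second, the behaviour the thread describes follows directly from the last `props.put`: dropping the custom cache key line makes the Subject fully reconstructible from the LtpaToken2 on any server that shares ltpa.keys, which is why the poster's request is for a hook to rebuild that data on the second server rather than to re-challenge the user.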