|Applies To||RSA ClearTrust 5.5.3 Authorization Server (AServer)|
RSA ClearTrust Agent 4.5 for IBM WebSphere
TAI (Trust Association Interceptor)
IBM WebSphere 5.0.1
|Issue||Token Decryption errors occurring with TAI (Trust Association Interceptor) when using RSA ClearTrust Agent 4.5 for IBM WebSphere|
Error: "HTTP 404 access denied" occasionally appears in web browser
The following error occurs in the aserver.log file.
sequence_number=57,2006-04-20 17:01:48:441 EDT,messageID=6,client_ip_address=10.10.10.10,client_port=1234,result_code=0,result_action=User Token Failed,result_reason=Token error
The following error appears in IBM WebSphere system output log:
[4/20/06 17:01:48:438 EDT] 743a392c SystemOut O <RSA MESSAGE> : class com.ibm.wps.sso.RSATrustAssociationInterceptor : getClearTrustCookieValue() cookie= AAAAAgABAED9KIRsH2/sAG3Pm3RbObMjxS4zeK2ZGkoHgkLooizYeyI0qib9CDSIB+W6gogy1SKqKl4cReq06BSlsUVcDg/T
[4/20/06 17:01:48:537 EDT] 743a392c WebCollaborat A SECJ0056E: Authentication failed for reason Token decryption failed
|Cause||Token Decryption errors occur whenever a user presents an RSA ClearTrust session cookie (token) that is older than the lifetime outlined in the keyserver.conf parameter "cleartrust.keyserver.token_lifetime" (default 1 hour). These tokens cannot be decrypted because the keyserver has purged the encryption keys from its authorized list. It is normal for token decryption errors to show up in the ClearTrust Agent and AServer log files under normal operation. By definition, these clients have also exceeded the webagent.conf file parameter "cleartrust.agent.idle_timeout" (default 15 minutes) and are forced to re-authenticate.|
The TAI validates all session cookies (tokens) and will only allow valid sessions to SSO into IBM WebSphere. The TAI (Trust Association Interceptor) will capture all sessions where the tokens are undecryptable and throws a WebTrustAssociationFailedException TAI exception indicating that the user is not to be authenticated. The problem is that the TAI is unique in that it is not a complete Agent, and hence does not have the logic to redirect the user to the logon page in these instances. It is up to the developer to trap this error and handle it in an appropriate manner.
|Resolution||Depending on your deployment, there may be several ways to handle this exception. The validation of the ClearTrust cookie in the TAI (Trust Association Interceptor) is optional. In the 4.5 version of the TAI, this check can be disabled by modifying the cleartrust.agent.websphere.tai_validate_sessions setting in the configuration file. The RSA ClearTrust Agent 4.5 Installation and Configuration Guide has these notes about this parameter:|
When this property is set to True, TAI validates the session token set by the front-end web server Agent against the RSA ClearTrust Servers. The authenticated user name is also retrieved from the session token passed by the external web server.
Do not set this property to False unless you are sure that no one can directly access the protected resource in WebSphere, bypassing the external web server, or that the resource is protected in the external web server so that no one can access the resource through the external web server without authenticating.
You can also avoid this error by fronting the TAI with proxy server hosting a ClearTrust Agent. The ClearTrust agent will then process all ClearTrust session cookies prior to passing them to the TAI and this will ensure that they are valid. NOTE: You should configure the cleartrust.agent.idle_timeout with a value that is sufficiently higher than the token_lifetime to ensure that tokens cannot expire in transit between the agent and the TAI.
You can also modify your code that it interprets the WebTrustAssociationFailedException message from the TAI as a failed authentication. If you are already doing this in your code and the only concern is the messages in the log file, then no further action is required. As stated above, the token decryption errors are normal and can be ignored under normal circumstances.
|Legacy Article ID||a30361|