IBM WebSphere / Connections – Performance, Security and the SESN0008E Error


Just found a new issue today that has been vexing me for quite some time. I only found it because of the error [SESN0008E] and the fact that I had to add a whole new WebSphere Node to an existing environment, so that these errors finally happened with a frequency that I noticed:

logServletError SRVE0293E: [Servlet Error]-[atom-basic]: com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:defaultWIMFileBasedRealm/CN=Joe Shmoe,OU=MYOU,dc=corp,dc=company,dc=com

We ran function testing on the new Node and performance was horrendous … I mean really horrendous. Performance has been bad overall before that, but at least things worked. I investigated a few tech notes; there was some mention of the LTPA timeout being too short in combination with several other settings. This is an upgrade, same settings as other systems, should not be an issue … so I looked at other sites/pages here, here and here.

All of the tech notes mentioned [Security Integration] being at the heart of it. I checked all servers and noticed that none of the servers that the Connections installer created had this setting set, while all servers that I created manually had it. I looked into this a bit more and found out that the [Session Management] – [Security integration] is now a default setting for WebSphere, and if you create a server manually it is automatically set. I ran a few third party products in separate servers that were all manually created … they probably brought the overall performance down.

So, I went through all servers that I had created, unset the settings (pic below) and then synced and restarted everything and …. voila, speed restored.

sessionManagement
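
To see how often SESN0008E occurs and for which session owners, the log can be summarized per owner. The following Python sketch is an added example, not part of the original post or of any IBM tooling. It assumes the message layout of the log line quoted above, its sample lines are constructed, and it separates requests made as anonymous from requests where one named user presented a session owned by another.

```python
import re
from collections import Counter

# Layout taken from the log line quoted in the post:
# "SESN0008E: A user authenticated as <requester> has attempted to access
#  a session owned by <owner>". The owner is realm/DN and contains commas.
SESN0008E = re.compile(
    r"SESN0008E: A user authenticated as (?P<requester>.+?) "
    r"has attempted to access a session owned by (?P<owner>.+)$"
)

def _identity(raw):
    """Strip whitespace and the leading 'user:' marker seen in the post's log line."""
    raw = raw.strip()
    return raw[len("user:"):] if raw.startswith("user:") else raw

def parse_sesn0008e(line):
    """Return (requester, owner) for a SESN0008E line, or None for other lines."""
    m = SESN0008E.search(line.rstrip())
    if m is None:
        return None
    return _identity(m.group("requester")), _identity(m.group("owner"))

def summarize(lines):
    """Count anonymous hits per session owner; list named-user mismatches."""
    anonymous = Counter()
    cross_user = []
    for line in lines:
        parsed = parse_sesn0008e(line)
        if parsed is None:
            continue
        requester, owner = parsed
        if requester.lower() == "anonymous":
            anonymous[owner] += 1
        elif requester != owner:
            cross_user.append((requester, owner))
    return anonymous, cross_user

# Constructed sample lines modelled on the line quoted in the post.
REALM = "defaultWIMFileBasedRealm/CN="
SUFFIX = ",OU=MYOU,dc=corp,dc=company,dc=com"
PREFIX = "SESN0008E: A user authenticated as "
MIDDLE = " has attempted to access a session owned by user:"
SAMPLE_LOG = [
    PREFIX + "anonymous" + MIDDLE + REALM + "Joe Shmoe" + SUFFIX,
    "SRVE0242I: [atom-basic]: Initialization successful.",
    PREFIX + "anonymous" + MIDDLE + REALM + "Joe Shmoe" + SUFFIX + "\n",
    PREFIX + "user:" + REALM + "User B" + SUFFIX + MIDDLE + REALM + "User A" + SUFFIX,
]

if __name__ == "__main__":
    anon, cross = summarize(SAMPLE_LOG)
    print("anonymous requests per session owner:", dict(anon))
    print("named user -> other user's session:", cross)
```
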


6 thoughts on “IBM WebSphere / Connections – Performance, Security and the SESN0008E Error”

  1. You haven’t posted the picture. I had what is probably a similar issue and I’d be interested in seeing what you have disabled to see whether it was similar to the problem I faced previously.


  2. I had a similar issue with Sametime Proxy integration into Connections. During testing the customer would log out of the browser as User A and then log in as User B. What was happening in my case was that at log out the LTPAToken was being deleted (good) but because User B was logging in quickly there wasn’t enough time to invalidate the JSESSIONID (bad) so it was being reused. Connections was able to handle this but Sametime could not which caused the same exceptions in the STProxy SystemOut.log.

    I found that unticking “security integration” worked but I questioned it further and asked IBM because there were some docs I read that suggested this was a bad thing to do. IBM said that “security integration” ties the user to the HTTP session so that User A owns a particular JSESSIONID. This stops User B then using the same JSESSIONID but this creates a problem seen with STProxy.

    What worked for me and I needed IBM to come up with the second value is the following.

    servers -> server types -> ******* -> session management -> custom properties:
    InvalidateOnUnauthorizedSessionRequestException: true
    UseInvalidatedId: false

    I enabled “security integration” and then set the two custom properties and the SESN0008E exceptions stopped whilst keeping “security integration” enabled.


    • Thanks for the details. However, for security integration to work correctly, it requires that the application is coded appropriately to take advantage of it. Also, if this is a necessary setting I wonder why it is not set by the IBM installer nor mentioned anywhere in the documentation …. I will also look into this some more – it is a security overhead that I would rather do without if possible.


      • Good point. I had missed the point that it is not enabled by default. I shouldn’t have assumed that if it’s enabled for Sametime that it should be enabled for Connections.

