Tuesday, June 14, 2016

Expired CTS Token not cleaned up in OpenDJ

Just came back from a short holiday in Perth. It is winter there, so the weather was super good!

During the trip, good news came one after another. Today, the greatest good news arrived! The 2nd half of this year will be super busy! :)

Anyway, back to the topic ....

In a clean-up exercise which happened prior to my holiday, we realized expired CTS tokens were not being cleaned up in OpenDJ in one of our customers' deployments. OpenAM 11.0.2 was deployed.

From the graph above, it is very obvious that whenever OpenAM is restarted, expired CTS tokens are cleared up nicely by a Java class in OpenAM, the CTS Reaper. However, there is an issue with this class, and so expired CTS tokens subsequently keep building up.

I raised a support ticket with ForgeRock and received a prompt response:

I think the more likely culprit for this could be: OPENAM-3283 If so, upgrading to 11.0.3 will resolve this. .... You could diagnose this further by looking at the Session debug log, and also at the CTS Reaper behaviour in your OpenDJ access logs. If you're seeing OPENAM-3283, you would see the CTS Reaper searches (by default once per minute) stop occurring in the access logs. You may also see an exception in the Session log. With full message level debug logging you would be able to see that the CTS Reaper is no longer waking up.
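The access-log check the support engineer describes, as an added example that is not part of the original post or of any ForgeRock tooling: a small Python script that scans OpenDJ access-log lines for the reaper's periodic SEARCH and flags intervals where it went quiet. The access-log line shape, the base DN and the assumption that the reaper's search filter carries coreTokenExpirationDate are approximations, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed OpenDJ access-log shape (an approximation, not copied from a real deployment):
# [14/Jun/2016:10:00:00 +0800] SEARCH REQ conn=12 op=3 msgID=4 base="..." scope=sub filter="..." attrs="..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SEARCH REQ .*?filter="(?P<filter>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: the reaper's search filters on the token expiration attribute.
REAPER_FILTER_MARK = "coreTokenExpirationDate"


def reaper_search_times(lines):
    """Return timestamps of SEARCH requests that look like CTS reaper runs."""
    times = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and REAPER_FILTER_MARK in m.group("filter"):
            times.append(datetime.strptime(m.group("ts"), TS_FMT))
    return times


def reaper_gaps(lines, expected=timedelta(minutes=1), slack=timedelta(seconds=30)):
    """Return (previous, next) pairs where the interval between consecutive reaper
    searches exceeds the expected once-per-minute cadence plus some slack.
    An empty result means the reaper kept waking up throughout the log."""
    times = reaper_search_times(lines)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > expected + slack]


# Constructed sample: reaper runs at 10:00, 10:01 and 10:02, then nothing reaper-like
# for ten minutes (an unrelated token lookup continues), then one more run at 10:12.
SAMPLE_LOG = """\
[14/Jun/2016:10:00:00 +0800] SEARCH REQ conn=12 op=3 msgID=4 base="ou=tokens,dc=example,dc=com" scope=sub filter="(coreTokenExpirationDate<=20160614020000Z)" attrs="coreTokenId"
[14/Jun/2016:10:01:00 +0800] SEARCH REQ conn=12 op=4 msgID=5 base="ou=tokens,dc=example,dc=com" scope=sub filter="(coreTokenExpirationDate<=20160614020100Z)" attrs="coreTokenId"
[14/Jun/2016:10:02:00 +0800] SEARCH REQ conn=12 op=5 msgID=6 base="ou=tokens,dc=example,dc=com" scope=sub filter="(coreTokenExpirationDate<=20160614020200Z)" attrs="coreTokenId"
[14/Jun/2016:10:05:30 +0800] SEARCH REQ conn=19 op=1 msgID=2 base="ou=tokens,dc=example,dc=com" scope=sub filter="(coreTokenId=abc123)" attrs="*"
[14/Jun/2016:10:12:00 +0800] SEARCH REQ conn=12 op=6 msgID=7 base="ou=tokens,dc=example,dc=com" scope=sub filter="(coreTokenExpirationDate<=20160614021200Z)" attrs="coreTokenId"
""".splitlines()

if __name__ == "__main__":
    for prev, nxt in reaper_gaps(SAMPLE_LOG):
        print(f"reaper silent from {prev} to {nxt} ({nxt - prev})")
```

Run it against a real access log with `reaper_gaps(open(path).readlines())` after adjusting the regex and filter attribute to what your OpenDJ actually writes; a gap that never closes until the next OpenAM restart is the pattern the support response describes.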

Once I patched OpenAM to 11.0.3, the graph has been "stable" for the past few days, and it will be for the days to come. :)

PS: The support ticket was raised on 17th May. Response and resolution were given within 2 hours. The graph is from production, which I was not given the green light to patch until 11th June.

Personally, I have dealt with support teams from various product principals. Most will route you to a call center (some are even outsourced), and the original ticket will then be routed to backend Engineering. This takes forever to resolve an issue. And by the way, before they route you to Engineering, they'll read the product documentation first to determine if your configuration is supported at all. OMG!

ForgeRock Support never fails to meet my high expectations. These guys are awesomely technical. Thank you!
