Two OC nodes are configured behind a load balancer. Accessing and logging in through each node's individual URL works without any issue.
However, when accessing via the load balancer URL, the login page appears, but after entering the username and password, it redirects to a blank page.
Critical API calls to /operatorconsole_portlet/api/user are returning 401 Unauthorized, preventing the application from loading the user context.
The following error is seen in wasp.log:
Mar 11 15:07:59:636 ERROR [https-jsse-nio-443-exec-16, com.firehunter.ump.utils.SecurityUtil] Token cannot be verified
java.lang.IllegalArgumentException: Json Web Token cannot be verified!
Mar 11 15:07:59:637 ERROR [https-jsse-nio-443-exec-18, com.firehunter.ump.auth.TokenManager] Failed to validate token
com.firehunter.ump.exceptions.JWTInvalidException: Token cannot be verified
This issue started after upgrading to UIM 23.4 CU5/CU6/CU7.
Root Cause: Ineffective persistence. If the load balancer uses SSLSESSION persistence, renegotiating the SSL session between the browser and OC generates new session IDs, so the load balancer can send subsequent requests to a different node. Since OC nodes do not share session memory by default, the second node receives a JWT/cookie it doesn't recognize, resulting in an HTTP 401.
SSLSESSION persistence is generally not recommended for modern web applications like the Operator Console.
In the load balancer configuration, switch the persistence type to COOKIEINSERT.
Broadcom documents this requirement in the multiple OC configuration Techdocs:
DX UIM 23.4 Configure Multiple Operator Console Servers>Configure Load Balancer
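
The root cause and the fix above can be reproduced with a small simulation. This is an added example, not Broadcom code: the OCNode and LoadBalancer classes, the node names oc1/oc2, the round-robin fallback and the per-node HMAC key (a stand-in for "nodes do not share session memory") are all assumptions made for illustration.

```python
import hashlib, hmac, itertools, secrets

class OCNode:
    """Toy stand-in for an OC node: it only accepts tokens it issued itself."""
    def __init__(self, name):
        self.name = name
        self._key = secrets.token_bytes(32)  # assumption: per-node state, not shared

    def _sign(self, user):
        return hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()

    def login(self, user):
        return f"{user}.{self._sign(user)}"

    def api_user(self, token):
        user, _, sig = token.partition(".")
        return 200 if hmac.compare_digest(sig, self._sign(user)) else 401

class LoadBalancer:
    def __init__(self, nodes, persistence):
        self.nodes, self.persistence = nodes, persistence
        self._rr = itertools.cycle(nodes)  # round robin for unpinned clients
        self._by_tls_id = {}               # SSLSESSION persistence table

    def route(self, tls_session_id, lb_cookie=None):
        """Pick a node for one request; returns (node, cookie the LB sets)."""
        if self.persistence == "COOKIEINSERT":
            pinned = next((n for n in self.nodes if n.name == lb_cookie), None)
            node = pinned or next(self._rr)
            return node, node.name
        if tls_session_id not in self._by_tls_id:  # unknown ID: treated as new client
            self._by_tls_id[tls_session_id] = next(self._rr)
        return self._by_tls_id[tls_session_id], None

def login_then_api(persistence, renegotiate):
    """Log in, optionally renegotiate TLS, then call the user API; return the status."""
    lb = LoadBalancer([OCNode("oc1"), OCNode("oc2")], persistence)
    tls_id = secrets.token_hex(16)
    node, cookie = lb.route(tls_id)
    token = node.login("operator")
    if renegotiate:
        tls_id = secrets.token_hex(16)  # renegotiation yields a new session ID
    node, cookie = lb.route(tls_id, cookie)
    return node.api_user(token)

if __name__ == "__main__":
    for mode in ("SSLSESSION", "COOKIEINSERT"):
        for reneg in (False, True):
            print(mode, "renegotiate" if reneg else "same session", login_then_api(mode, reneg))
```

Only the SSLSESSION run with renegotiation returns 401, matching the blank page after login; with COOKIEINSERT the pinning travels in the cookie and survives the new session ID.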