How to resolve WebSphere web application login delay due to LTPA token expiration?


I am running a web application on WebSphere Application Server BASE 9.0.0.8. WebSphere security is configured with a standalone LDAP registry (OpenLDAP), which is also the registry for application users.

After the server is started, user login is normal and takes a few seconds. After a certain time of inactivity the application session times out and the user must log in again, but this time the login takes a few minutes. I didn't notice any records in the server logs that would explain such a login delay, so I enabled LTPAToken2 tracing with this string: *=info:com.ibm.ws.security.ltpa.LTPAToken2=all. After reproducing the login delay problem I checked the trace log, where I found a large number of these records:

[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2    3   Expiration returned from expire field in token: Thu Sep 27 14:35:00 CEST 2018
...

Approximately 1100 of these lines were recorded in the trace log during the login delay: initially almost 200 records per second, and later less frequently, with one record every few seconds. After about two minutes of delay the user is logged into the application, with these records in the trace log:

[9/27/18 14:09:46:132 CEST] 0000009c LdapRegistryI A   SECJ0419I: The user registry is currently connected to the LDAP server ldap://machineX:389.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    >  new LTPAToken2 from accessID Entry
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   userdata areau:user\:machineX\:389/uid=userX,ou=Users,dc=companyX,dc=xy
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Expiration returned from expire field in token: Thu Sep 27 16:10:00 CEST 2018
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Expiration set to: Thu Sep 27 16:10:00 CEST 2018
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    <  new LTPAToken2 from accessID Exit
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:147 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:147 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
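To confirm from a trace like the one above that a login is waiting on the user registry rather than on the token itself, the records can be grouped by thread id and the gap between the first "Returning existing encrypted bytes" record and the SECJ0419I reconnection message measured. The script below is an added example, not part of the original post: it parses WAS trace records of the format quoted above (the regex and the datetime format are assumptions based on those lines) over a constructed sample in which one thread stalls for over two minutes and another logs in normally, and flags any thread whose wait exceeds a threshold.

```python
import re
from datetime import datetime

# Constructed sample trace in the format quoted in the question (not real server output):
# thread 0000009c stalls for over two minutes before the registry reconnects,
# thread 000000a3 is a healthy login where LDAP answers within 150 ms.
SAMPLE_TRACE = """\
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2    3   Expiration returned from expire field in token: Thu Sep 27 14:35:00 CEST 2018
[9/27/18 14:07:28:537 CEST] 0000009c LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:08:51:010 CEST] 0000009c LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:09:46:132 CEST] 0000009c LdapRegistryI A   SECJ0419I: The user registry is currently connected to the LDAP server ldap://machineX:389.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    >  new LTPAToken2 from accessID Entry
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2    3   Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:12:03:200 CEST] 000000a3 LTPAToken2    3   Returning existing encrypted bytes from token object.
[9/27/18 14:12:03:350 CEST] 000000a3 LdapRegistryI A   SECJ0419I: The user registry is currently connected to the LDAP server ldap://machineX:389.
[9/27/18 14:12:03:361 CEST] 000000a3 LTPAToken2    >  new LTPAToken2 from accessID Entry
this line is not a trace record and is skipped
"""

# Record layout assumed from the question: [M/D/YY HH:MM:SS:mmm TZ] threadid component level message
TRACE_RE = re.compile(
    r"^\[(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3}) \S+\] "
    r"(?P<thread>[0-9a-f]{8}) (?P<component>\S+)\s+(?P<level>\S+)\s+(?P<msg>.*)$"
)
SPIN_MSG = "Returning existing encrypted bytes from token object."
REGISTRY_READY = "SECJ0419I"


def parse_line(line):
    """Split one WAS trace record into its fields; return None for non-record lines."""
    m = TRACE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The zone name is dropped before parsing: strptime cannot parse names like CEST.
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%y %H:%M:%S:%f")
    return rec


def analyse_trace(text, threshold_seconds=10.0):
    """Per thread: count spin records and measure first spin -> SECJ0419I in seconds."""
    threads = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t = threads.setdefault(
            rec["thread"], {"spin_records": 0, "first_spin": None, "registry_ready": None}
        )
        if rec["msg"] == SPIN_MSG:
            t["spin_records"] += 1
            if t["first_spin"] is None:
                t["first_spin"] = rec["ts"]
        elif rec["msg"].startswith(REGISTRY_READY) and t["registry_ready"] is None:
            t["registry_ready"] = rec["ts"]
    for t in threads.values():
        if t["first_spin"] is not None and t["registry_ready"] is not None:
            t["delay_seconds"] = (t["registry_ready"] - t["first_spin"]).total_seconds()
        else:
            t["delay_seconds"] = None  # thread never reached the registry, or never spun
        t["stalled"] = t["delay_seconds"] is not None and t["delay_seconds"] > threshold_seconds
    return threads


def stalled_threads(text, threshold_seconds=10.0):
    """Thread ids whose login waited longer than the threshold for the LDAP registry."""
    return sorted(k for k, v in analyse_trace(text, threshold_seconds).items() if v["stalled"])


if __name__ == "__main__":
    for thread, info in sorted(analyse_trace(SAMPLE_TRACE).items()):
        state = "STALLED" if info["stalled"] else "ok"
        print(thread, info["spin_records"], info["delay_seconds"], state)
```

Run it against a real trace.log by passing the file contents to stalled_threads. A thread that spins on the cached token and only then logs SECJ0419I points at the registry connection rather than the LTPA key or token expiry, which is what the question's trace shows for thread 0000009c.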



The WAS server and the LDAP servers are in different network subnets. After some time the existing connection to LDAP becomes 'dead'. The problem was resolved by disabling the WAS LDAP registry parameter 'Reuse connection'.
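The same change can be scripted rather than clicked through the admin console. The wsadmin Jython script below is an added example, not code from the answer: it assumes the -reuseConnection and -searchTimeout parameters of AdminTask.configureAdminLDAPUserRegistry as IBM documents them (confirm on your cell with AdminTask.help('configureAdminLDAPUserRegistry') first), and it keeps the server objects as function arguments so the parameter string can be checked outside wsadmin.

```python
# Added example (not from the original answer): switch off 'Reuse connection' on the
# WebSphere standalone LDAP registry with wsadmin instead of the admin console.
# Run on the profile that owns the security configuration:
#   wsadmin.sh -lang jython -f disable_ldap_reuse.py
# Assumption: -reuseConnection and -searchTimeout are parameters of
# AdminTask.configureAdminLDAPUserRegistry as documented by IBM; verify with
# AdminTask.help('configureAdminLDAPUserRegistry') on your cell before running.


def registry_args(reuse_connection, search_timeout=None):
    """Build the '[-param value ...]' string wsadmin expects for the task."""
    parts = ['-reuseConnection', 'true' if reuse_connection else 'false']
    if search_timeout is not None:
        # Optional: cap how long a single LDAP search may block (seconds).
        parts.extend(['-searchTimeout', str(search_timeout)])
    return '[' + ' '.join(parts) + ']'


def disable_reuse(admin_task, admin_config, search_timeout=None):
    """Apply reuseConnection=false and persist it to the master configuration."""
    args = registry_args(False, search_timeout)
    admin_task.configureAdminLDAPUserRegistry(args)
    admin_config.save()
    return args


# AdminTask and AdminConfig exist only inside wsadmin; outside it the module is
# importable (and testable) without touching any server.
try:
    AdminTask
except NameError:
    AdminTask = None
    AdminConfig = None

if AdminTask is not None:
    print(disable_reuse(AdminTask, AdminConfig))
```

As with any global security change, restart the server afterwards for it to take effect. The trade-off is that every registry call now opens a fresh connection and bind to LDAP instead of waiting on a socket that a device between the two subnets has silently dropped; if that per-login cost matters, the alternative is to fix the idle-connection teardown on the network path rather than in WAS.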