+

Search Tips   |   Advanced Search

Configure LTPA on the Liberty profile

We can configure a Liberty profile server to use a specific Lightweight Third Party Authentication (LTPA) keys file, user-defined password, and expiration time.

The LTPA is configured by default when security is enabled for a Liberty profile server for the first time. The default location of the automatically generated LTPA keys file is ${server.output.dir}/resources/security/ltpa.keys. The LTPA keys are encrypted with a randomly generated key and a default password of WebAS is initially used to protect the keys. The password is required when importing the LTPA keys into another server. To protect the security of the LTPA keys, we must change the password. When the LTPA keys are exchanged between servers, this password must match across the servers for Single Sign On (SSO) to work.

The default expiration timeout is 120 minutes. The expiration value refers to how long the LTPA tokens are valid before they expire.

To enable dynamic reloading of the LTPA keys when copying an LTPA keys file from another server, we can specify a file monitor interval before copying the LTPA keys file. The monitor interval value refers to how often the LTPA keys file is monitored for updates.

For more information about LTPA, see LTPA concept .

  1. Configure the <ltpa> element in server.xml as follows, replacing the sample values in the example with the values:

  2. Optional: Set the monitorInterval attribute to check the lpta.keys file for key changes to be dynamically reloaded. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). In the following example, the LTPA keys file is checked for changes to be dynamically reloaded every 5 seconds:
    <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword" 
          expiration="120" monitorInterval="5s" />

  3. Encode the password within the configuration. We can get the encoded value using the securityUtility encode command.

  4. Optional: Copy an existing LTPA keys file to the location specified in the keysFileName attribute. The default value is ${server.output.dir}/resources/security/ltpa.keys.


Parent topic: Authenticate users

Concepts:

  • Authentication

    Tasks:

  • Customize SSO configuration using LTPA cookies
  • Create a Liberty cluster with security considerations

    Reference:

  • Security considerations