LTPA Token (ltpa)

LTPA Token (ltpa)

Lightweight Third Party Authentication (LTPA) token configuration.

Name Type Default Description

authFilterRef Top level authFilter element (string). Authentication filter reference.

expiration A period of time with minute precision 120m Amount of time after which a token expires in seconds. The value can be specified in milliseconds, seconds, and minutes using the following suffixes: "ms", "s", and "m". Specify a positive integer followed by a unit of time, which can be hours (h) or minutes (m). For example, specify 30 minutes as 30m. We can include multiple values in a single entry. For example, 1h30m is equivalent to 90 minutes.

keysFileName Path to a file ${server.output.dir}/resources/security/ltpa.keys The path to the file containing the LTPA primary keys, which are used to create and validate LTPA tokens.

keysPassword Reversably encoded password (string) {xor}CDo9Hgw= Password for the LTPA primary keys. The best practice is to encrypt the password using the securityUtility tool.

monitorInterval A period of time with millisecond precision 0ms Rate at which the server checks for updates to the LTPA keys file. This rate applies to both the primary keys and the validation keys. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

monitorValidationKeysDir boolean false If set to "true", the directory containing LTPA primary keys is monitored for any modifications on files with the .keys suffix. The default value is false. All validation files must use the same password as the LTPA primary keys password and must have the .keys suffix.

updateTrigger

disabled
mbean
polled

polled Specifies the update method or trigger used to update the LTPA keys. The following values are supported: "polled", "mbean" and "disabled". The default value is "polled".
disabled
This disables all update monitoring on all LTPA key files including primary key and validation keys (configured and non-configured). Changes to the LTPA key files are not applied while the server is running.
mbean
%ltpa.updateTrigger.external
polled
The server scans for LTPA key file changes at the monitor interval and updates if the LTPA key files have any detectable changes.

authFilter
Authentication filter reference.
authFilter > cookie
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Specifies the name.

authFilter > host
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Specifies the name.

authFilter > remoteAddress
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

ip string Specifies the remote host TCP/IP address.

matchType

contains
equals
greaterThan
lessThan
notContain

contains Match type.

authFilter > requestHeader
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Specifies the name.

value string The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

authFilter > requestUrl
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

urlPattern string
Required Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent
A unique configuration ID.

Name Type Default Description

agent string
Required Specifies the browser's user agent to help identify which browser is being used.

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

authFilter > webApp
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Specifies the name.

validationKeys
A unique configuration ID.

Name Type Default Description

fileName string
Required The name of the file containing the LTPA validation keys. The path must be the same as the LTPA primary keys file.

id string A unique configuration ID.

password Reversably encoded password (string)
Required The password for the LTPA validation keys. The best practice is to encrypt the password using the securityUtility tool.

validUntilDate string A date and time value in ISO date format that the LTPA validation key is valid until. After the specified time, the validation keys is no longer used for LTPA token validation. The following example shows the ISO date format: "2023-11-18T18:08:35Z". If no value is specified, the LTPA validation keys can be used indefinitely.

Name	Type	Default	Description
authFilterRef	Top level authFilter element (string).		Authentication filter reference.
expiration	A period of time with minute precision	120m	Amount of time after which a token expires in seconds. The value can be specified in milliseconds, seconds, and minutes using the following suffixes: "ms", "s", and "m". Specify a positive integer followed by a unit of time, which can be hours (h) or minutes (m). For example, specify 30 minutes as 30m. We can include multiple values in a single entry. For example, 1h30m is equivalent to 90 minutes.
keysFileName	Path to a file	${server.output.dir}/resources/security/ltpa.keys	The path to the file containing the LTPA primary keys, which are used to create and validate LTPA tokens.
keysPassword	Reversably encoded password (string)	{xor}CDo9Hgw=	Password for the LTPA primary keys. The best practice is to encrypt the password using the securityUtility tool.
monitorInterval	A period of time with millisecond precision	0ms	Rate at which the server checks for updates to the LTPA keys file. This rate applies to both the primary keys and the validation keys. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
monitorValidationKeysDir	boolean	false	If set to "true", the directory containing LTPA primary keys is monitored for any modifications on files with the .keys suffix. The default value is false. All validation files must use the same password as the LTPA primary keys password and must have the .keys suffix.
updateTrigger	disabled mbean polled	polled	Specifies the update method or trigger used to update the LTPA keys. The following values are supported: "polled", "mbean" and "disabled". The default value is "polled". disabled This disables all update monitoring on all LTPA key files including primary key and validation keys (configured and non-configured). Changes to the LTPA key files are not applied while the server is running. mbean %ltpa.updateTrigger.external polled The server scans for LTPA key file changes at the monitor interval and updates if the LTPA key files have any detectable changes.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Match type.
name	string Required		Specifies the name.
value	string		The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

Name	Type	Description
fileName	string Required	The name of the file containing the LTPA validation keys. The path must be the same as the LTPA primary keys file.
id	string	A unique configuration ID.
password	Reversably encoded password (string) Required	The password for the LTPA validation keys. The best practice is to encrypt the password using the securityUtility tool.
validUntilDate	string	A date and time value in ISO date format that the LTPA validation key is valid until. After the specified time, the validation keys is no longer used for LTPA token validation. The following example shows the ISO date format: "2023-11-18T18:08:35Z". If no value is specified, the LTPA validation keys can be used indefinitely.