Configure LTPA in Liberty

We can configure a Liberty server to use a specific Lightweight Third Party Authentication (LTPA) keys file, user-defined password, and expiration time.

See Specify LTPA keys on the Open Liberty website.

The LTPA is configured by default when security is enabled for a Liberty server for the first time. The default location of the automatically generated LTPA keys file is...

The LTPA keys are encrypted with a randomly generated key and a default password of WebAS is initially used to protect the keys. The password is required when importing the LTPA keys into another server. To protect the security of the LTPA keys, we must change the password. When the LTPA keys are exchanged between servers, this password must match across the servers for Single Sign On (SSO) to work.

The default expiration timeout is 120 minutes. The expiration value refers to how long the LTPA tokens are valid before they expire.

To enable dynamic reloading of the LTPA keys when copying an LTPA keys file from another server, we can specify a file monitor interval before copying the LTPA keys file. The monitor interval value refers to how often the LTPA keys file is monitored for updates.

For more information about LTPA, see LTPA concept in Liberty.


FIPS 140-3 notes

When FIPS 140-3 is enabled, the LTPA keys created use FIPS 140-3 approved algorithms. Enable FIPS 140-3 on all Liberty servers for single sign-on (SSO) to work with the LTPA keys. SSO using LTPA tokens fails between servers that use FIPS 140-3 approved algorithms and servers that do not. If FIPS 140-3 is enabled on an existing Liberty server, the LTPA keys that were previously created do not use FIPS 140-3 approved algorithms. To create LTPA keys that use FIPS 140-3 approved algorithms, complete one of the following options.

  • Stop the Liberty server, delete the ltpa.keys file and restart the server to automatically create the LTPA keys with FIPS 140-3 approved algorithms.

  • Set the FIPS 140-3 system properties and run the securityUtility createLTPAKeys command to create new LTPA keys with FIPS 140-3 approved algorithms. After the system properties are set, replace the existing LTPA keys with the newly created LTPA keys. For more information about the createLTPAKeys command, see createLTPAKeys.


Steps

  1. Configure the <ltpa> element in server.xml:

      <ltpa 
          keysFileName="yourLTPAKeysFileName.keys" 
          keysPassword="keysPassword" 
          expiration="120" />

  2. Optional: Set the monitorInterval attribute so that the ltpa.keys file is checked for key changes and the keys are dynamically reloaded.

    Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). In the following example, the LTPA keys file is checked for changes to be dynamically reloaded every 5 seconds:

      <ltpa 
          keysFileName="yourLTPAKeysFileName.keys" 
          keysPassword="keysPassword" 
          expiration="120" 
          monitorInterval="5s" />

  3. Encode the password in the configuration. To get the encoded value, use the securityUtility encode command.

  4. Optional: Copy an existing LTPA keys file to the location specified in the keysFileName attribute.

    The default value is ${server.output.dir}/resources/security/ltpa.keys.

    For more information on LTPA keys and the keysFileName attribute, see Application Security 2.0.
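The following script is an added example, not code from the Liberty documentation or product. It audits the <ltpa> element of a server.xml document against the points in the steps above: the keysPassword must not be the initial WebAS value and must be encoded, expiration is a positive number of minutes, and monitorInterval is a positive integer followed by h, m, or s. The two server.xml documents are constructed samples, and the {aes} value in the hardened one is a placeholder rather than real securityUtility output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml documents (not taken from the page or from any real server).
WEAK_SERVER_XML = """<server>
  <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="WebAS"
        expiration="120" monitorInterval="5" />
</server>"""

HARDENED_SERVER_XML = """<server>
  <ltpa keysFileName="yourLTPAKeysFileName.keys"
        keysPassword="{aes}EXAMPLE-ENCODED-VALUE"
        expiration="120"
        monitorInterval="5s" />
</server>"""

DEFAULT_KEYS_FILE = "${server.output.dir}/resources/security/ltpa.keys"
DEFAULT_PASSWORD = "WebAS"  # initial password that protects auto-generated keys
MONITOR_INTERVAL_RE = re.compile(r"^[1-9][0-9]*[hms]$")  # e.g. 5s, 10m, 1h


def audit_ltpa(server_xml: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the <ltpa> element of a server.xml string."""
    findings = []
    ltpa = ET.fromstring(server_xml).find("ltpa")
    if ltpa is None:
        # Without an <ltpa> element Liberty falls back to the defaults described above.
        return [("error", "no <ltpa> element: defaults apply (%s, password %s, expiration 120)"
                 % (DEFAULT_KEYS_FILE, DEFAULT_PASSWORD))]

    password = ltpa.get("keysPassword", DEFAULT_PASSWORD)
    if password == DEFAULT_PASSWORD:
        findings.append(("error", "keysPassword is the default WebAS; change it on every server in the SSO domain"))
    elif not password.startswith("{"):
        findings.append(("error", "keysPassword is plaintext; encode it with 'securityUtility encode'"))
    elif password.startswith("{xor}"):
        # xor is reversible obfuscation; aes with a custom key is the stronger encoding.
        findings.append(("warn", "keysPassword uses {xor}; prefer 'securityUtility encode --encoding=aes'"))

    # This check accepts the plain-minutes form shown on the page (expiration="120").
    expiration = ltpa.get("expiration", "120")
    if not expiration.isdigit() or int(expiration) <= 0:
        findings.append(("error", "expiration must be a positive number of minutes, got %r" % expiration))

    interval = ltpa.get("monitorInterval")
    if interval is not None and not MONITOR_INTERVAL_RE.match(interval):
        findings.append(("error", "monitorInterval must be a positive integer followed by h, m or s, got %r" % interval))

    if ltpa.get("keysFileName") is None:
        findings.append(("info", "keysFileName not set; default is %s" % DEFAULT_KEYS_FILE))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ltpa(doc) or "OK")
```

Run it against a real server.xml by reading the file into a string and passing it to audit_ltpa; a monitorInterval of "5" (no unit) and the WebAS password in the weak sample are reported, while the hardened sample produces no findings.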

