Configure Lightweight Third Party Authentication keys

Generating keys

Overview

Lightweight Third Party Authentication (LTPA) keys are generated automatically when a password change is detected. The first time that you set the LTPA password, as part of enabling security, the LTPA keys are generated automatically when you click OK or Apply in the LTPA panel; you do not have to click Generate Keys in that situation. Complete the following steps in the administrative console to generate a new set of LTPA keys:

Procedure

  1. Access the administrative console by typing http://localhost:9060/ibm/console in a Web browser.

  2. Verify that all the WAS processes are running (cell, nodes, and all of the application servers). Any server that is down at the time of key generation and is brought back up later might still hold the old keys; copy the new set of keys to such servers before bringing them back up.

  3. Click Security > Global security. Under Authentication, click Authentication mechanisms > LTPA.

  4. Click Generate Keys if you want to keep the existing password. This action generates a new set of keys that is encrypted with the same password as the old set. Whether or not the password has changed, a new set of keys is generated every time you click Generate Keys. The new set of keys is not propagated to the run time until it is saved, so save the files immediately.

  5. To generate keys with a new password, enter the new password, confirm it, and click OK or Apply. A new set of keys is generated, and a message saying so is displayed on the console. Do not click Generate Keys. These new keys are propagated to the run time after you save them.

  6. Click Save to save the keys. After a new set of keys is generated and saved, the generated keys are not used in the configuration until WAS is restarted. In a Deployment Manager environment the node agents and application servers must also be restarted to accept the new keys. If any of the node agents are down, run the manual file synchronization utility from the node agent machine to synchronize the security configuration from the deployment manager. The next sections describe the process of exporting and importing the keys.

Exporting keys

Overview

To support single sign-on (SSO) in WAS across multiple WAS domains or cells, share the LTPA keys and the password among the domains. Verify that the clocks of the domains are closely synchronized; otherwise tokens issued in one cell can appear expired in another. Use Export Keys to export the LTPA keys to other domains or cells. Complete the following steps in the administrative console to export key files for LTPA:

Procedure

  1. Access the administrative console by typing http://localhost:9060/ibm/console in a Web browser.

  2. Click Security > Global security. Under Authentication, click Authentication mechanisms > LTPA.

  3. In the Key file name field, enter the full path of a file for key storage. This file needs write permissions.

  4. Click Export Keys. A file containing the LTPA keys is created. Exporting fails if a new set of keys has been generated or imported but not saved before the export, so save any new set of keys before exporting.

  5. Click Save to save the configuration.

Importing keys

Overview

To support SSO in WAS across multiple WebSphere Application Server domains or cells, share the LTPA keys and the password among the domains. Use Import Keys to import the LTPA keys from other domains. Verify that the keys have been exported to a file from one of the cells involved. Complete the following steps in the administrative console to import key files for LTPA. After a new set of keys is imported and saved, the keys are not used in the configuration until the WebSphere Application Server is restarted. In a Deployment Manager environment, the node agents and application servers must also be restarted to accept the new keys. If any of the node agents are down, run the manual file synchronization utility from the node agent machine to synchronize the security configuration from the deployment manager.

Procedure

  1. Access the administrative console by typing http://localhost:9060/ibm/console in a Web browser.

  2. Click Security > Global security. Under Authentication, click Authentication mechanisms > LTPA.

  3. Change the password in the password fields to match the password in the cell from which you are importing the keys.

  4. Click Save to save the new password in the repository. Complete this step before importing the keys: if the password and the keys do not match, the servers fail. If the servers fail, turn off security and redo these steps.

  5. In the Key file name field, enter the full path of a file for key storage. This file needs read permissions.

  6. Click Import Keys. The keys are now imported into the system.

  7. Click Save to save the new set of keys in the repository. Saving the new set of keys together with the matching password avoids problems when the servers are started later.
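The export and import steps above both depend on the key file being intact and protected (write permission for the export, read permission for the import, and no wider access than needed, since the file carries the cell's signing keys). The following pre-flight check is an added example, not part of the product documentation; it assumes the exported file is a Java properties file carrying the property names listed in REQUIRED_PROPS (confirm them against your own export), and the sample content it writes is constructed, not real key material.

```python
import base64
import os
import tempfile

# Property names assumed to match a typical exported LTPA key file (Java
# .properties format); confirm them against your own export before relying on this.
REQUIRED_PROPS = ("com.ibm.websphere.ltpa.3DESKey", "com.ibm.websphere.ltpa.PrivateKey",
                  "com.ibm.websphere.ltpa.PublicKey", "com.ibm.websphere.ltpa.Realm")
BASE64_PROPS = REQUIRED_PROPS[:3]  # key material is base64; the realm is plain text

def parse_key_file(text):
    """Parse key=value lines in Java .properties style; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def check_properties(props):
    """Return content problems; an empty list means the export looks complete."""
    problems = ["missing property " + n for n in REQUIRED_PROPS if n not in props]
    for name in BASE64_PROPS:
        try:
            base64.b64decode(props.get(name, ""), validate=True)
        except ValueError:
            problems.append("property %s is not valid base64" % name)
    return problems

def check_key_file(path):
    """Permissions first (the file holds the cell's signing keys), then content."""
    mode = os.stat(path).st_mode & 0o777
    problems = ["group/world accessible (mode %o)" % mode] if mode & 0o077 else []
    if not os.access(path, os.R_OK):
        return problems + ["not readable by this user"]
    with open(path) as fh:
        return problems + check_properties(parse_key_file(fh.read()))

def demo():
    """Write a constructed sample export (not real key material) and check it."""
    fake = base64.b64encode(b"constructed sample, not a real key").decode()
    text = "".join("%s=%s\n" % (n, fake) for n in BASE64_PROPS)
    text += "com.ibm.websphere.ltpa.Realm=constructedRealm\n"
    with tempfile.NamedTemporaryFile("w", suffix=".keys", delete=False) as fh:
        fh.write(text)
    os.chmod(fh.name, 0o600)  # owner-only, as the export should be kept
    try:
        return check_key_file(fh.name)
    finally:
        os.remove(fh.name)
```

Run check_key_file on the real export on the importing cell before step 6; any reported problem means the import should not proceed.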