Configure LTPA

The following steps describe how to integrate WebSEAL and WebSphere Application Server to use LTPA.

  1. Launch the Administrative Console for WebSphere Application Server and login.

  2. Select Global Security, expand Authentication mechanisms, and click LTPA to open the LTPA configuration panel.

    Change the password if needed. The first time that security is enabled with the LTPA authentication mechanism, LTPA keys are generated automatically with the password entered in this panel. In this procedure, however, the LTPA keys are generated manually so that they can be exported immediately and copied to the WebSEAL server. The LTPA keys cannot be exported until the changed password has been saved in the WebSphere Application Server repository. However, it is not mandatory to change the password in order to export the keys.

    In the Key File name field, enter the full path of a file on the WebSphere Application Server machine where the key file should be placed.

    Click Export Keys to create the exported key file.


  3. Save the configuration for WebSphere.

  4. Click Single signon (SSO) and check the Enabled box. Also enter the SSO Domain name, as shown in the figure below.

  5. On the Global Security panel, ensure that WebSphere Application Server is set up with the registry and that Global Security is enabled. Change the Active Authentication Mechanism to LTPA (Lightweight Third Party Authentication).

  6. Click Apply to accept the changes, then save the WebSphere configuration.

  7. Copy the LTPA key file to the WebSEAL server. This file must be kept secure: if it is disclosed, the LTPA trust relationship between WebSEAL and WebSphere Application Server may be compromised.

  8. To set up an SSL junction, enable SSL on the Web server and exchange certificates between the Web server and WebSEAL.

  9. The next step is to create the junction on the WebSEAL server. Three options must be specified when the junction is created:

    • -A - Enables LTPA cookies.

    • -F <full_path_to_ltpa_keys_file> - Specifies the full path name and location (on the WebSEAL host machine) of the LTPA key file exported from the WebSphere Application Server machine. This shared ltpakeys.txt file was originally created on the WebSphere Application Server host and copied to the WebSEAL machine.

    • -Z <keyfile_password> - Specifies the password required to open the LTPA key file; it is the password defined in the WebSphere Application Server Administrative Console.

    Using pdadmin on the WebSEAL server, execute the following command:

    server task default-webseald-m23vnx61 create -t SSL -A -F "c:\ltpakeys\ltpakeys.txt" -Z "password" -h bc2srv2 -p 443 /ltpa

  10. Test the junction by accessing the snoop servlet; in our example, https://m23vnx61/ltpa/snoop.
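The following script is an added example and is not part of the original page or of the WebSEAL/WebSphere products. It covers steps 7, 9 and 10 from the administrator's side: it refuses to proceed unless the copied LTPA key file is readable only by its owner (the "kept very secure" caveat of step 7), assembles the pdadmin junction command from the three LTPA options (-A, -F, -Z) plus the SSL back-end settings, and probes the junction's test servlet. The Unix path /var/pdweb/ltpakeys.txt, the use of an environment variable for the key-file password, and the curl probe are assumptions; the page's own example uses a Windows path and passes the password inline.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed values: the WebSEAL
# instance name, the key file path on a Unix WebSEAL host, the back-end host.

# Step 7 check: the LTPA key file must be owner-only (mode 0600 or 0400).
# Uses ls -l rather than stat(1), which is not portable across Unix flavours.
# Returns 0 when the mode is acceptable, 1 otherwise.
check_key_file_perms() {
    f="$1"
    [ -f "$f" ] || { echo "key file $f not found" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)      # e.g. -rw-------
    case "$mode" in
        -r[w-]-------) return 0 ;;        # owner read (and optionally write) only
        *) echo "key file $f has mode $mode; expected owner-only (0600/0400)" >&2
           return 1 ;;
    esac
}

# Step 9: build the pdadmin "server task ... create" command.
# Arguments: instance keyfile keyfile_password backend_host backend_port junction
# -A enables LTPA cookies, -F names the key file, -Z gives the key file password.
build_junction_cmd() {
    printf 'server task %s create -t SSL -A -F "%s" -Z "%s" -h %s -p %s %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 10: fetch the snoop servlet through the junction and print the HTTP
# status code. No -k is passed, so the WebSEAL certificate must be trusted by
# the client; a 200 means the junction is serving the back end.
probe_junction() {
    webseal_host="$1"; junction="$2"
    curl -s -o /dev/null -w '%{http_code}' "https://$webseal_host$junction/snoop"
}

# Typical use on the WebSEAL host (assumed names; password taken from the
# environment so it does not appear in the shell history):
#   check_key_file_perms /var/pdweb/ltpakeys.txt || exit 1
#   build_junction_cmd default-webseald-m23vnx61 /var/pdweb/ltpakeys.txt \
#       "$LTPA_KEY_PASSWORD" bc2srv2 443 /ltpa
#   probe_junction m23vnx61 /ltpa
```

The printed command is the one to enter at the pdadmin prompt on the WebSEAL host; keeping the password in an environment variable rather than typing it inline keeps it out of the shell history, although it still appears in the pdadmin command itself, exactly as in the page's example.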