Configure the LTPA mechanism


You must configure LTPA when you set up security for the first time. LTPA (Lightweight Third Party Authentication) is the default authentication mechanism for WAS.

 

Procedure

  1. Open the console.

    Type the following URL in a Web browser to access the console:

    http://fully_qualified_host_name:port_number/ibm/console

    Port 9060 is the default port number for accessing the console. During installation, however, you might have specified a different port number. Use the appropriate port number.

  2. Click...

    Security | Secure administration, applications, and infrastructure | Authentication mechanisms and expiration

  3. Select the appropriate group from the Key set group field that contains your public, private, and shared LTPA keys. These keys are used to encrypt and decrypt data that is sent between servers. You can access these key set group configurations using the Key set group link. In the Key set group configuration, you can indicate whether to automatically generate new keys and when to generate them.

  4. Enter a positive integer in the Authentication cache timeout field. This value is the number of minutes an LTPA token remains valid. The token carries this expiration time, so any server that receives the token can check that it has not expired before proceeding. When the token expires, the user must log in again. The optimal value depends on your configuration; the default is 10 minutes. A shorter lifetime limits how long a stolen or leaked token can be replayed, at the cost of more frequent logins.

  5. Enter a positive integer in the Timeout value for forwarded credentials between servers field. This value is the number of minutes that credentials forwarded from another server remain valid. The default is 120 minutes. The value in this field must be greater than the value in the Authentication cache timeout field.

  6. Click Apply or OK. The LTPA configuration is now set. Do not generate the LTPA keys in this step because they are automatically generated later. Proceed with the rest of the steps that are required to enable security, and start with SSO, if it is required.

  7. Complete the information in the Security | Secure administration, applications, and infrastructure panel and click OK.

    The LTPA keys are generated automatically the first time. Do not generate the keys manually.

 

Results

The previous steps configured LTPA.

 

What to do next

After configuring LTPA, you can also complete the following tasks:

  1. Generate key files.

  2. Export key files.

  3. Import key files.

  4. Manage LTPA keys from multiple cells.

  5. Enable SSO

    • If you generated a new set of keys or imported a new set of keys, verify that the keys are saved to the master configuration by clicking Save at the top of the panel. Because LTPA tokens carry an absolute expiration time, verify that the time, date, and time zone are synchronized among all of the product servers that participate in the protected domain. Time, date, and time zone are set outside WAS, at the operating system level. If the clock skew between servers is too high, a token that is still valid on the issuing server appears already expired on a validating server, which causes authentication or validation failures.
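The timeout relationship in steps 4 and 5 and the clock-skew caveat above can both be checked before users start reporting premature logouts. The following script is an added example, not part of the original page or of WAS itself. It assumes that each participating server can be asked for its current time (here modelled by the HTTP Date header a server returns; the sample headers, hostnames, and timestamps are constructed) and compares that time against a reference clock, flagging any server whose skew is a meaningful fraction of the configured LTPA token lifetime. It also models how a token issued by one server looks to a validating server whose clock runs ahead.

```python
"""Audit clock skew among servers that share LTPA keys.

An LTPA token carries an absolute expiration time, so a validating server
whose clock runs ahead of the issuing server's clock sees the token expire
early. This added example (not WAS code) reads each server's clock from the
Date header of an HTTP response and reports skew relative to the LTPA
token timeout configured in the console.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Skew larger than this fraction of the token lifetime is worth fixing.
SKEW_WARN_FRACTION = 0.1

# Constructed sample data: hostnames and Date headers are hypothetical.
# In practice, collect the headers with something like
#   curl -sI http://host:9060/ibm/console | grep '^Date:'
REFERENCE_UTC = datetime(2009, 3, 2, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DATE_HEADERS = {
    "app1.example.com": "Mon, 02 Mar 2009 12:00:01 GMT",   # 1 s ahead
    "app2.example.com": "Mon, 02 Mar 2009 12:03:00 GMT",   # 3 min ahead
    "app3.example.com": "Mon, 02 Mar 2009 11:59:30 GMT",   # 30 s behind
}


def parse_http_date(header_value):
    """Parse an RFC 1123 Date header into an aware UTC datetime."""
    dt = parsedate_to_datetime(header_value)
    if dt.tzinfo is None:                      # older Pythons return naive for -0000
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def clock_skews(date_headers, reference):
    """Return {host: skew_seconds}; positive means the host's clock is ahead."""
    return {host: (parse_http_date(hdr) - reference).total_seconds()
            for host, hdr in date_headers.items()}


def token_appears_expired_at(issue_time, timeout_minutes, validator_skew_seconds, check_time):
    """True if a token issued at issue_time (on a correctly synced server) with the
    given lifetime looks expired to a validator whose clock is off by the skew."""
    expires = issue_time + timedelta(minutes=timeout_minutes)
    validator_now = check_time + timedelta(seconds=validator_skew_seconds)
    return validator_now >= expires


def audit(date_headers, reference, ltpa_timeout_minutes, forwarded_timeout_minutes):
    """Return a list of findings: timeout misconfiguration and excessive skew."""
    findings = []
    # Step 5 requires the forwarded-credential timeout to exceed the token timeout.
    if forwarded_timeout_minutes <= ltpa_timeout_minutes:
        findings.append("config: forwarded-credential timeout (%d min) must be greater "
                        "than the authentication cache timeout (%d min)"
                        % (forwarded_timeout_minutes, ltpa_timeout_minutes))
    limit_seconds = ltpa_timeout_minutes * 60 * SKEW_WARN_FRACTION
    for host, skew in sorted(clock_skews(date_headers, reference).items()):
        if abs(skew) > limit_seconds:
            findings.append("%s: clock skew %+.0f s exceeds %.0f s; a token that is "
                            "still valid elsewhere may be rejected here"
                            % (host, skew, limit_seconds))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DATE_HEADERS, REFERENCE_UTC, 10, 120):
        print(line)
```

With the page's defaults (10 minute token lifetime, 120 minute forwarded-credential timeout) the sample flags app2.example.com, whose three minute offset means a token issued seven minutes ago on a synced server is already rejected there. Collect the Date headers over the same administrative port you use for the console, and fix skew with the operating system's time service rather than by lengthening the token lifetime.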


Authentication mechanisms and expiration
Generating LTPA keys
Exporting LTPA keys
Importing LTPA keys
Disabling automatic generation of LTPA keys
Manage LTPA keys from multiple WAS cells
Activating LTPA key versions

 

Related concepts

User registries and repositories
Single sign-on
Trust associations
LTPA key sets and key set groups

 

Related tasks

Enabling security