
Generating LTPA keys


WAS generates Lightweight Third Party Authentication (LTPA) keys automatically during the first server startup. You can generate additional keys as you need them in the Authentication mechanisms and expiration panel.

At runtime, the default key sets are CellLTPASecret and CellLTPAKeyPair. The default key group is CellLTPAKeySetGroup. After generation, keys are stored in the default key store CellLTPAKeys.


Overview

Complete the following steps to generate new LTPA keys in the administrative console.


Procedure

  1. Access the console.

    Type http://fully_qualified_host_name:port_number/ibm/console to access the console in a Web browser.

  2. Verify that all the WAS processes are running, including the cell, nodes, and appservers.

    If any of the servers are down at the time of key generation and are restarted later, those servers might still hold the old keys. After you generate the new set of keys, copy them to those servers before restarting them.

  3. Click Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration.

  4. Click Generate keys to generate a new set of LTPA keys in the local keystore and update the runtime with the new keys. By default, LTPA keys are regenerated on a schedule every 90 days, configurable to the day of the week. Each new set of LTPA keys is stored in the keystore that is associated with the key set group. The same password that is already stored in the configuration is used when you generate new keys.

    This step is not necessary when you enable security because, by default, a set of keys is created during the first server startup. However, the keystore should have at least two keys: the old keys can be used for validation while the new keys are being distributed. If any nodes are down during a key generation event, the nodes should be synchronized with the Deployment Manager before restarting the server.

  5. Restart the server for the changes to become active.
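The same five steps as a wsadmin Jython script, added here as an example and not part of this page (the page itself uses the console); it assumes the AdminTask.generateKeyForKeySetGroup command with its -keySetGroupName parameter and the NodeAgent and NodeSync MBean types, and takes the CellLTPAKeySetGroup name from this page.

```jython
# Added example (not from this page): the console procedure as a wsadmin script.
# Assumptions: AdminTask.generateKeyForKeySetGroup with -keySetGroupName, the
# NodeAgent and NodeSync MBean types. Run from the deployment manager profile:
#   wsadmin.sh -lang jython -f generate_ltpa_keys.py
import sys

KEY_SET_GROUP = 'CellLTPAKeySetGroup'   # default key set group named on this page

def node_of(object_name):
    """Extract the node=... key from an MBean ObjectName string."""
    for part in object_name.split(','):
        if part.startswith('node='):
            return part[len('node='):]
    return None

def managed_nodes():
    """All configured nodes except the deployment manager's own node."""
    dmgr_node = AdminControl.getNode()
    nodes = []
    for node_id in AdminConfig.list('Node').splitlines():
        name = AdminConfig.showAttribute(node_id, 'name')
        if name != dmgr_node:
            nodes.append(name)
    return nodes

def nodes_with_running_agent():
    """Nodes whose node agent MBean is registered, i.e. whose agent is up."""
    agents = AdminControl.queryNames('type=NodeAgent,*').splitlines()
    return [node_of(a) for a in agents if a]

# Step 2: refuse to generate keys while any node agent is down, because that
# node would keep the old keys until it is manually synchronized.
down = [n for n in managed_nodes() if n not in nodes_with_running_agent()]
if down:
    print 'Node agents down, start them or run syncNode first: %s' % ', '.join(down)
    sys.exit(1)

# Step 4: generate a new key set in the group's keystore and update the runtime.
AdminTask.generateKeyForKeySetGroup('[-keySetGroupName %s]' % KEY_SET_GROUP)
AdminConfig.save()

# Push the updated security configuration to every node now instead of
# waiting for the next automatic synchronization.
for node in nodes_with_running_agent():
    sync = AdminControl.completeObjectName('type=NodeSync,node=%s,*' % node)
    if sync:
        AdminControl.invoke(sync, 'sync')

# Step 5: the new keys are used only after the servers are restarted.
print 'New LTPA keys saved; restart the node agents and application servers.'
```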


Results

After WAS generates and saves a new set of keys, the generated keys are not used in the configuration until WebSphere Application Server is restarted. Token generation uses the keys that were last imported. To view the latest key version, see Activating LTPA key versions.


What to do next

You must recycle the node agents and appservers to accept the new keys. If any of the node agents are down, run a manual file synchronization utility from the node agent machine to synchronize the security configuration from the deployment manager.



LTPA key sets and key set groups


Related tasks


Importing LTPA keys
Exporting LTPA keys
Disabling automatic generation of LTPA keys
Activating LTPA key versions