Set the Lightweight Third Party Authentication mechanism

Configure Lightweight Third Party Authentication (LTPA) or Kerberos when you set up security for the first time.

  1. Open the admin console.

      http://host:port/ibm/console

    Port 9060 is the default port number for accessing the admin console. During installation, however, we might have specified a different port number. Use the appropriate port number.

  2. Click...

  3. Click LTPA.

  4. Select the appropriate group from the Key set group field that contains the public, private, and shared LTPA keys. These keys are used to encrypt and decrypt data that is sent between servers. We can access these key set group configurations using the Key set group link. In the Key set group configuration, we can indicate whether to automatically generate new keys and when to generate them.

  5. Enter a positive integer value in the Authentication cache timeout field.

    This timeout value determines how long the authenticated credential in the cache remains valid.

    The optimal value for this field depends on the configuration. With a small number of users, specify a value that is higher than the default value; with a large number of users, specify a value that is lower than the default value. The value specified for this field must be less than the value specified for the Timeout value for forwarded credentials between servers field.

    The default value is 10 minutes.

  6. Enter a positive integer in the Timeout value for forwarded credentials between servers field.

    This value refers to how long the server credentials from another server are valid before they expire. The default value is 120 minutes. The value in the Timeout value for forwarded credentials between servers field must be greater than the value in the Authentication cache timeout field.

  7. Enter a password in the field.

    This password is used to protect the generated keys that are used to encrypt and decrypt the LTPA keys from the SSO properties file. The password is not used to generate keys; it is only used to protect them. During import, this password should match the password used to export the keys at another LTPA server (for example, another appserver Cell, Lotus Domino Server, and so on). During export, remember this password in order to provide it during the import operation.

    Single sign-on across cells can be provided by sharing keys and passwords. To share the keys and password, log on to one cell, specify a key file, and click Export keys. Then, log on to the other cell, specify the key file, and click Import keys.

  8. Click Apply or OK. The LTPA configuration is now set. Do not generate the LTPA keys in this step because they are automatically generated later. Proceed with the rest of the steps that are required to enable security, and start with SSO, if it is required.

  9. Complete the information in the Security > Global security panel and click OK. The LTPA keys are generated automatically the first time. Do not generate the keys manually.

 

Results

The previous steps configured LTPA.

 

Next steps

After configuring LTPA, we can also complete the following tasks:

  1. Generate key files.

    See Generating Lightweight Third Party Authentication keys.

  2. Export key files.

    See Exporting Lightweight Third Party Authentication keys.

  3. Import key files.

    See Importing Lightweight Third Party Authentication keys.

  4. Manage LTPA keys from multiple cells.

    See Manage LTPA keys from multiple WAS cells.

  5. If enabling security, we can also enable SSO. See:

  6. If we generated a new set of keys or imported a new set of keys, verify that the keys are saved to the master configuration by clicking Save at the top of the panel. Because LTPA authentication uses time-sensitive tokens, verify that the time, date, and time zone are synchronized among all of the WAS servers that participate in the protected domain. Changes to the time, date, and time zone are made independently of WAS. If the clock skew between servers is too high, the LTPA token appears to have expired prematurely and causes authentication or validation failures.
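The two timeout constraints from steps 5 and 6 (positive integers, cache timeout strictly less than the forwarded-credentials timeout) and the clock-skew failure mode described above can be checked before touching the console. The following is an added example written for this page, not WAS code or a wsadmin script; the function names and the minute-based model of token expiry are assumptions made for illustration.

```python
from typing import List

# Defaults stated on this page, in minutes.
DEFAULT_CACHE_TIMEOUT_MIN = 10
DEFAULT_FORWARDED_TIMEOUT_MIN = 120


def validate_ltpa_timeouts(cache_timeout_min: int, forwarded_timeout_min: int) -> List[str]:
    """Return the list of rule violations for the two LTPA timeout fields.

    Rules (from the configuration steps): both values are positive integers,
    and the authentication cache timeout must be less than the timeout for
    forwarded credentials between servers. An empty list means acceptable.
    """
    problems = []
    for name, value in (("Authentication cache timeout", cache_timeout_min),
                        ("Timeout value for forwarded credentials between servers", forwarded_timeout_min)):
        if not isinstance(value, int) or isinstance(value, bool) or value <= 0:
            problems.append(f"{name} must be a positive integer (got {value!r})")
    if not problems and cache_timeout_min >= forwarded_timeout_min:
        problems.append("Authentication cache timeout must be less than the "
                        "timeout for forwarded credentials between servers")
    return problems


def token_accepted(issued_at_min: int, lifetime_min: int, validator_clock_min: int) -> bool:
    """Model (assumption) of a validating server comparing a token's expiry to its own clock.

    The token carries an expiry of issued_at + lifetime; the server accepts it only
    while its own clock has not reached that expiry.
    """
    return validator_clock_min < issued_at_min + lifetime_min


def effective_lifetime(lifetime_min: int, validator_skew_ahead_min: int) -> int:
    """Minutes of real time a token stays valid on a server whose clock runs ahead.

    A validator whose clock is ahead by the skew sees the expiry that much sooner;
    once the skew reaches the lifetime, every token is rejected on arrival, which
    is the 'prematurely expired' symptom described in the next-steps list.
    """
    return max(0, lifetime_min - validator_skew_ahead_min)


if __name__ == "__main__":
    print(validate_ltpa_timeouts(DEFAULT_CACHE_TIMEOUT_MIN, DEFAULT_FORWARDED_TIMEOUT_MIN))
    print(validate_ltpa_timeouts(120, 120))
    print(effective_lifetime(DEFAULT_FORWARDED_TIMEOUT_MIN, 5))
```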


Authentication mechanisms and expiration
Generating Lightweight Third Party Authentication keys
Exporting Lightweight Third Party Authentication keys
Importing Lightweight Third Party Authentication keys
Disable automatic generation of Lightweight Third Party Authentication keys
Manage LTPA keys from multiple WAS cells
Change the number of active LTPA keys

 

Related concepts


Single sign-on for authentication using LTPA cookies
Trust associations
Lightweight Third Party Authentication key sets and key set groups

 

Related tasks


Enable security
Select a registry or repository