Configure administrative authentication
An authentication mechanism defines rules about security information, such as whether a credential is forwardable to another Java process, and the format of how security information is stored in both credentials and tokens.
With RSA tokens we can submit administrative jobs through a job manager. We can manage applications, perform product maintenance, modify configurations, and control the application server runtime.
Avoid trouble: Administrative authentication is set to RSA by default for servers running in a Base or Express environment, and LTPA for servers running in a Network Deployment environment.
- NodeRSATokenKeyStore
Contains the personal certificate, signed by an RSA root certificate. The private key creates RSA tokens. The public key is used by other processes to create RSA tokens.
- NodeRSATokenTrustStore
Contains signer certificates from other processes that are trusted to send RSA tokens to this process. The signers in this trust store are placed there automatically during registration. This task allows an administrator to configure trust between two processes not normally involved in the same administrative domain. There may be requirements where two base servers communicate administratively. When using the RSA token authentication mechanism, the base servers need to share RSA signers if administrative communication operates in both directions.
- NodeRSATokenRootStore
Contains the root personal certificate used to create new RSA personal certificates. Do not use the root certificate to create RSA tokens, because this usage compromises the long-lived keys. Only use the root certificate to sign other certificates.
No manual steps are required for these keystores, and this allows trust to be established among processes that are not in the same administrative domain, which is otherwise uncommon. We can also replace the RSA personal certificate with a personal certificate obtained from a certificate authority (CA) if desired. In this case, make sure the CA root certificate is placed in all RSA trust stores in the same administrative domain.
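As an added illustration (not the product's own code), the following Python sketch models the three keystore roles described above with toy textbook RSA: the root key signs only personal certificates, the personal key signs tokens, and a receiver accepts a token only when the signer is registered in its trust store or its certificate was issued by a trusted root such as the CA root mentioned above. The process names, primes and token payload are constructed for the example.

```python
import hashlib

# Toy textbook RSA with small fixed primes: constructed for illustration only,
# not secure and not the product's real RSA token format.
def make_key(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def pub(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pubkey, data, sig):
    return pow(sig, pubkey["e"], pubkey["n"]) == digest(data, pubkey["n"])

def cert_bytes(subject, pubkey):
    return f"{subject}:{pubkey['n']}:{pubkey['e']}".encode()

def fingerprint(subject, pubkey):
    return hashlib.sha256(cert_bytes(subject, pubkey)).hexdigest()

def issue_cert(issuer_subject, issuer_key, subject, pubkey):
    # Root store role: the root private key only signs other certificates.
    return {"subject": subject, "pub": pubkey,
            "issuer": fingerprint(issuer_subject, pub(issuer_key)),
            "sig": sign(issuer_key, cert_bytes(subject, pubkey))}

def create_token(personal_key, cert, payload):
    # Key store role: the process's personal private key signs each token.
    return {"payload": payload, "cert": cert, "sig": sign(personal_key, payload)}

def accept_token(token, trust_store):
    # Trust store role: {fingerprint: public key} of signers this process trusts.
    cert = token["cert"]
    if fingerprint(cert["subject"], cert["pub"]) not in trust_store:
        # Signer not registered directly: accept only if a trusted root
        # (e.g. a CA root placed in every trust store) signed its certificate.
        issuer_pub = trust_store.get(cert["issuer"])
        if issuer_pub is None:
            return False
        if not verify(issuer_pub, cert_bytes(cert["subject"], cert["pub"]), cert["sig"]):
            return False
    return verify(cert["pub"], token["payload"], token["sig"])
```

A token signed with the root key is rejected unless the root is registered as a signer, which is exactly the usage the text warns against.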
To administer an RSA keystore, go to:
Security | SSL certificate and key management | Related Items | Key stores and certificates | Keystore usages | RSA token keystores | RSA token key store
You can set the description, path, read only, and/or initialize at setup options. Enter the password to make these modifications.

In cases where the process is back-level or a target RSA certificate cannot be obtained, the fallback mechanism is LTPA, which is supported in all previous releases for administrative communications. The fallback occurs automatically. If the LTPA keys are not shared and a fallback occurs, LTPA fails as well. However, this situation is typically an error case in the RSA mechanism and should occur infrequently.
Related concepts:
- Job manager security
- Authenticating users