Configure LTPA and work with keys
LTPA is the default authentication mechanism for WebSphere Application Server. After we have configured LTPA we can generate LTPA keys manually or automatically.
- Configure LTPA and generate the first LTPA keys
Use the dmgr console to configure LTPA or Kerberos when we set up security for the first time. The LTPA keys are generated automatically the first time.
Application servers distributed in multiple nodes and cells can securely communicate using the LTPA protocol. Key set groups contain lists of key sets and LTPA authentication key generation schedules. Each key set contains key references to keys in key stores. To generate keys automatically, each key set must be a member of a key set group.
The keys for some key configurations must be generated together. For LTPA, the public/private key pair is referenced in one key set while the shared secret key is in a separate key set. When the key set group is created, the two key sets are added as members of the key set group, and the key set group settings determine whether the keys for both key sets are generated together automatically or manually.
The key set group contains the following attributes:
- Member key sets
- Choice of either manual or automatic key generation in the member key sets
- Schedule for automatically generating keys
- Generate keys manually or automatically, and control the number of active keys.
WAS generates LTPA keys automatically during the first server startup. We can generate additional keys as required in the Authentication mechanisms and expiration panel.
We can disable the automatic generation of new LTPA keys for key sets that are members of a key set group. Automatic generation creates new keys on a schedule specified when we configure a key set group, which manages one or more key sets. WAS uses key set groups to automatically generate cryptographic keys or multiple synchronized key sets.
Generating keys manually, or enabling or disabling automatic generation, requires recycling the node agents and application servers so that they accept the new keys. If any node agent is down, run the manual file synchronization utility (the syncNode command) on that node to pull the security configuration from the deployment manager.
Key sets manage LTPA keys in a key store based on a key alias prefix. A key alias prefix is automatically generated when we generate a new key and store it in a key store. Key stores can contain multiple versions of keys for any given key alias prefix. We can specify a maximum number of active keys in the key set configuration.
- Import and export keys
To support single sign-on (SSO) in WebSphere Application Server across multiple WAS domains or cells, share the LTPA keys and the password among the domains. We can import LTPA keys from other domains and export keys to other domains.
Disable automatic key generation before importing keys from, or exporting keys to, another cell. If automatic generation stays enabled, the next scheduled generation replaces the imported keys, and the keys exported to the other cell stop interoperating with this cell over time.
Recycle the node agents and application servers so that they accept the new keys. If any node agent is down, run the manual file synchronization utility (the syncNode command) on that node to pull the security configuration from the deployment manager.
- Manage keys from multiple cells
To import and export LTPA keys across multiple WebSphere Application Server cells, we specify the shared keys and configure the authentication mechanism used to exchange information between the servers.
Restart the servers for any changes to take effect.
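The following wsadmin Jython script is an added example and is not part of the WebSphere documentation or product. It strings together the steps above for both the key-generation control (disabling the schedule on the key set group) and the cross-cell import/export: it turns off automatic generation on the LTPA key set group, exports or imports the keys, saves the configuration, synchronizes every node whose node agent is running, and lists the nodes where syncNode must be run by hand. Assumptions: the LTPA key set group has its default cell-scoped name CellLTPAKeySetGroup; the key-file password is read from a file named by the third argument (my convention, to keep it out of shell history); the AdminTask commands used (getKeySetGroup, modifyKeySetGroup, exportLTPAKeys, importLTPAKeys) and the NodeSync MBean `sync` operation are the wsadmin interfaces as I know them, so check them with `AdminTask.help('<command>')` against the cell; and wsadmin sets `__name__` to `main` and places only the script arguments in `sys.argv`. The code is written to the Jython 2.1 level that WAS 8.5 ships (no `True`/`False` literals, no `print` function), so it also imports under a current CPython for the parsing helpers.

```python
# Added example (not IBM's code): wsadmin Jython script for the cross-cell
# LTPA key exchange. Run once against each cell's deployment manager, e.g.
#   wsadmin.sh -lang jython -f ltpa_keys.py export file:/tmp/ltpa.key /root/ltpa.pw
#   wsadmin.sh -lang jython -f ltpa_keys.py import file:/tmp/ltpa.key /root/ltpa.pw
# Assumptions: default key set group name CellLTPAKeySetGroup; password file as
# third argument; AdminTask/AdminConfig/AdminControl are injected by wsadmin.
import re
import sys

KEY_SET_GROUP = 'CellLTPAKeySetGroup'   # default cell-scoped LTPA key set group


def log(msg):
    sys.stdout.write(msg + '\n')


def parse_attr(attr_list, attr_name):
    """Pull one value out of a wsadmin attribute string such as
    '[ [name CellLTPAKeySetGroup] [autoGenerate true] ]' (constructed sample)."""
    match = re.search(r'\[%s\s+([^\]]*)\]' % re.escape(attr_name), attr_list)
    if match is None:
        raise KeyError('attribute %s not found' % attr_name)
    return match.group(1).strip()


def parse_objectname_key(object_name, key):
    """Read one key=value pair out of a JMX ObjectName like 'WebSphere:node=n1,...'."""
    match = re.search(r'(?:^|[,:])%s=([^,]+)' % re.escape(key), object_name)
    if match is None:
        raise KeyError('key %s not found in %s' % (key, object_name))
    return match.group(1)


def nodes_needing_manual_sync(cell_nodes, synced_nodes, dmgr_node):
    """Managed nodes with no running node agent: syncNode must be run there by hand.
    The deployment manager node is never synchronized, so it is excluded."""
    missing = []
    for node in cell_nodes:
        if node != dmgr_node and node not in synced_nodes:
            missing.append(node)
    return missing


def auto_generation_enabled(group_name):
    attrs = AdminTask.getKeySetGroup('[-name %s]' % group_name)
    return parse_attr(attrs, 'autoGenerate').lower() == 'true'


def disable_auto_generation(group_name):
    """Stop the generation schedule; otherwise the shared keys drift apart over time."""
    if auto_generation_enabled(group_name):
        AdminTask.modifyKeySetGroup('[-name %s -autoGenerate false]' % group_name)
        log('disabled automatic key generation for ' + group_name)


def sync_nodes():
    """Push the saved security configuration to every reachable node agent and
    return the managed nodes that could not be reached."""
    synced = []
    for name in AdminControl.queryNames('type=NodeSync,*').split():
        AdminControl.invoke(name, 'sync')
        synced.append(parse_objectname_key(name, 'node'))
    cell_nodes = []
    for node_id in AdminConfig.list('Node').split():
        cell_nodes.append(AdminConfig.showAttribute(node_id, 'name'))
    return nodes_needing_manual_sync(cell_nodes, synced, AdminControl.getNode())


def exchange_keys(action, key_file_uri, password):
    disable_auto_generation(KEY_SET_GROUP)
    # Assumes a password without spaces or brackets; quote it otherwise.
    params = '[-ltpaKeyFile %s -password %s]' % (key_file_uri, password)
    if action == 'export':
        AdminTask.exportLTPAKeys(params)
    else:
        AdminTask.importLTPAKeys(params)
    AdminConfig.save()
    for node in sync_nodes():
        log('node agent on %s is down: run syncNode on that node' % node)
    log('now restart the node agents and application servers to load the new keys')


def main(args):
    # wsadmin passes only the script arguments; plain python prepends the script name.
    if args and args[0].endswith('.py'):
        args = args[1:]
    if len(args) != 3 or args[0] not in ('export', 'import'):
        log('usage: ltpa_keys.py export|import file:/path/ltpa.key /path/password-file')
        return 2
    password = open(args[2]).read().strip()
    exchange_keys(args[0], args[1], password)
    return 0


if __name__ in ('__main__', 'main'):   # wsadmin reports the script as 'main'
    main(sys.argv)
```

Run the export against the cell that owns the keys first, copy the key file and password file to the second cell's deployment manager, run the import there, then restart the node agents and application servers in both cells. The script disables the generation schedule before either step, which is the caveat the import/export section makes: with the schedule left on, the next scheduled generation silently replaces the shared keys and SSO between the cells breaks.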