
Configure the LTPA mechanism

You must configure either Lightweight Third Party Authentication (LTPA) or Kerberos as the authentication mechanism when you set up security for the first time.

  1. Open the deployment manager (dmgr) administrative console.

    Type http://fully_qualified_host_name:port_number/ibm/console to access the dmgr console in a web browser.

    Port 9060 is the default HTTP port for the dmgr console. During installation, however, you might have specified a different port number; use the port that applies to your installation. Once administrative security is enabled, the console is served over HTTPS on the secure console port (9043 by default), so use https:// and that port instead.

  2. Click Security > Global security > Authentication mechanisms and expiration.

  3. Click LTPA.

  4. In the Key set group field, select the key set group that contains your public, private, and shared LTPA keys. These keys sign and encrypt the LTPA tokens that carry an authenticated identity between servers. You can open the key set group configuration through the Key set group link; there you can specify whether new keys are generated automatically and on what schedule.

  5. Enter a positive integer in the LTPA timeout value for forwarded credentials between servers field.

    This value is the number of minutes for which credentials forwarded from another server remain valid before they expire. The default is 120 minutes. The value must be greater than the value in the Cache timeout field on the Authentication cache settings panel; otherwise a cached credential can outlive the token it was built from.

  6. Enter a password in the Password field.

    This password is not used to generate the LTPA keys; it is used only to protect them when they are exported to, or imported from, a key file: the exported keys are encrypted with a key derived from this password. On import, the password must match the one used to export the keys at the other LTPA server (for example, another application server cell or a Lotus Domino server). On export, record the password so that you can supply it during the import. Treat the key file and its password as secrets: anyone who holds both can recover the LTPA keys and forge tokens that every server in the single sign-on domain accepts.

    Single sign-on across cells is provided by sharing the keys and the password. To share them, log on to one cell, specify a key file, and click Export keys. Then log on to the other cell, specify the same key file and password, and click Import keys.

  7. Click Apply or OK.

  8. Optional: Review the settings on the Global security > Authentication cache settings panel. By default, the authentication cache is enabled. For more information on these fields and values, see the documentation about authentication cache settings.


Results

The LTPA configuration is now set. The LTPA keys are generated automatically the first time security is enabled, so do not generate them in this step. Proceed with the remaining steps required to enable security, starting with single sign-on (SSO) if it is required.

After configuring LTPA, you can also complete the following tasks:

  1. Generate key files. For more information, see Generate LTPA keys.
  2. Export key files. For more information, see Export LTPA keys.
  3. Import key files. For more information, see Import LTPA keys.
  4. Manage LTPA keys from multiple cells. For more information, see Manage LTPA keys from multiple WAS cells.

  5. If you are enabling security, you can also enable single sign-on (SSO). See the related single sign-on topics.

  6. If you generated or imported a new set of keys, make sure they are saved to the master configuration by clicking Save at the top of the panel. Because LTPA tokens are time-sensitive, verify that the time, date, and time zone are synchronized on all of the product servers that participate in the protected domain. The time, date, and time zone are managed independently of WAS. If the clock skew between servers is too large, an LTPA token appears to have expired prematurely, which causes authentication or validation failures.
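The console procedure above, and the export/import used for single sign-on across cells, can also be driven from wsadmin. The following Jython script is an added example and is not part of the WAS documentation or product code. It assumes the AdminTask commands setLTPATimeout, generateKeyForKeySetGroup, exportLTPAKeys and importLTPAKeys with the parameters shown, the default key set group name CellLTPAKeySetGroup, and the file: URL form for key files; confirm all of these against the SecurityConfigurationCommands reference for your fix pack. The DryRun class is a local stand-in so that the script can be previewed outside wsadmin; the sample path and password are placeholders.

```python
"""wsadmin Jython script (added example): apply the LTPA panel settings, then
export or import the keys for cross-cell single sign-on.

Inside wsadmin:  wsadmin.sh -lang jython -f ltpa_config.py configure 120 10
                 wsadmin.sh -lang jython -f ltpa_config.py export /tmp/ltpa.keys <password>
                 wsadmin.sh -lang jython -f ltpa_config.py import /tmp/ltpa.keys <password>
Outside wsadmin it runs in dry-run mode and only lists the commands it would issue."""
import sys

# Assumed name of the default key set group that holds the cell's LTPA keys.
DEFAULT_KEY_SET_GROUP = "CellLTPAKeySetGroup"


class DryRun:
    """Stand-in for the AdminTask / AdminConfig objects that wsadmin injects:
    accepts any command, does nothing, and returns an empty string."""

    def __getattr__(self, command):
        def noop(*args):
            return ""
        return noop


def wsadmin_objects():
    """Return (AdminTask, AdminConfig); fall back to DryRun outside wsadmin."""
    try:
        return AdminTask, AdminConfig  # injected into the script namespace by wsadmin
    except NameError:
        return DryRun(), DryRun()


def ltpa_timeout_is_valid(ltpa_timeout, cache_timeout):
    """Panel rule: the forwarded-credentials timeout must be a positive integer
    and greater than the authentication cache timeout (both in minutes).
    Returns 1 when the pair is acceptable, 0 otherwise."""
    if ltpa_timeout <= 0 or ltpa_timeout <= cache_timeout:
        return 0
    return 1


def key_file_url(path):
    """The key-file parameter is given as a file: URL (assumed form)."""
    if path.startswith("file:"):
        return path
    return "file:" + path


def configure_ltpa(admin_task, admin_config, ltpa_timeout=120, cache_timeout=10,
                   key_set_group=DEFAULT_KEY_SET_GROUP, generate_keys=0):
    """Steps 4 to 7 of the procedure. Returns the list of (command, args) issued.
    generate_keys stays 0 on first configuration because the first keys are
    created automatically when security is enabled; set it to 1 only to rotate."""
    if not ltpa_timeout_is_valid(ltpa_timeout, cache_timeout):
        raise ValueError("LTPA timeout %d must be positive and greater than cache timeout %d"
                         % (ltpa_timeout, cache_timeout))
    issued = []
    args = "[-timeout %d]" % ltpa_timeout
    admin_task.setLTPATimeout(args)
    issued.append(("setLTPATimeout", args))
    if generate_keys:
        args = "[-keySetGroupName %s]" % key_set_group
        admin_task.generateKeyForKeySetGroup(args)
        issued.append(("generateKeyForKeySetGroup", args))
    admin_config.save()  # persist to the master configuration
    issued.append(("save", ""))
    return issued


def export_ltpa_keys(admin_task, path, password):
    """Write the cell's LTPA keys to a password-protected key file.
    The returned record masks the password so it can be logged safely."""
    admin_task.exportLTPAKeys("[-ltpaKeyFile %s -password %s]" % (key_file_url(path), password))
    return [("exportLTPAKeys", "[-ltpaKeyFile %s -password ********]" % key_file_url(path))]


def import_ltpa_keys(admin_task, admin_config, path, password):
    """Load keys exported by another cell (same password) and save them."""
    admin_task.importLTPAKeys("[-ltpaKeyFile %s -password %s]" % (key_file_url(path), password))
    admin_config.save()
    return [("importLTPAKeys", "[-ltpaKeyFile %s -password ********]" % key_file_url(path)),
            ("save", "")]


def main(argv):
    # wsadmin passes only the arguments after the script name; CPython also passes the script.
    if argv and argv[0].endswith(".py"):
        argv = argv[1:]
    task, config = wsadmin_objects()
    if len(argv) == 3 and argv[0] == "configure":
        issued = configure_ltpa(task, config, int(argv[1]), int(argv[2]))
    elif len(argv) == 3 and argv[0] == "export":
        issued = export_ltpa_keys(task, argv[1], argv[2])
    elif len(argv) == 3 and argv[0] == "import":
        issued = import_ltpa_keys(task, config, argv[1], argv[2])
    else:
        raise ValueError("usage: configure <ltpa_min> <cache_min> | export <file> <pw> | import <file> <pw>")
    for command, args in issued:
        print("%s %s" % (command, args))


if __name__ == "__main__":
    main(sys.argv)
```

The password is passed on the command line and therefore lands in shell history and the wsadmin trace; run the export and import from a controlled session, delete the key file once the second cell has imported it, and rotate the keys if the file was ever exposed. Run `configure` before enabling security so that the first keys are still generated automatically, as the Results section describes.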


Related concepts:

Single sign-on for authentication using LTPA cookies
Trust associations
LTPA key sets and key set groups


Related tasks:


Enable security
Select a registry or repository


Reference:

Authentication cache settings

