WAS v8.5 > Secure applications > Authenticate users > Select an authentication mechanism > Configure LTPA and work with keys > Step 4. Manage keys from multiple cells.

Manage LTPA keys from multiple WAS cells

To import and export LTPA keys across multiple WebSphere Application Server cells, you specify the shared keys and configure the authentication mechanism that the servers use to exchange information. Cells that hold the same LTPA keys accept each other's LTPA tokens, which is what single sign-on (SSO) between cells relies on.

Before you begin, make sure that the exported key file is readable on the host where the WAS process performing the import (the deployment manager in a Network Deployment cell) is running, and that you know the password that was entered when the keys were exported: the key material in the file is encrypted under that password and cannot be imported without it.

Disable automatic LTPA key generation before you import keys from, or export keys to, another cell. If automatic generation stays enabled, the cell eventually replaces its keys on the generation schedule: the keys you imported are discarded, and the keys you exported stop interoperating with this cell. See Disable automatic generation of LTPA keys.

At runtime, the default key sets are NodeLTPASecret (the shared secret key) and NodeLTPAKeyPair (the public/private key pair). Both belong to the default key set group NodeLTPAKeySetGroup. After generation, the keys are stored in the default key store NodeLTPAKeys.

Complete the following steps to manage LTPA keys using the dmgr console.

  1. Access the dmgr console.

    Type http://fully_qualified_host_name:port_number/ibm/console to access the dmgr console in a web browser.

  2. Verify that all of the WAS processes are running: the deployment manager, every node agent, and every application server. A server that is down while keys are generated or imported does not receive them and still holds the old keys when it is started again. For such a server, copy the new key set to it (for a federated node, synchronize the node) before you start it.

  3. Click Security > Global security > Authentication mechanisms and expiration.

  4. Click LTPA.

  5. Type the password for the LTPA keys in the Password field. This password encrypts the keys when they are written to the export file and decrypts them when the file is imported. During import, it must be the same password that was used when the keys were exported from the other cell. During export, record the password so that you can supply it during the import.

  6. Type the password again in the Confirm password field.

  7. Select the operation you need:

    • To share this cell's LTPA keys with other cells (SSO across cells), export them. Before exporting, verify that security is enabled and that LTPA is the active authentication mechanism on the running system. For more information, see Export LTPA keys.
    • To bring keys that were exported from another cell into this cell, import them. For more information, see Importing LTPA keys.
    • To restore keys that were previously exported from this cell, import them the same way; see Importing LTPA keys.

  8. Restart the servers in the cell so that the change takes effect.
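The console steps above leave you with one exported key file and a password; before that file is imported into the second cell it is worth checking it. The following script is an added example for this page (it is not IBM code and is not part of WebSphere). It reads the exported key file, which WebSphere writes as a Java properties file with com.ibm.websphere.ltpa.* entries, checks that the entries an import needs are present and decodable, compares the realm recorded in the file with the realm of the target cell (assumed here to be supplied by the caller), and computes a fingerprint of the public key that can be compared across servers to confirm they all hold the same key set. The property names are the ones WebSphere writes; the function names, the host name in the sample and the sample key material are constructed for the example.

```python
"""Pre-import sanity check for an exported WebSphere LTPA key file.
Added example, not IBM code.  Assumes the export is a java.util.Properties
file carrying the com.ibm.websphere.ltpa.* entries WebSphere writes; the key
material in SAMPLE_KEY_FILE is constructed filler, not real keys."""
import base64
import hashlib
from typing import Dict, List

# Entries an importable key file carries; the last three are base64 blobs
# (3DESKey and PrivateKey encrypted under the export password, PublicKey clear).
REQUIRED_PROPERTIES = (
    "com.ibm.websphere.ltpa.version",
    "com.ibm.websphere.ltpa.Realm",
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
)
BINARY_PROPERTIES = REQUIRED_PROPERTIES[2:]

def _unescape(s: str) -> str:
    # Undo Properties.store() escapes: the export writes ':' and '=' inside
    # values as backslash-colon and backslash-equals (base64 padding included).
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            n = s[i + 1]
            if n == "u" and i + 5 < len(s):  # \uXXXX
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(n, n))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: # and ! comments, '=' / ':' / blank
    separators, backslash line continuations and escaped separator characters."""
    props: Dict[str, str] = {}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while (len(line) - len(line.rstrip("\\"))) % 2 == 1 and i < len(lines):
            line = line[:-1] + lines[i].lstrip()  # odd trailing '\' continues
            i += 1
        j = 0
        while j < len(line) and line[j] not in "=: \t":
            j += 2 if line[j] == "\\" else 1  # skip escaped chars in the key
        key, rest = line[:j], line[j:].lstrip(" \t")
        if rest and rest[0] in "=:":
            rest = rest[1:].lstrip(" \t")
        props[_unescape(key)] = _unescape(rest)
    return props

def check_key_file(text: str, expected_realm: str) -> List[str]:
    """Problems that would make the import fail or leave SSO broken; [] means OK."""
    props, problems = parse_properties(text), []
    missing = [p for p in REQUIRED_PROPERTIES if p not in props]
    if missing:
        problems.append("missing properties: " + ", ".join(missing))
    version = props.get("com.ibm.websphere.ltpa.version")
    if version is not None and version != "1.0":
        problems.append("unexpected ltpa.version %r (expected 1.0)" % version)
    for name in BINARY_PROPERTIES:
        try:
            base64.b64decode(props.get(name, ""), validate=True)
        except ValueError:
            problems.append(name + " is not valid base64 (file edited or re-encoded?)")
    realm = props.get("com.ibm.websphere.ltpa.Realm")
    if realm is not None and realm != expected_realm:
        # Tokens carry the issuing realm; a cell that does not trust that realm
        # rejects them even though the keys match.
        problems.append("realm mismatch: file is for %r, target cell uses %r"
                        % (realm, expected_realm))
    return problems

def key_fingerprint(text: str) -> str:
    """SHA-256 of the decoded public key.  Independent of the export password, so
    exports taken on different servers can be compared to confirm one key pair."""
    pub = parse_properties(text)["com.ibm.websphere.ltpa.PublicKey"]
    return hashlib.sha256(base64.b64decode(pub, validate=True)).hexdigest()

# Constructed sample export: 64 bytes of deterministic filler per key entry,
# written with '=' and ':' escaped the way Properties.store() does.
_FILLER = {name: base64.b64encode(bytes((i * 37 + k) % 256 for k in range(64))).decode()
           for i, name in enumerate(BINARY_PROPERTIES, start=1)}
SAMPLE_KEY_FILE = "\n".join(
    ["#IBM WebSphere Application Server key file",
     "com.ibm.websphere.CreationDate=Mon Jan 01 12\\:00\\:00 UTC 2024",
     "com.ibm.websphere.ltpa.version=1.0"]
    + [name + "=" + blob.replace("=", "\\=") for name, blob in _FILLER.items()]
    + ["com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm",
       "com.ibm.websphere.CreationHost=dmgr01.example.internal", ""])
```

Call check_key_file() with the text of the exported file and the realm of the cell you are importing into; an empty list means the file is structurally importable, while a realm mismatch or a corrupted base64 blob is reported before you touch the target cell. Comparing key_fingerprint() across exports taken from each cell after the import is a quick way to confirm that every cell holds the same key pair. The export and import themselves can also be scripted with wsadmin's AdminTask.exportLTPAKeys and AdminTask.importLTPAKeys, which take the key file path and the password as -ltpaKeyFile and -password.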


Results

The shared LTPA keys are now available to WAS, so an LTPA token issued by one cell can be validated by the other cells that hold the same keys.

After the keys are generated or imported, they are used to encrypt and decrypt the LTPA token. To view the latest key version, see Change the number of active LTPA keys.


Related concepts:

LTPA key sets and key set groups


Related


Export LTPA keys
Importing LTPA keys
Disable automatic generation of LTPA keys
Change the number of active LTPA keys

