Configuring LTPA on the Liberty profile

This topic describes how to configure a Liberty profile server to use a specific Lightweight Third Party Authentication (LTPA) keys file, a user-defined password, and an expiration time.

LTPA is configured by default when security is enabled for a Liberty profile server for the first time. The default location of the automatically generated LTPA keys file is ${server.config.dir}/resources/security/ltpa.keys. The keys are encrypted with a randomly generated key, and a default password of WebAS is initially used to protect the keys. The password is required when importing the keys into another server. Therefore, to protect the security of the LTPA keys, you must change the password. When the keys are exchanged between servers, this password must match across the servers for single sign-on (SSO) to work.

The default expiration timeout is 120 minutes. The expiration value refers to how long the LTPA tokens are valid before they expire.

To enable dynamic reload of the LTPA keys when copying an LTPA keys file from another server, specify a file monitor interval before copying the LTPA keys file. The monitor interval value refers to how often the LTPA keys file is monitored for updates.

See LTPA concept in the Liberty profile.

  1. Configure the ltpa element in server.xml as follows, replacing the sample values in the example with your values.

  2. Optional: Enable the LTPA keys file monitor by setting the monitorInterval attribute. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example:
    <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword"
          expiration="120" monitorInterval="5s" />
  3. Encode the password within the configuration. You can get the encoded value using the securityUtility encode command.
  4. Optional: Copy an existing LTPA keys file to the location specified in the keysFileName attribute. The default is ${server.config.dir}/resources/security/ltpa.keys.

    For more information on ltpa element, see Liberty profile: Configuration elements in server.xml.
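
An added example, not part of the original page or of IBM's tooling: a Python check that reads server.xml text and flags the LTPA settings this page warns about (the default WebAS password, a keysPassword left unencoded, a monitorInterval outside the format given in step 2). The function names, finding labels and sample server.xml strings are constructed for illustration, and the {aes} value is a placeholder.

```python
import base64
import re
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "WebAS"                    # default password named on this page
INTERVAL_RE = re.compile(r"[1-9]\d*[hms]")    # positive integer + h, m or s (step 2)

def xor_encode(text):
    """Liberty's {xor} encoding: XOR each byte with 0x5F ('_'), then base64."""
    raw = bytes(b ^ 0x5F for b in text.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")

def audit_ltpa(server_xml):
    """Return finding labels (hypothetical names) for the ltpa config in server_xml."""
    elems = list(ET.fromstring(server_xml).iter("ltpa"))
    if not elems:
        # No ltpa element: the automatically generated keys keep the default password.
        return ["DEFAULT_PASSWORD"]
    findings = []
    for el in elems:
        pw = el.get("keysPassword")
        if pw is None or pw in (DEFAULT_PASSWORD, xor_encode(DEFAULT_PASSWORD)):
            findings.append("DEFAULT_PASSWORD")
        elif not pw.startswith(("{xor}", "{aes}")):
            findings.append("UNENCODED_PASSWORD")   # step 3 was skipped
        interval = el.get("monitorInterval")
        if interval is not None and not INTERVAL_RE.fullmatch(interval):
            findings.append("BAD_MONITOR_INTERVAL")
    return findings

# Constructed sample inputs (not taken from a real server).
PAGE_SAMPLE = """<server>
  <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword"
        expiration="120" monitorInterval="5s" />
</server>"""
DEFAULT_XOR = '<server><ltpa keysPassword="{xor}CDo9Hgw=" monitorInterval="5" /></server>'
ENCODED = '<server><ltpa keysPassword="{aes}PLACEHOLDER" expiration="120" /></server>'
NO_LTPA = "<server><featureManager/></server>"

if __name__ == "__main__":
    for name, xml in [("page sample", PAGE_SAMPLE), ("default, xor-encoded", DEFAULT_XOR),
                      ("encoded", ENCODED), ("no ltpa element", NO_LTPA)]:
        print(f"{name}: {audit_ltpa(xml) or 'ok'}")
```

A keysPassword supplied through a ${variable} reference is reported as UNENCODED_PASSWORD by this check; resolve the variable before judging it.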

