Export LTPA keys
Overview
To support single sign-on (SSO) in WebSphere Application Server across multiple WAS domains or cells, share the LTPA keys and the password among the domains.
Verify the time in the domains is similar so that we do not mistakenly interpret the tokens as expired between the cells.
Export LTPA key files
- Type http://server:port_number/ibm/console in a web browser to access the administrative console, then go to...
Security | Global security | Authentication mechanisms and expiration
- Click LTPA.
- In the Password and Confirm password fields, enter the password used to encrypt the LTPA keys.
Remember the password so we can use it later when the keys are imported into the other cell.
- In the Fully qualified key file name field, specify the fully qualified path to the location where we want the exported LTPA keys to reside.
We must have write permission to this file.
- Click Export keys to export the keys to the location specified in the Fully qualified key file name field.
- Specify the Internal server ID used for interprocess communication between servers.
The server ID is protected with an LTPA token when sent remotely. We can edit the internal server ID to make it identical to server IDs across multiple application server administrative domains (cells). By default this ID is the cell name.
- Click OK and Save.
We can share LTPA keys and passwords among domains on WAS.
LTPA keys that are exported to a file should be readable in an ASCII editor like Notepad.
What to do next
After exporting the keys from one cell, import those keys into the other cell. If the other cell is on a separate system, ftp the key file in binary format.
Related:
LTPA key sets and key set groups Generate LTPA keys Import LTPA keys Disable automatic generation of LTPA keys Change the number of active LTPA keys