Manage LTPA keys from multiple WAS cells
We can specify the shared keys and configure the authentication mechanism used to exchange information between servers to import and export LTPA keys across multiple WebSphere Application Server cells. We must be sure that the exported key file for the multiple cells is accessible on the host where WAS is running. Also, we must know the password that was used when the keys were exported. We should disable automatic key generation if we import or export keys to or from another cell: if automatic generation stays enabled, the imported keys get lost and the exported keys no longer interoperate with this cell over time. At runtime, the default key sets are CellLTPASecret and CellLTPAKeyPair. The default key group is CellLTPAKeySetGroup. After generation, keys are stored in the default key store CellLTPAKeys.
Manage LTPA keys using
- Access the administrative console.
http://fully_qualified_host_name:port_number/ibm/console
- Verify that all of the WAS processes are running, including cells, nodes, and all of the application servers. If any of the servers are down at the time of key generation and then brought back up later, these servers might contain old keys. Copy the new set of keys to these servers, then bring them back up.
- Click...
Security > Global security > Authentication mechanisms and expiration > LTPA
- Type the password for the LTPA keys in the Password field. Enter a password used to encrypt and decrypt the LTPA keys from the single sign-on (SSO) properties file. During import, this password should match the password used to export the keys at another LTPA server. During export, remember this password in order to provide it during the import operation.
- Type the password again in the Confirm password field.
- To support SSO in multiple appserver domains (cells), we can share the LTPA keys and passwords among the domains. Make sure that security is enabled and using LTPA on the running system.
- Export LTPA keys from the source cell.
- Import LTPA keys into the target cell.
- Start the server again for any changes we make to become active.
The shared LTPA keys are now available for WAS to use for secure connections.
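As an added example (not from this page or from IBM), the following Python pre-flight check compares exported LTPA key files from two cells and reports whether they already share the same key material and realm, which is how to spot a server that came back up with old keys before relying on cross-cell SSO. It assumes the exported file is a Java properties file carrying the com.ibm.websphere.ltpa.* property names shown; the sample file contents are constructed.

```python
import hashlib

# Property names as found in exported WAS LTPA key files (assumed; adjust if
# your version names them differently).
PUBLIC_KEY_FIELD = "com.ibm.websphere.ltpa.PublicKey"  # stored unencrypted
ENCRYPTED_FIELDS = (  # encrypted with the password given at export time
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
)
REALM_FIELD = "com.ibm.websphere.ltpa.Realm"

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def public_key_fingerprint(props):
    """SHA-256 of the public key, so two cells can be compared in a ticket or
    runbook without pasting the key material itself."""
    return hashlib.sha256(props.get(PUBLIC_KEY_FIELD, "").encode()).hexdigest()

def compare_cells(source_text, target_text):
    """Compare two exported key files and report what differs."""
    src, dst = parse_properties(source_text), parse_properties(target_text)
    wanted = (PUBLIC_KEY_FIELD, REALM_FIELD) + ENCRYPTED_FIELDS
    return {
        "missing": [f for f in wanted if f not in src or f not in dst],
        "public_key_match": public_key_fingerprint(src) == public_key_fingerprint(dst),
        # Encrypted fields compare equal only if both exports used the same password.
        "encrypted_fields_match": all(src.get(f) == dst.get(f) for f in ENCRYPTED_FIELDS),
        "realm_match": src.get(REALM_FIELD) == dst.get(REALM_FIELD),
    }

# Constructed sample exports (not real key material): the target cell still
# holds an older key pair, which is what the pre-flight check should catch.
SOURCE_EXPORT = """# constructed sample
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
com.ibm.websphere.ltpa.PublicKey=PUBKEY_V2_BASE64
com.ibm.websphere.ltpa.3DESKey=ENC_3DES_V2_BASE64
com.ibm.websphere.ltpa.PrivateKey=ENC_PRIV_V2_BASE64
"""
STALE_TARGET_EXPORT = SOURCE_EXPORT.replace("_V2_", "_V1_")
```

Run `compare_cells(SOURCE_EXPORT, STALE_TARGET_EXPORT)` against real exports taken from each cell after the import step; a `public_key_match` of False on any cell means that cell is still on old keys and needs the new key file copied in before it is restarted.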
What to do next
After the keys are generated or imported, they are used to encrypt and decrypt the LTPA token. To view the latest key version, see Change the number of active LTPA keys.
Related:
- LTPA key sets and key set groups
- Exporting LTPA keys
- Import LTPA keys
- Disable automatic generation of LTPA keys
- Change the number of active LTPA keys
- Video: Exporting an LTPA key to be used by a different cell for cross-cell SSO communication (V8.5.5)