
Enabling or disabling single sign-on interoperability mode for the LTPA token

We can set an interoperability flag on the token generator to determine whether an LTPA Version 1 token or an LTPA Version 2 token is retrieved when a request message is received.

In WAS v7 and later, a flag is set in the global security settings to enable single sign-on interoperability mode for the LTPA token. This option determines whether an LTPA Version 1 token or an LTPA Version 2 token is sent when a message request is received. When the interoperability flag is set to true, the AuthenticationToken is an LTPA Version 1 token, and the SingleSignonToken is an LTPA Version 2 token. When the interoperability flag is set to false, both the AuthenticationToken and the SingleSignonToken are LTPA Version 2 tokens.

When interoperability mode is enabled (the flag is set to true), and the Web Services Security binding configuration specifies LTPA Version 1 as the token, the AuthenticationToken is used to retrieve the token sent with the message. If interoperability mode is not enabled (the flag is set to false), and the Web Services Security binding configuration specifies LTPA Version 1 as the token, an exception is logged.

We can disable the interoperability checking function by setting the custom property, com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7, on the token generator. This setting determines the LTPA token without checking the state of the interoperability flag, providing compatibility with servers running WAS v6.1 and earlier.
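The rules above can be turned into a pre-change check that answers "which bindings fail if interoperability mode is switched off?". The following is an added example, not IBM code: the `Binding` record, the inventory entries, and the treatment of a Version 2 binding and of the custom property as a simple on/off switch are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    name: str                      # constructed label, not a real binding name
    token_version: int             # LTPA version the WS-Security binding specifies
    pre_v7_property: bool = False  # assumption: custom property set, flag check skipped

def outcome(binding, interop_enabled):
    """Model which token version a binding ends up with, or 'ERROR'."""
    if binding.token_version == 2:
        # Assumption: a Version 2 token is available in both flag states.
        return "LTPA2"
    if binding.token_version != 1:
        raise ValueError("unknown LTPA version: %r" % binding.token_version)
    if binding.pre_v7_property:
        # The interoperability flag is not consulted for this generator.
        return "LTPA1"
    # Version 1 binding: served only while interoperability mode is enabled.
    return "LTPA1" if interop_enabled else "ERROR"

def impact_of_disabling(bindings):
    """Classify bindings by what happens once the flag is set to false."""
    report = {"breaks": [], "still_v1": [], "unaffected": []}
    for b in bindings:
        after = outcome(b, interop_enabled=False)
        if after == "ERROR":
            report["breaks"].append(b.name)       # exception logged at runtime
        elif after == "LTPA1":
            report["still_v1"].append(b.name)     # bypasses the flag entirely
        else:
            report["unaffected"].append(b.name)
    return report

# Constructed inventory for the example.
INVENTORY = [
    Binding("orders-provider", token_version=1),
    Binding("legacy-client", token_version=1, pre_v7_property=True),
    Binding("billing-provider", token_version=2),
]

if __name__ == "__main__":
    for category, names in impact_of_disabling(INVENTORY).items():
        print(category, names)
```

Bindings reported under `still_v1` keep using Version 1 regardless of the global flag, so they need to be reviewed separately from the flag change.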

To enforce use of the LTPA Version 2 token, edit the token settings, and set the Enforce token version option for the token.

  1. Click Applications > Application Types > WebSphere enterprise applications.

  2. Select an application containing web services. The application must contain a service provider or a service client.

  3. Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.

  4. Select a binding. We must have previously attached a policy set and assigned an application-specific binding.

  5. Click the WS-Security policy in the Policies table.

  6. Click the Authentication and protection link in the Main message security policy bindings section.

  7. Click a consumer or generator token link from the Protection Tokens table.

  8. Select the Enforce token version check box after the Token type field.


Related tasks

  • Configure token generators using JAX-RPC to protect message authenticity at the server or cell level

  • Authentication generator or consumer token settings