LTPA
Specify the shared keys and configure the authentication mechanism used to exchange information between servers. We can also use this page to specify the amount of time that the authentication information remains valid and specify the single sign-on configuration.
To view this administrative console page:
Security > Global security > > Authentication > LTPA
After configuring the properties on this page...
- Click...
Security > Global security
- Under "Available realm definitions", verify that the appropriate registry is configured.
- Click Apply.
When security is enabled and any of these properties change, return to the Global security panel and click Apply to validate the changes.
Key set group
Specifies groups of public, private, and shared keys. These key groups enable the application server to manage multiple sets of LTPA keys.
Generate Keys
Specifies whether to generate a new set of LTPA keys in the configured keystore, and to update the runtime with the new keys. By default, LTPA keys are regenerated on a schedule every 90 days, configurable to the day of the week. Each new set of LTPA keys is stored in the keystore associated with the key set group. A maximum number of keys (or even one) can be configured. However, IBM recommends to have at least two keys; the old keys can be used for validation while the new keys are being distributed.
This step is not necessary during security enablement. A default set of keys is created during the first server startup. If any nodes are down during a key generation event, the nodes should be synchronized with the Deployment Manager before restart.
LTPA timeout value for forwarded credentials between servers
Period of time during which the server credentials from another server are valid. After this time period expires, the server credential from the other server must be revalidated. Specify a value for this field that is greater than the value specified for the Cache timeout field on the Authentication cache settings panel.
Information Value Data type Integer Units Minutes and seconds Default 120 minutes Range An integer between 5 and 153722867280911
Password
Enter a password which will be used to encrypt and decrypt the LTPA keys from the SSO properties file. During import, this password should match the password used to export the keys at another LTPA server (for example, another application server Cell, Lotus Domino Server, and so on). During export, remember this password in order to provide it during the import operation. After the keys are generated or imported, they are used to encrypt and decrypt the LTPA token. Whenever the password is changed, a new set of LTPA keys are automatically generated when you click OK or Apply. The new set of keys is used after the configuration changes are saved.
Information Value Data type String
Confirm password
Confirmed password used to encrypt and decrypt the LTPA keys. Use this password when importing these keys into other application server administrative domain configurations and when configuring SSO for a Lotus Domino server.
Information Value Data type String
Fully qualified key file name
Name of the file used when importing or exporting keys. Enter a fully qualified key file name, and click Import Keys or Export Keys.
Information Value Data type String
Import Keys
Specifies whether the server imports new LTPA keys. To support single sign-on (SSO) in the application server product across multiple application server domains (cells), share the LTPA keys and the password among the domains. Use the Import Keys option to import the LTPA keys from other domains. The LTPA keys are exported from one of the cells to a file. To import a new set of LTPA keys:
- Enter the appropriate password in the Password and Confirm password fields.
- Enter the directory location where the LTPA keys are located in the Fully qualified key file name field prior to clicking Import Keys.
- Do not click OK or Apply, but save the settings.
Export Keys
Specifies whether the server exports LTPA keys. To support single sign-on (SSO) in the WebSphere product across multiple application server domains (cells), share the LTPA keys and the password among the domains. Use the Export Keys option to export the LTPA keys to other domains.
To export the LTPA keys, make sure the system is running with security enabled and is using LTPA. Enter the file name in the Fully qualified key file name field and click Export Keys. The encrypted keys are stored in the specified file. The exported key file is often supplied to other third-party security providers, such as Webseal and Datapower. These products use the information supplied in the keyfile to create single sign-on (SSO) LTPATokens(2) tokens. The exported key file contains a com.ibm.websphere.ltpa.Realm property. The realm setting, by default, is always the global or administrative realm. If we are using multiple security domains and want the key file to represent an application in one of these multiple security domains, we need to manually update this key file property with the correct multiple security domain realm prior to supplying the keyfile to these products.