Prepare security for remote search service in a single sign-on domain
Single sign-on across cells can be provided by sharing LTPA keys and the key password. To share the keys and password, log on to one cell, specify a key file, and click Export keys. Then log on to the other cell, specify the same key file, and click Import keys.
Search results are filtered according to the user's security credentials. This filtering occurs whether or not security is enabled on the remote search server. However, if security on the remote search server is not enabled, an unauthorized user can connect directly to the remote server and obtain unfiltered search results. To prevent this, use EJB for the remote search service and complete the following procedure.
1. Make the key file available to all servers in the single sign-on (SSO) domain. Complete the following steps on one of the servers that will be part of the SSO domain:
   - Open the WAS console and go to: Security > Global Security > Authentication > LTPA
   - Enter a fully qualified key file name and click the Export keys button. The keys are written to APPSERVER_ROOT/Key_File_Name.
2. Import the key file to all other servers of the SSO domain:
   - Copy the key file exported in step 1 to the server, into the directory WP_PROFILE.
   - Log in to the WAS console and go to: Security > Global Security > Authentication > LTPA
   - Enter the fully qualified key file name and click the Import keys button. The keys are propagated to all servers of the SSO domain.
   - Restart all WebSphere Application Server profiles on this server.
3. Ensure that automatic LTPA key generation is disabled on all servers of the SSO domain (a regenerated key on one server no longer matches the others and breaks SSO):
   - Log in to the WAS console and go to: Security > Global Security. In the Authentication mechanisms and expiration pane, click LTPA.
   - Under Key generation, select Key set groups.
   - Click NodeLTPAKeySetGroup.
   - In the Key generation pane, clear the Automatically generate keys check box.
   - Click OK.
   - Click Save to save the changes to the master configuration.
   - Log out from the WAS console.
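The same three steps driven from wsadmin instead of the console, as an added example that is not part of the original page or the product documentation. It assumes the AdminTask commands exportLTPAKeys, importLTPAKeys and updateKeySetGroup from the WAS LTPA and key set group command groups; the key file path and password are placeholders.

```jython
# Added example: run with  wsadmin.sh -lang jython -f ltpa_sso.py
# Assumes AdminTask.exportLTPAKeys / importLTPAKeys / updateKeySetGroup exist
# with the parameters used below (WAS command groups, not verified here).
# Set MODE to 'export' on the first cell and 'import' on every other cell.
MODE = 'import'
KEY_FILE = 'file:/PLACEHOLDER/wp_profile/ltpa.key'   # placeholder: fully qualified key file
KEY_PASSWORD = 'PLACEHOLDER_PASSWORD'                  # placeholder: protects the exported keys

def export_keys():
    # Step 1: write the cell's LTPA keys to KEY_FILE, encrypted with KEY_PASSWORD.
    AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (KEY_FILE, KEY_PASSWORD))

def import_keys():
    # Step 2: read the keys from KEY_FILE (copied to this server beforehand).
    AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]' % (KEY_FILE, KEY_PASSWORD))

def disable_auto_generation():
    # Step 3: stop NodeLTPAKeySetGroup from regenerating keys, which would
    # silently desynchronize the cells and break SSO.
    # Assumption: -scopeName may additionally be needed on multi-node cells.
    AdminTask.updateKeySetGroup('[-name NodeLTPAKeySetGroup -autoGenerate false]')

if MODE == 'export':
    export_keys()
else:
    import_keys()
disable_auto_generation()
AdminConfig.save()   # commit the changes to the master configuration
```

Restart the WebSphere Application Server profiles afterwards, as in the console procedure.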
What to do next
For more details about exporting the LTPA token, refer to the WAS information center under Administering > Security > Managing security > Configuring authentication mechanisms > Configuring Lightweight Third Party Authentication > Lightweight Third Party Authentication settings. We can also locate this topic by opening the search feature of the WAS information center and searching for ltpa key export.
If we work with EJB on a secure server, set the search user ID. For details about how to do this step, refer to Set the search user ID.