Default single signon token

Do not use the default single signon token in service provider code. This default token is used by the WebSphere Application Server run-time code only. Size limitations exist for this token when it is added as an HTTP cookie. If you need to create an HTTP cookie using this token framework, you can implement a custom single signon token. To implement a custom single signon token, see Implementing a custom single signon token for more information.

Changing the token factory that is associated with the default single signon token

When the default single signon token is generated, the application server uses the TokenFactory class that is specified by the com.ibm.wsspi.security.token.singleSignonTokenFactory property. To modify this property using the administrative console, complete the following steps:

  1. Click Security > Global security.

  2. Under Additional properties, click Custom properties.

The com.ibm.ws.security.ltpa.LTPAToken2Factory token factory is the default that is specified for this property. This token factory creates a single signon (SSO) token called LtpaToken2, which WebSphere Application Server uses for propagation. This token factory uses the AES/CBC/PKCS5Padding cipher. If you change this token factory, you lose interoperability with any servers running a version of WebSphere Application Server prior to version 5.1.1 that use the default token factory. Only servers running WebSphere Application Server Version 5.1.1 or later with propagation enabled are aware of the LtpaToken2 cookie. If all of your application servers use WebSphere Application Server Version 5.1.1 or later and all of your servers use your new token factory, this awareness is not a problem. If you need to perform your own signing and encryption of the default single signon token, implement the following classes:

Your token factory implementation instantiates (createToken) and validates (validateTokenBytes) your token implementation. You can use the Lightweight Third-Party Authentication (LTPA) keys passed into the initialize method of the token factory or you can use your own keys. If you use your own keys, they must be the same everywhere to validate the tokens that are generated using those keys. See the API documentation, available through a link on the front page of the information center, for more information on implementing your own custom token factory. To associate your token factory with the default single signon token using the administrative console, complete the following steps:

  1. Click Security > Global security.

  2. Under Additional properties, click Custom properties.

  3. Locate the com.ibm.wsspi.security.token.singleSignonTokenFactory property and verify that the value of this property matches your custom TokenFactory implementation.

  4. Verify that your implementation classes are located in the app_server_root/classes directory so that the WebSphere Application Server class loader can load the classes.

  5. Verify that your implementation classes are located in the ${USER_INSTALL_ROOT}/classes directory so that the WebSphere Application Server class loader can load the classes. For iSeries, verify that the QEJBSVR user profile has read, write, and execute (*RWX) authority to the classes directory. You can use the Work with Authority (WRKAUT) command to view the authority on the directory.
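The signing and validation that your own token factory must perform (the createToken and validateTokenBytes steps described above) could be built as follows. This is an added example, not WebSphere code and not the real TokenFactory interface: the class SsoTokenCrypto, its method names and the token layout IV || AES/CBC/PKCS5Padding(payload) || HMAC-SHA256(IV || ciphertext) are assumptions, as are the 16-byte AES key and 32-byte HMAC key that every server is assumed to share.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical stand-in for the crypto inside a custom token factory (not WebSphere's TokenFactory API).
public final class SsoTokenCrypto {
    private static final int IV_LEN = 16, MAC_LEN = 32;
    private final SecretKeySpec encKey, macKey;   // separate cipher and MAC keys, identical on every server
    /** Plays the role of initialize(): keys are supplied once and must match across all servers. */
    public SsoTokenCrypto(byte[] aesKey, byte[] hmacKey) {   // assumes a 16-byte AES key and a 32-byte HMAC key
        encKey = new SecretKeySpec(aesKey, "AES");
        macKey = new SecretKeySpec(hmacKey, "HmacSHA256");
    }
    /** Plays the role of createToken(): fresh random IV per token; IV and ciphertext are authenticated together. */
    public byte[] createToken(byte[] payload) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] body = concat(iv, c.doFinal(payload));
        return concat(body, hmac(body));
    }
    /** Plays the role of validateTokenBytes(): constant-time MAC check before any decryption; null on failure. */
    public byte[] validateTokenBytes(byte[] token) throws GeneralSecurityException {
        if (token == null || token.length < IV_LEN + 16 + MAC_LEN) return null;   // shorter than IV + one block + tag
        byte[] body = Arrays.copyOf(token, token.length - MAC_LEN);
        byte[] tag = Arrays.copyOfRange(token, body.length, token.length);
        if (!MessageDigest.isEqual(hmac(body), tag)) return null;   // tampered, truncated, or made with other keys
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(Arrays.copyOf(body, IV_LEN)));
        return c.doFinal(Arrays.copyOfRange(body, IV_LEN, body.length));   // the original payload bytes
    }

    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(macKey);
        return m.doFinal(data);
    }
    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }
}
```

The IV and MAC tag add 48 bytes to every token and a cookie value is normally Base64-encoded (a 4/3 expansion), so the cookie size limitation noted at the top of this page applies to a custom token as well.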



Related concepts
Security attribute propagation

Related tasks
Implementing a custom SingleSignonToken
Propagating security attributes among application servers
Implementing a custom single signon token



Searchable topic ID: rsec_defssotoken