Lightweight Third Party Authentication
The Lightweight Third Party Authentication (LTPA) protocol enables...
- WAS appservers distributed in multiple nodes and cells to securely communicate
- Single signon
Single signon uses LTPA keys to allow users to be authenticated once in a DNS domain, without being prompted for authentication information every time they access a resource.
When a user logs in, a token containing the user information and an expiration time is created and signed with the LTPA keys. All WAS appservers that participate in a protection domain must have synchronized time, date, and time zone. If they do not, LTPA tokens appear to have expired prematurely and cause authentication or validation failures.
The LTPA token is passed to other servers (in the same cell or in a different cell) either through cookies (for Web resources when single signon is enabled) or through the authentication layer (SAS or CSIv2 for enterprise beans). If the receiving server or servers share the same keys as the originating server, the token can be decrypted to obtain the user information, which is then validated to make sure that the token has not expired and that the user named in the token is valid in the receiving server's registry. Upon successful validation, resources in the receiving servers can be accessed.
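The following is an added example, not WAS or IBM code, that models the trust relationship described above: a token carrying user information and an expiration time, signed with keys shared by every server in the cell, and validated by a receiving server against its own clock and the shared registry. It is a simplified model using an HMAC rather than the real LTPA token format (real LTPA tokens are also encrypted and laid out differently); the key values, the two-hour lifetime, the registry contents and the timestamps are all constructed for illustration. The clock-skew scenario shows why unsynchronized servers see "premature" expiry.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed secrets standing in for a cell's LTPA key set. They are not real
# LTPA keys, and this is a simplified model: real LTPA tokens are also encrypted
# and use a different wire format. What is shown is the trust model, not the bytes.
CELL_A_KEY = b"cell-A-shared-secret-illustration-only"
CELL_B_KEY = b"cell-B-never-imported-cell-A-keys"

# Illustrative timeout; in WAS the LTPA token timeout is an administrator setting.
TOKEN_LIFETIME_SECONDS = 120 * 60

# Constructed stand-in for the central, shared user registry (LDAP in practice).
REGISTRY = {"alice", "bob"}


def issue_token(user, now, key, lifetime=TOKEN_LIFETIME_SECONDS):
    """Issuing server: put user info and an expiration time in the token, sign it."""
    body = json.dumps(
        {"user": user, "expires": int(now) + lifetime},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def validate_token(token, now, key, registry=REGISTRY):
    """Receiving server: the checks the text describes, in the order a server
    should apply them. Returns (accepted, detail)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed token"
    # 1. Only a server holding the same keys can produce a matching signature.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch: receiver does not share the issuer's keys"
    claims = json.loads(body)
    # 2. Expiry is judged by the RECEIVER's clock, which is why clocks must agree.
    if now >= claims["expires"]:
        return False, "token expired"
    # 3. The user named in the token must still exist in the shared registry.
    if claims["user"] not in registry:
        return False, "user not found in registry"
    return True, claims["user"]


def demo():
    """Four scenarios from the text; returns the outcome of each."""
    issued_at = 1_700_000_000  # constructed reference time, seconds since epoch
    token = issue_token("alice", issued_at, CELL_A_KEY)
    results = {}
    # Same cell, clocks in sync, a minute later: accepted.
    results["same_cell"] = validate_token(token, issued_at + 60, CELL_A_KEY)
    # Another cell that never imported cell A's keys: rejected.
    results["foreign_cell"] = validate_token(token, issued_at + 60, CELL_B_KEY)
    # Receiver's clock is 3 hours ahead: a fresh 2-hour token looks expired.
    results["clock_skew"] = validate_token(token, issued_at + 3 * 3600, CELL_A_KEY)
    # User removed from the registry after the token was issued: rejected.
    results["deleted_user"] = validate_token(token, issued_at + 60, CELL_A_KEY,
                                             registry={"bob"})
    return results


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:13s} {'accepted' if ok else 'rejected':8s} {detail}")
```

The signature check comes before anything else so that a token from a cell whose keys were never imported is rejected without its contents being trusted; the expiry check runs against the receiver's clock, which is exactly what goes wrong when nodes in a cell drift apart.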
All WAS processes in a cell (cell, nodes, and application servers) share the same set of keys. If keys need to be shared between different cells, they need to be exported from one cell and imported to the other. For security purposes the keys that are exported are encrypted with a user-defined password. This same password is required when keys are imported into another cell.
LTPA is the only authentication mechanism that is supported in the Network Deployment version of WAS. In the Base version, LTPA is supported along with SWAM (Simple WebSphere Authentication Mechanism). When security is enabled for the first time, configuring LTPA is normally the initial step that needs to be performed.
LTPA requires that the configured user registry is a central, shared repository.
This table summarizes the authentication mechanism capabilities and user registries with which LTPA can work:
                Forwardable   SSO   LocalOS         LDAP            Custom
                credentials         User Registry   User Registry   User Registry
SWAM            No            No    Yes             Yes             Yes
LTPA            Yes           Yes   Yes             Yes             Yes
Note: The use of LTPA with the LocalOS user registry is only applicable to configurations where all servers reside on the same iSeries system.