Configuration of an LTPA junction
Single sign-on to WebSphere with an LTPA cookie requires the following configuration tasks:
- Enable the LTPA mechanism.
- Provide the name of the key file used to encrypt the identity information.
- Provide the password to this key file.
- Ensure the LTPA cookie name for the WebSEAL junction matches the WebSphere LTPA cookie name.
The name of the WebSEAL cookie containing the LTPA token must match the configured name of the LTPA cookie in the WebSphere application. You can configure the jct-ltpa-cookie-name configuration item on a global or per-junction basis. If you do not configure this cookie name, WebSEAL uses the same default values as WebSphere. See Specify the cookie name for junctions.
The first three configuration requirements are specified in the following options to the standard junction and virtual host junction create commands.
- -A: Enable LTPA cookies. LtpaToken and LtpaToken2 are both supported. LtpaToken cookies are specified by default. LtpaToken2 cookies must be specified with the additional -2 option. Also requires the -F and -Z options.
- -2: Specify that LtpaToken2 cookies are used. The -A option without the -2 option specifies that LtpaToken cookies are used.
- -F "keyfile": Name of the key file used to encrypt the identity information in the cookie. The shared key is originally created on the WebSphere server and copied securely to the WebSEAL server.
- -Z "keyfile-password": Password required to open the key file. The password appears as encrypted text in the junction XML file.
Use these options in addition to other required junction options when creating the junction between WebSEAL and the back-end WebSphere server. For example:
pdadmin> server task default-webseald-webseal.ibm.com create ... -A -F "/abc/xyz/key.file" -Z "abcdefg" ...
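As an added illustration (not part of the original IBM documentation), the following Python helper captures the rules above: -A must be accompanied by -F and -Z, -2 selects LtpaToken2 (otherwise LtpaToken), and the cookie name WebSEAL emits must be the one WebSphere expects. It assumes the standard -t tcp, -h host and -p port junction options and builds the pdadmin create line from them; the Set-Cookie header is a constructed sample.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import List, Optional
import shlex

DEFAULT_COOKIE = {1: "LtpaToken", 2: "LtpaToken2"}  # defaults shared with WebSphere
SAMPLE_HEADERS = ["LtpaToken2=abc123; Path=/; Secure; HttpOnly"]  # constructed sample

@dataclass
class LtpaJunction:
    server: str            # pdadmin server name, e.g. default-webseald-webseal.ibm.com
    junction: str          # junction point, e.g. /ws
    backend_host: str      # WebSphere host/port (-h/-p are assumed standard options)
    backend_port: int
    keyfile: str           # -F: key file created on WebSphere and copied to WebSEAL
    keyfile_password: str  # -Z: password that opens the key file
    token_version: int = 1             # 2 adds -2 (LtpaToken2); 1 means LtpaToken
    cookie_name: Optional[str] = None  # jct-ltpa-cookie-name override, if configured

    def expected_cookie_name(self) -> str:
        # Explicit jct-ltpa-cookie-name wins; otherwise the WebSphere default applies.
        return self.cookie_name or DEFAULT_COOKIE[self.token_version]

    def validate(self) -> List[str]:
        """Problems that break SSO: -A needs both -F and -Z."""
        problems = []
        if not self.keyfile:
            problems.append("-A requires -F (key file)")
        if not self.keyfile_password:
            problems.append("-A requires -Z (key file password)")
        return problems

    def pdadmin_command(self) -> str:
        # Build the 'server task ... create' line, shell-quoted.
        errs = self.validate()
        if errs:
            raise ValueError("; ".join(errs))
        parts = ["server", "task", self.server, "create", "-t", "tcp",
                 "-h", self.backend_host, "-p", str(self.backend_port), "-A"]
        if self.token_version == 2:
            parts.append("-2")
        parts += ["-F", self.keyfile, "-Z", self.keyfile_password, self.junction]
        return " ".join(shlex.quote(p) for p in parts)

def has_expected_ltpa_cookie(set_cookie_headers: List[str], jct: LtpaJunction) -> bool:
    """True if a WebSEAL response sets the LTPA cookie under the name WebSphere
    expects; on a mismatch WebSphere ignores the token and re-prompts the user."""
    names = set()
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        names.update(cookie.keys())
    return jct.expected_cookie_name() in names
```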