To configure Lightweight Third-Party Authentication (LTPA)
token authentication, collect the LTPA token authentication information.
Do not configure the client for LTPA token authentication unless the
authentication mechanism configured in WebSphere® Application
Server is LTPA.
About this task
Important: There is an important distinction
between Version 5.x and Version 6.0.x and later applications.
This information supports only Version 5.x applications that
are used with WebSphere Application Server Version 6.0.x and
later. It does not apply to Version 6.0.x and
later applications.
Use this task to configure
Lightweight Third-Party Authentication (LTPA) token authentication.
When a client authenticates to a WebSphere Application
Server, the credential created contains an LTPA token. When a web
service calls a downstream web service, you can configure the first
web service to send the LTPA token from the originating client. Do
not attempt to configure LTPA from a pure client. LTPA works only
when you configure the client-side of a web service acting as a client
to a downstream web service. In order for the downstream web service
to validate the LTPA token, the LTPA keys on both servers must be
the same.
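The requirement above that both servers hold the same LTPA keys can be checked offline by comparing key export files taken from the two servers. The following is an added example, not IBM code: the export property names are assumptions about the export file layout, the comparison assumes both exports were protected with the same password, and the sample values are constructed.

```python
import hashlib

# Key fields of an LTPA key export file (property names are an assumption
# about the export layout; they are not given on this page).
KEY_FIELDS = (
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
)

def parse_export(text):
    """Parse Java-properties style text into a dict of name -> value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        name, sep, value = line.partition("=")
        if sep:
            # Java properties escape '=' and ':' inside values.
            props[name.strip()] = value.strip().replace("\\=", "=").replace("\\:", ":")
    return props

def fingerprint(value):
    """Truncated SHA-256 for reports, so key material is never printed."""
    return hashlib.sha256(value.encode("ascii")).hexdigest()[:16]

def compare_exports(text_a, text_b):
    """Return {field: 'match' | 'MISMATCH' | 'missing'} for each key field."""
    a, b = parse_export(text_a), parse_export(text_b)
    result = {}
    for field in KEY_FIELDS:
        if field not in a or field not in b:
            result[field] = "missing"
        else:
            result[field] = "match" if a[field] == b[field] else "MISMATCH"
    return result

def keys_are_shared(text_a, text_b):
    """True only when every key field is present in both exports and equal."""
    return all(v == "match" for v in compare_exports(text_a, text_b).values())

# Constructed sample exports (placeholder values, not real key material).
SERVER1 = """#constructed sample
com.ibm.websphere.ltpa.3DESKey=c2hhcmVkLWtleS1B\\=
com.ibm.websphere.ltpa.PrivateKey=cHJpdi1B
com.ibm.websphere.ltpa.PublicKey=cHViLUE\\=
"""
SERVER2_SAME = SERVER1.replace("#constructed sample", "#second export")
SERVER2_OTHER = SERVER1.replace("cHViLUE", "cHViLUI")  # different public key
```

A `MISMATCH` or `missing` result for any field means the downstream server should not be expected to validate tokens issued by the first server until the keys are synchronized.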
Complete the following steps to specify how to collect
the LTPA token authentication information:
Procedure
- Launch an assembly tool.
For more information,
see the related information on Assembly Tools.
- Switch to the Java™ Platform,
Enterprise Edition (Java EE)
perspective. Click .
- Click .
- Right-click the application-client.xml file,
select .
- Click the WS Bindings tab, which is located at the end of the deployment
descriptor editor within the assembly tool.
- Expand the section.
- Click Edit to view the login binding
information and select LTPA. If LTPA is not
already there, enter it as an option. The login binding dialog is
displayed. Select or enter the following information:
  - Authentication method
    Specifies the type of authentication that occurs. Select LTPA to
    use identity assertion.
  - Token value type URI and token value type local name
    When you select LTPA, you must edit the token value type URI
    (Uniform Resource Identifier) and the local name fields. These fields
    specify values for custom authentication types, which are authentication
    methods not mentioned in the specification. For the token value type URI
    field, enter the following string: https://www.ibm.com/websphere/appserver/tokentype/5.0.2.
    For the local name field, enter the following string: LTPA.
  - Callback handler
    Specifies the Java Authentication and Authorization Service (JAAS)
    callback handler implementation for collecting the LTPA information.
    Specify the com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
    implementation for LTPA.
  - Basic authentication user ID and basic authentication password
    For LTPA, you can leave these fields empty. However, when you
    omit this information, the LTPA CallbackHandler implementation
    attempts to obtain the LTPA token from the invocation (RunAs) credential.
    If an invocation (RunAs) credential does not exist, then the LTPA
    token is not propagated.
  - Property name and property value
    For LTPA, you can leave these fields blank.