Configuring Lightweight Third Party Authentication (LTPA) and working with keys

You must configure Lightweight Third Party Authentication (LTPA) when you set up security for the first time. LTPA is the default authentication mechanism for WebSphere® Application Server. After you have configured LTPA, you can generate LTPA keys manually or automatically.

Procedure

  1. Configure LTPA and generate the first LTPA keys.
    1. Use the administrative console to configure LTPA or Kerberos when you set up security for the first time. The LTPA keys are generated automatically the first time. Read the Configuring the Lightweight Third Party Authentication mechanism article for more information.
      Application servers distributed in multiple nodes and cells can securely communicate using the LTPA protocol. Key set groups contain lists of key sets and LTPA authentication key generation schedules. Each key set contains key references to keys in key stores. To generate keys automatically, each key set must be a member of a key set group.

      Read the Lightweight Third Party Authentication key sets and key set groups article for more information.

      Some keys must be generated together. The LTPA public/private key pair is referenced in one key set, and the shared secret key is in a separate key set. When the key set group is created, both key sets are added as members of the group, so that the key set group settings determine whether the keys in both key sets are generated together, either automatically on a schedule or manually.

      The key set group contains the following attributes:
      • Member key sets
      • Choice of either manual or automatic key generation in the member key sets
      • Schedule for automatically generating keys
  2. Generate keys manually or automatically, and control the number of active keys.
    1. WebSphere Application Server generates the LTPA keys automatically during the first server startup. You can generate additional keys as you need them in the Authentication mechanisms and expiration panel.
      You can disable the automatic generation of new LTPA keys for key sets that are members of a key set group. Automatic generation creates new keys on the schedule that you specify when you configure the key set group, which manages one or more key sets. WebSphere Application Server uses key set groups so that the cryptographic keys in several key sets are generated together and stay synchronized.

      Generating keys manually, or enabling or disabling key generation, requires you to restart the node agents and application servers so that they accept the new keys. If any node agent is down, run the manual file synchronization utility (syncNode) on that node to synchronize the security configuration from the deployment manager.

      Key sets manage LTPA keys in a key store that is based on a key alias prefix. A key alias prefix is automatically generated when you generate a new key and store it in a key store. Key stores can contain multiple versions of keys for any given key alias prefix. You can specify a maximum number of active keys in the key set configuration.

      Read the Generating Lightweight Third Party Authentication keys article for more information.

  3. Import and export keys.
    1. To support single sign-on (SSO) in WebSphere® Application Server across multiple WebSphere Application Server domains or cells, you must share the LTPA keys and the password among the domains. You can import LTPA keys from other domains and export keys to other domains.
      Note: Disable automatic key generation if you import keys from, or export keys to, another cell. If automatic generation stays enabled, the scheduled generation replaces the imported keys, and the keys you exported no longer interoperate with this cell after the next rotation. The exported key file contains the private key and shared secret protected only by the password you supply, so protect the file and share the password out of band; the importing cell must supply the same password.

      You must recycle the node agents and application servers to accept the new keys. If any of the node agents are down, run a manual file synchronization utility from the node agent machine to synchronize the security configuration from the deployment manager.

      Read the Importing Lightweight Third Party Authentication keys and Exporting Lightweight Third Party Authentication keys articles for more information.

  4. Manage keys from multiple cells.
    1. To import and export LTPA keys across multiple WebSphere® Application Server cells, you specify the shared keys and configure the authentication mechanism that the servers use to exchange information.
      You must restart the server for any changes you make to become active.
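The following wsadmin Jython script is an added example that walks through steps 2 through 4 above from the command line rather than the administrative console; it is not IBM's code and does not come from this page. It assumes the default key set group name CellLTPAKeySetGroup, a placeholder key file path, a placeholder password, and that the KeySetGroup configuration attribute that controls scheduled generation is named autoGenerate (an assumption, verify it with AdminConfig.show on your cell). The same script is run once in the exporting cell and once in each importing cell.

```jython
# Added example, not IBM's code. Run on the deployment manager with:
#   wsadmin.sh -lang jython -f ltpa_share.py export|import|rotate
# Assumptions not stated on the page: key set group name, key file path,
# password and the autoGenerate attribute name are placeholders to adjust.
import sys

KEY_SET_GROUP = 'CellLTPAKeySetGroup'  # default cell-scoped LTPA key set group
KEY_FILE      = 'file:/tmp/ltpa.keys'  # placeholder; holds private key and secret, protect it
KEY_PASSWORD  = 'changeit'             # placeholder; must match in every cell that imports

def disable_auto_generation(name):
    # Stop scheduled rotation so imported or exported keys are not replaced later.
    ksg = AdminConfig.getid('/KeySetGroup:%s/' % name)
    if not ksg:
        raise Exception('key set group %s not found' % name)
    # Assumption: the KeySetGroup attribute is called autoGenerate.
    AdminConfig.modify(ksg, [['autoGenerate', 'false']])

def rotate_keys(name):
    # Manual generation of a new key version in every member key set (step 2).
    AdminTask.generateKeyForKeySetGroup('[-keySetGroupName %s]' % name)

def export_keys(path, password):
    # Step 3: write the current LTPA keys, password-protected, to a file.
    AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (path, password))

def import_keys(path, password):
    # Step 3 in the other cell: load the shared keys with the same password.
    AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]' % (path, password))

def sync_nodes():
    # Push the saved security configuration to every running node agent.
    # Nodes without a running NodeSync MBean (node agent down, or the dmgr node)
    # must be synchronized with syncNode on that host instead.
    for node in AdminConfig.list('Node').splitlines():
        name = AdminConfig.showAttribute(node, 'name')
        mbean = AdminControl.completeObjectName('type=NodeSync,node=%s,*' % name)
        if mbean:
            AdminControl.invoke(mbean, 'sync')
        else:
            print 'node %s: no NodeSync MBean, run syncNode on that host' % name

if len(sys.argv) < 1:
    print 'usage: wsadmin.sh -lang jython -f ltpa_share.py export|import|rotate'
else:
    mode = sys.argv[0]  # wsadmin quirk: argv[0] is the first script argument
    if mode == 'export':
        disable_auto_generation(KEY_SET_GROUP)
        export_keys(KEY_FILE, KEY_PASSWORD)
    elif mode == 'import':
        disable_auto_generation(KEY_SET_GROUP)
        import_keys(KEY_FILE, KEY_PASSWORD)
    elif mode == 'rotate':
        rotate_keys(KEY_SET_GROUP)
    else:
        raise Exception('unknown mode %s' % mode)
    AdminConfig.save()
    sync_nodes()
    print 'restart the node agents and application servers to pick up the new keys'
```

Run the export mode in the source cell, copy the key file to the target cell over a protected channel, run the import mode there, then restart node agents and servers in both cells as step 3 requires. Because both cells now have scheduled generation switched off, a later rotate run must be repeated in every cell, followed by a fresh export and import, or SSO between the cells stops working.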