Configuring LTPA in Liberty

You can configure a Liberty server to use a specific Lightweight Third Party Authentication (LTPA) keys file, user-defined password, and expiration time.

Open Liberty In version 20.0.0.5 and later, see the documentation for specifying the Lightweight Third Party Authentication (LTPA) keys on the Open Liberty website.

About this task

The LTPA is configured by default when security is enabled for a Liberty server for the first time. The default location of the automatically generated LTPA keys file is ${server.output.dir}/resources/security/ltpa.keys. The LTPA keys are encrypted with a randomly generated key and a default password of WebAS is initially used to protect the keys. The password is required when importing the LTPA keys into another server. To protect the security of the LTPA keys, you must change the password. When the LTPA keys are exchanged between servers, this password must match across the servers for Single Sign On (SSO) to work.

The default expiration timeout is 120 minutes. The expiration value refers to how long the LTPA tokens are valid before they expire.

To enable dynamic reloading of the LTPA keys when copying an LTPA keys file from another server, you can specify a file monitor interval before copying the LTPA keys file. The monitor interval value refers to how often the LTPA keys file is monitored for updates.

For more information about LTPA, see LTPA concept in Liberty.

Procedure

  1. Configure the <ltpa> element in the server.xml file as follows, replacing the sample values in the example with your values:
    <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword" expiration="120" />
  2. Optional: Set the monitorInterval attribute to check the lpta.keys file for key changes to be dynamically reloaded. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). In the following example, the LTPA keys file is checked for changes to be dynamically reloaded every 5 seconds:
    <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword" 
          expiration="120" monitorInterval="5s" />
  3. Encode the password within the configuration. You can get the encoded value by using the securityUtility encode command.
  4. Optional: Copy an existing LTPA keys file to the location specified in the keysFileName attribute. The default value is ${server.output.dir}/resources/security/ltpa.keys.

    For more information on LTPA keys in the keysFileName element, see Application Security 2.0.