Sharing LTPA keys

You must configure lightweight third party authentication (LTPA) to forward credentials to, and support single sign-on with, servers in other cells in your environment. LTPA keys must be shared among all cells in your environment. LTPA key exchange is required to enable single sign-on when the IBM® Business Monitor server is in a separate cell from the dashboard server. An example of this environment is when a web page is requested from one server and data is requested from another server. LTPA key exchange is also necessary when the IBM Business Monitor server is in a separate cell from the emitting common event infrastructure (CEI) cell.

Before you begin

Before completing this task, you should have completed the following tasks:
  • Logged in to the administrative console
  • For WebSphere® Portal, configured one of the following user registry settings:
    • Custom
    • LDAP
  • For IBM Business Monitor servers, configured a federated repository.

About this task

The same LTPA keys must be used by all the cells in your environment. Select one cell to generate and export the keys. The other cells must import the exported keys.

Complete the following steps to import or export LTPA keys:

Procedure

  1. Export the LTPA key to a file.
    1. Log in to the administrative console of the cell that you have selected to export the LTPA key from.
    2. In the navigation panel, click Security > Global security.
    3. Under Authentication mechanisms and expiration, click LTPA.
    4. In the Cross-cell single sign-on section, enter a password in both the Password and Confirm Password fields. This password is used to encrypt the LTPA keys contained in the exported key file.
    5. In the Fully qualified key file name field, specify the fully qualified path to the location where you want the LTPA key file to reside on the file system of the deployment manager node. The deployment manager process must have write permission to the file. For example, the file name might be C:\LTPA.key.
    6. Click Export keys and export the LTPA key to the fully qualified key file name previously specified.
  2. For each other cell, import the key.
    1. Copy the previously exported LTPA key file to a location on the file system of the deployment manager node.
    2. Log in to the administrative console of the cell that you have selected to import the LTPA key to.
    3. In the navigation panel, click Security > Global security.
    4. Under Authentication mechanisms and expiration, click LTPA.
    5. In the Cross-cell single sign-on section, enter the password that was used to export the LTPA key in both the Password and Confirm Password fields. This password is used to decrypt the LTPA keys contained in the exported key file.
    6. In the Fully qualified key file name field, specify the fully qualified path to the location where the LTPA key file resides on the file system of the deployment manager node. The deployment manager process must have permission to read the file. For example, the file name might be C:\LTPA.key.
    7. Click Import keys to import the LTPA key from the fully qualified key file name previously specified.
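As an added check that is not part of the IBM documentation: after every cell has imported the key, export from each cell again (using the same password, since the key values in the file are encrypted under it) and compare the files. The Python below parses the Java-properties layout of an exported LTPA key file and reports which key fields differ; the sample files and their key values are constructed, and the property names are those found in exported LTPA key files.

```python
# Fields that carry the key material; CreationDate and CreationHost legitimately differ per export.
KEY_FIELDS = (
    "com.ibm.websphere.ltpa.Realm",
    "com.ibm.websphere.ltpa.PublicKey",
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
)

def parse_ltpa_key_file(text):
    """Parse the Java .properties layout of an exported LTPA key file.
    '=' and ':' inside values are backslash-escaped (base64 padding appears as '\\=')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, value, escaping = [], [], False
        target = key
        for ch in line:
            if escaping:  # previous char was '\': take this one literally
                target.append(ch)
                escaping = False
            elif ch == "\\":
                escaping = True
            elif target is key and ch in "=:":
                target = value  # first unescaped separator ends the key
            else:
                target.append(ch)
        props["".join(key).strip()] = "".join(value).strip()
    return props

def compare_ltpa_exports(text_a, text_b):
    """Return the key fields that differ between two exported files (empty list = keys are shared)."""
    a, b = parse_ltpa_key_file(text_a), parse_ltpa_key_file(text_b)
    return [f for f in KEY_FIELDS if a.get(f) != b.get(f)]

# Constructed sample exports (fake, truncated base64) standing in for two cells after the import.
MONITOR_CELL = """#IBM WebSphere Application Server key file
com.ibm.websphere.CreationDate=Mon Jan 01 10\\:00\\:00 EST 2024
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=QUJDREVGR0hJSktMTU5PUA\\=\\=
com.ibm.websphere.CreationHost=monitorDmgr
com.ibm.websphere.ltpa.PrivateKey=UFJJVkFURUtFWQ\\=\\=
com.ibm.websphere.ltpa.PublicKey=UFVCTElDS0VZ\\=
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
"""
PORTAL_CELL = MONITOR_CELL.replace("monitorDmgr", "portalDmgr").replace("10\\:00", "11\\:00")
if __name__ == "__main__":
    print("fields that differ:", compare_ltpa_exports(MONITOR_CELL, PORTAL_CELL))  # expect []
```

A non-empty result means the cells are not using the same LTPA keys (or the exports used different passwords); a differing Realm field is worth resolving before relying on cross-cell single sign-on.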