You must review the Lightweight Third Party Authentication (LTPA) configuration on your WebSphere® Application Server after you have installed Tivoli® Federated Identity Manager. You can choose to use the default LTPA configuration or modify the configuration so that it is appropriate for your environment.
About this task
The default LTPA configuration is as follows:
- Key set group: The LTPA keys are used to encrypt and decrypt data that is sent between the servers. The keys are stored in sets and the sets are stored in groups. The default key set group is NodeLTPAKeySetGroup.
- Key sets: The default key sets are NodeLTPAKeyPair and NodeLTPASecret.
- Key generation: By default, LTPA keys are automatically generated the first time you start the server after installation. LTPA keys are automatically regenerated every 12 weeks at 2200 hours (on a 24-hour clock) on Sundays.
  Attention: If you are using a separate target application server in your configuration, the LTPA keys must be on both your WebSphere Application Server point of contact server and your target application server. A separate target application server can be a separate WebSphere Application Server, or a server that is supported by the Tivoli Federated Identity Manager Web server plug-in. If you automatically generate keys, keep the keys on the application server in sync with the keys that are generated on your WebSphere Application Server point of contact server. For more information about exporting keys from your WebSphere Application Server and importing them to your application server, see Exporting LTPA key from the point of contact server, and either Importing the LTPA key to the WebSphere Application Server or Copying the LTPA key to the Web server.
- Authentication cache timeout: This value specifies how long an LTPA token is valid, in minutes. The default time is 10 minutes.
- Timeout value for forwarded credentials between servers: This value specifies how long the server credentials from another server are valid before they expire. The default value is 120 minutes.
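The Attention note above requires the LTPA keys on the point of contact server and on a separate target application server to stay in sync, which matters most when the scheduled 12-week regeneration runs on one side only. The following added example (not part of this documentation) compares two exported LTPA key files and reports which fields differ; the property names are those found in a key file written by the WebSphere Application Server LTPA export, the file contents are constructed placeholders rather than real key material, and both files are assumed to have been exported with the same password so that the protected key fields compare equal when the keys match.

```python
# Property names as they appear in an exported LTPA key file.
KEY_FIELDS = (
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
)
REALM_FIELD = "com.ibm.websphere.ltpa.Realm"
DATE_FIELD = "com.ibm.websphere.CreationDate"


def parse_ltpa_keyfile(text):
    """Parse the Java-properties style key file; '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def compare_ltpa_keys(poc_text, target_text):
    """Return (in_sync, findings) for point-of-contact vs. target key files."""
    poc, target = parse_ltpa_keyfile(poc_text), parse_ltpa_keyfile(target_text)
    findings = []
    if poc.get(REALM_FIELD) != target.get(REALM_FIELD):
        findings.append("realm differs: %r vs %r" % (poc.get(REALM_FIELD), target.get(REALM_FIELD)))
    for field in KEY_FIELDS:
        if field not in poc or field not in target:
            findings.append("%s missing from one file" % field)
        elif poc[field] != target[field]:
            findings.append("%s differs (keys regenerated on one server?)" % field)
    if poc.get(DATE_FIELD) != target.get(DATE_FIELD):
        findings.append("creation dates differ: %s vs %s" % (poc.get(DATE_FIELD), target.get(DATE_FIELD)))
    return (not findings, findings)


# Constructed sample files (placeholder values, not real keys). The target copy
# predates the scheduled Sunday 2200 regeneration on the point of contact.
POC_KEYS = """#IBM WebSphere Application Server key file
com.ibm.websphere.CreationDate=Sun Jun 01 22:00:05 GMT 2014
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=POC3DESKEYPLACEHOLDER==
com.ibm.websphere.ltpa.PrivateKey=POCPRIVATEKEYPLACEHOLDER==
com.ibm.websphere.ltpa.PublicKey=POCPUBLICKEYPLACEHOLDER==
com.ibm.websphere.ltpa.Realm=example.com:9443
"""
STALE_TARGET_KEYS = POC_KEYS.replace("POC", "OLD").replace("Jun 01", "Mar 09")
```

Running compare_ltpa_keys(POC_KEYS, STALE_TARGET_KEYS) flags all three key fields and the creation date, which is the signal to re-export from the point of contact and re-import on the target.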
To review or modify these settings, complete the steps in this procedure:
Procedure
- Log on to the console.
- Click . The Secure administration, applications, and infrastructure panel opens.
- On the left, click Authentication mechanisms and expiration. The Configuration tab shows. Use this tab to review or modify the Key set group defined, the authentication cache timeout, and the timeout value for forwarded credentials between servers.
- To modify the key set group and key generation settings, click Key set groups. Change the settings as appropriate for your environment, and then click Apply.
- Return to the previous Configuration tab.
- In the Authentication expiration section of the Configuration tab, review or modify the values in the Authentication cache timeout field and the Timeout value for forwarded credentials between servers field.
- Click Apply when you are done.
- Save the changes to the master configuration file.
What to do next
Continue with the configuration of your environment. For example, continue with Setting up message security.