You must configure Lightweight Third Party Authentication
(LTPA) or Kerberos when you set up security for the first time.
Procedure
- Open the administrative console.
Type http://fully_qualified_host_name:port_number/ibm/console or http://server_name:port_number/ibm/console to access the administrative console in a web browser.
Port 9060 is the default port number for accessing the administrative console. During installation, however, you might have specified a different port number. Use the appropriate port number.
- Click Security > Global security > Authentication mechanisms and expiration.
- Click LTPA.
- Select the appropriate group from the Key set group field that contains your public, private, and shared LTPA keys.
These keys are used to encrypt and decrypt data that is sent between servers. You can access these key set group configurations using the Key set group link. In the Key set group configuration, you can indicate whether to automatically generate new keys and when to generate them.
- Enter a positive integer in the LTPA timeout value for forwarded credentials between servers field.
This value refers to how long the server credentials from another server are valid before they expire. The default value is 120 minutes. The value in the LTPA timeout value for forwarded credentials between servers field must be greater than the value in the Cache timeout field on the Authentication cache settings panel.
- Enter a password in the Password field.
This password is used to protect the generated keys that are used to encrypt and decrypt the LTPA keys from the SSO properties file. The password is not used to generate keys; it is only used to protect them. During import, this password should match the password used to export the keys at another LTPA server (for example, another application server Cell, Lotus® Domino® Server, and so on). During export, remember this password in order to provide it during the import operation.
Single sign-on across cells can be provided by sharing keys and passwords. To share the keys and password, log on to one cell, specify a key file, and click Export keys. Then, log on to the other cell, specify the key file, and click Import keys.
- Click Apply or OK.
- Optional: Review the settings on the panel. By default, the authentication
cache is enabled. For more information on these fields and values,
see the documentation about authentication cache settings.
Results
The LTPA configuration is now set. The LTPA keys are generated
automatically the first time. Do not generate the LTPA keys in this
step because they are automatically generated later. Proceed with
the rest of the steps that are required to enable security, and start
with single sign-on (SSO), if it is required.
What to do next
After configuring LTPA, you can also complete the following
tasks:
- Generate key files. For more information, see Generating Lightweight Third Party Authentication keys.
- Export key files. For more information, see Exporting Lightweight Third Party Authentication keys.
- Import key files. For more information, see Importing Lightweight Third Party Authentication keys.
- Manage LTPA keys from multiple cells. For more information, see Managing LTPA keys from multiple WebSphere Application Server cells.
- If you are enabling security, you can also enable single sign-on (SSO).
- If you generated a new set of keys or imported a new set of keys, verify that the keys are saved
to the master configuration by clicking Save on the panel. Because LTPA authentication uses
time-sensitive tokens, verify that the time, date, and time zone are synchronized among all of the
product servers that are participating in the protected domain. Changes to the time, date, and time
zone are done independently from WebSphere Application Server. If the clock skew is too high between
servers, the LTPA token seems prematurely expired and causes authentication or validation
failures.
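The two constraints this topic states, that the forwarded-credential timeout must exceed the authentication cache timeout, and that clock skew between servers makes a token appear expired early, are easy to reason about with a small model. The following Python is an added illustration, not IBM code and not the real LTPA token layout; the class and function names, and the constructed principal and timestamps, are assumptions chosen for the example. It shows both the panel-value check and how a receiving server whose clock runs ahead of the issuer sees a shorter validity window than the configured timeout.

```python
"""Added illustration (not IBM product code): how the LTPA timeout panel values
and inter-server clock skew interact. All names here are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class LtpaSettings:
    # "LTPA timeout value for forwarded credentials between servers" (minutes)
    ltpa_timeout_min: int
    # "Cache timeout" on the Authentication cache settings panel (minutes)
    cache_timeout_min: int


def validate_settings(settings):
    """Return a list of problems with the panel values; empty means consistent.

    Mirrors the rules in the procedure: the LTPA timeout is a positive integer
    and must be greater than the authentication cache timeout."""
    problems = []
    if settings.ltpa_timeout_min <= 0:
        problems.append("LTPA timeout must be a positive integer")
    if settings.ltpa_timeout_min <= settings.cache_timeout_min:
        problems.append(
            "LTPA timeout (%d min) must be greater than cache timeout (%d min)"
            % (settings.ltpa_timeout_min, settings.cache_timeout_min))
    return problems


@dataclass
class ForwardedToken:
    """Minimal stand-in for a forwarded credential: the principal and the
    expiry instant stamped by the issuing server's clock (constructed model,
    not the real token format)."""
    principal: str
    expires_at: datetime


def issue_token(principal, issued_at, settings):
    """Issuing server: expiry = its own clock + configured LTPA timeout."""
    return ForwardedToken(
        principal, issued_at + timedelta(minutes=settings.ltpa_timeout_min))


def validate_token(token, receiver_now):
    """Receiving server: accept while the expiry is still in the future
    according to the receiver's own clock."""
    return receiver_now <= token.expires_at


def remaining_validity_seconds(token, issuer_now, receiver_skew):
    """Validity the receiver sees, given its clock runs `receiver_skew`
    ahead of (positive) or behind (negative) the issuer's clock.
    Positive skew eats into the window; enough skew makes a fresh token
    look already expired."""
    receiver_now = issuer_now + receiver_skew
    return (token.expires_at - receiver_now).total_seconds()


if __name__ == "__main__":
    # Constructed sample values.
    cfg = LtpaSettings(ltpa_timeout_min=120, cache_timeout_min=10)
    print("config problems:", validate_settings(cfg))
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    tok = issue_token("user1", t0, cfg)
    for skew_min in (0, 30, 130):
        skew = timedelta(minutes=skew_min)
        print("skew %+d min -> accepted=%s, remaining=%.0fs" % (
            skew_min, validate_token(tok, t0 + skew),
            remaining_validity_seconds(tok, t0, skew)))
```

With the default 120-minute timeout, a receiver 30 minutes ahead still accepts the token but only for 90 minutes, and a receiver 130 minutes ahead rejects a token that was issued a moment ago, which is the "prematurely expired" symptom described above; synchronizing time across the participating servers removes the skew term entirely.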