Changing the LTPA key used for single sign-on

The Lightweight Third Party Authentication (LTPA) security protocol requires that z/OSMF servers share a cryptographic key to establish a single sign-on (SSO) environment. The LTPA keys file is encrypted with a randomly generated key and is protected with a user-defined password. The default password is WebAS. For security purposes, it is recommended that you change the default password before enabling SSO. You might also be required to change the password periodically to conform with your installation's security policy.

Before you begin

Ensure that your web browser is connected to the primary z/OSMF instance.

Procedure

By default, only a z/OSMF Administrator can change the LTPA key password. To do so, complete the following steps:

  1. From the Actions menu in the Systems table, select Change LTPA Key to display the Change LTPA Key page. This action is listed only if you are authorized to change the LTPA key password.
  2. In the New LTPA key field, enter the password to be used to protect the LTPA keys file.
  3. In the Confirm new LTPA key field, re-enter the password. The values must match to proceed.
  4. Click OK to save the new password. A message is displayed indicating whether the request was successful. If the request succeeded, a notification is added to the Notifications task indicating that the primary z/OSMF server must be restarted to generate a new LTPA key.
  5. Restart the primary z/OSMF server to generate a new LTPA key, which z/OSMF will protect using the specified password.

What to do next

Invoke the Enable Single Sign-on action to use the new key on the systems listed in the Systems field or on any system for which you want to enable single sign-on. For more details about enabling SSO, see Enabling single sign-on.

Important: If you do not re-enable SSO for the systems listed, SSO will be disabled because the LTPA key used on the primary system will not be the same as the LTPA key used on the secondary systems.
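The two conditions this procedure turns on are checkable: the new password must match its confirmation and should no longer be the default WebAS (steps 2 through 4), and after the restart the primary and every secondary must hold the same LTPA key or SSO silently breaks (the Important note above). The following Python script is an added example, not part of the z/OSMF documentation or product; it assumes the LTPA keys file is a Java-properties style file whose key material lives in properties prefixed com.ibm.websphere.ltpa. (the Liberty ltpa.keys layout), and the file contents and system names it uses are constructed samples.

```python
"""Added example: validate an LTPA password change and detect secondary
z/OSMF systems whose LTPA key no longer matches the primary's."""
import hashlib

DEFAULT_LTPA_PASSWORD = "WebAS"  # default named in the z/OSMF documentation


def validate_new_ltpa_password(new_password: str, confirm_password: str) -> list[str]:
    """Return a list of problems with the requested change; empty means acceptable."""
    problems = []
    if not new_password:
        problems.append("password is empty")
    if new_password != confirm_password:
        problems.append("new password and confirmation do not match")
    if new_password == DEFAULT_LTPA_PASSWORD:
        problems.append("new password is still the default WebAS")
    return problems


def parse_ltpa_keys(text: str) -> dict[str, str]:
    """Parse key=value lines of an ltpa.keys file (assumed Liberty layout:
    one property per line, '#' starts a comment)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def key_fingerprint(props: dict[str, str]) -> str:
    """SHA-256 over the key-material properties only, in sorted order, so two
    copies that differ just in comments or creation date compare equal."""
    h = hashlib.sha256()
    for key, value in sorted(props.items()):
        if key.startswith("com.ibm.websphere.ltpa."):
            h.update(f"{key}={value}\n".encode())
    return h.hexdigest()


def systems_needing_sso_reenable(primary_keys: str, secondaries: dict[str, str]) -> list[str]:
    """Names of secondary systems whose LTPA key differs from the primary's;
    these are the systems on which Enable Single Sign-on must be run again."""
    primary_fp = key_fingerprint(parse_ltpa_keys(primary_keys))
    return sorted(name for name, text in secondaries.items()
                  if key_fingerprint(parse_ltpa_keys(text)) != primary_fp)


# Constructed sample keys files (not real key material).
PRIMARY_KEYS = """# constructed sample: primary after restart with the new key
com.ibm.websphere.CreationDate=Mon Jan 01 00:00:00 GMT 2024
com.ibm.websphere.ltpa.3DESKey=CONSTRUCTED_NEW_3DES_AAAA
com.ibm.websphere.ltpa.PrivateKey=CONSTRUCTED_NEW_PRIVATE_BBBB
com.ibm.websphere.ltpa.PublicKey=CONSTRUCTED_NEW_PUBLIC_CCCC
com.ibm.websphere.ltpa.Realm=defaultRealm
"""

SECONDARY_KEYS = {
    # SYS1 received the new key (same material, different creation date)
    "SYS1": PRIMARY_KEYS.replace("Jan 01", "Jan 02"),
    # SYS2 still holds the key generated before the password change
    "SYS2": PRIMARY_KEYS.replace("CONSTRUCTED_NEW", "CONSTRUCTED_OLD"),
}

if __name__ == "__main__":
    print("password check:", validate_new_ltpa_password("WebAS", "WebAS"))
    print("re-enable SSO on:", systems_needing_sso_reenable(PRIMARY_KEYS, SECONDARY_KEYS))
```

Run after the primary restart with the real keys file contents of each system in place of the constructed samples; any system the second function names is one where the Important note applies and SSO must be re-enabled.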