IBM Support

Non-Unique Identity in Lightweight Third Party Authentication (LTPA) credentials can cause issues in the downstream consumer

Troubleshooting


Problem

IBM WebSphere DataPower appliance models (XS40, XI50, XI50B, XB60, XM70) have the ability to create WebSphere Application Server (WAS) Lightweight Third Party Authentication (LTPA) credentials in the AAA processing action. An LTPA credential contains a client's identity. When processing requests with IBM WebSphere DataPower appliances, this identity is typically pulled from the client message in the Extract Identity (EI) stage of AAA processing, and then authenticated and authorized prior to creating the LTPA credential in a Post Processing (PP) stage. The LTPA credential is passed downstream as proof of the client's identity. The identity in the LTPA credential should be a Unique Identity for the downstream consumer, e.g. WebSphere Application Server (WAS), to process the LTPA token successfully.

Symptom

As IBM program products continue to enhance credential handling, some credential handling behaviors previously tolerated may no longer be tolerated. With default AAA processing (without the Map Credentials stage), the identity from Extract Identity (EI) is placed into the LTPA credential that is created in the Post Processing (PP) step. In many cases (basic authentication and WS-Security UsernameToken, for example), the identity from the EI stage is a simple userid rather than a unique identity.

A valid LTPA token for WebSphere Application Server (WAS) requires a unique identity. If an LDAP registry is used as the repository, the unique identity is typically a fully-formed LDAP Distinguished Name (DN). If DataPower generates the LTPA token without using the unique identity, WAS may in the future fail to consume the LTPA token generated by DataPower.
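As an added illustration (not from this technote and not DataPower's own code), the Python below models the AAA stages described above: Extract Identity yields only a bare userid from HTTP Basic authentication, a Map Credentials step resolves it to a registry DN, and a guard refuses to hand anything but a fully-formed DN on to the Post Processing step that would create the LTPA credential. The sample registry and the `is_unique_identity` check (an RFC 4514 DN syntax test) are assumptions; authentication and authorization are out of scope.

```python
import base64
import re

# Constructed sample registry (an assumption): maps the simple userid that the
# Extract Identity stage yields to the fully-formed LDAP DN a WAS consumer expects.
REGISTRY = {"alice": "uid=alice,ou=people,dc=example,dc=com"}

# RFC 4514 attribute type: a descriptor such as uid/cn/dc, or a numeric OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")

def _split_unescaped(text, sep):
    """Split on `sep` unless it is backslash-escaped (RFC 4514 escaping)."""
    parts, buf, escaped = [], "", False
    for ch in text:
        if not escaped and ch == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
            escaped = (ch == "\\") and not escaped
    return parts + [buf]

def is_unique_identity(identity):
    """True only for a fully-formed DN: every RDN is attr=value (pairs of a
    multi-valued RDN joined with '+'). A bare userid such as 'alice' fails."""
    if not identity or identity != identity.strip():
        return False
    for rdn in _split_unescaped(identity, ","):
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not _ATTR_TYPE.match(attr.strip()) or not value:
                return False
    return True

def extract_identity(authorization_header):
    """Extract Identity (EI) stage for HTTP Basic auth: yields only a userid."""
    scheme, _, b64 = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(b64).decode().partition(":")[0]

def ltpa_identity(authorization_header, registry=REGISTRY):
    """Map Credentials plus a guard before Post Processing (PP) creates the LTPA
    credential; authentication and authorization are out of scope here."""
    userid = extract_identity(authorization_header)
    identity = registry.get(userid, userid)  # unmapped userid (no Map Credentials) falls through to the guard
    if not is_unique_identity(identity):
        raise ValueError(f"refusing LTPA credential for non-unique identity {identity!r}")
    return identity
```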



Document Information

Modified date:
08 June 2021

UID

swg21446677