Configure Lightweight Third Party Authentication keys
Generating keys
Lightweight Third Party authentication (LTPA) keys are automatically generated when a password change is detected. The first time that you set the LTPA password, as part of enabling security, the LTPA keys are automatically generated after OK or Apply is clicked in the LTPA panel. You do not have to click Generate Keys in this situation. Complete the following steps in the administrative console to generate a new set of LTPA keys.
- Access the administrative console
- Verify that all the WAS processes are running (cell, nodes, and all of the appservers).If any of the servers are down at the time of key generation and then brought back up later, these servers might contain old keys. Copy the new set of keys to these servers to bring them back up.
- Click...
Security | Authentication mechanisms | LTPA- Click Generate Keys if you want to use the existing password. This action generates a new set of keys that are encrypted with the same password as the old set of keys.Regardless of the password change, a new set of keys is generated when you click Generate Keys. This new set of keys is not propagated to the run time unless saved; save the files immediately.
- Enter the new password and confirm it, to use a new password to generate keys. Click OK or Apply. A new set of keys is generated. A message indicating that a new set of keys is generated displays on the console. Do not click Generate Keys. These new keys are propagated to the run time once you save them.
- Click Save to save the keys.After a new set of keys is generated and saved, the key propagation is dynamic. All of the processes running at that time (cells, node agents, appservers) are updated with the new set of keys. The next sections describe the process of exporting and importing the keys.
Exporting keys
To support single signon in WAS across multiple WAS domains or cells, share the LTPA keys and the password among the domains. Verify that the time on the domains is similar to prevent the tokens from appearing as expired between the cells. Use Export Keys to export the LTPA keys to other domains or cells. Complete the following steps in the administrative console to export key files for LTPA.
- Access the administrative console
- Click...
Security | Authentication mechanisms | LTPA- In the Key File Name field, enter the full path of a file for key storage. This file needs write permissions.
- Click Export Keys.
A file is created with the LTPA keys. Exporting keys fails if a new set of keys is generated or imported and not saved prior to exporting. To avoid failure, make sure that you save the new set of keys (if any) prior to exporting them.
- Click Save to save the configuration.
Importing keys
To support single signon in WAS across multiple WAS domains or cells, share the LTPA keys and the password among the domains. Use Import Keys to import the LTPA keys from other domains. Verify that key files are exported from one of the cells involved, into a file. Complete the following steps in the administrative console to import key files for LTPA.Importing keys is a dynamic operation. All of the servers that are running at this time are updated with the new set of keys. Any back-level tokens signed with the back-level keys fail validation and the user is prompted to log in again.
- Access the administrative console
- Click...
Security | Authentication mechanisms | LTPA- Change the password in the password fields to match the password in the cell from which you are importing the keys.
- Click Save to save the new set of keys in the repository. This step is important to complete before importing the keys. If the password and the keys do not match, the servers fail. If the servers fail, turn off security and redo these steps.
- In the Key File Name field, enter the full path of a file for key storage. This file needs read permissions.
- Click Import Keys. The keys are now imported into the system.
- Click Save to save the new set of keys in the repository. It is important to save the new set of keys to match the new password so that no problems are encountered starting the servers later.