Operating Systems: i5/OS
Manage LTPA keys from multiple WebSphere Application Server cells
To import and export LTPA keys across multiple WebSphere Application Server
cells, you specify the shared keys and configure the authentication
mechanism that is used to exchange information between servers.
Make sure that the exported key file for the multiple cells
is accessible on the host where WebSphere Application Server is running. You
also need to know the password that was used when the keys were exported.
At runtime, the default key sets are CellLTPASecret and CellLTPAKeyPair. The default key
group is CellLTPAKeySetGroup. After generation, keys are stored in the default
key store CellLTPAKeys.
Overview
Complete the following steps to manage LTPA keys using the administrative
console.
Procedure
- Access the administrative console.
Type http://server_name:port_number/ibm/console to
access the administrative console in a Web browser.
- Verify that all of the WebSphere Application Server processes are
running, including cells, nodes, and all of the application servers.
If any of the servers are down at the time of key generation and then
brought back up later, these servers might contain old keys. Copy the new
set of keys to these servers, then bring them back up.
- Click Security > Secure administration, applications, and infrastructure
> Authentication mechanisms and expiration.
- Type the password for the LTPA keys in the Password field.
Enter a password that is used to encrypt and decrypt the LTPA keys from
the single sign-on (SSO) properties file. During import, this password should
match the password that is used to export the keys at another LTPA server.
During export, remember this password in order to provide it during the import
operation.
- Type the password again in the Confirm password field.
- Select from among the following options:
- Restart the server so that the changes you made become active.
Results
The shared LTPA keys are now available for WebSphere Application
Server to use for secure connections.
What to do next
After the keys are generated or imported, they are used to encrypt
and decrypt the LTPA token. To view the latest key version, see Activating Lightweight Third Party Authentication key versions.
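
A pre-import check for the exported key file, as an added example that is not part of the original page or of IBM's tooling. It assumes the export is a Java properties file using the com.ibm.websphere.ltpa.* property names and that the public key entry is stored without password encryption; it compares public-key fingerprints to spot a server that still holds old keys. The sample contents are constructed placeholders.

```python
import hashlib
import os
import stat

# Property names as found in exported LTPA key files (assumed; not listed on this page).
PUBLIC_KEY = "com.ibm.websphere.ltpa.PublicKey"
REQUIRED = ("com.ibm.websphere.ltpa.3DESKey", "com.ibm.websphere.ltpa.PrivateKey",
            PUBLIC_KEY, "com.ibm.websphere.ltpa.Realm")

# Constructed samples with placeholder values, not real key material.
CELL_A = "#constructed sample\ncom.ibm.websphere.ltpa.3DESKey=QUFB\\=\n" \
         "com.ibm.websphere.ltpa.PrivateKey=QkJC\ncom.ibm.websphere.ltpa.PublicKey=Q0ND\n" \
         "com.ibm.websphere.ltpa.Realm=ldap.example.com\\:389\n"
CELL_B_STALE = CELL_A.replace("Q0ND", "RERE")  # a server still holding old keys


def parse_key_file(text):
    """Parse Java-properties text into a dict, undoing the \\= and \\: escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\=", "=").replace("\\:", ":")
    return props


def fingerprint(props):
    """Short SHA-256 digest of the public key, so no key material is displayed."""
    return hashlib.sha256(props[PUBLIC_KEY].encode("ascii")).hexdigest()[:16]


def check_key_file(path):
    """Return the problems that would block or weaken an import on this host."""
    if not os.access(path, os.R_OK):
        return ["key file is not readable on this host"]
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("key file is accessible to group or others")
    with open(path, encoding="utf-8") as handle:
        props = parse_key_file(handle.read())
    return problems + ["missing property " + k for k in REQUIRED if not props.get(k)]


def same_keys(text_a, text_b):
    """True when two exports carry the same public key, whatever their passwords."""
    return fingerprint(parse_key_file(text_a)) == fingerprint(parse_key_file(text_b))


if __name__ == "__main__":
    print("cells share keys:", same_keys(CELL_A, CELL_B_STALE))
```

Run `check_key_file` on the host that will perform the import, and `same_keys` on fresh exports from two cells after any server that was down during key generation has been brought back up.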
Lightweight Third Party Authentication key sets and key set groups
Related tasks
Exporting Lightweight Third Party Authentication keys
Importing Lightweight Third Party Authentication keys
Disabling automatic generation of Lightweight Third Party Authentication keys
Activating Lightweight Third Party Authentication key versions