
Generate Lightweight Third Party Authentication keys

WebSphere Application Server generates LTPA keys automatically during the first server startup. We can generate additional keys as required in the Authentication mechanisms and expiration panel.

At runtime, the default key sets are NodeLTPASecret and NodeLTPAKeyPair. The default key group is NodeLTPAKeySetGroup. After generation, keys are stored in the default key store NodeLTPAKeys.

To generate new LTPA keys in the dmgr console:

  1. Access the dmgr console.

    Type http://fully_qualified_host_name:port_number/ibm/console to access the dmgr console in a web browser.

  2. Verify that all the WAS processes are running, including the cell, nodes, and application servers.

    If any of the servers are down at the time of key generation and are restarted later, those servers might still hold the old keys. After you generate the new keys, copy the new set of keys to these servers before you restart them.

  3. Click Security > Global security > Authentication mechanisms and expiration.

  4. Click LTPA.

  5. Click Generate keys to generate a new set of LTPA keys in the local keystore and update the runtime with the new keys. By default, LTPA keys are regenerated on a schedule every 90 days, configurable to the day of the week. Each new set of LTPA keys is stored in the keystore associated with the key set group. The same password that is already stored in the configuration is used when we generate new keys.

    This step is not necessary when we enable security because, by default, a set of keys is created during the first server startup. However, the keystore should have at least two keys: the old keys can be used for validation while the new keys are being distributed. If any nodes are down during a key generation event, the nodes should be synchronized with the Deployment Manager before restarting the server.

  6. Restart the server for the changes to become active.
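
The same procedure driven from wsadmin instead of the console, as an added example that is not from this page or from IBM's own documentation. It assumes the wsadmin scripting objects (AdminControl, AdminTask, AdminConfig and the AdminNodeManagement script library) and the default key set group name NodeLTPAKeySetGroup given above; the command and parameter names are the ones I know from the KeySetGroupCommands group and are assumptions to check against your release.

```jython
# Added example (not from the page): wsadmin Jython equivalent of the console steps.
# Assumes wsadmin's AdminControl, AdminTask, AdminConfig and AdminNodeManagement.

def running_servers():
    # Step 2: the server MBeans the deployment manager can currently reach.
    # A node whose servers are missing here will end up with old keys and must
    # be synchronized before its servers are restarted.
    names = AdminControl.queryNames('type=Server,*').splitlines()
    return [n for n in names if n]

def generate_ltpa_keys(key_set_group='NodeLTPAKeySetGroup'):
    # Step 5: generate a new key set for the key set group, the same action as
    # "Generate keys" in the LTPA panel; the existing keystore password is reused.
    AdminTask.generateKeyForKeySetGroup('[-keySetGroupName %s]' % key_set_group)
    AdminConfig.save()

def sync_nodes():
    # Push the saved configuration, including the new keys, to every node that
    # is currently active so that the old and new keys overlap during rollout.
    AdminNodeManagement.syncActiveNodes()

servers = running_servers()
print 'Servers reachable before key generation: %d' % len(servers)
for s in servers:
    print '  ' + s
generate_ltpa_keys()
sync_nodes()
print 'New LTPA keys generated and synchronized; restart servers (step 6) to activate.'
```

Run it with `wsadmin -lang jython -f <script>` against the deployment manager; nodes that were down while it ran still need a manual node synchronization before their servers are restarted.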


Results

If the Dynamically update the runtime when SSL configuration changes check box is checked in the dmgr console, then new keys are loaded automatically.

Reminder: Having the check box checked is the default setting. If the Dynamically update the runtime when SSL configuration changes check box is NOT checked in the dmgr console and you want changes that you make to an existing SSL configuration to take effect, restart WebSphere Application Server to use the generated keys. Token generation uses the keys that were last imported. To view the latest key version, see Change the number of active LTPA keys.


Related concepts:

LTPA key sets and key set groups


Related:

Importing LTPA keys
Export LTPA keys
Disable automatic generation of LTPA keys
Change the number of active LTPA keys

