
Configure LTPA and working with keys

Configure LTPA when we set up security for the first time. LTPA is the default authentication mechanism for WebSphere Application Server. After LTPA is configured, we can generate LTPA keys manually or automatically, control how many keys stay active, and import or export keys so that other cells can validate the same tokens.


Tasks

  1. Configure LTPA and generate the first LTPA keys.

    1. Use the administrative console to configure LTPA or Kerberos when we set up security for the first time; the LTPA keys are generated automatically the first time. Read the Configure the LTPA mechanism article for more information. Application servers distributed across multiple nodes and cells can communicate securely using the LTPA protocol. Key set groups contain lists of key sets and the LTPA key generation schedule. Each key set contains references to keys in key stores. To generate keys automatically, each key set must be a member of a key set group.

      Read the LTPA key sets and key set groups article for more information.

      The keys for some key configurations must be generated together. The LTPA public/private key pair is referenced in one key set while the shared secret key is in a separate key set, and a token is only usable by a server that holds both the secret key that encrypted it and the key pair that signed it. When the key set group is created, the two key sets are added as members of the key set group, and the key set group settings determine whether the keys for both key sets are generated together automatically or manually.

      The key set group contains the following attributes:

      • Member key sets
      • Choice of either manual or automatic key generation in the member key sets
      • Schedule for automatically generating keys

  2. Generate keys manually or automatically, and control the number of active keys.

    1. WAS generates LTPA keys automatically during the first server startup. We can generate additional keys as we need them in the Authentication mechanisms and expiration panel. We can also disable the automatic generation of new LTPA keys for key sets that are members of a key set group. Automatic generation creates new keys on the schedule specified when we configure the key set group, which manages one or more key sets; WAS uses key set groups so that several key sets can be generated together and stay synchronized.

      Generating keys manually, and enabling or disabling automatic generation, are tasks that require us to recycle the node agents and application servers so they accept the new keys. If any node agent is down, run the manual file synchronization utility (syncNode) on that node's machine to synchronize the security configuration from the deployment manager before restarting it.

      Key sets manage LTPA keys in a key store based on a key alias prefix. A new versioned alias under that prefix is generated each time we generate a key and store it in the key store, so a key store can contain multiple versions of keys for any given key alias prefix. We can specify a maximum number of active keys in the key set configuration; keeping more than one key active lets tokens issued under a previous key remain valid until that key drops out of the set.

      Read the Generate Lightweight Third Party Authentication keys article for more information.

  3. Import and export keys.

    1. To support single sign-on (SSO) in WebSphere Application Server across multiple WAS domains or cells, share the LTPA keys and the password among the domains. We can import LTPA keys from other domains and export keys to other domains. The password protects the key material in the exported file, so the importing cell must be given the same password that was used for the export.

      We should disable automatic key generation in every cell that imports or exports keys to or from another cell. Otherwise the next scheduled generation replaces the imported keys, and the exported keys no longer interoperate with this cell over time.

      Recycle the node agents and application servers so they accept the new keys. If any node agent is down, run the manual file synchronization utility (syncNode) on that node's machine to synchronize the security configuration from the deployment manager.

      Read the Importing Lightweight Third Party Authentication keys and Exporting Lightweight Third Party Authentication keys articles for more information.

  4. Manage keys from multiple cells.

    1. To import and export LTPA keys across multiple WebSphere Application Server cells, we specify the shared keys and configure the authentication mechanism used to exchange information between servers. We must restart the servers for any changes we make to become active.

      Read the Managing LTPA keys from multiple WAS cells article for more information.
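      The warning in steps 3 and 4 (imported keys silently replaced, cells drifting apart) is easiest to catch by exporting the keys from both cells and comparing the two files. The script below is an added example for this page, not WebSphere code or an IBM tool. It assumes the exported file is the Java .properties file written by the export action and carries the property names listed in KEY_PROPS and CONTEXT_PROPS, and that both cells exported with the same password (the 3DESKey and PrivateKey values are stored encrypted under it, so different passwords would make identical keys look different). The two sample exports are constructed placeholders, not real key material, and nothing but short fingerprints is ever printed.

```python
"""Check whether LTPA key exports from two WebSphere cells will interoperate.

Added example, not part of WebSphere. Assumptions: the files are the Java
.properties output of the LTPA export action with the property names below,
and both exports used the same password. Secrets are never printed.
"""
import hashlib
import hmac

KEY_PROPS = (
    "com.ibm.websphere.ltpa.3DESKey",     # shared secret: encrypts/decrypts tokens
    "com.ibm.websphere.ltpa.PrivateKey",  # signs tokens
    "com.ibm.websphere.ltpa.PublicKey",   # verifies token signatures (not encrypted)
)
REALM = "com.ibm.websphere.ltpa.Realm"
CONTEXT_PROPS = ("com.ibm.websphere.CreationDate", "com.ibm.websphere.CreationHost",
                 "com.ibm.websphere.ltpa.version")

# Constructed sample exports (placeholder base64, not real keys). Cell B once
# imported cell A's keys, then automatic generation replaced its shared secret.
CELL_A = """\
#IBM WebSphere Application Server key file
com.ibm.websphere.CreationDate=Mon Mar 04 09\\:12\\:41 UTC 2024
com.ibm.websphere.CreationHost=dmgr-a.example.test
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=MTIzNDU2Nzg5MA\\=\\=
com.ibm.websphere.ltpa.PrivateKey=UFJJVkFURQ\\=\\=
com.ibm.websphere.ltpa.PublicKey=UFVCTElDS0VZ
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
"""
CELL_B = """\
#IBM WebSphere Application Server key file
com.ibm.websphere.CreationDate=Tue Apr 02 03\\:00\\:07 UTC 2024
com.ibm.websphere.CreationHost=dmgr-b.example.test
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=OTg3NjU0MzIxMA\\=\\=
com.ibm.websphere.ltpa.PrivateKey=UFJJVkFURQ\\=\\=
com.ibm.websphere.ltpa.PublicKey=UFVCTElDS0VZ
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
"""


def _unescape(s):
    """Resolve Java .properties backslash escapes such as '\\=' and '\\:'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _split_kv(line):
    """Split at the first unescaped '=' or ':' (escaped ones belong to the key)."""
    key, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            key.append(line[i + 1])
            i += 2
            continue
        if ch in "=:":
            break
        key.append(ch)
        i += 1
    return "".join(key).strip(), _unescape(line[i + 1:].lstrip())


def parse_properties(text):
    """Minimal .properties reader: comments, escapes, one key=value per line
    (line continuations are not needed for ltpa.keys and are not handled)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, val = _split_kv(line)
        props[key] = val
    return props


def fingerprint(value):
    """Short SHA-256 of the stored value: safe to log, still detects a change."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def compare_cells(a, b):
    """Classify each key property as match / differ / missing; check the realm."""
    report = {"match": [], "differ": [], "missing": [],
              "realm_match": a.get(REALM) is not None and a.get(REALM) == b.get(REALM),
              "context": {p: (a.get(p), b.get(p)) for p in CONTEXT_PROPS}}
    for name in KEY_PROPS:
        va, vb = a.get(name), b.get(name)
        if va is None or vb is None:
            report["missing"].append(name)
        elif hmac.compare_digest(va.encode("utf-8"), vb.encode("utf-8")):
            report["match"].append(name)
        else:
            report["differ"].append(name)
    return report


def interoperable(report):
    """SSO across the two cells needs every key and the realm name to agree."""
    return not report["differ"] and not report["missing"] and report["realm_match"]


def diagnose(report):
    """One finding per line; an empty list means the exports interoperate."""
    out = []
    if "com.ibm.websphere.ltpa.3DESKey" in report["differ"]:
        out.append("shared secret differs: tokens encrypted by one cell cannot be decrypted by the other")
    if {"com.ibm.websphere.ltpa.PrivateKey", "com.ibm.websphere.ltpa.PublicKey"} & set(report["differ"]):
        out.append("key pair differs: token signatures will not verify across cells")
    for name in report["missing"]:
        out.append("property missing from one export: %s" % name)
    if not report["realm_match"]:
        out.append("realm differs or missing: SSO requires the same realm name")
    da, db = report["context"]["com.ibm.websphere.CreationDate"]
    if out and da != db:
        out.append("creation dates differ (%s vs %s): keys regenerated after the import?" % (da, db))
    return out


if __name__ == "__main__":
    a, b = parse_properties(CELL_A), parse_properties(CELL_B)
    for name in KEY_PROPS:  # fingerprints only, never the stored values
        print("%-38s A=%s B=%s" % (name, fingerprint(a[name]), fingerprint(b[name])))
    rep = compare_cells(a, b)
    print("interoperable:", interoperable(rep))
    for line in diagnose(rep):
        print(" -", line)
```

      Run it against real exports by replacing CELL_A and CELL_B with the file contents of the two exports; a non-empty diagnosis after an import means the keys were regenerated on one side, which is exactly the case the warning above describes, and the fix is to disable automatic generation in both cells and re-import.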


Related:

  • LTPA key sets and key set groups
  • Configure the LTPA mechanism
  • Generate LTPA keys
  • Import LTPA keys
  • Manage LTPA keys from multiple WAS cells
  • Export LTPA keys