Understanding Lightweight Third Party Authentication (LTPA) in WebSphere


Lightweight Third Party Authentication (LTPA) is a single sign-on (SSO) protocol. WebSphere uses LTPA tokens for SSO. As an example, when you sign into the WebSphere admin console, an LTPA token is issued. The LTPA token remains active for a period of time (120 minutes by default). For as long as the LTPA token is valid, navigating to the dmgr home page does not require you to authenticate again with a username and password; instead, you are authenticated automatically via the LTPA token.



Configure WebSphere to use LTPA

By default, at Security > Global Security, WebSphere is configured to use LTPA. Selecting LTPA on that page opens the LTPA configuration.



Multiple WebSphere servers

If you have two or more WebSphere servers, and you want to obtain an LTPA token from one of the WebSphere servers and then use that token to be automatically authenticated to the other WebSphere servers, each WebSphere server will need to be configured to use the same type of user registry (federated repository, LDAP, local operating system, custom).

Also, each WebSphere server will need to be configured with an identical realm name. With a federated repository, the default realm name is defaultWIMFileBasedRealm. If you didn't change the realm name, then all of the WebSphere servers should have the same realm name. To verify this, navigate to Security > Global Security > Configure. If you need to change the realm name, the cell (dmgr, nodes, application servers) will need to be restarted for the change to take effect.

With LDAP, the default realm name is the LDAP server hostname and port. Just like with a federated repository, you can verify the realm name at Security > Global Security > Configure.



Timeout

By default, the timeout is 120 minutes. If you change the timeout, the cell (dmgr, nodes, application servers) will need to be restarted for this change to take effect.


When the LTPA token expires, the following event will be found in the SystemOut.log.

SECJ0371W: Validation of the LTPA token failed because the token expired with the following info:
Token expiration: Sun Nov 11 06:51:00 CST 2018
current Date: Sun Nov 11 20:12:40 CST 2019
Token attributes: username=user:defaultRealm/uid=root,o=defaultWIFFileBasedRealm
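The SECJ0371W message above is the signal a defender can watch for in SystemOut.log, and the token attributes it prints carry the realm name that the "Multiple WebSphere servers" section says must match across the SSO domain. The following script is an added example, not code from the original article or from IBM: it parses SECJ0371W events out of a constructed SystemOut.log excerpt (the timestamps, hostnames and user ids are invented), reports how long each token had been expired before it was presented, and flags any token whose realm differs from the realm you have configured at Security > Global Security > Configure. The script name ltpa_expired.py and the configured realm passed to unexpected_realms are assumptions for the example.

```python
"""Find expired-LTPA-token events (SECJ0371W) in a WebSphere SystemOut.log.

Added example, not part of the original article. The log excerpt below is
constructed to mirror the SECJ0371W message shape the article shows; its
timestamps, hostnames and user ids are invented.
"""
import re
import sys
from datetime import datetime
from typing import Dict, List

# Constructed SystemOut.log excerpt: two expired-token events and one
# unrelated line. Nothing here comes from a real server.
SAMPLE_LOG = """\
[11/11/18 20:12:40:123 CST] 00000057 LTPAServerObj W   SECJ0371W: Validation of the LTPA token failed because the token expired with the following info:
Token expiration: Sun Nov 11 06:51:00 CST 2018
current Date: Sun Nov 11 20:12:40 CST 2018
Token attributes: username=user:defaultWIMFileBasedRealm/uid=root,o=defaultWIMFileBasedRealm
[11/11/18 20:13:02:456 CST] 00000058 LTPAServerObj W   SECJ0371W: Validation of the LTPA token failed because the token expired with the following info:
Token expiration: Sun Nov 11 18:00:00 CST 2018
current Date: Sun Nov 11 20:13:02 CST 2018
Token attributes: username=user:ldaphost.example.com:389/uid=alice,ou=people,o=example
[11/11/18 20:14:00:000 CST] 00000059 SystemOut     O   unrelated application output
"""

# One SECJ0371W event spans four consecutive lines. Capture the two dates and
# split the accessId ("user:<realm>/<unique id>") into realm and id.
EVENT_RE = re.compile(
    r"SECJ0371W:[^\n]*\n"
    r"Token expiration: (?P<expiration>[^\n]+)\n"
    r"current Date: (?P<current>[^\n]+)\n"
    r"Token attributes: username=user:(?P<realm>[^/\n]+)/(?P<user_id>[^\n]+)"
)

JAVA_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_java_date(text: str) -> datetime:
    """Parse the java.util.Date.toString() form used in the message.

    The zone abbreviation (e.g. CST) is dropped before parsing because
    strptime's %Z only accepts the local machine's zone names. Both dates in
    one event carry the same zone, so the difference between them is exact.
    """
    parts = text.split()
    without_zone = " ".join(parts[:4] + parts[5:])
    return datetime.strptime(without_zone, JAVA_DATE_FMT)


def parse_secj0371w(log_text: str) -> List[Dict]:
    """Return one record per SECJ0371W event found in the log text."""
    events = []
    for m in EVENT_RE.finditer(log_text):
        expiration = parse_java_date(m.group("expiration"))
        current = parse_java_date(m.group("current"))
        events.append({
            "expiration": expiration,
            "current": current,
            "expired_for": current - expiration,  # how stale the token was
            "realm": m.group("realm"),
            "user_id": m.group("user_id"),
        })
    return events


def unexpected_realms(events: List[Dict], configured_realm: str) -> List[Dict]:
    """Events whose token names a realm other than the one this cell uses.

    SSO across servers requires identical realm names, so a token carrying a
    different realm is a quick pointer to a server that is not aligned.
    """
    return [e for e in events if e["realm"] != configured_realm]


def summarize(events: List[Dict]) -> List[str]:
    """One line per event, for a quick report."""
    return [
        f"{e['user_id']} (realm {e['realm']}): expired "
        f"{int(e['expired_for'].total_seconds() // 60)} min before validation"
        for e in events
    ]


if __name__ == "__main__":
    # Usage: python3 ltpa_expired.py [/path/to/SystemOut.log]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    found = parse_secj0371w(text)
    for line in summarize(found):
        print(line)
    # Replace the realm below with the value shown at
    # Security > Global Security > Configure on your cell (assumed here).
    for e in unexpected_realms(found, "defaultWIMFileBasedRealm"):
        print(f"realm mismatch: {e['realm']} for {e['user_id']}")
```

Run without arguments to see the output for the constructed sample, or pass the path of a real SystemOut.log. A steady trickle of SECJ0371W events is normal once tokens outlive the 120-minute timeout; a burst of them, or tokens that were expired by many hours, is worth a closer look, and a realm that does not match the configured one points straight at the realm alignment requirement described earlier.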



Encryption

LTPA tokens are encrypted using a public certificate and private key. The keystore that contains the public certificate and private key can be viewed by navigating to Security > Global Security > LTPA. In this example, CellLTPAKeySetGroup contains the keystore.


Selecting Key set groups > CellLTPAKeySetGroup > Key sets > CellLTPAKeys will display the keystore being used. In this example, the ltpa.jceks file is the keystore that contains the public certificate and private key.
