Lightweight Third Party Authentication (LTPA) is a single-sign on (SSO) protocol. By default, WebSphere uses LTPA for SSO. As an example, when you sign into the WebSphere admin console, an LTPA token will be issued. The LTPA token will remain active for a period of time (120 minutes by default). For the lifespan of the LTPA token, when you navigate to the WebSphere admin console, you will not need to authenticate again by providing a username and password. Instead, you will be authenticated via the LTPA token.
Configure WebSphere to use LTPA
By default, at Security > Global Security, WebSphere is configured to use LTPA. Selecting LTPA will let you configure LTPA.
Get LTPA token
By default, the log level is *=info. At this level, the LTPA token is not recorded in SystemOut.log or the HPEL log. Setting the log level to fine, finer, or finest causes the LTPA token to be recorded in the log, like this.
Or, you can get the LTPA token by viewing the web browser cookies.
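Because a fine, finer, or finest log level writes the token value into SystemOut.log, a defender will want to know whether an existing log already contains LtpaToken2 values and to redact them before the log is shared. The following check is an added example, not code from the original post or from WebSphere; the log line layout and token values are constructed for the demo, and only the LtpaToken2 cookie name comes from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines (not real WebSphere output). The entry layout is an
# assumption; LtpaToken2 is the cookie name WebSphere uses for LTPA SSO.
SAMPLE_LOG = """\
[3/4/24 10:12:01:123 UTC] 00000042 WebCollaborat 3   Checking request for an LTPA cookie
[3/4/24 10:12:01:125 UTC] 00000042 WebCollaborat 3   Cookie header: LtpaToken2=Q2hKZFhuMlpwb3RPRHZrZnVLL1dTUT09PT0=; JSESSIONID=0000ABCD; Path=/
[3/4/24 10:12:01:130 UTC] 00000042 WebCollaborat 3   LTPA token validated for subject wasadmin
[3/4/24 10:13:44:002 UTC] 00000051 WebCollaborat 3   Set-Cookie: LtpaToken2=ZmFrZXRva2VudmFsdWVmb3JkZW1vb25seQ==; Path=/; HttpOnly
"""

# An LtpaToken2 value is base64 text: letters, digits, '+', '/', then optional '=' padding.
TOKEN_RE = re.compile(r"(LtpaToken2=)([A-Za-z0-9+/]+=*)")


def find_tokens(log_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, token value) for each LTPA token found in the log."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            hits.append((lineno, match.group(2)))
    return hits


def redact_tokens(log_text: str) -> str:
    """Replace every token value with a fixed marker so the log can be handed on safely."""
    return TOKEN_RE.sub(lambda m: m.group(1) + "<REDACTED>", log_text)


def scan_log(log_text: str) -> Dict[str, object]:
    """Summarise token leakage: total hits, distinct values, affected lines, redacted copy."""
    hits = find_tokens(log_text)
    return {
        "count": len(hits),
        "distinct": len({token for _, token in hits}),
        "lines": [lineno for lineno, _ in hits],
        "redacted": redact_tokens(log_text),
    }


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    print(f"{report['count']} LtpaToken2 value(s) found on lines {report['lines']}")
    print(report["redacted"])
```

Run it against a real SystemOut.log (or an HPEL export) after trace has been enabled; a non-zero count means the log must be treated as a credential and the token's 120-minute lifetime counted from the newest hit.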
Destroying LTPA token
Following are the three most common events that will cause the LTPA token to be destroyed.
Closing only the browser tab for the WebSphere admin console, while leaving the other browser tabs open, will not destroy the LTPA token, because this action does not remove the LtpaToken2 cookie from the browser's cache.
Sharing LTPA between WebSphere servers
If you have two or more WebSphere servers, you can create an LTPA key on one of them and then use that LTPA key to be automatically authenticated to the other WebSphere servers.
By default, LTPA tokens are encrypted using a public certificate and private key. In this example, the ltpa.jceks file is the keystore that contains the public certificate and private key used to encrypt LTPA tokens.