
If you are not familiar with SSO and LTPA, check out our getting started article.
By default, LTPA tokens are encrypted using a public certificate and private key. The key set group being used can be viewed by navigating to Security > Global Security > LTPA. In this example, CellLTPAKeySetGroup is the key set group being used.
Selecting Key set groups > CellLTPAKeySetGroup > key sets > CellLTPAKeys will display the keystore being used. In this example, the ltpa.jceks file is the keystore that contains the public certificate and private key.
The contents of ltpa.jceks can be viewed on the command line. Be aware that you must use the Java keytool that is bundled with WebSphere, because that keytool includes the com.ibm.ws.security.ltpa.LTPAKeyPairGenerator class, which is needed to read the contents of the ltpa.jceks keystore.
${WAS_INSTALL_ROOT}/java/your_version/bin/keytool -list -keystore ${CONFIG_ROOT}/cells/DmgrCell01/ltpa.jceks -storetype jceks -storepass WebAS
This will show that the ltpa.jceks keystore contains 3 entries: the LTPA secret key, the private key, and the public certificate.
Alias name: ltpasecret_1
Creation date: June 10, 2018
Entry type: SecretKeyEntry
*********************************************
*********************************************
Alias name: ltpakeypair_1_private
Creation date: June 10, 2018
Entry type: SecretKeyEntry
*********************************************
*********************************************
Alias name: ltpakeypair_1_public
Creation date: June 10, 2018
Entry type: SecretKeyEntry
By default, the Active key history page will have a single listing, LTPAKeyPair_1. This listing correlates to ltpakeypair_1_public and ltpakeypair_1_private in the ltpa.jceks keystore. Do not delete this listing, as this would remove ltpakeypair_1_public and ltpakeypair_1_private from the ltpa.jceks keystore, which would cause issues with LTPA.
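As an added example (not part of the original article), the script below wraps the keytool listing described above and checks that the three expected LTPA entries are still present, which is the condition the warning above is about. It assumes WAS_INSTALL_ROOT, WAS_JAVA_VERSION, CONFIG_ROOT, CELL_NAME and LTPA_STOREPASS are environment variables you set for your own cell; the sample listing is constructed to mirror the article's output.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check an ltpa.jceks listing.
# Assumed placeholders: WAS_INSTALL_ROOT, WAS_JAVA_VERSION, CONFIG_ROOT,
# CELL_NAME and LTPA_STOREPASS are environment variables set for your cell.

# The three entries a default ltpa.jceks contains, as listed in the article.
LTPA_EXPECTED_ALIASES="ltpasecret_1 ltpakeypair_1_private ltpakeypair_1_public"

# Constructed sample of keytool -list output, shaped like the article's
# listing (creation dates and separator lines omitted); used by "demo" mode.
SAMPLE_LISTING='Alias name: ltpasecret_1
Entry type: SecretKeyEntry
Alias name: ltpakeypair_1_private
Entry type: SecretKeyEntry
Alias name: ltpakeypair_1_public
Entry type: SecretKeyEntry'

# Run WebSphere's bundled keytool (the one that understands LTPA key types)
# against the cell's ltpa.jceks and print the listing.
list_ltpa_keystore() {
    "${WAS_INSTALL_ROOT:?}/java/${WAS_JAVA_VERSION:?}/bin/keytool" -list \
        -keystore "${CONFIG_ROOT:?}/cells/${CELL_NAME:?}/ltpa.jceks" \
        -storetype jceks -storepass "${LTPA_STOREPASS:?}"
}

# Count the entries in a keytool listing read from stdin (prints 0 if none).
ltpa_entry_count() {
    grep -c '^Alias name: ' || true
}

# Read a keytool listing from stdin and report expected LTPA aliases that
# are absent, e.g. after the key pair was deleted from Active key history.
# Returns 0 only when all three expected entries are present.
check_ltpa_aliases() {
    listing=$(cat)
    missing=""
    for alias in $LTPA_EXPECTED_ALIASES; do
        printf '%s\n' "$listing" | grep -qx "Alias name: ${alias}" \
            || missing="${missing} ${alias}"
    done
    if [ -n "$missing" ]; then
        echo "ltpa.jceks is missing expected entries:${missing}" >&2
        return 1
    fi
    echo "ltpa.jceks contains all expected LTPA entries"
}

# Usage: ./check_ltpa.sh demo  (uses SAMPLE_LISTING)
#        ./check_ltpa.sh check (uses the real keystore via list_ltpa_keystore)
case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_LISTING" | check_ltpa_aliases ;;
    check) list_ltpa_keystore | check_ltpa_aliases ;;
esac
```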