FreeKB - Single Sign On (SSO) and Lightweight Third Party Authentication (LTPA) in WebSphere - Encrypting LTPA Tokens
Single Sign On (SSO) and Lightweight Third Party Authentication (LTPA) in WebSphere - Encrypting LTPA Tokens

Home > Search


If you are not familiar with SSO and LTPA, check out our getting started article.

By default, LTPA tokens are encrypted using a public certificate and private key. The key set group being used can be viewed by navigating to Security > Global Security > LTPA. In this example, CellLTPAKeySetGroup is the key set group being used.

 

Selecting Key set groups >  CellLTPAKeySetGroup > key sets > CellLTPAKeys will display the keystore being used.  In this example, the ltpa.jceks file is the keystore that contains the public certificate and private key.

 

The contents of ltpa.jceks can be viewed on the command line. Be aware that you must use the Java keytool command that is included with WebSphere as the Java keytool that ships with WebSphere contains the com.ibm.ws.security.ltpa.LTPAKeyPairGenerator class, which is needed to view the contents of the ltpa.jceks keystore. 

${WAS_INSTALL_ROOT}/java/your_version/bin/keytool -list -keystore ${CONFIG_ROOT}/cells/DmgrCell01/ltpa.jceks -storetype jceks -storepass WebAS

 

Which will show that the ltpa.jceks keystore contains 3 entries, the LTPA secret key, the private key, and the public certificate.

Alias name: ltpasecret_1
Creation date: June 10, 2018
Entry type: SecretKeyEntry

*********************************************
*********************************************

Alias name: ltpakeypair_1_private
Creation date: June 10, 2018
Entry type: SecretKeyEntry

*********************************************
*********************************************

Alias name: ltpakeypair_1_public
Creation date: June 10, 2018
Entry type: SecretKeyEntry

 

By default, the Active key history page will have a single listing, LTPAKeyPair_1. This listing correlates to ltpakeypair_1_public and ltpakeypair_1_private in the ltpa.jceks keystore. Do not delete this listing, as this would remove ltpakeypair_1_public and ltpakeypair_1_private from the ltpa.jceks keystore, which would cause issues with LTPA.

 



Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter 9ecb2 in the box below so that we can be sure you are a human.




Comments