FreeKB - Single Sign On (SSO) and Lightweight Third Party Authentication (LTPA) in WebSphere - Across multiple servers
Single Sign On (SSO) and Lightweight Third Party Authentication (LTPA) in WebSphere - Across multiple servers

Home > Search

If you are not familiar with SSO and LTPA, check out our getting started article.

If you have two or more WebSphere servers, and you want to be able to get an LTPA token for one of WebSphere servers and then use the LTPA token to be automatically authenticated to the other WebSphere servers, each WebSphere server will need the same LTPA key.


Synchronize time

Since LTPA tokens expire (120 minutes is the default), it is important to ensure that each WebSphere server is configured with the correct date and time, which is usually done via network time protocol (NTP). Configuring a servers time is beyond the scope of this article.


Create and Export LTPA key

In one of your WebSphere servers, navigate to Security > Global Security > LTPA. Provide a password for the LTPA key and the location and name of the file that will contain the LTPA key and select Export. In this example, "ltpa.key" is the name of the file that contains the LTPA key.


If the export is successful, the following should be displayed, and the key file should now reside on your server.


Import LTPA key

Now, on your other WebSphere servers, at Security > Global Security > LTPA, enter the LTPA key password, select Import key, and select the file that you exported. Select OK and Save. And that's it. You should now be able to authenticate into server "a" and then automatically be authenticated into the other WebSphere servers for the duration of the LTPA token.


Other considerations

You typically want each WebSphere server to be configured to use the same type of users registry (federated repositoryLDAP, local operating system, custom).

Also, each WebSphere server will need to be configured with an identical realm name. With federated repository, the default realm name is defaultWIMFileBasedRealm. If you didn't change the realm name, then all of the WebSphere servers should have the same realm name. To verify this, navigate to Security > Global Security > Configure. If you need to change the realm name, the cell (dmgr, nodes, application servers) will need to be restarted for this change to take effect. 

With LDAP, the default realm name is the LDAP server hostname and port. Just like a federated repository, you can verify the realmn name at Security > Global Security > Configure.

Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter c1854 in the box below so that we can be sure you are a human.