If you are not familiar with SSO and LTPA, check out our getting started article.

If you have two or more WebSphere servers, and you want to be able to get an LTPA token for one of WebSphere servers and then use the LTPA token to be automatically authenticated to the other WebSphere servers, each WebSphere server will need the same LTPA key.

Prerequisites

• Synchronize time - Since LTPA tokens expire (120 minutes is the default), it is important to ensure that each WebSphere server is configured with the correct date and time, which is usually done via network time protocol (NTP). Configuring a servers time is beyond the scope of this article.
• User account repository - Ensure each WebSphere server is configured to use the same user account repository.
• Administrative security - Ensure administrative security is enable on each WebSphere server.
• DNS - Ensure each server is in the same DNS domain.
• Realm name - Ensure each server is configured with the same realm name.

Create and Export LTPA key

In one of your WebSphere servers, navigate to Security > Global Security > LTPA. Provide a password for the LTPA key and the location and name of the file that will contain the LTPA key and select Export. In this example, "ltpa.key" is the name of the file that contains the LTPA key.

If the export is successful, the following should be displayed, and the key file should now reside on your server.

The exported file is nothing more than a text file that contains the following lines.

#IBM WebSphere Application Server key file
#Tue Sep 03 06:21:30 CDT 2019
com.ibm.websphere.CreationDate=Tue Sep 03 06\:21\:30 CDT 2019
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=mbcyCurh+lcGC852xxBavK1eX8cdHbesNdAES2AeaUE\=
com.ibm.websphere.CreationHost=dmgr.example.com
com.ibm.websphere.ltpa.PrivateKey=DXbx8HooPNeW9U5Vya4LWUHPoBXMlKfd/uHhCdc4sZzKOr5YyxtUH6Q1JqYkM3iQoM3R9QtrTvf5z+FVqa1Dj2gl9CtvqJm6UP5vMNbHhtUEe8hS0jdPImdiUAyJ4svqY9zFOlhz9qGD7dNWxnQTwUC62gx2wgeAehLl3Y05ZTaEZb38JvA6m+xjnFelUwcWF7LNTVuhe3+qzku2jSeP/6ud/RLvQU7aFLgoRuQA4zHF550IyAfhQuMYBguYZCTHjJppv9Lx8/xzQu6kSNENFr102GrfEJ3+rlNh3lBjGChhabL8Cte0BHvbS8pvZ4vs9zc++o/rYwNPG4gGPEZHYX7qd991WjxZprSFmJEgN1Y\=
com.ibm.websphere.ltpa.Realm=defaultRealm
com.ibm.websphere.ltpa.PublicKey=AMxdld/PvJHafIzIngP67yPbakmSdWbph9xALIDbCBDDoI+YyWbxDK4d3CFtPlb2Tt6HXuD1H2JOdtLYidoeedDj32RKybs3p9LYGiJv1tRbZY2w4Dt2FNVOskBXjIJW0qQYD3iGW2eWVcglrcy6k3iVr+uQya8byv+P2TxOjO2/AQAF

Import LTPA key

Now, on your other WebSphere servers, transfer the file that was exported from server "a" to some directory on server "b". Then, at Security > Global Security > LTPA, enter the LTPA key password, enter the path to the file, and select Import key. If the import is successful, the following should be displayed. Select Save.

And that's it. You should now be able to authenticate into server "a" and then automatically be authenticated into the other WebSphere servers for the duration of the LTPA token.

Other considerations

You typically want each WebSphere server to be configured to use the same type of users registry (federated repository, LDAP, local operating system, custom).