Making LTPA-secured calls across WebSphere domains
If applications in two different WebSphere Application Server domains
need to communicate, the two WebSphere application servers must first
exchange security information so that the servers themselves can
communicate. Specifically, the LTPA component of the administrative
server in the calling domain must make its LTPA keys available to
the LTPA component of the administrative server in the
called domain. This allows the called server to decrypt security
information from the calling server. Without the shared keys, the WebSphere
application server in the calling domain will not be able to authenticate
to the application server in the called domain.
For example, suppose that a servlet running in Domain
A needs to call an enterprise bean running in Domain B.
Before this exchange can take place, the two WebSphere application
servers have to exchange LTPA key information. To exchange the necessary
information between the two domains, three things must be done:
- The keys for the LTPA component in the calling application's
domain must be exported to a file. In the example scenario,
the calling application is the servlet.
- The file must be made accessible to the administrative server
of the called WebSphere Application Server domain.
- The key information from the calling domain must be imported
by the LTPA component of the called domain. In the example
scenario, the called application is the enterprise bean.
This page describes the necessary steps.
Export the key information
You must export the calling domain's LTPA keys to a file
so that the keys can be made available to another domain,
where they are imported from that file.
Before LTPA keys can be exported, they have to be created.
Such keys are typically created when the authentication
mechanism is chosen for the domain. When the LTPA keys are created,
you must provide a password that is used to protect the keys. This
same password is required when the keys are imported from the file
into the other domain, so keep a record of it.
To export the LTPA key information, perform these steps:
- Start the administrative server for the domain, if necessary.
- Start the administrative console, if necessary.
- On the administrative console, click Wizards.
- Select the Configure Global Security Settings task.
- Click the Authentication Mechanism tab.
- Click the Export To File tab.
- When prompted, specify the name and location of the file
to contain the LTPA keys. You can use any file name and extension.
Note the name and extension you specify; this file must later
be imported by the application in the second domain.
- Click Save to save the file.
- Click Cancel to close the wizard. (This procedure
has not changed any global security setting, so there are no
new settings to save.)
Make the file accessible to the second domain
The file containing the exported keys must be placed in a location
where the importing administrative server can find it. For example, to move the
file from one machine to another, you can put it on a floppy disk and
copy it onto the second machine. This file contains security keys,
so treat it with care. Some sites have policies describing how
such transfers can be done.
Import the key information
You must import the LTPA keys of the calling domain from the
file. This allows the called domain to decrypt information
encrypted by the calling domain.
To import the key information from a file, perform these steps:
- Start the administrative server for the domain, if necessary.
- Start the administrative console, if necessary.
- On the administrative console, click Wizards.
- Select the Configure Global Security Settings task.
- Click the Authentication Mechanism tab.
- Click Import From File.
- When prompted, select the file that was generated
during the export step.
- Click Open.
- When prompted, type the LTPA password established when
initially generating the keys.
- Click OK to import the keys.
- Stop and restart the administrative server.
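The following added example models the three steps above (export the calling domain's keys to a password-protected file, move the file and check it arrived intact, import the keys in the called domain) and shows why the exchange matters: a domain that has imported the keys accepts the calling domain's tokens, a domain that has not rejects them, and an import with the wrong password fails. It is illustrative code written for this page, not WebSphere's own; the key-file layout (salt, wrapped key, MAC tag), the PBKDF2 wrapping and the `user:hmac` token shape are assumptions made for the example and are not the real LTPA formats.

```python
"""Model of the LTPA key exchange described above (constructed example).
Neither the key-file layout nor the token format is the real LTPA format."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KEY_LEN = 32            # bytes of shared key per domain (assumed size)
SALT_LEN = 16
PBKDF2_ITERATIONS = 200_000


def create_domain_key() -> bytes:
    """Stands in for the keys generated when LTPA is chosen for a domain."""
    return secrets.token_bytes(KEY_LEN)


def _derive(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a one-time wrapping keystream and a MAC key from the export password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=KEY_LEN * 2)
    return material[:KEY_LEN], material[KEY_LEN:]


def export_keys(domain_key: bytes, password: str) -> bytes:
    """Export step: build the password-protected file (salt | wrapped key | tag)."""
    salt = secrets.token_bytes(SALT_LEN)
    stream, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(domain_key, stream))  # fresh salt => fresh stream
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return salt + wrapped + tag


def import_keys(file_bytes: bytes, password: str) -> bytes:
    """Import step: recover the key; raise ValueError on a wrong password or a damaged file."""
    salt = file_bytes[:SALT_LEN]
    wrapped = file_bytes[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = file_bytes[SALT_LEN + KEY_LEN:]
    stream, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("LTPA password incorrect or key file corrupted")
    return bytes(a ^ b for a, b in zip(wrapped, stream))


def file_fingerprint(file_bytes: bytes) -> str:
    """Transfer step: digest to compare out of band after moving the file between machines."""
    return hashlib.sha256(file_bytes).hexdigest()


def mint_token(domain_key: bytes, user: str) -> str:
    """Calling domain (the servlet's side): bind a user id to a MAC under the domain key."""
    tag = hmac.new(domain_key, user.encode(), "sha256").hexdigest()
    return f"{user}:{tag}"


def verify_token(domain_key: bytes, token: str) -> Optional[str]:
    """Called domain (the enterprise bean's side): return the user if the token was minted under our key."""
    user, _, tag = token.rpartition(":")
    expected = hmac.new(domain_key, user.encode(), "sha256").hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Run the full scenario: Domain A exports, Domain B imports, Domain C never does."""
    key_a = create_domain_key()
    exported = export_keys(key_a, "export-password")
    key_b = import_keys(exported, "export-password")   # Domain B imported A's keys
    key_c = create_domain_key()                        # Domain C has only its own keys
    token = mint_token(key_a, "servlet-user")
    try:
        import_keys(exported, "wrong-password")
        bad_password_rejected = False
    except ValueError:
        bad_password_rejected = True
    return {
        "keys_match": key_a == key_b,
        "accepted_by_b": verify_token(key_b, token),   # "servlet-user"
        "accepted_by_c": verify_token(key_c, token),   # None: cannot authenticate
        "bad_password_rejected": bad_password_rejected,
        "fingerprint": file_fingerprint(exported),
    }


if __name__ == "__main__":
    print(demo())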
|
|