LTPA calls across WebSphere domains: WebSphere Application Server Version 3.5
Advanced Edition of IBM WebSphere Application Server


5.3.5: Making LTPA-secured calls across WebSphere domains

If applications in two different WebSphere Application Server domains need to be able to communicate, the two WebSphere application servers must exchange security information so that the servers themselves can communicate. Specifically, the LTPA component of the administrative server in the calling domain must make its LTPA keys available to the LTPA component of the administrative server in the called domain. This allows the called server to decrypt security information from the calling server. Otherwise, the WebSphere application server in the calling domain will not be able to authenticate to the application server in the called domain.

For example, suppose that a servlet running in Domain A needs to call an enterprise bean running in Domain B. Before this exchange can take place, the two WebSphere application servers have to exchange LTPA key information. To exchange the necessary information between the two domains, three things must be done:

  1. The keys for the LTPA component in the calling application's domain must be exported to a file. In the example scenario, the calling application is the servlet.
  2. The file must be made accessible to the administrative server of the called WebSphere Application Server domain.
  3. The key information from the calling domain must be imported by the LTPA component of the called domain. In the example scenario, the called application is the enterprise bean.

This page describes the necessary steps.

Export the key information

You must export the calling domain's LTPA keys to a file so that the keys can be made available to another domain, where they are imported from that file.

Note   Before LTPA keys can be exported, they have to be created. Such keys are typically created when the authentication mechanism is chosen for the domain. When the LTPA keys are created, you must provide a password that is used to protect the keys. This password is required when the keys are imported from a file into another application, so you must have this password.

To export the LTPA key information, perform these steps:

  1. Start the administrative server for the domain, if necessary.
  2. Start the administrative console, if necessary.
  3. On the administrative console, click Wizards.
  4. Select the Configure Global Security Settings task.
  5. Click the Authentication Mechanism tab.
  6. Click the Export To File tab.
  7. When prompted, specify the name and location of the file to contain the LTPA keys. You can use any file name and extension. Note the name and extension you specify; this file must later be imported by the application in the second domain.
  8. Click Save to save the file.
  9. Click Cancel to close the wizard. (This procedure has not changed any global security setting, so there are no new settings to save.)

Make the file accessible to the second domain

The file containing the exported keys must be installed in a location where the importing administrative server can find it. For example, to move the file from one machine to another, you can put it on a floppy disk and install it on the second machine. This file contains security keys, so treat it with care. Some sites have policies describing how such transfers can be done.

Import the key information

You must import the LTPA keys of the calling domain from the file. This allows the called domain to decrypt information encrypted by the calling domain.

To import the key information from a file, perform these steps:

  1. Start the administrative server for the domain, if necessary.
  2. Start the administrative console, if necessary.
  3. On the administrative console, click Wizards.
  4. Select the Configure Global Security Settings task.
  5. Click the Authentication Mechanism tab.
  6. Click Import From File.
  7. When prompted, select the file that was generated during the export step.
  8. Click Open.
  9. When prompted, type the LTPA password established when initially generating the keys.
  10. Click OK to import the keys.
  11. Stop and restart the administrative server.
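As an added illustration (not IBM's code, and not the real LTPA token or key-file format), the following Python sketch models why the export/import procedure above is needed: the called domain can validate tokens from the calling domain only after importing that domain's keys, and the exported file opens only with the password chosen when the keys were created. The domain names, token layout and file layout are constructed for this example.

```python
import base64, hashlib, hmac, json, os, tempfile
from pathlib import Path
# Constructed, simplified model of cross-domain LTPA trust: tokens are HMAC-signed
# JSON, the export file is a PBKDF2-wrapped key plus an integrity tag.
class Domain:
    def __init__(self, name: str):
        self.name = name
        self.ltpa_key = os.urandom(32)  # created when the auth mechanism is chosen

    def issue_token(self, user: str) -> str:
        body = json.dumps({"user": user, "realm": self.name}).encode()
        tag = hmac.new(self.ltpa_key, body, hashlib.sha256).digest()
        return base64.b64encode(body + tag).decode()

    def validate_token(self, token: str):
        raw = base64.b64decode(token)
        body, tag = raw[:-32], raw[-32:]
        expect = hmac.new(self.ltpa_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return None  # calling domain's key unknown here: cannot authenticate
        return json.loads(body)

    def export_keys(self, path: str, password: str) -> None:
        salt = os.urandom(16)
        wrap = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 64)
        enc = bytes(a ^ b for a, b in zip(self.ltpa_key, wrap[:32]))
        mac = hmac.new(wrap[32:], salt + enc, hashlib.sha256).digest()
        Path(path).write_bytes(salt + enc + mac)  # this file is the secret

    def import_keys(self, path: str, password: str) -> None:
        blob = Path(path).read_bytes()
        salt, enc, mac = blob[:16], blob[16:48], blob[48:]
        wrap = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 64)
        if not hmac.compare_digest(hmac.new(wrap[32:], salt + enc, hashlib.sha256).digest(), mac):
            raise ValueError("wrong LTPA password or tampered key file")
        self.ltpa_key = bytes(a ^ b for a, b in zip(enc, wrap[:32]))

def cross_domain_demo(password: str) -> tuple:
    # Servlet in Domain A calls a bean in Domain B, before and after key import.
    a, b = Domain("DomainA"), Domain("DomainB")
    token = a.issue_token("servlet-user")
    before = b.validate_token(token)  # None: B does not hold A's key yet
    path = os.path.join(tempfile.gettempdir(), "ltpa-export-demo.key")
    a.export_keys(path, password)
    try:
        b.import_keys(path, "not-" + password)
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    b.import_keys(path, password)
    return before, wrong_pw_rejected, b.validate_token(token)
```

Running `cross_domain_demo("...")` returns `(None, True, {...})`: the call fails before the import, a wrong password is rejected, and the token validates once the keys are shared.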
