Importing multiple LTPA Keys for Single Sign On (SSO) fails
 Product documentation
 
Abstract
If three or more IBM® WebSphere® Application Server Cells are to share an identical Lightweight Third Party Authentication (LTPA) Key for Single Sign On, the current documentation is unclear on how to accomplish that.

Example:
Cell A, B and C are configured for SSO.
If you export the LTPA Keys of Cell A and B and import both into Cell C, you will most likely not get any errors during the import, but you will find the SSO functionality of Cell C broken.
Cell C will in fact make use of the last LTPA key imported. So if your import sequence was key A followed by key B, Cell C will use the key of Cell B. If the import sequence was B first followed by A, Cell C will use the key of Cell A.
 
 
Content
Only one LTPA Key is allowed at a time.

When importing an LTPA Key, a merge of the new key with the one that is already present will not take place - the present key will get replaced.
This can be easily verified by comparing the contents of the security.xml file before and after the import of a foreign LTPA key.

In order to get around this constraint, you must settle on a single LTPA Key for all Cells requiring SSO.

Currently, the only Application Server Information Center reference can be found in the "Import Keys" section of "Lightweight Third Party Authentication Settings", reading:
"The LTPA keys are exported from one of the cells to a file."
(see related URLs below)

However, there is no clear statement made that only one LTPA key will be allowed and consequently used for SSO.

Select one of your systems as the source of the "Master" LTPA Key, export the key from it, and import this same key on all other systems / in all other Application Server Cells which should join this Single Sign On community.

It is neither necessary nor possible to combine several LTPA keys into one.

Of course, the SSO domain names in the LTPA properties also need to match.
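The checks described above (compare security.xml before and after an import, confirm that every Cell carries the Master key and the same SSO domain name) can be scripted. The following is an added example, not part of the technote and not IBM code. It works on constructed security.xml-like fragments: the element and attribute names (ltpa/@key, singleSignon/@domainName) and the key values are placeholders chosen for the example, because the technote does not show the real security.xml schema, and simulate_import only models the documented replace-not-merge behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed security.xml-like fragments for three Cells.
# Element/attribute names and key values are placeholders, not real LTPA material.
CELL_A = """<security>
  <ltpa key="PLACEHOLDER-KEY-A"/>
  <singleSignon domainName="example.com" enabled="true"/>
</security>"""

CELL_B = CELL_A.replace("PLACEHOLDER-KEY-A", "PLACEHOLDER-KEY-B")

# Cell C starts with its own key and an SSO domain that does not match the others.
CELL_C_BEFORE = """<security>
  <ltpa key="PLACEHOLDER-KEY-C"/>
  <singleSignon domainName="example.org" enabled="true"/>
</security>"""


def ltpa_state(xml_text):
    """Return the LTPA key and SSO domain name found in a security.xml-like document."""
    root = ET.fromstring(xml_text)
    ltpa = root.find("ltpa")
    sso = root.find("singleSignon")
    return {
        "key": ltpa.get("key") if ltpa is not None else None,
        "domain": sso.get("domainName") if sso is not None else None,
    }


def attribute_diff(before_xml, after_xml):
    """List (element_path, attribute, old, new) for every attribute that changed.

    Schema-independent: both trees are walked in document order and their attributes
    compared, so a replaced key shows up as exactly one entry.
    """
    def flatten(root):
        out = {root.tag: dict(root.attrib)}

        def walk(elem, path):
            for i, child in enumerate(elem):
                child_path = f"{path}/{child.tag}[{i}]"
                out[child_path] = dict(child.attrib)
                walk(child, child_path)

        walk(root, root.tag)
        return out

    before = flatten(ET.fromstring(before_xml))
    after = flatten(ET.fromstring(after_xml))
    changes = []
    for path in sorted(set(before) | set(after)):
        b, a = before.get(path, {}), after.get(path, {})
        for attr in sorted(set(b) | set(a)):
            if b.get(attr) != a.get(attr):
                changes.append((path, attr, b.get(attr), a.get(attr)))
    return changes


def simulate_import(target_xml, exported_xml):
    """Model of the documented behaviour: the imported key REPLACES the present one,
    nothing is merged, and the SSO domain of the target is left untouched."""
    target = ET.fromstring(target_xml)
    target.find("ltpa").set("key", ltpa_state(exported_xml)["key"])
    return ET.tostring(target, encoding="unicode")


def check_sso_community(master_xml, cells):
    """Return the problems that would break SSO: a Cell whose key differs from the
    Master key, or whose SSO domain name differs from the Master's."""
    master = ltpa_state(master_xml)
    problems = []
    for name, xml_text in cells.items():
        state = ltpa_state(xml_text)
        if state["key"] != master["key"]:
            problems.append(f"{name}: LTPA key differs from master")
        if state["domain"] != master["domain"]:
            problems.append(f"{name}: SSO domain {state['domain']!r} != master {master['domain']!r}")
    return problems


if __name__ == "__main__":
    # Wrong procedure: Cell C imports key A, then key B. The last import wins.
    wrong = simulate_import(simulate_import(CELL_C_BEFORE, CELL_A), CELL_B)
    print("Cell C key after importing A then B:", ltpa_state(wrong)["key"])
    for change in attribute_diff(CELL_C_BEFORE, wrong):
        print("changed:", change)

    # Right procedure: Cell A is the Master; B and C each import A's key only.
    b_ok = simulate_import(CELL_B, CELL_A)
    c_ok = simulate_import(CELL_C_BEFORE, CELL_A)
    for problem in check_sso_community(CELL_A, {"Cell B": b_ok, "Cell C": c_ok}):
        print("problem:", problem)
```

Run against real exported configuration only after adapting ltpa_state to the actual element and attribute names of your security.xml; the remaining problem reported for Cell C in the example is the SSO domain mismatch, which the import itself never corrects.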

Remark:
The above is only valid for WAS v5.x and v6.0, where the LTPA Key is stored as an encrypted string in the security.xml file.

Starting with WAS v6.1 the LTPA key is stored in a keystore called ltpa.jceks, which allows more than one LTPA key at the same time. But be aware that you will not be able to display / export the older keys of the ltpa.jceks keystore. Only the most current one can be exported in the ISC AdminConsole.

 
Related information
WAS 5.0 Information Center
WAS 5.1 Information Center
WAS 6.0 Information Center
 
 
Original publication date
2008/9/25
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): z/OS
Software version: 6.0
Software edition:
Reference #: 7009340
IBM Group: Software Group
Modified date: Mar 1, 2007