Only one LTPA Key is allowed at a time.
When importing an LTPA Key, a merge of the new key with the one that is
already present will not take place - the present key will get replaced.
This can be easily verified by comparing the contents of the security.xml
file before and after the import of a foreign LTPA key.
In order to get around this constraint, you must settle on a single
LTPA Key for all Cells requiring SSO.
Currently, the only Application Server Information Center reference can
be found in the "Import Keys" section of "Lightweight Thirdparty
Authentication Settings", reading:
"The LTPA keys are exported from one of the cells to a file."
(see related URLs below)
However, there is no clear statement made that only one LTPA key will
be allowed and consequently used for SSO.
Select one of your systems from which to export the "Master" LTPA Key, and
import this key on all other Systems / in all other Application Server
Cells which should join this Single Sign On community.
It is neither necessary nor possible to combine several LTPA keys into
one.
Of course, the SSO domain names in the LTPA properties also need to
match.
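As an added illustration (not part of the original technote), the following Python check compares the LTPA key files exported from several cells against the chosen "Master" export and reports any cell whose key material or realm differs, i.e. any cell that has not yet received the master key. It assumes all exports were made with the same export password, the property names of an exported LTPA key file (com.ibm.websphere.ltpa.3DESKey, com.ibm.websphere.ltpa.PrivateKey, com.ibm.websphere.ltpa.PublicKey, com.ibm.websphere.ltpa.Realm), and the sample file contents are constructed placeholders.

```python
import hashlib
# Property names of an exported LTPA key file (assumed; check against your own export).
KEY_FIELDS = ("com.ibm.websphere.ltpa.3DESKey", "com.ibm.websphere.ltpa.PrivateKey",
              "com.ibm.websphere.ltpa.PublicKey")
REALM_FIELD = "com.ibm.websphere.ltpa.Realm"

def parse_ltpa_export(text):
    """Parse the key=value lines of an exported LTPA key file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        # Java properties files escape ':' and '=' inside values as '\:' and '\='
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props

def key_fingerprint(props):
    """Digest over the key material, so keys can be compared without printing them."""
    h = hashlib.sha256()
    for field in KEY_FIELDS:
        h.update(props.get(field, "").encode() + b"\0")
    return h.hexdigest()[:16]

def check_sso_community(master_text, others):
    """Return (cell, reason) pairs for every cell that would break SSO with the master."""
    master = parse_ltpa_export(master_text)
    master_fp, master_realm = key_fingerprint(master), master.get(REALM_FIELD)
    problems = []
    for cell, text in others.items():
        p = parse_ltpa_export(text)
        if key_fingerprint(p) != master_fp:
            problems.append((cell, "LTPA key differs from master; import the master key"))
        if p.get(REALM_FIELD) != master_realm:
            problems.append((cell, "realm differs from master"))
    return problems
# Constructed sample exports: placeholder values, not real key material
MASTER = """#IBM WebSphere Application Server key file
com.ibm.websphere.ltpa.3DESKey=MASTER3DES==
com.ibm.websphere.ltpa.PrivateKey=MASTERPRIV==
com.ibm.websphere.ltpa.PublicKey=MASTERPUB==
com.ibm.websphere.ltpa.Realm=sso.example.com\\:389
"""
CELLS = {"cellB": MASTER,                                    # already imported the master key
         "cellC": MASTER.replace("MASTER3DES", "OTHER3DES")}  # still using its own key

for cell, why in check_sso_community(MASTER, CELLS):
    print(f"{cell}: {why}")
```

Running the same comparison on exports taken before and after an import is a quick way to confirm that the import replaced the cell's key rather than merging it.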
Remark:
The above is only valid for WAS v5.x and v6.0, where the LTPA Key is
stored as an encrypted string in the security.xml file.
Starting with WAS v6.1 the LTPA key is stored in a keystore called
ltpa.jceks, which allows more than one LTPA key at the same time. But be
aware that you will not be able to display / export the older keys of the
ltpa.jceks keystore. Only the most current one can be exported in the ISC
AdminConsole.