When the default single sign-on token is generated,
the application server uses the TokenFactory class that is specified by
the com.ibm.wsspi.security.token.singleSignonTokenFactory property. To modify
this property using the administrative console, complete the following steps:
- Click Security > Global security.
- Under Additional properties, click Custom properties.
- Locate the com.ibm.wsspi.security.token.singleSignonTokenFactory property and change its value.
The com.ibm.ws.security.ltpa.LTPAToken2Factory token factory is the default
value of this property. This token factory creates a single sign-on
(SSO) token called LtpaToken2, which WebSphere Application Server uses for
propagation. This token factory uses the AES/CBC/PKCS5Padding cipher. If you
change this token factory, you lose interoperability with any servers
running a version of WebSphere Application Server prior to Version 5.1.1 that
use the default token factory. Only servers running WebSphere Application
Server Version 5.1.1 or later with propagation enabled recognize the LtpaToken2
cookie. If all of your application servers run WebSphere Application Server
Version 5.1.1 or later and all of them use your new token factory,
this is not a problem.
If you need to perform your own signing
and encryption of the default single sign-on token, you must implement the
following classes:
- com.ibm.wsspi.security.ltpa.Token
- com.ibm.wsspi.security.ltpa.TokenFactory
Your token factory implementation instantiates (createToken) and validates
(validateTokenBytes) your token implementation. You can use the Lightweight
Third-Party Authentication (LTPA) keys passed into the initialize method of
the token factory or you can use your own keys. If you use your own keys,
they must be the same on every server that validates the tokens that are generated
using those keys. Because every server that shares the keys trusts the token,
validateTokenBytes must reject any token whose signature does not verify or whose
expiration has passed; otherwise a forged or replayed token grants sign-on across
the whole domain. See the API documentation, available through a link on the
front page of the information center, for more information on implementing
your own custom token factory. To associate your token factory with the default
single sign-on token using the administrative console, complete the following
steps:
- Click Security > Global security.
- Under Additional properties, click Custom properties.
- Locate the com.ibm.wsspi.security.token.singleSignonTokenFactory property
and verify that the value of this property matches your custom TokenFactory
implementation.
- Verify that your implementation classes are placed in the app_server_root/classes
directory (or the ${USER_INSTALL_ROOT}/classes directory) so that the WebSphere
Application Server class loader can load the classes.
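The following standalone class is an added example and is not IBM's code, nor does it implement the com.ibm.wsspi.security.ltpa.Token and TokenFactory interfaces, whose exact signatures are not on this page. It shows the work those interfaces ask a custom factory to do: a constructor that plays the role of initialize (taking keys that must be identical on every server), a createToken that encrypts the token body with AES/CBC/PKCS5Padding (the cipher the default factory uses) and signs it with an HMAC, and a validateTokenBytes that checks the signature before decrypting and rejects expired tokens. The wire format (version byte, IV, ciphertext, HMAC-SHA256 tag), the use of HMAC as the signature, the newline-separated body and the demo keys are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Example code, not IBM's implementation and not the IBM TokenFactory/Token interfaces.
 * Token layout (assumed for this example): VERSION(1) || IV(16) || AES-CBC ciphertext || HMAC-SHA256(32)
 * where the HMAC covers everything before it. Body plaintext: "<principal>\n<expiresAtMillis>".
 */
public class ExampleSsoTokenCodec {
    private static final byte VERSION = 1;
    private static final int IV_LEN = 16;
    private static final int MAC_LEN = 32;

    private final SecretKeySpec encKey;
    private final SecretKeySpec macKey;
    private final SecureRandom rng = new SecureRandom();

    /** Role of initialize(): both keys must be identical on every server that validates tokens. */
    public ExampleSsoTokenCodec(byte[] encKeyBytes, byte[] macKeyBytes) {
        this.encKey = new SecretKeySpec(encKeyBytes, "AES");
        this.macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
    }

    /** Role of createToken(): encrypt principal and absolute expiry, then sign the whole token. */
    public byte[] createToken(String principal, long expiresAtMillis) throws GeneralSecurityException {
        if (principal.indexOf('\n') >= 0) throw new IllegalArgumentException("principal must not contain a newline");
        byte[] body = (principal + "\n" + expiresAtMillis).getBytes(StandardCharsets.UTF_8);
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv); // fresh random IV per token; CBC with a fixed IV leaks equal prefixes
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(body);
        byte[] signed = new byte[1 + IV_LEN + ct.length];
        signed[0] = VERSION;
        System.arraycopy(iv, 0, signed, 1, IV_LEN);
        System.arraycopy(ct, 0, signed, 1 + IV_LEN, ct.length);
        byte[] out = Arrays.copyOf(signed, signed.length + MAC_LEN);
        System.arraycopy(hmac(signed), 0, out, signed.length, MAC_LEN);
        return out;
    }

    /** Role of validateTokenBytes(): verify signature first, decrypt second, check expiry last. */
    public String validateTokenBytes(byte[] token, long nowMillis) throws GeneralSecurityException {
        if (token == null || token.length < 1 + IV_LEN + 16 + MAC_LEN || token[0] != VERSION)
            throw new GeneralSecurityException("malformed token");
        byte[] signed = Arrays.copyOfRange(token, 0, token.length - MAC_LEN);
        byte[] tag = Arrays.copyOfRange(token, token.length - MAC_LEN, token.length);
        // Constant-time compare; a forged or tampered token is rejected before any decryption happens.
        if (!MessageDigest.isEqual(hmac(signed), tag)) throw new GeneralSecurityException("invalid token signature");
        byte[] iv = Arrays.copyOfRange(signed, 1, 1 + IV_LEN);
        byte[] ct = Arrays.copyOfRange(signed, 1 + IV_LEN, signed.length);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        String[] fields = new String(c.doFinal(ct), StandardCharsets.UTF_8).split("\n", 2);
        if (fields.length != 2) throw new GeneralSecurityException("malformed token body");
        if (Long.parseLong(fields[1]) <= nowMillis) throw new GeneralSecurityException("token expired");
        return fields[0];
    }

    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo keys; a deployment would load shared keys, for example the LTPA keys handed to initialize().
        byte[] encKey = new byte[16], macKey = new byte[32];
        new SecureRandom().nextBytes(encKey);
        new SecureRandom().nextBytes(macKey);
        ExampleSsoTokenCodec codec = new ExampleSsoTokenCodec(encKey, macKey);

        long now = System.currentTimeMillis();
        byte[] token = codec.createToken("user1", now + 2 * 60 * 60 * 1000L);
        System.out.println("cookie value: " + Base64.getEncoder().encodeToString(token));
        System.out.println("validated principal: " + codec.validateTokenBytes(token, now));

        // Flip one ciphertext byte: the signature check fails, so CBC padding errors are never exposed to the caller.
        byte[] tampered = token.clone();
        tampered[1 + IV_LEN] ^= 0x01;
        try { codec.validateTokenBytes(tampered, now); }
        catch (GeneralSecurityException e) { System.out.println("tampered token: " + e.getMessage()); }

        // A server with different keys cannot validate the token: identical keys everywhere is a hard requirement.
        byte[] otherMacKey = macKey.clone();
        otherMacKey[0] ^= 0x01;
        ExampleSsoTokenCodec otherServer = new ExampleSsoTokenCodec(encKey, otherMacKey);
        try { otherServer.validateTokenBytes(token, now); }
        catch (GeneralSecurityException e) { System.out.println("other server: " + e.getMessage()); }

        // An expired token is rejected even though its signature is valid.
        byte[] expired = codec.createToken("user1", now - 1);
        try { codec.validateTokenBytes(expired, now); }
        catch (GeneralSecurityException e) { System.out.println("expired token: " + e.getMessage()); }
    }
}
```

Run it with `javac ExampleSsoTokenCodec.java && java ExampleSsoTokenCodec`. The order inside validateTokenBytes is the point: AES/CBC/PKCS5Padding on its own provides confidentiality but no integrity, so the signature must be verified over the complete token before the ciphertext is touched, and the expiration must be enforced by the validator rather than trusted from the cookie. Whichever keys you pass to the constructor (the LTPA keys from initialize or your own) have to be the same on every server in the domain, exactly as the page states.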