
6.6.18.1a.6: Making LTPA-secured calls across WebSphere domains with the Java administrative console

If applications in two different WebSphere Application Server domains need to communicate, the two domains must share security information so that the servers themselves can authenticate each other. Specifically, the LTPA component of the administrative server in each domain must use the same LTPA keys. With the shared keys, a server in the called domain can decrypt and validate the LTPA security information (the token) that arrives from the calling domain. Without them, the WebSphere application server in the calling domain cannot authenticate to the application server in the called domain, and its calls are rejected.

    Note:  When using LTPA for authentication, the LTPA cookie is set with a domain name (the cookie's Domain attribute). A browser does not send this cookie with a request whose URL does not use a fully qualified host name in that domain, so a form-based login simply takes you back to the login screen. Make sure the URL uses the fully qualified host name, for example http://server.company.com rather than http://server. Note also that a cookie scoped to a domain is sent to every host in that domain, so every such host receives the token.
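The matching rule behind the note above, as an added example that is not WebSphere code: the browser attaches a cookie only if the request host domain-matches the cookie's Domain attribute (RFC 6265 section 5.1.3). The cookie domain company.com and the host names below are assumptions for illustration.

```python
"""Added example: cookie domain matching, applied to the LTPA cookie note.

This is not WebSphere code. It shows why a request to an unqualified host
name ("server") never carries a cookie whose Domain attribute is the fully
qualified domain ("company.com"), and which other hosts do receive it.
"""
import ipaddress


def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3: True if request_host domain-matches cookie_domain.

    A host matches if it is identical to the cookie domain, or if it ends
    with "." + cookie_domain and is not an IP address literal.
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")   # a leading dot is ignored
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False          # IP literals never domain-match a suffix
    except ValueError:
        pass
    return host.endswith("." + domain)


def ltpa_cookie_sent(url_host, cookie_domain="company.com"):
    """Would the browser send the LTPA cookie (Domain=cookie_domain) to url_host?

    cookie_domain is an assumed value; use the domain your servers are
    configured with.
    """
    return domain_matches(url_host, cookie_domain)


if __name__ == "__main__":
    for host in ("server", "server.company.com", "company.com",
                 "evil-company.com", "server.company.com.example", "10.0.0.5"):
        print("%-30s cookie sent: %s" % (host, ltpa_cookie_sent(host)))
```

The unqualified name "server" fails for the same reason a look-alike such as evil-company.com fails: neither equals company.com nor ends with ".company.com". Any host that does, including hosts you did not intend to trust, receives the token, which is why the key that validates it must be protected.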

See below for an example.

This article describes the procedure for making LTPA-secured calls:

  1. Generate keys
  2. Export the key information
  3. Make the file accessible to the second domain
  4. Import the key information

Generate keys

Use the Generate Keys button on the Authentication tabbed page to generate LTPA keys.

When LTPA keys are generated, you must provide a password that is used to protect the keys. This password is required when the keys are imported from a file into another WebSphere Application Server domain.

Export the key information

You must export the calling domain's LTPA keys to a file so that the key can be made available to another domain, where the keys are imported from the file.

Note:  Before LTPA keys can be exported, they must exist. They are typically created when security is enabled for the first time with LTPA as the authentication mechanism for the domain, and can be regenerated at any time by clicking the Generate Keys button. When the LTPA keys are created, you must provide a password that protects the keys in the exported file. This same password is required when the keys are imported from the file into another WebSphere Application Server domain, so keep it available. Keep in mind that regenerating the keys in one domain invalidates the keys previously shared with other domains; those domains must import the new keys before cross-domain calls work again.

To export the LTPA key information, perform these steps:

  1. Start the administrative server for the domain, if necessary.
  2. Start the administrative console, if necessary.
  3. Click on the Console action bar and then choose Security Center from the drop-down menu.
  4. Click the Authentication tab in the Security Center.
  5. Ensure that LTPA is selected as the authentication mechanism.
  6. Click the Export Key button.
  7. When prompted, specify the name and location of the file to contain the LTPA keys. You can use any file name and extension. Note the name and extension you specify; this file must later be imported by the application in the second domain.
  8. Click Save to save the file.
  9. Click Cancel to close the wizard. (This procedure has not changed any global security setting, so there are no new settings to save.)

Make the file accessible to the second domain

The file containing the exported keys must be placed where the importing administrative server can read it. For example, to move the file from one machine to another, you can copy it to removable media such as a floppy disk and install it on the second machine. This file contains the LTPA keys that every domain sharing them trusts: anyone who obtains the file together with its password can produce tokens that both domains accept. Treat it with care: transfer it over a trusted channel, restrict access to it, and remove the copies once the import is complete. Some sites have policies describing how such transfers must be done.

Import the key information

You must import the calling domain's LTPA keys from the file. This allows the called domain to decrypt and validate the security information encrypted by the calling domain.

To import the key information from a file, perform these steps:

  1. Start the administrative server for the domain, if necessary.
  2. Start the administrative console, if necessary.
  3. Click on the Console action bar and then choose Security Center from the drop-down menu.
  4. Click the Authentication tab in the Security Center.
  5. Ensure that LTPA is selected as the authentication mechanism.
  6. Click the Import Key button.
  7. When prompted, select the file that was generated during the export step.
  8. Click Open.
  9. When prompted, type the LTPA password established when initially generating the keys.
  10. Click OK to import the keys.
  11. Stop and restart the administrative server so that the imported keys take effect.

Example of LTPA-secured calls across domains

Suppose that a servlet running in Domain A needs to call an enterprise bean running in Domain B. Before this exchange can take place, the two WebSphere application servers have to exchange LTPA key information. To exchange the necessary information between the two domains, three things must be done:

  1. The keys for the LTPA component in the calling application's domain must be exported to a file. In the example scenario, the calling application is the servlet.
  2. The file must be made accessible to the administrative server of the called WebSphere Application Server domain.
  3. The key information from the calling domain must be imported by the LTPA component of the called domain. In the example scenario, the called application is the enterprise bean.
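The scenario above, modeled in code as an added example. This is not IBM's LTPA implementation and does not reproduce the LTPA token or key-file formats: the token here is an HMAC-SHA256-signed JSON payload with an expiry, and the exported key file is the key wrapped under a PBKDF2-derived key and authenticated with an HMAC. The class and function names (Domain, mint_token, cross_domain_scenario), the user name alice and the password are hypothetical. What the model does show is the sequence on this page (generate, export with a password, import with the same password, restart) and why a token from Domain A is rejected by Domain B until the keys are shared.

```python
"""Added model of LTPA key sharing across two WebSphere domains (not IBM code).

Token and key-file formats are simplified stand-ins, not the real LTPA ones.
"""
import base64
import hashlib
import hmac
import json
import os
import time


class TokenRejected(Exception):
    """The receiving domain could not validate the token."""


def _derive(password, salt):
    """Derive a wrap key and a MAC key from the export password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Domain:
    """One domain whose servers share a single symmetric LTPA-style key."""

    def __init__(self, name):
        self.name = name
        self.key = None

    def generate_keys(self):                      # "Generate Keys" button
        self.key = os.urandom(32)

    def export_keys(self, password):              # "Export Key" button
        salt = os.urandom(16)
        wrap_key, mac_key = _derive(password, salt)
        wrapped = bytes(a ^ b for a, b in zip(self.key, wrap_key))
        mac = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
        return base64.b64encode(salt + wrapped + mac).decode()

    def import_keys(self, key_file, password):    # "Import Key" button
        blob = base64.b64decode(key_file)
        salt, wrapped, mac = blob[:16], blob[16:48], blob[48:]
        wrap_key, mac_key = _derive(password, salt)
        expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("wrong LTPA password or corrupted key file")
        self.key = bytes(a ^ b for a, b in zip(wrapped, wrap_key))

    def mint_token(self, user, ttl_seconds=120, now=None):
        """Issue a token for an authenticated user (the calling side)."""
        now = time.time() if now is None else now
        payload = json.dumps({"user": user, "iss": self.name,
                              "exp": int(now + ttl_seconds)}).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64u(payload) + "." + _b64u(sig)

    def verify_token(self, token, now=None):
        """Validate a token with this domain's key and return the user."""
        now = time.time() if now is None else now
        try:
            p, s = token.split(".")
            payload, sig = _b64u_dec(p), _b64u_dec(s)
        except ValueError:
            raise TokenRejected("malformed token")
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise TokenRejected("signature does not verify under %s's key" % self.name)
        claims = json.loads(payload)
        if claims["exp"] <= now:
            raise TokenRejected("token expired")
        return claims["user"]


def cross_domain_scenario(password="ltpa-export-pw"):
    """Servlet in Domain A calls a bean in Domain B, before and after key import."""
    a, b = Domain("DomainA"), Domain("DomainB")
    a.generate_keys()
    b.generate_keys()                    # each domain starts with unrelated keys
    token = a.mint_token("alice", now=1000)
    try:
        b.verify_token(token, now=1001)
        before = "accepted"
    except TokenRejected:
        before = "rejected"
    key_file = a.export_keys(password)   # export in the calling domain
    b.import_keys(key_file, password)    # transfer file, import in called domain
    after = b.verify_token(token, now=1001)
    return before, after


if __name__ == "__main__":
    print(cross_domain_scenario())       # ('rejected', 'alice')
```

Note what the import changes: after it, Domain B accepts every token Domain A signs, and if B issues tokens with the same key, A accepts B's as well. Sharing LTPA keys makes the domains mutually trusting, and whoever holds the key file and its password can mint tokens that all of them accept; the model also rejects an import under the wrong password and a token past its expiry, which is the check each domain must still perform.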

Go to previous article: Configuring Secure Socket Layer in WebSphere Application Server Go to next article: Selecting users and groups for administrative roles with the Java administrative console