Consider the following when you configure Security for
the Liberty profile.
LTPA
- Protect file access to the LTPA keys file because it contains
the cryptographic material that is used to encrypt and decrypt the
user data. Ensure that only the server and administrators have access
to this file.
- Ensure that all servers use the same LTPA keys. In addition, make
sure that all the servers have their time and date synchronized.
- When you specify a password, ensure that it is the same password
for all servers that use the same set of LTPA keys. The password is
not used to generate the keys, but rather it is used to encrypt the
LTPA keys file to prevent the keys from being read. If you copy the
LTPA keys file to another Liberty profile server to achieve Single
Sign-On (SSO), the password is required to gain access to the keys
in the LTPA keys file. For more information about LTPA, see the Configuring LTPA on the Liberty profile topic.
Passwords
- Encrypt passwords by using the securityUtility encode command.
- If you override the default encryption key with the wlp.password.encryption.key property,
set the property in a separate configuration file that is stored outside
the normal configuration directory for the server.
Authorization
- If you specify an auth-constraint with no roles in an application,
then no one is allowed to access the resource.
- Be cautious when you specify the EVERYONE special subject, as
this specification is equivalent to not protecting a resource.
Authentication
- The timeout value for the authentication cache that is specified
in the <authCache> element must be smaller than the expiration
value for the LTPA token that is specified in the <ltpa> element.
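The LTPA, Passwords and Authentication points above, gathered into one server.xml fragment as an added illustration (not taken from the IBM documentation or product samples). The include path, the encoded key and password values, and the file names are placeholders chosen for this example; the element and attribute names are Liberty's own.

```xml
<server description="Example: LTPA, password encryption and auth cache settings">

    <!-- wlp.password.encryption.key overrides the default encryption key.
         Keep it OUT of the server's normal configuration directory and pull it
         in with an include, so it is not shipped or backed up with server.xml.
         /secure/liberty/encryption-key.xml is an assumed location for this
         example; that file would contain only:
           <server><variable name="wlp.password.encryption.key"
                             value="PLACEHOLDER-STRONG-KEY"/></server> -->
    <include location="/secure/liberty/encryption-key.xml"/>

    <!-- Passwords in configuration are encoded with securityUtility, e.g.
           securityUtility encode --encoding=aes --key=<same key as above> <password>
         The {aes} value below is a placeholder, not a real encoded string. -->

    <!-- LTPA: one keys file shared by every server in the SSO domain, protected
         by the same keysPassword everywhere. The password does not derive the
         keys; it only encrypts the keys file on disk. Restrict file permissions
         on the keys file to the server user and administrators (for example
         chmod 600 on Unix), and keep server clocks in sync, because token
         expiry is compared against each server's local time.
         expiration is the token lifetime; 120m is used here explicitly. -->
    <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
          keysPassword="{aes}PLACEHOLDER_ENCODED_KEYS_PASSWORD"
          expiration="120m"/>

    <!-- Authentication cache: timeout MUST be smaller than the LTPA token
         expiration above, otherwise a cached authentication can outlive the
         token that produced it. 10m < 120m satisfies the rule.
         A value such as timeout="180m" here would violate it. -->
    <authCache timeout="10m"/>

</server>
```

If the encryption key file is missing, the `{aes}` values cannot be decoded and the server fails to read the keys file, which is the intended fail-closed behaviour rather than a fallback to the default key.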