Configuring LTPA on the Liberty profile

You can configure a Liberty profile server to use a specific Lightweight Third Party Authentication (LTPA) keys file, user-defined password, and expiration time.

About this task

The LTPA is configured by default when security is enabled for a Liberty profile server for the first time. The default location of the automatically generated LTPA keys file is ${server.output.dir}/resources/security/ltpa.keys. The LTPA keys are encrypted with a randomly generated key and a default password of WebAS is initially used to protect the keys. The password is required when importing the LTPA keys into another server. To protect the security of the LTPA keys, you must change the password. When the LTPA keys are exchanged between servers, this password must match across the servers for Single Sign On (SSO) to work.

The default expiration timeout is 120 minutes. The expiration value refers to how long the LTPA tokens are valid before they expire.

Fix Pack 8501 To enable dynamic reloading of the LTPA keys when copying an LTPA keys file from another server, you can specify a file monitor interval before copying the LTPA keys file. The monitor interval value refers to how often the LTPA keys file is monitored for updates.

For more information about LTPA, see LTPA concept in the Liberty profile.

Procedure

  1. Configure the <ltpa> element in the server.xml file as follows, replacing the sample values in the example with your values:
    <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword" expiration="120" />
  2. Optional: Fix Pack 8501 Set the monitorInterval attribute to check the ltpa.keys file for key changes to be dynamically reloaded. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). In the following example, the LTPA keys file is checked for changes to be dynamically reloaded every 5 seconds:
    <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword"
          expiration="120" monitorInterval="5s" />
  3. Encode the password within the configuration. You can get the encoded value by using the securityUtility encode command.
  4. Optional: Fix Pack 8501 Copy an existing LTPA keys file to the location specified in the keysFileName attribute. The default value is ${server.output.dir}/resources/security/ltpa.keys.

    For more information on <ltpa> element, see Liberty profile: Configuration elements in the server.xml file.
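As an added example that is not part of the original page, the following script audits the <ltpa> element against the points in the procedure above: the keysPassword must hold the securityUtility encode output rather than plain text, expiration is a positive number of minutes, and monitorInterval is a positive integer with an h, m or s unit. The server.xml fragments are constructed for the example, and "{xor}PLACEHOLDER" / "{aes}PLACEHOLDER" are placeholder tokens, not real encoded passwords.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not from the original page).
# "{xor}PLACEHOLDER" stands in for the value securityUtility encode prints;
# it is not a real encoding of any password.
SAMPLE_PLAIN = ('<server><ltpa keysFileName="yourLTPAKeysFileName.keys" '
                'keysPassword="keysPassword" expiration="120" monitorInterval="5s"/></server>')
SAMPLE_ENCODED = ('<server><ltpa keysFileName="ltpa.keys" '
                  'keysPassword="{xor}PLACEHOLDER" expiration="120" monitorInterval="5s"/></server>')
SAMPLE_BAD_INTERVAL = ('<server><ltpa keysFileName="ltpa.keys" '
                       'keysPassword="{aes}PLACEHOLDER" expiration="120" monitorInterval="5"/></server>')

# Positive integer followed by h, m or s, as step 2 of the procedure requires.
INTERVAL_RE = re.compile(r"^[1-9][0-9]*[hms]$")
# Prefixes that securityUtility encode produces for its reversible encodings.
ENCODED_PREFIXES = ("{xor}", "{aes}")


def audit_ltpa(server_xml):
    """Return a list of findings for the <ltpa> element; an empty list means it passes."""
    findings = []
    ltpa = ET.fromstring(server_xml).find("ltpa")
    if ltpa is None:
        # Without an <ltpa> element the defaults apply, including the default password.
        return ["no <ltpa> element: default keys file, password and 120 minute expiration apply"]

    password = ltpa.get("keysPassword")
    if password is None:
        findings.append("keysPassword not set: the default password still protects the keys")
    elif not password.startswith(ENCODED_PREFIXES):
        findings.append("keysPassword is plain text: store the securityUtility encode output instead")

    # The page gives expiration as an integer number of minutes; check that form.
    expiration = ltpa.get("expiration")
    if expiration is not None and not (expiration.isdigit() and int(expiration) > 0):
        findings.append("expiration must be a positive number of minutes, got %r" % expiration)

    interval = ltpa.get("monitorInterval")
    if interval is not None and not INTERVAL_RE.match(interval):
        findings.append("monitorInterval must be a positive integer with unit h, m or s, got %r" % interval)
    return findings


if __name__ == "__main__":
    samples = (("plain", SAMPLE_PLAIN), ("encoded", SAMPLE_ENCODED), ("bad interval", SAMPLE_BAD_INTERVAL))
    for name, xml in samples:
        print(name, audit_ltpa(xml) or ["ok"])
```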





Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-iseries&topic=twlp_sec_ltpa
File name: twlp_sec_ltpa.html