You use the WebSphere® Application
Server administrative console to configure the Rivest Shamir Adleman
(RSA) token authentication mechanism. The RSA token authentication
mechanism can only be used for administrative requests. As such, the
authentication mechanism choices for administrative authentication
are part of the Global Security panel of the
administrative console.
Before you begin
The RSA token authentication mechanism is the default selection
for the application server, administrative agent, and job manager
profiles. LTPA is still the default for the deployment manager profile
to preserve the same behavior for the existing topology.
About this task
You configure Lightweight Third-Party Authentication (LTPA) and Kerberos, as well as RSA token
authentication, on the main authentication mechanism panels of the administrative console.
During registration of a base profile with the administrative agent, the trusted
certificates on both sides are updated with the root signer for the other. The same process occurs
during registration of an administrative agent or deployment manager with a job manager. When
removing the registration, the trusted signers are removed from both sides so that trust is no
longer established.
By default, the RSA mechanism is set up correctly during the registration
tasks, such as registerNode or registerWithJobManager. No further
actions are necessary to establish trust within these environments. However, if you must establish
trust between two base servers or between two admin agents, for example, you can use the following
steps to further configure the RSA token authentication mechanism:
Procedure
- Click Security > Global security. Under Administrative
security, click the Administrative authentication link.
- Select the RSA token radio button. Select a data encryption
keystore from the drop-down list. This option is recommended
for flexible systems administration.
- Optional: To exchange the root signers between
two base servers:
  - Select the root keystore from the Data encryption keystore drop-down list (such as
  NodeRSATokenRootStore).
  - Click Extract Signer.
  - Enter a fully qualified name in the Certificate file name field.
  - Click OK.
- Optional: Transfer the extracted root signer
to the other server, and add it to that server's trusted signers keystore:
  - Select the trusted keystore from the drop-down list (such as
  NodeRSATokenTrustedStore).
  - Click Add Signer.
  - Enter a unique name for the Alias.
  - Enter a fully qualified name for the signer key file.
  - Click OK.
- Enter the nonce cache timeout value.
- Enter the token timeout value.
- Click Apply and Save.
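The signer exchange in steps 3 and 4, as an added wsadmin (Jython) example that is not part of the IBM page: it builds the AdminTask parameter strings for extracting the root signer from NodeRSATokenRootStore on one base server and adding it to NodeRSATokenTrustedStore on the other, and refuses to add the transferred file unless its fingerprint matches a value confirmed with the source server's administrator out of band. The AdminTask command and parameter names, the root certificate alias and the keystore scope strings are assumptions about the wsadmin interface, not taken from this page.

```python
# Added example, not from the IBM page. Assumed wsadmin interface: AdminTask.extractSignerCertificate
# and AdminTask.addSignerCertificate with -keyStoreName, -keyStoreScope, -certificateAlias,
# -certificateFilePath and -base64Encoded; the root signer alias 'root'; scope strings such as
# '(cell):serverACell:(node):serverANode'. Runs under wsadmin -lang jython (2.5+) or plain Python.
import base64
import hashlib
import re

ROOT_STORE = 'NodeRSATokenRootStore'        # data encryption keystore on the source server
TRUSTED_STORE = 'NodeRSATokenTrustedStore'  # trusted signers keystore on the receiving server


def extract_params(scope, cert_file, alias='root'):
    """Parameters for AdminTask.extractSignerCertificate (step 3, source server)."""
    return ('[-keyStoreName %s -keyStoreScope %s -certificateAlias %s '
            '-certificateFilePath %s -base64Encoded true]'
            % (ROOT_STORE, scope, alias, cert_file))


def add_params(scope, cert_file, alias):
    """Parameters for AdminTask.addSignerCertificate (step 4, receiving server)."""
    return ('[-keyStoreName %s -keyStoreScope %s -certificateAlias %s '
            '-certificateFilePath %s -base64Encoded true]'
            % (TRUSTED_STORE, scope, alias, cert_file))


def fingerprint(pem_text):
    """SHA-256 fingerprint (upper-case, colon-separated) of the first PEM certificate
    in the extracted signer file, for comparison with the value the source server's
    administrator supplies out of band."""
    m = re.search(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----',
                  pem_text, re.S)
    if m is None:
        raise ValueError('no PEM certificate found in signer file')
    der = base64.b64decode(''.join(m.group(1).split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ':'.join([hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)])


def add_trusted_signer(admin_task, scope, cert_file, alias, expected_fp):
    """Receiving side: add the transferred signer only if its fingerprint matches."""
    actual = fingerprint(open(cert_file).read())
    if actual != expected_fp:
        raise ValueError('signer fingerprint mismatch: %s != %s' % (actual, expected_fp))
    admin_task.addSignerCertificate(add_params(scope, cert_file, alias))
    return actual

# Usage (constructed paths and scopes), in the wsadmin session of each server:
#   server A:  AdminTask.extractSignerCertificate(
#                  extract_params('(cell):serverACell:(node):serverANode', '/tmp/serverA-root.arm'))
#   server B, after the file is transferred and the fingerprint is confirmed out of band:
#   add_trusted_signer(AdminTask, '(cell):serverBCell:(node):serverBNode',
#                      '/tmp/serverA-root.arm', 'serverA-root', expected_fp); AdminConfig.save()
```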
Results
You have configured the RSA token authentication mechanism.