6.6.18.1a.6: Making LTPA-secured calls across WebSphere domains with the Java administrative console
If applications in two different WebSphere Application Server domains
need to be able to communicate, the two WebSphere application servers must
share security information so that the servers themselves can
communicate. Specifically, the LTPA component of the administrative
servers in both domains must use the same LTPA key. This allows the two
servers to communicate securely with each other, and it allows the called server
to decrypt security information from the calling server. Otherwise, the WebSphere
application server in the calling domain cannot authenticate
to the application server in the called domain.
Note: When using LTPA for authentication, the cookies are set with a domain name.
Any URL without a fully qualified host name will not receive this cookie.
A form-based login will take you back to the login screen. Make sure
you specify the fully qualified host name, as in http://server.company.com, in
the URL.
See below for an example.
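The login loop described in the note follows from ordinary browser cookie domain matching: a cookie carrying a Domain attribute is only sent back to hosts that domain-match it, and a bare host name such as "server" never matches "company.com". The following is an added illustration, not code from the InfoCenter or from WebSphere; it implements the domain-matching rule of RFC 6265 section 5.1.3 and applies it to the kinds of URLs the note contrasts. The cookie domain value is a constructed example, not a real site's setting.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed example value (assumption): the Domain attribute the server
# places on the LTPA token cookie. The real value is site-specific.
LTPA_COOKIE_DOMAIN = ".company.com"


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Browser-style domain matching (RFC 6265 section 5.1.3).

    True when the request host equals the cookie domain, or when the host is
    a DNS name ending in "." + cookie domain. IP literals never suffix-match.
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == domain:
        return True
    try:
        ip_address(host)
        return False  # an IP address does not domain-match a DNS suffix
    except ValueError:
        pass
    # The dot anchors the comparison: "evilcompany.com" must not match.
    return host.endswith("." + domain)


def receives_ltpa_cookie(url: str, cookie_domain: str = LTPA_COOKIE_DOMAIN) -> bool:
    """Would a browser attach the LTPA cookie to a request for this URL?"""
    host = urlsplit(url).hostname or ""
    return domain_matches(host, cookie_domain)


if __name__ == "__main__":
    for url in ("http://server.company.com/app/",   # fully qualified: cookie sent
                "http://server/app/",               # short name: cookie withheld
                "http://192.0.2.10/app/"):          # IP literal: cookie withheld
        print(f"{url:40} -> {receives_ltpa_cookie(url)}")
```

Only the first URL receives the cookie; a request to the short host name arrives without the LTPA token, so the server treats the user as unauthenticated and presents the login form again.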
This article describes the procedure for making LTPA-secured calls:
- Generate keys
- Export the key information
- Make the file accessible to the second domain
- Import the key information
Use the Generate Keys button on the Authentication tabbed
page to generate LTPA keys.
When LTPA keys are generated, you must provide a password that is used
to protect the keys. This password is required when the keys are imported from a file
into another WebSphere Application Server domain.
You must export the calling domain's LTPA keys to a file
so that the key can be made available to another domain,
where the keys are imported from the file.
Before LTPA keys can be exported, they have to be created.
Such keys are typically created when security is enabled for the first time
using the LTPA authentication mechanism for the domain, or can
be created any time by clicking the Generate Keys button. When the LTPA keys are created,
you must provide a password that is used to protect the keys. This
password is required when the keys are imported from a file
into another application, so you must have this password.
To export the LTPA key information, perform these steps:
- Start the administrative server for the domain, if necessary.
- Start the administrative console, if necessary.
- Click on the Console
action bar and then choose Security Center from the drop-down
menu.
- Click the Authentication tab in the Security Center.
- Ensure that LTPA is selected as the authentication mechanism.
- Click the Export Key button.
- When prompted, specify the name and location of the file
to contain the LTPA keys. You can use any file name and extension.
Note the name and extension you specify; this file must later
be imported by the application in the second domain.
- Click Save to save the file.
- Click Cancel to close the wizard. (This procedure
has not changed any global security setting, so there are no
new settings to save.)
The file containing the exported keys must be installed in a location
where the importing administrative server can find it. For example, to move the
file from one machine to another, you can put it on a floppy disk and
install it on the second machine. This file contains security keys,
so treat it with care. Some sites have policies describing how
such transfers can be done.
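The exported file holds the LTPA keys in password-protected form, and the procedure above leaves the transfer mechanism to the site. Two checks that a site policy for such transfers usually asks for are that the copy is readable only by the administrator who stages it and that the receiving side can confirm the file arrived unmodified. The script below is an added example, not part of the InfoCenter text or of WebSphere's tooling; it stages a copy of an exported key file with owner-only permissions, records its SHA-256 digest for out-of-band comparison, and verifies a received copy against that digest. The file content it creates for the demonstration is constructed and is not a real LTPA key file.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_key_file(src: Path, dst: Path) -> str:
    """Copy the exported key file to a staging location with owner-only
    permissions and return its digest for the receiving administrator.
    On non-POSIX systems chmod has limited effect; the digest still applies."""
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dst)
    os.chmod(dst, 0o600)
    return file_digest(dst)


def verify_key_file(received: Path, expected_digest: str) -> bool:
    """On the importing side: confirm the copy matches the recorded digest
    before it is offered to the Import Key dialog."""
    return received.is_file() and file_digest(received) == expected_digest


def demo() -> dict:
    """Run the stage/verify flow on a constructed file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        exported = tmp / "calling-domain-export.key"
        # Constructed placeholder content; a real export is produced by the console.
        exported.write_bytes(b"PLACEHOLDER exported LTPA key material\n")

        staged = tmp / "transfer" / "ltpa-keys.key"
        digest = stage_key_file(exported, staged)
        mode_ok = os.name != "posix" or (staged.stat().st_mode & 0o077) == 0

        # Simulate a copy that was altered in transit.
        tampered = tmp / "transfer" / "tampered.key"
        tampered.write_bytes(b"PLACEHOLDER exported LTPA key material?\n")

        return {
            "digest_len": len(digest),
            "mode_ok": mode_ok,
            "intact_verifies": verify_key_file(staged, digest),
            "tampered_verifies": verify_key_file(tampered, digest),
            "missing_verifies": verify_key_file(tmp / "absent.key", digest),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The digest is communicated separately from the file (for example, read out over the phone or sent through a different channel), so that a copy altered in transit fails verify_key_file before anyone types the LTPA password into the import dialog.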
You must import the LTPA keys of the calling domain from the
file. This allows the called domain to decrypt information
encrypted by the calling domain.
To import the key information from a file, perform these steps:
- Start the administrative server for the domain, if necessary.
- Start the administrative console, if necessary.
- Click on the Console
action bar and then choose Security Center from the drop-down
menu.
- Click the Authentication tab in the Security Center.
- Ensure that LTPA is selected as the authentication mechanism.
- Click the Import Key button.
- When prompted, select the file that was generated
during the export step.
- Click Open.
- When prompted, type the LTPA password established when
initially generating the keys.
- Click OK to import the keys.
- Stop and restart the administrative server.
Suppose that a servlet running in Domain
A needs to call an enterprise bean running in Domain B.
Before this exchange can take place, the two WebSphere application
servers have to exchange LTPA key information. To exchange the necessary
information between the two domains, three things must be done:
- The keys for the LTPA component in the calling application's
domain must be exported to a file. In the example scenario,
the calling application is the servlet.
- The file must be made accessible to the administrative server
of the called WebSphere Application Server domain.
- The key information from the calling domain must be imported
by the LTPA component of the called domain. In the example
scenario, the called application is the enterprise bean.