File name: tsec_altpagen.html
Generating Lightweight Third Party Authentication keys
WebSphere Application Server generates Lightweight Third Party Authentication (LTPA) keys automatically during the first server startup. You can generate additional keys as you need them in the Authentication mechanisms and expiration panel.
Before you begin
At runtime, the default key sets are CellLTPASecret and CellLTPAKeyPair. The default key group is CellLTPAKeySetGroup. After generation, keys are stored in the default key store CellLTPAKeys.
About this task
Complete the following steps to generate new LTPA keys in the administrative console.
Procedure
- Access the administrative console. Type http://server_name:port_number/ibm/console in a Web browser to access the administrative console.
- Verify that all the WebSphere Application Server processes are running, including the cell, nodes, and application servers.
Important: If any of the servers are down at the time of key generation and are restarted later, these servers might still contain the old keys. After you generate the new keys, copy them to these servers before you restart them.
- Click Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration.
- Click Generate keys to generate a new set of LTPA keys in the local keystore and update the runtime with the new keys. By default, LTPA keys are regenerated on a schedule every 90 days, configurable to the day of the week. Each new set of LTPA keys is stored in the keystore that is associated with the key set group. The same password that is already stored in the configuration is used when you generate new keys.
Tip: This step is not necessary when you enable security because, by default, a set of keys is created during the first server startup. However, the keystore should hold at least two sets of keys: the old keys can still be used for validation while the new keys are being distributed. If any nodes are down during a key generation event, synchronize those nodes with the Deployment Manager before restarting the server.
- Restart the server for the changes to become active.
Results
If the Dynamically update the runtime when SSL configuration changes check box is checked in the administrative console, then the new keys are loaded automatically.
Reminder: Having the check box checked is the default setting.
If the Dynamically update the runtime when SSL configuration changes check box is NOT checked in the administrative console and you want changes that you make to an existing SSL configuration to take effect, then restart the WebSphere Application Server to use the generated keys. Token generation uses the keys that were last imported. To view the latest key version, see Activating Lightweight Third Party Authentication key versions.
What to do next
You must recycle the node agents and application servers to accept the new keys. If any of the node agents are down, run a manual file synchronization utility from the node agent machine to synchronize the security configuration from the deployment manager.
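The Tip in the procedure (keep at least two key sets so old tokens still validate during distribution) and the note above (a node agent that was down during generation holds stale keys until it is synchronized) describe one key-rollover mechanism. The following is an added, simplified model of that mechanism written for this page; it is not WebSphere code and does not reproduce the real LTPA token format. The KeyRing class, its HMAC-based token, the retain window and the snapshot/copy_keys_from helpers are all assumptions made to illustrate the behaviour.

```python
import base64
import copy
import hashlib
import hmac
import json
import os
import time


class KeyRing:
    """Simplified model of a key set group (assumption, not the LTPA format):
    an ordered list of key versions. The newest version signs new tokens;
    every retained version is accepted for validation, so tokens issued
    under the previous key stay valid while the new key is distributed."""

    def __init__(self, retain=2):
        self.retain = retain      # number of key versions kept for validation
        self.versions = []        # [(version_number, key_bytes)], oldest first

    def generate_key(self):
        """Model of clicking Generate keys: add a version, drop the oldest
        versions that fall outside the retention window."""
        version = self.versions[-1][0] + 1 if self.versions else 1
        self.versions.append((version, os.urandom(32)))
        self.versions = self.versions[-self.retain:]
        return version

    def current_version(self):
        return self.versions[-1][0]

    def snapshot(self):
        """Copy of the ring as held by a server that is down during generation."""
        return copy.deepcopy(self)

    def copy_keys_from(self, other):
        """Model of the manual file synchronization from the deployment manager."""
        self.versions = copy.deepcopy(other.versions)

    @staticmethod
    def _mac(key, version, body):
        return hmac.new(key, f"{version}.{body}".encode(), hashlib.sha256).hexdigest()

    def sign(self, claims, ttl_seconds=7200):
        """Issue a token under the newest key: version.base64(payload).hmac."""
        version, key = self.versions[-1]
        payload = dict(claims, exp=int(time.time()) + ttl_seconds)
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        return f"{version}.{body}.{self._mac(key, version, body)}"

    def validate(self, token, now=None):
        """Return the claims if the token was signed with a key version this
        server holds and has not expired; otherwise return None."""
        try:
            version_str, body, mac = token.split(".")
            version = int(version_str)
        except ValueError:
            return None
        key = dict(self.versions).get(version)
        if key is None:
            return None      # signed with a key version this server does not hold
        if not hmac.compare_digest(mac, self._mac(key, version, body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= (now if now is not None else int(time.time())):
            return None
        return claims


def rollover_demo(retain=2):
    """Walk through a key generation with one node down, returning which
    validations succeed at each stage."""
    dmgr = KeyRing(retain=retain)
    dmgr.generate_key()                          # keys created at first startup
    old_token = dmgr.sign({"user": "alice"})     # issued before the rollover
    stale_node = dmgr.snapshot()                 # this node is down during generation
    dmgr.generate_key()                          # administrator clicks Generate keys
    results = {
        "old_token_still_valid": dmgr.validate(old_token) is not None,
        "new_token_on_stale_node": stale_node.validate(dmgr.sign({"user": "bob"})) is not None,
    }
    stale_node.copy_keys_from(dmgr)              # manual sync, then restart the node
    results["new_token_after_sync"] = stale_node.validate(dmgr.sign({"user": "bob"})) is not None
    return results


if __name__ == "__main__":
    print(rollover_demo())
```

With retain=2 the token issued before generation still validates on the deployment manager, the un-synchronized node rejects tokens signed with the new key until its keys are copied over, and with retain=1 the pre-rollover token is rejected immediately, which is the situation the Tip warns against.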