Configuring the Lightweight Third Party Authentication mechanism

You must configure Lightweight Third Party Authentication (LTPA) when you set up security for the first time. LTPA is the default authentication mechanism for WebSphere Application Server.

Procedure

  1. Open the administrative console.

    [AIX HP-UX Linux Solaris Windows] [z/OS] Type http://fully_qualified_host_name:port_number/ibm/console to access the administrative console in a Web browser.

    [iSeries] Type http://server_name:port_number/ibm/console to access the administrative console in a Web browser.

    Port 9060 is the default port number for accessing the administrative console. During installation, however, you might have specified a different port number. Use the appropriate port number.

  2. Click Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration.
  3. Select the appropriate group from the Key set group field that contains your public, private, and shared LTPA keys. These keys sign and encrypt the LTPA tokens that servers exchange, so every server that must accept a token has to hold the same key set. You can access these key set group configurations using the Key set group link. In the Key set group configuration, you can indicate whether to automatically generate new keys and when to generate them.
  4. Enter a positive integer value in the Authentication cache timeout field.

    This timeout value determines how long the authenticated credential in the cache remains valid.

    The optimal value for this field depends on your configuration.

    You must consider the following effects of this value on your configuration:
    • Larger authentication cache timeout values increase the security risk. For example, if you revoke a user in the user registry or repository, that user can continue to log in to the administrative console with the credential that is still in the authentication cache until the cached entry expires.
    • Smaller authentication cache timeout values can affect performance. When this value is smaller, the application server accesses the user registry or repository more frequently.
    • A larger number of entries in the authentication cache, caused by an increased number of users, increases the memory that the cache uses, which can slow down the application server and affect performance.
    You can limit the size of the authentication cache by setting the com.ibm.websphere.security.util.authCacheMaxSize custom property. Use this custom property and tune the authentication cache timeout value to balance your security risk and performance needs. For more information on the com.ibm.websphere.security.util.authCacheMaxSize custom property, see the documentation about the security cache properties.

    The value that you specify for this field must be less than the value specified for the Timeout value for forwarded credentials between servers field.

    The default value is 10 minutes.

  5. Enter a positive integer in the Timeout value for forwarded credentials between servers field.

    This value refers to how long the server credentials from another server are valid before they expire. The default value is 120 minutes. The value in the Timeout value for forwarded credentials between servers field must be greater than the value in the Authentication cache timeout field.

  6. Click Apply or OK. The LTPA configuration is now set. Do not generate the LTPA keys in this step because they are automatically generated later. Proceed with the rest of the steps that are required to enable security, and start with single sign-on (SSO), if it is required.
  7. Complete the information in the Security > Secure administration, applications, and infrastructure panel and click OK. The LTPA keys are generated automatically the first time. Do not generate the keys manually.
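The console enforces the relationship between the two timeouts in steps 4 and 5, but a security.xml that is edited by hand or written by a wsadmin script is not checked. The following Python audit is an added example for this topic (it is not IBM code) and applies the same checks offline: the authentication cache timeout must be shorter than the forwarded-credential timeout, a large cache timeout keeps revoked users logged in, the cache should be bounded with the com.ibm.websphere.security.util.authCacheMaxSize property, and the LTPA mechanism must reference a key set group. It assumes that the Security element stores cacheTimeout in seconds and the LTPA authMechanisms element stores timeout in minutes (the console shows both in minutes); the two documents embedded in the script are constructed samples, not files taken from a real cell.

```python
"""Offline audit of the LTPA settings in a WebSphere security.xml.

Added example, not IBM's code.  Assumptions: Security/@cacheTimeout is in
seconds and the LTPA authMechanisms/@timeout is in minutes; the sample
documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"
SECURITY = "{http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi}"
AUTH_CACHE_MAX_SIZE = "com.ibm.websphere.security.util.authCacheMaxSize"

HEADER = (
    '<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" '
    'xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" '
)

# Constructed sample: the defaults from the procedure (10 min cache,
# 120 min forwarded credentials), cache bounded, SSO cookie restricted to SSL.
GOOD_SECURITY_XML = HEADER + """xmi:id="Security_1" enabled="true"
    appEnabled="true" cacheTimeout="600" activeAuthMechanism="LTPA_1">
  <authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" timeout="120"
      keySetGroup="KeySetGroup_1">
    <singleSignon xmi:id="SingleSignon_1" requiresSSL="true" enabled="true"/>
  </authMechanisms>
  <properties xmi:id="Property_1"
      name="com.ibm.websphere.security.util.authCacheMaxSize" value="25000"/>
</security:Security>
"""

# Constructed sample of a hand-edited file the console would have rejected:
# the cache outlives the forwarded credentials and nothing bounds it.
BAD_SECURITY_XML = HEADER + """xmi:id="Security_1" enabled="true"
    appEnabled="true" cacheTimeout="7200" activeAuthMechanism="LTPA_1">
  <authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" timeout="60"
      keySetGroup="KeySetGroup_1">
    <singleSignon xmi:id="SingleSignon_1" requiresSSL="false" enabled="true"/>
  </authMechanisms>
</security:Security>
"""


def audit_ltpa(security_xml, max_cache_minutes=30):
    """Return the effective timeouts plus a list of findings (empty = clean)."""
    root = ET.fromstring(security_xml)
    if root.tag != SECURITY + "Security":
        raise ValueError("root element is not security:Security")
    findings = []

    # The active mechanism is referenced by xmi:id and must be the LTPA entry.
    active_id = root.get("activeAuthMechanism")
    ltpa = next((m for m in root.findall("authMechanisms")
                 if m.get(XMI + "id") == active_id), None)
    if ltpa is None or ltpa.get(XMI + "type") != "security:LTPA":
        raise ValueError("active authentication mechanism is not LTPA")

    cache_s = int(root.get("cacheTimeout", "600"))       # seconds (assumed)
    forwarded_min = int(ltpa.get("timeout", "120"))      # minutes (assumed)
    if cache_s >= forwarded_min * 60:
        findings.append("authentication cache timeout (%ds) must be less than the "
                        "forwarded-credential timeout (%d min)" % (cache_s, forwarded_min))
    if cache_s > max_cache_minutes * 60:
        findings.append("cache timeout of %d min lets a user revoked in the registry "
                        "keep a cached credential that long" % (cache_s // 60))

    if not ltpa.get("keySetGroup"):
        findings.append("LTPA mechanism references no key set group (step 3)")

    # SSO is a follow-on step, but an LTPA cookie over plain HTTP is the same risk.
    sso = ltpa.find("singleSignon")
    if sso is not None and sso.get("enabled") == "true" and sso.get("requiresSSL") != "true":
        findings.append("SSO is enabled but requiresSSL is false; the LtpaToken "
                        "cookie can be sent over plain HTTP")

    max_size = next((p.get("value") for p in root.findall("properties")
                     if p.get("name") == AUTH_CACHE_MAX_SIZE), None)
    if max_size is None:
        findings.append("%s is not set; cache growth is bounded only by the heap"
                        % AUTH_CACHE_MAX_SIZE)

    return {"cache_timeout_seconds": cache_s,
            "forwarded_timeout_minutes": forwarded_min,
            "auth_cache_max_size": None if max_size is None else int(max_size),
            "findings": findings}


if __name__ == "__main__":
    for label, doc in (("good", GOOD_SECURITY_XML), ("bad", BAD_SECURITY_XML)):
        print(label, audit_ltpa(doc)["findings"] or ["OK"])
```

Run it against profile_root/config/cells/cell_name/security.xml after a change; the max_cache_minutes threshold is a local policy choice, not a product limit, so adjust it to how long your organization tolerates a revoked account staying usable.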

Results

The previous steps configured LTPA.

What to do next

After configuring LTPA, you can also complete the following tasks:

  1. Generate key files. For more information, see Generating Lightweight Third Party Authentication keys.
  2. Export key files. For more information, see Exporting Lightweight Third Party Authentication keys.
  3. Import key files. For more information, see Importing Lightweight Third Party Authentication keys.
  4. Manage LTPA keys from multiple cells. For more information, see Managing LTPA keys from multiple WebSphere Application Server cells.
  5. If you are enabling security, you can also enable single sign-on (SSO). See:
  6. If you generated a new set of keys or imported a new set of keys, verify that the keys are saved to the master configuration by clicking Save at the top of the panel.
  7. Because LTPA authentication uses time-sensitive tokens, verify that the time, date, and time zone are synchronized among all of the product servers that are participating in the protected domain, for example with an operating-system time service such as NTP. Changes to the time, date, and time zone are made independently from WebSphere Application Server. If the clock skew between servers is too high, an LTPA token appears to have expired prematurely on the receiving server and causes authentication or validation failures.


Last updated: Aug 31, 2013 1:23:07 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=tsecltpa
File name: tsec_ltpa.html