Authentication mechanisms and expiration

Use this page to specify the shared keys and configure the authentication mechanism that is used to exchange information between servers. You can also use this page to specify the amount of time that the authentication information remains valid and specify the single sign-on configuration.

To view this administrative console page, complete the following steps:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under Authentication, click Authentication mechanisms and expiration.
After you configure the properties on this page, complete the following steps:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Verify that the appropriate registry is configured.
  3. Click Apply. When security is enabled and any of these properties change, return to the Secure administration, applications, and infrastructure panel and click Apply to validate the changes.

Configuration tab

Key set group

Specifies groups of public, private, and shared keys. These key groups enable the application server to manage multiple sets of Lightweight Third Party Authentication (LTPA) keys.

Generate Keys

Specifies whether to generate a new set of LTPA keys in the configured keystore, and to update the runtime with the new keys. By default, LTPA keys are regenerated on a schedule every 90 days, configurable to the day of the week.

Each new set of LTPA keys is stored in the keystore associated with the key set group. You can configure the maximum number of keys to retain (even a single key). However, it is recommended to retain at least two keys, so that the old keys can still validate tokens while the new keys are being distributed.

This step is not necessary during security enablement. A default set of keys is created during the first server startup. If any nodes are down during a key generation event, the nodes should be synchronized with the Deployment Manager before restart.
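As an added illustration (not WebSphere's LTPA implementation), the following toy key set group retains up to a configurable number of HMAC keys; a token issued under the previous key still validates after a scheduled regeneration only when at least two keys are kept, which is the reason for the recommendation above. Key identifiers and the token layout are constructed for this example.

```python
# Added illustration (not WebSphere's LTPA code): a key set group that retains
# up to max_keys HMAC keys, so tokens issued under the previous key still
# validate after a regeneration as long as that key has not been retired.
import hmac
import hashlib
import secrets
import collections

class KeySetGroup:
    def __init__(self, max_keys):
        self.max_keys, self.generation = max_keys, 0
        self.keys = collections.OrderedDict()   # key_id -> secret, oldest first
        self.generate_keys()                    # default key set at first start

    def generate_keys(self):
        """Scheduled regeneration: add a new key and drop the oldest beyond max_keys."""
        self.generation += 1
        self.keys[f"k{self.generation}"] = secrets.token_bytes(32)
        while len(self.keys) > self.max_keys:
            self.keys.popitem(last=False)       # retire the oldest key
        return f"k{self.generation}"

    def current_key_id(self):
        return next(reversed(self.keys))        # newest key signs new tokens

    def issue_token(self, user):
        key_id = self.current_key_id()
        body = f"{key_id}:{user}".encode()
        mac = hmac.new(self.keys[key_id], body, hashlib.sha256).hexdigest()
        return f"{key_id}:{user}:{mac}"

    def validate_token(self, token):
        """Return the user if a retained key verifies the token, else None."""
        key_id, user, mac = token.split(":", 2)
        secret = self.keys.get(key_id)
        if secret is None:
            return None                         # issuing key already retired
        body = f"{key_id}:{user}".encode()
        expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(mac, expected) else None

def survives_rotation(max_keys):
    """Does a token issued before a regeneration still validate afterwards?"""
    group = KeySetGroup(max_keys)
    token = group.issue_token("alice")
    group.generate_keys()
    return group.validate_token(token) == "alice"
```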

Authentication cache timeout

Specifies the time period during which the authenticated credential in the cache is valid. This time period must be less than the time period specified for the Timeout value for forwarded credentials between servers field.

If the application server infrastructure security is enabled, the authentication cache timeout can influence performance. The timeout setting specifies how often to refresh the security-related caches. Security information pertaining to beans, permissions, and credentials is cached. When the cache timeout expires, all cached information not accessed within the timeout period is purged from the cache. Subsequent requests for the information result in a database lookup. Sometimes, acquiring the information requires invoking a Lightweight Directory Access Protocol (LDAP)-bind or native authentication. Both invocations are relatively costly operations for performance.

You must consider the following effects of this value on your configuration:
  • Larger authentication cache timeout values can increase the security risk. For example, you might revoke a user in the user registry or repository. However, the revoked user can log into the administrative console using the credential that is cached in the authentication cache until the cache is refreshed.
  • Smaller authentication cache timeout values can affect performance. When this value is smaller, the application server accesses the user registry or repository more frequently.
  • A larger number of entries in the authentication cache, caused by an increased number of users, increases the memory usage of the authentication cache. Thus, the application server might slow down and performance might suffer.
You can limit the size of the authentication cache by setting the com.ibm.websphere.security.util.authCacheMaxSize custom property. Use this custom property and tune the authentication cache timeout value to balance your security risk and performance needs. For more information on the com.ibm.websphere.security.util.authCacheMaxSize custom property, see the documentation about the security cache properties.
Data type: Integer
Units: Minutes and seconds
Default: 10 minutes
Range: Greater than 30 seconds
Avoid trouble: There is no relationship between the authentication cache timeout value and the ORB request timeout value.

Timeout value for forwarded credentials between servers

Specifies the period of time during which the server credentials from another server are valid. After this time period expires, the server credential from the other server must be revalidated.

Specify a value for this field that is greater than the value specified for the Authentication cache timeout field.

It is also recommended that the value for this field be set higher than the ORB request timeout value.

Data type: Integer
Units: Minutes and seconds
Default: 120 minutes
Range: An integer between 5 and 35971
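The following added example (not part of the product) models the rules stated for the Authentication cache timeout and Timeout value for forwarded credentials fields: the check reports configurations that violate the ranges and ordering given above, and a toy authentication cache shows how long a user revoked in the registry is still accepted from the cache. The ORB request timeout argument is an assumption, used only for the ordering check.

```python
# Added illustration (not WebSphere code): a consistency check for the two
# timeout fields on this page, plus a toy model of the authentication cache.
MIN_CACHE_TIMEOUT_S = 30          # page: "Range: Greater than 30 seconds"
FORWARDED_RANGE_MIN = (5, 35971)  # page: "An integer between 5 and 35971" (minutes)

def check_timeouts(cache_timeout_s, forwarded_timeout_min, orb_timeout_s=None):
    """Return the list of violated rules from this page (empty means consistent)."""
    problems = []
    if cache_timeout_s <= MIN_CACHE_TIMEOUT_S:
        problems.append("cache timeout must be greater than 30 seconds")
    if not FORWARDED_RANGE_MIN[0] <= forwarded_timeout_min <= FORWARDED_RANGE_MIN[1]:
        problems.append("forwarded-credential timeout must be 5..35971 minutes")
    if cache_timeout_s >= forwarded_timeout_min * 60:
        problems.append("cache timeout must be less than forwarded-credential timeout")
    if orb_timeout_s is not None and forwarded_timeout_min * 60 <= orb_timeout_s:
        problems.append("forwarded-credential timeout should exceed ORB request timeout")
    return problems

class AuthCache:
    """Entries expire after timeout_s; at most max_size entries (cf. authCacheMaxSize)."""
    def __init__(self, timeout_s, max_size):
        self.timeout_s, self.max_size = timeout_s, max_size
        self.entries = {}          # user -> expiry time on a caller-supplied clock
        self.registry_lookups = 0  # costly registry / LDAP-bind round trips

    def is_authenticated(self, user, registry, now):
        expiry = self.entries.get(user)
        if expiry is not None and expiry > now:
            return True            # cache hit: the registry is NOT consulted
        self.registry_lookups += 1
        if not registry.get(user, False):
            self.entries.pop(user, None)
            return False
        if user not in self.entries and len(self.entries) >= self.max_size:
            del self.entries[min(self.entries, key=self.entries.get)]  # evict oldest
        self.entries[user] = now + self.timeout_s
        return True

def exposure_after_revocation(cache_timeout_s, revoke_at_s=60, step_s=1):
    """Seconds for which a user revoked in the registry at revoke_at_s is still
    accepted from the cache (the risk window from the first bullet above)."""
    cache, registry = AuthCache(cache_timeout_s, max_size=100), {"alice": True}
    assert cache.is_authenticated("alice", registry, now=0)   # first login, cached
    registry["alice"] = False                                 # revoked (constructed)
    t, still_accepted = revoke_at_s, 0
    while cache.is_authenticated("alice", registry, now=t):
        still_accepted += step_s
        t += step_s
    return still_accepted
```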

Password

Enter a password that is used to encrypt and decrypt the LTPA keys in the SSO properties file. During import, this password must match the password that was used to export the keys at the other LTPA server (for example, another application server cell, a Lotus Domino server, and so on). During export, remember this password so that you can provide it during the import operation.

After the keys are generated or imported, they are used to encrypt and decrypt the LTPA token. Whenever the password is changed, a new set of LTPA keys is automatically generated when you click OK or Apply. The new set of keys is used after the configuration changes are saved.

Data type: String

Confirm password

Specifies the confirmed password that is used to encrypt and decrypt the LTPA keys.

Use this password when importing these keys into other application server administrative domain configurations and when configuring SSO for a Lotus Domino server.

Data type: String

Fully qualified key file name

Specifies the name of the file that is used when importing or exporting keys.

Enter a fully qualified key file name, and click Import Keys or Export Keys.

Data type: String

Internal server ID

Specifies the server ID that is used for interprocess communication between servers. The server ID is protected with an LTPA token when sent remotely. You can edit the internal server ID to make it identical to server IDs across multiple application server administrative domains (cells). By default this ID is the cell name.

This internal server ID should only be used in a Version 6.1 or higher environment. For mixed-version cells, you should convert to using a server user ID and server password for interoperability.

To switch back to the server user ID and password for interoperability, complete the following steps:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under User account repository, click the Available realm definitions drop-down list, select a user registry, and click Configure.

You can specify either the Automatically generated server identity option or the User identity for the z/OS started task option.

Data type: String

Import Keys

Specifies whether the server imports new LTPA keys.

To support single sign-on (SSO) in the application server product across multiple application server domains (cells), share the LTPA keys and the password among the domains. You can use the Import Keys option to import the LTPA keys from other domains. The LTPA keys are exported from one of the cells to a file. To import a new set of LTPA keys, complete the following steps:
  1. Enter the appropriate password in the Password and Confirm password fields.
  2. Click OK and click Save.
  3. Enter the directory location where the LTPA keys are located in the Fully qualified key file name field prior to clicking Import keys.
  4. Do not click OK or Apply, but save the settings.

Export Keys

Specifies whether the server exports LTPA keys.

To support single sign-on (SSO) in the WebSphere product across multiple application server domains (cells), share the LTPA keys and the password among the domains. Use the Export Keys option to export the LTPA keys to other domains.

To export the LTPA keys, make sure that the system is running with security enabled and is using LTPA. Enter the file name in the Fully qualified key file name field and click Export Keys. The encrypted keys are stored in the specified file.

Related tasks
Configuring the Lightweight Third Party Authentication mechanism
Related information
rsec_tuneproperties.dita


Last updated: Aug 31, 2013 12:02:36 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-zos&topic=usec_authmechandexpire
File name: usec_authmechandexpire.html