Configure LTPA keys

Generating keys

LTPA keys are automatically generated when a password change is detected. The first time you set the LTPA password, (as part of enabling security) the LTPA keys are automatically generated when OK or Apply is clicked in the LTPA panel. You do not have to click Generate Keys in this situation.

Perform these steps in the WebSphere administrative console:

  1. Click Security --> Authentication mechanisms --> LTPA in the navigation menu.

  2. Click Generate Keys if you want to use the existing password. This action generates a new set of keys that will be encrypted with the same password as the old set of keys.

    Note: Regardless of the password change, a new set of keys are generated when Generate Keys is clicked. Because these new set of keys are not propagated to the run time unless saved, save the files immediatley.

    To use a new password to generate keys, enter the new password and confirm it. Click OK or Apply. A new set of keys are generated. A message indicating that a new set of keys are generated shows up on the console. Do not click Generate Keys. These new keys are propagated to the run time after you save them.

  3. Click Save to save the keys.

After a new set of keys are generated and saved, the key propagation is dynamic. All the processes running at that time (cell, node agents, application servers) are updated with the new set of keys. The next topics describe the process of exporting and importing the keys.

Exporting keys

To support single sign on (SSO) in WebSphere Application Server - Express across multiple WebSphere Application Server - Express domains (cells) the LTPA keys and the password should be shared among the domains. The times on the domains should be similar to prevent the tokens from appearing as expired between the cells. The Export Keys button can be used to export the LTPA keys to other domains or cells. Complete the following steps in the administrative console to export key files for LTPA.

Perform these steps in the WebSphere administrative console:

  1. Click Security --> Authentication mechanisms --> LTPA in the navigation menu.

  2. In the Key File Name field, enter the full path of a file where the keys need to be stored. The file should have write permissions.

  3. Click Save to save the file.

  4. Click Export Keys. A file is created with the LTPA keys in it. Exporting keys fails if a new set of keys was generated or imported and not saved prior to exporting. To avoid failure, make sure you save the new set of keys (if any) before you export them.

  5. Click Save to save the configuration.

Importing keys

To support single sign on (SSO) in WebSphere Application Server - Express across multiple WebSphere Application Server - Express domains (cells) the LTPA keys and the password should be shared among the domains. The Import Keys button can be used to import the LTPA keys from other domains. The key files should have been exported from one of the cells involved into a file.

Importing keys is a dynamic operation. All the servers that are running at this time are updated with the new set of keys and any back-level tokens signed with the back-level keys fail validation and the user is prompted to login again.

Perform these steps in the WebSphere administrative console:

  1. Click Security --> Authentication mechanisms --> LTPA in the navigation menu.

  2. Change the password in the password fields to match the password in the cell from which you are importing the keys.

  3. Click Save to save the new set of keys in the repository. This is an important step to be completed before importing the keys. If the password and the keys do not match, the servers fails to start. In that case, you would have to turn off security and complete this process again.

  4. In the Key File Name field, enter the full path of a file where the keys need to be stored. The file should have read permissions.

  5. Click Import Keys. The keys are now imported into the system.

  6. Click Save to save the new set of keys in the repository. It is important to save the new set of keys to match the new password so that the servers start.