ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/sec/seccakey.htm

79 lines
5.2 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure LTPA keys</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="seccakey"></a>Configure LTPA keys</h5>
<p><strong>Generating keys</strong></p>
<p>LTPA keys are automatically generated when a password change is detected. The first time you set the LTPA password, (as part of enabling security) the LTPA keys are automatically generated when <strong>OK</strong> or <strong>Apply</strong> is clicked in the LTPA panel. You do not have to click <strong>Generate Keys</strong> in this situation.</p>
<p>Perform these steps in the WebSphere administrative console:</p>
<ol>
<li><p>Click <strong>Security --&gt; Authentication mechanisms --&gt; LTPA</strong> in the navigation menu.</p></li>
<li><p>Click <strong>Generate Keys</strong> if you want to use the existing password. This action generates a new set of keys that will be encrypted with the same password as the old set of keys.</p>
<p><strong>Note:</strong> Regardless of the password change, a new set of keys are generated when G<strong>enerate Keys</strong> is clicked. Because these new set of keys are not propagated to the run time unless saved, save the files immediatley.</p>
<p>To use a new password to generate keys, enter the new password and confirm it. Click <strong>OK</strong> or <strong>Apply</strong>. A new set of keys are generated. A message indicating that a new set of keys are generated shows up on the console. Do not click <strong>Generate Keys</strong>. These new keys are propagated to the run time after you save them.</p></li>
<li><p>Click <strong>Save</strong> to save the keys.</p></li>
</ol>
<p>After a new set of keys are generated and saved, the key propagation is dynamic. All the processes running at that time (cell, node agents, application servers) are updated with the new set of keys. The next topics describe the process of exporting and importing the keys.</p>
<p><strong>Exporting keys</strong></p>
<p>To support single sign on (SSO) in WebSphere Application Server - Express across multiple WebSphere Application Server - Express domains (cells) the LTPA keys and the password should be shared among the domains. The times on the domains should be similar to prevent the tokens from appearing as expired between the cells. The Export Keys button can be used to export the LTPA keys to other domains or cells. Complete the following steps in the administrative console to export key files for LTPA.</p>
<p>Perform these steps in the WebSphere administrative console:</p>
<ol>
<li><p>Click <strong>Security --&gt; Authentication mechanisms --&gt; LTPA</strong> in the navigation menu.</p></li>
<li><p>In the <strong>Key File Name</strong> field, enter the full path of a file where the keys need to be stored. The file should have write permissions.</p></li>
<li><p>Click <strong>Save </strong>to save the file.</p></li>
<li><p>Click <strong>Export Keys</strong>. A file is created with the LTPA keys in it. Exporting keys fails if a new set of keys was generated or imported and not saved prior to exporting. To avoid failure, make sure you save the new set of keys (if any) before you export them.</p></li>
<li><p>Click <strong>Save</strong> to save the configuration.</p></li>
</ol>
<p><strong>Importing keys</strong></p>
<p>To support single sign on (SSO) in WebSphere Application Server - Express across multiple WebSphere Application Server - Express domains (cells) the LTPA keys and the password should be shared among the domains. The <strong>Import Keys</strong> button can be used to import the LTPA keys from other domains. The key files should have been exported from one of the cells involved into a file.</p>
<p>Importing keys is a dynamic operation. All the servers that are running at this time are updated with the new set of keys and any back-level tokens signed with the back-level keys fail validation and the user is prompted to login again.</p>
<p>Perform these steps in the WebSphere administrative console:</p>
<ol>
<li><p>Click <strong>Security --&gt; Authentication mechanisms --&gt; LTPA</strong> in the navigation menu.</p></li>
<li><p>Change the password in the password fields to match the password in the cell from which you are importing the keys.</p></li>
<li><p>Click <strong>Save</strong> to save the new set of keys in the repository. This is an important step to be completed before importing the keys. If the password and the keys do not match, the servers fails to start. In that case, you would have to turn off security and complete this process again.</p></li>
<li><p>In the <strong>Key File Name</strong> field, enter the full path of a file where the keys need to be stored. The file should have read permissions.</p></li>
<li><p>Click <strong>Import Keys</strong>. The keys are now imported into the system.</p></li>
<li>Click <strong>Save</strong> to save the new set of keys in the repository. It is important to save the new set of keys to match the new password so that the servers start.</li>
</ol>
</body>
</html>