WebSphere® Application Server generates Lightweight Third Party Authentication (LTPA) keys automatically during the first server startup. You can generate additional keys as you need them in the Authentication mechanisms and expiration panel.
Before you begin
At runtime, the default key sets are CellLTPASecret and CellLTPAKeyPair. The default key group is CellLTPAKeySetGroup. After generation, keys are stored in the default key store CellLTPAKeys.
About this task
Complete the following steps to generate new LTPA keys in the administrative console.
Procedure
- Access the administrative console. In a web browser, type http://fully_qualified_host_name:port_number/ibm/console or http://server_name:port_number/ibm/console to access the administrative console.
- Verify that all the WebSphere Application Server processes are running, including the cell, nodes, and application servers.
Important: If any of the servers are down at the time of key generation and are restarted later, those servers might still contain the old keys. After you generate the new keys, copy them to those servers and then restart the servers.
- Click Security > Global security > Authentication mechanisms and expiration.
- Click LTPA.
- Click Generate keys to generate a new set of LTPA keys in the local keystore and update the runtime with the new keys. By default, LTPA keys are regenerated on a schedule every 90 days, configurable to the day of the week. Each new set of LTPA keys is stored in the keystore that is associated with the key set group. The same password that is already stored in the configuration is used when you generate new keys.
Tip: This step is not necessary when you enable security because, by default, a set of keys is created during the first server startup. However, the keystore should have at least two keys: the old keys can be used for validation while the new keys are being distributed. If any nodes are down during a key generation event, the nodes should be synchronized with the Deployment Manager before restarting the server.
- Restart the server for the changes to become active.
Results
If the Dynamically update the runtime when SSL configuration changes check box is checked in the administrative console, then new keys are loaded automatically. Reminder: Having the check box checked is the default setting.
If the Dynamically update the runtime when SSL configuration changes check box is NOT checked in the administrative console and you want changes that you make to an existing SSL configuration to take effect, then restart the WebSphere Application Server to use the generated keys. Token generation uses the keys that were last imported. To view the latest key version, see Changing the number of active LTPA keys.
What to do next
You must recycle the node agents and application servers to accept the new keys. If any of the node agents are down, run a manual file synchronization utility from the node agent machine to synchronize the security configuration from the deployment manager.
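The console procedure above and the node synchronization described under What to do next can be scripted for repeatable key rotation. The following wsadmin Jython script is an added example, not from this page or from IBM; it assumes a Network Deployment cell administered through the deployment manager, uses the default key set group name CellLTPAKeySetGroup given above, and treats every node without a DeploymentManager MBean as a managed node that should have a running node agent (unmanaged web server nodes would be reported as stopped).

```jython
# Added example (not IBM's code). Run on the deployment manager as:
#   wsadmin.sh -lang jython -f rotate_ltpa.py
# Assumption: a Network Deployment cell; every non-dmgr node is a managed node.

KEY_SET_GROUP = 'CellLTPAKeySetGroup'   # default key set group named on the page

def nodes_with_stopped_agents():
    # Mirrors the "verify all processes are running" step: a node whose node
    # agent is down keeps the old keys until it is synchronized manually.
    stopped = []
    for node in AdminConfig.list('Node').splitlines():
        name = AdminConfig.showAttribute(node, 'name')
        if AdminControl.queryNames('type=DeploymentManager,node=%s,*' % name):
            continue  # the dmgr node has no node agent of its own
        if not AdminControl.queryNames('type=NodeAgent,node=%s,*' % name):
            stopped.append(name)
    return stopped

def generate_ltpa_keys():
    # Same action as the Generate keys button: a new key for each key set in the
    # group, stored in the group's keystore with the password already in the
    # configuration. Saving the master configuration is required before sync.
    AdminTask.generateKeyForKeySetGroup('[-keySetGroupName %s]' % KEY_SET_GROUP)
    AdminConfig.save()

def sync_active_nodes():
    # Push the updated security configuration to every running node agent.
    # Nodes that are down must be synchronized with syncNode before restart.
    synced = []
    for ns in AdminControl.queryNames('type=NodeSync,*').splitlines():
        AdminControl.invoke(ns, 'sync')
        synced.append(AdminControl.getAttribute(ns, 'nodeName'))
    return synced

stopped = nodes_with_stopped_agents()
if stopped:
    print 'Node agents are down on: %s' % ', '.join(stopped)
    print 'Run syncNode on those nodes before restarting their servers.'
generate_ltpa_keys()
print 'Synchronized nodes: %s' % ', '.join(sync_active_nodes())
print 'Recycle the node agents and application servers to load the new keys.'
```

Running this when node agents are stopped still generates and saves the keys; the printed list tells you which nodes need manual synchronization before their servers are restarted, as the Important note above requires.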