Do not use the default single sign-on token in service provider code. This default token is used by the WebSphere® Application Server run-time code only.
Procedure
- Modify the single sign-on token factory configuration to use a token factory other than the default token factory.
  When the default single sign-on token is generated, the application server uses the TokenFactory class that is specified by the com.ibm.wsspi.security.token.singleSignonTokenFactory property. Use the administrative console to modify the property.
  The com.ibm.ws.security.ltpa.LTPAToken2Factory token factory is the default value of this property. It creates a single sign-on (SSO) token called LtpaToken2, which WebSphere Application Server uses for propagation, and it uses the AES/CBC/PKCS5Padding cipher.
  - Open the administrative console.
  - Click Security > Global security.
  - Under Authentication, click Custom properties.
- Perform your own signing and encryption of the default single sign-on token.
  If you need to perform your own signing and encryption of the default single sign-on token, you must implement the following classes:
  - com.ibm.wsspi.security.ltpa.Token
  - com.ibm.wsspi.security.ltpa.TokenFactory
  Your token factory implementation instantiates (createToken) and validates (validateTokenBytes) your token implementation. You can use the Lightweight Third-Party Authentication (LTPA) keys that are passed into the initialize method of the token factory, or you can use your own keys. If you use your own keys, the same keys must be present on every server that validates the tokens generated with them. See the API reference information for more information on implementing your own custom token factory.
- Associate your own token factory with the default single sign-on token.
  - Open the administrative console.
  - Click Security > Global security.
  - Under Authentication, click Custom properties.
  - Locate the com.ibm.wsspi.security.token.singleSignonTokenFactory property and verify that its value matches your custom TokenFactory implementation.
- Verify that your implementation classes are placed in the app_server_root/classes directory so that the WebSphere Application Server class loader can load them.
- On IBM i, verify that your implementation classes are located in the ${USER_INSTALL_ROOT}/classes directory so that the WebSphere Application Server class loader can load them.
- On IBM i, verify that the QEJBSVR user profile has read, write, and execute (*RWX) authority to the classes directory. You can use the Work with Authority (WRKAUT) command to view the authority permissions for the directory.
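As an added illustration of the contract described in the signing-and-encryption step above (not IBM's code, and not an implementation of the real com.ibm.wsspi.security.ltpa interfaces), the following hypothetical Java class mirrors the initialize, createToken and validateTokenBytes roles: it encrypts the token with the AES/CBC/PKCS5Padding cipher named on this page and signs it with HMAC-SHA256, a signing algorithm assumed here because the page names none. The class name, method signatures and token layout are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical stand-in mirroring the initialize/createToken/validateTokenBytes contract; it does NOT implement the real com.ibm.wsspi.security.ltpa.TokenFactory interface.
public final class CustomSsoTokenFactory {
    private static final int IV_LEN = 16, MAC_LEN = 32;
    private SecretKeySpec encKey, macKey;
    // Keys must be identical on every server that creates or validates these tokens.
    public void initialize(byte[] aesKey, byte[] hmacKey) {
        encKey = new SecretKeySpec(aesKey, "AES");
        macKey = new SecretKeySpec(hmacKey, "HmacSHA256");
    }
    // Token layout (assumed): IV || AES/CBC/PKCS5Padding(expiry || principal) || HMAC-SHA256(IV || ciphertext)
    public byte[] createToken(String principal, long ttlMillis) throws GeneralSecurityException {
        byte[] name = principal.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + name.length)
                .putLong(System.currentTimeMillis() + ttlMillis).put(name).array();
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        return ByteBuffer.allocate(IV_LEN + ct.length + MAC_LEN).put(iv).put(ct).put(mac.doFinal(ct)).array();
    }
    // Verify the MAC in constant time before touching the ciphertext, then decrypt and check expiry.
    public String validateTokenBytes(byte[] token) throws GeneralSecurityException {
        if (token.length < IV_LEN + 16 + MAC_LEN) throw new GeneralSecurityException("token too short");
        byte[] body = Arrays.copyOfRange(token, 0, token.length - MAC_LEN);
        byte[] tag = Arrays.copyOfRange(token, token.length - MAC_LEN, token.length);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        if (!MessageDigest.isEqual(mac.doFinal(body), tag)) throw new GeneralSecurityException("bad signature: wrong key or tampered token");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(Arrays.copyOf(body, IV_LEN)));
        ByteBuffer plain = ByteBuffer.wrap(c.doFinal(Arrays.copyOfRange(body, IV_LEN, body.length)));
        if (plain.getLong() < System.currentTimeMillis()) throw new GeneralSecurityException("token expired");
        return StandardCharsets.UTF_8.decode(plain).toString();
    }
}
```

A token created on one server validates on another only if both were initialized with the same AES and HMAC keys; a mismatch surfaces as the signature failure above rather than as garbage plaintext.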