Using the default single sign-on token with default or custom token factory to propagate security attributes

Do not use the default single sign-on token in service provider code. This default token is used by the WebSphere® Application Server run-time code only.

Before you begin

Size limitations exist for this token when it is added as an HTTP cookie. If you need to create an HTTP cookie using this token framework, implement a custom single sign-on token instead; see Implementing a custom single sign-on token for security attribute propagation for details.

Procedure

  • Modify the single sign-on token factory configuration to use a token factory other than the default token factory.

    When the default single sign-on token is generated, the application server utilizes the TokenFactory class that is specified using the com.ibm.wsspi.security.token.singleSignonTokenFactory property. Use the administrative console to modify the property.

    The com.ibm.ws.security.ltpa.LTPAToken2Factory token factory is the default that is specified for this property. This token factory creates a single sign-on (SSO) token called LtpaToken2, which WebSphere Application Server uses for propagation. This token factory uses the AES/CBC/PKCS5Padding cipher.

    1. Open the administrative console.
    2. Click Security > Global security.
    3. Under Authentication, click Custom properties.
  • Perform your own signing and encryption of the default single sign-on token.
    If you need to perform your own signing and encryption of the default single sign-on token, you must implement the following classes:
    • com.ibm.wsspi.security.ltpa.Token
    • com.ibm.wsspi.security.ltpa.TokenFactory

    Your token factory implementation instantiates (createToken) and validates (validateTokenBytes) your token implementation. You can use the Lightweight Third-Party Authentication (LTPA) keys passed into the initialize method of the token factory, or you can use your own keys. If you use your own keys, they must be identical on every server that validates tokens generated with those keys. See the API reference information for more information on implementing your own custom token factory.

  • Associate your own token factory with the default single sign-on token.
    1. Open the administrative console.
    2. Click Security > Global security.
    3. Under Authentication, click Custom properties.
    4. Locate the com.ibm.wsspi.security.token.singleSignonTokenFactory property and verify that the value of this property matches your custom TokenFactory implementation.
    5. Verify that your implementation classes are put into the app_server_root/classes directory so that the WebSphere Application Server class loader can load the classes.
    6. [AIX Solaris HP-UX Linux Windows] [z/OS] Verify that your implementation classes are located in the ${USER_INSTALL_ROOT}/classes directory so that the WebSphere Application Server class loader can load the classes.
    7. [IBM i] Verify that the QEJBSVR user profile has read, write, and execute (*RWX) authority to the classes directory. You can use the Work with Authority (WRKAUT) command to view the authority permissions for the directory.
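The following is an added example, not IBM code, sketching the initialize / createToken / validateTokenBytes lifecycle described in the "Perform your own signing and encryption" step above. It is a stand-alone class with assumed method signatures (the real com.ibm.wsspi.security.ltpa.TokenFactory and Token interfaces are defined in the API reference); it assumes two independent keys are supplied to initialize, encrypts with the same AES/CBC/PKCS5Padding cipher the default factory uses, and signs the result with HMAC-SHA256 (encrypt-then-MAC) so that a tampered or foreign-key token is rejected before it is ever decrypted.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Hypothetical stand-alone sketch; signatures are assumptions, not the WebSphere SPI. */
public class SsoTokenCrypto {
    private static final String CIPHER = "AES/CBC/PKCS5Padding"; // same cipher as LTPAToken2Factory
    private SecretKeySpec encKey;   // AES key (16, 24 or 32 bytes)
    private SecretKeySpec macKey;   // separate HMAC key; never reuse the AES key for signing
    private final SecureRandom rng = new SecureRandom();

    /** Mirrors initialize(): the same two keys must be loaded on every server that validates tokens. */
    public void initialize(byte[] aesKey, byte[] hmacKey) {
        encKey = new SecretKeySpec(aesKey, "AES");
        macKey = new SecretKeySpec(hmacKey, "HmacSHA256");
    }

    /** HMAC over IV || ciphertext, so the IV cannot be altered either. */
    private byte[] sign(byte[] iv, byte[] ct) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256"); mac.init(macKey);
        mac.update(iv); return mac.doFinal(ct);
    }

    /** Mirrors createToken(): encrypt "expiry|attributes", then sign. Output: IV || ciphertext || tag. */
    public byte[] createToken(String attributes, long expiresAtMillis) throws Exception {
        byte[] plain = (expiresAtMillis + "|" + attributes).getBytes(StandardCharsets.UTF_8);
        byte[] iv = new byte[16];
        rng.nextBytes(iv);                                   // fresh random IV per token (CBC requirement)
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] tag = sign(iv, ct);
        return ByteBuffer.allocate(16 + ct.length + 32).put(iv).put(ct).put(tag).array();
    }

    /** Mirrors validateTokenBytes(): constant-time MAC check first, decrypt second, expiry last. */
    public String validateTokenBytes(byte[] token, long nowMillis) throws Exception {
        if (token.length < 16 + 16 + 32) throw new SecurityException("token too short");
        byte[] iv = Arrays.copyOfRange(token, 0, 16);
        byte[] ct = Arrays.copyOfRange(token, 16, token.length - 32);
        byte[] tag = Arrays.copyOfRange(token, token.length - 32, token.length);
        if (!MessageDigest.isEqual(sign(iv, ct), tag)) throw new SecurityException("bad signature");
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        String[] parts = new String(c.doFinal(ct), StandardCharsets.UTF_8).split("\\|", 2);
        if (Long.parseLong(parts[0]) < nowMillis) throw new SecurityException("token expired");
        return parts[1];                                     // the propagated security attributes
    }
}
```

Call initialize with the same two keys on every server, createToken when the token is issued and validateTokenBytes on each request; flipping any byte of the returned token, or validating it on a server initialized with different keys, throws from the signature check before decryption is attempted.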