Sunday, March 15, 2009

Export / Import LTPA-Keys for Single Sign On (SSO)

Sometimes its necessary to implement an SSO-Enviroment over different WebSphere-Cells (e.g. Production-Cell and Acceptance-Cell). To do this both cells need the same LTPA-Keys.
The synchronization of LTPA-Keys can be done over Admin-Console.

1. To Export LTPA-Keys from a Cell navigate to
Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration.

2. Fill out the import/export-Form at the bottom of the pageand click "Export keys". The LTPA-Keys will be exported to the specified directory. (The Keys will be password protected.)

3. Copy the exported ltpa.jceks-File to other the Cell (do not override ltpa.jceks of this cell).

4. Take a look at ltpa.jceks-File of this cell and note the file-size.
File is located in /"websphere"/"dmgr"/config/cells/"cellname"/ltpa.jceks

5. To import the LTPA-Keys to other Cell navigate to
Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration.

6. Fill out "Cross-cell Single sign on"-From and click "Import keys"

7. File size of ltpa.jceks-File of this Cell should now be increased.
Sometimes nothing happens to file size of ltpa.jceks-File and Cross-cell SSO will not work (WAS-Bug).
In this case just repeat the import.

8. Restart servers/node