
How to setup LTPA SSO with Liberty Profile for CLM


Chao Wang (2156) | asked Jul 11 '16, 5:30 p.m.
How to set up LTPA SSO with Liberty Profile for CLM

One answer



Chao Wang (2156) | answered Jul 11 '16, 5:30 p.m.
To set up SSO for CLM using LTPA with the Liberty profile, the following conditions need to be satisfied:
1) All servers need to share the same user directory.
If you are using the Liberty basic user registry, the users should be propagated to each of the servers once you register them with JTS and finish the setup. If the users are not propagated, you can copy basicUserRegistry.xml (<install directory>\server\liberty\servers\clm\conf) to the target server.
If you are using LDAP, then you need to make sure all servers have the same LDAP configuration (<install directory>\server\liberty\servers\clm\conf\ldapUserRegistry.xml and <install directory>\server\liberty\servers\clm\conf\application.xml).

2) All servers need to share the same ltpa.keys file.
By default there is an ltpa.keys file generated in each of the servers. You can take the JTS server's ltpa.keys to replace the keys on the other servers. The key is located in the following folder:
<install directory>\server\liberty\servers\clm\resources\security\ltpa.keys
If not specified in the Liberty server.xml, Liberty will look for the default file path and name (the path and name above) and use the default password. If you have generated your own LTPA key and password, you can follow the instructions below to specify it in the server.xml (this needs to be applied on all Liberty servers that you want to set up SSO for):
https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_ltpa.html

Here is some additional information regarding generating new LTPA keys in WAS liberty:
https://developer.ibm.com/answers/questions/268021/how-to-generate-new-ltpa-keys-in-was-liberty.html

3) All servers need to share the same domain and cookie name.
In <install directory>\server\liberty\servers\clm\server.xml, the ssoDomainNames and ssoCookieName need to be consistent across all of the Liberty servers. While the ssoCookieName is not required (the default value is ltpaToken2), if you run into any issues it may help to specify the cookie name to ensure they are all the same.
Example: <webAppSecurity logoutOnHttpSessionExpire="true" ssoCookieName="myCookieName" ssoDomainNames="domain.com"/>
For more information see the following documentation.
https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_sso.html

NOTE: For applications such as RS and DCC that delegate authentication to the JTS server, the above still needs to be configured. Otherwise SSO will not work properly for those applications if they are on different servers.
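As an added example (not part of the answer above or of CLM itself), the following POSIX shell script checks the three conditions listed in the answer across a set of Liberty server directories: it fingerprints ltpa.keys and the basic user registry rather than printing them, and compares ssoDomainNames and ssoCookieName in each server.xml against the JTS server. The server directory layout and the sample servers built under mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original answer: verify that every Liberty
# server directory given matches the JTS one on LTPA keys, user registry,
# ssoDomainNames and ssoCookieName. Each argument is assumed to be that
# server's <install directory>/server/liberty/servers/clm directory.

# Extract one attribute value from the <webAppSecurity .../> element.
sso_attr() {   # $1 = server.xml path, $2 = attribute name
  sed -n "s/.*<webAppSecurity[^>]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}
# Fingerprint a file so keys and registries are compared without printing them.
fingerprint() { cksum "$1" 2>/dev/null | cut -d' ' -f1-2; }

# Compare each server against the first (the JTS server the keys come from).
# Returns 0 if all four settings match, 1 otherwise, naming each mismatch on
# stderr. (For an LDAP setup, compare ldapUserRegistry.xml the same way.)
check_sso_consistency() {
  ref=$1; shift; rc=0
  ref_keys=$(fingerprint "$ref/resources/security/ltpa.keys")
  ref_reg=$(fingerprint "$ref/conf/basicUserRegistry.xml")
  ref_dom=$(sso_attr "$ref/server.xml" ssoDomainNames)
  ref_cookie=$(sso_attr "$ref/server.xml" ssoCookieName)
  for srv in "$@"; do
    [ "$(fingerprint "$srv/resources/security/ltpa.keys")" = "$ref_keys" ] \
      || { echo "$srv: ltpa.keys differs from JTS" >&2; rc=1; }
    [ "$(fingerprint "$srv/conf/basicUserRegistry.xml")" = "$ref_reg" ] \
      || { echo "$srv: basicUserRegistry.xml differs from JTS" >&2; rc=1; }
    [ "$(sso_attr "$srv/server.xml" ssoDomainNames)" = "$ref_dom" ] \
      || { echo "$srv: ssoDomainNames differs from JTS" >&2; rc=1; }
    cookie=$(sso_attr "$srv/server.xml" ssoCookieName)
    # An unset cookie name means the Liberty default, ltpaToken2.
    [ "${cookie:-ltpaToken2}" = "${ref_cookie:-ltpaToken2}" ] \
      || { echo "$srv: ssoCookieName differs from JTS" >&2; rc=1; }
  done
  return $rc
}

# Constructed sample servers (placeholder key material, not real LTPA keys).
make_server() {   # $1 dir, $2 key material, $3 ssoDomainNames, $4 ssoCookieName
  mkdir -p "$1/resources/security" "$1/conf"
  printf 'constructed-key-material=%s\n' "$2" > "$1/resources/security/ltpa.keys"
  printf '<basicRegistry><user name="jtsadmin"/></basicRegistry>\n' > "$1/conf/basicUserRegistry.xml"
  printf '<server>\n  <webAppSecurity ssoDomainNames="%s" ssoCookieName="%s"/>\n</server>\n' \
    "$3" "$4" > "$1/server.xml"
}
work=$(mktemp -d)
make_server "$work/jts" KEY-A domain.com myCookieName
make_server "$work/ccm" KEY-A domain.com myCookieName
make_server "$work/rm"  KEY-B domain.com ""   # own keys, default cookie name
if check_sso_consistency "$work/jts" "$work/ccm"; then echo "jts/ccm: consistent"; fi
check_sso_consistency "$work/jts" "$work/rm" || echo "jts/rm: SSO will not work until fixed"
```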
