Can I export an LTPA key file from WebSphere Application Server 8.0.x, then import the file into a Liberty Profile Server and use the SSO functionality? (16.0.0.3)

I tried it out and it seems not to work. I get a login screen instead of being automatically logged in.

The following configuration is done in server.xml:

...
<ltpa keysFileName="${server.output.dir}/ltpakeyexport.keys" keysPassword="ltpatest" expiration="400" />
<webAppSecurity ssoCookieName="ltpav2" ssoDomainNames="myintranet.net"/>

<basicRegistry id="basic" ignoreCaseForAuthentication="true" realm="realmNameFromWAS">
...
Karsten

2 Answers


LTPA keys can be exported from the WebSphere Application Server console: Global security > LTPA > Cross-cell single sign-on

Provide the password and the file name to export LTPA keys.

These LTPA keys can be used on the Liberty Profile Server using the same password as specified above while exporting.

If you are trying to use Single Sign On (SSO) between WebSphere Application Server and Liberty profile, you will also need to make sure that the "realm name" is the same for the user registry (LDAP) on both. The realm name can be specified on Liberty profile by specifying realm="MyRealm" in the ldapRegistry definition.

M. Tamboli
  • Yes, I try to set up SSO between WAS and Liberty profile. Currently, I configured a ' ' and ' '. But for some reason it does not work. I used the same key file for SSO on a second WAS server, which works perfectly. – Karsten Oct 05 '16 at 06:09
  • I also want to say that after logging into the Liberty webapp by entering credentials (which I want to avoid) I have 2 cookies called "ltpav2" in the following browser requests: one from WAS and one created by Liberty. – Karsten Oct 05 '16 at 06:25

Hmm, I was able to track down the problem by enabling tracing:

<logging traceSpecification="com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all"/>

I found the following exception:

com.ibm.ws.security.registry.EntryNotFoundException: uid=KARSTEN,type=Person,scope=LTPA does not exist
at com.ibm.ws.security.registry.basic.internal.BasicRegistry.getUserSecurityName(BasicRegistry.java:506)

So, the user cannot be automatically authenticated because the user id "uid=KARSTEN,type=Person,scope=LTPA" does not exist. That's true; only the user "KARSTEN" exists. There seems to be a regex matching problem, because the pattern used

java.util.regex.Matcher[pattern=([^:]+):(\QMyRealm\E)/(.*) region=0,49 lastmatch=user:MyRealm/uid=KARSTEN,type=Person,scope=LTPA]

does not only match the user id but the whole string including "type=Person" etc.

When I create this user in the basic registry:

<basicRegistry id="basic" ... >
...
<user name="uid=KARSTEN,type=Person,scope=LTPA" password="test" />
...
</basicRegistry>

everything works as expected!

Seems to be a bug in WLP (or our WebSphere 8.0.x SSO infrastructure provides a non-standard identifier for users).

(Pattern specified in com.ibm.ws.security.AccessIdUtil.setSecurityService():38 ~)

Karsten
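To make the mismatch from the trace concrete, here is a small added Java example (not code from the question, the answers or IBM's Liberty code base) that splits a WAS-style access ID with the same pattern shape the trace shows and then checks the resulting security name against a constructed stand-in for the two basicRegistry configurations above; the realm names and registry contents are constructed.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: reproduces the access-ID split seen in the trace and the
 *  registry lookup that follows it. Not Liberty's own implementation. */
public class AccessIdSplitDemo {

    // Same shape as the traced pattern: ([^:]+):(\QMyRealm\E)/(.*)
    // Pattern.quote(realm) is what produces the \Q...\E quoting in the trace.
    static Pattern accessIdPattern(String realm) {
        return Pattern.compile("([^:]+):(" + Pattern.quote(realm) + ")/(.*)");
    }

    /** Returns the security name that would be looked up in the registry,
     *  or null when the access ID does not carry the expected realm at all. */
    static String securityNameFromAccessId(String accessId, String realm) {
        Matcher m = accessIdPattern(realm).matcher(accessId);
        if (!m.matches()) {
            return null;
        }
        // Group 3 is greedy: everything after "realm/" lands here, commas included,
        // so a DN-like identifier is handed to the registry unchanged.
        return m.group(3);
    }

    public static void main(String[] args) {
        String realm = "MyRealm";                                               // constructed
        String accessId = "user:MyRealm/uid=KARSTEN,type=Person,scope=LTPA";   // value from the trace

        String name = securityNameFromAccessId(accessId, realm);
        System.out.println("security name handed to registry: " + name);

        // Constructed stand-ins for the original and the worked-around <basicRegistry>.
        Set<String> originalRegistry = Set.of("KARSTEN");
        Set<String> workaroundRegistry = Set.of("KARSTEN", "uid=KARSTEN,type=Person,scope=LTPA");

        System.out.println("found in original registry:   " + originalRegistry.contains(name));
        System.out.println("found in workaround registry: " + workaroundRegistry.contains(name));

        // The realm check from the first answer: a different realm name on the
        // Liberty side means the pattern does not match at all (constructed realm).
        String otherRealmName = securityNameFromAccessId(accessId, "realmNameFromWAS");
        System.out.println("with mismatched realm: " + otherRealmName);
    }
}
```

Running it shows the two failure modes side by side: a realm mismatch yields no match at all, while a matching realm hands the full DN-like string to the registry, which only succeeds once a user with exactly that name exists.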