
We are implementing SSO between WebSphere Application Server and Tomcat using an LTPA2 token. Our client will be sending us the LTPA2 token once the user is authenticated. On our side we need to take the LTPA2 token sent from our client, "decrypt" it, and use it to authenticate on our end.

To decrypt the LTPA token I have found this link.

My approach is to extract the user name and other required information from the token and authenticate against our own LDAP (which will be the same as the client's LDAP). But the project mentioned in the above link is still in beta. Is there any other way to decrypt the token (maybe a standard library for decrypting LTPA2 tokens), or any alternative approach?

We do not have any other option, as the LTPA2 token is the client's requirement.

2 Answers


Use Open Liberty instead of Tomcat, and the LTPA token will work just via configuration, as it is all WebSphere and as lightweight as Tomcat.

Gas
  • Thanks for the suggestion. I am not allowed to deploy the apps on anything other than the Tomcat server, so I have no other choice left. How do I achieve SSO among apps deployed in Tomcat after I decrypt the LTPA token? (I can ask my client to send the encrypted password along with the LTPA token via a REST call, since the LTPA token does not contain the password.) – Noob of All Arts Nov 13 '20 at 18:09
  • @NoobofAllArts You really need to discuss that with your tech lead and customer, as what you are trying to do is just insecure and has neither logical nor technical reasons. – Gas Nov 16 '20 at 09:18
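As an added illustration of the "just via configuration" route in the answer above (this is not code from Gas's answer or from the Open Liberty project), the following server.xml fragment shows how an Open Liberty server is pointed at the same LTPA keys the WebSphere cell uses, so that an incoming LtpaToken2 cookie is validated by the server itself rather than by hand-written decryption code. The keys file path, the encoded password, the domain name, the realm name and the LDAP host are all placeholder assumptions; the ltpa.keys file is assumed to have been exported from the WebSphere cell and copied to the Liberty server.

```xml
<server description="Open Liberty accepting WebSphere-issued LTPA2 tokens (added example)">
    <featureManager>
        <feature>appSecurity-3.0</feature>
        <feature>servlet-4.0</feature>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>

    <!-- Same keys as the WebSphere cell. Path is an assumption; the password is the
         one used when the keys were exported, encoded with securityUtility encode. -->
    <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
          keysPassword="{xor}REPLACE_WITH_ENCODED_PASSWORD"
          expiration="120" />

    <!-- Cookie name must match what WebSphere sends. Limiting the SSO domain and
         requiring TLS keeps the token off non-TLS and unrelated hosts. -->
    <webAppSecurity ssoCookieName="LtpaToken2"
                    ssoDomainNames="example.com"
                    ssoRequiresSSL="true"
                    httpOnlyCookies="true" />

    <!-- The registry must resolve the same principals as the client's cell, and the
         realm should match the cell's realm name. Host, port and baseDN are placeholders. -->
    <ldapRegistry id="sharedLdap" realm="SharedRealm"
                  host="ldap.example.com" port="636" sslEnabled="true"
                  baseDN="dc=example,dc=com"
                  ldapType="IBM Tivoli Directory Server" />
</server>
```

With this in place the token never needs to be decrypted or stored by application code: the server checks the token's signature and expiry against the shared keys, and the only secret that has to be protected on the receiving side is the keys file and its password.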

Decrypting the LTPA token implies many security issues normally not approved by the security department, because you need to store the security token in the local file system or in some other place. You should consider, as suggested, moving your code to Open Liberty.

Take a look at this project to do that:

https://www.ibm.com/garage/method/practices/learn/ibm-transformation-advisor