Ceptor supports authenticating users using LTPA Tokens, and can also issue new LTPA Tokens to use as cookies to backend servers, thus enabling easy SSO with IBM products.

...

Name / Value / Description

Name: ltpa.tokens
Value: List of token names, separated by comma or semicolon
Description: List of token names to load - allows you to specify multiple different tokens which each use their own set of keys.

Name: ltpa.token.default.name
Value: String
Description: Name of the token that will be used as default, if nothing else is indicated in the call.
  Note that if only one token is configured, that token name will be used as default, so in that case this does not need to be specified.

For the following, <tokenname> is replaced with the name of the token.

Name: ltpa.token.<tokenname>.authenticate
Value: true/false. Default: false
Description: Set to true if authentication is allowed with this token - if false, LTPA tokens can be created for this token, but authentication using such a token is not allowed.

Name: ltpa.token.<tokenname>.filename
Value: String containing a filename; macros are allowed.
Description: Specify a filename to load properties from - if not specified, ltpa.token.<tokenname>.properties must be specified.
  If properties are not specified and the file this points to does not exist, a new one will be generated with new keys. Note that this file must be kept the same across all clusters and kept in sync with all servers consuming the LTPA keys.

Name: ltpa.token.<tokenname>.properties
Value: Contents of LTPA key file
Description: If specified, contains the contents of the key file - this key is in the format generated by the various IBM products.
  Example:

    #Mon May 21 10:27:07 CEST 2018
    com.ibm.websphere.CreationDate=Mon May 21 10\:27\:07 CEST 2018
    com.ibm.websphere.ltpa.version=1.0
    com.ibm.websphere.ltpa.3DESKey=p7JQDC5aq5UIlfv5xtYsprRf8d8qItDvqthGSgXWQ14\=
    com.ibm.websphere.CreationHost=localhost
    com.ibm.websphere.ltpa.PrivateKey=hN2G2F59pWtFOVjUY...snipped...e81OlsaVp8\=
    com.ibm.websphere.ltpa.Realm=defaultRealm
    com.ibm.websphere.ltpa.PublicKey=AMKrclsDHhK...snipped...9vAQAB

  You can use this property to keep the keys in Ceptor's configuration instead of having them on disk on all servers within a cluster. If this property is specified, the ltpa.token.<tokenname>.filename property is ignored.
  Note that the keys are encrypted with the password.

Name: ltpa.token.<tokenname>.password
Value: Password - may be encrypted.
Description: Specify the password that the keys are encrypted with - see Encrypting or Obfuscating Passwords for details on keeping the password safe.

Name: ltpa.token.<tokenname>.create.userid
Value: Mapper - used to specify the userid in created tokens. Default: user:BasicRegistry/%{userid}
Description: This mapper is used to specify the userid in a created token. The macro %{userid} will be replaced with the authenticated user's userid, and %{xxxxx} will be replaced by any other input specified when calling the newToken() method on the authentication plugin.
  This can also be a script (javascript / groovy / python) which generates and returns the value to use.

Name: ltpa.token.<tokenname>.expiration.minutes
Value: Long
Description: Token expiration time in minutes - newly created tokens will expire after the configured number of minutes.
  Tokens created by the TAuthenticatorLTPAToken plugin in the Ceptor Gateway are cached and reused up to one minute before the expiration time.

Name: ltpa.token.<tokenname>.create.script
Value: Script
Description: This script is called when creating new tokens - it allows adding additional attributes to the token, such as the user's groups, name or anything else you want to add to the token itself.

Name: ltpa.token.<tokenname>.parse.script
Value: Script
Description: Called when parsing the token - it allows you to specify which attributes are mapped to what within the session.
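The filename and properties settings above both point at a key file in the Java properties format shown in the example, and the filename description stresses that the same file must be kept in sync on every server consuming the keys. The following is an added example, not Ceptor's own loader: a minimal reader for that file format (handling the \: and \= escapes), a fail-closed check that the required IBM properties are present and base64-decodable, and a fingerprint over the still-encrypted key material so that operators can compare copies across a cluster without ever decrypting the keys. The sample file is constructed: its 3DESKey value is the encrypted one from the documentation example, while PrivateKey and PublicKey are placeholder base64 strings rather than real keys; line continuations and \uXXXX escapes of the properties format are deliberately not handled.

```python
import base64
import hashlib

# Constructed sample LTPA key file in the Java properties format shown above.
# The 3DESKey value is the (password-encrypted) one from the documentation;
# PrivateKey and PublicKey are placeholder base64 strings, not real keys.
SAMPLE_KEY_FILE = r"""
#Mon May 21 10:27:07 CEST 2018
com.ibm.websphere.CreationDate=Mon May 21 10\:27\:07 CEST 2018
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=p7JQDC5aq5UIlfv5xtYsprRf8d8qItDvqthGSgXWQ14\=
com.ibm.websphere.CreationHost=localhost
com.ibm.websphere.ltpa.PrivateKey=QUFBQQ\=\=
com.ibm.websphere.ltpa.Realm=defaultRealm
com.ibm.websphere.ltpa.PublicKey=QkJCQg\=\=
"""

# A second constructed file whose 3DES key differs, as a server that missed a
# key rotation would have.
ROTATED_KEY_FILE = SAMPLE_KEY_FILE.replace(
    r"3DESKey=p7JQDC5aq5UIlfv5xtYsprRf8d8qItDvqthGSgXWQ14\=",
    r"3DESKey=QUFBQQ\=\=",
)

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s: str) -> str:
    """Resolve Java properties backslash escapes such as \\: and \\=."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: comment lines, key=value or key:value
    lines, backslash escapes. Continuation lines and \\uXXXX are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line):  # find the first unescaped separator
            if line[i] == "\\":
                i += 2
                continue
            if line[i] in "=: \t":
                break
            i += 1
        key = _unescape(line[:i])
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[key] = _unescape(rest)
    return props


REQUIRED = (
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
    "com.ibm.websphere.ltpa.Realm",
)


def load_ltpa_keys(text: str) -> dict:
    """Return the still-encrypted key material (bytes) plus the realm, failing
    closed if a required property is missing or is not valid base64."""
    props = parse_properties(text)
    missing = [k for k in REQUIRED if k not in props]
    if missing:
        raise ValueError("LTPA key file is missing: " + ", ".join(missing))
    keys = {
        name.rsplit(".", 1)[1]: base64.b64decode(props[name], validate=True)
        for name in REQUIRED[:3]
    }
    keys["Realm"] = props["com.ibm.websphere.ltpa.Realm"]
    return keys


def key_fingerprint(text: str) -> str:
    """SHA-256 over the realm and the encrypted key blobs (length-prefixed), so
    copies can be compared across servers without decrypting anything."""
    keys = load_ltpa_keys(text)
    h = hashlib.sha256()
    for name in ("3DESKey", "PrivateKey", "PublicKey"):
        h.update(name.encode())
        h.update(len(keys[name]).to_bytes(4, "big"))
        h.update(keys[name])
    h.update(keys["Realm"].encode())
    return h.hexdigest()


def files_in_sync(*texts: str) -> bool:
    """True when every supplied key file carries identical key material."""
    return len({key_fingerprint(t) for t in texts}) == 1
```

Run key_fingerprint() on the file from each server (or on the value of the properties setting in Ceptor's configuration) and compare the digests; a mismatch means one node will mint or accept tokens the others cannot verify. Only the encrypted blobs are hashed, so the password from ltpa.token.<tokenname>.password is never needed for this check.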
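The create.userid mapper above substitutes %{userid} with the authenticated user's id and %{xxxxx} with the other inputs passed to newToken(). As an added illustration of that substitution, and not Ceptor's own implementation, the function below expands such a mapper and refuses to emit a value when a macro has no matching input, so a mistyped mapper cannot quietly mint a token whose identity contains a literal "%{...}". The macro name syntax (letters, digits, dot, underscore, hyphen) is an assumption of this example.

```python
import re
from typing import Optional

# Default mapper from the documentation; %{userid} is the authenticated user.
DEFAULT_USERID_MAPPER = "user:BasicRegistry/%{userid}"

# Assumed macro syntax: %{name} where name is letters, digits, '.', '_' or '-'.
_MACRO = re.compile(r"%\{([A-Za-z0-9_.-]+)\}")


def expand_userid_mapper(template: str, userid: str,
                         extra: Optional[dict] = None) -> str:
    """Expand the %{...} macros of a create.userid mapper.

    %{userid} is always the authenticated user's id; every other macro must be
    supplied by the caller (the inputs given to newToken()). An unknown macro
    raises instead of being passed through unexpanded.
    """
    inputs = dict(extra or {})
    inputs["userid"] = userid  # the authenticated user always wins

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in inputs:
            raise KeyError(f"mapper {template!r} references unknown input {name!r}")
        return str(inputs[name])

    return _MACRO.sub(substitute, template)
```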

...