WebSEAL LTPA Expiry Issue

One of the components of Tivoli Access Manager is its reverse proxy security server, called WebSEAL. WebSEAL can front-end any Web application server or Web server in an enterprise e-business infrastructure. When WebSphere Application Server and WebSphere Portal are implemented with WebSEAL, it is usually necessary to provide an SSO experience for the end user. To achieve SSO, WebSphere Application Server needs to be configured to "trust" the WebSEAL server, so that if WebSEAL has already authenticated a user, Application Server will not challenge the user again.




Request flow:
1. User requests a resource protected by WebSEAL. User is challenged by WebSEAL for credentials, and the user supplies them.
2. WebSEAL authenticates the user by communicating with its user registry. It also determines whether the user is authorized to open the requested URL. Upon successful authentication of the end user, WebSEAL creates the LTPA token cookie.
3. The request is passed to the IBM HTTP Server using the junction that is configured for it. The junction from WebSEAL to IBM HTTP Server is configured to pass the iv-user, iv-groups information, and the LTPA Token that was created in Step 2, in the HTTP header.
4. The request is forwarded to the appropriate WebSphere Application Server or clone, as determined by the Application Server plug-in.
5. In WebSphere Application Server, the TAI is not enabled and Application Server gets the LTPA token in the header. Application Server only creates the session cookie for this user and assumes that this user has been authenticated. WebSphere Portal searches LDAP for the group information, gets the resource mapping from the database, and then displays the portal page.

Logging in to the portal through WebSEAL sometimes gives the error below even after providing the correct user ID and password.
This means the LTPA token for WebSphere Portal on WebSEAL has expired.

Let's see how to export the keys from the portal and import them into WebSEAL.

Step 1: Log in to the portal console as wpadmin.

Click Security > Secure administration, applications and infrastructure, and then click Authentication Mechanism and Expiration.

  1. In the Cross-cell single sign-on section, type a password and an absolute path for a key file.
  2. Click Export keys. The key file is generated.


Once the keys are generated, we need to update them in WebSEAL.

Copy the key file to your local machine; it will be imported to the WebSEAL servers later.


Log in to TAM.
Go to Junctions and open /wps61dev (the junction that has the problem; in this case it is the dev portal).
Update the following:
1. Update the key file with the new file we exported.
     Copy the key file to the path /opt/pdweb/jct_keys
2. Update the password. Repeat these steps on the other WebSEAL server as well.
Click Apply on the junction and then try to log in to the portal again; it should now be successful.
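
A check that could follow the copy step, as an added example rather than part of the original post: it confirms that the key file placed on each WebSEAL server is byte-identical to the one exported from the portal, that the export contains the LTPA properties WebSphere writes into a key file, and that no copy is readable by group or others. The file names and sample contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

# Property names WebSphere writes into an exported LTPA key file.
REQUIRED = tuple("com.ibm.websphere.ltpa." + n for n in ("3DESKey", "PrivateKey", "PublicKey", "Realm"))

def parse_key_file(path):
    """Parse the Java-properties style key file into a dict."""
    props = {}
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            name, sep, value = line.strip().partition("=")
            if sep and not name.startswith(("#", "!")):
                # '=' and ':' inside values are escaped as '\=' and '\:'.
                props[name.strip()] = value.replace("\\=", "=").replace("\\:", ":")
    return props

def digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def check_key_copies(exported, copies):
    """Return a list of problems; empty means every copy matches the export."""
    props = parse_key_file(exported)
    problems = [f"{exported}: missing {k}" for k in REQUIRED if not props.get(k)]
    want = digest(exported)
    for copy in copies:
        if not os.path.isfile(copy):
            problems.append(f"{copy}: not found")
        elif digest(copy) != want:
            problems.append(f"{copy}: differs from exported key file")
        elif stat.S_IMODE(os.stat(copy).st_mode) & 0o077:
            problems.append(f"{copy}: readable by group or others")
    return problems

def demo():
    """Constructed sample: one good copy, one stale copy from an older export."""
    sample = "".join(f"{k}=CONSTRUCTED\\=\\=\n" for k in REQUIRED)
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("export.key", "webseal1.key", "webseal2.key")]
    for p, body in zip(paths, (sample, sample, sample + "#old\n")):
        with open(p, "w") as fh:
            fh.write(body)
        os.chmod(p, 0o600)
    return check_key_copies(paths[0], paths[1:])

if __name__ == "__main__":
    print(demo())
```

Only SHA-256 digests are compared, so the key material itself is never printed. In practice the copies would be the files under /opt/pdweb/jct_keys fetched from each WebSEAL server.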
