
Friday, April 3, 2015

TWS LTPA key update / exchange

Sometimes the LTPA (Lightweight Third-Party Authentication) key needs to be updated for TWS / TDWC, or exchanged between several TWS / TDWC servers so that any TDWC (Tivoli Dynamic Workload Console) can connect to any TWS / TDWC. Usually this exchange is done automatically (totally transparent for the end user), but in some cases it doesn't work and a manual exchange is needed.

To update or export / import the LTPA key, perform the following steps:

   1. Connect to the TWS / TDWC WebSphere administrative console.
Default path: https://:31124/ibm/console/logon.jsp?action=OK

   2. Log in using the administrative account and navigate to Security -- Global security -- Authentication -- LTPA.

   3. To generate a new key, press the Generate keys button in the Key Generation section. If instead you need to export the key for another server, go to the Cross-cell single sign-on section, enter a Password / Confirm Password and a Fully qualified key file name, and press Export Keys.

   4. To import the key, copy the key file exported in step 3 to the target server, repeat steps 1 and 2 on the target, and in the Cross-cell single sign-on section enter the Password / Confirm Password chosen in step 3, type the path and file name in Fully qualified key file name, and press Import Keys.

   5. Save the changes and you are done (there is no need to restart WebSphere).

Friday, March 27, 2015

TWS & TDWC MS AD integration

In this post I will describe how to set up MS AD (Microsoft Active Directory) user integration for TWS & TDWC directly in WebSphere (on Windows machines there is another way, using the OS capabilities).

Prerequisites: an MS AD (Microsoft Active Directory) account (a service account is preferred) that WebSphere will use to connect to MS AD and read its repository.
For both TWS and TDWC the set-up is identical (if they both run on the same WebSphere it needs to be performed only once).

To set up the TWS / TDWC and MS AD integration:

   1. Log in to the WebSphere admin page:
  • Directly: https://:31124/ibm/console/secure/securelogon.do?action=force (this is the default link)
  • From TDWC:

   2. Go to Security -- Global security, and under User account repository set Current realm definition to Standalone LDAP registry (to use a single repository, e.g. MS AD only) or Federated repositories (to use multiple repositories, e.g. MS AD plus Local Server Account).

!!!!! Important: if an account name is not unique across the Federated repositories, that user WILL NOT be authenticated (WebSphere refuses an ambiguous login rather than picking one repository). Check for duplicate names across repositories before enabling more than one.

   3. Then go to Configure ... -- Manage repositories (under Related Items) and click Add.

   4. On LDAP server, under Directory type select Microsoft Windows Active Directory and fill in the fields as follows:

  • Repository identifier -- just a display name
  • Primary host name -- your Microsoft Active Directory (MS AD) domain controller server name (DNS name), fully qualified domain name (FQDN) or IP address
  • Port -- the server port used to connect to MS AD in order to read user data (default: 389; this is the plain LDAP port, on which the bind credentials cross the network unencrypted, so prefer an SSL-enabled connection where your domain controllers support it)
  • Bind distinguished name -- the distinguished name the application server uses when binding to the MS AD repository
e.g. CN=user_name,OU=IT,OU=TM,OU=RO,DC=europe,DC=ad,DC=company_name,DC=com

  • Bind password -- the password the application server uses when binding to the MS AD repository (in short: the password of the user_name given in the Bind distinguished name field)
Press OK. If you opted for Standalone LDAP registry, go to the last step (8).
   
   5. Go to Global security -- Federated repositories -- Repositories in the realm: -- Add Base entry to Realm...

   6. On Repository reference select:

  • Repository -- the one you created in step 4
  • Distinguished name of a base entry that uniquely identifies this set of entries in the realm -- the base DN under which WebSphere searches this repository for users; it must be unique among the base entries in the realm
e.g. DC=ad,DC=company_name,DC=com
Press OK.

   7. Press Apply and Save directly to the master configuration.

   8. Restart WebSphere.

Now user authentication is performed against MS AD (MS AD alone, or MS AD together with the other repositories in the realm). You may also use MS AD groups or DLs (distribution lists) to grant rights in TWS and / or TDWC.
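Two of the values above are easy to get wrong without any error from the console: the base entry in step 6 must actually contain the bind DN from step 4, and, per the warning in step 2, no account name may exist in more than one repository in the realm. The following script is an added example (not part of the original post or of any IBM tooling) that checks both offline; the DNs are the ones quoted in the post and the per-repository user lists are constructed samples.

```python
"""Offline pre-checks for the federated-repository setup in the post above.
Added example, not from the original post; DNs and user lists are constructed."""
from collections import defaultdict


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attr, value) pairs, most specific first. Attribute
    names are lower-cased; a backslash-escaped comma stays inside its value."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    return [(a.strip().lower(), v.strip()) for a, _, v in (r.partition("=") for r in rdns)]


def dn_under_base(dn: str, base: str) -> bool:
    """True if `base` is a suffix of `dn` (values compared case-insensitively)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base)]
    return 0 < len(b) <= len(d) and d[-len(b):] == b


def find_ambiguous_accounts(repositories: dict[str, list[str]]) -> dict[str, list[str]]:
    """Account names present in more than one repository, mapped to those
    repositories. AD logins are case-insensitive, so names are lower-cased."""
    seen: dict[str, list[str]] = defaultdict(list)
    for repo, names in repositories.items():
        for name in names:
            if repo not in seen[name.lower()]:
                seen[name.lower()].append(repo)
    return {n: r for n, r in seen.items() if len(r) > 1}


# DNs as given in the post; the per-repository user lists are constructed samples.
BIND_DN = "CN=user_name,OU=IT,OU=TM,OU=RO,DC=europe,DC=ad,DC=company_name,DC=com"
BASE_ENTRY = "DC=ad,DC=company_name,DC=com"
SAMPLE_REPOSITORIES = {"MS AD": ["jdoe", "twsadmin", "svc_tws"],
                       "Local Server Account": ["TWSAdmin", "wasadmin"]}

if __name__ == "__main__":
    print("bind DN under base entry:", dn_under_base(BIND_DN, BASE_ENTRY))
    for name, repos in find_ambiguous_accounts(SAMPLE_REPOSITORIES).items():
        print(f"'{name}' exists in {repos}: WebSphere will refuse to authenticate it")
```

Feed the real user lists exported from each repository into `find_ambiguous_accounts` before switching the realm to Federated repositories; every name it reports is a login that will fail after the restart in step 8.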