LTPA token ltpa.jceks regenerate

Source: Internet. Editor: 程序博客网. Time: 2024/05/01 15:37


LTPA overview

LTPA stands for Lightweight Third Party Authentication. It is a single sign-on (SSO) credential format intended for use in distributed environments with multiple application servers.



LTPA Exception error log:

Unexpected Exception Occurred: com.ibm.websphere.asynchbeans.SerialDeserialException: Exception while deserializing a saved service.  Service=security. Unable to deserialize the Subjects in this Context, cause: Validation of LTPA token failed due to invalid keys or token type.


Check content of ltpa.jceks

List the contents of ltpa.jceks with keytool from <install_root>/java/bin:
keytool -list -storetype jceks -keystore ltpa.jceks -storepass WebAS
The output should look like this


LTPA Key ltpa.jceks location:

The keystore containing the LTPA keys is a file named ltpa.jceks, stored at the cell level for each profile:
<WAS_install_root>\profiles\<profile>\config\cells\<cellname>


To recover from a corrupted file:

1. Back up the old ltpa.jceks.
2. Remove the ltpa.jceks.
3. Regenerate a new ltpa.jceks file with keytool or from the WAS console: Security -> Global Security -> Authentication -> Authentication mechanisms and expiration -> LTPA -> Generate key.
4. Stop the Node Agent, and run syncNode.sh to bring the Node Agent back in sync with the Deployment Manager.
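
Steps 1 and 2 as a shell function, added here as an example and not part of the original post: it makes an owner-only, timestamped copy of the keystore and removes the original only after the copy is verified byte-identical. The function name and the two directory arguments (the cell directory and a backup directory of your choice) are assumptions.

```shell
# Added example: steps 1 and 2 of the procedure above (back up, then remove).
# The function name and both directory arguments are assumptions.
# Usage: backup_and_remove_ltpa CELL_DIR BACKUP_DIR
# Prints the backup path on success; on any failure returns non-zero and
# leaves the original keystore in place.
backup_and_remove_ltpa() {
    cell_dir=$1
    backup_dir=$2
    src="$cell_dir/ltpa.jceks"

    # Only act on a regular file; refuse symlinks so the copy and the removal
    # cannot be redirected to another path.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "no regular ltpa.jceks in $cell_dir" >&2
        return 1
    fi

    # The keystore holds the LTPA keys, so the backup is owner-only.
    old_umask=$(umask)
    umask 077
    mkdir -p "$backup_dir" || { umask "$old_umask"; return 1; }
    dest="$backup_dir/ltpa.jceks.$(date +%Y%m%d%H%M%S).bak"

    # Never overwrite an earlier backup.
    if [ -e "$dest" ]; then
        umask "$old_umask"
        echo "backup $dest already exists" >&2
        return 1
    fi

    cp -p "$src" "$dest" && chmod 600 "$dest"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1

    # Remove the original only once the copy is confirmed byte-identical.
    if ! cmp -s "$src" "$dest"; then
        echo "backup verification failed; original left in place" >&2
        return 1
    fi
    rm -f "$src" || return 1
    echo "$dest"
}
```

Steps 3 and 4 (regenerating the keys and running syncNode.sh) then follow as described above.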
