Disabling automatic LTPA Key Generation in WAS (or how to stop SSO between WAS and Domino from breaking)

I have been burned by this one, and I am not alone, so I thought it was time for me to get around to writing this post. One thing you can accomplish fairly easily is to create a Single Sign-On (SSO) environment between Domino and WebSphere Application Server (WAS). To do so, you first generate the LTPA keys in WAS and then import the keys into Domino. There is also an article in the Lotus Connections Wiki on how to accomplish this. Overall it is easily done, taking only a few minutes to set up.

So by now you are asking: what is the catch? The catch is that by default WAS will roll over the LTPA keys every 12 weeks. Put another way, your SSO between WAS and Domino will work for 12 weeks and then mysteriously stop working, because the keys Domino imported no longer match the keys WAS is now using.

What you want to do is disable automatic generation of LTPA keys in WAS:

1. Log on to the Integrated Solutions Console (ISC).
2. Navigate to SSL certificate and key management > Key set groups.
3. If you are on a Deployment Manager you are looking for the CellLTPAKeySetGroup. If you are on a standalone node you are looking for the NodeLTPAKeySetGroup.
4. Select the appropriate group and clear the check box for "Automatically generate keys".
5. Save your changes and restart WAS for the changes to take effect.

Wait 12 weeks and sit back and relax knowing you will not be answering calls about SSO being broken.

In the WAS 6.1 InfoCenter: Disabling automatic generation of Lightweight Third Party Authentication keys
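If you look after more than one cell, it helps to verify the setting from the configuration files rather than clicking through every console. The following is an added example, not part of the original post: it parses the key set group entries of a WAS profile's security.xml and reports any LTPA group that is still set to regenerate keys automatically. The sample XML is constructed here, and the element and attribute names (keySetGroups, name, autoGenerate) are assumed to match those written by WAS 6.1.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the keySetGroups entries found in
# config/cells/<cell>/security.xml of a WAS profile (attribute names assumed).
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <keySetGroups xmi:id="KeySetGroup_1" name="CellLTPAKeySetGroup"
      autoGenerate="true" wsSchedule="WSSchedule_1"/>
  <keySetGroups xmi:id="KeySetGroup_2" name="NodeLTPAKeySetGroup"
      autoGenerate="false" wsSchedule="WSSchedule_2"/>
</security:Security>
"""


def ltpa_key_set_groups(security_xml):
    """Return {group name: autoGenerate flag} for every LTPA key set group."""
    root = ET.fromstring(security_xml)
    groups = {}
    # keySetGroups elements carry no namespace prefix, so the bare tag matches.
    for group in root.iter("keySetGroups"):
        name = group.get("name", "")
        if "LTPA" in name.upper():
            groups[name] = group.get("autoGenerate", "false").lower() == "true"
    return groups


def rollover_risks(security_xml):
    """Names of LTPA groups whose keys will still roll over automatically,
    which is exactly the condition that breaks the imported keys in Domino."""
    flags = ltpa_key_set_groups(security_xml)
    return sorted(name for name, auto in flags.items() if auto)


def report(security_xml):
    """Human-readable summary; returns True when no group is at risk."""
    at_risk = rollover_risks(security_xml)
    for name in at_risk:
        print("WARNING: %s still has automatic key generation enabled" % name)
    if not at_risk:
        print("OK: no LTPA key set group regenerates keys automatically")
    return not at_risk


if __name__ == "__main__":
    # Pass the path to a real security.xml, or run with no argument for the sample.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURITY_XML
    sys.exit(0 if report(xml_text) else 1)
```

Run it against each cell's security.xml after the console change to confirm the setting was saved and synchronised to the nodes.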

3 Responses to Disabling automatic LTPA Key Generation in WAS (or how to stop SSO between WAS and Domino from breaking)
  1. Rob Novak
    June 9, 2009 | 5:35 pm

    VERY good find, Mitch. I’ve set this up 20 times and had no idea about “WAS will rollover the LTPA keys every 12 weeks,” causing me much pain when my SSO isn’t working and I had no idea why.

    Very nice, thanks!

  2. Sjaak Ursinus
    June 17, 2009 | 8:57 am

    Mitch,

    Nice to see you have found it yourself also.

    I already blogged about this some time ago after I got alerted by some people from the community about the problem they were experiencing.

    { Link }

  3. Martin Rolph
    February 11, 2010 | 2:28 pm

    Excellent post. This has been annoying me for ages. Many thanks!