Disabling automatic LTPA Key Generation in WAS (or how to stop SSO between WAS and Domino from breaking)

I have been burned by this one,  and I am not alone, so I thought it was time for me to get around to writing this post. One thing you can accomplish fairly easily is create a Single Sign on environment between Domino and Websphere Application Server (WAS) in order to do so first you need to Generate an LTPA Token in WAS, and then Import the keys in to Domino.  There is also an article in the Lotus Connections Wiki on how to accomplish this.  Overall it is easily accomplished taking only a few minutes to set up. So by now you are asking What is the catch?  The catch is that by default WAS will rollover the LTPA keys every 12 weeks or put another way your SSO between WAS and Domino will work for 12 weeks and then mysteriously stop working.  What you want to do is Disable Automatic Generation of LTPA Keys in WAS. Log on to the Integrated Solutions Console (ISC) Navigate to SSL Certificate and Key Management > Key set groups If you are on a Deployment Manager you are looking for the CellLPTAKeySetGroup If you are on a Standalone Node you are looking for the NodeLPTAKeySetGroup Select the appropriate group per above and clear the check box  for “Automatically Generate Keys” Save your changes and restart WAS for the changes to take effect. Wait 12 weeks and sit back and relax knowing you will not be answering calls about SSO being broken. In the WAS 6.1 InfoCenter: Disabling automatic generation of Lightweight Third Party Authentication keys