Lightweight Third-Party Authentication (LTPA)

Lightweight Third-Party Authentication (LTPA) is an IBM single sign-on technology that reduces the number of times a user’s credentials are checked against a user registry. When web users access application servers that use LTPA, they can reuse their logged-in credentials across different applications or servers. When a new authentication request occurs, the user's credentials, such as user ID and password, are authenticated as normal, but in response the server returns a signed authentication token to the requester.

To see which CICS access methods support LTPA, see Which authentication method can I use with which access method?.

Why use LTPA?

LTPA enables web users to reuse their logged-in credentials across different applications or servers. LTPA can be used to improve the performance of security authentication and can simplify the authentication process in systems that use components that are spread across multiple servers. It can also be used in the deployment of Multi-Factor Authentication (MFA) solutions, by avoiding the need to request security factors for every request.

How LTPA works

Figure 1. Creating and validating an LTPA token

When a user passes authentication on a Liberty server, a signed token is generated by using the LTPA protocol and transported to the web browser in a cookie called ltpaToken2. The token contains user information and an expiration time, and is signed by keys that are owned by the server. An LTPA token is a binary security token. Liberty supports LTPA Version 2.

After receiving an LTPA token, if the user then accesses an application either on the same server or on another server that is a member of the same authentication realm, the user is automatically authenticated by using the LTPA token that is flowed by the browser in a cookie. This scenario is called a single sign-on (SSO) environment.

Support in CICS Liberty for LTPA

LTPA tokens are supported for use with all Liberty authentication mechanisms, including HTTP basic authentication, form logon, and TLS client certificates. They are enabled by default, and the Liberty server manages the creation and expiration of the certificates in an underlying key file. The default LTPA key file is located in ${server.output.dir}/resources/security/ltpa.keys and can be modified by using the <webAppSecurity> element in server.xml.

LTPA is required by the Liberty CMCI server. For information, see How the CMCI JVM server authenticates clients.

You can set up Liberty to allow the sharing of LTPA tokens among multiple servers. HTTP client users can authenticate once and have access to other applications on Liberty servers that share the same LTPA keys. If HTTP endpoints are shared across cloned CICS regions that use a TCP/IP load balancer, then the Liberty servers must share a common LTPA keys file.

An LTPA token has a fixed lifetime. It cannot be extended or renewed, even if a user is active in a session. Upon timeout, the user is logged out and must provide login credentials again to get a new token. The expiration time of the LTPA token is configurable. For instructions, see Configuring LTPA in Liberty.
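The two points above, sharing one LTPA keys file across cloned regions and setting the token's fixed lifetime, can be expressed in a single server.xml fragment. This is an added example, not configuration from this page or from IBM; the keys file path, password value and domain name are placeholders.

```xml
<!-- Added example (not from the page): server.xml fragment for two cloned
     CICS Liberty regions behind a TCP/IP load balancer. Path, password and
     domain are placeholders to be replaced for a real deployment. -->
<server>
    <!-- Both regions point at the same keys file on shared storage, so an
         ltpaToken2 cookie signed by one region validates on the other.
         expiration is in minutes and is the token's fixed lifetime; user
         activity does not extend it, so the user must log in again afterwards. -->
    <ltpa keysFileName="/shared/liberty/security/ltpa.keys"
          keysPassword="{xor}PLACEHOLDER_ENCODED_PASSWORD"
          expiration="60" />

    <!-- Send the SSO cookie only over TLS and scope it to the domain that the
         load balancer presents to browsers. ssoCookieName defaults to
         ltpaToken2 and is shown here only to make the cookie name explicit. -->
    <webAppSecurity ssoRequiresSSL="true"
                    ssoDomainNames="example.com"
                    ssoCookieName="ltpaToken2" />
</server>
```

The keys file must be readable by every region that validates the cookie, and the keysPassword value should be produced with the Liberty securityUtility encode command rather than typed in clear text.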

For more information, see Customizing SSO configuration using LTPA cookies in Liberty.