
LTPA Token Factory

Let's start with a piece of a Wikipedia article...

"Lightweight Third-Party Authentication (LTPA), is an authentication technology used in IBM WebSphere and Lotus Domino products. When accessing web servers that use the LTPA technology it is possible for a web user to re-use their login across physical servers.

A Lotus Domino server or an IBM WebSphere server that is configured to use the LTPA authentication will challenge the web user for a name and password. When the user has been authenticated, their browser will have received a session cookie - a cookie that is only available for one browsing session. This cookie contains the LTPA token.

If the user – after having received the LTPA token – accesses a server that is a member of the same authentication configuration as the first server, and if the browsing session has not been terminated (the browser was not closed down), then the user is automatically authenticated and will not be challenged for a name and password. Such an environment is also called a Single-Sign-On (SSO) environment."

Source: http://en.wikipedia.org/wiki/IBM_Lightweight_Third-Party_Authentication

Ok. Now let me tell you about the problem I've faced and how to solve it.

The problem is simple...

To integrate your own SSO (Single Sign-On [http://en.wikipedia.org/wiki/Single_sign-on]) solution with IBM products that use LTPA tokens v1 and v2 to authenticate users.

The solution is...

To encode and/or decode LTPA tokens of versions 1 and 2. To do that, I wrote a very basic Java API which handles encoding and decoding of LTPA tokens. In order to integrate your SSO mechanism with an IBM server, you have to create two session cookies carrying the LTPA tokens v1 and v2. The LTPA v1 token must be named LtpaToken and the v2 token LtpaToken2. Your SSO system must create a UserMetadata (a class from the library), call the encoding method of the TokenLTPAFactory, and then create the cookies and send them to the user's browser.

I'll explain here how an LTPA token is composed. If you don't want to know that and just want to use the API, jump to the next section of the article (Using the API):

Plain text token:

<token body>%<expiration time>%<signature>

where:

The token body is composed of some (or all) of the following fields:

  • Username: u:<realm + distinguished name (e.g. user\:realm/uid=wasadmin)>
  • Hostname: host:<server hostname (e.g. example.com)>
  • Port: port:<server port (e.g. 5555)>
  • Naming Provider: java.naming.provider.url:<URL of the JNDI provider (e.g. corbaloc:iiop)>
  • Server Name: process.serverName:<server name (e.g. example.com)>
  • Authentication Method: security.authMechOID:<auth method OID (e.g. 1.3.18.0.2.30.2)>
  • Type: type:<protocol type (e.g. SOAP)>
  • Expiration Time: expire:<timestamp> (e.g. 123123123)

The fields are concatenated with the "$" symbol, as follows (note that a literal ":" inside a value, such as the one in the username, is escaped as "\:"):

u:user\:realm/uid=wasadmin$host:example.com$port:5555$java.naming.provider.url:corbaloc:iiop$process.serverName:example.com$security.authMechOID:1.3.18.0.2.30.2$type:SOAP$expire:123123123

Ok. This is a complete token body, but a valid token can have just the username:
u:user\:realm/uid=wasadmin

The expiration time (the middle segment) is the same expiration time used in the expire: field of the token body.

The signature of a token depends on its version:

LTPA1 BASE64( RSA( SHA_DIGEST( token_body ) ) )
LTPA2 BASE64( SHA1_WITH_RSA( SHA_DIGEST( token_body ) ) )
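To make the format above concrete, here is a small parser and consistency checker for the decrypted (plain-text) form of a token. This is an added example written for this article; it is not code from the TokenLTPASessionManager library. It assumes only what is described above: the <token body>%<expiration time>%<signature> layout, "$"-separated key:value fields, the "\:" escape inside values, and the rule that the body's expire: field must equal the middle segment. The sample token is constructed (made-up realm, user and a placeholder signature). It does not verify the RSA signature, since that needs the server's public key.

```python
import time

# Constructed sample in the shape of the decrypted LTPA2 output shown on the
# page; realm and user are made up and the signature is a placeholder.
SAMPLE_TOKEN = (
    "expire:1410205320000"
    "$u:user\\:exampleRealm/uid=alice,o=exampleRealm"
    "$host:example.com$port:5555"
    "%1410205320000%PLACEHOLDER_SIGNATURE_BASE64="
)


def split_token(token):
    """Split a decrypted token into (body, expiry, signature).

    Splits from the right: the base64 signature and the expiry never
    contain '%', so the last two separators are always the real ones.
    """
    parts = token.rsplit("%", 2)
    if len(parts) != 3:
        raise ValueError("token must have the form <body>%<expiry>%<signature>")
    return tuple(parts)


def parse_body(body):
    """Turn the '$'-separated body into a dict of key -> value.

    Only the first ':' of a field separates key from value, so values such
    as 'corbaloc:iiop' or the escaped 'user\\:realm/...' survive intact.
    The page documents '\\:' as the escape for a literal ':' in a value.
    """
    fields = {}
    for raw in body.split("$"):
        if not raw:
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("field without ':' separator: %r" % raw)
        if key in fields:
            raise ValueError("duplicate field: %r" % key)
        fields[key] = value.replace("\\:", ":")
    return fields


def parse_user(u_value):
    """Split the unescaped 'user:<realm>/<dn>' value into (realm, dn)."""
    prefix, sep, rest = u_value.partition(":")
    if prefix != "user" or not sep:
        raise ValueError("unexpected username format: %r" % u_value)
    realm, sep, dn = rest.partition("/")
    if not sep:
        raise ValueError("username lacks '/' between realm and DN")
    return realm, dn


def check_token(token, now_ms=None):
    """Return a list of structural problems found in a decrypted token.

    An empty list means the token is well-formed and not yet expired.
    Expiry values are milliseconds since the Unix epoch, as in the page's
    sample (1410205320000). Signature verification is out of scope here.
    """
    problems = []
    body, expiry, signature = split_token(token)
    fields = parse_body(body)
    if "u" not in fields:
        problems.append("missing username field 'u'")
    else:
        try:
            parse_user(fields["u"])
        except ValueError as exc:
            problems.append(str(exc))
    if not expiry.isdigit():
        problems.append("expiry segment is not a decimal timestamp")
    else:
        # The body's expire: field must carry the same value as the middle
        # segment; a mismatch means the token was built wrongly or altered.
        if "expire" in fields and fields["expire"] != expiry:
            problems.append("expire field %s != expiry segment %s"
                            % (fields["expire"], expiry))
        if now_ms is None:
            now_ms = int(time.time() * 1000)
        if int(expiry) <= now_ms:
            problems.append("token expired at %s ms since epoch" % expiry)
    if not signature:
        problems.append("empty signature")
    return problems


if __name__ == "__main__":
    body, expiry, signature = split_token(SAMPLE_TOKEN)
    print("fields:", parse_body(body))
    print("user:", parse_user(parse_body(body)["u"]))
    print("problems:", check_token(SAMPLE_TOKEN))
```

Run as-is it reports the sample as expired, because its timestamp is from 2014; pass now_ms explicitly to evaluate a token against a fixed clock. The expire-field check is the one worth keeping in any code that inspects decrypted tokens: both copies of the expiry are under the signature, so a disagreement between them is a sign that something other than the legitimate server produced the token.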

Using the API

Here is an example of how to decode an LTPA v2 token:

// Encrypted LtpaToken2 cookie value as received from the browser.
String encodedToken =
    "e7gndC2qTwjMc6JSLmoiD8lG3DkOrx+v7/Q9HNIKS1tYAchyVLYdRV42h0dFAR8ZzHOiUi5qIgJRtw5Dq8fr+0PRzSCktbLoPvYxBfDU2O3z5DqzXVAdrtn5nkVhfljIBuVgzUU5aQgf8SCGQAhi9mo7WxnZWrUc5Th7Lk6VtE6ofQFMD1BYc0g6Qbuwc6DWIAnhLAaEtNDILXgWWhpgNJ3yOTqAdAIm6SD4dohlQ4nuoCL4kPeZaST2FDdPDQTDBjpMYIStZDusiuIzL3XqZq8LXgCsiImyzcmER04e8YM3mv6hhDcnSjf3NciyUG5HxiSBSqBeHF8ofvsIm1OtXShHyb";

// Load the 3DES key, RSA key pair and key password from keys.properties.
TokenLTPAFactory factory = new TokenLTPAFactory( "keys.properties" );

// Decode the v2 token and render it in its plain-text form
// (<token body>%<expiration time>%<signature>).
String token = factory.decodeLTPAToken( encodedToken, TokenLTPAFactory.LTPA_VERSION.LTPA2 ).toString( );


The content of keys.properties is shown below. Note that the 3DES key and the RSA private key are the secrets the server uses to encrypt and sign tokens, so anyone holding this file can mint tokens that the server accepts; it must be protected as carefully as the server's own LTPA key file.

com.ibm.websphere.ltpa.3DESKey=TpZw61ninSNYc8a9FoM/INdXV6bxe/S0XuIPEs6/3To\=
com.ibm.websphere.ltpa.PrivateKey=kiUqmnoksWsGavbWVMx5slYtOBmGVoKW0hhwG8wsnDOOKmfQ5HAttgKaEGPlcUnk7QAvgb0+ToP9UYdexOIbpV+demYaUbtqPe879VWzLuU5/Bi8uzRl0wVZsEHoS6N4VqEtsqtpYReS82xfgwX2YmbQwL4ep8kGtdBfbdkJhSjZYrnoTvqTwESCdQ/tiSsQZnhWjJK6Y057xL2cVNDCxuysfVoyXeMyQa3zt51MU3i0Uk5JforWAeczuBSujjK4aKQIEqTEZ1Bb4TtGJGCBd6bSPx9i9j5wEcrdCV0CInf8UK8GsMbkdY6mYkEIC4sK78XLrBHQzef7VZTn/WlL+9a9fakbazpauSrC5TvtjZA\=
com.ibm.websphere.ltpa.PublicKey=AODDSeYqjbMK7vKVpeKlhucswJ3u3SdbYnN5EMDX98Vsdp2MktjE/OFIQn9u8THBoDTtN4vRhxxbPWJ2pwi8q0HpDZ1hxUBqcU8vZCKCIwRVLhx1LVpem7v5/RQpOG9QtEsHa4JO8CE+XolWsUzNzhObrUJcjwRmx8/8rlfKHA0XAQAB
com.ibm.websphere.ltpa.KeyPassword=abc.123

There is a helper function which can be used to see what the library does. To call it, just run the jar as a runnable jar, as in the examples below:

Decrypting an LTPA v1 token

java -jar TokenLTPASessionManager.jar -d1 n1bmuKFLT1myIsfGsuug5ILFNl3WD4XfGrYTbNx/PDY2HEM4prlw8ecfRZ/0+kdgsiLHxrLroOSCxTZd1g+F3xq2E2zcfzw2iIbzc8s+XGb+cw8JtH2M+2RBmRW6fQwTG8Gm/tibrsWJ/6erQjA6pDe5otPgAEEEBhMW/i8LDzzCk+e6xqq+TebfHMCrDaUKiA58Bffc7o3f7Jp9oipcxIPHglbSHrSzBbCtmpY3THtM1Y8rutBbSECqco2HIyQ/dkx/MFOv+VMgL1obyIL7Dis0/xKh2g/tkDrp0pgc3gHoawkVl+8McJNsMRfsxlqzIHHkxsluBXViki4GcAJZr4+A93XYmIxR

u:user\:defaultWIMFileBasedRealm/uid=wpsadmin,o=defaultWIMFileBasedRealm%1410205320000%FnynPm5aAXwXZEOh47p/bXU5T5/mKKt/88yrL/2/nrLdHz4kBcAa7R31GtBO7A71pu1PrCRRg53Eb5CrN3GpAvQvqmo3tMV1YsH3kjrpfToyTCBnSTOWpGUWLDlKE9EfVcyZAYf48vGmiL7A2UnGtmOwSF2NQrjFMgOBr33DJhY=


Decrypting an LTPA v2 token

java -jar TokenLTPASessionManager.jar -d2 B3d3F5J9A7vJEgCF74C9jpiMF0n4gDbKWjWVWrX01+kprmCCbbz4dLJwc/uaDUmiOkOclzt+gc9Wuz+dgDRAd9Hacpy6KPvjp0+zF/5jXlLBDOJSecgl3DDwK6oEkXCq4lQGiAh+fpZoenjv6Ex0ALs6nuVnE8GGlqM+ljJiNCEBGSvT1oIn7W2YlKcDq+Mon1W+qJSaQjBYLd7CmT4t4Pg8sVO8vnJEedUXbUkQRRyOmXPuaCm85ig6BzFyqmLZG2JYsQrNL4afJBp4TSKLe7+VreaLqiXyZiqj4cOcNTgCQnW8M+X3tC7z0pJXtP86oK8L572bzFA9E7FZxJJJ1s+OdpvxlMDdpld9xrRxKjNVtIhCu5bj1IqslQzEiNky

expire:1410205320000$u:user\:defaultWIMFileBasedRealm/uid=wpsadmin,o=defaultWIMFileBasedRealm%1410205320000%vlLwD5ohUZ+UG+AOkgI7WWDgT3m3mdD3if21nfHmsSZYDL3mnQqs1W/hp1h8UpjnaKOMLhViAf8QVKU0npVQ4V18iMds3xoS+H/xBSUoCZls4T438Lpt3TSuVC43SdcHo25PkA6+d3XUY6CAUzkZeLs1wXPPGUZSVS5pw47Vrds=

Encrypting an LTPA v1 token

java -jar TokenLTPASessionManager.jar -e1 u:user\:defaultWIMFileBasedRealm/uid=wpsadmin,o=defaultWIMFileBasedRealm%1410205320000%VbnojZzzUEpw4mXAMxGaiQ6GxKGpAibgbnaPFbnnceXQQ4bJXS6TA6ob5X3GiPAh6QiwpiFNVNLhFemrey5wRPbg1hu5XQgdJ3lOxSS+WZlvm5S7QCa7uQkK1IqZ1wzOsdBVn49rlHyiXZicXHEZx7xCbtNH6FtdAx92HO4=

n1bmuKFLT1myIsfGsuug5ILFNl3WD4XfGrYTbNx/PDY2HEM4prlw8ecfRZ/0+kdgsiLHxrLroOSCxTZd1g+F3xq2E2zcfzw2iIbzc8s+XGb+cw8JtH2M+2RBmRW6fQwTG8Gm/tibrsWJ/6erQjA6pDe5otPgAEEEBhMW/i8LDzzCk+e6xqq+TebfHMCrDaUKiA58Bffc7o3f7Jp9oipcxIPHglbSHrSzBbCtmpY3THtM1Y8rutBbSECqco2HIyQ/dkx/MFOv+VMgL1obyIL7Dis0/xKh2g/tkDrp0pgc3gHoawkVl+8McJNsMRfsxlqzIHHkxsluBXViki4GcAJZr4+A93XYmIxR

Encrypting an LTPA v2 token

java -jar TokenLTPASessionManager.jar -e2 u:user\:defaultWIMFileBasedRealm/uid=wpsadmin,o=defaultWIMFileBasedRealm$expire:1410205320000%1410205320000%GDY37G8R2AzRyCI38Hwq+hBiFiYfBPvMToKOLq+oTaJqQ+wCFwvW2OHapp1L9Nj4PtIyUf5Bc1NElQp0AUMpl5i+Wj2VjHVeUIgyJS8O9mdJ1q2V7MY10Q7pi4980aH2iIl13HA19XENyd2frNaReUuP9gfxKFK5HshZn8=

B3d3F5J9A7vJEgCF74C9jpiMF0n4gDbKWjWVWrX01+kprmCCbbz4dLJwc/uaDUmiOkOclzt+gc9Wuz+dgDRAd9Hacpy6KPvjp0+zF/5jXlLBDOJSecgl3DDwK6oEkXCq4lQGiAh+fpZoenjv6Ex0ALs6nuVnE8GGlqM+ljJiNCEBGSvT1oIn7W2YlKcDq+Mon1W+qJSaQjBYLd7CmT4t4Pg8sVO8vnJEedUXbUkQRRyOmXPuaCm85ig6BzFyqmLZG2JYsQrNL4afJBp4TSKLe7+VreaLqiXyZiqj4cOcNTgCQnW8M+X3tC7z0pJXtP86oK8L572bzFA9E7FZxJJJ1s+OdpvxlMDdpld9xrRxKjNVtIhCu5bj1IqslQzEiNky

You can download the Java library from the link at the bottom of this page. The source code is inside.

Please let me know if this article helped you in some way.

Attachment: TokenLTPASessionManager.jar (19k), uploaded by Samir Araújo, Oct 21, 2015, 4:41 AM