LTPA Token (ltpa)

Lightweight Third Party Authentication (LTPA) token configuration.

Name	Type	Default	Description
authFilterRef	A reference to top level authFilter element (string).		Specifies the authentication filter reference.
expiration	A period of time with minute precision	120m	Amount of time after which a token expires in seconds. The value can be specified in milliseconds, seconds, and minutes by using the following suffixes: "ms", "s", and "m". Specify a positive integer followed by a unit of time, which can be hours (h) or minutes (m). For example, specify 30 minutes as 30m. You can include multiple values in a single entry. For example, 1h30m is equivalent to 90 minutes.
keysFileName	Path to a file	${server.output.dir}/resources/security/ltpa.keys	The path to the file that contains the LTPA primary keys, which are used to create and validate LTPA tokens.
keysPassword	Reversably encoded password (string)	{xor}CDo9Hgw=	Password for the LTPA primary keys. The best practice is to encrypt the password by using the securityUtility tool.
monitorInterval	A period of time with millisecond precision	0ms	Rate at which the server checks for updates to the LTPA keys file. This rate applies to both the primary keys and the validation keys. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
monitorValidationKeysDir	boolean	false	If set to "true", the directory that contains LTPA primary keys is monitored for any modifications on files with the .keys suffix. The default value is false. All validation files must use the same password as the LTPA primary keys password and must have the .keys suffix.
updateTrigger	disabled mbean polled	polled	Specifies the update method or trigger that is used to update the LTPA keys. The following values are supported: "polled", "mbean" and "disabled". The default value is "polled". disabled This disables all update monitoring on all LTPA key files including primary key and validation keys (configured and non-configured). Changes to the LTPA key files are not applied while the server is running. mbean %ltpa.updateTrigger.external polled The server scans for LTPA key file changes at the monitor interval and updates if the LTPA key files have any detectable changes.

Name

Type

Default

Description

authFilterRef

A reference to top level authFilter element (string).

Specifies the authentication filter reference.

expiration

A period of time with minute precision

120m

Amount of time after which a token expires in seconds. The value can be specified in milliseconds, seconds, and minutes by using the following suffixes: "ms", "s", and "m". Specify a positive integer followed by a unit of time, which can be hours (h) or minutes (m). For example, specify 30 minutes as 30m. You can include multiple values in a single entry. For example, 1h30m is equivalent to 90 minutes.

keysFileName

Path to a file

${server.output.dir}/resources/security/ltpa.keys

The path to the file that contains the LTPA primary keys, which are used to create and validate LTPA tokens.

keysPassword

Reversably encoded password (string)

{xor}CDo9Hgw=

Password for the LTPA primary keys. The best practice is to encrypt the password by using the securityUtility tool.

monitorInterval

A period of time with millisecond precision

0ms

Rate at which the server checks for updates to the LTPA keys file. This rate applies to both the primary keys and the validation keys. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

monitorValidationKeysDir

boolean

false

If set to "true", the directory that contains LTPA primary keys is monitored for any modifications on files with the .keys suffix. The default value is false. All validation files must use the same password as the LTPA primary keys password and must have the .keys suffix.

updateTrigger

disabled
mbean
polled

polled

Specifies the update method or trigger that is used to update the LTPA keys. The following values are supported: "polled", "mbean" and "disabled". The default value is "polled".
disabled
This disables all update monitoring on all LTPA key files including primary key and validation keys (configured and non-configured). Changes to the LTPA key files are not applied while the server is running.
mbean
%ltpa.updateTrigger.external
polled
The server scans for LTPA key file changes at the monitor interval and updates if the LTPA key files have any detectable changes.

authFilter

Specifies the authentication filter reference.

authFilter > cookie

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > host

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > remoteAddress

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
ip	string		Specifies the remote host TCP/IP address.
matchType	contains equals greaterThan lessThan notContain	contains	Specifies the match type.

Name

Type

Default

Description

string

A unique configuration ID.

string

Specifies the remote host TCP/IP address.

matchType

contains
equals
greaterThan
lessThan
notContain

contains

Specifies the match type.

authFilter > requestHeader

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.
value	string		The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

value

string

The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

authFilter > requestUrl

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
urlPattern	string Required		Specifies the URL pattern. The * character is not supported to be used as a wildcard.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

urlPattern

string
Required

Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent

A unique configuration ID.

Name	Type	Default	Description
agent	string Required		Specifies the browser's user agent to help identify which browser is being used.
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.

Name

Type

Default

Description

agent

string
Required

Specifies the browser's user agent to help identify which browser is being used.

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

authFilter > webApp

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

validationKeys

A unique configuration ID.

Name	Type	Description
fileName	string Required	The name of the file that contains the LTPA validation keys. The path must be the same as the LTPA primary keys file.
id	string	A unique configuration ID.
password	Reversably encoded password (string) Required	The password for the LTPA validation keys. The best practice is to encrypt the password by using the securityUtility tool.
validUntilDate	string	A date and time value in ISO date format that the LTPA validation key is valid until. After the specified time, the validation keys is no longer used for LTPA token validation. The following example shows the ISO date format: "2023-11-18T18:08:35Z". If no value is specified, the LTPA validation keys can be used indefinitely.

Name

Type

Default

Description

fileName

string
Required

The name of the file that contains the LTPA validation keys. The path must be the same as the LTPA primary keys file.

string

A unique configuration ID.

password

Reversably encoded password (string)
Required

The password for the LTPA validation keys. The best practice is to encrypt the password by using the securityUtility tool.

validUntilDate

string

A date and time value in ISO date format that the LTPA validation key is valid until. After the specified time, the validation keys is no longer used for LTPA token validation. The following example shows the ISO date format: "2023-11-18T18:08:35Z". If no value is specified, the LTPA validation keys can be used indefinitely.