Vivek Agarwal’s Portal/Java Blog

An IBM Gold Consultant’s weblog about IBM, Lotus, WebSphere, J2EE, IT Processes, and other IT technologies

Need to decode WebSphere/Domino LTPA token for SSO?

Posted by Vivek Agarwal on July 15, 2008


I needed to implement Single Sign-On between IBM WebSphere Portal and HP Operations Dashboard (HPOD) without using an SSO product, and figured that we could do it using the LTPA token that WPE generates on login to the Portal. For LTPA token based SSO to work, we need to be able to decode the LTPA token on the HPOD side. HPOD is based on Jetspeed, so in other words we are looking at implementing SSO between WebSphere and Jetspeed. I was just getting ready to look up some info I have from Jerry Cuomo on the LTPA token format when I tried a quick Google search and found an even better answer: a blog entry and functional code for LTPA token decoding at http://offbytwo.com/2007/08/21/working-with-ltpa.html. I downloaded the code, exported the LTPA keys from a test WPE server, copied the 3DESKey and our LTPA encryption password into LtpaUtils, logged in to the WPE test server, grabbed the LtpaToken cookie value for test purposes, and was able to decrypt it just fine using LtpaUtils. Thanks to Cosmin, all of this took about 20 minutes!

Two things are worth keeping in mind if you go this route. The exported key file plus the LTPA password are the whole secret: whoever has them can decrypt every user's token and can produce tokens that WebSphere will accept, so treat that export like the Portal's own keystore and never drop it into an application's source tree. And once the token is decoded, the consuming side (HPOD or whatever else) still has to check the expiration field and reject stale tokens; a cookie that decrypts is not by itself proof of a live session.
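As an added example (not part of the original post and not Cosmin's LtpaUtils code), here is the same pipeline written out in Python so the individual steps are visible: read the exported ltpa.keys properties file, undo the Java Properties escaping (the "\=" that several commenters below tripped over), derive the key-encryption key from the LTPA password (SHA-1, zero-padded to 24 bytes, which is what LtpaUtils does), unwrap the real 3DES key, decrypt the cookie with DESede/ECB/PKCS5Padding, and split the resulting body into user, expiry and signature, the same "user%expiry%signature" shape shown in the reply further down this page. The sample key file and token body are constructed for illustration (the key material is dummy), the password is made up, and the 3DES step assumes PyCryptodome is installed; everything else is standard library.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Optional dependency (assumption): PyCryptodome for the DESede step. The
# parsing, key-derivation and expiry checks below need only the stdlib.
try:
    from Crypto.Cipher import DES3
except ImportError:  # pragma: no cover
    DES3 = None

# Constructed sample of an exported ltpa.keys file. The values are NOT real
# keys; note the backslash before "=" that Java Properties files insert
# inside a value, which a naive reader must strip before base64-decoding.
SAMPLE_KEY_FILE = (
    "#IBM WebSphere Application Server key file\n"
    "com.ibm.websphere.ltpa.version=1.0\n"
    "com.ibm.websphere.ltpa.3DESKey=" + "A" * 43 + "\\=\n"
    "com.ibm.websphere.ltpa.Realm=dc\\=example,dc\\=com\n"
)

# Constructed sample of a decrypted LtpaToken (v1) body: user info, expiry in
# epoch milliseconds and a base64 signature, separated by "%". The signature
# here is dummy bytes; the timestamp is the one quoted in the comments.
SAMPLE_TOKEN_BODY = (
    "u:user\\:wpsldap\\:389/uid=vagarwal,cn=people,dc=organizationName,dc=com"
    "%1219361179281%" + base64.b64encode(b"\x00" * 16).decode()
)


def _unescape(value):
    """Undo Java Properties escaping such as the backslash before '=' or ':'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_ltpa_keys(text):
    """Parse an exported ltpa.keys file into a dict, skipping comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, raw = line.partition("=")
        props[key.strip()] = _unescape(raw.strip())
    return props


def key_encryption_key(password):
    """Key protecting the exported 3DESKey: SHA-1(password), zero-padded to
    the 24 bytes DESede expects (the same derivation LtpaUtils uses)."""
    return hashlib.sha1(password.encode("utf-8")).digest().ljust(24, b"\x00")


def des3_ecb_decrypt(key24, data):
    """DESede/ECB/PKCS5Padding. A padding error here is the usual symptom of
    a wrong password, a leftover backslash in the key, or an LtpaToken2."""
    if DES3 is None:
        raise RuntimeError("PyCryptodome is required for this step")
    plain = DES3.new(key24, DES3.MODE_ECB).decrypt(data)
    pad = plain[-1] if plain else 0
    if not 1 <= pad <= 8 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("Given final block not properly padded")
    return plain[:-pad]


def parse_token_body(body):
    """Split a decrypted LtpaToken body into user, expiry (UTC) and signature."""
    user, expires_ms, sig_b64 = body.rsplit("%", 2)
    return {
        "user": user,
        "expires": datetime.fromtimestamp(int(expires_ms) / 1000, tz=timezone.utc),
        "signature": base64.b64decode(sig_b64),
    }


def is_valid_at(token, now):
    """Accept only unexpired tokens; presence of the cookie alone proves nothing."""
    return now < token["expires"]


def decode_ltpa_token(cookie_value, key_file_text, password):
    """Exported keys + password -> real 3DES key -> decrypted token fields."""
    props = parse_ltpa_keys(key_file_text)
    wrapped = base64.b64decode(props["com.ibm.websphere.ltpa.3DESKey"])
    real_key = des3_ecb_decrypt(key_encryption_key(password), wrapped)
    body = des3_ecb_decrypt(real_key, base64.b64decode(cookie_value))
    return parse_token_body(body.decode("utf-8"))
```

The signature field is carried through but not verified here; verifying it needs the LTPA public key from the same export, so a relying party that only checks user and expiry is trusting the 3DES key alone.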

23 Responses to “Need to decode WebSphere/Domino LTPA token for SSO?”

  1. Vanishree said

    Hi,

    I want to implement SSO for WebSphere and Tomcat application servers. Can you please tell me if this requires a Domino server? Also, how can I implement the same, in steps? I would be grateful for the same.

    After reading your article I thought I would be able to get more details from you.

    Vani

  2. agcuong said

    You should hit the link below to get the code. Maybe it's very useful to you:
    http://offbytwo.googlecode.com/svn/trunk/bitsandpieces/LTPAUtils/
    Drop me a note if you find the code useful or if you have some improvements you would like to share.
    Please keep me updated on what you do further. I'm learning more about this topic.
    Good luck,

    agcuong

  4. Vanishree said

    Hi,

    I am writing to you about my deployment/design issue. Please suggest how I will be able to overcome the same.

    The set up or the high level architecture is as follows

    Websphere Portal Extend Suite is being used.

    1. IBM HTTP Server
    2. WPS 6.1 /WAS 6.1
    3. WPS 5.0 /WAS 5.0
    4. Tomcat 5.0
    5. LDAP server
    6. ADS for authentication and authorization for WAS

    We have a IBM HTTP Server, which accepts requests from a user.
    It is then redirected through iframes to WPS for authentication, done through ADS and LDAP.

    Some applications are deployed in WAS 6.1.
    There is an application BOSS 2 which was developed long back and it is simple jsp/java pages.
    This was to be deployed to WAS as portlet and since they were not aware of
    interportlet communication and use of session variables between these two applications.

    They deployed it in Tomcat as simple jsp portlets. This application is called Boss2

    Now the menus and sub menus for this application are loaded from WAS.

    The issue is that if I know the URL for the pages, this application can be accessed by anyone, because it is assumed authentication is done, and if I know the username and the values to pass I can access any page.

    Problems

    1. Sharing of session variables between portlets – how to do this?
    2. How to prevent session variables being hijacked during penetration testing? Securing the Session variables
    3. How to do authentication for Tomcat server?
    4. How to do authorization for Boss2 application in Tomcat server so that only those menus/ submenus get loaded based on the user logged in and also based on the role available?

    So now we need to do the same authentication and authorization for this Boss2 application as done for WAS.

    Regards,
    Vani

  5. denis said

    Hi,

    Thanks for your really interesting article.

    With this class I can decode the LTPA cookie. However, what can we find inside it? The idea is to use WebSphere Portal with deployed portlets + LTPA (or other) as SSO + JBoss with a deployed application which the portlets call.

    However, I cannot figure out how to integrate this LTPA stuff with an existing application based on JAAS. Have you got any idea on that?

    Regards,
    Denis.

  6. Vivek Agarwal said

    Once you decode a LTPA token, you get the username and the expiration time for the token. For example –

    Token is for: u:user\:wpsldap\:389/uid=vagarwal,cn=people,dc=organizationName,dc=com
    Token expires at: 2008-08-21-18:26:19 CDT

    Full token string : u:user\:wpsldap\:389/uid=vagarwal,cn=people,dc=organizationName,dc=com%1219361179281%dI8CxUr7Xc4O2bPp57g0KMbRgQQs00IcJf+EoQUcaZuz8i7SOp08Uq4tikwcJ5xIgwhSeWLFIuW9VAjZe2Ux5FIU+znrQxkXZKrD3IdwLyMcJ/K1chog7YqqExQm4M0n3j6p+SYysBIKCmx545p4Q5TLI+VMbBXtvFLnO+DY2qg=

    So, once you get the username/expiration time, you can use that on the JBoss end to verify user identity/authentication.

    Hope this helps!

    • Michael henderson said

      Hello Vivek, we would like to explore using the code samples. We are running WebSphere Portal v7 on Linux using the LTPA2 token. Our need is to pass the token to a Tomcat server for SSO into another Java web application. I have reviewed the code and would like to know if there are steps to using it, i.e. where to run it from, target or source? How to call it?

      Thanks

  7. Erik said

    Did you have any issues compiling/running Cosmin’s code? I keep running into a crypto exception…

  8. angapi said

    Thanks for this post.
    It helped me to quickly integrate some .NET apps in my WPS Portal 6.

    angapi

  9. Bhavani said

    Vani

    Is it possible to do the reverse of what you explain here? I want to authenticate against a different system, create an LTPA token and post it to WebSphere for validation and login without authenticating.

    thanks
    Bhavani

  10. Andrea said

    Hi,
    I need to generate the LTPA cookie for the same reasons. Does someone know the format and how to create an LtpaToken2?
    thanks
    Andrea

  11. sunny ajmera said

    Hi, I am executing the same code(LDAPUtils.java & Base64.java) but facing this issue:

    Caught inner : javax.crypto.BadPaddingException: Given final block not properly padded

    Please help.

    Content of my LTPA Key file

    #IBM WebSphere Application Server key file
    #Mon Jul 26 12:55:20 IST 2010
    com.ibm.websphere.CreationDate=Mon Jul 26 12\:55\:20 IST 2010
    com.ibm.websphere.ltpa.version=1.0
    com.ibm.websphere.ltpa.3DESKey=rHRMticTSMT5KAxRJJIdosKpE3A0hjZU5nfxsyUtq8s\=
    com.ibm.websphere.CreationHost=test.cmm.icms.in
    com.ibm.websphere.ltpa.PrivateKey=DX7erzIicpZwxuUtaqOXniGTJtrnbjGqFqUc594mdmwii9m1kncEQ4QbwZel23XHr9CLFbzTDkMWLxeGbPtFB5zpHUCV2xNfEbnEZqo/tnq8pnP7ywTqVXSmJf2/2RR/IE48oLqBDqC5gLwtsAZ3p7KHv4Dd6I8ULJdQ+LOxlUSuxd8blfIsPIB2NlNbT3KWD5Qh2liUHoNUf5vW8AXNzxcND3edFwn/aJNyxQuDwXgmvNe+PZBtf4dLGgxl+DB4W60kTtbev2rQ1hH44K8879PKLJd+I63IyrmbuMu4ev9813pP06BavR9C4fjMikfat+gsx36HUpVKG8yLJ3SxSO98AzpxWjuFi7Riu3boGik\=
    com.ibm.websphere.ltpa.Realm=dc\=railways,dc\=in
    com.ibm.websphere.ltpa.PublicKey=AM1wRhHo0yT+mRbgO2QCfxEXoOZRKRgaW6cmYYLWe4wzdjTXNUMQlSriFGWT36CWlOjQCeskA+htaKMyRCpDqet5J1QPAQe1FPyM4vX+4Dq8COpD667hZTmqFtZUZDVuFGdYdIzo3uZE/EMWH12otB/kW4j4ocgjZp8eiRkFjChrAQAB

    • morbac said

      Hi,

      First of all, don't use "LDAPUtils.java" but "LTPAUtils.java" (I guess you just typed the wrong file name).

      Now, I also got this issue. I'm actually using WebSphere 7, which generates LtpaToken2 tokens. If it's the same for you, try this:

      – Check that the property com.ibm.ws.security.ssoInteropModeEnabled is enabled (true). This property determines whether to send LtpaToken2 and LtpaToken cookies in the response to a Web request (interoperable). When this property value is false, the application server just sends the new LtpaToken2 cookie which is stronger, but not interoperable with some other products and Application Server releases prior to Version 5.1.1. In most cases, the old LtpaToken cookie is not needed and you can set this property to false.

      – Restart WAS7

      – Regenerate an export file with keys (same as you already did)

      – Get the LtpaToken value from your browser once logged in a WebSphere Server hosted Application

      – Try LTPAUtils.java again with new keys.

      For me it worked; hope it will work for you too.

  12. Daniel said

    You may want to update the link in your blog post as it did not work for me. I found the article here instead: http://offbytwo.com/2007/08/21/working-with-ltpa.html

  13. KTR said

    Hi Vivek,

    Nice post. With this code we are able to decode the LTPA cookie, but when we tried it with an LTPA 2 cookie we got the same padding exception. When I went through the document, it uses AES and the password needs to be 'ed. Is there any clue on this?
    2. Can we add SAML assertion attributes to this LTPA cookie?

    Thanks,
    KTr

    • John said

      Take the backslash out of the 3DESKey… it is stuck in there for compatibility with some older systems.

  14. Ivan Brencsics said

    Hello Vivek,

    First of all thanks for the great post.

    However, I have trouble with WebSphere 7 / LTPA 2.
    – If I export the LTPA key from WebSphere 7 I receive a 3DES key, but in principle LTPA2 is based on AES.
    – I receive "javax.crypto.BadPaddingException: Given final block not properly padded" when trying to decode an LTPA2 token with your code (I replaced "\=" with "=").

    Could you please give me a hint on which way to start investigating? Is AES the main problem? And in that case, why is WebSphere exporting a 3DES key instead of AES?

    Thanks a lot in advance,
    Ivan

  15. Jörg Asmussen said

    Has anyone tried this with a Domino-originated LtpaToken (and not WebSphere) ?
