LTPA Token for ST12 with docker

Hi Community members

We generated ltpa.keys with this method: https://help.hcltechsw.com/sametime/12/admin/ltpa_generate_key.html (on Docker)

When trying to use Domino SSO there is an error:

90 --- 140379590440768 : verify: exception caught: exception = invalid token supplied

LoginFailed userName=CN=Firstname Lastname/OU=users/O=CORPORATION/C=FR organization= IP=172.19.93.250 app=(0x12a5)(4773) reason=(0x80000211)

I first thought the password was incorrectly set in .env, but looking at ltpa.keys, I do think there is an error on CreationHost: I do think it should be host.corp.com, but it is localhost.

#Thu Sep 29 13:15:14 GMT 2022
com.ibm.websphere.CreationDate=Thu Sep 29 13\:15\:14 GMT 2022
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=2AgW6gnS5jIbmSjwx8VaKydyAYhDjQPQ3/cGjIn+mR4\=
com.ibm.websphere.CreationHost=localhost
com.ibm.websphere.ltpa.PrivateKey=sVmoyiL3QRwRPD/sp7/VVv4Mz9CgoGwKRjmecFo4U9/nSEI6ntbZ/5A2pW1g2qKefFmYgZJXYUimUIBNGo1MTAg6C4ifrkQVFPFVvlnRmarWsWUtxA2ZpuhLQLLGbBpSLa5WuAfta1x9WsI9jZh6QB/1ya4qL5A5RU6HrEpTV0NQUoNH/YfsYsd+NQsbxe28vrzitQ/GCSkhXZNVf3IVxhs1jIFFshdx6UfYIlu7Jj4Na9yH2h6gTFYzZ5Xu+B1Nh1/EQdCUsyLbbSBlmxbntChQbLmDlOeHDhsYvEU2ljnUX53TL6e5Q3yOoNPakKzOhmitYUFLiZsSdQ4ozB6nnooHUTzAeJwqYiYEYIMVN2k\=
com.ibm.websphere.ltpa.Realm=defaultRealm
com.ibm.websphere.ltpa.PublicKey=ANN7EIv9YOjlir7cnNVVDWzxQR1unLmRmWW4h2NJKlZmJtjE7s7e3SDWufkVS/xGeDuzNs62RxXR0GWLP46ThoQye8iL6pjM0rwQ4n53LZah602WEQlrU3TKIYUVSbylftZAVTRnHtCIiNQobefVd4/JqaH2CTTNCT68Am1w1ej1AQAB

Can the problem arise due to that (the Domino SSO doc is .corp.com), and so where the hell did Liberty set localhost instead of sametime.corp.com?

Any clue?
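As an added illustration (not from the post above and not HCL code), the small Python checker below parses the ltpa.keys shown in the post, which is a Java .properties file (hence the escaped `\:` and `\=`), and reports the things worth comparing against the Domino SSO configuration document before opening a support case: CreationHost, Realm, and whether the three key fields are intact base64. It also reads the RSA parameters out of PublicKey, which in the posted value decodes to 132 bytes, a 129-byte modulus (leading sign byte) followed by the 3-byte exponent 0x010001. The expected host `sametime.corp.com` and realm `defaultRealm` are taken from the post; `parse_properties`, `field_bytes`, `public_key_params` and `check_ltpa_keys` are this example's own names. Everything in the file is still encrypted under the LTPA password, so the script only exposes metadata.

```python
import base64

# The ltpa.keys posted in the thread, copied verbatim. Every secret in it is
# encrypted under LTPA_KEYS_PASSWORD, so parsing it reveals only metadata.
SAMPLE_LTPA_KEYS = r"""
#Thu Sep 29 13:15:14 GMT 2022
com.ibm.websphere.CreationDate=Thu Sep 29 13\:15\:14 GMT 2022
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=2AgW6gnS5jIbmSjwx8VaKydyAYhDjQPQ3/cGjIn+mR4\=
com.ibm.websphere.CreationHost=localhost
com.ibm.websphere.ltpa.PrivateKey=sVmoyiL3QRwRPD/sp7/VVv4Mz9CgoGwKRjmecFo4U9/nSEI6ntbZ/5A2pW1g2qKefFmYgZJXYUimUIBNGo1MTAg6C4ifrkQVFPFVvlnRmarWsWUtxA2ZpuhLQLLGbBpSLa5WuAfta1x9WsI9jZh6QB/1ya4qL5A5RU6HrEpTV0NQUoNH/YfsYsd+NQsbxe28vrzitQ/GCSkhXZNVf3IVxhs1jIFFshdx6UfYIlu7Jj4Na9yH2h6gTFYzZ5Xu+B1Nh1/EQdCUsyLbbSBlmxbntChQbLmDlOeHDhsYvEU2ljnUX53TL6e5Q3yOoNPakKzOhmitYUFLiZsSdQ4ozB6nnooHUTzAeJwqYiYEYIMVN2k\=
com.ibm.websphere.ltpa.Realm=defaultRealm
com.ibm.websphere.ltpa.PublicKey=ANN7EIv9YOjlir7cnNVVDWzxQR1unLmRmWW4h2NJKlZmJtjE7s7e3SDWufkVS/xGeDuzNs62RxXR0GWLP46ThoQye8iL6pjM0rwQ4n53LZah602WEQlrU3TKIYUVSbylftZAVTRnHtCIiNQobefVd4/JqaH2CTTNCT68Am1w1ej1AQAB
""".strip()


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comment lines, backslash
    escapes, and the first unescaped '=' or ':' separating key from value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value, in_key, i = [], [], True, 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):      # escaped char, e.g. \: or \=
                (key if in_key else value).append(line[i + 1])
                i += 2
                continue
            if in_key and ch in "=:":
                in_key = False                         # separator: switch to value
            else:
                (key if in_key else value).append(ch)
            i += 1
        props["".join(key).strip()] = "".join(value).strip()
    return props


def field_bytes(props: dict, name: str) -> bytes:
    """Strictly base64-decode one field; ValueError on a corrupted value."""
    return base64.b64decode(props[name], validate=True)


def public_key_params(props: dict) -> tuple:
    """(modulus bits, exponent) from PublicKey: big-endian modulus followed by
    a 3-byte exponent, as seen in the posted value (132 bytes, ends 0x010001)."""
    raw = field_bytes(props, "com.ibm.websphere.ltpa.PublicKey")
    modulus = int.from_bytes(raw[:-3], "big")
    exponent = int.from_bytes(raw[-3:], "big")
    return modulus.bit_length(), exponent


def check_ltpa_keys(props: dict, expected_host: str, expected_realm: str) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    host = props.get("com.ibm.websphere.CreationHost")
    if host != expected_host:
        findings.append(f"CreationHost is {host!r}, expected {expected_host!r}")
    realm = props.get("com.ibm.websphere.ltpa.Realm")
    if realm != expected_realm:
        findings.append(f"Realm is {realm!r}, expected {expected_realm!r} "
                        "(must match the realm in the Domino SSO document)")
    for name in ("com.ibm.websphere.ltpa.3DESKey",
                 "com.ibm.websphere.ltpa.PrivateKey",
                 "com.ibm.websphere.ltpa.PublicKey"):
        try:
            field_bytes(props, name)
        except KeyError:
            findings.append(f"{name} is missing")
        except ValueError:
            findings.append(f"{name} is not valid base64")
    if "com.ibm.websphere.ltpa.PublicKey" in props:
        bits, exp = public_key_params(props)
        if exp != 65537 or bits < 1024:
            findings.append(f"unexpected RSA public key: {bits}-bit modulus, exponent {exp}")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_LTPA_KEYS)
    print("RSA public key:", public_key_params(props))
    for finding in check_ltpa_keys(props, "sametime.corp.com", "defaultRealm"):
        print("!!", finding)
```

Run against the posted file with the host from the post, the only finding is the CreationHost mismatch the poster spotted; the realm and all three key encodings are intact. Point `parse_properties` at a real `ltpa.keys` read from disk to run the same checks on your own file.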

@Jerome Deniau

This would be best handled via a support case

Please open a support case so that we can assist you

Done

@Jerome Deniau

Please remember to post the results here (if the problem is not too specific to your environment) to help others.

Thank you!

Sure !

@Thomas Bahn

Thomas, got a patch for LTPADomain= to be added in .env. We are still on the case with HCL, because the token is not understood on the Sametime side. I've checked Domino/.env/docker-compose.yml but still get the same error concerning the token on the Sametime side.

Thank you for the update.

@Thomas Bahn the user got rw------- on ltpa.keys; the solution is to stop Sametime, do a chmod 644 on the ltpa.keys file on the Linux box and then relaunch Sametime. Checking the auth container folder ltpa-config then displays correct file access for ltpa.keys.

They have another problem, but now the token can be read by the Sametime server.
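A caveat on the chmod 644 fix above, with an added check that is not part of the thread or of HCL's tooling: mode 644 makes ltpa.keys readable by every local account on the Docker host, and since LTPA_KEYS_PASSWORD sits in .env on the same host, anyone who can read both can recover the token-signing keys. The unreadable-file symptom only means the container's process does not run as the file's owner (or root). The Python below reproduces the POSIX mode-bit test that process fails, reports what a given uid/gid can see, and prints the least-privilege alternative: chown the file to the container user and leave it at 0400. The uid the meetings-auth container runs as is not stated in the thread, so `demo()` uses a placeholder (the current uid + 1); the check covers mode bits only, so SELinux labels (the `:Z` mount option), POSIX ACLs and rootless-podman uid remapping can still change the answer.

```python
import os
import stat
import tempfile


def can_read(mode: int, file_uid: int, file_gid: int, uid: int, gid: int) -> bool:
    """POSIX DAC read check in the order the kernel applies it: owner bits if
    the uid matches, else group bits, else 'other' bits. uid 0 is treated as
    all-powerful (CAP_DAC_READ_SEARCH). ACLs, SELinux labels and user-namespace
    remapping are deliberately out of scope."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == file_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_keys_file(path: str, container_uid: int, container_gid: int) -> dict:
    """Describe ltpa.keys from the container user's point of view and suggest
    the least-privilege fix when the file is unreadable or wider than needed."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    readable = can_read(mode, st.st_uid, st.st_gid, container_uid, container_gid)
    group_or_world = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    # Target end state: owned by the container user, owner-read only (0400).
    least_privilege = readable and st.st_uid == container_uid and not group_or_world
    advice = None
    if not least_privilege:
        advice = f"chown {container_uid}:{container_gid} {path} && chmod 0400 {path}"
    return {
        "mode": oct(mode),
        "owner": (st.st_uid, st.st_gid),
        "readable_by_container": readable,
        "world_readable": bool(mode & stat.S_IROTH),
        "least_privilege": least_privilege,
        "advice": advice,
    }


def demo() -> dict:
    """Reproduce the thread: a 0600 file owned by the admin, a container user
    with a different uid, then the chmod 644 workaround. The container uid is
    a placeholder (admin uid + 1); substitute the uid your auth container uses."""
    container_uid = os.getuid() + 1
    container_gid = os.getgid() + 1
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ltpa.keys")
        with open(path, "w", encoding="ascii") as fh:
            fh.write("com.ibm.websphere.ltpa.version=1.0\n")   # placeholder content
        os.chmod(path, 0o600)                                   # as found in the thread
        before = audit_keys_file(path, container_uid, container_gid)
        os.chmod(path, 0o644)                                   # the chmod 644 workaround
        after = audit_keys_file(path, container_uid, container_gid)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, report)
```

On a real host, call `audit_keys_file("/opt/hcl/sametime/ltpa.keys", uid, gid)` with the uid/gid reported by `id` inside the auth container (`docker compose exec auth id`); the "before" report shows the thread's failure, and the "after" report shows that 644 restores readability but is flagged as wider than least privilege, with the chown/chmod 0400 alternative in `advice`.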

@Jerome Deniau Thank you once more for the solution.

Hi, we recently faced a similar error message in one environment.

I believe you may have 2 LTPA tokens: 1. under the Internet Site view, 2. in the Web view, and Sametime gets the wrong one (outdated).

Verify the config and leave only one. Also pay attention that in LTPA you should have LTPA2 (two) support.

Hope this helps

hi Vlad,

What I always do:

1/ Create the SSO document for the organization, do my stuff (SSO name (LtpaToken), keys import, etc.)

2/ Copy/paste the document, remove the organization, check the doc is not duplicated (before)

That way I am sure there is no problem with outdated docs.

@Jerome Deniau

Could you please explain the LTPADomain= patch you got from support?

Is this setting within the .env/custom.env file?

I have the same problem.

There is a Sametime 11 server running with LTPA settings within the server document (website config).
SSO login from Notes clients is working.

I installed a new ST12 server (docker/podman) and I need to enable Sametime SSO.
Because I could not use the existing ST11 server, I used a different server (same Domino address book) and added the LTPA configuration to "Internet Sites".
I can't get SSO with ST12 working.

If I open a browser window to the Domino web server (that hosts my ST12 LTPA key) and then switch to the Sametime web chat, SSO (with LTPA) within the browser is working.

In the past there was a parameter to tell Sametime to use the Internet Site LtpaToken via sametime.ini:
ST_TOKEN_TYPE=LtpaToken
ST_ORG_NAME=Org

I tried this via custom.env and the parameter is set within sametime.ini, but ST12 SSO is still not working:
STI__AuthToken__ST_TOKEN_TYPE=LtpaToken
STI__AuthToken__ST_ORG_NAME=MyOrg

I also tried to use the LTPA configuration with the website and a different LTPA name (e.g. LtpaTokenST12), but ST12 SSO is not working; it is also not working if I tell ST12 to use the new token name:
STI__AuthToken__ST_TOKEN_TYPE=LtpaTokenST12

Sure

In the .env file (at the end) (ltpa.keys is mandatory):

ENABLE_LTPA=true
LTPA_KEYS_FILE_PATH=/opt/hcl/sametime/ltpa.keys
LTPA_KEYS=/ltpa-config/ltpa.keys
LTPA_KEYS_PASSWORD=***my pwd***
REACT_APP_BLUR_VIDEO_ENABLED=true
LTPA_REALM=defaultWIMFileBasedRealm => My Realm (Websphere Ltpatoken realm in Domino)

In custom.env:

# Auth Token setting
STI__ST_BB_NAMES__ST_AUTH_TOKEN=Fork:Jwt,Ltpa

In docker-compose.yml, verify:

auth:
  image: hclcr.io/st/meetings-auth.node:${BUILD_LEVEL}
  restart: ${RESTART_POLICY}
  env_file: custom.env
  volumes:
    - ${LTPA_KEYS_FILE_PATH}:/ltpa-config/ltpa.keys:Z