The ESM Module can be configured in MFDS; see MLDAP ESM Module configuration for more information. Values in the optional [Passtoken] section of the "Custom Configuration" area control some options for passtoken processing.
In that section, there are two settings you can use to change the secret key for the MAC verifier used in the passtokens the MLDAP ESM Module generates. You can set the key directly in the MFDS configuration with the Secret keyword, or point the ESM Module to a file containing the secret key with the SecretFile keyword.
Note that passtokens generated by the MLDAP ESM Module in one security domain will only be verifiable by another instance of the module in another domain if both are configured with the same secret key.
You can also use the Duration keyword in that section to control how long passtokens remain valid after they are generated. (The default is one minute.) This should be long enough for the sending component to get the token to the receiving component, taking network delays into account, and for the receiving component to perform its Verify request; but making it too long gives an attacker more time to capture and replay a token, especially if it is being sent over an unsecured channel.
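The following is an added illustration, not code from the product or its documentation: a small model of a MAC-protected, time-limited token that shows why both domains need the same secret key and how the duration bounds the replay window. The token layout, the function names and the assumption that the verifier enforces the duration in seconds are hypothetical; the real passtoken format is not described on this page.

```python
import hashlib
import hmac
import struct

# Illustrative model only; NOT the MLDAP ESM Module's real passtoken layout.
DEFAULT_DURATION = 60  # seconds (the page gives the default as one minute)
TAG_LEN = hashlib.sha256().digest_size


def make_passtoken(secret: bytes, user: str, issued: int) -> bytes:
    """Hypothetical token: 8-byte issue time || user name || HMAC-SHA256 tag."""
    body = struct.pack(">Q", issued) + user.encode("utf-8")
    return body + hmac.new(secret, body, hashlib.sha256).digest()


def verify_passtoken(secret: bytes, token: bytes, now: int,
                     duration: int = DEFAULT_DURATION) -> str:
    """Return "ok", "bad-mac" or "expired" for a token checked at time `now`."""
    if len(token) < 8 + TAG_LEN:
        return "bad-mac"
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return "bad-mac"
    issued = struct.unpack(">Q", body[:8])[0]
    if not 0 <= now - issued <= duration:
        return "expired"
    return "ok"


def demo() -> dict:
    """Check one token under the conditions the text describes."""
    secret_a = b"constructed-shared-secret"  # domain A (constructed value)
    secret_b = b"constructed-other-secret"   # a domain configured differently
    t0 = 1_700_000_000                        # constructed issue time
    token = make_passtoken(secret_a, "user1", t0)
    tampered = token[:8] + b"admin" + token[13:]  # user name altered in transit
    return {
        "same_secret": verify_passtoken(secret_a, token, t0 + 5),
        "different_secret": verify_passtoken(secret_b, token, t0 + 5),
        "tampered": verify_passtoken(secret_a, tampered, t0 + 5),
        "replay_90s_default": verify_passtoken(secret_a, token, t0 + 90),
        "replay_90s_duration_300": verify_passtoken(secret_a, token, t0 + 90, 300),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last two cases show the trade-off: the MAC proves the token is unmodified, but only the duration check stops an unmodified, captured token from being accepted later.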
See MLDAP ESM Module Custom Configuration Information for more information.