Operating Systems: i5/OS
Configure a nonce on the server or cell level
You can configure nonce for the server or cell by using the WebSphere Application Server administrative console.
Overview
Nonce is a randomly generated, cryptographic token that is used to prevent replay attacks of user name tokens that are used with SOAP messages. Typically, nonce is used with the user name token.

You can configure nonce at the application level, the server level, and the cell level. However, consider the order of precedence. The following list shows the order of precedence:
- Application level
  The application-level settings for the nonce maximum age and nonce clock skew fields are specified through the additional properties.
- Server level
- Cell level

If you configure nonce on the application level and the server level, the values that are specified for the application level take precedence over the values that are specified for the server level. Likewise, if you configure nonce on all three levels, the application-level values take precedence over both the server-level and the cell-level values. In the WebSphere Application Server Network Deployment environment, the Nonce cache timeout, Nonce maximum age, and Nonce clock skew fields are required to use nonce effectively. However, these fields are optional on the server level.

You can configure a nonce on the server level and the cell level. In the following steps, use the first step to access the server-level default bindings and use the second step to access the cell-level bindings. Complete the following steps to configure a nonce on the server or cell level:
Procedure
- Access the default bindings for the server level.
  - Click Servers > Application servers > server_name.
  - Under Security, click Web services: Default bindings for Web services security.
- Click Security > Web services to access the default bindings on the cell level.
- Specify a value, in seconds, for the Nonce cache timeout field. The value that is specified for the Nonce cache timeout field indicates how long the nonce remains cached before it is discarded. You must specify a minimum of 300 seconds. However, if you do not specify a value, the default is 600 seconds. This field is optional on the server level, but required on the cell level.
- Specify a value, in seconds, for the Nonce maximum age field. The value that is specified for the Nonce maximum age field indicates how long the nonce is valid. You must specify a minimum of 300 seconds, but the value cannot exceed the number of seconds that is specified for the Nonce cache timeout field. If you do not specify a value, the default is 300 seconds. In a Network Deployment environment, this field is optional on the server level, but it is required on the cell level.
- Specify a value, in seconds, for the Nonce clock skew field. The value that is specified for the Nonce clock skew field specifies the amount of time, in seconds, to consider when the message receiver checks the freshness of the value. Consider the following information when you set this value:
  - Difference in time between the message sender and the message receiver, if the clocks are not synchronized.
  - Time that is needed to encrypt and transmit the message.
  - Time that is needed to get through network congestion.
  At a minimum, specify 0 seconds in this field. However, the maximum value cannot exceed the number of seconds indicated in the Nonce maximum age field. If you do not specify a value, the default is 0 seconds. This field is optional on the server level, but required on the cell level.
- Select the Distribute nonce caching option. This option enables you to distribute the caching for a nonce using a Data Replication Service (DRS). In previous releases of WebSphere Application Server, the nonce was cached locally. By selecting this option, the nonce is propagated to other servers in your environment. However, the nonce might be subject to a one-second delay in propagation and subject to any network congestion.
- Enable the dynamic cache service for each one of the application servers in your cluster. To access the dynamic cache service through the administrative console, complete the following steps:
  - Click Servers > Application servers > server_name.
  - Under Container settings, click Container services > Dynamic cache service.
  - Confirm that the Enable service at server startup option is selected.
- Specify the number of replication domains. To specify the number of replicas, click Environment > Replication domains. In a Network Deployment environment, the Entire domain option for the number of replicas is recommended.
- Restart the server. If you change the nonce cache timeout value and do not restart the server, the change is not recognized by the server.
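To make the relationship between the three fields concrete, the following is an added Python model of the receiver-side check (example code written for this page, not WebSphere's implementation): it enforces the range rules from the steps above and then applies them to a user name token's nonce and creation time. The names `NonceConfig` and `NonceCache`, and the assumption that freshness is judged by comparing the token's Created timestamp with the receiver's clock, are mine.

```python
from dataclasses import dataclass


@dataclass
class NonceConfig:
    """The three fields from the procedure above, with their documented defaults."""
    cache_timeout: int = 600  # seconds a nonce stays in the receiver's cache
    max_age: int = 300        # seconds a token is considered valid after creation
    clock_skew: int = 0       # tolerated clock difference between sender and receiver

    def validate(self) -> None:
        # Range rules stated in the procedure: minimums, and each field bounded by the next.
        if self.cache_timeout < 300:
            raise ValueError("Nonce cache timeout must be at least 300 seconds")
        if not 300 <= self.max_age <= self.cache_timeout:
            raise ValueError("Nonce maximum age must be between 300 seconds and the cache timeout")
        if not 0 <= self.clock_skew <= self.max_age:
            raise ValueError("Nonce clock skew must be between 0 seconds and the maximum age")


class NonceCache:
    """Receiver-side check: reject stale tokens and any nonce already seen in the cache window."""

    def __init__(self, config: NonceConfig) -> None:
        config.validate()
        self.config = config
        self._seen: dict[str, int] = {}  # nonce -> receiver time at which it was first accepted

    def _expire(self, now: int) -> None:
        # Forget nonces older than the cache timeout. The page requires max_age <= cache_timeout,
        # so (clock skew aside) a nonce is remembered at least as long as its token is fresh.
        ttl = self.config.cache_timeout
        self._seen = {n: t for n, t in self._seen.items() if now - t <= ttl}

    def accept(self, nonce: str, created: int, now: int) -> bool:
        """Return True and remember the nonce if the token is fresh and unseen, else False.
        created: the token's Created timestamp (sender clock, epoch seconds); now: receiver clock.
        """
        self._expire(now)
        age = now - created
        if age > self.config.max_age + self.config.clock_skew:
            return False  # older than the maximum age, even allowing for skew
        if age < -self.config.clock_skew:
            return False  # created "in the future" by more than the tolerated skew
        if nonce in self._seen:
            return False  # replay: the same nonce within the cache timeout window
        self._seen[nonce] = now
        return True
```

A token whose nonce was evicted after the cache timeout would be accepted again, which is why the maximum age may not exceed the cache timeout: by then the token itself is no longer fresh.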
Related tasks
Configuring Web services security using JAX-RPC at the platform level