WebSphere Application Server supports Web Services Secure Conversation
(WS-SecureConversation) client caching for the security context token in both
cluster and non-cluster environments.
About this task
For both distributed and local clients, the secure conversation
client cache stores tokens on the client. WebSphere Application Server supports
the security context token for the secure conversation client and trust service
component only.
WebSphere Application Server supports caching for the
security context token in both cluster and non-cluster environments. In a
cluster environment, you can configure the security context token cache for
the secure conversation client to be distributed. If the security context
token cache is distributed, then all servers in the cluster share information
about issued tokens.
Procedure
- To configure the secure conversation client cache, click Services
> Secure conversation client cache.
- In the Time token is in cache after timeout field, change the time
in minutes. The default value is 120 minutes. The minimum allowable
time is 10 minutes; you cannot enter a smaller value. This field
specifies the number of minutes that the token remains in the cache
after the token expires (the cache persist period).
- In the Renewal interval before token timeout field, change the time
in minutes. The default value and the minimum allowable time are both
10 minutes; you cannot enter a smaller value. This field specifies the
period before the token expires during which the client attempts to
renew the token. If the token is accessed within this window, just
before it expires, the client attempts to renew the token so that a
downstream call can complete.
It is important that this setting be longer than the longest possible
transaction. The value must include the time it takes to transport to
and from the server, the time that the server needs to process the
request, and the time spent cached by reliable messaging, if
appropriate. Setting this value too short might result in the token
expiring in the middle of a transaction and might prevent the
transaction from completing.
If the security context token is renewed too often, Web Services
Secure Conversation (WS-SecureConversation) might fail, or an
out-of-memory error might occur. It is recommended that you set the
Renewal interval before token timeout value for the secure
conversation client cache to a value that is less than the token
timeout value for the security context token. It is also suggested
that the token timeout value be at least two times the Renewal
interval before token timeout value.
- Select the Distribute cache among clustered server check
box, if you want to share the tokens across the cluster.
- To create a new custom property, click New. For
example, you might add the cancelActionRST custom property with a value of http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel.
- To edit an existing custom property, select the check box for
the name of the existing custom property, and then click Edit.
For example, you might change the name or the value of the cancelActionRST
custom property.
- Click Apply to save and apply the changes.
Results
You have provided the basic information to configure the secure conversation
client cache settings. Use either the administrative console or the wsadmin
tool to modify the secure conversation client cache configuration.
What to do next
You can also add or delete custom properties for the trust service
using the wsadmin tool. The wsadmin tool examples are written in the Jython
scripting language.
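
The timing rules from the procedure can be checked before the values are entered. The following is an added example, not IBM code and not a wsadmin command: the function names, finding codes, and sample values are hypothetical, and the token timeout is assumed to be known from the security context token configuration.

```python
# Added example; function and constant names are hypothetical. All values are minutes.
MIN_CACHE_AFTER_TIMEOUT = 10  # console minimum, "Time token is in cache after timeout"
MIN_RENEWAL_INTERVAL = 10     # console minimum, "Renewal interval before token timeout"


def longest_transaction(transport_round_trip, server_processing, reliable_messaging=0):
    """Worst case the renewal interval must exceed: transport to and from the
    server, server processing, and time cached by reliable messaging."""
    return transport_round_trip + server_processing + reliable_messaging


def check_cache_settings(cache_after_timeout, renewal_interval, token_timeout, longest_txn):
    """Return (severity, code, message) findings; an empty list means the plan passes."""
    findings = []
    if cache_after_timeout < MIN_CACHE_AFTER_TIMEOUT:
        findings.append(("error", "CACHE_BELOW_MIN",
                         "cache-after-timeout %d is below the %d minute minimum"
                         % (cache_after_timeout, MIN_CACHE_AFTER_TIMEOUT)))
    if renewal_interval < MIN_RENEWAL_INTERVAL:
        findings.append(("error", "RENEWAL_BELOW_MIN",
                         "renewal interval %d is below the %d minute minimum"
                         % (renewal_interval, MIN_RENEWAL_INTERVAL)))
    if renewal_interval <= longest_txn:
        # The token could expire in the middle of a transaction.
        findings.append(("warning", "RENEWAL_NOT_ABOVE_TXN",
                         "renewal interval %d does not exceed longest transaction %d"
                         % (renewal_interval, longest_txn)))
    if renewal_interval >= token_timeout:
        findings.append(("warning", "RENEWAL_NOT_BELOW_TIMEOUT",
                         "renewal interval %d is not less than token timeout %d"
                         % (renewal_interval, token_timeout)))
    elif token_timeout < 2 * renewal_interval:
        findings.append(("warning", "TIMEOUT_UNDER_2X_RENEWAL",
                         "token timeout %d is less than twice renewal interval %d"
                         % (token_timeout, renewal_interval)))
    return findings


if __name__ == "__main__":
    # Constructed plan: console defaults (120, 10) with an assumed 30 minute token timeout.
    txn = longest_transaction(transport_round_trip=1, server_processing=3, reliable_messaging=2)
    results = check_cache_settings(120, 10, 30, txn) or [("ok", "PASS", "no findings")]
    for finding in results:
        print("%-7s %-26s %s" % finding)
```

Findings marked error correspond to values the console does not accept; findings marked warning correspond to the recommendations in the renewal interval step.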