You can configure the
Web Services Security runtime to
use the security distributed cache to store security tokens.
About this task
Web Services Security functions such
as secure conversation,
trust, and nonce store security tokens in the distributed cache
when distributed caching is enabled. If the distributed cache option
is not selected, each server stores its tokens in a local cache. WebSphere® Application Server Version supports
distributed caching for the tokens in both cluster and non-cluster
environments. In a cluster environment, you can configure the security
cache to be distributed so that all servers
in the cluster share information about issued tokens.
Procedure
- To configure the secure conversation client cache,
click .
- Change the
time in minutes in the Time token
is in cache after timeout field. The default
value is 120 minutes and the minimum allowable value is 10 minutes;
the console rejects a smaller value. This field
specifies the number of minutes that a token remains in the cache after
its expiration time passes (the cache persist period).
- Change the time in minutes in the Renewal interval
before token timeout field. The default value
and the minimum allowable value are both 10 minutes; the console rejects
a smaller value. This field specifies the window
before the token expires during which the client renews it: if the token
is accessed inside this window, the client attempts to renew it so that a
downstream call can complete with a valid token.
It is important that this setting
be set to a length of time that is longer than the longest possible
transaction. This value must include the time it takes to transport
to and from the server, the time that is needed by the server to process
the request, and the time that is cached by reliable messaging, if
appropriate. Setting this value to a length of time that is too small
might result in the token expiring in the middle of a transaction
and might prevent the transaction from completing.
If the Security
Context Token is renewed too often, it might cause Web Services Secure
Conversation (WS-SecureConversation) to fail or even cause an out-of-memory
error to occur. You must set the Renewal interval before
token timeout value for the secure conversation client cache to
a value less than the token timeout value of the Security Context
Token. It is also recommended that the token timeout value be at least
two times the renewal interval value.
- Select the Enable distributed caching check
box if you want to share the tokens across the cluster. When
the check box is selected, choose one
of the following methods for updating the caches on cluster members.
- Synchronous update of cluster members: performs synchronous
update of cache objects on cluster members (default).
- Asynchronous
update of cluster members: performs a non-synchronous
update of the cache on cluster members. This setting allows interoperability
with cluster members that use the older style of updating as implemented
in versions of WebSphere Application Server prior to version
7.0.
- Token recovery support: assigns a shared data
source as the
distributed cache.
If token recovery
support is selected as the update method,
then you must select a cell-level data source from the drop-down
list. Token state data is saved in the database defined by the data
source, so restrict access to that database as you would to the tokens
themselves. If there are no available data sources in the list, click
Manage data sources to add one or more new data source objects.
The data source object supplies an application with connections for
accessing the database.
- To create
a new custom property, click New. For
example, you might add the cancelActionRST custom
property with a value of http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel.
- To edit an existing custom property, select the
check
box for the name of the existing custom property, and then click Edit.
For example, you might change the name or the value of the cancelActionRST
custom property.
- Click Apply to
save and apply the
changes.
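As an added example that is not part of the WebSphere documentation, the following script checks a proposed set of client cache timings against the rules stated in the steps above (10-minute minimums, renewal interval longer than the longest transaction and shorter than the Security Context Token timeout, timeout at least twice the renewal interval) and renders the equivalent wsadmin Jython calls. The AdminTask command names and flags it uses (updateSCClientCacheConfiguration, addSCClientCacheCustomProperties and their parameters) are assumptions drawn from the WebSphere wsadmin command set; confirm them with AdminTask.help() on your release before running it. The 20-minute SCT timeout and 5-minute transaction time are constructed inputs.

```python
# Added example, not from the WebSphere documentation. The AdminTask command
# names and flags below are assumed; confirm with
# AdminTask.help('updateSCClientCacheConfiguration') on your release.
# Written in Python 2 style so it also runs under the wsadmin Jython shell.

MIN_MINUTES = 10  # the console rejects values below 10 minutes for both fields


def check_cache_settings(persist_minutes, renew_minutes, sct_timeout_minutes,
                         longest_transaction_minutes):
    """Check secure conversation client cache timings against the procedure.

    persist_minutes             -> "Time token is in cache after timeout"
    renew_minutes               -> "Renewal interval before token timeout"
    sct_timeout_minutes         -> Security Context Token timeout (set elsewhere)
    longest_transaction_minutes -> worst-case transport + server processing +
                                   reliable-messaging caching time
    Returns a list of (severity, message) tuples; empty means all rules hold.
    """
    findings = []
    if persist_minutes < MIN_MINUTES:
        findings.append(("error", "cache persist period %d min is below the %d min minimum"
                         % (persist_minutes, MIN_MINUTES)))
    if renew_minutes < MIN_MINUTES:
        findings.append(("error", "renewal interval %d min is below the %d min minimum"
                         % (renew_minutes, MIN_MINUTES)))
    # The renewal window must cover the longest possible transaction, or the
    # token can expire in the middle of a call.
    if renew_minutes <= longest_transaction_minutes:
        findings.append(("error", "renewal interval %d min does not exceed the longest transaction (%d min)"
                         % (renew_minutes, longest_transaction_minutes)))
    # Required: renewal interval < SCT timeout; otherwise the client renews on
    # every access, which can break WS-SecureConversation or exhaust memory.
    if renew_minutes >= sct_timeout_minutes:
        findings.append(("error", "renewal interval %d min must be less than the SCT timeout (%d min)"
                         % (renew_minutes, sct_timeout_minutes)))
    # Recommended: SCT timeout at least twice the renewal interval.
    elif sct_timeout_minutes < 2 * renew_minutes:
        findings.append(("warning", "SCT timeout %d min is less than twice the renewal interval (%d min)"
                         % (sct_timeout_minutes, renew_minutes)))
    return findings


def build_wsadmin_commands(persist_minutes, renew_minutes, distributed,
                           custom_properties):
    """Return (AdminTask command, argument string) pairs for these settings.
    custom_properties is a list of (name, value) pairs such as cancelActionRST."""
    distributed_flag = distributed and "true" or "false"
    commands = [("updateSCClientCacheConfiguration",
                 "[-distributedCache %s -minutesInCacheAfterTimeout %d -renewIntervalBeforeTimeout %d]"
                 % (distributed_flag, persist_minutes, renew_minutes))]
    for name, value in custom_properties:
        commands.append(("addSCClientCacheCustomProperties",
                         "[-propertyNames %s -propertyValues %s]" % (name, value)))
    return commands


def render_commands(commands):
    """Render the pairs as the lines you would type at the wsadmin prompt."""
    lines = ["AdminTask.%s('%s')" % (name, arg) for name, arg in commands]
    lines.append("AdminConfig.save()")
    return lines


def apply_or_print(commands):
    """Inside wsadmin the AdminTask/AdminConfig objects exist, so run the
    commands and save the configuration; anywhere else, print them for review."""
    try:
        admin_task, admin_config = AdminTask, AdminConfig
    except NameError:
        for line in render_commands(commands):
            print(line)
        return
    for name, arg in commands:
        getattr(admin_task, name)(arg)
    admin_config.save()


# Constructed input: the console defaults plus an assumed 20-minute SCT timeout
# and a worst-case 5-minute transaction, sharing tokens across the cluster.
SETTINGS = {"persist_minutes": 120, "renew_minutes": 10,
            "sct_timeout_minutes": 20, "longest_transaction_minutes": 5}
PROPERTIES = [("cancelActionRST",
               "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel")]

FINDINGS = check_cache_settings(**SETTINGS)
for severity, message in FINDINGS:
    print("%s: %s" % (severity, message))
if not [f for f in FINDINGS if f[0] == "error"]:
    apply_or_print(build_wsadmin_commands(SETTINGS["persist_minutes"],
                                          SETTINGS["renew_minutes"], True,
                                          PROPERTIES))
```

Run it with plain Python first to review the generated commands; under wsadmin (wsadmin.sh -lang jython -f script.py) the same script applies them and saves the configuration. A warning from check_cache_settings does not block the apply step; an error does.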
Results
You have provided the basic information
to configure the Web
Services Security distributed cache. Use either the administrative
console or the wsadmin tool to modify the security cache configuration.
What to do next
You can also add or delete custom properties for the trust
service using the wsadmin tool. The wsadmin tool examples are written
in the Jython scripting language.