A nonce is a randomly generated cryptographic token that is used to prevent the hijacking (replay) of Username tokens, which are used with SOAP messages. Use nonce in conjunction with the basic authentication (BasicAuth) method. You can configure nonce for the application level by using the WebSphere® Application Server administrative console.
About this task
Important: The information in this article applies only to Version 5.x applications that are used with WebSphere Application Server Version 6.0.x and later. It does not apply to Version 6.0.x and later applications.
You can configure nonce at the application level, the server level, and the cell level. However, you must consider the order of precedence:
- Application level
- Server level
- Cell level
If you configure nonce on both the application level and the server level, the values specified for the application level take precedence over the values specified for the server level. Likewise, the values specified for the server level take precedence over the values specified for the cell level, so a value set at the application level overrides both the server level and the cell level.
- Connect to the administrative console.
Type http://localhost:port_number/ibm/console in your web browser, substituting your own port number if you have changed it.
- Click .
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, click Web services: Server security bindings.
- Click Edit under Request receiver binding.
- Under Additional properties, click .
- Specify (optional) a value, in seconds, for the Nonce maximum age field. This field is optional and is valid only if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify a value for this field, the following error message is displayed and you must remove the value:
Nonce is not supported for authentication methods other than BasicAuth.
If you specify BasicAuth but do not specify a value for the Nonce maximum age field, the Web Services Security runtime searches for a nonce maximum age value on the server level. If no value is found on the server level, the runtime searches the cell level. If no value is found on either the server level or the cell level, the default is 300 seconds.
The value specified for the Nonce maximum age field indicates how long a nonce remains valid after it is created. You must specify a minimum of 300 seconds; however, the value cannot exceed the number of seconds specified for the Nonce cache timeout field on the server level, nor the number of seconds specified for the Nonce cache timeout field on the cell level. Otherwise a nonce could be evicted from the cache while its message is still within the maximum age, and a replay of that message would be accepted.
You can specify the nonce cache timeout value for the server level by completing the following steps:
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server Version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
You can specify the nonce cache timeout value for the cell level by clicking .
- Specify (optional) a value, in seconds, for the Nonce clock skew field. This value is the tolerance, in seconds, that the message receiver allows for a difference between its own clock and the sender's clock when it checks whether the nonce is still timely. This field is optional and is valid only if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify a value for this field, the following error message is displayed and you must remove the value:
Nonce is not supported for authentication methods other than BasicAuth.
If you specify BasicAuth but do not specify a value for the Nonce clock skew field, the Web Services Security runtime searches for a nonce clock skew value on the server level. If no value is found on the server level, the runtime searches the cell level. If no value is found on either the server level or the cell level, the default is 0 seconds.
Consider the following information when you set this value:
- The difference in time between the message sender and the message receiver if their clocks are not synchronized.
- The time needed to encrypt and transmit the message.
- The time needed to get through network congestion.
- Restart the server.
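The following Python model is added here as an illustration and is not WebSphere Application Server code. It shows how the three settings configured in the steps above interact on the request receiver: the nonce in a UsernameToken is first checked against the maximum age, widened by the clock skew, and then against a cache of nonces already seen, whose entries live for the cache timeout. The token, the class and function names (NonceReceiver, replay_scenario, skew_scenario), and the sample clocks are constructed for this example. It also shows why the console refuses a maximum age above the cache timeout: a nonce evicted from the cache while its message is still within the maximum age can be replayed.

```python
"""Receiver-side nonce check for a WS-Security UsernameToken.

Added illustration, not WebSphere Application Server code. It models the three
settings from this article (nonce maximum age, nonce clock skew, nonce cache
timeout) on a constructed token. All names below are assumptions of the example.
"""
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def build_username_token(username, password, nonce, created):
    """Constructed UsernameToken with a base64 nonce and a wsu:Created timestamp."""
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f"<wsse:Password>{password}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created.strftime('%Y-%m-%dT%H:%M:%SZ')}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def parse_username_token(token_xml):
    """Return (nonce bytes, Created as an aware UTC datetime) from the token."""
    root = ET.fromstring(token_xml)
    nonce_el = root.find(f"{{{WSSE}}}Nonce")
    created_el = root.find(f"{{{WSU}}}Created")
    if nonce_el is None or created_el is None:
        raise ValueError("UsernameToken lacks Nonce or Created")
    nonce = base64.b64decode(nonce_el.text)
    created = datetime.fromisoformat(created_el.text.replace("Z", "+00:00"))
    return nonce, created.astimezone(timezone.utc)


class NonceReceiver:
    """Request receiver holding the three nonce settings from the console panels."""

    def __init__(self, max_age_s=300, clock_skew_s=0, cache_timeout_s=600):
        self.max_age = timedelta(seconds=max_age_s)
        self.skew = timedelta(seconds=clock_skew_s)
        self.cache_timeout = timedelta(seconds=cache_timeout_s)
        self._seen = {}  # nonce -> time its cache entry expires (receiver clock)

    def check(self, token_xml, now):
        """Return 'accepted' or 'rejected: <reason>' for a token received at `now`."""
        nonce, created = parse_username_token(token_xml)
        # Evict cache entries that have lived longer than the cache timeout.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        # Timeliness: Created must lie within the maximum age, widened by the skew.
        if created < now - self.max_age - self.skew:
            return "rejected: stale"
        if created > now + self.skew:
            return "rejected: created in the future"
        # Replay: the same nonce presented again while it is still cached.
        if nonce in self._seen:
            return "rejected: replay"
        self._seen[nonce] = now + self.cache_timeout
        return "accepted"


def replay_scenario(max_age_s, cache_timeout_s, replay_delay_s, clock_skew_s=0):
    """Send one token, then replay the identical token replay_delay_s later."""
    receiver = NonceReceiver(max_age_s, clock_skew_s, cache_timeout_s)
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    token = build_username_token("alice", "secret", os.urandom(16), t0)
    first = receiver.check(token, t0)
    second = receiver.check(token, t0 + timedelta(seconds=replay_delay_s))
    return first, second


def skew_scenario(sender_ahead_s, clock_skew_s):
    """The sender's clock runs sender_ahead_s ahead of the receiver's clock."""
    receiver = NonceReceiver(max_age_s=300, clock_skew_s=clock_skew_s)
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    token = build_username_token("alice", "secret", os.urandom(16),
                                 now + timedelta(seconds=sender_ahead_s))
    return receiver.check(token, now)


if __name__ == "__main__":
    # Article defaults: maximum age 300 s, cache timeout not below the maximum age.
    print(replay_scenario(300, 600, 200))   # ('accepted', 'rejected: replay')
    print(replay_scenario(300, 600, 400))   # ('accepted', 'rejected: stale')
    # Maximum age above the cache timeout (which the console rejects): the nonce
    # is evicted while the message is still "fresh", so the replay is accepted.
    print(replay_scenario(900, 600, 700))   # ('accepted', 'accepted')
    print(skew_scenario(30, 0))             # rejected: created in the future
    print(skew_scenario(30, 60))            # accepted
```

The ordering inside check matters: the age test runs before the cache lookup, so a stale replay is reported as stale rather than as a replay, and the cache only needs to hold nonces for as long as the receiver would still accept them, which is exactly why the maximum age must not exceed the cache timeout.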