Use this page to specify the information for the token generator. The information is used at the generator side only to generate the security token.
Before specifying additional properties, specify a value in the Token generator name and the Token generator class name fields.
Specifies the name of the token generator configuration.
For example, the default X509 token generator names are either gen_enctgen for encrypting or gen_signtgen for signing. Or, a custom token generator name might be sig_tgen for signing.
Specifies the name of the token generator implementation class.
This class must implement the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent interface.
Specifies the certificate revocation list (CRL) that is used for generating a security token wrapped in a PKCS#7 token type with CRL.
When the token generator is not for a PKCS#7 token type, you must select None. When the token generator is for the PKCS#7 token type and you want to package the CRL in the security token, select Dedicated signing information and specify the CRL for the collection certificate store.
Binding name | Server level, cell level, or application level | Path
---|---|---
Default generator bindings | Cell level |
Default generator bindings | Server level |
Using the collection certificate store, you can configure a related certificate revocation list by clicking Certificate revocation list under Additional properties.
Indicates whether a nonce is included in the user name token for the token generator. A nonce is a unique, randomly generated value that is embedded in a message to help prevent replay attacks on user name tokens.
On the application level, if you select the Add nonce option, you can specify the following properties under Additional properties:
Property name | Default value | Explanation |
---|---|---|
com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.cacheTimeout | 600 seconds | Specifies the timeout value, in seconds, for the nonce value that is cached on the server. |
com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew | 0 seconds | Specifies the time, in seconds, before the nonce time stamp expires. |
com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.maxAge | 300 seconds | Specifies the clock skew value, in seconds, to consider when the application server checks the timeliness of the message. |
These properties are available on the administrative console at the cell and server level. However, on the application level, you can configure the properties under Additional properties.
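The following is an added illustration, not code from the product or from this page, of how the three nonce properties interact: the generator embeds a fresh random nonce and a creation time in the token, and the receiving side caches accepted nonces for cacheTimeout seconds, rejects a token whose creation time is older than maxAge (allowing clockSkew), and rejects any nonce it has already seen. The class and function names, the constructed scenario in `demo()`, and the use of Python rather than the product's own Java implementation are all assumptions made for the example; the three default values are the ones listed in the table above.

```python
import base64
import os
from dataclasses import dataclass, field

# Default values from the property table above, in seconds.
NONCE_CACHE_TIMEOUT = 600
NONCE_CLOCK_SKEW = 0
NONCE_MAX_AGE = 300


def generate_nonce(num_bytes: int = 16) -> str:
    """Generator side: a fresh random nonce, base64-encoded as it would
    appear in a wsse:Nonce element (hypothetical helper, not product code)."""
    return base64.b64encode(os.urandom(num_bytes)).decode("ascii")


@dataclass
class NonceCache:
    """Receiver-side replay check modelled on the three properties.

    Hypothetical class: it illustrates the checks the properties imply,
    not the product's internal implementation."""
    cache_timeout: int = NONCE_CACHE_TIMEOUT
    clock_skew: int = NONCE_CLOCK_SKEW
    max_age: int = NONCE_MAX_AGE
    _seen: dict = field(default_factory=dict)  # nonce -> time it was accepted

    def _evict(self, now: float) -> None:
        # Forget nonces older than cacheTimeout so the cache stays bounded.
        expired = [n for n, t in self._seen.items() if now - t > self.cache_timeout]
        for n in expired:
            del self._seen[n]

    def check(self, nonce: str, created: float, now: float) -> tuple:
        """Return (accepted, reason) for a token carrying `nonce` and a
        Created time stamp of `created`, evaluated at receiver time `now`."""
        self._evict(now)
        # Timeliness: the Created time may not lie in the future beyond
        # clockSkew, nor be older than maxAge plus clockSkew.
        if created > now + self.clock_skew:
            return False, "timestamp in the future"
        if now - created > self.max_age + self.clock_skew:
            return False, "timestamp too old"
        # Freshness: the same nonce presented twice within cacheTimeout is a replay.
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = now
        return True, "accepted"


def demo() -> list:
    """Constructed scenario (not from the page): a fresh token, a replay of it,
    a stale token, and a token whose clock runs ahead of the receiver."""
    cache = NonceCache()
    nonce = generate_nonce()
    results = []
    results.append(cache.check(nonce, created=1000.0, now=1001.0)[1])            # accepted
    results.append(cache.check(nonce, created=1000.0, now=1010.0)[1])            # replayed nonce
    results.append(cache.check(generate_nonce(), created=1000.0, now=1400.0)[1])  # timestamp too old
    results.append(cache.check(generate_nonce(), created=1050.0, now=1001.0)[1])  # timestamp in the future
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the defaults keep cacheTimeout (600 seconds) above maxAge (300 seconds): a nonce stays in the cache for longer than its time stamp remains acceptable, so a replay cannot slip in after the cache entry has been evicted but before the time stamp has aged out. If you lower cacheTimeout below maxAge plus clockSkew, that window opens.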
This option is displayed on the cell, server, and application levels. This option is valid only when the generated token type is a user name token.
Specifies whether to insert the time stamp into the user name token.
This option is displayed on the cell, server, and application levels. This option is valid only when the generated token type is a user name token.
Specifies the local name of the value type for the generated token.
When you specify a custom value type for custom tokens, you can specify the local name and the URI of the qualified name (QName) of the value type. For example, you might specify Custom for the local name and http://www.ibm.com/custom for the URI.
Specifies the namespace URI of the value type for the generated token.
When you specify the token generator for the user name token or the X.509 certificate security token, you do not need to specify this option. If you want to specify another token, specify the URI of the QName of the value type.