A nonce is a randomly generated cryptographic token that is used
to thwart the hijacking of Username tokens, which are used with SOAP messages: a receiver that remembers the nonces it has already accepted can reject an intercepted token that is sent again.
Use nonce in conjunction with the basic authentication (BasicAuth)
method. You can configure nonce for the application level by using the WebSphere® Application
Server administrative console.
About this task
Important: The information in this article applies only to Version
5.x applications that are used with WebSphere Application Server Version
6.0.x and later. The information does not apply to Version 6.0.x and
later applications.
Nonce can be configured on the application level and on the server level, so
you must consider the order of precedence:
- Application level
- Server level
If you configure nonce on the application level and the server
level, the values specified for the application level take precedence over
the values specified for the server level.
Procedure
- Connect to the administrative console.
Type http://localhost:port_number/ibm/console in
your Web browser unless you have changed the port number.
- Click Applications > Application Types > WebSphere enterprise
applications > application_name.
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, click Web services:
Server security bindings.
- Click Edit under Request receiver binding.
- Under Additional properties, click Login mappings >
New.
- Specify (optional) a value, in seconds, for the Nonce maximum
age field. This field is optional and is only valid if the BasicAuth
authentication method is specified. If you specify another authentication
method and attempt to specify a value for this field, the following error message
displays and you must remove the specified value:
Nonce is not supported for authentication methods other than
BasicAuth.
If you specify BasicAuth, but do not
specify a value for the Nonce maximum age field, the Web services security
runtime searches for a nonce maximum age value on the server level. The value specified for the Nonce maximum
age field indicates how long the nonce is valid. You must specify a minimum
of 300 seconds; however, the value cannot exceed the number of seconds that
is specified for the Nonce cache timeout field on the server level.
You can specify the
nonce cache timeout value for the server level by completing the following
steps:
- Click Servers > Server Types > WebSphere application servers > server_name.
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed-node cell with a server that uses WebSphere Application
Server Version 6.1 or earlier, click
Web services: Default bindings
for Web services security instead.
- Specify (optional) a value, in seconds, for the Nonce clock
skew field. The value specified for the Nonce clock skew field
is the tolerance, in seconds, that the message receiver allows when it
checks the timeliness of the nonce. This field is optional and is only valid
if the BasicAuth authentication method is specified. If you specify another
authentication method and attempt to specify values for this field, the following
error message displays and you must remove the specified value:
Nonce is not supported for authentication methods other than
BasicAuth.
If you specify BasicAuth,
but do not specify values for the Nonce clock skew field, the Web services
security runtime searches for a Nonce clock skew value on the server level. Consider the following information
when you set this value:
- Difference in time between the message sender and the message receiver
if the clocks are not synchronized.
- Time needed to encrypt and transmit the message.
- Time needed to get through network congestion.
- Restart the server.
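The checks that these three settings govern, shown as an added example that is not WebSphere Application Server code: a small Python receiver that applies a nonce maximum age, a nonce clock skew and a nonce cache timeout to a constructed WS-Security UsernameToken. The namespace URIs are the standard OASIS WS-Security 1.0 ones; the class and function names, the constructed token and the sample timestamps are assumptions of the example.

```python
"""Receiver-side check of a WS-Security UsernameToken nonce.

Added example, not WebSphere Application Server code. It models the three
settings the article describes (nonce maximum age, nonce clock skew and
nonce cache timeout) so that their interaction can be seen on a constructed
token. Namespace URIs are those of the OASIS WS-Security 1.0 UsernameToken
Profile; everything else (names, sample token, timestamps) is an assumption.
"""
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def utc_string(epoch):
    """Format a POSIX timestamp the way wsu:Created carries it (UTC, 'Z' suffix)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_utc(text):
    """Parse a wsu:Created value back to a POSIX timestamp (raises ValueError if malformed)."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def build_username_token(username, created_epoch, nonce=None):
    """Sender side: a UsernameToken carrying a random nonce and its creation time (constructed sample)."""
    nonce = os.urandom(16) if nonce is None else nonce
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f"<wsu:Created>{utc_string(created_epoch)}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class NonceValidator:
    """Receiver side: rejects stale tokens and replayed nonces."""

    def __init__(self, max_age, clock_skew, cache_timeout):
        # Same constraints the console enforces: at least 300 s, and not beyond the cache timeout.
        if max_age < 300:
            raise ValueError("nonce maximum age must be at least 300 seconds")
        if max_age > cache_timeout:
            raise ValueError("nonce maximum age cannot exceed the nonce cache timeout")
        self.max_age = max_age
        self.clock_skew = clock_skew
        self.cache_timeout = cache_timeout
        self._seen = {}  # nonce bytes -> receiver time at which it was first accepted

    def cached(self):
        """Number of nonces currently held in the replay cache."""
        return len(self._seen)

    def check(self, token_xml, now):
        """Return (accepted, reason) for one token evaluated at receiver time `now`."""
        root = ET.fromstring(token_xml)
        nonce_el = root.find(f"{{{WSSE}}}Nonce")
        created_el = root.find(f"{{{WSU}}}Created")
        if nonce_el is None or created_el is None or not nonce_el.text or not created_el.text:
            return False, "missing nonce or created"
        try:
            nonce = base64.b64decode(nonce_el.text.strip(), validate=True)
            created = parse_utc(created_el.text)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False, "malformed nonce or created"

        # Evict cache entries that have outlived the nonce cache timeout.
        self._seen = {n: t for n, t in self._seen.items() if now - t < self.cache_timeout}

        # Timeliness: the clock skew is allowed in both directions.
        if created - now > self.clock_skew:
            return False, "created in future"
        if now - created > self.max_age + self.clock_skew:
            return False, "expired"
        # Replay: a nonce still in the cache must not be accepted a second time.
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = now
        return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    v = NonceValidator(max_age=300, clock_skew=60, cache_timeout=600)
    tok = build_username_token("alice", now - 10)
    print(v.check(tok, now))        # (True, 'ok')
    print(v.check(tok, now + 5))    # (False, 'replay')
    print(v.check(tok, now + 700))  # (False, 'expired'): evicted from the cache, but too old anyway
```

The ordering of the constraints is the point of the example: because the maximum age cannot exceed the cache timeout, a nonce that has been evicted from the cache is already older than the maximum age and is refused on age, so the replay window never outlives the cache. The clock skew widens acceptance in both directions, so every second added to it extends the window in which an intercepted token can be replayed by the same amount.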