A nonce is a randomly generated, cryptographic token used to thwart the hijacking of username tokens used with SOAP messages. Nonces are used in conjunction with the BasicAuth authentication method. For more information, see Nonce.
This task provides instructions on how to configure nonce settings with the WebSphere Application Server administrative console. You can configure nonce at the application level or server level.
The following list shows the order of precedence:
If you configure nonce settings for both the application level and the server level, the values that are specified for the application level take precedence over the values that are specified for the server level.
In a WebSphere Application Server - Express environment, you must specify values for the Nonce Cache Timeout, Nonce Maximum Age, and Nonce Clock Skew fields on the server level to use nonces effectively.
Configure nonce settings for the server level
Perform the following steps in the WebSphere administrative console to configure nonce settings for the server level:
Start the administrative console.
Expand Servers. Click Application Servers. Click the name of your application server.
Under Additional Properties, click Web Services: Default Bindings for Web Services Security.
(Optional) Specify a value, in seconds, for the Nonce Cache Timeout field.
The value that is specified for the Nonce Cache Timeout field indicates how long the nonce remains cached before it is expunged. You must specify a minimum of 300 seconds. However, if you do not specify a value, the default is 600 seconds.
(Optional) Specify a value, in seconds, for the Nonce Maximum Age field.
The value that is specified for the Nonce Maximum Age field indicates how long the nonce is valid. You must specify a minimum of 300 seconds, but the value cannot exceed the number of seconds that is specified for the Nonce Cache Timeout field on the server level.
(Optional) Specify a value, in seconds, for the Nonce Clock Skew field.
The value of the Nonce Clock Skew field specifies the amount of time, in seconds, to consider when the message receiver checks the freshness of the value. Consider the following information when you set this value:
You must specify at least 0 seconds for the Nonce Clock Skew field. However, the maximum value cannot exceed the number of seconds specified in the Nonce Maximum Age field on the server level. If you do not specify a value, the default is 0 seconds.
Restart the server.
Configure nonce settings for the application level
Perform the following steps in the WebSphere administrative console to configure nonce settings for the application level:
Start the administrative console.
Expand Servers. Click Application Servers. Click the name of your application server.
Under Additional Properties, click Web Services: Default Bindings for Web Services Security --> Login Mappings --> BasicAuth.
Specify a value, in seconds, for the Nonce Maximum Age field.
The value that is specified for the Nonce Maximum Age field indicates how long the nonce is valid. You must specify a minimum of 300 seconds, but the value cannot exceed the number of seconds that is specified for the Nonce Cache Timeout field on the server level.
Note: The Nonce Maximum Age field on this panel is optional and only valid if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify values for this field, the following error message displays and you must remove the specified value:
Nonce is not supported for authentication methods other than BasicAuth.
If you specify BasicAuth, but do not specify a value for the Nonce Maximum Age field, the Web services security run time searches for a Nonce Maximum Age value on the server level. If a value is not found on the server level, the default is 300 seconds.
Specify a value, in seconds, for the Nonce Clock Skew field.
The value that is specified for the Nonce Clock Skew field indicates the amount of time, in seconds, to consider when the message receiver checks the freshness of the value. Consider the following information when you set this value:
Note: The Nonce Clock Skew field on this panel is optional and only valid if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify values for this field, the following error message displays and you must remove the specified value:
Nonce is not supported for authentication methods other than BasicAuth.
If you specify BasicAuth, but do not specify a value for the Nonce Clock Skew field, the Web services security run time searches for a Nonce Clock Skew value on the server level. If a value is not found on the server level, the default is 0 seconds.
Restart the server.
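The following added example (not WebSphere code) models how the three settings from both procedures above work together when a receiver checks a UsernameToken for replay: the nonce cache timeout bounds how long a seen nonce is remembered, the maximum age bounds how old the token's Created timestamp may be, and the clock skew is the tolerance applied to that freshness check. The limits enforced in validate_settings are the ones stated in the text; the exact way skew is combined with age, and the Unix-second timestamps, are assumptions.

```python
from dataclasses import dataclass, field


def validate_settings(cache_timeout: int, max_age: int, clock_skew: int):
    """Return None if the three settings satisfy the limits the console
    enforces (taken from the text), otherwise a short reason."""
    if cache_timeout < 300 or max_age < 300:
        return "cache timeout and max age must be at least 300 s"
    if max_age > cache_timeout:
        # A nonce must stay cached at least as long as its token is fresh,
        # or a replay could arrive after the cache entry was expunged.
        return "max age cannot exceed cache timeout"
    if not 0 <= clock_skew <= max_age:
        return "clock skew must be between 0 and max age"
    return None


@dataclass
class NonceChecker:
    cache_timeout: int        # seconds a seen nonce stays in the cache
    max_age: int              # seconds a token's Created timestamp stays valid
    clock_skew: int = 0       # tolerated sender/receiver clock difference
    seen: dict = field(default_factory=dict)  # nonce -> time it was first seen

    def __post_init__(self):
        err = validate_settings(self.cache_timeout, self.max_age, self.clock_skew)
        if err:
            raise ValueError(err)

    def check(self, nonce: str, created: int, now: int) -> str:
        """Decide whether a token with this nonce and Created time (both
        Unix seconds) is accepted at receiver time `now`."""
        # Expunge cache entries older than the cache timeout.
        for n, t in list(self.seen.items()):
            if now - t > self.cache_timeout:
                del self.seen[n]
        # Freshness window (assumed model): Created may be up to clock_skew
        # ahead of the receiver's clock and up to max_age + clock_skew behind it.
        if created - now > self.clock_skew:
            return "rejected: created in the future"
        if now - created > self.max_age + self.clock_skew:
            return "rejected: stale"
        # Fresh, but already seen inside the cache window: a replay.
        if nonce in self.seen:
            return "rejected: replay"
        self.seen[nonce] = now
        return "accepted"
```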