100 lines
6.9 KiB
HTML
100 lines
6.9 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
|
|
|
|
<title>Configure nonce settings</title>
|
|
</head>
|
|
|
|
<BODY>
|
|
<!-- Java sync-link -->
|
|
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
|
|
|
|
<h6><a name="wssecbasnon"></a>Configure nonce settings</h6>
|
|
|
|
<p>A nonce is a randomly generated, cryptographic token used to thwart the highjacking of username tokens used with SOAP messages. Nonces are used in conjunction with the BasicAuth authentication method. For more information, see <a href="wssecnonce.htm">Nonce</a>.</p>
|
|
|
|
<p>This task provides instructions on how to configure nonce settings with the WebSphere Application Server administrative console. You can configure nonce at the application level or server level.</p>
|
|
|
|
<p>The following list shows the order of precedence:</p>
|
|
<ol>
|
|
<li>Application level</li>
|
|
<li>Server level</li>
|
|
</ol>
|
|
|
|
<p>If you configure nonce settings for the application level and the server level, the values that are specified for the application level take precedence over the values that are specified for the server level. Likewise, the values specified for the application level take precedence over the values that are specified for the server level.</p>
|
|
|
|
<p>In a WebSphere Application Server - Express environment, you must specify values for the <strong>Nonce Cache Timeout</strong>, <strong>Nonce Maximum Age</strong>, and <strong>Nonce Clock Skew</strong> fields on the server level to use nonces effectively.</p>
|
|
|
|
<p><strong>Configure nonce settings for the server level)</strong></p>
|
|
<p>Perform the following steps in the WebSphere administrative console to configure nonce settings for the server level:</p>
|
|
|
|
<ol>
|
|
<li><p>Start the administrative console.</p></li>
|
|
|
|
<li><p>Expand <strong>Servers</strong>. Click <strong>Application Servers</strong>. Click the name of your application server.</p></li>
|
|
|
|
<li><p>Under <strong>Additional Properties</strong>, click <strong>Web Services: Default Bindings for Web Services Security</strong>.</p></li>
|
|
|
|
<li><p>(Optional) Specify a value, in seconds, for the <strong>Nonce Cache Timeout</strong> field.</p>
|
|
<p>The value that is specified for the <strong>Nonce Cache Timeout</strong> field indicates how long the nonce remains cached before it is expunged. You must specify a minimum of 300 seconds. However, if you do not specify a value, the default is 600 seconds.</p></li>
|
|
|
|
<li><p>(Optional) Specify a value, in seconds, for the <strong>Nonce Maximum Age</strong> field.</p>
|
|
<p>The value that is specified for the <strong>Nonce Maximum Age</strong> field indicates how long the nonce is valid. You must specify a minimum of 300 seconds, but the value cannot exceed the number of seconds that is specified for the <strong>Nonce Cache Timeout</strong> field on the server level.</p></li>
|
|
|
|
<li><p>(Optional) Specify a value, in seconds, for the <strong>Nonce Clock Skew</strong> field.</p>
|
|
<p>The value of the <strong>Nonce Clock Skew</strong> field specifies the amount of time, in seconds, to consider when the message receiver checks the freshness of the value. Consider the following information when you set this value:</p>
|
|
|
|
<ul>
|
|
<li>Difference in time between the message sender and message receiver if the clocks are unsynchronized.</li>
|
|
<li>Time needed to encrypt and transmit the message.</li>
|
|
<li>Time needed to get through network congestion.</li>
|
|
</ul>
|
|
|
|
<p>You must specify at least 0 seconds for the <strong>Nonce Clock Skew</strong> field. However, the maximum value cannot exceed the number of seconds specified in the <strong>Nonce Maximum Age</strong> field on the server level. If you do not specify a value, the default is 0 seconds.</p></li>
|
|
<li><p>Restart the server.</p></li>
|
|
</ol>
|
|
|
|
<p><strong>Configure nonce settings for the application level</strong></p>
|
|
|
|
<p>Perform the following steps in the WebSphere administrative console to configure nonce settings for the application level:</p>
|
|
|
|
<ol>
|
|
<li><p>Start the administrative console.</p></li>
|
|
|
|
<li><p>Expand <strong>Servers</strong>. Click <strong>Application Servers</strong>. Click the name of your application server.</p></li>
|
|
|
|
<li><p>Under <strong>Additional Properties</strong>, click <strong>Web Services: Default Bindings for Web Services Security</strong> --> <strong>Login Mappings</strong> --> <strong>BasicAuth</strong>.</p></li>
|
|
|
|
<li><p>Specify a value, in seconds, for the <strong>Nonce Maximum Age</strong> field.</p>
|
|
|
|
<p>The value that is specified for the <strong>Nonce Maximum Age</strong> field indicates how long the nonce is valid. You must specify a minimum of 300 seconds, but the value cannot exceed the number of seconds that is specified for the <strong>Nonce Cache Timeout</strong> field for either the server level.</p>
|
|
|
|
<p><strong>Note:</strong> The <strong>Nonce Maximum Age</strong> field on this panel is optional and only valid if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify values for this field, the following error message displays and you must remove the specified value:</p>
|
|
|
|
<pre>Nonce is not supported for authentication methods other than BasicAuth.</pre>
|
|
|
|
<p>If you specify BasicAuth, but do not specify values for the <strong>Nonce Maximum Age</strong> field, the Web services security run time searches for a <strong>Nonce Maximum Age</strong> value on the server level. If a value is not found on either the server level, the default is 300 seconds.</p></li>
|
|
|
|
<li><p>Specify a value, in seconds, for the <strong>Nonce Clock Skew</strong> field.</p>
|
|
<p>The value specified for the <strong>Nonce Clock Skew</strong> field specifies the amount of time, in seconds, to consider when the message receiver checks the freshness of the value. Consider the following information when you set this value:</p>
|
|
|
|
<ul>
|
|
<li>Difference in time between the message sender and message receiver if the clocks are unsynchronized.</li>
|
|
<li>Time needed to encrypt and transmit the message.</li>
|
|
<li>Time needed to get through network congestion.</li>
|
|
</ul>
|
|
|
|
<p><strong>Note:</strong> The <strong>Nonce Clock Skew</strong> field on this panel is optional and only valid if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify values for this field, the following error message displays and you must remove the specified value:</p>
|
|
|
|
<pre>Nonce is not supported for authentication methods other than BasicAuth.</pre>
|
|
|
|
<p>If you specify BasicAuth, but do not specify values for the <strong>Nonce Clock Skew</strong> field, the Web services security run time searches for a <strong>Nonce Clock Skew</strong> value on the server level. If a value is not found on either the server level, the default is 0 seconds.</p></li>
|
|
|
|
<li><p>Restart the server.</p></li>
|
|
</ol>
|
|
|
|
</body>
|
|
</html>
|