Configuring a nonce on the server or cell level

Nonce is a randomly generated, cryptographic token that is used to prevent replay attacks of user name tokens that are used with Simple Object Access Protocol (SOAP) messages. Typically, nonce is used with the user name token.

This task provides instructions on how to configure nonce for the cell level using the WebSphere® Application Server administrative console. You can configure nonce at the application level, the server level, and the cell level. However, consider the order of precedence. The following list shows the order of precedence:

  1. Application level

    The application level settings for the nonce maximum age and nonce clock skew fields are specified through the additional properties.

  2. Server level

If you configure nonce on the application level and the server level, the values that are specified for the application level take precedence over the values that are specified for the server level. Likewise, the values that are specified for the application level take precedence over the values specified for the server level. Complete the following steps to configure nonce on the server level:

Complete the following steps to configure a nonce on the server or cell level:

  1. Access the default bindings for the server level.

    1. Click Servers > Application servers > server_name.

    2. Under Security, click Web services: Default bindings for Web services security.

  2. Specify a value, in seconds, for the Nonce cache timeout field. The value that is specified for the Nonce cache timeout field indicates how long the nonce remains cached before it is discarded. You must specify a minimum of 300 seconds. However, if you do not specify a value, the default is 600 seconds. This field is optional on the server level, but required on the cell level.

  3. Specify a value, in seconds, for the Nonce maximum age field. The value that is specified for the Nonce maximum age field indicates how long the nonce is valid. You must specify a minimum of 300 seconds, but the value cannot exceed the number of seconds that is specified for the Nonce cache timeout field in the previous step. If you do not specify a value, the default is 300 seconds.

    In a Network Deployment environment, this field is optional on the server level, but it is required on the cell level.

  4. Specify a value, in seconds, for the Nonce clock skew field. The value that is specified for the Nonce clock skew field specifies the amount of time, in seconds, to consider when the message receiver checks the freshness of the value. Consider the following information when you set this value:

    • Difference in time between the message sender and the message receiver, if the clocks are not synchronized.

    • Time that is needed to encrypt and transmit the message.

    • Time that is needed to get through network congestion.
    At a minimum, specify 0 seconds in this field. However, the maximum value cannot exceed the number of seconds indicated in the Nonce maximum age field. If you do not specify a value, the default is 0 seconds. This field is optional on the server level, but required on the cell level.

  5. Select the Distribute nonce caching option. This option enables you to distribute the caching for a nonce using a Data Replication Service (DRS). In previous releases of WAS, the nonce was cached locally. By selecting this option, the nonce is propagated to other servers in your environment. However, the nonce might be subject to a one-second delay in propagation and subject to any network congestion.

  6. Restart the server. If you change the Nonce cache timeout value and do not restart the server, the change is not recognized by the server.