Web services: default bindings for the Web services security collection

Use this page to configure the nonce settings at the server level and to manage the default bindings for trust anchors, the collection certificate store, key locators, trusted ID evaluators, and login mappings.

To view this administrative console page, click Servers > Application Servers > server. Under Additional Properties, click Web Services: Default bindings for Web Services Security.

Read the Web services documentation before you begin defining the default bindings for Web services security.

To define the server bindings, complete the following steps:

  1. Click Applications > Enterprise Applications > appname.

  2. Under Related Items, click Web Modules > URI_file_name > Web Services: Server Security Bindings.

To define the client bindings, complete the following steps:

  1. Click Applications > Enterprise Applications > appname.

  2. Under Related Items, click Web Modules > URI_file_name > Web Services: Client Security Bindings.

A nonce is a unique, randomly generated value embedded in a message to help prevent replay of user name tokens, that is, resubmission of a captured token to gain unauthorized access. In a base WebSphere Application Server (WAS) environment, specify values for the Nonce Cache Timeout, Nonce Maximum Age, and Nonce Clock Skew fields at the server level.

The default binding configuration provides a central location where reusable binding information is defined. The application binding file can reference the information contained in the default binding configuration.

Nonce Cache Timeout   Specifies the timeout value, in seconds, for the nonce cached on the server. Nonce is a randomly generated value.

The Nonce Cache Timeout field is required for the base WebSphere Application Server environment.

If you make changes to the nonce cache timeout value, restart WAS for the changes to take effect.

Default 600 seconds
Minimum 300 seconds

Nonce Maximum Age   Specifies the default time, in seconds, before the nonce time stamp expires. Nonce is a randomly generated value.

The maximum value cannot exceed the number of seconds specified in the Nonce Cache Timeout field for the server level. The value set for this server-level Nonce Maximum Age field must not exceed the Nonce Maximum Age value set for the cell level, which you can access by clicking Security > Web Services > Properties.

The Nonce Maximum Age field is required for the base WebSphere Application Server environment.

Default 300 seconds
Range 300 to Nonce Cache Timeout seconds

Nonce Clock Skew   Specifies the clock skew, in seconds, that WAS tolerates between the sender's clock and its own when it checks the timeliness of the message. Nonce is a randomly generated value.

The maximum value cannot exceed the number of seconds specified in the Nonce Maximum Age field.

The Nonce Clock Skew field is required for the base WebSphere Application Server environment.

Default 0 seconds
Range 0 to Nonce Maximum Age seconds
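The following is an added example, not WebSphere code, that models how the three server-level nonce settings above work together when a UsernameToken arrives: the Created timestamp is checked against Nonce Maximum Age with Nonce Clock Skew tolerance, and the nonce itself is held in a cache for Nonce Cache Timeout seconds so that a second submission of the same token is rejected. The NonceSettings and NonceCache classes, the settings_valid helper, and the sample tokens in demo are all constructed for illustration.

```python
# Added example (not WebSphere code): a model of the server-side nonce check for
# WS-Security UsernameTokens, driven by the three settings described above.
# NonceSettings, NonceCache, settings_valid and the sample tokens are constructed.
from dataclasses import dataclass


def settings_valid(cache_timeout: int, max_age: int, clock_skew: int) -> bool:
    """The ordering the console enforces: 0 <= skew <= max_age <= cache_timeout,
    with Nonce Maximum Age (and therefore Nonce Cache Timeout) at least 300 s."""
    return (0 <= clock_skew <= max_age <= cache_timeout) and max_age >= 300


@dataclass
class NonceSettings:
    cache_timeout: int = 600  # seconds an accepted nonce stays in the cache
    max_age: int = 300        # seconds before a token's Created timestamp is stale
    clock_skew: int = 0       # seconds of sender/receiver clock drift tolerated

    def __post_init__(self):
        if not settings_valid(self.cache_timeout, self.max_age, self.clock_skew):
            raise ValueError("require 0 <= clock_skew <= max_age <= cache_timeout, max_age >= 300")


class NonceCache:
    def __init__(self, settings: NonceSettings):
        self.settings = settings
        self._seen = {}  # nonce -> server time at which it was accepted

    def _purge(self, now: float) -> None:
        # Drop entries older than Nonce Cache Timeout. After that, a replay is
        # caught by the age check instead, which is why max_age <= cache_timeout.
        limit = self.settings.cache_timeout
        for nonce, seen_at in list(self._seen.items()):
            if now - seen_at > limit:
                del self._seen[nonce]

    def cached(self, nonce: str) -> bool:
        return nonce in self._seen

    def check(self, nonce: str, created: float, now: float) -> str:
        """Return 'ok' or a rejection reason for a UsernameToken carrying
        wsu:Created = created and wsse:Nonce = nonce, received at server time now."""
        s = self.settings
        self._purge(now)
        age = now - created
        # Created is ahead of the server clock by more than the tolerated skew.
        if age < -s.clock_skew:
            return "rejected: Created timestamp is in the future"
        # Token older than Nonce Maximum Age (plus skew): stale or a delayed replay.
        if age > s.max_age + s.clock_skew:
            return "rejected: token older than Nonce Maximum Age"
        # Fresh-looking token whose nonce was already accepted: a replay.
        if nonce in self._seen:
            return "rejected: nonce already seen (replay)"
        self._seen[nonce] = now
        return "ok"


def demo():
    """Run constructed sample tokens through a cache that tolerates 60 s of skew."""
    cache = NonceCache(NonceSettings(cache_timeout=600, max_age=300, clock_skew=60))
    t0 = 1_700_000_000.0  # arbitrary server time
    results = [
        cache.check("n1", created=t0, now=t0 + 10),        # first use: ok
        cache.check("n1", created=t0, now=t0 + 20),        # same nonce again: replay
        cache.check("n2", created=t0, now=t0 + 400),       # 400 s old > 300 + 60: stale
        cache.check("n3", created=t0 + 100, now=t0 + 30),  # 70 s ahead > 60 s skew: future
        cache.check("n4", created=t0 + 50, now=t0 + 30),   # 20 s ahead, within skew: ok
    ]
    cache.check("n5", created=t0 + 700, now=t0 + 700)      # 700 s later: n1 has been purged
    return results, cache.cached("n1")


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Note that with a non-zero clock skew a token still looks fresh for max_age + clock_skew seconds, so in this model Nonce Cache Timeout should be at least that large; the console's constraints (skew <= max age <= cache timeout) allow a configuration such as 600/600/600 where the cache expires before the freshness window closes.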

Trust Anchors   Specifies a list of keystore objects that contain the trusted root certificates, self-signed or issued by a certificate authority (CA).

A certificate authority verifies the identity of a subject and issues its certificate. The keystore objects listed here hold the root certificates that terminate certificate path (certificate chain) validation of incoming X.509-formatted security tokens: a token is accepted only if its certificate chains up to one of these trusted roots.

Collection Certificate Store   Specifies a list of untrusted, intermediate certificate files.

The collection certificate store holds intermediate certificates that are not themselves trusted. The CertPath API uses them to build the chain from an incoming token's certificate up to a trust anchor; they supply missing links in the chain but never confer trust on their own.
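The following is an added example, not WebSphere or CertPath API code, that models the division of roles between the two stores above: the collection store supplies intermediate links, and only the trust anchor store can end a chain. The Cert record, the build_path function and the sample certificates are constructed for illustration; a real validator additionally verifies each certificate's signature against its issuer's public key and checks revocation.

```python
# Added example (not WebSphere or CertPath API code): a model of how the trust
# anchor store and the collection certificate store take part in path building.
# Cert, build_path and the sample certificates are constructed; a real validator
# also verifies signatures against the issuer's public key and checks revocation.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: int  # validity window as simple integer timestamps
    not_after: int


def build_path(leaf: Cert, trust_anchors: List[Cert], collection_store: List[Cert],
               now: int, max_depth: int = 5) -> Tuple[List[str], Optional[str]]:
    """Follow issuer links from the token's certificate through the untrusted
    intermediates until an anchor is reached. Returns (subjects on the path, None)
    on success, or (partial path, reason) on failure."""
    anchors = {c.subject: c for c in trust_anchors}
    intermediates = {c.subject: c for c in collection_store}
    path = [leaf]
    visited = {leaf.subject}
    cur = leaf
    while len(path) <= max_depth:
        if not (cur.not_before <= now <= cur.not_after):
            return [c.subject for c in path], f"{cur.subject} is outside its validity period"
        # Only the trust anchor store can terminate a path.
        anchor = anchors.get(cur.issuer)
        if anchor is not None:
            path.append(anchor)
            return [c.subject for c in path], None
        # Intermediates supply the next link but confer no trust; a self-signed
        # or circular issuer that exists only in the collection store is rejected.
        nxt = intermediates.get(cur.issuer)
        if nxt is None or nxt.subject in visited:
            return [c.subject for c in path], f"no trusted issuer found for {cur.subject}"
        visited.add(nxt.subject)
        path.append(nxt)
        cur = nxt
    return [c.subject for c in path], "path exceeds maximum depth"


# Constructed sample PKI.
ROOT = Cert("CN=Root CA", "CN=Root CA", 0, 4000)
ISSUING = Cert("CN=Issuing CA", "CN=Root CA", 100, 3000)
CLIENT = Cert("CN=client", "CN=Issuing CA", 200, 2000)
ROGUE_ROOT = Cert("CN=Rogue Root", "CN=Rogue Root", 0, 4000)
ROGUE_CLIENT = Cert("CN=client", "CN=Rogue Root", 200, 2000)


def demo():
    return {
        # Chain ends at a configured anchor: accepted.
        "valid": build_path(CLIENT, [ROOT], [ISSUING], now=1000),
        # Root present only in the collection store, never configured as an anchor: rejected.
        "root_not_anchored": build_path(CLIENT, [], [ISSUING, ROOT], now=1000),
        # Chain leads to a self-signed root the server does not trust: rejected.
        "rogue": build_path(ROGUE_CLIENT, [ROOT], [ISSUING, ROGUE_ROOT], now=1000),
        # Token certificate outside its validity period: rejected.
        "expired": build_path(CLIENT, [ROOT], [ISSUING], now=2500),
    }


if __name__ == "__main__":
    for name, (path, reason) in demo().items():
        print(name, path, reason or "accepted")
```

The root_not_anchored case is the one operators most often get wrong: importing a CA certificate into the collection certificate store does not make tokens signed under it acceptable; the root must be in a trust anchor keystore.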

Key Locators   Specifies a list of key locator objects that retrieve the keys for digital signature and encryption from a keystore file or a repository. A key locator maps a logical name to a keystore alias, or maps an authenticated identity to a key; the binding refers to that logical name to locate a key in the key locator implementation.

Trusted ID Evaluators   Specifies a list of trusted ID evaluators that determine whether to trust the identity-asserting authority or the message sender.

The trusted ID evaluators are used to authenticate additional identities from one server to another server. For example, a client sends the identity of user A to server 1 for authentication. Server 1 calls downstream to server 2, asserts the identity of user A, and includes the user ID and password of server 1. Server 2 attempts to establish trust with server 1 by authenticating its user ID and password and checking the trust based on the TrustedIDEvaluator implementation. If the authentication process and the trust check are successful, server 2 trusts that server 1 authenticated user A and a credential is created for user A on server 2 to invoke the request.
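The following is an added example, not WebSphere code, that models the server 1 to server 2 flow described above from server 2's side: the sending server's user ID and password are authenticated, the trusted ID evaluator decides whether that sender may assert identities, and only then is a credential created for the asserted user. The registry, the trusted-ID set, the IncomingMessage record and the establish_identity function are constructed for illustration; the check that the asserted identity exists in the registry is an assumption about how the credential is built.

```python
# Added example (not WebSphere code): a model of the identity-assertion flow
# described above, with a trusted ID evaluator on server 2. The registry, the
# trusted-ID set and the incoming messages are constructed for illustration.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

SALT = b"constructed-salt"  # a real registry stores a per-user salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 20_000)


# Server 2's user registry: server identities and end users (constructed).
REGISTRY = {
    "server1": _hash_password("server1-secret"),
    "server3": _hash_password("server3-secret"),
    "userA": _hash_password("userA-secret"),
}

# What the trusted ID evaluator consults: identities allowed to assert other users.
TRUSTED_IDS = {"server1"}


@dataclass
class IncomingMessage:
    asserted_identity: str             # identity asserted by the sender (user A), no password
    sender_user: Optional[str] = None  # UsernameToken of the sending server
    sender_password: Optional[str] = None


def authenticate(user: str, password: str) -> bool:
    """Password check against the registry with a constant-time comparison."""
    stored = REGISTRY.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash_password(password))


def trusted_id_evaluator(sender: str) -> bool:
    """Decide whether the already-authenticated sender may assert identities."""
    return sender in TRUSTED_IDS


def establish_identity(msg: IncomingMessage) -> Tuple[Optional[str], str]:
    """Server 2's handling: returns (principal of the created credential, reason).
    Trust is established only when the sender both authenticates and is trusted."""
    if msg.sender_user is None or msg.sender_password is None:
        return None, "rejected: identity asserted without an authenticating sender token"
    if not authenticate(msg.sender_user, msg.sender_password):
        return None, "rejected: sender authentication failed"
    if not trusted_id_evaluator(msg.sender_user):
        return None, f"rejected: {msg.sender_user} is not a trusted ID"
    # Assumption: the credential is built from a registry entry for the asserted user.
    if msg.asserted_identity not in REGISTRY:
        return None, f"rejected: asserted identity {msg.asserted_identity} not in registry"
    return msg.asserted_identity, f"credential created for {msg.asserted_identity}, asserted by {msg.sender_user}"


def demo():
    return {
        # server 1 authenticates and is trusted: credential for user A is created.
        "trusted": establish_identity(IncomingMessage("userA", "server1", "server1-secret")),
        # wrong password for server 1: the assertion is never evaluated.
        "bad_password": establish_identity(IncomingMessage("userA", "server1", "wrong")),
        # server 3 authenticates but is not in the trusted-ID list: rejected.
        "authenticated_not_trusted": establish_identity(IncomingMessage("userA", "server3", "server3-secret")),
        # bare assertion with no sender token: rejected.
        "no_sender": establish_identity(IncomingMessage("userA")),
    }


if __name__ == "__main__":
    for name, (principal, reason) in demo().items():
        print(name, principal, reason)
```

The order of the checks matters: the trusted ID evaluator runs only after the sender has authenticated, so a forged UsernameToken naming a trusted server gains nothing without that server's password, and an authenticated but untrusted server cannot assert anyone.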

Login Mappings   Specifies a list of configurations for validating tokens within incoming messages.

Login mappings map the authentication method to the Java Authentication and Authorization Service (JAAS) configuration.

To configure JAAS, use the administrative console and click Security > JAAS Configuration.


See Also

Digital certificates
Securing Web services based on WS-Security
Requesting certificate authority-signed personal certificates
Trust anchors collection
Collection certificate store collection
Key locator collection
Trusted ID evaluator collection
Login mappings collection
Login mapping configuration settings