Time stamp
A time stamp is the value of an object that indicates the system time at some critical point in the history of the object.
A time stamp is included in a message to reduce the vulnerability of an application to replay attacks. In web services, a replay attack occurs when an HTTP request is intercepted and the content is resent to the provider in its original form. When you include a time stamp in a message, protect its integrity using transport security, such as Secure Sockets Layer (SSL), or message-level security, such as XML digital signature. If you do not protect the integrity of the time stamp, it is possible to capture the message and retransmit the content with a different time stamp, message expiration date, or both.
For both the JAX-RPC and JAX-WS WS-Security run times, 5 minutes is the default message expiration time used for the receiver if a value is not specified in the message. If a different expiration is required for a specific client or you are unsure of the target service default value, configure a message expiration time value for the outbound time stamp.
- When the Web Services Security JAX-RPC and JAX-WS run times generate or consume a message, they do not enforce that the integrity of the time stamp is protected.
- The Web Services Security JAX-RPC and JAX-WS run times do not have a default outbound message expiration value. To include a message expiration value in a message, configure it. Although the JAX-WS run time does not have a default outbound message expiration value, you can configure an outbound message expiration value in the default general bindings. This value is acquired by all applications at the level for which the default bindings apply. For example, the value might be acquired at the cell or application level.
- For the JAX-RPC run time, the time stamp expiration value is specified in the web services deployment descriptor extension. You cannot modify the web services deployment descriptor extension from the admin console; you can only view it.
  To modify the deployment descriptor extension, use an assembly tool and add or change the time stamp expiration value for a JAX-RPC application.
- If WS-Security constraints exist to consume a timestamp, the client must send a timestamp.
  The JAX-WS WS-Security runtime complies with the OASIS WS-SecurityPolicy 1.2 specification Timestamp Required requirement. To configure an application to not require an inbound time stamp when an outbound time stamp is configured, you can add the com.ibm.wsspi.wssecurity.consumer.timestampRequired custom property as either an inbound or an inbound/outbound web services security custom property.
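
Because the run times do not enforce that the time stamp is integrity protected, a receiver-side audit can check it explicitly. The following Python is an added example, not IBM code or part of the original page: it rejects a wsu:Timestamp that no ds:Reference covers and applies the 5-minute receiver default when wsu:Expires is absent. It checks reference coverage only (no cryptographic signature verification) and assumes UTC time stamps; the function names and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSU, WSSE = OASIS + "utility-1.0.xsd", OASIS + "secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"wsu": WSU, "wsse": WSSE, "ds": DS}
DEFAULT_EXPIRY = timedelta(minutes=5)  # receiver default stated on this page

def _utc(text):
    # Assumption: xsd:dateTime values are UTC ("Z"); fractional seconds are dropped.
    stamp = datetime.strptime(text.strip()[:19], "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)

def check_timestamp(envelope_xml, now):
    """Return (ok, reason) for the wsu:Timestamp in a SOAP envelope."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(envelope_xml)
    ts = root.find(".//wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False, "no timestamp"
    # An unsigned time stamp can be rewritten in transit, so check coverage first.
    ts_id = ts.get(f"{{{WSU}}}Id")
    refs = {r.get("URI") for r in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)}
    if ts_id is None or "#" + ts_id not in refs:
        return False, "timestamp not signed"
    created = ts.findtext("wsu:Created", namespaces=NS)
    expires = ts.findtext("wsu:Expires", namespaces=NS)
    if created is None:
        return False, "no Created"
    # No Expires in the message: fall back to Created + 5 minutes.
    deadline = _utc(expires) if expires else _utc(created) + DEFAULT_EXPIRY
    return (False, "expired") if now > deadline else (True, "ok")

def sample(signed, expires="2024-01-01T12:03:00Z"):
    """Constructed sample envelope; the Signature carries only its Reference."""
    ref = "#TS-1" if signed else "#Body-1"
    exp = f"<wsu:Expires>{expires}</wsu:Expires>" if expires else ""
    return f'''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}"><soapenv:Header><wsse:Security>
 <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T12:00:00Z</wsu:Created>{exp}</wsu:Timestamp>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="{ref}"/></ds:SignedInfo></ds:Signature>
 </wsse:Security></soapenv:Header><soapenv:Body wsu:Id="Body-1"/></soapenv:Envelope>'''

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 4, tzinfo=timezone.utc)
    for label, xml in [("signed", sample(True)), ("signed, no Expires", sample(True, None)),
                       ("unsigned", sample(False))]:
        print(label, check_timestamp(xml, now))
```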