Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-RPC web services > Configure Web Services Security using JAX-RPC at the platform level
Configure a nonce on the server or cell level
We can configure nonce for the server or cell by using the console.
Nonce is a randomly generated, cryptographic token used to prevent replay attacks of user name tokens that are used with SOAP messages. Typically, nonce is used with the user name token.
We can configure nonce at the application level, the server level, and the cell level. However, consider the order of precedence. The following list shows the order of precedence:
- Application level
The application level settings for the nonce maximum age and nonce clock skew fields are specified through the additional properties.
- Server level
- Cell level
If you configure nonce on the application level and the server level, the values specified for the application level take precedence over the values specified for the server level. Likewise, the values specified for the application level take precedence over the values specified for the server level and the cell level. In the WAS ND environment, the Nonce cache timeout, Nonce maximum age, and Nonce clock skew fields are required to use nonce effectively. However, these fields are optional on the server level.
We can configure a nonce on the server level and the cell level. In the following steps, use the first step to access the server-level default bindings and use the second step to access the cell-level bindings.
Procedure
- Access the default bindings for the server level.
- Click Servers > Server Types > WebSphere application servers > server_name
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WAS version 6.1 or earlier, click Web services: Default bindings for Web Services Security.mixv
- Click Security > Web services to access the default bindings on the cell level.
- Specify a value, in seconds, for the Nonce cache timeout field. The value specified for the Nonce cache timeout field indicates how long the nonce remains cached before it is discarded. We must specify a minimum of 300 seconds. However, if you do not specify a value, the default is 600 seconds. This field is optional on the server level, but required on the cell level.
- Specify a value, in seconds, for the Nonce maximum age field. The value specified for the Nonce maximum age field indicates how long the nonce is valid. We must specify a minimum of 300 seconds, but the value cannot exceed the number of seconds specified for the Nonce cache timeout field. If you do not specify a value, the default is 300 seconds.
In a WAS ND environment, this field is optional on the server level, but it is required on the cell level.
- Specify a value, in seconds, for the Nonce clock skew field. The value specified for the Nonce clock skew field specifies the amount of time, in seconds, to consider when the message receiver checks the freshness of the value. Consider the following information when you set this value:
- Difference in time between the message sender and the message receiver, if the clocks are not synchronized.
- Time that is needed to encrypt and transmit the message.
- Time that is needed to get through network congestion.
At a minimum, specify 0 seconds in this field. However, the maximum value cannot exceed the number of seconds indicated in the Nonce maximum age field. If you do not specify a value, the default is 0 seconds. This field is optional on the server level, but required on the cell level.
- Optional: For WAS ND only, select Distribute nonce caching. This option enables you to distribute the caching for a nonce using a Data Replication Service (DRS). In previous releases of WAS, the nonce was cached locally. By selecting this option, the nonce is propagated to other servers in the environment. However, the nonce might be subject to a one-second delay in propagation and subject to any network congestion.
- Enable the dynamic cache service for each one of the application servers in your cluster.
To access the dynamic cache service through the admin console...
- Click Servers > Server Types > WebSphere application servers > server_name
- Under Container settings, click Container services > Dynamic cache service.
- Confirm that the Enable service at server startup option is selected.
- Specify the number of replication domains.
To specify the number of replicas, click
Environment > Replication domains. In a WAS ND environment, the Entire domain option for the number of replicas is recommended.
- Restart the server. If you change the nonce cache timeout value and do not restart the server, the change is not recognized by the server.
Configure Web Services Security using JAX-RPC at the platform level