
Configure nonce for the application level

A nonce is a randomly generated cryptographic token used to thwart the hijacking (replay) of Username tokens carried in SOAP messages. Use nonce in conjunction with the basic authentication (BasicAuth) method. We can configure nonce for the application level using the WebSphere Application Server dmgr console. The information in this article applies only to v5.x applications running on WAS v6.0.x and later; it does not apply to applications written for v6.0.x and later.

We can configure nonce at the application level and server level.

However, you must consider the order of precedence:

  1. Application level
  2. Server level

If you configure nonce on the application level and the server level, the values specified for the application level take precedence over the values specified for the server level.

  1. Connect to the dmgr console.

    Type http://localhost:port_number/ibm/console in the web browser, substituting the dmgr console port number if it has been changed from the default.

  2. Click Applications > Application Types > WebSphere enterprise applications > application_name.

  3. Under Manage modules, click URI_name.

  4. Under Web Services Security Properties, click Web services: Server security bindings.

  5. Click Edit under Request receiver binding.

  6. Under Additional properties, click Login mappings > New.

  7. Optionally, specify a value, in seconds, for the Nonce maximum age field. This field is valid only if the BasicAuth authentication method is specified. If we specify another authentication method and attempt to specify a value for this field, the following error message displays and you must remove the specified value:
    Nonce is not supported for authentication methods other than 
    BasicAuth.
    If we specify BasicAuth but do not specify a value for the Nonce maximum age field, the Web Services Security runtime searches for a nonce maximum age value on the server level.

    The value specified for the Nonce maximum age field indicates how long a nonce remains valid after the sender created it. Specify a minimum of 300 seconds; however, the value cannot exceed the number of seconds specified for the Nonce cache timeout field for the server level, because a nonce must stay in the receiver's cache for at least as long as it is valid, or it could be evicted from the cache and replayed while still within its age limit.

    We can specify the nonce cache timeout value for the server level by completing the following steps:

    1. Click Servers > Server Types > WebSphere application servers > server_name.

    2. Under Security, click JAX-WS and JAX-RPC security runtime.

      In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  8. Optionally, specify a value, in seconds, for the Nonce clock skew field. This value is the allowance, in seconds, that the message receiver makes for the difference between its own clock and the sender's clock when it checks the timeliness of the nonce's creation time. This field is valid only if the BasicAuth authentication method is specified. If we specify another authentication method and attempt to specify a value for this field, the following error message displays and you must remove the specified value:
    Nonce is not supported for authentication methods other than 
    BasicAuth.
    If we specify BasicAuth but do not specify a value for the Nonce clock skew field, the Web Services Security runtime searches for a Nonce clock skew value on the server level.

    Consider the following when setting this value:

    • Difference in time between the message sender and the message receiver if the clocks are not synchronized.
    • Time needed to encrypt and transmit the message.
    • Time needed to get through network congestion.

  9. Restart the server.
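The checks that the Nonce maximum age, Nonce clock skew and server-level Nonce cache timeout settings control, as an added example that is not WebSphere code: a small Python model of a request receiver that parses a wsse:UsernameToken, validates its wsu:Created timestamp against a maximum age with a clock-skew allowance, keeps a nonce cache bounded by a cache timeout so a nonce is accepted only once, and refuses a maximum age larger than the cache timeout. The SOAP fragments, the NonceReceiver class and its parameter names are constructed for this example, and the tolerance rule it applies (Created may be at most clock_skew in the future and at most max_age + clock_skew in the past) is the example's own reading of the settings, not the documented WebSphere algorithm.

```python
"""Receiver-side freshness and replay check for a WS-Security UsernameToken.

Added illustration of the nonce settings described on this page; not WebSphere
code. The SOAP fragments, class and parameter names are constructed here.
"""
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU}


def build_username_token(username, created, nonce=None):
    """Build the wsse:Security header a BasicAuth sender emits with nonce enabled."""
    nonce = nonce if nonce is not None else os.urandom(16)  # sender picks a random nonce
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created.strftime("%Y-%m-%dT%H:%M:%SZ")}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security>'
    )


class NonceReceiver:
    """Constructed model of the request receiver; all settings are in seconds."""

    def __init__(self, max_age, clock_skew, cache_timeout):
        if max_age < 300:
            raise ValueError("Nonce maximum age must be at least 300 seconds")
        if max_age > cache_timeout:
            # A nonce evicted from the cache before it expires could be replayed.
            raise ValueError("Nonce maximum age cannot exceed the Nonce cache timeout")
        self.max_age = timedelta(seconds=max_age)
        self.clock_skew = timedelta(seconds=clock_skew)
        self.cache_timeout = timedelta(seconds=cache_timeout)
        self._seen = {}  # nonce (base64 text) -> receiver time it was first accepted

    def check(self, security_xml, now):
        """Return (accepted, reason); `now` is the receiver's own clock."""
        root = ET.fromstring(security_xml)
        token = root.find("wsse:UsernameToken", NS)
        nonce = token.findtext("wsse:Nonce", namespaces=NS)
        created = datetime.strptime(token.findtext("wsu:Created", namespaces=NS),
                                    "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Drop cache entries older than the cache timeout (a runtime does this on a timer).
        self._seen = {n: t for n, t in self._seen.items() if now - t < self.cache_timeout}
        # Timeliness: Created may sit ahead of our clock only by the allowed skew ...
        if created - now > self.clock_skew:
            return False, "Created timestamp is in the future beyond the clock skew"
        # ... and behind it by at most the maximum age plus the skew.
        if now - created > self.max_age + self.clock_skew:
            return False, "nonce has exceeded its maximum age"
        # Replay: each nonce is honoured once while it remains in the cache.
        if nonce in self._seen:
            return False, "nonce replayed"
        self._seen[nonce] = now
        return True, "accepted"


def demo():
    """Run constructed messages through a receiver (max age 300 s, skew 60 s, cache 600 s)."""
    rx = NonceReceiver(max_age=300, clock_skew=60, cache_timeout=600)
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fresh = build_username_token("alice", t0, nonce=b"\x01" * 16)
    return {
        "fresh": rx.check(fresh, t0 + timedelta(seconds=5))[0],
        "replayed": rx.check(fresh, t0 + timedelta(seconds=10))[0],
        "sender clock ahead within skew":
            rx.check(build_username_token("alice", t0 + timedelta(seconds=30)), t0)[0],
        "sender clock ahead beyond skew":
            rx.check(build_username_token("alice", t0 + timedelta(seconds=120)), t0)[0],
        "stale": rx.check(build_username_token("alice", t0), t0 + timedelta(seconds=400))[0],
    }


def rejects_max_age_over_cache_timeout():
    """Mirror the console's constraint: max age above the cache timeout is refused."""
    try:
        NonceReceiver(max_age=900, clock_skew=60, cache_timeout=600)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
    print("max age > cache timeout refused:", rejects_max_age_over_cache_timeout())
```

The skew allowance is applied on both sides of the receiver's clock, which is why a sender whose clock runs 30 seconds fast is accepted while one 120 seconds fast is not; the "stale" case shows that a message older than max age plus skew is rejected even though its nonce has never been seen, and the "replayed" case shows the cache catching a verbatim resend well inside the age window.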


Related concepts:

Nonce, a randomly generated token


Related tasks:


Configure nonce for the server level

