WAS v8.5 > Secure applications > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-RPC web services > Configure Web Services Security using JAX-RPC at the platform level

Configure a nonce on the server level

We can configure nonce for the server using the WebSphere Application Server dmgr console. Nonce is a randomly generated, cryptographic token used to prevent replay attacks of user name tokens used with SOAP messages. Typically, nonce is used with the user name token.

We can configure nonce at the application level and the server level. However, you must consider the order of precedence. The following list shows the order of precedence:

  1. Application level

    The application level settings for the nonce maximum age and nonce clock skew fields are specified through the additional properties.

  2. Server level

If you configure nonce on the application level and the server level, the values specified for the application level take precedence over the values specified for the server level. Likewise, the values specified for the application level take precedence over the values specified for the server level. To configure nonce on the server level:

To configure a nonce on the server level:

  1. Access the default bindings for the server level.

    1. Click Servers > Server Types > WebSphere application servers > server_name.

    2. Under Security, click JAX-WS and JAX-RPC security runtime.

      In a mixed node cell with a server using WAS version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  2. Specify a value, in seconds, for the Nonce cache timeout field. The value specified for the Nonce cache timeout field indicates how long the nonce remains cached before it is discarded. Specify a minimum of 300 seconds. However, if we do not specify a value, the default is 600 seconds. This field is optional on the server level.

  3. Specify a value, in seconds, for the Nonce maximum age field. The value specified for the Nonce maximum age field indicates how long the nonce is valid. Specify a minimum of 300 seconds, but the value cannot exceed the number of seconds specified for the Nonce cache timeout field. If we do not specify a value, the default is 300 seconds. This field is optional on the server level.

  4. Specify a value, in seconds, for the Nonce clock skew field. The value specified for the Nonce clock skew field specifies the amount of time, in seconds, to consider when the message receiver checks the freshness of the value. Consider the following information when we set this value:

    • Difference in time between the message sender and the message receiver, if the clocks are not synchronized.
    • Time needed to encrypt and transmit the message.
    • Time needed to get through network congestion.

    At a minimum, specify 0 seconds in this field. However, the maximum value cannot exceed the number of seconds indicated in the Nonce maximum age field. If we do not specify a value, the default is 0 seconds. This field is optional on the server level.

  5. Optional: For WAS, Network Deployment only, select Distribute nonce caching. This option enables you to distribute the caching for a nonce using a Data Replication Service (DRS). In previous releases of WAS, the nonce was cached locally. By selecting this option, the nonce is propagated to other servers in the environment. However, the nonce might be subject to a one-second delay in propagation and subject to any network congestion.

  6. Restart the server. If you change the nonce cache timeout value and do not restart the server, the change is not recognized by the server.


+

Search Tips   |   Advanced Search