Configure the Web Services Security distributed cache (WAS v8.5)
We can configure the Web Services Security runtime to use the security distributed cache to store security tokens. Web Services Security functions such as secure conversation, trust, and nonce store their security tokens in the distributed cache when it is enabled; if the distributed cache option is not selected, a local cache is used instead. WebSphere Application Server supports distributed caching for the tokens in both cluster and non-cluster environments. In a cluster environment, we can configure the security cache to be distributed, in which case all servers in the cluster share information about issued tokens.
- To configure the secure conversation client cache, click Services > Security cache.
- Change the time in minutes in the Time token is in cache after timeout field. The default is 120 minutes and the minimum allowable value is 10 minutes; a smaller value cannot be entered. This field specifies the number of minutes the token remains in the cache after its expiration time has passed (the cache persist period).
- Change the time in minutes in the Renewal interval before token timeout field. The default and the minimum allowable value are both 10 minutes; a smaller value cannot be entered. This field specifies the window of time before the token expires during which the client attempts to renew it: if the token is accessed inside this window, the client renews it so that a downstream call can complete.
It is important that this setting be set to a length of time that is longer than the longest possible transaction. This value must include the time it takes to transport to and from the server, the time needed by the server to process the request, and the time that is cached by reliable messaging, if appropriate. Setting this value to a length of time that is too small might result in the token expiring in the middle of a transaction and might prevent the transaction from completing.
If the Security Context Token is renewed too often, it might cause Web Services Secure Conversation (WS-SecureConversation) to fail or even cause an out-of-memory error to occur. The Renewal interval before token timeout value for the secure conversation client cache must be less than the token timeout value for the Security Context Token. It is also suggested that the token timeout value be at least two times the renewal interval before token timeout value.
- Select the Enable distributed caching check box to share the tokens across the cluster. When the check box is selected to enable distributed caching, choose one of the following settings for updating the caches.
- Synchronous update of cluster members: performs synchronous update of cache objects on cluster members (default).
- Asynchronous update of cluster members: performs a non-synchronous update of the cache on cluster members. This setting allows interoperability with cluster members that use the older style of updating as implemented in versions of WAS prior to version 7.0.
- Token recovery support: assigns a shared data source as the distributed cache.
If token recovery support is selected as the update method, select a cell-level data source from the drop-down list. Token state data is saved in the database defined by that data source. If there are no available data sources in the list, click Manage data sources to add one or more new data source objects. The data source object supplies an application with connections for accessing the database.
- To create a new custom property, click New. For example, you might add the cancelActionRST custom property with a value of http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel.
- To edit an existing custom property, select the check box for the name of the existing custom property, and then click Edit. For example, you might change the name or the value of the cancelActionRST custom property.
- Click Apply to save and apply the changes.
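The following is an added example, not WebSphere code: it checks a set of security cache values against the constraints stated in the steps above (10 minute minimums, renewal interval shorter than the SCT timeout, timeout at least twice the renewal interval, renewal interval longer than the longest transaction) and shows, for a given token, when the client cache will use, renew, keep, or drop it. The SCT timeout and longest transaction duration are assumed inputs; the page does not fix them.

```python
"""Constraint check and timeline for the secure conversation client cache.
Added example, not part of the WebSphere product or its documentation.
All values are in minutes, mirroring the dmgr console fields."""
from dataclasses import dataclass

MIN_MINUTES = 10  # console minimum for both cache fields


@dataclass(frozen=True)
class SecurityCacheSettings:
    minutes_in_cache_after_timeout: int = 120  # "Time token is in cache after timeout"
    renewal_interval_minutes: int = 10         # "Renewal interval before token timeout"
    sct_timeout_minutes: int = 120             # assumed SCT lifetime set on the trust service
    longest_transaction_minutes: int = 5       # assumed worst-case end-to-end call time


def validate(cfg: SecurityCacheSettings) -> list[str]:
    """Return the list of violated constraints (empty list means the settings are sane)."""
    problems = []
    if cfg.minutes_in_cache_after_timeout < MIN_MINUTES:
        problems.append("cache persist period below the 10 minute minimum")
    if cfg.renewal_interval_minutes < MIN_MINUTES:
        problems.append("renewal interval below the 10 minute minimum")
    if cfg.renewal_interval_minutes >= cfg.sct_timeout_minutes:
        problems.append("renewal interval must be less than the SCT timeout")
    if cfg.sct_timeout_minutes < 2 * cfg.renewal_interval_minutes:
        problems.append("SCT timeout should be at least twice the renewal interval")
    if cfg.renewal_interval_minutes <= cfg.longest_transaction_minutes:
        problems.append("renewal interval must exceed the longest transaction")
    return problems


def token_action(cfg: SecurityCacheSettings, issued_at: int, now: int) -> str:
    """What the client cache does with a token accessed at 'now':
    'use', 'renew' (inside the renewal window), 'expired-in-cache'
    (past expiry but within the persist period) or 'evicted'."""
    expires_at = issued_at + cfg.sct_timeout_minutes
    evict_at = expires_at + cfg.minutes_in_cache_after_timeout
    if now >= evict_at:
        return "evicted"
    if now >= expires_at:
        return "expired-in-cache"
    if now >= expires_at - cfg.renewal_interval_minutes:
        return "renew"
    return "use"
```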
Results
You have provided the basic information to configure the Web Services Security distributed cache. Use either the dmgr console or wsadmin to modify the security cache configuration.
We can also add or delete custom properties for the trust service using wsadmin. The wsadmin tool examples are written in the Jython scripting language.
Subtopics
- Security cache settings
Use this page to configure the Web Services Secure Conversation (WS-SecureConversation) security local and distributed cache settings using the dmgr console.
Related concepts:
Web Services Secure Conversation
Secure conversation client cache and trust service configuration
Related
Configure WS-SecureConversation to work with WS-ReliableMessaging