Configure nonce for the application level

Important: The information in this article supports version 5.x applications only that are used with WebSphere Application Server Version 6. The information does not apply to version 6 applications.

Nonce is a randomly generated, cryptographic token used to thwart the highjacking of username tokens used with Simple Object Access Protocol (SOAP) messages. Nonce is used in conjunction with the BasicAuth authentication method.

This task provides instructions on how to configure nonce for the application level using the WebSphere Application Server administrative console.

You can configure nonce at the application level, the server level, and cell level. However, consider the order of precedence:

1. Application level

2. Server level

3. Cell level

If you configure nonce on the application level and the server level, the values specified for the application level take precedence over the values specified for the server level.

Likewise, the values specified for the application level take precedence over the values specified for the server level and cell level.

1. Connect to the administrative console by typing http://localhost:9060/ibm/console in your Web browser unless you have changed the port number.

2. Click Applications > Enterprise applications > application_name.

3. Under Related Items, click Web module or EJB module > URI_name.

4. Under Additional properties, click Web services: Server security bindings .

5. Click Edit under Request receiver binding

6. Under Additional properties, click Login mappings > New .

7. Specify (optional) a value, in seconds, for the Nonce maximum age field. This panel is optional and only valid if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify values for this field, the following error message displays and remove the specified value:

   Nonce is not supported for authentication methods other than
   BasicAuth . If you specify BasicAuth , but do not specify values for the Nonce maximum age field, the Web services
   security run time searches for a Nonce Maximum Age value on the server level. If a value is not found on the server level, the run time searches the cell level. If a value is not found on either the server level or the cell level, the default is 300 seconds.

   The value specified for the Nonce Maximum Age field indicates how long the nonce is valid. You must specify a minimum of 300 seconds, but the value cannot exceed the number of seconds specified for the Nonce Cache Timeout field for either the server level or the cell level You can specify the Nonce Cache Timeout value for the server level by completing the following steps:

   1. Click Servers > Application servers > server_name.

   2. Under Security, click Web Services: Default bindings for Web services security .

   You can specify the Nonce Cache Timeout value for the cell level by clicking Security > Web services .

8. Specify (optional) a value, in seconds, for the Nonce clock skew field. The value specified for the Nonce Clock Skew field specifies the amount of time, in seconds, to consider when the message receiver checks the timeliness of the value. This panel is optional and only valid if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify values for this field, the following error message displays and remove the specified value:

   Nonce is not supported for authentication methods other than
   BasicAuth . If you specify BasicAuth , but do not specify values for the Nonce clock skew field, the Web services
   security run time searches for a Nonce clock skew value on the server level. If a value is not found on the server level, the run time searches the cell level. If a value is not found on either the server level or the cell level, the default is 0 seconds. Consider the following information when you set this value:

   • Difference in time between the message sender and the message receiver if the clocks are not synchronized.

   • Time needed to encrypt and transmit the message.

   • Time needed to get through network congestion.

9. Restart the server.

Related concepts
Nonce, a randomly generated token
Username token element

Related tasks
Configuring nonce for the cell level
Configuring nonce for the server level

Related reference
Default bindings for Web services security