Token generator configuration settings

Use this page to specify the information for the token generator. The information is used at the generator side only to generate the security token. To view this administrative console page for the cell level, complete the following steps:

Click Security > Web services .
Under Default generator bindings, click Token generators > token_generator_name or click New to create a new token generator.

To view this administrative console page for the server level, complete the following steps:

Click Servers > Application servers > server_name.
Under Security, click Web services: Default bindings for Web services security .
Under Default generator bindings, click Token generators > token_generator_name or click New to create a new token generator.

Click Applications > Enterprise applications > application_name.
Under Related items, click EJB modules or Web modules > URI_name.
Under Additional properties, you can access the token generator information for the following bindings:
- For the Request generator (sender) binding, click Web services: Client
  security bindings . Under Request generator (sender) binding, click Edit custom .
- For the Response generator (sender) binding, click Web services: Server
  security bindings . Under Response generator (sender) binding, click Edit custom .
Click New to create a new token generator or click the name of an existing token generator name to specify its settings.

To view this administrative console page for the application level, complete the following steps:

Click Applications > Enterprise applications > application_name.
Under Related items, click EJB modules or Web modules > URI_name.
Under Additional properties, click Web services: Client security bindings .
Under Request generator (sender) binding, click Edit custom .
Under Additional properties, click Token generators > New .

Before specifying additional properties, specify a value in the Token generator name and the Token generator class name fields.

Token generator name

The name of the token generator configuration.

Token generator class name

The name of the token generator implementation class.

This class must implement the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent interface.

Certificate path

The certificate revocation list (CRL) that is used for generating a security token wrapped in a PKCS#7 token type with CRL.

When the token generator is not for a PKCS#7 token type, select None . When the token generator is for the PKCS#7 token type and you want to package
CRL in the security token, select Dedicated signing information and specify the CRL for the collection certificate store. You can specify a certificate store configuration for the following bindings on the following levels:

Binding name Cell level, server level, or application level Path

Default generator bindings Cell level

Click Security > Web services .
Under Additional properties, click Collection certificate store .

Default generator bindings Server level

Click Servers > Application servers > server_name.
Under Security, click Web services: Default bindings for Web services security .
Under Additional properties, click Collection certificate store .

Binding name	Cell level, server level, or application level	Path
Default generator bindings	Cell level	Click Security > Web services . Under Additional properties, click Collection certificate store .
Default generator bindings	Server level	Click Servers > Application servers > server_name. Under Security, click Web services: Default bindings for Web services security . Under Additional properties, click Collection certificate store .

Using the collection certificate store, you can configure a related certificate revocation list by clicking Certificate revocation list under Additional properties.

Add nonce

Indicates whether nonce is included in the user name token for the token generator. Nonce is a unique cryptographic number that is embedded in a message to help stop repeat, unauthorized attacks of user name tokens. On the application level, if you select the Add nonce option, you can specify the following properties under Additional properties:

Table 1. Additional nonce properties

Property name Default value Explanation

com.ibm.ws.wssecurity.config.token. BasicAuth.Nonce.cacheTimeout
600 seconds The timeout value, in seconds, for the nonce value that is cached on the server.

com.ibm.ws.wssecurity.config.token. BasicAuth.Nonce.clockSkew
0 seconds The time, in seconds, before the nonce time stamp expires.

com.ibm.ws.wssecurity.config.token. BasicAuth.Nonce.maxAge
300 seconds The clock skew value, in seconds, to consider when WebSphere Application Server checks the timeliness of the message.

These properties are available on the administrative console at the cell and server level. However, on the application level, you can configure the properties under Additional properties.

Table 1. Additional nonce properties
Property name	Default value	Explanation
com.ibm.ws.wssecurity.config.token. BasicAuth.Nonce.cacheTimeout	600 seconds	The timeout value, in seconds, for the nonce value that is cached on the server.
com.ibm.ws.wssecurity.config.token. BasicAuth.Nonce.clockSkew	0 seconds	The time, in seconds, before the nonce time stamp expires.
com.ibm.ws.wssecurity.config.token. BasicAuth.Nonce.maxAge	300 seconds	The clock skew value, in seconds, to consider when WebSphere Application Server checks the timeliness of the message.

This option is displayed on the cell, server, and application levels. This option is valid only when the generated token type is a user name token.

Add timestamp

Whether to insert the time stamp into the user name token.

This option is displayed on the cell, server, and application levels. This option is valid only when the generated token type is a user name token.

Value type local name

The local name of the value type for the generated token. For a user name token and an X.509 certificate security token, WebSphere Application Server provides predefined value types. When you specify the following local names, you do not need to specify the URI of value type.

Username token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
X509 certificate token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509
X509 certificates in a PKIPath: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
A list of X509 certificates and CRLs in a PKCS#7: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
LTPA

Important: For LTPA, the value type local name is LTPA. If you enter LTPA for the local name, specify the http://www.ibm.com/websphere/appserver/tokentype/5.0.2 URI value in the Value type URI field as well. For the other predefined value types (Username token, X509 certificate token, X509 certificates in a PKIPath, and a list of X509 certificates and CRLs in a PKCS#7), the value for the local name field begins with http://. For example, if you are specifying the user name token for the value type, enter http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken in the Value type local name field and then you do not need to enter a value in the Value type URI field.

When you specify a custom value type for custom tokens, you can specify the local name and the URI of the quality name (QName) of the value type. For example, you might specify Custom for the local name and http://www.ibm.com/custom for the URI.

Value type URI

The namespace URI of the value type for the generated token.

When you specify the token generator for the user name token or the X.509 certificate security token, you do not need to specify this option. If you want to specify another token, specify the URI of the QName of the value type.

WebSphere Application Server provides the following predefined value type URI for the LTPA token: http://www.ibm.com/websphere/appserver/tokentype/5.0.2

Searchable topic ID: uwbs_tokengeneratorn