Configure nonce for the cell level

Nonce is a randomly generated, cryptographic token used to prevent the theft of username tokens, used with SOAP messages. Nonce is used in conjunction with the basic authentication (BasicAuth) method. We can configure nonce for the cell level using the WAS console.

Important: The information supports Version 5.x applications only used with WAS v6.0.x and later. The information does not apply to Version 6 and later applications.

We can configure nonce at the application level, the server level, and cell level. However, we must consider the order of precedence:

1. Application level

2. Server level

3. Cell level

If we configure nonce on the application level and the server level, the values specified for the application level take precedence over the values specified for the server level. Likewise, the values specified for the application level take precedence over the values specified for the server level and the cell level. In WebSphere Application Server Network Deployment, the Nonce cache timeout, Nonce maximum age, and Nonce clock skew fields are required to use nonce effectively. However, these fields are optional on the server level. Complete the following steps to configure nonce on the cell level:

1. Connect to the console.

   (dist)(zos) Type http://localhost:port_number/ibm/console in our web browser unless you have changed the port number.

   (iseries) Type http://server:port_number/ibm/console in our web browser unless you have changed the port number.

2. Click Servers > Server Types > WebSphere application servers > server.

3. Under Security, click security runtime.

   In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

4. Specify a value, in seconds, for the Nonce cache timeout field. The value specified for the Nonce cache timeout field indicates how long the nonce remains cached before it is expunged. Specify a minimum of 300 seconds. However, if we do not specify a value, the default is 600 seconds. This field is optional on the server level, but required on the cell level.

5. Specify a value, in seconds, for the Nonce maximum age field. The value specified for the Nonce maximum age field indicates how long the nonce is valid. Specify a minimum of 300 seconds, but the value cannot exceed the number of seconds specified for the Nonce cache timeout field in the previous step. If we do not specify a value, the default is 600 seconds. In a WAS Network Deployment environment or on the z/OS platform, if specified a value on the server level for the Nonce cache timeout field, the value cannot exceed the value specified for on the cell level for the Nonce cache timeout field. This field is optional on the server level, but required on the cell level

6. Specify a value, in seconds, for the Nonce clock skew field. The value specified for the Nonce clock skew field specifies the amount of time, in seconds, to consider when the message receiver checks the freshness of the value. Consider the following information when you set this value:

   • Difference in time between the message sender and the message receiver if the clocks are not synchronized.

   • Time needed to encrypt and transmit the message.

   • Time needed to get through network congestion.

   At a minimum, specify 0 seconds in this field. However, the maximum value cannot exceed the number of seconds indicated in the Nonce maximum age field. If we do not specify a value, the default is 0 seconds. This field is optional on the server level but required on the cell level.

7. Restart the server. If we change the Nonce cache timeout value and do not restart the server, the change is not recognized by the server.

Related concepts

Nonce, a randomly generated token

Related tasks

Configure nonce for the application level

Configure nonce for the server level

(dist)(zos) Default bindings and security runtime properties