Web services: default bindings for the Web services security collection

Use this page to configure the nonce settings at the server level and to manage the default bindings for trust anchors, the collection certificate store, key locators, trusted ID evaluators, and login mappings.
To view this administrative console page, click Servers > Application Servers > server_name. Under Additional Properties, click Web Services: Default bindings for Web Services Security.
Read the Web services documentation before you begin defining the default bindings for Web services security.
To define the server bindings, complete the following steps:
To define the client bindings, complete the following steps:
A nonce is a unique, randomly generated cryptographic value embedded in a message so that a captured user name token cannot be replayed: the receiving server remembers the nonces it has accepted and rejects a message whose nonce it has already seen. In a base WebSphere Application Server environment, you must specify values for the Nonce Cache Timeout, Nonce Maximum Age, and Nonce Clock Skew fields at the server level.
The default binding configuration provides a central location where reusable binding information is defined. The application binding file can reference the information contained in the default binding configuration.
Nonce Cache Timeout (Release 5.1 and later)

The Nonce Cache Timeout field is required for the base WebSphere Application Server environment. It specifies, in seconds, how long the server keeps a received nonce in its cache; a message that repeats a cached nonce is rejected.

If you change the nonce cache timeout value, you must restart WebSphere Application Server for the change to take effect.

| Setting | Value |
|---|---|
| Default | 600 seconds |
| Minimum | 300 seconds |
Nonce Maximum Age (Release 5.1 and later)

The Nonce Maximum Age field is required for the base WebSphere Application Server environment. It specifies, in seconds, how long after its creation timestamp a nonce is still accepted; older messages are rejected even if their nonce has never been seen. The value cannot exceed the Nonce Cache Timeout value for the server level. That constraint is what makes the cache effective: a nonce must stay cached for at least as long as the message carrying it could still be accepted, otherwise the nonce could be evicted from the cache and the message replayed while still within its maximum age. The value set for this server-level field also must not exceed the Nonce Maximum Age value set at the cell level, which you can access by clicking Security > Web Services > Properties.

| Setting | Value |
|---|---|
| Default | 300 seconds |
| Range | 300 seconds to the Nonce Cache Timeout value |
Nonce Clock Skew (Release 5.1 and later)

The Nonce Clock Skew field is required for the base WebSphere Application Server environment. It specifies, in seconds, the difference between the clock of the message sender and the clock of the receiving server that is tolerated when the nonce creation timestamp is checked against the Nonce Maximum Age. The value cannot exceed the number of seconds specified in the Nonce Maximum Age field.

| Setting | Value |
|---|---|
| Default | 0 seconds |
| Range | 0 seconds to the Nonce Maximum Age value |
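The three nonce fields together define a replay window. The following Go program is an added illustration of that logic, not WebSphere code: it models the field bounds given on this page and a nonce cache that rejects a repeated nonce, a token whose creation timestamp is older than the maximum age, and a token whose creation timestamp is further ahead of the server clock than the clock skew allows. The NoncePolicy, UsernameToken and NonceCache names, the sample nonce and the timeline are assumptions made for the example; anchoring a cache entry at the later of the receive time and the token's Created time is the example's own way of guaranteeing the entry outlives the token, and is not a claim about how WebSphere implements its cache.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// NoncePolicy models the three server-level nonce fields described on this page.
type NoncePolicy struct {
	CacheTimeout time.Duration // Nonce Cache Timeout: how long a received nonce is remembered
	MaxAge       time.Duration // Nonce Maximum Age: how old a token's Created timestamp may be
	ClockSkew    time.Duration // Nonce Clock Skew: how far ahead the sender's clock may run
}

// Validate applies the bounds the page gives for a base server:
// Cache Timeout >= 300s, 300s <= Max Age <= Cache Timeout, 0 <= Clock Skew <= Max Age.
func (p NoncePolicy) Validate() error {
	const floor = 300 * time.Second
	switch {
	case p.CacheTimeout < floor:
		return fmt.Errorf("Nonce Cache Timeout %v is below the %v minimum", p.CacheTimeout, floor)
	case p.MaxAge < floor || p.MaxAge > p.CacheTimeout:
		return fmt.Errorf("Nonce Maximum Age %v must be in [%v, %v]", p.MaxAge, floor, p.CacheTimeout)
	case p.ClockSkew < 0 || p.ClockSkew > p.MaxAge:
		return fmt.Errorf("Nonce Clock Skew %v must be in [0, %v]", p.ClockSkew, p.MaxAge)
	}
	return nil
}

// UsernameToken holds only the parts of a WS-Security UsernameToken the replay check needs
// (password digest verification is out of scope here). Hypothetical type for the example.
type UsernameToken struct {
	Username string
	Nonce    string    // the <wsse:Nonce> value, treated as an opaque string
	Created  time.Time // the <wsu:Created> timestamp
}

var (
	ErrReplay = errors.New("nonce already seen within the cache timeout")
	ErrStale  = errors.New("token Created is older than Nonce Maximum Age")
	ErrFuture = errors.New("token Created is further ahead than Nonce Clock Skew allows")
)

// NonceCache remembers accepted nonces so a captured token cannot be replayed.
type NonceCache struct {
	policy NoncePolicy
	seen   map[string]time.Time // nonce -> instant the cache entry is anchored at
}

func NewNonceCache(p NoncePolicy) (*NonceCache, error) {
	if err := p.Validate(); err != nil {
		return nil, err
	}
	return &NonceCache{policy: p, seen: make(map[string]time.Time)}, nil
}

// Accept records the nonce and returns nil if the token is fresh, otherwise one of the Err* values.
// now is passed in rather than read from the clock so the check is deterministic and testable.
func (c *NonceCache) Accept(tok UsernameToken, now time.Time) error {
	// Evict entries older than the cache timeout (a real server would do this on a timer).
	for n, anchored := range c.seen {
		if now.Sub(anchored) > c.policy.CacheTimeout {
			delete(c.seen, n)
		}
	}
	age := now.Sub(tok.Created)
	switch {
	case age > c.policy.MaxAge:
		return ErrStale // expired tokens are refused even if their nonce was never seen
	case age < -c.policy.ClockSkew:
		return ErrFuture // also stops a sender pre-dating a token to extend its life
	}
	if _, dup := c.seen[tok.Nonce]; dup {
		return ErrReplay
	}
	// Anchor the entry at the later of receive time and Created: the token stays acceptable
	// until Created + MaxAge, and since MaxAge <= CacheTimeout the entry is still cached at
	// that instant, so no replay can slip in between eviction and expiry.
	anchor := now
	if tok.Created.After(now) {
		anchor = tok.Created
	}
	c.seen[tok.Nonce] = anchor
	return nil
}

func main() {
	cache, err := NewNonceCache(NoncePolicy{CacheTimeout: 600 * time.Second, MaxAge: 300 * time.Second})
	if err != nil {
		panic(err)
	}
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed timeline for the example
	tok := UsernameToken{Username: "userA", Nonce: "b1ZTU1d1N3VqMXhF", Created: t0}
	fmt.Println("first delivery:", cache.Accept(tok, t0.Add(5*time.Second)))          // <nil>
	fmt.Println("replayed 10s later:", cache.Accept(tok, t0.Add(10*time.Second)))     // ErrReplay
	fmt.Println("replayed after max age:", cache.Accept(tok, t0.Add(301*time.Second))) // ErrStale
}
```

With the page's defaults (600 s cache timeout, 300 s maximum age, 0 s clock skew) the same token is rejected as a replay while cached and as stale once its age passes 300 s; raising ClockSkew admits tokens whose Created is slightly in the future without widening the replay window, because the cache entry is anchored at the Created time in that case.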
Trust anchors

A trust anchor is a keystore that holds the certificates of the certificate authorities (CAs) you trust. A CA authenticates a subject and issues it a certificate; the CA certificates in the trust anchor keystore are then used as the trusted roots for certificate path (certificate chain) validation of incoming X.509-formatted security tokens. Any certificate placed in this keystore is trusted outright, so it should contain only the CA certificates you intend to trust, not certificates you would rather have validated.

Collection certificate store

The collection certificate store holds the intermediate certificates that are not themselves trusted but are needed to build the chain from an incoming X.509 token up to a trust anchor. The CertPath API uses these certificates to construct the certification path and then validates that path against the trust anchors; a chain that cannot be linked to a trust anchor is rejected.
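The following Go program is an added example, not WebSphere code, of the path validation that the trust anchor and collection certificate store support. It generates a root CA, an issuing (intermediate) CA and a user certificate in memory (constructed for the example, with sequential serial numbers), places the root in the trust anchor role and the intermediate in the collection store role, and shows which combinations validate. Go's crypto/x509 verifier stands in for the CertPath API; the issue, buildPKI, certs and validatePath names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serialCounter int64 // constructed in-memory PKI only; real CAs use random serials

// issue creates a certificate for subject signed by parent; a nil parent gives a self-signed root CA.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serialCounter),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

type pki struct{ root, inter, leaf *x509.Certificate } // root CA -> issuing CA -> user certificate

func buildPKI(org string) pki {
	root, rootKey := issue(org+" Root CA", true, nil, nil)
	inter, interKey := issue(org+" Issuing CA", true, root, rootKey)
	leaf, _ := issue("userA@"+org, false, inter, interKey)
	return pki{root: root, inter: inter, leaf: leaf}
}

func certs(cs ...*x509.Certificate) []*x509.Certificate { return cs }

// validatePath stands in for CertPath validation: anchors is the trust anchor keystore (trusted outright),
// collection is the collection certificate store (untrusted intermediates used only to link the chain).
func validatePath(leaf *x509.Certificate, anchors, collection []*x509.Certificate) ([]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range collection {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // token signing is not TLS serverAuth
	})
	if err != nil {
		return nil, err
	}
	return chains[0], nil // leaf first, trust anchor last
}

func main() {
	good, rogue := buildPKI("example"), buildPKI("rogue") // rogue is a hierarchy the server never trusts
	cases := []struct {
		label               string
		leaf                *x509.Certificate
		anchors, collection []*x509.Certificate
	}{
		{"root anchored, intermediate in collection", good.leaf, certs(good.root), certs(good.inter)},
		{"root anchored, collection empty", good.leaf, certs(good.root), certs()},
		{"token from a hierarchy with no anchor", rogue.leaf, certs(good.root), certs(rogue.inter, good.inter)},
		{"intermediate placed in the anchors", good.leaf, certs(good.inter), certs()},
	}
	for _, c := range cases {
		chain, err := validatePath(c.leaf, c.anchors, c.collection)
		fmt.Printf("%-45s chain length %d, err: %v\n", c.label, len(chain), err)
	}
}
```

The second case fails because the collection store cannot link the user certificate to the anchor, and the third fails because an intermediate in the collection store never confers trust on its own. The fourth case succeeds with a two-certificate chain, which is the caveat for the trust anchor keystore: whatever you put there is trusted unconditionally, so an intermediate placed in the anchors is accepted without its root ever being checked.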
Trusted ID evaluators

The trusted ID evaluators decide whether one server is allowed to assert the identity of a user to another server. For example, a client sends the identity of user A to server 1 for authentication. Server 1 calls downstream to server 2, asserts the identity of user A, and includes the user ID and password of server 1. Server 2 attempts to establish trust with server 1 by authenticating its user ID and password and checking the trust based on the TrustedIDEvaluator implementation. If the authentication process and the trust check are successful, server 2 trusts that server 1 authenticated user A, and a credential is created for user A on server 2 to invoke the request. The trust check is what stops any authenticated caller from asserting an arbitrary identity: only an ID the evaluator regards as trusted may assert identities, so the set of trusted IDs should be limited to the intermediary servers you control.
Login mappings

Login mappings map the authentication method to the Java Authentication and Authorization Service (JAAS) configuration.
To configure JAAS, use the administrative console and click Security > JAAS Configuration.