Each wsse:UsernameToken contains a timestamp inserted into the
<wsu:Created> element. Using this timestamp together with
the details entered in this section, the Enterprise Gateway can determine whether the WS-Security
UsernameToken has expired. The <wsu:Created>
element is as follows:
    <wsse:UsernameToken wsu:Id="oracle"
        xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
      <wsu:Created>2006.01.13T-10:42:43Z</wsu:Created>
      ...
    </wsse:UsernameToken>

To configure token validation settings, complete the following fields:
Drift Time:
Specifies, in seconds, the allowed difference between the clock on the
machine that generated the token and the clock on the machine running the
Enterprise Gateway. Using the start time, end time, and drift time, the token
is considered valid if the current time falls between the following times:

    [start - drift] and [start + drift + end]

Validity Period:
Specifies the lifetime of the token, where the value of the
<wsu:Created> element represents the
start time of the assertion, and the time period
entered represents the end time.
Timestamp Required:
Select this option if you want to ensure that the Username Token contains
a timestamp. If no timestamp is found in the Username Token, a SOAP Fault
is returned.
Nonce Required:
Select this option to ensure that the Username Token contains a
<wsse:Nonce> element. This is a randomly generated
number that is added to the message. You can use the combination of a timestamp
and a nonce to help prevent replay attacks.
Select cache to store WSS username token nonces in:
Click the button on the right, and select the cache that stores the nonce value
(for example, Kerberos Session Keys). Defaults to the local WSS
Username Token Nonce Cache.
To add a cache, right-click the Caches tree node, and select
Add Local Cache or Add Distributed Cache.
Alternatively, you can configure caches under the Libraries
node in the Policy Studio tree. For more details, see the topic on Global Caches.
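As an added example, not code from the Enterprise Gateway documentation or product, the following Python script applies the checks described above (Timestamp Required, Nonce Required, the drift/validity window, and nonce replay detection against a cache) to constructed UsernameToken samples. It assumes the wsu:Created value is in ISO 8601 form such as 2006-01-13T10:42:43Z, matches elements by local name so that either the 2003 or the OASIS wsse/wsu namespaces are accepted, and uses an in-memory dictionary as a stand-in for the gateway's nonce cache; the setting names, helper names and sample values are ours.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


# Settings mirroring the fields described on this page (names are ours, not
# the Enterprise Gateway's own configuration keys).
@dataclass
class TokenSettings:
    drift_seconds: int = 60
    validity_seconds: int = 300
    timestamp_required: bool = True
    nonce_required: bool = True


# Stand-in for the gateway's nonce cache: nonce -> time after which the
# entry may be forgotten (a token that old fails the time check anyway).
@dataclass
class NonceCache:
    entries: dict = field(default_factory=dict)

    def seen_or_record(self, nonce: str, expires: datetime, now: datetime) -> bool:
        for key in [k for k, exp in self.entries.items() if exp < now]:
            del self.entries[key]
        if nonce in self.entries:
            return True  # replay: this nonce was already accepted
        self.entries[nonce] = expires
        return False


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _first(elem, name):
    # Match on local name so both 2003-era and OASIS wsse/wsu namespaces work.
    return next((e for e in elem.iter() if _local(e.tag) == name), None)


def parse_created(text: str) -> datetime:
    # Assumed ISO 8601 UTC form, e.g. 2006-01-13T10:42:43Z.
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_username_token(xml_text: str, settings: TokenSettings,
                            cache: NonceCache, now: datetime):
    """Return (True, 'ok') or (False, <fault reason>) for one UsernameToken."""
    token = _first(ET.fromstring(xml_text), "UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    created = _first(token, "Created")
    nonce = _first(token, "Nonce")
    if created is None and settings.timestamp_required:
        return False, "timestamp required"
    if nonce is None and settings.nonce_required:
        return False, "nonce required"
    expires = now
    if created is not None:
        try:
            start = parse_created(created.text or "")
        except ValueError:
            return False, "unparseable wsu:Created"
        drift = timedelta(seconds=settings.drift_seconds)
        end = timedelta(seconds=settings.validity_seconds)
        # Validity window from the page: [start - drift, start + drift + end]
        if not (start - drift <= now <= start + drift + end):
            return False, "token expired"
        expires = start + drift + end
    if nonce is not None and cache.seen_or_record((nonce.text or "").strip(), expires, now):
        return False, "nonce replayed"
    return True, "ok"


def build_token(created=None, nonce=None) -> str:
    # Constructed sample token; omit created/nonce to exercise the checks.
    parts = ["<wsse:Username>alice</wsse:Username>"]
    if nonce is not None:
        parts.append(f"<wsse:Nonce>{nonce}</wsse:Nonce>")
    if created is not None:
        parts.append(f"<wsu:Created>{created}</wsu:Created>")
    return ('<wsse:UsernameToken wsu:Id="oracle" '
            'xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext" '
            'xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">'
            + "".join(parts) + "</wsse:UsernameToken>")


def run_demo():
    settings = TokenSettings(drift_seconds=60, validity_seconds=300)
    cache = NonceCache()
    created = "2006-01-13T10:42:43Z"
    now = datetime(2006, 1, 13, 10, 43, 0, tzinfo=timezone.utc)
    results = {
        "fresh": validate_username_token(build_token(created, "n1"), settings, cache, now),
        "replay": validate_username_token(build_token(created, "n1"), settings, cache, now),
        "late": validate_username_token(build_token(created, "n2"), settings, cache,
                                        now + timedelta(seconds=600)),
        "no_nonce": validate_username_token(build_token(created, None), settings, cache, now),
        "no_timestamp": validate_username_token(build_token(None, "n3"), settings, cache, now),
        "early_within_drift": validate_username_token(build_token(created, "n4"), settings, cache,
                                                      now - timedelta(seconds=50)),
    }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20s} {outcome}")
```

The cache keeps a nonce only until start + drift + end; after that moment the same token would be rejected by the time check, so the cache does not need to remember it any longer. This is why the page pairs Nonce Required with a timestamp: without the window, the nonce cache would have to grow without bound to stay effective against replay.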