For both distributed and local clients, the WebSphere Application
Server secure conversation client cache stores tokens on the client.
WebSphere Application Server supports caching of the Security Context
Token for both distributed and local clients. If the Security Context Token
is distributed, every client in the same replication domain uses the same Security
Context Token. The distributed cache also supports disk offload, which saves the
Security Context Token to disk so that it can be recovered after a restart.
If you choose to modify the default Secure Conversation cache settings,
use the administrative console to configure settings such as the following:
- Set the time that the token remains in the cache after timeout. The default
value is 10 minutes. This value is the window during which an expired token can still be renewed.
- Set the renewal interval before the token expires. The default value is
10 minutes, and the minimum value is 3 minutes. Entering a number less than
3 minutes causes an error.
Important: This setting represents the maximum round-trip time for a client to make a
request, the transport request to go to the server, the server to process
the request, and the transport response (if applicable) to return to the client.
If the value is too small, the token might expire during the round trip and
the client receives a failure response. If the value is too large, performance
diminishes, because the token is renewed more often than necessary. Renewing the
Security Context Token too often can cause Web Services Secure Conversation
(WS-SecureConversation) to fail or even cause an out-of-memory error. Set the
renewal interval before the token expires value for the secure conversation
client cache to a value less than the token timeout value of the Security
Context Token, and set the token timeout value to at least two times the
renewal interval before the token expires value.
- Enable the option to distribute the cache among configured clustered servers
in the same replication domain, if there are any clustered servers.
Important: This setting requires that WebSphere Application Server dynamic
cache service be enabled.
- Define a custom property, or edit or remove existing custom properties.
The WS-SecureConversation client rejects a Security Context Token whose issue
time is in the future. If you cannot synchronize the clocks of the client
machine and the service machine, configure a clock skew tolerance so that a
valid token is not rejected. The default clock skew is 3 minutes. To change the
default, add the following custom property and set it to the number of minutes
to tolerate:
clockSkewToleranceInMinutes
Alternatively, use the wsadmin commands to manage secure conversation client
cache configurations.
Thin client
For a web services application client
running outside WebSphere Application Server, the security context token is
cached only in the local Java process. The following system properties
override the default cache settings on the thin client:
- com.ibm.wsspi.wssecurity.SC.cache.cushion
- Specifies, in minutes, how long before expiry the client renews a security
context token used with WS-SecureConversation, so that the token still has
enough lifetime to complete the downstream call. This is the thin-client
counterpart of the renewal interval before the token expires setting. The default
value is 10 minutes, and the minimum value is 3 minutes.
- com.ibm.wsspi.wssecurity.SC.token.clockSkewTolerance
- Specifies the tolerant clock skew time for a token between two machines.
The default value is 3 minutes.
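The following script is an added example and is not part of the WebSphere documentation or product. It covers both the console settings above (renewal interval, time in cache after timeout, clock skew custom property) and the thin-client system properties: it checks a proposed set of values against the sizing rules stated on this page (renewal interval of at least 3 minutes, less than the token timeout, and token timeout at least twice the renewal interval), builds the -D flags for a thin client, and applies the settings through wsadmin when run there. The AdminTask command and parameter names (updateSCClientCacheConfiguration, updateSCClientCacheCustomProperties and their parameters) are assumptions about the SecureConversation command group; confirm them on your release with AdminTask.help() before use. The sample values are constructed.

```python
# Added example; not from the WebSphere documentation. It encodes the sizing
# rules stated above for the secure conversation client cache, builds the
# thin-client JVM flags, and, only when run under wsadmin, applies the
# settings. The AdminTask command and parameter names are assumptions taken
# from the SecureConversation command group; confirm them on your release with
# AdminTask.help('updateSCClientCacheConfiguration').

MIN_RENEW_INTERVAL_MINUTES = 3   # smaller values are rejected by the console and thin client
DEFAULT_CLOCK_SKEW_MINUTES = 3

CUSHION_PROPERTY = "com.ibm.wsspi.wssecurity.SC.cache.cushion"
CLOCK_SKEW_PROPERTY = "com.ibm.wsspi.wssecurity.SC.token.clockSkewTolerance"


def check_sc_cache_settings(token_timeout, renew_interval, minutes_after_timeout, clock_skew):
    """Return a list of problems with the proposed settings (all values in minutes).

    token_timeout          lifetime of the Security Context Token
    renew_interval         renewal interval before the token expires
    minutes_after_timeout  time an expired token stays cached so it can be renewed
    clock_skew             clockSkewToleranceInMinutes
    An empty list means the settings follow the rules on this page.
    """
    problems = []
    if renew_interval < MIN_RENEW_INTERVAL_MINUTES:
        problems.append("renewal interval %d min is below the minimum of %d min"
                        % (renew_interval, MIN_RENEW_INTERVAL_MINUTES))
    if renew_interval >= token_timeout:
        problems.append("renewal interval %d min must be less than the token timeout %d min"
                        % (renew_interval, token_timeout))
    if token_timeout < 2 * renew_interval:
        problems.append("token timeout %d min should be at least twice the renewal interval %d min"
                        % (token_timeout, renew_interval))
    if minutes_after_timeout <= 0:
        problems.append("time in cache after timeout must be positive; it is the renewal window")
    if clock_skew < 0:
        problems.append("clock skew tolerance cannot be negative")
    return problems


def thin_client_jvm_args(cushion_minutes, clock_skew_minutes=DEFAULT_CLOCK_SKEW_MINUTES):
    """Return the -D flags for a client that runs outside WebSphere Application Server."""
    if cushion_minutes < MIN_RENEW_INTERVAL_MINUTES:
        raise ValueError("cushion must be at least %d minutes" % MIN_RENEW_INTERVAL_MINUTES)
    return ["-D%s=%d" % (CUSHION_PROPERTY, cushion_minutes),
            "-D%s=%d" % (CLOCK_SKEW_PROPERTY, clock_skew_minutes)]


def apply_with_wsadmin(renew_interval, minutes_after_timeout, clock_skew, distributed):
    """Apply the settings through wsadmin. Returns the parameter strings passed to
    AdminTask, or None when not running inside wsadmin (AdminTask is undefined)."""
    try:
        admin = AdminTask   # wsadmin injects this object into the script scope
    except NameError:
        return None
    if distributed:
        dist = "true"       # requires the dynamic cache service to be enabled
    else:
        dist = "false"
    update_cmd = ("[-distributedCache %s -minutesInCacheAfterTimeout %d "
                  "-renewIntervalBeforeTimeout %d]"
                  % (dist, minutes_after_timeout, renew_interval))
    props_cmd = "[-customProperties [[clockSkewToleranceInMinutes %d]]]" % clock_skew
    admin.updateSCClientCacheConfiguration(update_cmd)        # assumed command name
    admin.updateSCClientCacheCustomProperties(props_cmd)      # assumed command name
    AdminConfig.save()
    return [update_cmd, props_cmd]


if __name__ == "__main__":
    # Constructed sample: 120 min token timeout, 10 min renewal interval,
    # 10 min in cache after timeout, 3 min clock skew tolerance.
    settings = (120, 10, 10, DEFAULT_CLOCK_SKEW_MINUTES)
    issues = check_sc_cache_settings(*settings)
    if issues:
        for issue in issues:
            print(issue)
    else:
        print(thin_client_jvm_args(settings[1], settings[3]))
        print(apply_with_wsadmin(settings[1], settings[2], settings[3], 1))
```

Run the script under plain Python to check a proposed configuration and print the thin-client flags; under wsadmin (wsadmin -lang jython -f script.py) the same file applies the settings to the cell after the checks pass. The checks are deliberately separate from the apply step so that a renewal interval that would be rejected by the console, or a token timeout shorter than twice the renewal interval, is caught before anything is written to the configuration.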