CA API Gateway 9.1

9.4 9.1

WS-Security Cluster Properties

The following cluster properties control various aspects of WS-Security behavior on the .
gateway
The following cluster properties control various aspects of WS-Security behavior on the 
API Gateway
.
Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.
Property
Description
outbound.secureConversation.
defaultSessionDuration
The system default for the token lifetime. Value is a time unit. Valid range is 1 minute to 24 hours.
Default:
2h
This property is used in the following assertions:
  • Build RST SOAP Request
  • Establish Outbound Secure Conversation
outbound.secureConversation.
maxSessions
Maximum number of outbound secure conversation sessions that can be created. Enter a range between 1 and 1000000.
Default:
10000
outbound.secureConversation.
sessionPreExpiryAge
Pre-expiry age for outbound secure conversation sessions. This is used to "move up" the supplied expiry time and can help prevent the use of an expired session. For example, if the maximum expiry period is 20 minutes and the value of this cluster property is 5 minutes, the
API Gateway
 uses 15 minutes (20-5) as the final expiry period
Value is a time unit. Maximum is 2 hours.
Default: 
1m
 
This property is used in the following assertion:
Establish Outbound Secure Conversation
security.wss.timestamp.
createdFutureGrace
Time in the future that WSS timestamp dates are permitted to accommodate clock skew.
Default:
60000
(milliseconds)
security.wss.timestamp.
expiresPastGrace
Time in the past that WSS timestamp dates are permitted to accommodate clock skew.
Default:
60000
(milliseconds)
wss.decorator.digsig.messagedigest
Digital signature message digest algorithm that used by the following assertions:
(Non-SOAP) Sign XML Element
Add Security Token
Add Timestamp (when timestamp is signed)
Sign Element
Valid algorithms are: SHA-1, SHA-256, SHA-384, SHA-512.
Default:
SHA-1
Requires a
API Gateway
 restart for changes to take effect.
wss.decorator.mustUnderstand
Controls the “mustUnderstand” setting in a Security header. Value is a Boolean.
  • true
     = Generate Security headers with “mustUnderstand” asserted.
  • false
     = Generates Security headers without “mustUnderstand” asserted.
Default:
true
This setting only affects Security headers generated by the
API Gateway
 itself. When the
API Gateway
 adds to an existing Security header, that header retains its existing “mustUnderstand” setting. The
API Gateway
 must be restarted for changes to this property to take effect.
wss.decorator.soap.
soapActorNamespaced
Controls whether the SOAP 1.1 actor attribute created by the WSS decorator is in the SOAP namespace. Value is a Boolean.
  • true
     = Actor attribute is in the SOAP namespace; example: <wsse:Security soapenv:actor="secure_span">
  • false
     = Actor attribute is not in the SOAP namespace; example: <wsse:Security actor="secure_span">
Default: 
true
wss.decorator.omitNanos
Controls whether dates created by WS-Security timestamps should omit nanoseconds. Value is a Boolean.
Default:
false
wss.decorator.
wsTrustRequestTypeIndex
Sets the WS-Trust request type:
  • 0
     = 2005/02 version of WS-Trust
  • 1
     = IBM TFIM (Tivoli Federated Identity Manager) compatible
Default:
0
Requires a
API Gateway
 restart for changes to take effect.
wss.processor.allowMultiple
TimestampSignatures
Controls whether security headers should be permitted to contain multiple Signatures covering the timestamp. Value is a Boolean.
Default:
false
wss.processor.allowUnknown
BinarySecurityTokens
Controls response to Binary Security Tokens of an unknown type. Value is a Boolean.
  • true
     = Unknown tokens are permitted
  • f
    alse
     = Unknown tokens will cause security processing to fail
Default:
false
wss.processor.strictSignature
ConfirmationValidation
Controls how signature confirmation validation is performed. Value is a Boolean.
  • true
     = Signature confirmation validation is strictly enforced. All WSS 1.1 signature confirmation checks are performed. All checks are also performed on responses that are detected as using WSS 1.1.
  • false
     = Signature confirmation validation is more lenient. The following conditions are permitted and will not cause validation to fail:
    • no SignatureConfirmation element in a WSS 1.1 response
    • SignatureConfirmation element with no Value attribute is not the only SignatureConfirmation element
    • signature confirmation values that are not found in the request
    • unencrypted signature confirmations corresponding to encrypted signatures in the request
Default: t
rue
wss.secureConversation.
clusterSessions
Controls whether WS-SecureConversation sessions should be shared between cluster nodes. Value is a Boolean.
Default:
false
WS-SecureConversation session persistence may not be required when using a load balancer with node affinity.
wss.secureConversation.
defaultSessionDuration
Default duration of WS-SecureConversation sessions. Minimum is one minute; the maximum is one day. Value is a time unit. If the value is outside of the minimum/maximum range or is otherwise invalid, then the default value is used.
Default:
2h
wss.secureConversation.
maxSessions
Maximum number of WS-SecureConversation sessions.
Default:
10000

Content feedback and comments