Click Add to define a remote JNDI provider.

14-20 Oracle Fusion Middleware Security and Administrator’s Guide for Web Services

Tuning Web Service Security Policy Enforcement

The BindingSecurityInterceptor property on the Policy Interceptors tab allows you to tune security policy enforcement by adjusting the default message timestamp skews between system clocks, the time-to-live for nonce messages in the policy cache, and the message expiration time.

Perform the following steps to tune the security policy enforcement:

1. Access the Platform Policy Configuration page, as described in Configuring Platform Policy Properties on page 14-15.

2. Select the Policy Interceptors tab.

3. Select the BindingSecurityInterceptor security property on the list.

4. To modify a BindingSecurityInterceptor security property, select it and then click Edit. In the Edit Property window, you can edit the Value field to change the default amount for each property.

a. agent.clock.skew – Tolerance of time differences, in seconds, between client and server machines. For example, when timestamps are sent across in a message to a service that follows a different time zone, this property allows for the specified time tolerance. The default value is 300 seconds. Increase agent.clock.skew when:

– The server’s clock is ahead of the client’s clock: If the server’s clock is ahead of the client’s clock, then increase the agent.clock.skew. For example, if the server’s clock is ahead of the client’s clock by 10 minutes, then increase the server’s agent.clock.skew to 10 minutes.

– The client’s clock is ahead of the server’s clock: If the client’s clock is ahead of the server’s clock, then increase the agent.clock.skew. For example, if the client’s clock is ahead of the server’s clock by 10 minutes, then increase the server’s agent.clock.skew to 10 minutes.

b. agent.nonce.ttl – Total time-to-live, in seconds, for a nonce in the cache when a nonce is sent across in a message. This property caches the nonce and, once this duration is over, the nonce is removed from the cache. The default value is 28800 seconds.

c. agent.expire.time – Duration of time, in seconds, before a message expires after its creation. This property is used in cases where a timestamp is sent across in the SOAP header, to verify whether the timestamp has expired. The default value is 300 seconds. If the message expires when received by the service even when there is no time difference between the client’s and service’s clocks, then the message expiry time must be increased.

The message expiry time is derived from the values of agent.expiry.time and the expiry time in the incoming message, and is the lesser of the two. For example, if the server’s agent.expiry.time is set to 5 minutes and the expiry time in the incoming message is 6 minutes, then the agent.expiry.time at the service side must be increased. On the other hand, if the server’s agent.expiry.time is 5 minutes and the incoming message expiry time is 3 minutes, then the expiry time in the incoming message (that is, at the client side) must be increased. A higher value of the agent.expiry.time may lead to a security vulnerability.

d. Click OK.

5. To delete an existing property, select it and then click Delete.
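
The interaction of the three properties, modelled as an added Python example (it is not Oracle's code and not part of the original guide). The `Enforcer` class, its `check` method and the way the skew is applied to both freshness checks are assumptions made for illustration; the defaults are the ones given above. The last function shows why the nonce time-to-live should cover the whole freshness window when the expiry time is raised.

```python
from dataclasses import dataclass, field

@dataclass
class Enforcer:
    """Simplified model of the three settings; not Oracle's implementation."""
    clock_skew: int = 300     # agent.clock.skew, page default
    nonce_ttl: int = 28800    # agent.nonce.ttl, page default
    expire_time: int = 300    # agent.expire.time, page default
    nonces: dict = field(default_factory=dict)  # nonce -> eviction time

    def check(self, now, created, msg_expires, nonce):
        """now is the server's clock; created/msg_expires come from the message."""
        # Drop nonces whose time-to-live has elapsed.
        self.nonces = {n: t for n, t in self.nonces.items() if t > now}
        # Assumption: the skew is the tolerance applied to both freshness checks.
        if created - now > self.clock_skew:
            return "reject: created in the future"
        # Effective lifetime: lesser of the server setting and the message's own.
        lifetime = min(self.expire_time, msg_expires - created)
        if now > created + lifetime + self.clock_skew:
            return "reject: expired"
        if nonce in self.nonces:
            return "reject: replayed nonce"
        self.nonces[nonce] = now + self.nonce_ttl
        return "accept"

T0 = 1_700_000_000  # constructed timestamp (epoch seconds)

def defaults_demo():
    e = Enforcer()
    return [e.check(T0 + 10, T0, T0 + 360, "n1"),    # fresh message
            e.check(T0 + 20, T0, T0 + 360, "n1"),    # same nonce again
            e.check(T0 + 601, T0, T0 + 360, "n2")]   # server clock ~10 min ahead

def widened_skew_demo():
    # The guide's remedy for a 10-minute clock difference: skew raised to 600 s.
    return Enforcer(clock_skew=600).check(T0 + 601, T0, T0 + 360, "n2")

def replay_window_demo():
    # Long expiry with a nonce TTL shorter than the freshness window:
    # the nonce is evicted while the message still counts as fresh.
    e = Enforcer(expire_time=3600, nonce_ttl=60)
    first = e.check(T0 + 10, T0, T0 + 3600, "n3")
    again = e.check(T0 + 100, T0, T0 + 3600, "n3")
    return first, again

if __name__ == "__main__":
    print(defaults_demo(), widened_skew_demo(), replay_window_demo())
```

With the defaults, agent.nonce.ttl (28800 s) far exceeds agent.expire.time plus agent.clock.skew (600 s), so a cached nonce always outlives the message it protects; keep that relationship when raising either of the other two values.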