Select the tab corresponding to the component for which you want to define

Advanced Administration 14-19

5. To modify an existing property, select it and then click Edit.

6. To delete an existing property, select it and then click Delete.

7. Click Apply to apply the property updates.

Table 14–3 Properties in Add Property Window

Element: java.naming.provider.url
Description: JNDI URL that specifies the location of a running Oracle WSM Policy Manager in another domain. By default, this property is not specified. If this property is not specified, Oracle WSM auto-discovery attempts to look up the Policy Manager in the same domain.

Element: jndi.lookup.csf.key
Description: If the location of the Oracle WSM Policy Manager is provided in the java.naming.provider.url property, the jndi.lookup.csf.key provides the credential configuration. Because the Oracle WSM Policy Manager is security enabled, the jndi.lookup.csf.key specifies the java.naming.security.principal and java.naming.security.credentials used when looking up an Oracle WSM Policy Manager through the JNDI URL. By default, this property is not specified. You should configure this property when:
■ You want to specify an explicit account to connect with the Oracle WSM Policy Manager rather than the system account, OracleSystemUser, that Oracle WSM uses by default.
■ The Authentication Provider and LDAP directory that are configured do not support the system accounts used by Oracle WebLogic, which Oracle WSM relies on by default. Therefore, a different account in the LDAP directory must be used.
■ There is no concept of default system accounts in a particular application server, so the system cannot rely on system accounts.
For more information on modifying the default user, see Modifying the Default User on page 14-23.

Element: cache.refresh.initial
Description: Number of milliseconds to wait before the initial cache refresh. The default is 600000 milliseconds (10 minutes).

Element: cache.refresh.repeat
Description: Number of milliseconds to wait between cache refreshes. The default is 600000 milliseconds (10 minutes).

Element: missing.retry.delay
Description: Number of milliseconds to wait before trying to retrieve a missing document. The default is 15000 milliseconds.

Element: usage.record.delay
Description: Number of milliseconds to wait before sending usage data. The default is 30000 milliseconds.

Element: failure.retry.count
Description: Number of times to retry after a communication failure. The default is 2 retry attempts.

Element: failure.retry.delay
Description: Number of milliseconds to wait between retry attempts. The default is 5000 milliseconds.

Element: oracle.wsm.policymanager.accessor.IRepositoryAccessor
Description: Type of repository accessor class. The supported value is remote Java EE.

14-20 Oracle Fusion Middleware Security and Administrators Guide for Web Services

Tuning Web Service Security Policy Enforcement

The BindingSecurityInterceptor property on the Policy Interceptors tab allows you to tune security policy enforcement by adjusting the default message timestamp skew between system clocks, the time-to-live for nonces in the policy cache, and the message expiration time.

Perform the following steps to tune the security policy enforcement:

1. Access the Platform Policy Configuration page, as described in Configuring Platform Policy Properties on page 14-15.

2. Select the Policy Interceptors tab.

3. Select the BindingSecurityInterceptor security property on the list.

4. To modify a BindingSecurityInterceptor security property, select it and then click Edit. In the Edit Property window, you can edit the Value field to change the default amount for each property.

a. agent.clock.skew – Tolerance of time differences, in seconds, between client and server machines. For example, when timestamps are sent in a message to a service that follows a different time zone, this property allows for the specified time tolerance. The default value is 300 seconds. Increase agent.clock.skew when:

– The server's clock is ahead of the client's clock: If the server's clock is ahead of the client's clock, increase the agent.clock.skew. For example, if the server's clock is ahead of the client's clock by 10 minutes, increase the server's agent.clock.skew to 10 minutes.

– The client's clock is ahead of the server's clock: If the client's clock is ahead of the server's clock, increase the agent.clock.skew. For example, if the client's clock is ahead of the server's clock by 10 minutes, increase the server's agent.clock.skew to 10 minutes.

b. agent.nonce.ttl – Total time-to-live, in seconds, for a nonce in the cache when a nonce is sent in a message. This property caches the nonce, and once this duration is over, the nonce is removed from the cache. The default value is 28800 seconds.

c. agent.expire.time – Duration of time, in seconds, before a message expires after its creation. This property is used in cases where a timestamp is sent in the SOAP header, to verify whether the timestamp has expired. The default value is 300 seconds. If the message expires when received by the service even when there is no time difference between the client's and the service's clocks, then the message expiry time must be increased.

The message expiry time is derived from the values of agent.expiry.time and the expiry time in the incoming message, and is the lesser of the two. For example, if the server's agent.expiry.time is set to 5 minutes and the expiry time in the incoming message is 6 minutes, then the agent.expiry.time at the service side must be increased. On the other hand, if the server's agent.expiry.time is 5 minutes and the incoming message expiry time is 3 minutes, then the expiry time in the incoming message (that is, at the client side) must be increased. A higher value of agent.expiry.time may lead to a security vulnerability.

d. Click OK.

5. To delete an existing property, select it and then click Delete.
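To show how the three BindingSecurityInterceptor settings interact on the receiving side, here is an added illustration that is not Oracle's documentation or Oracle WSM code: a hypothetical validator that tolerates agent.clock.skew, derives the effective expiry as the lesser of agent.expire.time and the message's own expiry, and keeps nonces for agent.nonce.ttl so that a repeated nonce inside that window is flagged as a replay. The class and method names, and the epoch-second inputs, are assumptions made for the example.

```python
from typing import Dict, Optional


class BindingSecuritySettings:
    """Defaults taken from the BindingSecurityInterceptor property list, in seconds."""

    def __init__(self, clock_skew: int = 300, nonce_ttl: int = 28800,
                 expire_time: int = 300) -> None:
        self.clock_skew = clock_skew    # agent.clock.skew
        self.nonce_ttl = nonce_ttl      # agent.nonce.ttl
        self.expire_time = expire_time  # agent.expire.time


class TimestampNonceValidator:
    """Hypothetical receiver-side check (not Oracle WSM code) for a WS-Security
    Timestamp plus nonce, parameterised by the three settings above."""

    def __init__(self, settings: BindingSecuritySettings) -> None:
        self.settings = settings
        self._nonce_cache: Dict[str, int] = {}  # nonce -> server time when cached

    def check(self, created: int, expires: Optional[int], nonce: str, now: int) -> str:
        """Return 'accepted' or a 'rejected: ...' reason. All times are epoch seconds;
        'created' and 'expires' come from the message, 'now' is the server clock."""
        s = self.settings
        # Evict nonces that have lived longer than agent.nonce.ttl.
        self._nonce_cache = {n: t for n, t in self._nonce_cache.items()
                             if now - t < s.nonce_ttl}
        # A Created timestamp further in the future than agent.clock.skew means the
        # client's clock is ahead of the server's by more than the tolerance.
        if created - now > s.clock_skew:
            return "rejected: clock skew exceeded"
        # Effective expiry is the lesser of agent.expire.time after creation and the
        # message's own Expires (when present), as the tuning guidance describes.
        effective_expiry = created + s.expire_time
        if expires is not None:
            effective_expiry = min(effective_expiry, expires)
        # The same skew tolerance covers a server clock that is ahead and would
        # otherwise make a fresh message look expired.
        if now - s.clock_skew > effective_expiry:
            return "rejected: message expired"
        # Within the TTL window a repeated nonce is a replay.
        if nonce in self._nonce_cache:
            return "rejected: replayed nonce"
        self._nonce_cache[nonce] = now
        return "accepted"
```

Raising agent.clock.skew makes the two clock-offset cases below pass, which is exactly why a larger value also widens the window in which a captured message can be replayed before it expires.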