The application server supports the Organization for the Advancement of
Structured Information Standards (OASIS) Web Services Security
(WS-Security) specifications.
WebSphere® Application Server supports the OASIS Web Services Security
Version 1.0 specifications listed in this topic.
In WebSphere Application Server Version 6.1 Feature Pack for Web Services,
and later, support for the OASIS standards has been updated to the latest
versions of the Web Services Security (WS-Security) specifications and token
profiles. Web Services Security Version 1.1 adds stronger signature
verification (signature confirmation), a standard way of encrypting SOAP
headers, and satisfies the interoperability scenarios that depend on
Web Services Security Version 1.1 features.
The following standards are supported only in WebSphere Application
Server Version 7.0 and later.
WS-SecurityPolicy support is only available for Web Services Metadata
Exchange (WS-MetadataExchange) scenarios where the assertions are
embedded in the WSDL file. For more information, read the WS-MetadataExchange
requests topic.
In 2007, the OASIS Web Services Secure Exchange Technical Committee
(WS-SX) produced and approved the following specifications. Portions
of these specifications are supported by WebSphere Application
Server Version 7 and later.
OASIS: Web Services Security SOAP Message Security 1.0 and 1.1
The following table shows the aspects of the OASIS: Web Services Security:
SOAP Message Security 1.0 and 1.1 specifications that are supported in
WebSphere Application Server Versions 6 and later.
Table 1. Aspects of the OASIS SOAP Message Security standard supported in
WebSphere Application Server. Each entry names a supported topic followed by
the specific aspects of it that are supported.
Security header
- @S11:actor (for an intermediary)
- @S11:mustUnderstand
- @S12:mustUnderstand
- @S12:role (S12 is the namespace prefix for
  http://www.w3.org/2003/05/soap-envelope when using SOAP Version 1.2)
Security tokens
- Username token (user name and password)
- Binary security token (X.509 and Lightweight Third Party Authentication
  (LTPA))
- Custom token
Token references
- Direct reference
- Key identifier
- Key name
- Embedded reference
Signature
- Signature confirmation
Signature algorithms
- Digest
  - SHA1: http://www.w3.org/2000/09/xmldsig#sha1
  - SHA256: http://www.w3.org/2001/04/xmlenc#sha256
  - SHA512: http://www.w3.org/2001/04/xmlenc#sha512
- MAC
  - HMAC-SHA1: http://www.w3.org/2000/09/xmldsig#hmac-sha1
- Signature
  - DSA with SHA1: http://www.w3.org/2000/09/xmldsig#dsa-sha1
    Do not use this algorithm if you want your configured application to
    be in compliance with the Basic Security Profile (BSP).
  - RSA with SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1
- Canonicalization
  - Canonical XML (with comments):
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
  - Canonical XML (without comments):
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - Exclusive XML canonicalization (with comments):
    http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - Exclusive XML canonicalization (without comments):
    http://www.w3.org/2001/10/xml-exc-c14n#
- Transform
  - STR transform:
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
  - XPath: http://www.w3.org/TR/1999/REC-xpath-19991116
    Do not use the original XPath transform if you want your configured
    application to be in compliance with the Basic Security Profile (BSP).
  - Enveloped signature: http://www.w3.org/2000/09/xmldsig#enveloped-signature
  - XPath Filter 2: http://www.w3.org/2002/06/xmldsig-filter2
    Note: When a ds:Reference in a SIGNATURE refers to an element in a
    SECURE_ENVELOPE that does not carry an attribute of type ID, you must
    use the XPath Filter 2.0 transform,
    http://www.w3.org/2002/06/xmldsig-filter2.
  - Decryption transform: http://www.w3.org/2002/07/decrypt#XML
The algorithm identifiers above are compared literally by the signature
engine, so they must be written with the http scheme exactly as shown.
Signature signed parts for JAX-RPC only
- (none listed)
Signature message parts for JAX-WS only
- Body (signs the SOAP message body)
- Header (signs one or more SOAP headers within the main SOAP header)
- XPath expression to select an XML element in a SOAP message. For more
  information, see https://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption
- EncryptedHeader element
Encryption algorithms
Important: Your country of origin might have restrictions on the import,
possession, use, or re-export to another country, of encryption software.
Before downloading or using the unrestricted policy files, you must check
the laws of your country, its regulations, and its policies concerning the
import, possession, use, and re-export of encryption software, to determine
if it is permitted.
- Data encryption
  - Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  - AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
  - AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc
    This algorithm requires the unrestricted JCE policy file. For more
    information, see the Key encryption algorithm description in the
    Encryption information configuration settings: Message parts.
    Do not use the 192-bit data encryption algorithm if you want your
    configured application to be in compliance with the Basic Security
    Profile (BSP).
  - AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc
    This algorithm requires the unrestricted JCE policy file. For more
    information, see the Key encryption algorithm description in the
    Encryption information configuration settings: Message parts.
- Key encryption
  - Key transport (public key cryptography)
    - RSA-OAEP: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
      Note:
      - When running with Software Development Kit (SDK) Version 1.4, the
        list of supported key transport algorithms does not include this
        one. This algorithm appears in the list of supported key transport
        algorithms when running with SDK Version 1.5.
      - The Federal Information Processing Standard (FIPS)-compliant Java™
        cryptography engine does not support this transport algorithm.
    - RSA Version 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5
  - Symmetric key wrap (shared secret-key cryptography)
    - Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
    - AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
    - AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192
      This algorithm requires the unrestricted JCE policy file. For more
      information, see the Key encryption algorithm description in the
      Encryption information configuration settings: Message parts.
      Do not use the 192-bit key wrap algorithm if you want your configured
      application to be in compliance with the Basic Security Profile (BSP).
    - AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256
      This algorithm requires the unrestricted JCE policy file. For more
      information, see the Key encryption algorithm description in the
      Encryption information configuration settings: Message parts.
- Manifests (xenc is the namespace prefix for
  http://www.w3.org/2001/04/xmlenc#, defined by XML Encryption Syntax and
  Processing, https://www.w3.org/TR/xmlenc-core)
  - xenc:ReferenceList
  - xenc:EncryptedKey
Advanced Encryption Standard (AES) is designed to provide stronger security
and better performance for symmetric key encryption than Triple DES (Data
Encryption Standard). Therefore, use AES, if possible, for symmetric key
encryption. All of the data encryption algorithms listed are unauthenticated
CBC modes, so also sign the encrypted parts so that a modified ciphertext is
rejected rather than decrypted.
Encryption message parts for JAX-RPC only
- WebSphere Application Server keywords
  - bodycontent, which encrypts the SOAP body content
  - usernametoken, which encrypts the username token
  - digestvalue, which encrypts the digest value of the digital signature
  - signature, which encrypts the entire digital signature
  - wscontextcontent, which encrypts the content of the WS-Context header
    within the SOAP header
- XPath expression to select the XML element in the SOAP message
- XML elements
- XML element contents
Encryption message parts for JAX-WS only
- Body (encrypts the SOAP message body content)
- Header (encrypts one or more SOAP headers within the main SOAP header,
  producing an EncryptedHeader element)
- XPath expression to select an XML element in a SOAP message. For more
  information, see https://www.w3.org/TR/1999/REC-xpath-19991116.
Time stamp
- Within the Web Services Security header
- WebSphere Application Server is extended to allow you to insert time
  stamps into other elements so that the age of those elements can be
  determined.
Error handling
- SOAP faults
- A new failure SOAP fault, whose faultcode text is "The message has
  expired", has been added.
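The following script is an added example, not WebSphere code, that applies the notes in Table 1 to a message: it walks a SOAP 1.1 envelope, flags the algorithm identifiers the table says to avoid for Basic Security Profile compliance (DSA-SHA1, the original XPath transform, AES-192 data encryption and key wrap), checks that the Security header is marked mustUnderstand, and applies the Timestamp expiry check that produces the "The message has expired" fault. The sample envelope, its times, and the placeholder digest and signature values are constructed for the example.

```python
"""Lint a wsse:Security header against the support and BSP notes in Table 1.

Added example, not WebSphere code. The envelope below is constructed for the
example; DigestValue, SignatureValue and CipherValue are placeholders.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "S11": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Algorithm identifiers Table 1 marks as not BSP compliant.
NON_BSP_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1": "DSA with SHA1 signature",
    "http://www.w3.org/TR/1999/REC-xpath-19991116": "original XPath transform",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc": "AES-192 data encryption",
    "http://www.w3.org/2001/04/xmlenc#kw-aes192": "AES-192 key wrap",
}


def _parse_utc(text):
    """wsu:Created/wsu:Expires carry xsd:dateTime in UTC, e.g. 2024-05-31T23:59:00Z."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00")).astimezone(timezone.utc)


def lint_security_header(envelope_xml, now_iso):
    """Return a list of (severity, message) findings for the envelope at time now_iso."""
    now = _parse_utc(now_iso)
    root = ET.fromstring(envelope_xml)
    findings = []
    sec = root.find("S11:Header/wsse:Security", NS)
    if sec is None:
        return [("error", "no wsse:Security header present")]
    # mustUnderstand="1": a receiver that cannot process the header must fault
    # instead of silently ignoring it.
    if sec.get("{%s}mustUnderstand" % NS["S11"]) != "1":
        findings.append(("warn", 'wsse:Security lacks S11:mustUnderstand="1"'))
    # Timestamp: reject a message whose Expires has passed; this is the check
    # behind the "The message has expired" fault.
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        findings.append(("warn", "no wsu:Timestamp; message age cannot be checked"))
    else:
        created = _parse_utc(ts.findtext("wsu:Created", namespaces=NS))
        expires = _parse_utc(ts.findtext("wsu:Expires", namespaces=NS))
        if expires <= now:
            findings.append(("error", "The message has expired (wsu:Expires %s)" % expires.isoformat()))
        if created > now:
            findings.append(("error", "wsu:Created is in the future"))
    # Every Algorithm attribute: SignatureMethod, DigestMethod, CanonicalizationMethod,
    # Transform and EncryptionMethod. The whole envelope is walked because the
    # EncryptedData referenced from the header's ReferenceList lives in the Body.
    for el in root.iter():
        alg = el.get("Algorithm")
        if alg in NON_BSP_ALGORITHMS:
            local = el.tag.rsplit("}", 1)[-1]
            findings.append(("warn", "%s uses %s; not BSP compliant" % (local, NON_BSP_ALGORITHMS[alg])))
    return findings


# Constructed sample: expired Timestamp, DSA-SHA1 signature, original XPath
# transform and AES-192 body encryption, i.e. one hit for each check above.
SAMPLE_ENVELOPE = """<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <S11:Header>
    <wsse:Security S11:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2024-05-31T23:55:00Z</wsu:Created>
        <wsu:Expires>2024-05-31T23:59:00Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
          <ds:Reference URI="">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                <ds:XPath>//S11:Body</ds:XPath>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>placeholder</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </S11:Header>
  <S11:Body>
    <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>"""

if __name__ == "__main__":
    for severity, message in lint_security_header(SAMPLE_ENVELOPE, "2024-06-01T00:00:00Z"):
        print(severity, message)
```

Run against the sample at 2024-06-01T00:00:00Z it reports the expiry error plus three BSP warnings; at 2024-05-31T23:56:00Z, inside the Timestamp window, only the three algorithm warnings remain. The lint does not verify the signature or decrypt anything; it only checks what the configuration tables describe.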
OASIS: Web Services Security UsernameToken Profile 1.0
The following table shows the aspects of the OASIS: Web Services Security
Username Token Profile 1.0 specification that are supported in WebSphere
Application Server.
Table 2. Aspects of the OASIS Username Token Profile V1.0 standard supported
in WebSphere Application Server. Each entry names a supported topic followed
by the specific aspect that is supported.
Password types
- Text
Token references
- Direct reference
Because only the Text password type is supported, the password travels in
clear text inside the header. Protect it with transport-level encryption
(for example, HTTPS) or encrypt the username token itself (the usernametoken
keyword in Table 1).
OASIS: Web Services Security UsernameToken Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security
Username Token Profile 1.1 specification that are supported in WebSphere
Application Server. Items that were previously supported for Web Services
Security UsernameToken Profile 1.0 are not listed but are still supported,
unless noted otherwise.
Table 3. Aspects of the OASIS Username Token Profile V1.1 standard supported
in WebSphere Application Server. Each entry names a supported topic followed
by the specific aspect that is supported.
Password types
- Text
Token references
- Direct reference
OASIS: Web Services Security X.509 Certificate Token Profile 1.0
The following table shows the aspects of the OASIS: Web Services Security
X.509 Certificate Token Profile specification that are supported in
WebSphere Application Server Versions 6 and later.
Table 4. Aspects of the OASIS X.509 Certificate Token V1.0 standard supported
in WebSphere Application Server. Each entry names a supported topic followed
by the specific aspects that are supported.
Token types
- (none listed)
Token references
- Key identifier – subject key identifier
- Direct reference
- Custom reference – issuer name and serial number
OASIS: Web Services Security X.509 Certificate Token Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security
X.509 Certificate Token Profile 1.1 specification that are supported in
WebSphere Application Server. Items that were previously supported for Web
Services Security X.509 Certificate Token Profile 1.0 are not listed but are
still supported, unless noted otherwise.
Table 5. Aspects of the OASIS X.509 Certificate Token V1.1 standard supported
in WebSphere Application Server. Each entry names a supported topic followed
by the specific aspects that are supported.
Token types
- X.509 Version 1: single certificate
Token references
- Key identifier – subject key identifier
  - Can only reference an X.509v3 certificate
  - Can specify the SHA-1 thumbprint of the certificate by using
    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
    as the ValueType attribute of the <wsse:KeyIdentifier> element.
OASIS: Web Services Security Kerberos Token Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security
Kerberos Token Profile 1.1 specification that are supported in WebSphere
Application Server.
Table 6. Aspects of the OASIS Kerberos Token Profile standard supported in
WebSphere Application Server. Each entry names a supported topic followed by
the specific aspects that are supported.
Token types
- GSS_API Kerberos v5 token:
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
- GSS_API Kerberos v5 token per RFC1510:
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
- GSS_API Kerberos v5 token per RFC4120:
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
- Kerberos v5 token:
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
- Kerberos v5 token per RFC1510:
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
- Kerberos v5 token per RFC4120:
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
Token references
- Security token reference
- Key identifier, which is used after the initial Kerberos v5 token is
  consumed
- Derived key token based on the Kerberos key
OASIS: Web Services Security WS-SecureConversation Draft and Version 1.3
The following table shows the aspects of the OASIS: WS-SecureConversation
specification that are supported in WebSphere Application Server Version 6.1
Feature Pack for Web Services, and later. Support for Version 1.3 of the
specification is provided in WebSphere Application Server Version 7.0 and
later.
Table 7. Aspects of the OASIS SecureConversation standard supported in
WebSphere Application Server. Each entry names a supported topic followed by
the specific aspects that are supported.
Token types
- Security Context Token draft version:
  http://schemas.xmlsoap.org/ws/2005/02/sc/sct
- Security Context Token Version 1.3:
  http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
Token references
- Direct reference
Security context establishment
- Security context token created by a security token service that is
  embedded in WebSphere Application Server.
Renewing context
- Automatic renewal of the token when it is about to expire.
Cancelling context
- Explicit cancel request support.
Derived keys
- The following information is used to derive the keys, using a shared
  secret from a security context:
  - /wsc:DerivedKeyToken/wsse:SecurityTokenReference
  - /wsc:DerivedKeyToken/wsc:Label
  - /wsc:DerivedKeyToken/wsc:Nonce
  - /wsc:DerivedKeyToken/wsc:Length
Error handling
- SOAP faults, including:
  - wsc:BadContextToken
  - wsc:UnsupportedContextToken
  - wsc:RenewNeeded
  - wsc:UnableToRenew
OASIS: Web Services Security WS-Trust Version 1.0 Draft and Version 1.3
The following tables show the aspects of the OASIS: Web Services Security:
WS-Trust Version 1.0 Draft and Version 1.3 specifications that are supported
in WebSphere Application Server Version 6.1 Feature Pack for Web Services,
and later.
Table 8. Aspects of the OASIS Trust V1.0 and V1.3 standard supported in
WebSphere Application Server. Each entry names a supported topic followed by
the specific aspects that are supported.
Namespace
- http://schemas.xmlsoap.org/ws/2005/02/trust
Request header
- /wsa:Action. Valid options include:
  - http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  - http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew
  - http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel
  - http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate
Request elements and attributes
- /wst:RequestSecurityToken
- /wst:RequestSecurityToken/@Context
- /wst:RequestSecurityToken/wst:RequestType. Valid options include:
  - http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  - http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
  - http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  - http://schemas.xmlsoap.org/ws/2005/02/trust/Validate
- /wst:RequestSecurityToken/wst:TokenType. Valid option:
  - http://schemas.xmlsoap.org/ws/2005/02/sc/sct
- /wst:RequestSecurityToken/wsp:AppliesTo
- /wst:RequestSecurityToken/wst:Entropy
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type. Valid option:
  - http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
- /wst:RequestSecurityToken/wst:Lifetime
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Created
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires
- /wst:RequestSecurityToken/wst:KeySize
- /wst:RequestSecurityToken/wst:KeyType. Valid option:
  - http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
- /wst:RequestSecurityToken/wst:RenewTarget
- /wst:RequestSecurityToken/wst:Renewing
- /wst:RequestSecurityToken/wst:Renewing/@Allow
- /wst:RequestSecurityToken/wst:Renewing/@OK
- /wst:RequestSecurityToken/wst:CancelTarget
- /wst:RequestSecurityToken/wst:ValidateTarget
- /wst:RequestSecurityToken/wst:Issuer
Response header
- /wsa:Action. Valid options include:
  - http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  - http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew
  - http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel
  - http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate
Response elements and attributes
- /wst:RequestSecurityTokenResponse
- /wst:RequestSecurityTokenResponse/@Context
- /wst:RequestSecurityTokenResponse/wst:TokenType
- /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
- /wst:RequestSecurityTokenResponse/wsp:AppliesTo
- /wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference
- /wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference
- /wst:RequestSecurityTokenResponse/wst:RequestedProofToken
- /wst:RequestSecurityTokenResponse/wst:Entropy
- /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret
- /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type
- /wst:RequestSecurityTokenResponse/wst:Lifetime
- /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created
- /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires
- /wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey
- /wst:RequestSecurityTokenResponse/wst:KeySize
- /wst:RequestSecurityTokenResponse/wst:Renewing
- /wst:RequestSecurityTokenResponse/wst:Renewing/@Allow
- /wst:RequestSecurityTokenResponse/wst:Renewing/@OK
- /wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled
- /wst:RequestSecurityTokenResponse/wst:Status
- /wst:RequestSecurityTokenResponse/wst:Status/wst:Code. Valid responses
  include:
  - http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid
  - http://schemas.xmlsoap.org/ws/2005/02/trust/status/invalid
- /wst:RequestSecurityTokenResponse/wst:Status/wst:Reason
Error handling
- wst:InvalidRequest
- wst:FailedAuthentication
- wst:RequestFailed
- wst:InvalidSecurityToken
- wst:AuthenticationBadElements
- wst:BadRequest
- wst:ExpiredData
- wst:InvalidTimeRange
- wst:InvalidScope
- wst:RenewNeeded
- wst:UnableToRenew
Table 9. Aspects of the OASIS Trust V1.3 standard supported in WebSphere
Application Server. Each entry names a supported topic followed by the
specific aspects that are supported.
Namespace
- http://docs.oasis-open.org/ws-sx/ws-trust/200512
Request header
- /wsa:Action. Valid options include:
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate
Request elements and attributes
- /wst:RequestSecurityToken
- /wst:RequestSecurityToken/@Context
- /wst:RequestSecurityToken/wst:RequestType. Valid options include:
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate
- /wst:RequestSecurityToken/wst:TokenType. Valid option:
  - http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
- /wst:RequestSecurityToken/wsp:AppliesTo
- /wst:RequestSecurityToken/wst:Entropy
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type. Valid option:
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce
- /wst:RequestSecurityToken/wst:Lifetime
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Created
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires
- /wst:RequestSecurityToken/wst:KeySize
- /wst:RequestSecurityToken/wst:KeyType. Valid option:
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
- /wst:RequestSecurityToken/wst:RenewTarget
- /wst:RequestSecurityToken/wst:Renewing
- /wst:RequestSecurityToken/wst:Renewing/@Allow
- /wst:RequestSecurityToken/wst:Renewing/@OK
- /wst:RequestSecurityToken/wst:CancelTarget
- /wst:RequestSecurityToken/wst:ValidateTarget
- /wst:RequestSecurityToken/wst:Issuer
Response header
- /wsa:Action. Valid options include:
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/CancelFinal
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/RenewFinal
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/ValidateFinal
Response elements and attributes
- /wst:RequestSecurityTokenResponse
- /wst:RequestSecurityTokenResponse/@Context
- /wst:RequestSecurityTokenResponse/wst:TokenType
- /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
- /wst:RequestSecurityTokenResponse/wsp:AppliesTo
- /wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference
- /wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference
- /wst:RequestSecurityTokenResponse/wst:RequestedProofToken
- /wst:RequestSecurityTokenResponse/wst:Entropy
- /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret
- /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type
- /wst:RequestSecurityTokenResponse/wst:Lifetime
- /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created
- /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires
- /wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey
- /wst:RequestSecurityTokenResponse/wst:KeySize
- /wst:RequestSecurityTokenResponse/wst:Renewing
- /wst:RequestSecurityTokenResponse/wst:Renewing/@Allow
- /wst:RequestSecurityTokenResponse/wst:Renewing/@OK
- /wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled
- /wst:RequestSecurityTokenResponse/wst:Status
- /wst:RequestSecurityTokenResponse/wst:Status/wst:Code. Valid responses
  include:
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/invalid
- /wst:RequestSecurityTokenResponse/wst:Status/wst:Reason
Error handling
- wst:InvalidRequest
- wst:FailedAuthentication
- wst:RequestFailed
- wst:InvalidSecurityToken
- wst:AuthenticationBadElements
- wst:BadRequest
- wst:ExpiredData
- wst:InvalidTimeRange
- wst:InvalidScope
- wst:RenewNeeded
- wst:UnableToRenew
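The following script is an added example, not WebSphere code, that puts the WS-Trust 1.3 request and response elements of Table 9 and the derived-key inputs of Table 7 together in one exchange. The requestor builds an RST Issue for a Security Context Token with a SymmetricKey KeyType, a KeySize and Nonce-typed Entropy; the security token service answers with a single RSTR (as Table 9 lists it) carrying its own Entropy and a RequestedProofToken/ComputedKey of type PSHA1, so the session key is never sent on the wire; both sides then compute the same key with P_SHA1 (secret = requestor entropy, seed = issuer entropy) and derive a DerivedKeyToken key from it over Label and Nonce with an Offset and Length, as WS-SecureConversation specifies. The entropy values, the context identifier and the token Identifier are constructed for the example; the default Label is the WS-SecureConversation 1.3 default.

```python
"""WS-Trust 1.3 Issue of an SCT with joint entropy, plus a WS-SC DerivedKeyToken.

Added example, not WebSphere code. Entropy, Context and the SCT Identifier are
constructed for the example.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSC = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
PSHA1 = WST + "/CK/PSHA1"
NONCE_TYPE = WST + "/Nonce"
# Default wsc:Label from WS-SecureConversation 1.3 (client label + service label).
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"
ET.register_namespace("wst", WST)
ET.register_namespace("wsc", WSC)
_NS = {"wst": WST, "wsc": WSC}


def p_sha1(secret, seed, length):
    """TLS 1.0 P_SHA1 expansion (RFC 2246, section 5), shared by WS-Trust and WS-SC."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) || seed)
    return out[:length]


def build_rst(client_entropy, key_size_bits=256):
    """Requestor: RST Issue for an SCT with a symmetric key and client entropy."""
    rst = ET.Element("{%s}RequestSecurityToken" % WST, Context="ctx-1")
    ET.SubElement(rst, "{%s}RequestType" % WST).text = WST + "/Issue"
    ET.SubElement(rst, "{%s}TokenType" % WST).text = WSC + "/sct"
    ET.SubElement(rst, "{%s}KeyType" % WST).text = WST + "/SymmetricKey"
    ET.SubElement(rst, "{%s}KeySize" % WST).text = str(key_size_bits)
    entropy = ET.SubElement(rst, "{%s}Entropy" % WST)
    secret = ET.SubElement(entropy, "{%s}BinarySecret" % WST, Type=NONCE_TYPE)
    secret.text = base64.b64encode(client_entropy).decode()
    return ET.tostring(rst)


def sts_issue(rst_xml, server_entropy):
    """STS: validate the RST, contribute entropy, return (RSTR bytes, session key)."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext("wst:RequestType", namespaces=_NS) != WST + "/Issue":
        raise ValueError("only Issue is handled here")
    if rst.findtext("wst:KeyType", namespaces=_NS) != WST + "/SymmetricKey":
        raise ValueError("unsupported KeyType")
    key_len = int(rst.findtext("wst:KeySize", namespaces=_NS)) // 8
    client_entropy = base64.b64decode(rst.findtext("wst:Entropy/wst:BinarySecret", namespaces=_NS))
    key = p_sha1(client_entropy, server_entropy, key_len)

    rstr = ET.Element("{%s}RequestSecurityTokenResponse" % WST, Context=rst.get("Context"))
    ET.SubElement(rstr, "{%s}TokenType" % WST).text = WSC + "/sct"
    requested = ET.SubElement(rstr, "{%s}RequestedSecurityToken" % WST)
    sct = ET.SubElement(requested, "{%s}SecurityContextToken" % WSC)
    ET.SubElement(sct, "{%s}Identifier" % WSC).text = "urn:uuid:example-sct"  # constructed id
    entropy = ET.SubElement(rstr, "{%s}Entropy" % WST)
    secret = ET.SubElement(entropy, "{%s}BinarySecret" % WST, Type=NONCE_TYPE)
    secret.text = base64.b64encode(server_entropy).decode()
    proof = ET.SubElement(rstr, "{%s}RequestedProofToken" % WST)
    ET.SubElement(proof, "{%s}ComputedKey" % WST).text = PSHA1  # the key itself is never sent
    ET.SubElement(rstr, "{%s}KeySize" % WST).text = str(key_len * 8)
    return ET.tostring(rstr), key


def requestor_finish(rstr_xml, client_entropy):
    """Requestor: check the ComputedKey algorithm and compute the same session key."""
    rstr = ET.fromstring(rstr_xml)
    if rstr.findtext("wst:RequestedProofToken/wst:ComputedKey", namespaces=_NS) != PSHA1:
        raise ValueError("unsupported ComputedKey algorithm")
    server_entropy = base64.b64decode(rstr.findtext("wst:Entropy/wst:BinarySecret", namespaces=_NS))
    key_len = int(rstr.findtext("wst:KeySize", namespaces=_NS)) // 8
    return p_sha1(client_entropy, server_entropy, key_len)


def derive_key(secret, nonce, length, offset=0, label=DEFAULT_LABEL):
    """wsc:DerivedKeyToken: P_SHA1(secret, Label || Nonce), bytes [Offset, Offset+Length)."""
    return p_sha1(secret, label + nonce, offset + length)[offset:]


def run_exchange(client_entropy=None, server_entropy=None, key_size_bits=256):
    """Drive both sides; returns (STS key, requestor key), which must be equal."""
    client_entropy = client_entropy or os.urandom(32)
    server_entropy = server_entropy or os.urandom(32)
    rstr, sts_key = sts_issue(build_rst(client_entropy, key_size_bits), server_entropy)
    return sts_key, requestor_finish(rstr, client_entropy)


if __name__ == "__main__":
    sts_key, client_key = run_exchange()
    print("keys agree:", sts_key == client_key)
    print("derived key:", derive_key(client_key, os.urandom(16), 16).hex())
```

The derived key for a DerivedKeyToken with Offset 8 and Length 8 is the tail of the key derived with Offset 0 and Length 16 from the same Nonce, which is what lets each side cut fresh signing and encryption keys from one shared secret without a new RST. The requestor rejects any ComputedKey other than PSHA1 rather than guessing, which is the behaviour a client should have when an STS answers with an algorithm outside the supported list.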
Functionality that is not supported by WebSphere Application Server
The following tables show functionality that is defined in the OASIS
specifications, OASIS drafts, and other recommendations but is not supported
by WebSphere Application Server Version 6 and later:
Unsupported function for WS-Trust Version 1.0 Draft and Version 1.3
The following tables show the aspects of the OASIS: Web Services Security:
WS-Trust Version 1.0 Draft and Version 1.3 specifications that are not
supported in WebSphere Application Server Version 6.1 Feature Pack for Web
Services, and later.
Table 10. Aspects of the OASIS Trust V1.0 and V1.3 standard that are
unsupported in WebSphere Application Server. Each entry names an unsupported
topic followed by the specific aspects that are not supported.
Elements and attributes
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type. Unsupported
  request options:
  - http://schemas.xmlsoap.org/ws/2005/02/trust/AsymmetricKey
  - http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
- /wst:RequestSecurityToken/wst:Claims
- /wst:RequestSecurityToken/wst:AllowPostdating
- /wst:RequestSecurityToken/wst:OnBehalfOf
- /wst:RequestSecurityToken/wst:AuthenticationType
- /wst:RequestSecurityToken/wst:KeyType. Unsupported request option:
  - http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
- /wst:RequestSecurityToken/wst:SignatureAlgorithm
- /wst:RequestSecurityToken/wst:EncryptionAlgorithm
- /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
- /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
- /wst:RequestSecurityToken/wst:Encryption
- /wst:RequestSecurityToken/wst:ProofEncryption
- /wst:RequestSecurityToken/wst:UseKey
- /wst:RequestSecurityToken/wst:UseKey/@Sig
- /wst:RequestSecurityToken/wst:SignWith
- /wst:RequestSecurityToken/wst:EncryptWith
- /wst:RequestSecurityToken/wst:DelegateTo
- /wst:RequestSecurityToken/wst:Forwardable
- /wst:RequestSecurityToken/wst:Delegatable
- /wst:RequestSecurityToken/wsp:Policy
- /wst:RequestSecurityToken/wsp:PolicyReference
Response elements and attributes
- /wst:RequestSecurityTokenResponseCollection
- /wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse
Table 11. Aspects of the OASIS Trust V1.3 standard that are unsupported in
WebSphere Application Server. Each entry names an unsupported topic followed
by the specific aspects that are not supported.
Elements and attributes
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type. Unsupported
  request options:
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
- /wst:RequestSecurityToken/wst:Claims
- /wst:RequestSecurityToken/wst:AllowPostdating
- /wst:RequestSecurityToken/wst:OnBehalfOf
- /wst:RequestSecurityToken/wst:AuthenticationType
- /wst:RequestSecurityToken/wst:KeyType. Unsupported request options:
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
- /wst:RequestSecurityToken/wst:SignatureAlgorithm
- /wst:RequestSecurityToken/wst:EncryptionAlgorithm
- /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
- /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
- /wst:RequestSecurityToken/wst:Encryption
- /wst:RequestSecurityToken/wst:ProofEncryption
- /wst:RequestSecurityToken/wst:UseKey
- /wst:RequestSecurityToken/wst:UseKey/@Sig
- /wst:RequestSecurityToken/wst:SignWith
- /wst:RequestSecurityToken/wst:EncryptWith
- /wst:RequestSecurityToken/wst:DelegateTo
- /wst:RequestSecurityToken/wst:Forwardable
- /wst:RequestSecurityToken/wst:Delegatable
- /wst:RequestSecurityToken/wsp:Policy
- /wst:RequestSecurityToken/wsp:PolicyReference
Response header
- /wsa:Action. Unsupported responses:
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Validate