Supported functionality from OASIS specifications

The application server supports the Organization for the Advancement of Structured Information (OASIS) Web Services Security (WS-Security) specifications.

WebSphere® Application Server supports these OASIS Web Services Security Version 1.0 specifications.

In WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later, support for the OASIS standards has been updated to the latest versions of Web Services Security (WS-Security) specifications and tokens. Web Services Security Version 1.1 provides better security verification for signature, a standard way of encrypting SOAP headers, and meets the requirement from some of the inter-operability scenarios that use features from Web Services Security Version 1.1.

The following standards are supported only in WebSphere Application Server Version 7.0 and later.

WS-SecurityPolicy support is only available for Web Services Metadata Exchange (WS-MetadataExchange) scenarios where the assertions are embedded in the WSDL file. For more information, read the WS-MetadataExchange requests topic.

In 2007, the OASIS Web Services Secure Exchange Technical Committee (WS-SX) produced and approved the following specifications. Portions of these specifications are supported by WebSphere Application Server Version 7 and later.

OASIS: Web Services Security SOAP Message Security 1.0 and 1.1

The following table shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 and 1.1 specifications that are supported in WebSphere Application Server Versions 6 and later.

Table 1. Aspects of OASIS SOAP Message Security standard supported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are supported.
Supported topic	Specific aspect that is supported
Security header	@S11:actor (for an intermediary) @S11:mustUnderstand @S12:mustUnderstand @S12:role (S12 is the namespace prefix for https://www.w3.org/2003/05/soap-envelope when using SOAP Version 1.2)
Security tokens	Username token (user name and password) Binary security token (X.509 and Lightweight Third Party Authentication (LTPA) Custom token Other binary security token XML token Note: WebSphere Application Server does not provide an implementation, but you can use an XML token with plug-in point.
Token references	Direct reference Key identifier Key name Embedded reference
Signature	Signature confirmation
Signature algorithms	Digest SHA1 https://www.w3.org/2000/09/xmldsig#sha1 SHA256 https://www.w3.org/2001/04/xmlenc#sha256 SHA512 https://www.w3.org/2001/04/xmlenc#sha512 MAC HMAC-SHA1 https://www.w3.org/2000/09/xmldsig#hmac-sha1 Signature DSA with SHA1 https://www.w3.org/2000/09/xmldsig#dsa-sha1 Do not use this algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP) RSA with SHA1 https://www.w3.org/2000/09/xmldsig#rsa-sha1 Canonicalization Canonical XML (with comments) https://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments Canonical XML (without comments) https://www.w3.org/TR/2001/REC-xml-c14n-20010315 Exclusive XML canonicalization (with comments) https://www.w3.org/2001/10/xml-exc-c14n#WithComments Exclusive XML canonicalization (without comments) https://www.w3.org/2001/10/xml-exc-c14n# Transform STR transform http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage- security-1.0#STR-Transform XPath https://www.w3.org/TR/1999/REC-xpath-19991116 Do not use the original XPATH transform if you want your configured application to be in compliance with the Basic Security Profile (BSP). Note: When referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE, you must use the XPATH Filter 2.0 Transform, https://www.w3.org/2002/06/xmldsig-filter2 Enveloped signature https://www.w3.org/2000/09/xmldsig#enveloped-signature XPath Filter2 https://www.w3.org/2002/06/xmldsig-filter2 Note: When referring to an element in a SECURE_ENVELOPE that does not carry an ID attribute type from a ds:Reference in a SIGNATURE, you must use the XPATH Filter 2.0 Transform, https://www.w3.org/2002/06/xmldsig-filter2 Decryption transform https://www.w3.org/2002/07/decrypt#XML
Signature signed parts for JAX-RPC only	WebSphere Application Server key words: body, which signs the SOAP message body timestamp, which signs all of the time stamps securitytoken, which signs all of the security tokens dsigkey, which signs the signing key enckey, which signs the encryption key messageid, which signs the `wsa :MessageID` element in WS-Addressing. to, which signs the `wsa:To` element in WS-Addressing action, which signs the `wsa:Action` element in WS-Addressing relatesto, which signs the `wsa:RelatesTo` element in WS-Addressing wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing wscontext, which specifies the WS-Context header for the SOAP header. wsafrom, which specifies the `<wsa:From>` WS-Addressing From element in the SOAP header. wsareplyto, which specifies the `<wsa:ReplyTo>` WS-Addressing ReplyTo element in the SOAP header. wsafaultto, which specifies the `<wsa:FaultTo>` WS-Addressing FaultTo element in the SOAP header. wsaall, which specifies all of the WS-Addressing elements in the SOAP header. XPath expression to select an XML element in a SOAP message. For more information, see https://www.w3.org/TR/1999/REC-xpath-19991116.
Signature message parts for JAX-WS only	Body (which signs the SOAP message body) Header (which signs one or more SOAP headers within the main SOAP header) XPath expression to select an XML element in a SOAP message. For more information, see https://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption	EncryptedHeader element
Encryption algorithms	Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted. Data encryption Triple DES in CBC: https://www.w3.org/2001/04/xmlenc#tripledes-cbc AES128 in CBC: https://www.w3.org/2001/04/xmlenc#aes128-cbc AES192 in CBC: https://www.w3.org/2001/04/xmlenc#aes192-cbc This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP). AES256 in CBC: https://www.w3.org/2001/04/xmlenc#aes256-cbc This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Key encryption Key transport (public key cryptography) https://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p. Note: When running with Software Development Kit (SDK) Version 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK Version 1.5. Use of the Federal Information Processing Standard (FIPS)-compliant Java™ cryptography engine does not support this transport algorithm. RSA Version 1.5: https://www.w3.org/2001/04/xmlenc#rsa-1_5 Symmetric key wrap (private key cryptography) Triple DES key wrap: https://www.w3.org/2001/04/xmlenc#kw-tripledes AES key wrap (aes128): https://www.w3.org/2001/04/xmlenc#kw-aes128 AES key wrap (aes192): https://www.w3.org/2001/04/xmlenc#kw-aes192 This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP). AES key wrap (aes256): https://www.w3.org/2001/04/xmlenc#kw-aes256 This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Manifests-xenc is the namespace prefix of https://www.w3.org/TR/xmlenc-core xenc:ReferenceList xenc:EncryptedKey Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES (data encryption standard). Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.
Encryption message parts for JAX-RPC only	WebSphere Application Server keywords bodycontent, which is used to encrypt the SOAP body content usernametoken, which is used to encrypt the username token digestvalue, which is used to encrypt the digest value of the digital signature signature, which is used to encrypt the entire digital signature wscontextcontent, which encrypts the content in the WS-Context header for the SOAP header. XPath expression to select the XML element in the SOAP message XML elements XML element contents
Encryption message parts for JAX-WS only	Body (which encrypts the SOAP message body content) Header (which encrypts one or more SOAP headers within the main SOAP header, resulting in the EncryptedHeader element) XPath expression to select an XML element in a SOAP message For more information, see https://www.w3.org/TR/1999/REC-xpath-19991116.
Time stamp	Within Web Services Security header WebSphere Application Server is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling	SOAP faults New `failure` SOAP fault with faultcode `The message has expired` text has been added

OASIS: Web Services Security UsernameToken Profile 1.0

The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that is supported in WebSphere Application Server.

Table 2. Aspects of OASIS Username Token Profile V1.0 standard supported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are supported.
Supported topic	Specific aspect that is supported
Password types	Text
Token references	Direct reference

OASIS: Web Services Security UsernameToken Profile 1.1

The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.1 specification that is supported in WebSphere Application Server. Items that were previously supported for Web Services Security UsernameToken Profile 1.0 are not listed but are still supported, unless noted otherwise.

Table 3. Aspects of OASIS Username Token Profile V1.1 standard supported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are supported.
Supported topic	Specific aspect that is supported
Password types	Text
Token references	Direct reference

OASIS: Web Services Security X.509 Certificate Token Profile 1.0

The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that are supported in WebSphere Application Server Versions 6 and later.

Table 4. Aspects of OASIS X.509 Certificate Token V1.0 standard supported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are supported.
Supported topic	Specific aspect that is supported
Token types	X.509 Version 3: Single certificate http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509v3 X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL) http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509PKIPathv1 X.509 Version 3: PKCS7 with or without CRLs. The IBM® software development kit (SDK) supports both. The Sun Java SE Development Kit 6 (JDK 6) supports PKCS7 without CRL only.
Token references	Key identifier – subject key identifier Direct reference Custom reference – issuer name and serial number

OASIS: Web Services Security X.509 Certificate Token Profile 1.1

The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile 1.1 specification that are supported in WebSphere Application Server. Items that were previously supported for Web Services Security X.509 Certificate Token Profile 1.0 are not listed but are still supported, unless noted otherwise.

Table 5. Aspects of OASIS X.509 Certificate Token V1.1 standard supported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are supported.
Supported topic	Specific aspect that is supported
Token types	X.509 Version 1: Single certificate
Token references	Key identifier – subject key identifier Can only reference an X.509v3 certificate Can specify the thumbprint of the specified certificate by using the http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 attribute of the <wsse:KeyIdentifier> element.

OASIS: Web Services Security Kerberos Token Profile 1.1

The following table shows the aspects of the OASIS: Web Services Security Kerberos Token Profile 1.1 specification that are supported in WebSphere Application Server.

Table 6. Aspects of OASIS Kerberos Token Profile standard supported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are supported.
Supported topic	Specific aspect that is supported
Token types	GSS_API Kerberos v5 token http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ GSS_API Kerberos v5 token per RFC1510 http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510 GSS_API Kerberos v5 token per RFC4120 http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120 Kerberos v5 token http://docs.oasis-open.org/wss/oasiswss- kerberos-token-profile-1.1#Kerberosv5_AP_REQ Kerberos v5 token per RFC1510 http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510 Kerberos v5 token per RFC4120 http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ412
Token references	Security token reference Key identifier, which is used after the initial Kerberos v5 token is consumed Derived key token based on the Kerberos key

OASIS: Web Services Security WS-Secure Conversation Draft and Version 1.3

The following table shows the aspects of the OASIS: WS-SecureConversation specification that are supported in WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later. Support for Version 1.3 of the specification is provided in WebSphere Application Server Version 7.0 and later.

Table 7. Aspects of OASIS SecureConversation standard supported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are supported.
Supported topic	Specific aspect that is supported
Token types	Security Context Token draft version: http://schemas.xmlsoap.org/ws/2005/02/sc/sct Security Context Token Version 1.3: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
Token references	Direct reference
Security context establishment	Security context token created by a security token service that is embedded in the WebSphere Application Server.
Renewing context	Automatic renewal of the token when its about to expire.
Cancelling context	Explicit cancel request support.
Derived keys	The following information is used to derive the keys using a shared secret from a security context: /wsc:DerivedKeyToken/wsse:SecurityTokenReference /wsc:DerivedKeyToken/wsc:Label /wsc:DerivedKeyToken/wsc:Nonce /wsc:DerivedKeyToken/wsc:Length
Error handling	SOAP faults, including: wsc:BadContextToken wsc:UnsupportedContextToken wsc:RenewNeeded wsc:UnableToRenew

OASIS: Web Services Security WS-Trust Version 1.0 Draft and Version 1.3

The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications that are supported in WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later.

Table 8. Aspects of OASIS Trust V1.0 and V1.3 standard supported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are supported.
Supported topic	Specific aspect that is supported
Namespace	http://schemas.xmlsoap.org/ws/2005/02/trust
Request header	/wsa:Action Valid options include: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate
Request elements and attributes	/wst:RequestSecurityToken /wst:RequestSecurityToken/@Context /wst:RequestSecurityToken/wst:RequestType Valid options include: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue http://schemas.xmlsoap.org/ws/2005/02/trust/Renew http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel http://schemas.xmlsoap.org/ws/2005/02/trust/Validate /wst:RequestSecurityToken/wst:TokenType Valid options include: for http://schemas.xmlsoap.org/ws/2005/02/sc/sct /wst:RequestSecurityToken/wsp:AppliesTo /wst:RequestSecurityToken/wst:Entropy /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type for http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce /wst:RequestSecurityToken/wst:Lifetime /wst:RequestSecurityToken/wst:Lifetime/wsu:Created /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires /wst:RequestSecurityToken/wst:KeySize /wst:RequestSecurityToken/wst:KeyType for http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey /wst:RequestSecurityToken/wst:RenewTarget /wst:RequestSecurityToken/wst:Renewing /wst:RequestSecurityToken/wst:Renewing/@Allow /wst:RequestSecurityToken/wst:Renewing/@OK /wst:RequestSecurityToken/wst:CancelTarget /wst:RequestSecurityToken/wst:ValidateTarget /wst:RequestSecurityToken/wst:Issuer
Response header	/wsa:Action Valid options include: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate
Response elements and attributes	/wst:RequestSecurityTokenResponse /wst:RequestSecurityTokenResponse/@Context /wst:RequestSecurityTokenResponse/wst:TokenType /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wsp:AppliesTo /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference /wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference /wst:RequestSecurityTokenResponse/wst:RequestedProofToken /wst:RequestSecurityTokenResponse/wst:Entropy /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type /wst:RequestSecurityTokenResponse/wst:Lifetime /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires /wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey /wst:RequestSecurityTokenResponse/wst:KeySize /wst:RequestSecurityTokenResponse/wst:Renewing /wst:RequestSecurityTokenResponse/wst:Renewing/@Allow /wst:RequestSecurityTokenResponse/wst:Renewing/@OK /wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled /wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status/wst:Code Valid responses include: http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid http://schemas.xmlsoap.org/ws/2005/02/trust/status/invalid /wst:RequestSecurityTokenResponse/wst:Status/wst:Reason
Error handling	wst:InvalidRequest wst:FailedAuthentication wst:RequestFailed wst:InvalidSecurityToken wst:AuthenticationBadElements wst:BadRequest wst:ExpiredData wst:InvalidTimeRange wst:InvalidScope wst:RenewNeeded wst:UnableToRenew

Table 9. Aspects of OASIS Trust V1.3 standard supported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are supported.
Supported topic	Specific aspect that is supported
Namespace	http://docs.oasis-open.org/ws-sx/ws-trust/200512
Request header	/wsa:Action Valid options include: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate
Request elements and attributes	/wst:RequestSecurityToken /wst:RequestSecurityToken/@Context /wst:RequestSecurityToken/wst:RequestType Valid options include: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate /wst:RequestSecurityToken/wst:TokenType Valid options include: for http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct /wst:RequestSecurityToken/wsp:AppliesTo /wst:RequestSecurityToken/wst:Entropy /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type for http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce /wst:RequestSecurityToken/wst:Lifetime /wst:RequestSecurityToken/wst:Lifetime/wsu:Created /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires /wst:RequestSecurityToken/wst:KeySize /wst:RequestSecurityToken/wst:KeyType for http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey /wst:RequestSecurityToken/wst:RenewTarget /wst:RequestSecurityToken/wst:Renewing /wst:RequestSecurityToken/wst:Renewing/@Allow /wst:RequestSecurityToken/wst:Renewing/@OK /wst:RequestSecurityToken/wst:CancelTarget /wst:RequestSecurityToken/wst:ValidateTarget /wst:RequestSecurityToken/wst:Issuer
Response header	/wsa:Action Valid options include: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/CancelFinal http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/RenewFinal http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/ValidateFinal
Response elements and attributes	/wst:RequestSecurityTokenResponse /wst:RequestSecurityTokenResponse/@Context /wst:RequestSecurityTokenResponse/wst:TokenType /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wsp:AppliesTo /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference /wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference /wst:RequestSecurityTokenResponse/wst:RequestedProofToken /wst:RequestSecurityTokenResponse/wst:Entropy /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type /wst:RequestSecurityTokenResponse/wst:Lifetime /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires /wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey /wst:RequestSecurityTokenResponse/wst:KeySize /wst:RequestSecurityTokenResponse/wst:Renewing /wst:RequestSecurityTokenResponse/wst:Renewing/@Allow /wst:RequestSecurityTokenResponse/wst:Renewing/@OK /wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled /wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status/wst:Code Valid responses include: http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/invalid /wst:RequestSecurityTokenResponse/wst:Status/wst:Reason
Error handling	wst:InvalidRequest wst:FailedAuthentication wst:RequestFailed wst:InvalidSecurityToken wst:AuthenticationBadElements wst:BadRequest wst:ExpiredData wst:InvalidTimeRange wst:InvalidScope wst:RenewNeeded wst:UnableToRenew

Functionality that is not supported by WebSphere Application Server

The following list shows the functionality that is supported in the OASIS specifications, OASIS drafts, and other recommendations but is not supported by WebSphere Application Server Version 6 and later:

Web Services Security SOAP Messages with Attachments (SwA) profile 1.0
Note: When using the JAX-WS programming model, securing the SOAP Message Transmission Optimization Mechanism (MTOM) attachment is supported. See the topic Enabling MTOM for JAX-WS web services for more information.
XrML token profile
XML enveloping digital signature
XML enveloping digital encryption
The following WS-SecureConversation functionality is not supported by WebSphere Application Server:
- Two methods for establishing security context are not supported: 1) security context token created by one of the communicating parties and propagated with a message; and 2) security context token created through negotiation or exchanges.
- SCT propagation
- Amending security contexts
The following transform algorithms for digital signatures are not supported:
- XSLT: https://www.w3.org/TR/1999/REC-xslt-19991116
- SOAP Message Normalization
  See SOAP Version 1.2 Message Normalization for information, such as an empty header or header entry with mustUnderstand=false is removed, and so forth.
- Decryption transform
The following key agreement algorithm for encryption is not supported:
- Diffie-Hellman: https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-DHKeyValue
The following canonicalization algorithm for encryption, which is optional in the XML encryption specification, is not supported:
- Canonical XML with or without comments
- Exclusive XML Canonicalization with or without comments
DSA digital signature is not supported.
Pre-agreed symmetric key data encryption is not supported.
Auditing for nonrepudiation for digital signatures is not supported.
In both versions of the Username Token Profile specification, the digest password type is not supported.
In the Username Token Version 1.1 Profile specification, the key derivation based on a password is not supported.

Unsupported function for WS-Trust Version 1.0 Draft and Version 1.3

The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications that are not supported in WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later.

Table 10. Aspects of OASIS Trust V1.0 and V1.3 standard that are unsupported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are not supported.
Unsupported topic	Specific aspect that is not supported
Elements and attributes	/wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type Unsupported request options: for http://schemas.xmlsoap.org/ws/2005/02/trust/AsymmetricKey and http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey /wst:RequestSecurityToken/wst:Claims /wst:RequestSecurityToken/wst:AllowPostdating /wst:RequestSecurityToken/wst:OnBehalfOf /wst:RequestSecurityToken/wst:AuthenticationType /wst:RequestSecurityToken/wst:KeyType for http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey /wst:RequestSecurityToken/wst:SignatureAlgorithm /wst:RequestSecurityToken/wst:EncryptionAlgorithm /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm /wst:RequestSecurityToken/wst:Encryption /wst:RequestSecurityToken/wst:ProofEncryption /wst:RequestSecurityToken/wst:UseKey /wst:RequestSecurityToken/wst:UseKey/@Sig /wst:RequestSecurityToken/wst:SignWith /wst:RequestSecurityToken/wst:EncryptWith /wst:RequestSecurityToken/wst:DelegateTo /wst:RequestSecurityToken/wst:Forwardable /wst:RequestSecurityToken/wst:Delegatable /wst:RequestSecurityToken/wsp:Policy /wst:RequestSecurityToken/wsp:PolicyReference
Response elements and attributes	/wst:RequestSecurityTokenResponseCollection /wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse

Table 11. Aspects of OASIS Trust V1.3 standard that are unsupported in WebSphere Application Server . Use the table to determine which aspects of the OASIS standard are not supported.
Unsupported topic	Specific aspect that is not supported
Elements and attributes	/wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type Unsupported request options: for http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey and http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey /wst:RequestSecurityToken/wst:Claims /wst:RequestSecurityToken/wst:AllowPostdating /wst:RequestSecurityToken/wst:OnBehalfOf /wst:RequestSecurityToken/wst:AuthenticationType /wst:RequestSecurityToken/wst:KeyType for http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey and http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer /wst:RequestSecurityToken/wst:SignatureAlgorithm /wst:RequestSecurityToken/wst:EncryptionAlgorithm /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm /wst:RequestSecurityToken/wst:Encryption /wst:RequestSecurityToken/wst:ProofEncryption /wst:RequestSecurityToken/wst:UseKey /wst:RequestSecurityToken/wst:UseKey/@Sig /wst:RequestSecurityToken/wst:SignWith /wst:RequestSecurityToken/wst:EncryptWith /wst:RequestSecurityToken/wst:DelegateTo /wst:RequestSecurityToken/wst:Forwardable /wst:RequestSecurityToken/wst:Delegatable /wst:RequestSecurityToken/wsp:Policy /wst:RequestSecurityToken/wsp:PolicyReference
Response header	/wsa:Action Unsupported Responses: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Validate