Kerberos message protection for Web services
Message-level security is based on the Organization for the Advancement of Structured Information Standards (OASIS) WS-Security Kerberos Token Profile V1.1 specification. Use this topic to gain an overall understanding of how message protection is implemented with a Kerberos token for Web services.
Message protection
The appserver can interoperate with other Web services technology because of the implementation of the OASIS Web services Kerberos token profile. This spec defines the standards for securing a SOAP message with the Kerberos token. However, mutual authentication is not defined by the token profile. The OASIS Web Services SOAP Message Security spec describes how to secure a SOAP message through signing and encryption by using and referencing a Kerberos token. Specifically, the OASIS spec defines how the Kerberos token, as a wrapped or unwrapped AP_REQ packet, is encoded and attached to the SOAP message. The token that is described in the OASIS Kerberos token profile is limited to the AP_REQ packet, which consists of a service ticket and an authenticator. The AP_REQ packet is obtained from the Key Distribution Center (KDC), which serves as the third-party authentication service. Multiple formats exist for the Kerberos token, as defined in the OASIS WS-Security Kerberos Token Profile 1.1. The @ValueType attribute is used to specify the token format. Specify one of the following <@ValueType> attributes for the element:
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
The resulting AP_REQ token can be either GSS-API framed (wrapped) or raw (unwrapped). The token must be Base-64 encoded.
 
Related concepts
Kerberos token 
Related information
Kerberos Token Profile V1.1 specification
Kerberos Token Profile 1.1 Approved Errata