Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Web Services Security concepts > Web Services Security concepts > What is new for securing web services
Supported functionality from OASIS specifications
WAS v8 supports the Organization for the Advancement of Structured Information (OASIS) Web Services Security (WS-Security) specifications.
WAS supports these OASIS Web Services Security v1.0 specifications.
- OASIS: Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)
- OASIS: Web Services Security: UsernameToken Profile 1.0
- OASIS: Web Services Security X.509 Certificate Token Profile 1.0
In WAS v6.1 Feature Pack for Web Services, and later, support for the OASIS standards has been updated to the latest versions of Web Services Security (WS-Security) specifications and tokens. Web Services Security v1.1 provides better security verification for signature, a standard way of encrypting SOAP headers, and meets the requirement from some of the inter-operability scenarios that use features from Web Services Security v1.1.
- OASIS: Web Services Security: SOAP Message Security 1.1 (WS-Security 2004) OASIS Standard Specification, 1 February 2006
- OASIS: Web Services Security UsernameToken Profile 1.1 (Standard Specification, 1 February 2006)
- OASIS: Web Services Security X.509 Certificate Token Profile 1.1 (Standard Specification, 1 February 2006)
The following standards are supported only in WAS v7.0 and later.
- WS-Security Kerberos Token Profile 1.1
- WS-SecureConversation v1.3
- WS-Trust v1.3
- WS-SecurityPolicy v1.2
WS-SecurityPolicy support is only available for Web Services Metadata Exchange (WS-MetadataExchange) scenarios where the assertions are embedded in the WSDL file. For more information, read the WS-MetadataExchange requests topic.
In 2007, the OASIS Web Services Secure Exchange Technical Committee (WS-SX) produced and approved the following specifications. Portions of these specifications are supported by WAS v7 and later.
OASIS: Web Services Security SOAP Message Security 1.0 and 1.1
The following table shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 and 1.1 specifications that are supported in WAS Versions 6 and later.
Aspects of OASIS SOAP Message Security standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.
Supported topic Specific aspect that is supported Security header
- @S11:actor (for an intermediary)
- @S11:mustUnderstand
- @S12:mustUnderstand
- @S12:role (S12 is the namespace prefix for http://www.w3.org/2003/05/soap-envelope when using SOAP v1.2)
Security tokens
- Username token (user name and password)
- Binary security token (X.509 and Lightweight Third Party Authentication (LTPA)
- Custom token
- Other binary security token
- XML token
WAS does not provide an implementation, but you can use an XML token with plug-in point.
Token references
- Direct reference
- Key identifier
- Key name
- Embedded reference
Signature Signature confirmation Signature algorithms
- Digest
- SHA1
- http://www.w3.org/2000/09/xmldsig#sha1
- SHA256
- http://www.w3.org/2001/04/xmlenc#sha256
- SHA512
- http://www.w3.org/2001/04/xmlenc#sha512
- MAC
- HMAC-SHA1
- http://www.w3.org/2000/09/xmldsig#hmac-sha1
- Signature
- DSA with SHA1
- http://www.w3.org/2000/09/xmldsig#dsa-sha1
Do not use this algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP)
- RSA with SHA1
- http://www.w3.org/2000/09/xmldsig#rsa-sha1
- Canonicalization
- Canonical XML (with comments)
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Canonical XML (without comments)
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- Exclusive XML canonicalization (with comments)
- http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- Exclusive XML canonicalization (without comments)
- http://www.w3.org/2001/10/xml-exc-c14n#
- Transform
- STR transform
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage- security-1.0#STR-Transform
- XPath
- http://www.w3.org/TR/1999/REC-xpath-19991116
Do not use the original XPATH transform if you want your configured application to be in compliance with the Basic Security Profile (BSP).
When referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform, http://www.w3.org/2002/06/xmldsig-filter2
- Enveloped signature
- http://www.w3.org/2000/09/xmldsig#enveloped-signature
- XPath Filter2
- http://www.w3.org/2002/06/xmldsig-filter2
When referring to an element in a SECURE_ENVELOPE that does not carry an ID attribute type from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform, http://www.w3.org/2002/06/xmldsig-filter2
- Decryption transform
- http://www.w3.org/2002/07/decrypt#XML
Signature signed parts for JAX-RPC only
- WAS key words:
- body, which signs the SOAP message body
- timestamp, which signs all of the time stamps
- securitytoken, which signs all of the security tokens
- dsigkey, which signs the signing key
- enckey, which signs the encryption key
- messageid, which signs the wsa :MessageID element in WS-Addressing.
- to, which signs the wsa:To element in WS-Addressing
- action, which signs the wsa:Action element in WS-Addressing
- relatesto, which signs the wsa:RelatesTo element in WS-Addressing
wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing
- wscontext, which specifies the WS-Context header for the SOAP header.
- wsafrom, which specifies the <wsa:From> WS-Addressing From element in the SOAP header.
- wsareplyto, which specifies the <wsa:ReplyTo> WS-Addressing ReplyTo element in the SOAP header.
- wsafaultto, which specifies the <wsa:FaultTo> WS-Addressing FaultTo element in the SOAP header.
- wsaall, which specifies all of the WS-Addressing elements in the SOAP header.
- XPath expression to select an XML element in a SOAP message. See http://www.w3.org/TR/1999/REC-xpath-19991116.
Signature message parts for JAX-WS only
- Body (which signs the SOAP message body)
- Header (which signs one or more SOAP headers within the main SOAP header)
- XPath expression to select an XML element in a SOAP message.
- See http://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption EncryptedHeader element Encryption algorithms Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
- Data encryption
- Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
- AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc
This algorithm requires the unrestricted JCE policy file. See the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).
- AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc
This algorithm requires the unrestricted JCE policy file. See the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
- Key encryption
- Key transport (public key cryptography)
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
- When running with SDK v1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK v1.5.
- Use of the FIPS -compliant Java cryptography engine does not support this transport algorithm.
- RSA v1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5
- Symmetric key wrap (private key cryptography)
- Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
- AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
- AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192
This algorithm requires the unrestricted JCE policy file. See the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).
- AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256
This algorithm requires the unrestricted JCE policy file. See the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
- Manifests-xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core
- xenc:ReferenceList
- xenc:EncryptedKey
Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES (data encryption standard). Therefore, IBM recommends that you use AES, if possible, for symmetric key encryption.
Encryption message parts for JAX-RPC only
- WAS keywords
- bodycontent, which is used to encrypt the SOAP body content
- usernametoken, which is used to encrypt the username token
- digestvalue, which is used to encrypt the digest value of the digital signature
- signature, which is used to encrypt the entire digital signature
- wscontextcontent, which encrypts the content in the WS-Context header for the SOAP header.
- XPath expression to select the XML element in the SOAP message
- XML elements
- XML element contents
Encryption message parts for JAX-WS only
- Body (which encrypts the SOAP message body content)
- Header (which encrypts one or more SOAP headers within the main SOAP header, resulting in the EncryptedHeader element)
- XPath expression to select an XML element in a SOAP message
- See http://www.w3.org/TR/1999/REC-xpath-19991116.
Time stamp
- Within Web Services Security header
- WAS is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling SOAP faults
- New failure SOAP fault with faultcode
- The message has expired text has been added
OASIS: Web Services Security UsernameToken Profile 1.0
The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that is supported in WAS.
Aspects of OASIS Username Token Profile V1.0 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.
Supported topic Specific aspect that is supported Password types Text Token references Direct reference
OASIS: Web Services Security UsernameToken Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.1 specification that is supported in WAS. Items that were previously supported for Web Services Security UsernameToken Profile 1.0 are not listed but are still supported, unless noted otherwise.
Aspects of OASIS Username Token Profile V1.1 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.
Supported topic Specific aspect that is supported Password types Text Token references Direct reference
OASIS: Web Services Security X.509 Certificate Token Profile 1.0
The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that are supported in WAS Versions 6 and later.
Aspects of OASIS X.509 Certificate Token V1.0 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.
Supported topic Specific aspect that is supported Token types
- X.509 v3: Single certificate
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509v3
- X.509 v3: X509PKIPathv1 without certificate revocation lists (CRL)
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509PKIPathv1
- X.509 v3: PKCS7 with or without CRLs. The IBM software development kit (SDK) supports both. The Sun Java SE Development Kit 6 (JDK 6) supports PKCS7 without CRL only.
Token references
- Key identifier – subject key identifier
- Direct reference
- Custom reference – issuer name and serial number
OASIS: Web Services Security X.509 Certificate Token Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile 1.1 specification that are supported in WAS. Items that were previously supported for Web Services Security X.509 Certificate Token Profile 1.0 are not listed but are still supported, unless noted otherwise.
Aspects of OASIS X.509 Certificate Token V1.1 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.
Supported topic Specific aspect that is supported Token types X.509 v1: Single certificate Token references Key identifier – subject key identifier
- Can only reference an X.509v3 certificate
- Can specify the thumbprint of the specified certificate by using the http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 attribute of the <wsse:KeyIdentifier> element.
OASIS: Web Services Security Kerberos Token Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security Kerberos Token Profile 1.1 specification that are supported in WAS.
Aspects of OASIS Kerberos Token Profile standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.
Supported topic Specific aspect that is supported Token types
- GSS_API Kerberos v5 token
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
- GSS_API Kerberos v5 token per RFC1510
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
- GSS_API Kerberos v5 token per RFC4120
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
- Kerberos v5 token
http://docs.oasis-open.org/wss/oasiswss- kerberos-token-profile-1.1#Kerberosv5_AP_REQ
- Kerberos v5 token per RFC1510
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
- Kerberos v5 token per RFC4120
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ412
Token references
- Security token reference
- Key identifier, which is used after the initial Kerberos v5 token is consumed
- Derived key token based on the Kerberos key
OASIS: Web Services Security WS-Secure Conversation Draft and v1.3
The following table shows the aspects of the OASIS: WS-SecureConversation specification that are supported in WAS v6.1 Feature Pack for Web Services, and later. Support for v1.3 of the specification is provided in WAS v7.0 and later.
Aspects of OASIS SecureConversation standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.
Supported topic Specific aspect that is supported Token types
- security context token draft version: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
- security context token v1.3: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
Token references Direct reference Security context establishment Security context token created by a security token service that is embedded in the WAS. Renewing context Automatic renewal of the token when its about to expire. Cancelling context Explicit cancel request support. Derived keys The following information is used to derive the keys using a shared secret from a security context:
- /wsc:DerivedKeyToken/wsse:SecurityTokenReference
- /wsc:DerivedKeyToken/wsc:Label
- /wsc:DerivedKeyToken/wsc:Nonce
- /wsc:DerivedKeyToken/wsc:Length
Error handling SOAP faults, including:
- wsc:BadContextToken
- wsc:UnsupportedContextToken
- wsc:RenewNeeded
- wsc:UnableToRenew
OASIS: Web Services Security WS-Trust v1.0 Draft and v1.3
The following tables show the aspects of the OASIS: Web Services Security: WS-Trust v1.0 Draft and Version 1.3 specifications that are supported in WAS v6.1 Feature Pack for Web Services, and later.
Aspects of OASIS Trust V1.0 and V1.3 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.
Supported topic Specific aspect that is supported Namespace http://schemas.xmlsoap.org/ws/2005/02/trust Request header /wsa:Action Valid options include:
- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew
- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel
- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate
Request elements and attributes /wst:RequestSecurityToken /wst:RequestSecurityToken/@Context
/wst:RequestSecurityToken/wst:RequestType
- Valid options include:
- http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
- http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
- http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
- http://schemas.xmlsoap.org/ws/2005/02/trust/Validate
/wst:RequestSecurityToken/wst:TokenType
- Valid options include:
- for http://schemas.xmlsoap.org/ws/2005/02/sc/sct
- /wst:RequestSecurityToken/wsp:AppliesTo
- /wst:RequestSecurityToken/wst:Entropy
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type
- for http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
- /wst:RequestSecurityToken/wst:Lifetime
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Created
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires
- /wst:RequestSecurityToken/wst:KeySize
- /wst:RequestSecurityToken/wst:KeyType
- for http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
- /wst:RequestSecurityToken/wst:RenewTarget
- /wst:RequestSecurityToken/wst:Renewing
- /wst:RequestSecurityToken/wst:Renewing/@Allow
- /wst:RequestSecurityToken/wst:Renewing/@OK
- /wst:RequestSecurityToken/wst:CancelTarget
- /wst:RequestSecurityToken/wst:ValidateTarget
- /wst:RequestSecurityToken/wst:Issuer
Response header /wsa:Action Valid options include:
- http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
- http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew
- http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel
- http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate
Response elements and attributes /wst:RequestSecurityTokenResponse /wst:RequestSecurityTokenResponse/@Context
/wst:RequestSecurityTokenResponse/wst:TokenType
/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
/wst:RequestSecurityTokenResponse/wsp:AppliesTo
/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
/wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference
/wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference
/wst:RequestSecurityTokenResponse/wst:RequestedProofToken
/wst:RequestSecurityTokenResponse/wst:Entropy
/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret
/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type
/wst:RequestSecurityTokenResponse/wst:Lifetime
/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created
/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires
/wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey
/wst:RequestSecurityTokenResponse/wst:KeySize
/wst:RequestSecurityTokenResponse/wst:Renewing
/wst:RequestSecurityTokenResponse/wst:Renewing/@Allow
/wst:RequestSecurityTokenResponse/wst:Renewing/@OK
/wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled
/wst:RequestSecurityTokenResponse/wst:Status
/wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status/wst:Code
- Valid responses include:
- http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid
- http://schemas.xmlsoap.org/ws/2005/02/trust/status/invalid
/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason
Error handling wst:InvalidRequest wst:FailedAuthentication
wst:RequestFailed
wst:InvalidSecurityToken
wst:AuthenticationBadElements
wst:BadRequest
wst:ExpiredData
wst:InvalidTimeRange
wst:InvalidScope
wst:RenewNeeded
wst:UnableToRenew
Aspects of OASIS Trust V1.3 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.
Supported topic Specific aspect that is supported Namespace http://docs.oasis-open.org/ws-sx/ws-trust/200512 Request header /wsa:Action Valid options include:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate
Request elements and attributes /wst:RequestSecurityToken /wst:RequestSecurityToken/@Context
/wst:RequestSecurityToken/wst:RequestType
- Valid options include:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate
/wst:RequestSecurityToken/wst:TokenType
- Valid options include:
- for http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
- /wst:RequestSecurityToken/wsp:AppliesTo
- /wst:RequestSecurityToken/wst:Entropy
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type
- for http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce
- /wst:RequestSecurityToken/wst:Lifetime
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Created
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires
- /wst:RequestSecurityToken/wst:KeySize
- /wst:RequestSecurityToken/wst:KeyType
- for http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
- /wst:RequestSecurityToken/wst:RenewTarget
- /wst:RequestSecurityToken/wst:Renewing
- /wst:RequestSecurityToken/wst:Renewing/@Allow
- /wst:RequestSecurityToken/wst:Renewing/@OK
- /wst:RequestSecurityToken/wst:CancelTarget
- /wst:RequestSecurityToken/wst:ValidateTarget
- /wst:RequestSecurityToken/wst:Issuer
Response header /wsa:Action Valid options include:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/CancelFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/RenewFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/ValidateFinal
Response elements and attributes /wst:RequestSecurityTokenResponse /wst:RequestSecurityTokenResponse/@Context
/wst:RequestSecurityTokenResponse/wst:TokenType
/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
/wst:RequestSecurityTokenResponse/wsp:AppliesTo
/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
/wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference
/wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference
/wst:RequestSecurityTokenResponse/wst:RequestedProofToken
/wst:RequestSecurityTokenResponse/wst:Entropy
/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret
/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type
/wst:RequestSecurityTokenResponse/wst:Lifetime
/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created
/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires
/wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey
/wst:RequestSecurityTokenResponse/wst:KeySize
/wst:RequestSecurityTokenResponse/wst:Renewing
/wst:RequestSecurityTokenResponse/wst:Renewing/@Allow
/wst:RequestSecurityTokenResponse/wst:Renewing/@OK
/wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled
/wst:RequestSecurityTokenResponse/wst:Status
/wst:RequestSecurityTokenResponse/wst:Status/wst:Code
- Valid responses include:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/invalid
/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason
Error handling wst:InvalidRequest wst:FailedAuthentication
wst:RequestFailed
wst:InvalidSecurityToken
wst:AuthenticationBadElements
wst:BadRequest
wst:ExpiredData
wst:InvalidTimeRange
wst:InvalidScope
wst:RenewNeeded
wst:UnableToRenew
Functionality that is not supported by WAS
The following list shows the functionality that is supported in the OASIS specifications, OASIS drafts, and other recommendations but is not supported by WAS Version 6 and later:
- Web Services Security SOAP Messages with Attachments (SwA) profile 1.0
When using JAX-WS, securing the SOAP MTOM attachment is supported. See the topic Enabling MTOM for JAX-WS web services for more information.
- XrML token profile
- XML enveloping digital signature
- XML enveloping digital encryption
- The following WS-SecureConversation functionality is not supported by WAS:
- Two methods for establishing security context are not supported: 1) security context token created by one of the communicating parties and propagated with a message; and 2) security context token created through negotiation or exchanges.
- SCT propagation
- Amending security contexts
- The following transform algorithms for digital signatures are not supported:
- XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116
- SOAP Message Normalization
See SOAP v1.2 Message Normalization for information, such as an empty header or header entry with mustUnderstand=false is removed, and so forth.
- Decryption transform
- The following key agreement algorithm for encryption is not supported:
- The following canonicalization algorithm for encryption, which is optional in the XML encryption specification, is not supported:
- Canonical XML with or without comments
- Exclusive XML Canonicalization with or without comments
- DSA digital signature is not supported.
- Pre-agreed symmetric key data encryption is not supported.
- Auditing for nonrepudiation for digital signatures is not supported.
- In both versions of the Username Token Profile specification, the digest password type is not supported.
- In the Username Token v1.1 Profile specification, the key derivation based on a password is not supported.
Unsupported function for WS-Trust v1.0 Draft and v1.3
The following tables show the aspects of the OASIS: Web Services Security: WS-Trust v1.0 Draft and Version 1.3 specifications that are not supported in WAS v6.1 Feature Pack for Web Services, and later.
Table 10. Aspects of OASIS Trust V1.0 and V1.3 standard that are unsupported in WAS. Use the table to determine which aspects of the OASIS standard are not supported.
Unsupported topic Specific aspect that is not supported Elements and attributes /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type Unsupported request options:
- for http://schemas.xmlsoap.org/ws/2005/02/trust/AsymmetricKey and http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
- /wst:RequestSecurityToken/wst:Claims
- /wst:RequestSecurityToken/wst:AllowPostdating
- /wst:RequestSecurityToken/wst:OnBehalfOf
- /wst:RequestSecurityToken/wst:AuthenticationType
- /wst:RequestSecurityToken/wst:KeyType
- for http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
- /wst:RequestSecurityToken/wst:SignatureAlgorithm
- /wst:RequestSecurityToken/wst:EncryptionAlgorithm
- /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
- /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
- /wst:RequestSecurityToken/wst:Encryption
- /wst:RequestSecurityToken/wst:ProofEncryption
- /wst:RequestSecurityToken/wst:UseKey
- /wst:RequestSecurityToken/wst:UseKey/@Sig
- /wst:RequestSecurityToken/wst:SignWith
- /wst:RequestSecurityToken/wst:EncryptWith
- /wst:RequestSecurityToken/wst:DelegateTo
- /wst:RequestSecurityToken/wst:Forwardable
- /wst:RequestSecurityToken/wst:Delegatable
- /wst:RequestSecurityToken/wsp:Policy
- /wst:RequestSecurityToken/wsp:PolicyReference
Response elements and attributes /wst:RequestSecurityTokenResponseCollection /wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse
Table 11. Aspects of OASIS Trust V1.3 standard that are unsupported in WAS. Use the table to determine which aspects of the OASIS standard are not supported.
Unsupported topic Specific aspect that is not supported Elements and attributes /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type Unsupported request options:
- for http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey and http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
- /wst:RequestSecurityToken/wst:Claims
- /wst:RequestSecurityToken/wst:AllowPostdating
- /wst:RequestSecurityToken/wst:OnBehalfOf
- /wst:RequestSecurityToken/wst:AuthenticationType
- /wst:RequestSecurityToken/wst:KeyType
- for http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey and http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
- /wst:RequestSecurityToken/wst:SignatureAlgorithm
- /wst:RequestSecurityToken/wst:EncryptionAlgorithm
- /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
- /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
- /wst:RequestSecurityToken/wst:Encryption
- /wst:RequestSecurityToken/wst:ProofEncryption
- /wst:RequestSecurityToken/wst:UseKey
- /wst:RequestSecurityToken/wst:UseKey/@Sig
- /wst:RequestSecurityToken/wst:SignWith
- /wst:RequestSecurityToken/wst:EncryptWith
- /wst:RequestSecurityToken/wst:DelegateTo
- /wst:RequestSecurityToken/wst:Forwardable
- /wst:RequestSecurityToken/wst:Delegatable
- /wst:RequestSecurityToken/wsp:Policy
- /wst:RequestSecurityToken/wsp:PolicyReference
Response header /wsa:Action Unsupported Responses:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Validate
WS-MetadataExchange requests
Encrypted SOAP headers
Signature confirmation
Basic Security Profile compliance tips
What is new for securing web services
Enable MTOM for JAX-WS web services
Related
Encryption information configuration settings: Message parts