Supported functionality from OASIS specifications
The application server supports the Organization for the Advancement of Structured Information (OASIS) Web Services Security (WS-Security) specifications.
WebSphere Application Server supports these OASIS Web Services Security Version 1.0 specifications.
- OASIS: Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)
- OASIS: Web Services Security: UsernameToken Profile 1.0
- OASIS: Web Services Security X.509 Certificate Token Profile 1.0
In WAS v6.1 Feature Pack for Web Services, and later, support for the OASIS standards has been updated to the latest versions of Web Services Security (WS-Security) specifications and tokens. Web Services Security Version 1.1 provides better security verification for signature, a standard way of encrypting SOAP headers, and meets the requirement from some of the inter-operability scenarios that use features from Web Services Security Version 1.1.
- OASIS: Web Services Security: SOAP Message Security 1.1 (WS-Security 2004) OASIS Standard Specification, 1 February 2006
- OASIS: Web Services Security UsernameToken Profile 1.1 (Standard Specification, 1 February 2006)
- OASIS: Web Services Security X.509 Certificate Token Profile 1.1 (Standard Specification, 1 February 2006)
The following standards are supported only in WAS v7 and later.
- WS-Security Kerberos Token Profile 1.1
- WS-SecureConversation Version 1.3
- WS-Trust Version 1.3
- WS-SecurityPolicy Version 1.2
WS-SecurityPolicy support is only available for Web Services Metadata Exchange (WS-MetadataExchange) scenarios where the assertions are embedded in the WSDL file. For more information, read the WS-MetadataExchange requests topic.
In 2007, the OASIS Web Services Secure Exchange Technical Committee (WS-SX) produced and approved the following specifications. Portions of these specifications are supported by WebSphere Application Server Version 7 and later.
OASIS: Web Services Security SOAP Message Security 1.0 and 1.1
The following table shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 and 1.1 specifications that are supported in WAS v6 and later.
of OASIS SOAP Message Security standard supported in WebSphere Application Server. Use the table to determine which aspects of the
Supported topic Specific aspect that is supported Security header
- @S11:actor (for an intermediary)
- @S11:mustUnderstand
- @S12:mustUnderstand
- @S12:role (S12 is the namespace prefix for http://www.w3.org/2003/05/soap-envelope when using SOAP Version 1.2)
Security tokens
- Username token (user name and password)
- Binary security token (X.509 and LTPA> (LTPA)
- Custom token
- Other binary security token
- XML token
WAS does not provide an implementation, but we can use an XML token with plug-in point.
Token references
- Direct reference
- Key identifier
- Key name
- Embedded reference
Signature Signature confirmation Signature algorithms
- Digest
- SHA1
- http://www.w3.org/2000/09/xmldsig#sha1
- SHA256
- http://www.w3.org/2001/04/xmlenc#sha256
- SHA512
- http://www.w3.org/2001/04/xmlenc#sha512
- MAC
- HMAC-SHA1
- http://www.w3.org/2000/09/xmldsig#hmac-sha1
- Signature
- DSA with SHA1
- http://www.w3.org/2000/09/xmldsig#dsa-sha1
Do not use this algorithm if we want the configured application to be in compliance with the Basic Security Profile (BSP)
- RSA with SHA1
- http://www.w3.org/2000/09/xmldsig#rsa-sha1
- Canonicalization
- Canonical XML (with comments)
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Canonical XML (without comments)
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- Exclusive XML canonicalization (with comments)
- http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- Exclusive XML canonicalization (without comments)
- http://www.w3.org/2001/10/xml-exc-c14n#
- Transform
- STR transform
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage- security-1.0#STR-Transform
- XPath
- http://www.w3.org/TR/1999/REC-xpath-19991116
Do not use the original XPATH transform if we want the configured application to be in compliance with the Basic Security Profile (BSP).
When referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform, http://www.w3.org/2002/06/xmldsig-filter2
- Enveloped signature
- http://www.w3.org/2000/09/xmldsig#enveloped-signature
- XPath Filter2
- http://www.w3.org/2002/06/xmldsig-filter2
When referring to an element in a SECURE_ENVELOPE that does not carry an ID attribute type from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform, http://www.w3.org/2002/06/xmldsig-filter2
- Decryption transform
- http://www.w3.org/2002/07/decrypt#XML
Signature signed parts for JAX-RPC only
- WebSphere Application Server key words:
- body, which signs the SOAP message body
- timestamp, which signs all of the time stamps
- securitytoken, which signs all of the security tokens
- dsigkey, which signs the signing key
- enckey, which signs the encryption key
- messageid, which signs the wsa :MessageID element in WS-Addressing.
- to, which signs the wsa:To element in WS-Addressing
- action, which signs the wsa:Action element in WS-Addressing
- relatesto, which signs the wsa:RelatesTo element in WS-Addressing
wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing
- wscontext, which specifies the WS-Context header for the SOAP header.
- wsafrom, which specifies the <wsa:From> WS-Addressing From element in the SOAP header.
- wsareplyto, which specifies the <wsa:ReplyTo> WS-Addressing ReplyTo element in the SOAP header.
- wsafaultto, which specifies the <wsa:FaultTo> WS-Addressing FaultTo element in the SOAP header.
- wsaall, which specifies all of the WS-Addressing elements in the SOAP header.
- XPath expression to select an XML element in a SOAP message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.
Signature message parts for JAX-WS only
- Body (which signs the SOAP message body)
- Header (which signs one or more SOAP headers within the main SOAP header)
- XPath expression to select an XML element in a SOAP message.
- For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption EncryptedHeader element Encryption algorithms Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
- Data encryption
- Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
- AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
Do not use the 192-bit data encryption algorithm if we want the configured application to be in compliance with the Basic Security Profile (BSP).
- AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
- Key encryption
- Key transport (public key cryptography)
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
- When running with Software Development Kit (SDK) Version 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK Version 1.5.
- Use of the FIPS-compliant Java cryptography engine does not support this transport algorithm.
- RSA Version 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5
- Symmetric key wrap (private key cryptography)
- Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
- AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
- AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
Do not use the 192-bit data encryption algorithm if we want the configured application to be in compliance with the Basic Security Profile (BSP).
- AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
- Manifests-xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core
- xenc:ReferenceList
- xenc:EncryptedKey
Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES (data encryption standard). Therefore, IBM recommends that you use AES, if possible, for symmetric key encryption.
Encryption message parts for JAX-RPC only
- WebSphere Application Server keywords
- bodycontent, which is used to encrypt the SOAP body content
- usernametoken, which is used to encrypt the username token
- digestvalue, which is used to encrypt the digest value of the digital signature
- signature, which is used to encrypt the entire digital signature
- wscontextcontent, which encrypts the content in the WS-Context header for the SOAP header.
- XPath expression to select the XML element in the SOAP message
- XML elements
- XML element contents
Encryption message parts for JAX-WS only
- Body (which encrypts the SOAP message body content)
- Header (which encrypts one or more SOAP headers within the main SOAP header, resulting in the EncryptedHeader element)
- XPath expression to select an XML element in a SOAP message
- For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.
Time stamp
- Within Web Services Security header
- WebSphere Application Server is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling SOAP faults
- New failure SOAP fault with faultcode
- The message has expired text has been added
OASIS: Web Services Security UsernameToken Profile 1.0
The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that is supported in WebSphere Application Server.
V1.0 standard supported in WebSphere Application Server. Use the table to determine which aspects of the OASIS standard
Supported topic Specific aspect that is supported Password types Text Token references Direct reference
OASIS: Web Services Security UsernameToken Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.1 specification that is supported in WebSphere Application Server. Items that were previously supported for Web Services Security UsernameToken Profile 1.0 are not listed but are still supported, unless noted otherwise.
V1.1 standard supported in WebSphere Application Server. Use the table to determine which aspects of the OASIS standard
Supported topic Specific aspect that is supported Password types Text Token references Direct reference
OASIS: Web Services Security X.509 Certificate Token Profile 1.0
The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that are supported in WAS v6 and later.
of OASIS X.509 Certificate Token V1.0 standard supported in WebSphere Application Server. Use
Supported topic Specific aspect that is supported Token types
- X.509 Version 3: Single certificate
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509v3
- X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL)
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509PKIPathv1
- X.509 Version 3: PKCS7 with or without CRLs. The IBM SDK supports both. The Sun Java SE Development Kit 6 (JDK 6) supports PKCS7 without CRL only.
Token references
- Key identifier - subject key identifier
- Direct reference
- Custom reference - issuer name and serial number
OASIS: Web Services Security X.509 Certificate Token Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile 1.1 specification that are supported in WebSphere Application Server. Items that were previously supported for Web Services Security X.509 Certificate Token Profile 1.0 are not listed but are still supported, unless noted otherwise.
of OASIS X.509 Certificate Token V1.1 standard supported in WebSphere Application Server. Use
Supported topic Specific aspect that is supported Token types X.509 Version 1: Single certificate Token references Key identifier - subject key identifier
- Can only reference an X.509v3 certificate
- Can specify the thumbprint of the specified certificate using the http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 attribute of the <wsse:KeyIdentifier> element.
OASIS: Web Services Security Kerberos Token Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security Kerberos Token Profile 1.1 specification that are supported in WebSphere Application Server.
standard supported in WebSphere Application Server. Use the table to determine which aspects of the OASIS standard
Supported topic Specific aspect that is supported Token types
- GSS_API Kerberos v5 token
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
- GSS_API Kerberos v5 token per RFC1510
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
- GSS_API Kerberos v5 token per RFC4120
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
- Kerberos v5 token
http://docs.oasis-open.org/wss/oasiswss- kerberos-token-profile-1.1#Kerberosv5_AP_REQ
- Kerberos v5 token per RFC1510
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
- Kerberos v5 token per RFC4120
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ412
Token references
- Security token reference
- Key identifier, which is used after the initial Kerberos v5 token is consumed
- Derived key token based on the Kerberos key
OASIS: Web Services Security WS-Secure Conversation Draft and Version 1.3
The following table shows the aspects of the OASIS: WS-SecureConversation specification that are supported in WAS v6.1 Feature Pack for Web Services, and later. Support for Version 1.3 of the specification is provided in WAS v7 and later.
of OASIS SecureConversation standard supported in WebSphere Application Server. Use the table to determine which aspects of the
Supported topic Specific aspect that is supported Token types
- Security Context Token draft version: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
- Security Context Token Version 1.3: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
Token references Direct reference Security context establishment Security context token created by a security token service embedded in the WAS. Renewing context Automatic renewal of the token when its about to expire. Cancelling context Explicit cancel request support. Derived keys The following information is used to derive the keys using a shared secret from a security context:
- /wsc:DerivedKeyToken/wsse:SecurityTokenReference
- /wsc:DerivedKeyToken/wsc:Label
- /wsc:DerivedKeyToken/wsc:Nonce
- /wsc:DerivedKeyToken/wsc:Length
Error handling SOAP faults, including:
- wsc:BadContextToken
- wsc:UnsupportedContextToken
- wsc:RenewNeeded
- wsc:UnableToRenew
OASIS: Web Services Security WS-Trust Version 1.0 Draft and Version 1.3
The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications that are supported in WAS v6.1 Feature Pack for Web Services, and later.
standard supported in WebSphere Application Server. Use the table to determine which aspects of the OASIS standard
Supported topic Specific aspect that is supported Namespace http://schemas.xmlsoap.org/ws/2005/02/trust Request header /wsa:Action Valid options include:
- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew
- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel
- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate
Request elements and attributes /wst:RequestSecurityToken
/wst:RequestSecurityToken/@Context
/wst:RequestSecurityToken/wst:RequestType
- Valid options include:
- http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
- http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
- http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
- http://schemas.xmlsoap.org/ws/2005/02/trust/Validate
/wst:RequestSecurityToken/wst:TokenType
- Valid options include:
- for http://schemas.xmlsoap.org/ws/2005/02/sc/sct
- /wst:RequestSecurityToken/wsp:AppliesTo
- /wst:RequestSecurityToken/wst:Entropy
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type
- for http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
- /wst:RequestSecurityToken/wst:Lifetime
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Created
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires
- /wst:RequestSecurityToken/wst:KeySize
- /wst:RequestSecurityToken/wst:KeyType
- for http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
- /wst:RequestSecurityToken/wst:RenewTarget
- /wst:RequestSecurityToken/wst:Renewing
- /wst:RequestSecurityToken/wst:Renewing/@Allow
- /wst:RequestSecurityToken/wst:Renewing/@OK
- /wst:RequestSecurityToken/wst:CancelTarget
- /wst:RequestSecurityToken/wst:ValidateTarget
- /wst:RequestSecurityToken/wst:Issuer
Response header /wsa:Action Valid options include:
- http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
- http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew
- http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel
- http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate
Response elements and attributes /wst:RequestSecurityTokenResponse
/wst:RequestSecurityTokenResponse/@Context
/wst:RequestSecurityTokenResponse/wst:TokenType
/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
/wst:RequestSecurityTokenResponse/wsp:AppliesTo
/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
/wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference
/wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference
/wst:RequestSecurityTokenResponse/wst:RequestedProofToken
/wst:RequestSecurityTokenResponse/wst:Entropy
/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret
/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type
/wst:RequestSecurityTokenResponse/wst:Lifetime
/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created
/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires
/wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey
/wst:RequestSecurityTokenResponse/wst:KeySize
/wst:RequestSecurityTokenResponse/wst:Renewing
/wst:RequestSecurityTokenResponse/wst:Renewing/@Allow
/wst:RequestSecurityTokenResponse/wst:Renewing/@OK
/wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled
/wst:RequestSecurityTokenResponse/wst:Status
/wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status/wst:Code
- Valid responses include:
- http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid
- http://schemas.xmlsoap.org/ws/2005/02/trust/status/invalid
/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason
Error handling wst:InvalidRequest
wst:FailedAuthentication
wst:RequestFailed
wst:InvalidSecurityToken
wst:AuthenticationBadElements
wst:BadRequest
wst:ExpiredData
wst:InvalidTimeRange
wst:InvalidScope
wst:RenewNeeded
wst:UnableToRenew
V1.3 standard supported in WebSphere Application Server. Use the table to determine which aspects of the OASIS standard
Supported topic Specific aspect that is supported Namespace http://docs.oasis-open.org/ws-sx/ws-trust/200512 Request header /wsa:Action Valid options include:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate
Request elements and attributes /wst:RequestSecurityToken
/wst:RequestSecurityToken/@Context
/wst:RequestSecurityToken/wst:RequestType
- Valid options include:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate
/wst:RequestSecurityToken/wst:TokenType
- Valid options include:
- for http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
- /wst:RequestSecurityToken/wsp:AppliesTo
- /wst:RequestSecurityToken/wst:Entropy
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret
- /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type
- for http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce
- /wst:RequestSecurityToken/wst:Lifetime
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Created
- /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires
- /wst:RequestSecurityToken/wst:KeySize
- /wst:RequestSecurityToken/wst:KeyType
- for http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
- /wst:RequestSecurityToken/wst:RenewTarget
- /wst:RequestSecurityToken/wst:Renewing
- /wst:RequestSecurityToken/wst:Renewing/@Allow
- /wst:RequestSecurityToken/wst:Renewing/@OK
- /wst:RequestSecurityToken/wst:CancelTarget
- /wst:RequestSecurityToken/wst:ValidateTarget
- /wst:RequestSecurityToken/wst:Issuer
Response header /wsa:Action Valid options include:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/CancelFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/RenewFinal
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/ValidateFinal
Response elements and attributes /wst:RequestSecurityTokenResponse
/wst:RequestSecurityTokenResponse/@Context
/wst:RequestSecurityTokenResponse/wst:TokenType
/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
/wst:RequestSecurityTokenResponse/wsp:AppliesTo
/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken
/wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference
/wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference
/wst:RequestSecurityTokenResponse/wst:RequestedProofToken
/wst:RequestSecurityTokenResponse/wst:Entropy
/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret
/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type
/wst:RequestSecurityTokenResponse/wst:Lifetime
/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created
/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires
/wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey
/wst:RequestSecurityTokenResponse/wst:KeySize
/wst:RequestSecurityTokenResponse/wst:Renewing
/wst:RequestSecurityTokenResponse/wst:Renewing/@Allow
/wst:RequestSecurityTokenResponse/wst:Renewing/@OK
/wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled
/wst:RequestSecurityTokenResponse/wst:Status
/wst:RequestSecurityTokenResponse/wst:Status/wst:Code
- Valid responses include:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/invalid
/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason
Error handling wst:InvalidRequest
wst:FailedAuthentication
wst:RequestFailed
wst:InvalidSecurityToken
wst:AuthenticationBadElements
wst:BadRequest
wst:ExpiredData
wst:InvalidTimeRange
wst:InvalidScope
wst:RenewNeeded
wst:UnableToRenew
Functionality that is not supported by WebSphere Application Server
The following list shows the functionality that is supported in the OASIS specifications, OASIS drafts, and other recommendations but is not supported by WAS v6 and later:
- Web Services Security SOAP Messages with Attachments (SwA) profile 1.0
When using the JAX-WS programming model, securing the SOAP Message Transmission Optimization Mechanism (MTOM) attachment is supported. See the topic Enable MTOM for JAX-WS web services for more information.
- XrML token profile
- XML enveloping digital signature
- XML enveloping digital encryption
- The following WS-SecureConversation functionality is not supported by WebSphere Application Server:
- Two methods for establishing security context are not supported: 1) security context token created by one of the communicating parties and propagated with a message; and 2) security context token created through negotiation or exchanges.
- SCT propagation
- Amending security contexts
- The following transform algorithms for digital signatures are not supported:
- XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116
- SOAP Message Normalization
See SOAP Version 1.2 Message Normalization for information, such as an empty header or header entry with mustUnderstand=false is removed, and so forth.
- Decryption transform
- The following key agreement algorithm for encryption is not supported:
- The following canonicalization algorithm for encryption, which is optional in the XML encryption specification, is not supported:
- Canonical XML with or without comments
- Exclusive XML Canonicalization with or without comments
- DSA digital signature is not supported.
- Pre-agreed symmetric key data encryption is not supported.
- Auditing for nonrepudiation for digital signatures is not supported.
- In both versions of the Username Token Profile specification, the digest password type is not supported.
- In the Username Token Version 1.1 Profile specification, the key derivation based on a password is not supported.
Unsupported function for WS-Trust Version 1.0 Draft and Version 1.3
The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications that are not supported in WAS v6.1 Feature Pack for Web Services, and later.
standard that are unsupported in WebSphere Application Server. Use the table to determine which aspects of the
Unsupported topic Specific aspect that is not supported Elements and attributes /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type
Unsupported request options:
- for http://schemas.xmlsoap.org/ws/2005/02/trust/AsymmetricKey and http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
- /wst:RequestSecurityToken/wst:Claims
- /wst:RequestSecurityToken/wst:AllowPostdating
- /wst:RequestSecurityToken/wst:OnBehalfOf
- /wst:RequestSecurityToken/wst:AuthenticationType
- /wst:RequestSecurityToken/wst:KeyType
- for http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
- /wst:RequestSecurityToken/wst:SignatureAlgorithm
- /wst:RequestSecurityToken/wst:EncryptionAlgorithm
- /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
- /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
- /wst:RequestSecurityToken/wst:Encryption
- /wst:RequestSecurityToken/wst:ProofEncryption
- /wst:RequestSecurityToken/wst:UseKey
- /wst:RequestSecurityToken/wst:UseKey/@Sig
- /wst:RequestSecurityToken/wst:SignWith
- /wst:RequestSecurityToken/wst:EncryptWith
- /wst:RequestSecurityToken/wst:DelegateTo
- /wst:RequestSecurityToken/wst:Forwardable
- /wst:RequestSecurityToken/wst:Delegatable
- /wst:RequestSecurityToken/wsp:Policy
- /wst:RequestSecurityToken/wsp:PolicyReference
Response elements and attributes /wst:RequestSecurityTokenResponseCollection
/wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse
V1.3 standard that are unsupported in WebSphere Application Server. Use the table to determine which aspects of the
Unsupported topic Specific aspect that is not supported Elements and attributes /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type
Unsupported request options:
- for http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey and http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
- /wst:RequestSecurityToken/wst:Claims
- /wst:RequestSecurityToken/wst:AllowPostdating
- /wst:RequestSecurityToken/wst:OnBehalfOf
- /wst:RequestSecurityToken/wst:AuthenticationType
- /wst:RequestSecurityToken/wst:KeyType
- for http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey and http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
- /wst:RequestSecurityToken/wst:SignatureAlgorithm
- /wst:RequestSecurityToken/wst:EncryptionAlgorithm
- /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
- /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
- /wst:RequestSecurityToken/wst:Encryption
- /wst:RequestSecurityToken/wst:ProofEncryption
- /wst:RequestSecurityToken/wst:UseKey
- /wst:RequestSecurityToken/wst:UseKey/@Sig
- /wst:RequestSecurityToken/wst:SignWith
- /wst:RequestSecurityToken/wst:EncryptWith
- /wst:RequestSecurityToken/wst:DelegateTo
- /wst:RequestSecurityToken/wst:Forwardable
- /wst:RequestSecurityToken/wst:Delegatable
- /wst:RequestSecurityToken/wsp:Policy
- /wst:RequestSecurityToken/wsp:PolicyReference
Response header /wsa:Action
Unsupported Responses:
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Validate
Related concepts
WS-MetadataExchange requests Encrypted SOAP headers Signature confirmation Basic Security Profile compliance tips
Related tasks
Enable MTOM for JAX-WS web services
Encryption information configuration settings: Message parts