LTPA and LTPA v2 tokens

Web services security supports both LTPA (Version 1) and LTPA v2 (LTPA2) tokens. The LTPA2 token, which is more secure than Version 1, is supported by the JAX-WS runtime only.

The support statements in this topic apply to the web services security implementation for WebSphere Application Server and not the security implementation for non-web services functionality.

The LTPA token is a specific type of binary security token. The web services security implementation for WAS v5 and later supports the LTPA Version 1 token. WAS v7 and later supports the LTPA v2 token using the JAX-WS runtime environment.

Although the same LTPAToken assertion is used in the policy for both LTPA Version 1 and LTPA v2, the valuetype value for the v2 token is different from the Version 1 value. The valuetype value is composed of the URI and the local name. The following table shows the valuetype values for the LTPA token versions when they are selected as the token type for the policy set bindings. These values are not editable.

LTPA Version token | Valuetype value
-------------------|----------------
LTPA (Version 1)   | http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA
LTPA2              | http://www.ibm.com/websphere/appserver/tokentype/LTPAv2

To allow for interoperability between servers running different versions of WAS, by default, the JAX-WS web services security runtime in v7.0 and later can successfully consume an LTPA Version 1 token when the binding is configured to expect an LTPA2 token. However, we can configure the binding for the JAX-WS runtime to accept only LTPA2 tokens. For more information, see the documentation about Authentication generator or consumer token settings.

If the web services security run time receives a token with an unrecognized valuetype value and the SOAP security header contains a mustUnderstand attribute value that is equal to '1', the web services security run time issues a SOAPFaultException error. If the mustUnderstand attribute value is equal to '0', the token is ignored.

If an LTPA2 token is sent with a mustUnderstand attribute value that is equal to '1' to a web services security run time in which the LTPA2 token is not supported, the run time does not recognize the LTPAv2 valuetype value. Thus, the receiving run time issues a SOAPFaultException error. The following table shows, for an LTPA2 token sent to such a run time, the different configurations and the error messages that can result.

Run time | LTPA Version 1 token status | MustUnderstand attribute value | SOAPFaultException error
---------|-----------------------------|--------------------------------|-------------------------
JAX-RPC | Required | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required.
JAX-RPC | Required | 0 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required.
JAX-RPC | Optional | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5502E: Unexpected element as the target element: s:BinarySecurityToken.
JAX-RPC | Optional | 0 | None
JAX-RPC | Not Configured | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5502E: Unexpected element as the target element: s:BinarySecurityToken.
JAX-RPC | Not Configured | 0 | None
JAX-WS (v6.1 Feature Pack for Web Services) | Not Configured | 1 | CWWSS5502E: The target element: s:BinarySecurityToken was not expected.
JAX-WS (v6.1 Feature Pack for Web Services) | Not Configured | 0 | None
JAX-WS (v6.1 Feature Pack for Web Services) | Configured | 1 | CWWSS5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required.
JAX-WS (v6.1 Feature Pack for Web Services) | Configured | 0 | CWWSS5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required.
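The consumer-side decisions described above (accept LTPA Version 1 under an LTPA2 binding by default, fault on an unrecognized valuetype only when mustUnderstand is '1', ignore it otherwise, and fault when a required token is absent) can be modelled in a few lines. The following is an added example written for this page, not WebSphere code: the SOAP 1.1 and WS-Security namespaces are the standard ones, the two ValueType URIs are the values from the table above, and the envelope builder, the `recognized`/`interop_v1` parameters and the fault messages are assumptions made to illustrate the rules, not the product's real configuration keys or message text.

```python
"""Model of the LTPA token-consumer rules described on this page (added example)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# ValueType values from the page; they are not editable in the bindings.
LTPA_V1 = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA"
LTPA_V2 = "http://www.ibm.com/websphere/appserver/tokentype/LTPAv2"

# Assumed sets of ValueTypes each kind of run time recognizes.
JAXWS_V7 = {LTPA_V1, LTPA_V2}   # v7.0+ JAX-WS run time
LEGACY = {LTPA_V1}              # JAX-RPC or v6.1 run time: no LTPA2 support


class SOAPFaultException(Exception):
    """Stand-in for the SOAPFaultException the run time would raise."""


def consume_ltpa(envelope_xml, *, expected, recognized, required=True,
                 interop_v1=True):
    """Return the ValueType of the accepted token, None if nothing was accepted
    and no token was required, or raise SOAPFaultException.

    expected   - ValueType the binding is configured to consume
    recognized - ValueTypes this run time knows (assumed parameter)
    required   - whether the binding marks the token as required
    interop_v1 - v7.0+ default: accept LTPA v1 where LTPA2 is expected;
                 False models a binding configured for LTPA2 only
    """
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if security is None:
        tokens, must_understand = [], "0"
    else:
        tokens = security.findall(f"{{{WSSE_NS}}}BinarySecurityToken")
        must_understand = security.get(f"{{{SOAP_NS}}}mustUnderstand", "0")

    for bst in tokens:
        value_type = bst.get("ValueType")
        if value_type not in recognized:
            # Unrecognized valuetype: fault only if the header must be
            # understood; otherwise the token is ignored.
            if must_understand == "1":
                raise SOAPFaultException(
                    f"unrecognized token ValueType {value_type}")
            continue
        if value_type == expected:
            return value_type
        if expected == LTPA_V2 and value_type == LTPA_V1 and interop_v1:
            return value_type  # interoperability: v1 accepted under LTPA2
        # Recognized, but not the type this binding accepts: keep looking.

    if required:
        raise SOAPFaultException(
            f"A security token whose type is [{expected}] is required.")
    return None


def build_envelope(value_type, must_understand="1"):
    """Construct a minimal SOAP 1.1 envelope carrying one BinarySecurityToken.
    The token body is a constructed placeholder; a real LTPA token is an
    opaque base64 blob issued by the server."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" '
        f'soapenv:mustUnderstand="{must_understand}">'
        f'<wsse:BinarySecurityToken ValueType="{value_type}">'
        f'UExBQ0VIT0xERVI=</wsse:BinarySecurityToken>'
        f'</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
    )


def outcome(envelope_xml, **binding):
    """Fold consume_ltpa's result or fault into a short status string."""
    try:
        accepted = consume_ltpa(envelope_xml, **binding)
    except SOAPFaultException as fault:
        return f"fault: {fault}"
    return "ignored" if accepted is None else f"accepted: {accepted}"


if __name__ == "__main__":
    # LTPA v1 token arriving at a v7 JAX-WS binding that expects LTPA2.
    print(outcome(build_envelope(LTPA_V1), expected=LTPA_V2, recognized=JAXWS_V7))
    # Same binding configured for LTPA2 only.
    print(outcome(build_envelope(LTPA_V1), expected=LTPA_V2,
                  recognized=JAXWS_V7, interop_v1=False))
    # LTPA2 token arriving at a legacy run time, mustUnderstand 1 and 0.
    print(outcome(build_envelope(LTPA_V2, "1"), expected=LTPA_V1,
                  recognized=LEGACY, required=False))
    print(outcome(build_envelope(LTPA_V2, "0"), expected=LTPA_V1,
                  recognized=LEGACY, required=False))
```

The last two calls correspond to the "Optional"/"Not Configured" rows of the table: with mustUnderstand '1' the unrecognized LTPAv2 valuetype produces a fault, with '0' the token is silently ignored. Setting `required=True` on the legacy binding reproduces the "Required" rows, where the ignored token leaves the binding without the token it demands and a fault results regardless of the mustUnderstand value.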

We can configure the JAX-WS run time to generate either LTPA (Version 1) or LTPA2 tokens. If we configure the LTPA token generator in a policy binding to generate an LTPA (Version 1) token, we must do one of the following:

If we do not perform at least one of the steps previously indicated, an error occurs when the application, which is attached to these bindings, is started.


Related:

  • Binary security token
  • Enable or disable single sign-on interoperability mode for the LTPA token
  • Authentication generator or consumer token settings
  • Single sign-on settings