
Supported functionality from OASIS specifications

The application server supports the Organization for the Advancement of Structured Information (OASIS) Web Services Security (WS-Security) specifications.

WebSphere Application Server supports these OASIS Web Services Security Version 1.0 specifications.

In WAS v6.1 Feature Pack for Web Services, and later, support for the OASIS standards has been updated to the latest versions of the Web Services Security (WS-Security) specifications and token profiles. Web Services Security Version 1.1 provides better security verification for signatures, a standard way of encrypting SOAP headers, and meets the requirements of interoperability scenarios that use Web Services Security Version 1.1 features.

The following standards are supported only in WAS v7.0 and later.

WS-SecurityPolicy support is only available for Web Services Metadata Exchange (WS-MetadataExchange) scenarios where the assertions are embedded in the WSDL file. For more information, read the WS-MetadataExchange requests topic.

In 2007, the OASIS Web Services Secure Exchange Technical Committee (WS-SX) produced and approved the following specifications. Portions of these specifications are supported by WAS v7 and later.


OASIS: Web Services Security SOAP Message Security 1.0 and 1.1

The following table shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 and 1.1 specifications supported in WAS Versions 6 and later.

Supported topic | Specific aspect supported
Security header

  • @S11:actor (for an intermediary)
  • @S11:mustUnderstand
  • @S12:mustUnderstand
  • @S12:role (S12 is the namespace prefix for http://www.w3.org/2003/05/soap-envelope when using SOAP Version 1.2)

Security tokens

  • Username token (user name and password)
  • Binary security token (X.509 and LTPA)
  • Custom token

    • Other binary security token
    • XML token

      WAS does not provide an implementation, but we can use an XML token through the plug-in point.

Token references

  • Direct reference
  • Key identifier
  • Key name
  • Embedded reference

Signature | Signature confirmation
Signature algorithms

  • Digest

    SHA1

    http://www.w3.org/2000/09/xmldsig#sha1

    SHA256

    http://www.w3.org/2001/04/xmlenc#sha256

    SHA512

    http://www.w3.org/2001/04/xmlenc#sha512
  • MAC

    HMAC-SHA1

    http://www.w3.org/2000/09/xmldsig#hmac-sha1
  • Signature

    DSA with SHA1

    http://www.w3.org/2000/09/xmldsig#dsa-sha1

    Do not use this algorithm if we want our configured application to comply with the Basic Security Profile (BSP).

    RSA with SHA1

    http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • Canonicalization

    Canonical XML (with comments)

    http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

    Canonical XML (without comments)

    http://www.w3.org/TR/2001/REC-xml-c14n-20010315

    Exclusive XML canonicalization (with comments)

    http://www.w3.org/2001/10/xml-exc-c14n#WithComments

    Exclusive XML canonicalization (without comments)

    http://www.w3.org/2001/10/xml-exc-c14n#
  • Transform

    STR transform

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

    XPath

    http://www.w3.org/TR/1999/REC-xpath-19991116

    Do not use the original XPath transform if we want our configured application to comply with the Basic Security Profile (BSP).

    When a ds:Reference in a SIGNATURE refers to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID, use the XPath Filter 2.0 transform, http://www.w3.org/2002/06/xmldsig-filter2.

    Enveloped signature

    http://www.w3.org/2000/09/xmldsig#enveloped-signature

    XPath Filter2

    http://www.w3.org/2002/06/xmldsig-filter2

    When a ds:Reference in a SIGNATURE refers to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID, use this XPath Filter 2.0 transform rather than the original XPath transform.

    Decryption transform

    http://www.w3.org/2002/07/decrypt#XML

Signature signed parts for JAX-RPC only

  • WebSphere Application Server key words:

    • body, which signs the SOAP message body
    • timestamp, which signs all of the time stamps
    • securitytoken, which signs all of the security tokens
    • dsigkey, which signs the signing key
    • enckey, which signs the encryption key
    • messageid, which signs the wsa:MessageID element in WS-Addressing
    • to, which signs the wsa:To element in WS-Addressing
    • action, which signs the wsa:Action element in WS-Addressing
    • relatesto, which signs the wsa:RelatesTo element in WS-Addressing

      wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing

    • wscontext, which specifies the WS-Context header for the SOAP header.
    • wsafrom, which specifies the <wsa:From> WS-Addressing From element in the SOAP header.
    • wsareplyto, which specifies the <wsa:ReplyTo> WS-Addressing ReplyTo element in the SOAP header.
    • wsafaultto, which specifies the <wsa:FaultTo> WS-Addressing FaultTo element in the SOAP header.
    • wsaall, which specifies all of the WS-Addressing elements in the SOAP header.

  • XPath expression to select an XML element in a SOAP message. See http://www.w3.org/TR/1999/REC-xpath-19991116.

Signature message parts for JAX-WS only

  • Body (which signs the SOAP message body)
  • Header (which signs one or more SOAP headers within the main SOAP header)
  • XPath expression to select an XML element in a SOAP message.

    • See http://www.w3.org/TR/1999/REC-xpath-19991116.

Encryption | EncryptedHeader element
Encryption algorithms

Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, we must check the laws of our country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.

  • Data encryption

    • Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc

      This algorithm requires the unrestricted JCE policy file. See the Key encryption algorithm description in the Encryption information configuration settings: Message parts topic.

      Do not use the 192-bit data encryption algorithm if we want our configured application to comply with the Basic Security Profile (BSP).

    • AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc

      This algorithm requires the unrestricted JCE policy file. See the Key encryption algorithm description in the Encryption information configuration settings: Message parts topic.

  • Key encryption

    • Key transport (public key cryptography)

    • Symmetric key wrap (private key cryptography)

      • Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
      • AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
      • AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192

        This algorithm requires the unrestricted JCE policy file. See the Key encryption algorithm description in the Encryption information configuration settings: Message parts topic.

        Do not use this 192-bit algorithm if we want our configured application to comply with the Basic Security Profile (BSP).

      • AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256

        This algorithm requires the unrestricted JCE policy file. See the Key encryption algorithm description in the Encryption information configuration settings: Message parts topic.

  • Manifests (xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core)

    • xenc:ReferenceList
    • xenc:EncryptedKey

AES is designed to provide stronger security and better performance than Triple DES (Triple Data Encryption Standard) for symmetric key encryption. Therefore, IBM recommends that we use AES, if possible, for symmetric key encryption.
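The following Python script is an added example, not code from this page or from WebSphere: it walks a constructed SOAP envelope (placeholder base64 values, not a real message) and reports every signature, canonicalization, transform, and encryption algorithm URI that the tables above list as unsupported, as not BSP compliant, or as needing the unrestricted JCE policy file. The verdict strings and the handling of key transport algorithms (which the tables do not enumerate) are this script's own conventions.

```python
"""Audit the algorithm URIs in a WS-Security message against the support tables above.
Added example, not WebSphere code. Verdict names are this script's own; SAMPLE_ENVELOPE is a
constructed message with placeholder base64 values, not a real capture."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
XPATH_1999 = "http://www.w3.org/TR/1999/REC-xpath-19991116"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"

# Algorithm URIs the tables list as supported, keyed by where they appear in the message.
SUPPORTED = {
    "digest": {DS + "sha1", XENC + "sha256", XENC + "sha512"},
    "signature": {DS + "dsa-sha1", DS + "rsa-sha1", DS + "hmac-sha1"},
    "c14n": {C14N, C14N + "#WithComments", EXC_C14N, EXC_C14N + "WithComments"},
    "transform": {STR_TRANSFORM, XPATH_1999, DS + "enveloped-signature",
                  "http://www.w3.org/2002/06/xmldsig-filter2", "http://www.w3.org/2002/07/decrypt#XML"},
    "data-encryption": {XENC + a for a in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")},
    "key-wrap": {XENC + a for a in ("kw-tripledes", "kw-aes128", "kw-aes192", "kw-aes256")},
}
# Listed above as algorithms to avoid when the application must comply with the Basic Security Profile.
NOT_BSP = {DS + "dsa-sha1", XPATH_1999, XENC + "aes192-cbc", XENC + "kw-aes192"}
# Listed above as requiring the unrestricted JCE policy file.
NEEDS_UNRESTRICTED_JCE = {XENC + a for a in ("aes192-cbc", "aes256-cbc", "kw-aes192", "kw-aes256")}
# (ElementTree path, category); every matched element carries an Algorithm attribute.
CHECKS = [
    (f".//{{{DS}}}DigestMethod", "digest"),
    (f".//{{{DS}}}SignatureMethod", "signature"),
    (f".//{{{DS}}}CanonicalizationMethod", "c14n"),
    (f".//{{{DS}}}Transform", "transform"),
    (f".//{{{XENC}}}EncryptedData/{{{XENC}}}EncryptionMethod", "data-encryption"),
    (f".//{{{XENC}}}EncryptedKey/{{{XENC}}}EncryptionMethod", "key-wrap"),
]


def audit_algorithms(envelope_xml: str) -> list:
    """Return (category, algorithm URI, verdict) for each algorithm that needs attention."""
    findings = []
    root = ET.fromstring(envelope_xml)
    for path, category in CHECKS:
        for element in root.findall(path):
            uri = element.get("Algorithm", "")
            if category == "key-wrap" and not uri.startswith(XENC + "kw-"):
                # Key transport (public key) URIs are not enumerated above, so report without judging.
                findings.append((category, uri, "key-transport-not-checked"))
            elif uri not in SUPPORTED[category]:
                findings.append((category, uri, "unsupported"))
            elif uri in NOT_BSP:
                findings.append((category, uri, "not-bsp-compliant"))
            elif uri in NEEDS_UNRESTRICTED_JCE:
                findings.append((category, uri, "needs-unrestricted-jce"))
    return findings


SAMPLE_ENVELOPE = """<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <S11:Header><wsse:Security S11:mustUnderstand="1">
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"/>
   <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#enc-body"/></xenc:ReferenceList></xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
   <ds:Reference URI="#body"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"/></ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
 </wsse:Security></S11:Header>
 <S11:Body><xenc:EncryptedData Id="enc-body" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
  <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></S11:Body>
</S11:Envelope>"""

if __name__ == "__main__":
    for category, uri, verdict in audit_algorithms(SAMPLE_ENVELOPE):
        print(f"{verdict:24} {category:16} {uri}")
```

Run against a real message, the output lists exactly the algorithm choices a BSP compliance review or a JCE policy check would ask about; an empty result means every URI is in the supported set with no caveat.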

Encryption message parts for JAX-RPC only

  • WebSphere Application Server keywords

    • bodycontent, which is used to encrypt the SOAP body content
    • usernametoken, which is used to encrypt the username token
    • digestvalue, which is used to encrypt the digest value of the digital signature
    • signature, which is used to encrypt the entire digital signature
    • wscontextcontent, which encrypts the content in the WS-Context header for the SOAP header.

  • XPath expression to select the XML element in the SOAP message

    • XML elements
    • XML element contents

Encryption message parts for JAX-WS only

  • Body (which encrypts the SOAP message body content)
  • Header (which encrypts one or more SOAP headers within the main SOAP header, resulting in the EncryptedHeader element)
  • XPath expression to select an XML element in a SOAP message

    • See http://www.w3.org/TR/1999/REC-xpath-19991116.

Time stamp

  • Within Web Services Security header
  • WebSphere Application Server is extended to allow us to insert time stamps into other elements so that the age of those elements can be determined.

Error handling | SOAP faults

  • A new failure SOAP fault with a faultcode
  • The text "The message has expired" has been added


OASIS: Web Services Security UsernameToken Profile 1.0

The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification supported in WAS.

Supported topic | Specific aspect supported
Password types | Text
Token references | Direct reference


OASIS: Web Services Security UsernameToken Profile 1.1

The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.1 specification supported in WAS. Items that were previously supported for Web Services Security UsernameToken Profile 1.0 are not listed but are still supported, unless noted otherwise.

Supported topic | Specific aspect supported
Password types | Text
Token references | Direct reference


OASIS: Web Services Security X.509 Certificate Token Profile 1.0

The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification supported in WAS Versions 6 and later.

Supported topic | Specific aspect supported
Token types

  • X.509 Version 3: Single certificate

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

  • X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL)

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

  • X.509 Version 3: PKCS7 with or without CRLs.

Token references

  • Key identifier - subject key identifier
  • Direct reference
  • Custom reference - issuer name and serial number


OASIS: Web Services Security X.509 Certificate Token Profile 1.1

The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile 1.1 specification supported in WAS. Items that were previously supported for Web Services Security X.509 Certificate Token Profile 1.0 are not listed but are still supported, unless noted otherwise.

Supported topic | Specific aspect supported
Token types | X.509 Version 1: Single certificate
Token references | Key identifier - subject key identifier

  • Can only reference an X.509v3 certificate
  • Can specify the thumbprint of the specified certificate using the http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 attribute of the <wsse:KeyIdentifier> element.


OASIS: Web Services Security Kerberos Token Profile 1.1

The following table shows the aspects of the OASIS: Web Services Security Kerberos Token Profile 1.1 specification supported in WAS.

Supported topic | Specific aspect supported
Token types

  • GSS_API Kerberos v5 token

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

  • GSS_API Kerberos v5 token per RFC1510

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510

  • GSS_API Kerberos v5 token per RFC4120

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120

  • Kerberos v5 token

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ

  • Kerberos v5 token per RFC1510

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510

  • Kerberos v5 token per RFC4120

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120

Token references

  • Security token reference
  • Key identifier, which is used after the initial Kerberos v5 token is consumed
  • Derived key token based on the Kerberos key


OASIS: Web Services Security WS-Secure Conversation Draft and Version 1.3

The following table shows the aspects of the OASIS: WS-SecureConversation specification that are supported in WAS v6.1 Feature Pack for Web Services, and later. Support for Version 1.3 of the specification is provided in WAS v7.0 and later.

Supported topic | Specific aspect supported
Token types

  • Security Context Token draft version: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  • Security Context Token Version 1.3: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct

Token references | Direct reference
Security context establishment | Security context token created by a security token service that is embedded in WAS.
Renewing context | Automatic renewal of the token when it is about to expire.
Cancelling context | Explicit cancel request support.
Derived keys | The following information is used to derive keys from the shared secret of a security context:

  • /wsc:DerivedKeyToken/wsse:SecurityTokenReference
  • /wsc:DerivedKeyToken/wsc:Label
  • /wsc:DerivedKeyToken/wsc:Nonce
  • /wsc:DerivedKeyToken/wsc:Length

Error handling | SOAP faults, including:

  • wsc:BadContextToken
  • wsc:UnsupportedContextToken
  • wsc:RenewNeeded
  • wsc:UnableToRenew


OASIS: Web Services Security WS-Trust Version 1.0 Draft and Version 1.3

The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications supported in WAS v6.1 Feature Pack for Web Services, and later.

Supported topic | Specific aspect supported
Namespace | http://schemas.xmlsoap.org/ws/2005/02/trust
Request header | /wsa:Action

Valid options include:

  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate

Request elements and attributes | /wst:RequestSecurityToken

/wst:RequestSecurityToken/@Context

/wst:RequestSecurityToken/wst:RequestType

  • Valid options include:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
    • http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
    • http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
    • http://schemas.xmlsoap.org/ws/2005/02/trust/Validate

/wst:RequestSecurityToken/wst:TokenType

  • Valid options include:

    • http://schemas.xmlsoap.org/ws/2005/02/sc/sct

/wst:RequestSecurityToken/wsp:AppliesTo

/wst:RequestSecurityToken/wst:Entropy

/wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret

/wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type

  • Valid options include:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

/wst:RequestSecurityToken/wst:Lifetime

/wst:RequestSecurityToken/wst:Lifetime/wsu:Created

/wst:RequestSecurityToken/wst:Lifetime/wsu:Expires

/wst:RequestSecurityToken/wst:KeySize

/wst:RequestSecurityToken/wst:KeyType

  • Valid options include:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

/wst:RequestSecurityToken/wst:RenewTarget

/wst:RequestSecurityToken/wst:Renewing

/wst:RequestSecurityToken/wst:Renewing/@Allow

/wst:RequestSecurityToken/wst:Renewing/@OK

/wst:RequestSecurityToken/wst:CancelTarget

/wst:RequestSecurityToken/wst:ValidateTarget

/wst:RequestSecurityToken/wst:Issuer

Response header | /wsa:Action

Valid options include:

  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate

Response elements and attributes | /wst:RequestSecurityTokenResponse

/wst:RequestSecurityTokenResponse/@Context

/wst:RequestSecurityTokenResponse/wst:TokenType

/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken

/wst:RequestSecurityTokenResponse/wsp:AppliesTo

/wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference

/wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference

/wst:RequestSecurityTokenResponse/wst:RequestedProofToken

/wst:RequestSecurityTokenResponse/wst:Entropy

/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret

/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type

/wst:RequestSecurityTokenResponse/wst:Lifetime

/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created

/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires

/wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey

/wst:RequestSecurityTokenResponse/wst:KeySize

/wst:RequestSecurityTokenResponse/wst:Renewing

/wst:RequestSecurityTokenResponse/wst:Renewing/@Allow

/wst:RequestSecurityTokenResponse/wst:Renewing/@OK

/wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled

/wst:RequestSecurityTokenResponse/wst:Status

/wst:RequestSecurityTokenResponse/wst:Status/wst:Code

  • Valid responses include:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid
    • http://schemas.xmlsoap.org/ws/2005/02/trust/status/invalid

/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason

Error handling | wst:InvalidRequest

wst:FailedAuthentication

wst:RequestFailed

wst:InvalidSecurityToken

wst:AuthenticationBadElements

wst:BadRequest

wst:ExpiredData

wst:InvalidTimeRange

wst:InvalidScope

wst:RenewNeeded

wst:UnableToRenew

Supported topic | Specific aspect supported
Namespace | http://docs.oasis-open.org/ws-sx/ws-trust/200512
Request header | /wsa:Action

Valid options include:

  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate

Request elements and attributes

/wst:RequestSecurityToken

/wst:RequestSecurityToken/@Context

/wst:RequestSecurityToken/wst:RequestType

  • Valid options include:

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate

/wst:RequestSecurityToken/wst:TokenType

  • Valid options include:

    • http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct

/wst:RequestSecurityToken/wsp:AppliesTo

/wst:RequestSecurityToken/wst:Entropy

/wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret

/wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type

  • Valid options include:

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce

/wst:RequestSecurityToken/wst:Lifetime

/wst:RequestSecurityToken/wst:Lifetime/wsu:Created

/wst:RequestSecurityToken/wst:Lifetime/wsu:Expires

/wst:RequestSecurityToken/wst:KeySize

/wst:RequestSecurityToken/wst:KeyType

  • Valid options include:

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey

/wst:RequestSecurityToken/wst:RenewTarget

/wst:RequestSecurityToken/wst:Renewing

/wst:RequestSecurityToken/wst:Renewing/@Allow

/wst:RequestSecurityToken/wst:Renewing/@OK

/wst:RequestSecurityToken/wst:CancelTarget

/wst:RequestSecurityToken/wst:ValidateTarget

/wst:RequestSecurityToken/wst:Issuer

Response header | /wsa:Action

Valid options include:

  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/CancelFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/RenewFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/ValidateFinal

Response elements and attributes

/wst:RequestSecurityTokenResponse

/wst:RequestSecurityTokenResponse/@Context

/wst:RequestSecurityTokenResponse/wst:TokenType

/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken

/wst:RequestSecurityTokenResponse/wsp:AppliesTo

/wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference

/wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference

/wst:RequestSecurityTokenResponse/wst:RequestedProofToken

/wst:RequestSecurityTokenResponse/wst:Entropy

/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret

/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type

/wst:RequestSecurityTokenResponse/wst:Lifetime

/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created

/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires

/wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey

/wst:RequestSecurityTokenResponse/wst:KeySize

/wst:RequestSecurityTokenResponse/wst:Renewing

/wst:RequestSecurityTokenResponse/wst:Renewing/@Allow

/wst:RequestSecurityTokenResponse/wst:Renewing/@OK

/wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled

/wst:RequestSecurityTokenResponse/wst:Status

/wst:RequestSecurityTokenResponse/wst:Status/wst:Code

  • Valid responses include:

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/invalid

/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason

Error handling

wst:InvalidRequest

wst:FailedAuthentication

wst:RequestFailed

wst:InvalidSecurityToken

wst:AuthenticationBadElements

wst:BadRequest

wst:ExpiredData

wst:InvalidTimeRange

wst:InvalidScope

wst:RenewNeeded

wst:UnableToRenew
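The derivation behind the WS-SecureConversation derived keys listed earlier (SecurityTokenReference, Label, Nonce, Length, plus Offset, over the context's shared secret) and behind the wst:ComputedKey element in the WS-Trust tables above, as an added example that is not WebSphere's code. It assumes the P_SHA1 function named by the PSHA1 computed-key algorithm of WS-Trust 1.3 and the default Label and Length of WS-SecureConversation 1.3; the DerivedKeyToken and the secret are constructed.

```python
"""Key derivation behind /wsc:DerivedKeyToken (WS-SecureConversation) and wst:ComputedKey (WS-Trust).
Added example, not WebSphere code. Assumes the PSHA1 computed-key function of WS-Trust 1.3 and the
default Label and Length of WS-SecureConversation 1.3; SAMPLE_DKT is a constructed token."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Namespaces of the draft and Version 1.3 tokens listed in the WS-SecureConversation table.
WSC_NAMESPACES = (
    "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512",
)
DEFAULT_LABEL = "WS-SecureConversation"  # assumed default when wsc:Label is absent
DEFAULT_LENGTH = 32                       # bytes, assumed default when wsc:Length is absent


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1: A(i) = HMAC(secret, A(i-1)), output block i = HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def parse_derived_key_token(xml_text: str) -> dict:
    """Pull the derivation inputs (token reference, Label, Nonce, Length, Offset) out of a DerivedKeyToken."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0]
    if ns not in WSC_NAMESPACES or not root.tag.endswith("}DerivedKeyToken"):
        raise ValueError("not a WS-SecureConversation DerivedKeyToken")

    def text(name: str):
        el = root.find(f"{{{ns}}}{name}")
        return None if el is None or el.text is None else el.text.strip()

    ref = root.find(f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    nonce = text("Nonce")
    if nonce is None:
        raise ValueError("DerivedKeyToken without wsc:Nonce cannot be derived")
    return {
        "context": None if ref is None else ref.get("URI"),  # which security context the key comes from
        "label": text("Label") or DEFAULT_LABEL,
        "nonce": nonce,
        "length": int(text("Length") or DEFAULT_LENGTH),
        "offset": int(text("Offset") or 0),
    }


def derive_key(shared_secret: bytes, token: dict) -> bytes:
    """Derived key = P_SHA1(secret, label + nonce) sliced at [Offset, Offset + Length)."""
    seed = token["label"].encode("utf-8") + base64.b64decode(token["nonce"])
    stream = p_sha1(shared_secret, seed, token["offset"] + token["length"])
    return stream[token["offset"]:token["offset"] + token["length"]]


def computed_key(entropy_req: bytes, entropy_res: bytes, key_size_bits: int) -> bytes:
    """wst:ComputedKey with the PSHA1 algorithm: P_SHA1(EntropyREQ, EntropyRES) cut to KeySize/8 bytes."""
    return p_sha1(entropy_req, entropy_res, key_size_bits // 8)


# Constructed Version 1.3 token; the nonce is base64 of bytes 0x00..0x0f.
SAMPLE_DKT = """<wsc:DerivedKeyToken wsu:Id="dk-1"
    xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:SecurityTokenReference><wsse:Reference URI="#sct-1"/></wsse:SecurityTokenReference>
  <wsc:Offset>0</wsc:Offset>
  <wsc:Length>16</wsc:Length>
  <wsc:Nonce>AAECAwQFBgcICQoLDA0ODw==</wsc:Nonce>
</wsc:DerivedKeyToken>"""

if __name__ == "__main__":
    token = parse_derived_key_token(SAMPLE_DKT)
    print(token, derive_key(b"constructed-sct-secret", token).hex())
```

Because both sides recompute the key from the same Label, Nonce, Offset and Length, a receiver that logs a wsc:BadContextToken or a decryption failure on a derived key should compare exactly these token fields, and the context referenced by the SecurityTokenReference, with what the sender used.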


Functionality that is not supported by WAS

The following shows functionality that is defined in the OASIS specifications, OASIS drafts, and other recommendations but is not supported by WAS v6 and later:


Unsupported function for WS-Trust Version 1.0 Draft and Version 1.3

The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications that are not supported in WAS v6.1 Feature Pack for Web Services, and later.

Unsupported topic | Specific aspect that is not supported
Elements and attributes

  • /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type with either of these values:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/AsymmetricKey
    • http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

  • /wst:RequestSecurityToken/wst:Claims
  • /wst:RequestSecurityToken/wst:AllowPostdating
  • /wst:RequestSecurityToken/wst:OnBehalfOf
  • /wst:RequestSecurityToken/wst:AuthenticationType
  • /wst:RequestSecurityToken/wst:KeyType with this value:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

  • /wst:RequestSecurityToken/wst:SignatureAlgorithm
  • /wst:RequestSecurityToken/wst:EncryptionAlgorithm
  • /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
  • /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
  • /wst:RequestSecurityToken/wst:Encryption
  • /wst:RequestSecurityToken/wst:ProofEncryption
  • /wst:RequestSecurityToken/wst:UseKey
  • /wst:RequestSecurityToken/wst:UseKey/@Sig
  • /wst:RequestSecurityToken/wst:SignWith
  • /wst:RequestSecurityToken/wst:EncryptWith
  • /wst:RequestSecurityToken/wst:DelegateTo
  • /wst:RequestSecurityToken/wst:Forwardable
  • /wst:RequestSecurityToken/wst:Delegatable
  • /wst:RequestSecurityToken/wsp:Policy
  • /wst:RequestSecurityToken/wsp:PolicyReference

Response elements and attributes

/wst:RequestSecurityTokenResponseCollection

/wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse

Unsupported topic | Specific aspect that is not supported
Elements and attributes

  • /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type with either of these values:

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey

  • /wst:RequestSecurityToken/wst:Claims
  • /wst:RequestSecurityToken/wst:AllowPostdating
  • /wst:RequestSecurityToken/wst:OnBehalfOf
  • /wst:RequestSecurityToken/wst:AuthenticationType
  • /wst:RequestSecurityToken/wst:KeyType with either of these values:

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer

  • /wst:RequestSecurityToken/wst:SignatureAlgorithm
  • /wst:RequestSecurityToken/wst:EncryptionAlgorithm
  • /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
  • /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
  • /wst:RequestSecurityToken/wst:Encryption
  • /wst:RequestSecurityToken/wst:ProofEncryption
  • /wst:RequestSecurityToken/wst:UseKey
  • /wst:RequestSecurityToken/wst:UseKey/@Sig
  • /wst:RequestSecurityToken/wst:SignWith
  • /wst:RequestSecurityToken/wst:EncryptWith
  • /wst:RequestSecurityToken/wst:DelegateTo
  • /wst:RequestSecurityToken/wst:Forwardable
  • /wst:RequestSecurityToken/wst:Delegatable
  • /wst:RequestSecurityToken/wsp:Policy
  • /wst:RequestSecurityToken/wsp:PolicyReference

Response header

/wsa:Action

Unsupported Responses:

  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Validate


Related:

  • WS-MetadataExchange requests
  • Encrypted SOAP headers
  • Signature confirmation
  • Basic Security Profile compliance tips
  • Enable MTOM for JAX-WS web services
  • Encryption information configuration settings: Message parts