Token type settings
Use the administrative console to define the details about the token types. This panel is displayed differently for each different token type. Policies can be defined that specify which types of security tokens are supported as well as properties for the token type.
To view token types for a policy set:
- Click Services > Policy sets > Application policy sets > policy_set_name.
- Click the WS-Security policy in the Policies table.
- Click the Main policy link or the Bootstrap policy link.
- Click one of the following:
  - Request token policies from the Policy detail section.
  - Response token policies from the Policy detail section.
  - Symmetric signature and encryption policies from the Key symmetry section.
  - Asymmetric signature and encryption policies from the Key symmetry section.
- For a Request token policy or a Response token policy, click a token in the Supported Token Types table, or click the Add Token Type button to select the type of token to add.
- For a symmetric signature and encryption policy or an asymmetric signature and encryption policy, click Edit Selected Type Policy.
This panel is displayed for each token type we are configuring or adding. Some fields appear only for certain token types. This help topic lists all of the fields for every token type and states, for each field, which token type it applies to.
Custom token name
For a custom token, specify the name of the token being configured. Enter or edit the name for the custom token in this entry field.
Local name
For a custom token, specify the local name.
If the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile v1.1, use one of the values in the following table for the local name. The value we choose depends on the specification level of the Kerberos token generated by the Key Distribution Center (KDC). The table lists the values and the specification level associated with each value. For purposes of interoperability, the Basic Security Profile V1.1 standard requires the use of the local name, http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.
| Local name value for Kerberos token | Associated specification level |
|---|---|
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ | Kerberos V5 AP-REQ as defined in the Kerberos specification. This value is used when the Kerberos ticket is an AP Request. |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ | GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC-1964 [1964], Sec. 1.1 and its successor RFC-4121, Sec. 4.1. This value is used when the Kerberos ticket is an AP Request (ST + Authenticator). |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510 | Kerberos V5 AP-REQ as defined in RFC1510. This value is used when the Kerberos ticket is an AP Request per RFC1510. |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510 | GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC-1964, Sec. 1.1 and its successor RFC-4121, Sec. 4.1. This value is used when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC1510. |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120 | Kerberos V5 AP-REQ as defined in RFC4120. This value is used when the Kerberos ticket is an AP Request per RFC4120. |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120 | GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC-1964, Sec. 1.1 and its successor RFC-4121, Sec. 4.1. This value is used when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC4120. |
URI
For a custom token, specify the uniform resource identifier (URI).
Leave this field empty if the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile v1.1.
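The local name chosen above ends up on the wire as the ValueType attribute of the wsse:BinarySecurityToken that carries the Kerberos ticket, so a receiver can check that an incoming token actually matches the configured type before handing it to the Kerberos layer. The following added example (not part of this help topic or of the product) does that check in Python: it locates the BinarySecurityToken in a SOAP Security header, compares its ValueType against the configured local name, verifies the Base64 encoding, and then confirms that the decoded bytes are framed the way that local name promises, that is, RFC 1964 GSS-API InitialContextToken framing (tag 0x60, Kerberos V5 mechanism OID, TOK_ID 0x01 0x00) for the GSS_ values and a bare ASN.1 AP-REQ (tag [APPLICATION 14], 0x6e) for the others. The SOAP envelope and the token bytes are constructed placeholders, not captured traffic or a real ticket; `check_kerberos_bst` and `build_sample_envelope` are names chosen here.

```python
import base64
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
BASE64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
KRB_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#"

# Local names from the table in this topic, split by the framing each one promises.
GSS_FRAMED = {KRB_PROFILE + n for n in ("GSS_Kerberosv5_AP_REQ", "GSS_Kerberosv5_AP_REQ1510", "GSS_Kerberosv5_AP_REQ4120")}
RAW_AP_REQ = {KRB_PROFILE + n for n in ("Kerberosv5_AP_REQ", "Kerberosv5_AP_REQ1510", "Kerberosv5_AP_REQ4120")}
BSP11_INTEROP = KRB_PROFILE + "GSS_Kerberosv5_AP_REQ"  # the value Basic Security Profile 1.1 requires

KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")  # DER of OID 1.2.840.113554.1.2.2 (Kerberos V5)
AP_REQ_TOK_ID = b"\x01\x00"  # RFC 1964 / RFC 4121 TOK_ID for KRB_AP_REQ


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, index of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_len_bytes(n):
    """Encode a DER length (used only to build the constructed sample token)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def check_kerberos_bst(envelope_xml, configured_local_name):
    """Return (ok, reason) for the single Kerberos BinarySecurityToken in a SOAP envelope."""
    root = ET.fromstring(envelope_xml)
    bsts = root.findall(f".//{{{WSSE_NS}}}Security/{{{WSSE_NS}}}BinarySecurityToken")
    if len(bsts) != 1:
        return False, f"expected exactly one BinarySecurityToken, found {len(bsts)}"
    bst = bsts[0]
    value_type = bst.get("ValueType")
    if value_type != configured_local_name:
        return False, f"ValueType {value_type!r} does not match the configured local name"
    if bst.get("EncodingType") != BASE64_ENCODING:
        return False, "EncodingType is not Base64Binary"
    try:
        blob = base64.b64decode((bst.text or "").strip(), validate=True)
    except ValueError:
        return False, "token content is not valid Base64"
    if value_type in GSS_FRAMED:
        # RFC 1964 Sec. 1.1: InitialContextToken is [APPLICATION 0] (0x60), DER length, mech OID, TOK_ID, then KRB_AP_REQ.
        if blob[:1] != b"\x60":
            return False, "GSS token must start with [APPLICATION 0] tag 0x60"
        try:
            length, start = _der_length(blob, 1)
        except (IndexError, ValueError):
            return False, "malformed GSS token length"
        if start + length != len(blob):
            return False, "GSS token length does not match token size"
        if not blob[start:].startswith(KRB5_MECH_OID_DER + AP_REQ_TOK_ID):
            return False, "GSS token is not a Kerberos V5 KRB_AP_REQ"
    elif value_type in RAW_AP_REQ:
        # A bare AP-REQ is [APPLICATION 14] SEQUENCE, i.e. DER tag 0x6e.
        if blob[:1] != b"\x6e":
            return False, "bare AP-REQ must start with [APPLICATION 14] tag 0x6e"
    else:
        return False, "ValueType is not a Kerberos Token Profile 1.1 local name"
    return True, "ok"


def build_sample_envelope(token_bytes, value_type):
    """Constructed sample SOAP envelope (not captured traffic) carrying one BinarySecurityToken."""
    b64 = base64.b64encode(token_bytes).decode()
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f'<wsse:BinarySecurityToken wsu:Id="KerberosToken" EncodingType="{BASE64_ENCODING}" '
        f'ValueType="{value_type}">{b64}</wsse:BinarySecurityToken>'
        "</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
    )


# Constructed placeholder AP-REQ shell: the [APPLICATION 14] tag around a dummy body; NOT a real Kerberos ticket.
SAMPLE_AP_REQ = b"\x6e\x04\x30\x02\x05\x00"
_inner = KRB5_MECH_OID_DER + AP_REQ_TOK_ID + SAMPLE_AP_REQ
SAMPLE_GSS_TOKEN = b"\x60" + _der_len_bytes(len(_inner)) + _inner  # same shell wrapped in GSS-API framing

if __name__ == "__main__":
    print(check_kerberos_bst(build_sample_envelope(SAMPLE_GSS_TOKEN, BSP11_INTEROP), BSP11_INTEROP))
    print(check_kerberos_bst(build_sample_envelope(SAMPLE_GSS_TOKEN, KRB_PROFILE + "Kerberosv5_AP_REQ"),
                             KRB_PROFILE + "Kerberosv5_AP_REQ"))
```

The framing check matters because the GSS_ and non-GSS local names in the table differ only in whether the ticket is wrapped in the RFC 1964 InitialContextToken header; a token labelled with one local name but framed for the other will fail in the Kerberos layer with an opaque error, and checking it at the policy boundary gives a precise reason instead.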
LTPA token name
For an LTPA token, specify the name of the token being configured. Enter or edit the name for the LTPA token in this entry field.
Propagate the JAAS subject
For an LTPA token, specify whether the associated JAAS subject is propagated. Select this check box to propagate the JAAS subject. The check box is not selected by default, so the JAAS subject is not propagated unless we select it.
Username token name
Specify the name of the token being configured. Enter or edit the name for the username token in this entry field.
WS-Security version
For a Username token, specify the version of Web Services Security, the WS-Security specification, used to secure the message transmission.
The following versions are available:
- WS-Security V1.0
- WS-Security V1.1
X.509 token name
For an X.509 token, specify the name of the token being configured. Enter or edit the name for the X.509 token in this entry field.
WS-Security version
For an X.509 token, specify the version of Web Services Security used to secure the message transmission.
The following versions are available:
- WS-Security V1.0
- WS-Security V1.1
X.509 type
For an X.509 token, specify the type of X.509 token being configured.
The following types are available for the X.509 token:
- X.509 Version 1. This option is available with WS-Security Version 1.1 only.
- X.509 Version 3
- X.509 PKCS7
- PKI Path Version 1
Secure conversation token
The secure conversation token is available only when using symmetric signature and encryption policies.
Require reference to secure context token issuer
For a secure conversation token, select this option to specify a reference to the issuer of the security context token.
After selecting the Require reference to secure context token issuer option, specify the URI of the security context token issuer.
Related topics:
- Configure the WS-Security policy
- Manage policy sets
- Request or Response token policies collection
- Asymmetric signature and encryption policies settings
- Symmetric signature and encryption policies settings
- Application policy sets collection
- Application policy set settings