UsernameToken authentication and X509Token symmetric for message protection

A UsernameToken with clear text password is used for authentication. The UsernameToken in the request and the SOAP body in the request and response are signed and encrypted with X509Token symmetric message protection. There is also a message Timestamp.

With X509Token symmetric protection, an ephemeral key is created to sign and encrypt the message. The ephemeral key is encrypted using the receiver's public certificate.

In this sample, the token reference is using a RequireThumbprintReference. You can change the policy to use a RequireIssuerSerialReference or RequireKeyIdentifierReference. You can also modify this policy to use derived keys from an ephemeral key to secure the message exchange by adding an <sp:RequireDerivedKeys /> assertion.

This policy template is best used if the client can use only a UsernameToken to authenticate itself, and if the message exchange must be signed and encrypted.

The following policy shows a UsernameToken authentication and X509Token symmetric for message protection:
<wsp:Policy wsu:Id="X509SymmetricForMessageAndUntForClient">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SignedEncryptedSupportingTokens
        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken
            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10 />
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedEncryptedSupportingTokens>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token
                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireThumbprintReference />
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
          <sp:EncryptSignature />
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
          <sp:MustSupportRefThumbprint />
          <sp:MustSupportRefEncryptedKey />
          <sp:RequireSignatureConfirmation />
        </wsp:Policy>
      </sp:Wss11>
      <sp:SignedParts>
        <sp:Body />
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
The namespaces used in this example are:
  • xmlns:wsp="http://www.w3.org/ns/ws-policy"
  • xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  • xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

Icon that indicates the type of topic Concept topic

File name: cwlp_wssec_templates_scenario6.html