LTPA and LTPA Version 2 tokens

Web services security supports both LTPA (Version 1) and LTPA Version 2 (LTPA2) tokens. The LTPA2 token, which is more secure than Version 1, is supported in WebSphere® Application Server Version 7.0 by the JAX-WS runtime only.

Avoid trouble: The support statements in this topic apply to the web services security implementation for WebSphere Application Server and not to the security implementation for non-web services functionality.

The Lightweight Third Party Authentication (LTPA) token is a specific type of binary security token. The web services security implementation for WebSphere Application Server, Version 5 and later, supports the LTPA Version 1 token. WebSphere Application Server Version 7 added JAX-WS runtime support for the LTPA Version 2 token.

Although the same LTPAToken assertion is used in the policy for both LTPA Version 1 and LTPA Version 2, the valuetype value for the Version 2 token is different from that of Version 1. The valuetype value is composed of the URI and the local name. The following table shows the valuetype values for the LTPA token versions when they are selected as the token type for the policy set bindings. These values are not editable.

Table 1. LTPA token versions and their valuetype values. This table lists the valuetype values for both LTPA (Version 1) and LTPA2 tokens.

| LTPA token version | Valuetype value |
|---|---|
| LTPA (Version 1) | http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA |
| LTPA2 | http://www.ibm.com/websphere/appserver/tokentype/LTPAv2 |

To allow for interoperability between servers that are running different versions of WebSphere Application Server, by default the JAX-WS web services security runtime in Version 7.0 can successfully consume an LTPA Version 1 token when the binding is configured to expect an LTPA2 token. However, you can configure the binding for the JAX-WS runtime to accept only LTPA2 tokens. For more information, see the documentation about Authentication generator or consumer token settings.

If the web services security run time receives a token with an unrecognized valuetype value and the SOAP security header contains a mustUnderstand attribute value that is equal to '1', the web services security run time issues a SOAPFaultException error. If the mustUnderstand attribute value is equal to '0', the token is ignored.

If an LTPA2 token is sent with a mustUnderstand attribute value that is equal to '1' to a web services security run time in which the LTPA2 token is not supported, the run time does not recognize the LTPAv2 valuetype value. Thus, the receiving run time issues a SOAPFaultException error. The following table illustrates these different configurations and their potential error messages.

Table 2. LTPA token configurations. This table lists whether the LTPA Version 1 token is optional or required, lists the associated mustUnderstand attribute value, lists its run time, and provides the resulting SOAPFaultException error, if applicable.

| Run time | LTPA Version 1 token status | mustUnderstand attribute value | SOAPFaultException error |
|---|---|---|---|
| JAX-RPC | Required | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required. |
| JAX-RPC | Required | 0 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required. |
| JAX-RPC | Optional | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5502E: Unexpected element as the target element: s:BinarySecurityToken. |
| JAX-RPC | Optional | 0 | None |
| JAX-RPC | Not Configured | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5502E: Unexpected element as the target element: s:BinarySecurityToken. |
| JAX-RPC | Not Configured | 0 | None |
| JAX-WS (Version 6.1 Feature Pack for Web Services) | Not Configured | 1 | CWWSS5502E: The target element: s:BinarySecurityToken was not expected. |
| JAX-WS (Version 6.1 Feature Pack for Web Services) | Not Configured | 0 | None |
| JAX-WS (Version 6.1 Feature Pack for Web Services) | Configured | 1 | CWWSS5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required. |
| JAX-WS (Version 6.1 Feature Pack for Web Services) | Configured | 0 | CWWSS5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required. |
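The consumer-side rules described above (the LTPA2 binding consuming a Version 1 token by default, the optional "accept only LTPA2" configuration, and the mustUnderstand-dependent handling of an unrecognized valuetype) can be re-enacted in a small model. The following Python block is an added illustration written for this page; it is not WebSphere Application Server code, and the fault messages, the `build_envelope` sample-message helper, the `recognized`, `required` and `ltpa2_accepts_v1` parameters, and the sample token bytes are constructed for the example. Only the two ValueType URIs are taken from Table 1.

```python
# Illustrative model of the LTPA token-consumption rules in this topic.
# Not WebSphere code: parameter names, helper functions and fault texts are
# constructed for the example. The ValueType URIs are the ones from Table 1.
import xml.etree.ElementTree as ET

LTPA_V1 = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA"
LTPA_V2 = "http://www.ibm.com/websphere/appserver/tokentype/LTPAv2"

# Standard SOAP 1.1 and WS-Security 1.0 namespaces.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
B64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


class SOAPFaultException(Exception):
    """Stands in for the SOAPFaultException the runtime issues (message text constructed)."""


def build_envelope(value_type, must_understand, token_b64="c2FtcGxlLXRva2Vu"):
    """Construct a minimal SOAP 1.1 envelope carrying one BinarySecurityToken.

    The token content is a constructed placeholder, not a real LTPA token.
    """
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" soapenv:mustUnderstand="{must_understand}">'
        f'<wsse:BinarySecurityToken ValueType="{value_type}" EncodingType="{B64_ENCODING}">'
        f'{token_b64}</wsse:BinarySecurityToken>'
        f'</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
    )


def consume_ltpa_token(envelope_xml, expected, recognized=frozenset({LTPA_V1, LTPA_V2}),
                       required=True, ltpa2_accepts_v1=True):
    """Apply the topic's rules to one envelope and return the accepted ValueType.

    expected          ValueType the binding is configured for (LTPA_V1 or LTPA_V2).
    recognized        ValueTypes this runtime knows at all; a runtime without LTPA2
                      support would pass frozenset({LTPA_V1}).
    required          whether the binding requires the token (Table 2 "Required").
    ltpa2_accepts_v1  the default interoperability behaviour: a binding expecting
                      LTPA2 also consumes a Version 1 token. False models the
                      "accept only LTPA2 tokens" configuration.
    Returns None when the token is ignored and nothing is required; raises
    SOAPFaultException where the topic says a SOAPFaultException is issued.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if security is None:
        if required:
            raise SOAPFaultException(f"a security token of type {expected} is required")
        return None
    # SOAP 1.1: soap:mustUnderstand on the header block, "0" when absent.
    must_understand = security.get(f"{{{SOAP_NS}}}mustUnderstand", "0")

    for token in security.findall(f"{{{WSSE_NS}}}BinarySecurityToken"):
        value_type = token.get("ValueType")
        if value_type not in recognized:
            # Unrecognized valuetype: fault when the header must be understood,
            # otherwise the token is simply ignored.
            if must_understand == "1":
                raise SOAPFaultException(f"unexpected BinarySecurityToken of type {value_type}")
            continue
        if value_type == expected:
            return value_type
        if expected == LTPA_V2 and value_type == LTPA_V1 and ltpa2_accepts_v1:
            return value_type  # default interoperability: LTPA2 binding consumes Version 1
        raise SOAPFaultException(f"a security token of type {expected} is required")

    if required:
        raise SOAPFaultException(f"a security token of type {expected} is required")
    return None


def raises_fault(*args, **kwargs):
    """True if consume_ltpa_token raises SOAPFaultException for these arguments."""
    try:
        consume_ltpa_token(*args, **kwargs)
    except SOAPFaultException:
        return True
    return False
```

Passing `recognized=frozenset({LTPA_V1})` reproduces the Table 2 rows for a run time without LTPA2 support: an LTPAv2 token with mustUnderstand '1' faults whether or not the Version 1 token is required, with mustUnderstand '0' it is ignored, and the call then faults only when a Version 1 token was required. Passing `ltpa2_accepts_v1=False` models the binding configured to accept only LTPA2 tokens.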

You can configure the JAX-WS run time in Version 7 to generate either LTPA (Version 1) or LTPA2 tokens. If you generate an LTPA (Version 1) token in the token generator within a policy binding, you must enable the single sign-on interoperability mode, which is available on the Single sign-on (SSO) panel within the administrative console. For more information on this option, see the documentation about single sign-on settings. If you do not enable the interoperability mode, an error occurs when the application that is attached to these bindings is started. To generate an LTPA (Version 1) token regardless of the state of the interoperability mode, set the com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7 custom property to true for the LTPA token generator. For more information, see the documentation about enabling or disabling single sign-on interoperability mode for the LTPA token.


Last updated: Oct 20, 2010 9:57:58 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-base-dist&topic=cwbs_ltpatokens
File name: cwbs_ltpatokens.html