The application server supports the Organization for the Advancement of Structured Information (OASIS) Web Services Security (WS-Security) specifications.
WS-SecurityPolicy support is only available for Web Services Metadata Exchange (WS-MetadataExchange) scenarios where the assertions are embedded in the WSDL file. For more information, read the WS-MetadataExchange requests topic.
The following table shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 and 1.1 specifications that are supported in WebSphere Application Server Versions 6 and later.
Supported topic | Specific aspect that is supported |
---|---|
Security header |
|
Security tokens |
|
Token references |
|
Signature | Signature confirmation |
Signature algorithms |
|
Signature signed parts for JAX-RPC only |
|
Signature message parts for JAX-WS only |
|
Encryption | EncryptedHeader element |
Encryption algorithms | Important: Your country of origin
might have restrictions on the import, possession, use, or re-export
to another country, of encryption software. Before downloading or
using the unrestricted policy files, you must check the laws of your
country, its regulations, and its policies concerning the import,
possession, use, and re-export of encryption software, to determine
if it is permitted.
Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES (data encryption standard). Therefore, it is recommended that you use AES, if possible, for symmetric key encryption. |
Encryption message parts for JAX-RPC only |
|
Encryption message parts for JAX-WS only |
|
Time stamp |
|
Error handling | SOAP faults
|
The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that is supported in WebSphere Application Server.
Supported topic | Specific aspect that is supported |
---|---|
Password types | Text |
Token references | Direct reference |
The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.1 specification that is supported in WebSphere Application Server. Items that were previously supported for Web Services Security UsernameToken Profile 1.0 are not listed but are still supported, unless noted otherwise.
Supported topic | Specific aspect that is supported |
---|---|
Password types | Text |
Token references | Direct reference |
The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that are supported in WebSphere Application Server Versions 6 and later.
Supported topic | Specific aspect that is supported |
---|---|
Token types |
|
Token references |
|
The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile 1.1 specification that are supported in WebSphere Application Server. Items that were previously supported for Web Services Security X.509 Certificate Token Profile 1.0 are not listed but are still supported, unless noted otherwise.
Supported topic | Specific aspect that is supported |
---|---|
Token types | X.509 Version 1: Single certificate |
Token references | Key identifier – subject key identifier
|
The following table shows the aspects of the OASIS: Web Services Security Kerberos Token Profile 1.1 specification that are supported in WebSphere Application Server.
Supported topic | Specific aspect that is supported |
---|---|
Token types |
|
Token references |
|
The following table shows the aspects of the OASIS: WS-SecureConversation specification that are supported in WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later. Support for Version 1.3 of the specification is provided in WebSphere Application Server Version 7.0 and later.
Supported topic | Specific aspect that is supported |
---|---|
Token types |
|
Token references | Direct reference |
Security context establishment | Security context token created by a security token service that is embedded in the WebSphere Application Server. |
Renewing context | Automatic renewal of the token when its about to expire. |
Cancelling context | Explicit cancel request support. |
Derived keys | The following information is used to derive
the keys using a shared secret from a security context:
|
Error handling | SOAP faults, including:
|
The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications that are supported in WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later.
Supported topic | Specific aspect that is supported |
---|---|
Namespace | http://schemas.xmlsoap.org/ws/2005/02/trust |
Request header | /wsa:Action Valid options include:
|
Request elements and attributes | /wst:RequestSecurityToken /wst:RequestSecurityToken/@Context /wst:RequestSecurityToken/wst:RequestType
/wst:RequestSecurityToken/wst:TokenType
|
Response header | /wsa:Action Valid options include:
|
Response elements and attributes | /wst:RequestSecurityTokenResponse /wst:RequestSecurityTokenResponse/@Context /wst:RequestSecurityTokenResponse/wst:TokenType /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wsp:AppliesTo /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference /wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference /wst:RequestSecurityTokenResponse/wst:RequestedProofToken /wst:RequestSecurityTokenResponse/wst:Entropy /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type /wst:RequestSecurityTokenResponse/wst:Lifetime /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires /wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey /wst:RequestSecurityTokenResponse/wst:KeySize /wst:RequestSecurityTokenResponse/wst:Renewing /wst:RequestSecurityTokenResponse/wst:Renewing/@Allow /wst:RequestSecurityTokenResponse/wst:Renewing/@OK /wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled /wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status
/wst:RequestSecurityTokenResponse/wst:Status/wst:Code
/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason |
Error handling | wst:InvalidRequest wst:FailedAuthentication wst:RequestFailed wst:InvalidSecurityToken wst:AuthenticationBadElements wst:BadRequest wst:ExpiredData wst:InvalidTimeRange wst:InvalidScope wst:RenewNeeded wst:UnableToRenew |
Supported topic | Specific aspect that is supported |
---|---|
Namespace | http://docs.oasis-open.org/ws-sx/ws-trust/200512 |
Request header | /wsa:Action Valid options include:
|
Request elements and attributes | /wst:RequestSecurityToken /wst:RequestSecurityToken/@Context /wst:RequestSecurityToken/wst:RequestType
/wst:RequestSecurityToken/wst:TokenType
|
Response header | /wsa:Action Valid options include:
|
Response elements and attributes | /wst:RequestSecurityTokenResponse /wst:RequestSecurityTokenResponse/@Context /wst:RequestSecurityTokenResponse/wst:TokenType /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wsp:AppliesTo /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference /wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference /wst:RequestSecurityTokenResponse/wst:RequestedProofToken /wst:RequestSecurityTokenResponse/wst:Entropy /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type /wst:RequestSecurityTokenResponse/wst:Lifetime /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires /wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey /wst:RequestSecurityTokenResponse/wst:KeySize /wst:RequestSecurityTokenResponse/wst:Renewing /wst:RequestSecurityTokenResponse/wst:Renewing/@Allow /wst:RequestSecurityTokenResponse/wst:Renewing/@OK /wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled /wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status/wst:Code
/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason |
Error handling | wst:InvalidRequest wst:FailedAuthentication wst:RequestFailed wst:InvalidSecurityToken wst:AuthenticationBadElements wst:BadRequest wst:ExpiredData wst:InvalidTimeRange wst:InvalidScope wst:RenewNeeded wst:UnableToRenew |
See SOAP Version 1.2 Message Normalization for information, such as an empty header or header entry with mustUnderstand=false is removed, and so forth.
The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications that are not supported in WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later.
Unsupported topic | Specific aspect that is not supported |
---|---|
Elements and attributes | /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type Unsupported
request options:
|
Response elements and attributes | /wst:RequestSecurityTokenResponseCollection /wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse |
Unsupported topic | Specific aspect that is not supported |
---|---|
Elements and attributes | /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type Unsupported
request options:
|
Response header | /wsa:Action Unsupported Responses:
|