Supported functionality from OASIS specifications
The application server supports the Organization for the Advancement of Structured Information (OASIS) Web Services Security (WS-Security) specifications.
- OASIS: Web Services Security: SOAP Message Security 1.1 (WS-Security 2004) OASIS Standard Specification, 1 February 2006
- OASIS: Web Services Security UsernameToken Profile 1.1 (Standard Specification, 1 February 2006)
- OASIS: Web Services Security X.509 Certificate Token Profile 1.1 (Standard Specification, 1 February 2006)
WS-SecurityPolicy support is only available for Web Services Metadata Exchange (WS-MetadataExchange) scenarios where the assertions are embedded in the WSDL file. For more information, read the WS-MetadataExchange requests topic.
OASIS: Web Services Security SOAP Message Security 1.0 and 1.1
The following table shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 and 1.1 specifications that are supported in WebSphere Application Server Versions 6 and later.
Supported topic | Specific aspect that is supported |
---|---|
Security header | |
Security tokens | |
Token references | |
Signature | Signature confirmation |
Signature algorithms | |
Signature signed parts for JAX-RPC only | |
Signature message parts for JAX-WS only | |
Encryption | EncryptedHeader element |
Encryption algorithms | Important: Your country or region of residence may restrict the import, possession, use, or re-export to another country or region of encryption software. Before downloading or using the unrestricted policy files, check the laws, regulations, and policies of your country or region concerning the import, possession, use, and re-export of encryption software to determine whether this is permitted. Advanced Encryption Standard (AES) is designed to provide stronger security and better performance for symmetric key encryption than Triple-DES (Triple Data Encryption Standard). Therefore, it is recommended that you use AES, if possible, for symmetric key encryption. |
Encryption message parts for JAX-RPC only | |
Encryption message parts for JAX-WS only | |
Time stamp | |
Error handling | SOAP faults |
OASIS: Web Services Security UsernameToken Profile 1.0
The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that is supported in WebSphere Application Server.
Supported topic | Specific aspect that is supported |
---|---|
Password types | Text |
Token references | Direct reference |
OASIS: Web Services Security UsernameToken Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.1 specification that is supported in WebSphere Application Server. Items that were previously supported for Web Services Security UsernameToken Profile 1.0 are not listed but are still supported, unless noted otherwise.
Supported topic | Specific aspect that is supported |
---|---|
Password types | Text |
Token references | Direct reference |
OASIS: Web Services Security X.509 Certificate Token Profile 1.0
The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that are supported in WebSphere Application Server Versions 6 and later.
Supported topic | Specific aspect that is supported |
---|---|
Token types | |
Token references | |
OASIS: Web Services Security X.509 Certificate Token Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile 1.1 specification that are supported in WebSphere Application Server. Items that were previously supported for Web Services Security X.509 Certificate Token Profile 1.0 are not listed but are still supported, unless noted otherwise.
Supported topic | Specific aspect that is supported |
---|---|
Token types | X.509 Version 1: Single certificate |
Token references | Key identifier: subject key identifier |
OASIS: Web Services Security Kerberos Token Profile 1.1
The following table shows the aspects of the OASIS: Web Services Security Kerberos Token Profile 1.1 specification that are supported in WebSphere Application Server.
Supported topic | Specific aspect that is supported |
---|---|
Token types | |
Token references | |
OASIS: Web Services Security WS-Secure Conversation Draft and Version 1.3
The following table shows the aspects of the OASIS: WS-SecureConversation specification that are supported in WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later. Support for Version 1.3 of the specification is provided in WebSphere Application Server Version 7.0 and later.
Supported topic | Specific aspect that is supported |
---|---|
Token types | |
Token references | Direct reference |
Security context establishment | Security context token created by a security token service that is embedded in WebSphere Application Server. |
Renewing context | Automatic renewal of the token when it is about to expire. |
Cancelling context | Explicit cancel request support. |
Derived keys | The following information is used to derive the keys using a shared secret from a security context: |
Error handling | SOAP faults, including: |
OASIS: Web Services Security WS-Trust Version 1.0 Draft and Version 1.3
The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications that are supported in WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later.
Supported topic | Specific aspect that is supported |
---|---|
Namespace | http://schemas.xmlsoap.org/ws/2005/02/trust |
Request header | /wsa:Action Valid options include: |
Request elements and attributes | /wst:RequestSecurityToken /wst:RequestSecurityToken/@Context /wst:RequestSecurityToken/wst:RequestType /wst:RequestSecurityToken/wst:TokenType |
Response header | /wsa:Action Valid options include: |
Response elements and attributes | /wst:RequestSecurityTokenResponse /wst:RequestSecurityTokenResponse/@Context /wst:RequestSecurityTokenResponse/wst:TokenType /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wsp:AppliesTo /wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference /wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference /wst:RequestSecurityTokenResponse/wst:RequestedProofToken /wst:RequestSecurityTokenResponse/wst:Entropy /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type /wst:RequestSecurityTokenResponse/wst:Lifetime /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires /wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey /wst:RequestSecurityTokenResponse/wst:KeySize /wst:RequestSecurityTokenResponse/wst:Renewing /wst:RequestSecurityTokenResponse/wst:Renewing/@Allow /wst:RequestSecurityTokenResponse/wst:Renewing/@OK /wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled /wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status/wst:Code /wst:RequestSecurityTokenResponse/wst:Status/wst:Reason |
Error handling | wst:InvalidRequest wst:FailedAuthentication wst:RequestFailed wst:InvalidSecurityToken wst:AuthenticationBadElements wst:BadRequest wst:ExpiredData wst:InvalidTimeRange wst:InvalidScope wst:RenewNeeded wst:UnableToRenew |
Supported topic | Specific aspect that is supported |
---|---|
Namespace | http://docs.oasis-open.org/ws-sx/ws-trust/200512 |
Request header | /wsa:Action Valid options include: |
Request elements and attributes | /wst:RequestSecurityToken /wst:RequestSecurityToken/@Context /wst:RequestSecurityToken/wst:RequestType /wst:RequestSecurityToken/wst:TokenType |
Response header | /wsa:Action Valid options include: |
Response elements and attributes | /wst:RequestSecurityTokenResponse /wst:RequestSecurityTokenResponse/@Context /wst:RequestSecurityTokenResponse/wst:TokenType /wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken /wst:RequestSecurityTokenResponse/wsp:AppliesTo /wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference /wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference /wst:RequestSecurityTokenResponse/wst:RequestedProofToken /wst:RequestSecurityTokenResponse/wst:Entropy /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret /wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type /wst:RequestSecurityTokenResponse/wst:Lifetime /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created /wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires /wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey /wst:RequestSecurityTokenResponse/wst:KeySize /wst:RequestSecurityTokenResponse/wst:Renewing /wst:RequestSecurityTokenResponse/wst:Renewing/@Allow /wst:RequestSecurityTokenResponse/wst:Renewing/@OK /wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled /wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status/wst:Code /wst:RequestSecurityTokenResponse/wst:Status/wst:Reason |
Error handling | wst:InvalidRequest wst:FailedAuthentication wst:RequestFailed wst:InvalidSecurityToken wst:AuthenticationBadElements wst:BadRequest wst:ExpiredData wst:InvalidTimeRange wst:InvalidScope wst:RenewNeeded wst:UnableToRenew |
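The WS-Trust rows above list wst:Entropy/wst:BinarySecret, wst:KeySize and wst:RequestedProofToken/wst:ComputedKey, and the WS-SecureConversation table lists keys derived from a security context's shared secret; both derivations are built on the TLS P_SHA1 function. The following Python is an added example, not WebSphere code, that computes the PSHA1 computed key from both parties' entropy and a DerivedKeyToken key from a context secret and nonce; the algorithm URI and default label come from the specifications, not this page, and the sample entropies are constructed.

```python
import hashlib
import hmac

# Computed-key algorithm URI defined by WS-Trust 1.3 (200512 namespace).
CK_PSHA1 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 (RFC 2246, section 5), reused by both specifications.

    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1)); the output stream is
    HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    truncated to `length` bytes.
    """
    if length < 0:
        raise ValueError("length must not be negative")
    stream, a = b"", seed
    while len(stream) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        stream += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return stream[:length]


def computed_key(ent_req: bytes, ent_res: bytes, key_size_bits: int) -> bytes:
    """WS-Trust wst:ComputedKey with PSHA1: key = P_SHA1(EntREQ, EntRES).

    ent_req is the requestor's wst:Entropy/wst:BinarySecret, ent_res the
    issuer's, and key_size_bits the value carried in wst:KeySize.
    """
    if key_size_bits <= 0 or key_size_bits % 8:
        raise ValueError("wst:KeySize must be a positive multiple of 8")
    return p_sha1(ent_req, ent_res, key_size_bits // 8)


def derived_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 32,
                label: bytes = b"WS-SecureConversationWS-SecureConversation") -> bytes:
    """WS-SecureConversation DerivedKeyToken: P_SHA1(secret, label + nonce),
    returning `length` bytes starting at `offset` of the key stream
    (a wsc:Generation of n is equivalent to offset = n * length).
    The default label is the WS-SecureConversation 1.3 default (assumed here);
    use the token's wsc:Label when one is present.
    """
    if offset < 0 or length <= 0:
        raise ValueError("invalid offset or length")
    return p_sha1(secret, label + nonce, offset + length)[offset:]


if __name__ == "__main__":
    # Constructed sample entropies; on the wire they travel base64-encoded
    # inside wst:BinarySecret elements.
    req, res = b"requestor-entropy-sample", b"issuer-entropy-sample"
    session_key = computed_key(req, res, 256)
    print("session key:", session_key.hex())
    print("derived key:", derived_key(session_key, b"nonce-bytes").hex())
```

Because every generated key is a prefix-consistent slice of one P_SHA1 stream, a mismatch between the requestor's and issuer's derived keys points at differing entropy, key size, nonce or label rather than at the PRF itself.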
Functionality that is not supported by WebSphere Application Server
- Web Services Security SOAP Messages with Attachments (SwA) profile 1.0. Note: When using the JAX-WS programming model, securing the SOAP Message Transmission Optimization Mechanism (MTOM) attachment is supported. See the topic Enabling MTOM for JAX-WS web services for more information.
- XrML token profile
- XML enveloping digital signature
- XML enveloping digital encryption
- The following WS-SecureConversation functionality is not supported by WebSphere Application Server:
  - Two methods for establishing a security context are not supported: 1) a security context token created by one of the communicating parties and propagated with a message; and 2) a security context token created through negotiation or exchanges.
  - SCT propagation
  - Amending security contexts
- The following transform algorithms for digital signatures are not supported:
  - XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116
  - SOAP Message Normalization. See SOAP Version 1.2 Message Normalization for details (for example, an empty header or a header entry with mustUnderstand=false is removed).
  - Decryption transform
- The following key agreement algorithm for encryption is not supported:
- The following canonicalization algorithms for encryption, which are optional in the XML Encryption specification, are not supported:
  - Canonical XML with or without comments
  - Exclusive XML Canonicalization with or without comments
- DSA digital signature is not supported.
- Pre-agreed symmetric key data encryption is not supported.
- Auditing for nonrepudiation for digital signatures is not supported.
- In both versions of the Username Token Profile specification, the digest password type is not supported.
- In the Username Token Version 1.1 Profile specification, the key derivation based on a password is not supported.
Unsupported function for WS-Trust Version 1.0 Draft and Version 1.3
The following tables show the aspects of the OASIS: Web Services Security: WS-Trust Version 1.0 Draft and Version 1.3 specifications that are not supported in WebSphere Application Server Version 6.1 Feature Pack for Web Services, and later.
Unsupported topic | Specific aspect that is not supported |
---|---|
Elements and attributes | /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type Unsupported request options: |
Response elements and attributes | /wst:RequestSecurityTokenResponseCollection /wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse |
Unsupported topic | Specific aspect that is not supported |
---|---|
Elements and attributes | /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type Unsupported request options: |
Response header | /wsa:Action Unsupported responses: |