LTPA and LTPA Version 2 tokens
Web services security supports both LTPA (Version 1) and LTPA Version 2 (LTPA2) tokens. The LTPA2 token, which is more secure than Version 1, is supported by the JAX-WS runtime only.
The Lightweight Third Party Authentication (LTPA) token is a specific type of binary security token. The web services security implementation for WebSphere Application Server, Version 5 and later supports the LTPA Version 1 token. WebSphere Application Server Version 7 and later supports the LTPA Version 2 token using the JAX-WS runtime environment.
LTPA Version token | Valuetype value |
---|---|
LTPA (Version 1) | http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA |
LTPA2 | http://www.ibm.com/websphere/appserver/tokentype/LTPAv2 |
To allow for interoperability between servers that are running different versions of WebSphere Application Server, by default, the JAX-WS web services security runtime in Version 7.0 and later can successfully consume an LTPA Version 1 token when the binding is configured to expect an LTPA2 token. However, you can configure the binding for the JAX-WS runtime to accept only LTPA2 tokens. For more information, see the documentation about Authentication generator or consumer token settings.
If the web services security run time receives a token with an unrecognized valuetype value and the SOAP security header contains a mustUnderstand attribute value that is equal to '1', the web services security run time issues a SOAPFaultException error. If the mustUnderstand attribute value is equal to '0', the token is ignored.
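The consume-side decisions described above (Version 1 accepted by default where LTPA2 is expected, and the mustUnderstand handling of an unrecognized valuetype), modeled as an added example that is not IBM's code or a WebSphere API. It assumes the token arrives as a wsse:BinarySecurityToken whose ValueType attribute holds the full value from the table; `evaluate`, `sample`, `ltpa2_only` and the decision labels are hypothetical names.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Valuetype values from the table above.
LTPA_V1 = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA"
LTPA_V2 = "http://www.ibm.com/websphere/appserver/tokentype/LTPAv2"


def evaluate(envelope, expected=LTPA_V2, supported=(LTPA_V1, LTPA_V2),
             ltpa2_only=False):
    """Model the consumer's decision; returns (decision, valuetype)."""
    root = ET.fromstring(envelope)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return ("no-security-header", None)
    must_understand = sec.get(f"{{{SOAP}}}mustUnderstand", "0") == "1"
    token = sec.find(f"{{{WSSE}}}BinarySecurityToken")
    if token is None:
        return ("no-token", None)
    valuetype = token.get("ValueType")
    if valuetype not in supported:
        # Unrecognized valuetype: fault only when mustUnderstand is '1'.
        return ("fault" if must_understand else "ignore", valuetype)
    if valuetype == expected:
        return ("accept", valuetype)
    if valuetype == LTPA_V1 and expected == LTPA_V2 and not ltpa2_only:
        # Default interoperability: the weaker Version 1 token is consumed.
        return ("accept-v1-interop", valuetype)
    # Hypothetical label: the page does not say which error is raised here.
    return ("reject", valuetype)


def sample(valuetype, must_understand):
    """Constructed test envelope; the token body is a placeholder."""
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}"><s:Header>'
        f'<wsse:Security s:mustUnderstand="{must_understand}">'
        f'<wsse:BinarySecurityToken ValueType="{valuetype}">PLACEHOLDER'
        f'</wsse:BinarySecurityToken></wsse:Security></s:Header>'
        f'<s:Body/></s:Envelope>')


if __name__ == "__main__":
    pre_v7 = dict(expected=LTPA_V1, supported=(LTPA_V1,))  # no LTPA2 support
    print(evaluate(sample(LTPA_V1, "1")))
    print(evaluate(sample(LTPA_V1, "1"), ltpa2_only=True))
    print(evaluate(sample(LTPA_V2, "1"), **pre_v7))
    print(evaluate(sample(LTPA_V2, "0"), **pre_v7))
```

An `accept-v1-interop` result on a binding intended for LTPA2 is the case to look for when deciding whether to restrict the binding to LTPA2 tokens only.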
'1' to a web services security run time in which the LTPA2 token is not supported, the run time does not recognize the LTPAv2 valuetype value. Thus, the receiving run time issues a SOAPFaultException error. The following table illustrates these different configurations and their potential error messages.
Run time | LTPA Version 1 token status | MustUnderstand attribute value | SOAPFaultException error |
---|---|---|---|
JAX-RPC | Required | 1 | |
JAX-RPC | Required | 0 | |
JAX-RPC | Optional | 1 | |
JAX-RPC | Optional | 0 | None |
JAX-RPC | Not Configured | 1 | |
JAX-RPC | Not Configured | 0 | None |
JAX-WS (Version 6.1 Feature Pack for Web Services) | Not Configured | 1 | |
JAX-WS (Version 6.1 Feature Pack for Web Services) | Not Configured | 0 | None |
JAX-WS (Version 6.1 Feature Pack for Web Services) | Configured | 1 | |
JAX-WS (Version 6.1 Feature Pack for Web Services) | Configured | 0 | |
- Enable the single sign-on interoperability mode, which is available on the Single sign-on (SSO) panel within the administrative console. For more information on this option, see the documentation about single sign-on settings.
- Set the com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7 custom property to true for the LTPA token generator.