Web services security custom properties
You can configure name-value pairs of data, where the name is a property key and the value is a string value that you can use to set internal system configuration properties. Defining a new property allows configuration of a setting beyond what is available through options in the administrative console.
Custom properties for web services security can be set in various levels of the application server and for JAX-RPC versus JAX-WS applications. The following list of custom properties provides information on where the custom property is set and how it is used.
The web services security generic security token login module custom properties and the Web services security SAML token custom properties are documented in other information topics. Links to these topics are provided in the Related reference section of this topic.
You can define the following web services security custom properties:
- com.ibm.websvcs.client.serializeSecurityContext
- com.ibm.ws.wssecurity.createSTR
- com.ibm.ws.wssecurity.dsig.SignatureAlgorithm
- com.ibm.ws.wssecurity.dsig.CanonicalizationAlgorithm
- com.ibm.ws.wssecurity.sc.FaultCode
- com.ibm.ws.wssecurity.useInboundBodyOptimization
- com.ibm.ws.wssecurity.useOldCloneCriteria
- com.ibm.wsspi.wssecurity.Caller.assertionLoginConfig
- com.ibm.wsspi.wssecurity.config.disableWSSIfApplicationSecurityDisabled
- com.ibm.wsspi.wssecurity.config.gen.checkCacheUsernameTokens
- com.ibm.wsspi.wssecurity.config.request.setMustUnderstand and com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne
- com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure
- com.ibm.wsspi.wssecurity.consumer.timestampRequired
- com.ibm.wsspi.wssecurity.core.NonceCacheTimeout
- com.ibm.wsspi.wssecurity.core.NonceClockSkew
- com.ibm.wsspi.wssecurity.core.NonceMaxAge
- com.ibm.wsspi.wssecurity.core.TimestampClockSkew
- com.ibm.wsspi.wssecurity.core.TimestampMaxAge
- com.ibm.wsspi.wssecurity.core.TimestampTimeout
- com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces
- com.ibm.wsspi.wssecurity.dsig.oldEnvelopedSignature
- com.ibm.wsspi.wssecurity.dsig.relativeNamespaceAllowed
- com.ibm.wsspi.wssecurity.enc.MTOM.Optimize
- com.ibm.wsspi.wssecurity.generator.useWSSObject
- com.ibm.wsspi.wssecurity.krbtoken.clientRealm
- com.ibm.wsspi.wssecurity.krbtoken.loginPrompt
- com.ibm.wsspi.wssecurity.login.useSoap12FaultCodes
- com.ibm.wsspi.wssecurity.nonce.includeEncodingType
- com.ibm.wsspi.wssecurity.token.cert.useRequestorCert
- com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext
- com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg
- com.ibm.wsspi.wssecurity.token.forwardable
- com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed
- com.ibm.wsspi.wssecurity.token.IDAssertion.useRunAsIdentity
- com.ibm.wsspi.wssecurity.token.username.addNonce and com.ibm.wsspi.wssecurity.token.username.addTimestamp
- com.ibm.wsspi.wssecurity.token.username.emitPasswordDigest
- com.ibm.wsspi.wssecurity.token.username.password.forwardable
- com.ibm.wsspi.wssecurity.token.username.verifyNonce and com.ibm.wsspi.wssecurity.token.username.verifyTimestamp
- com.ibm.wsspi.wssecurity.token.UsernameToken.digestPasswordCallbackHandler
- com.ibm.wsspi.wssecurity.token.UsernameToken.disableUserRegistryCheck
- com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule.disableUserRegistryCheck
- com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7
- com.ibm.wsspi.wssecurity.useMTOMWithCustomComponents
com.ibm.websvcs.client.serializeSecurityContext
When the com.ibm.websvcs.client.serializeSecurityContext property is set to false in the request context on the binding provider for the service call, the WebSphere® security context will not be serialized to the web services message context. The following example illustrates setting this property.

```java
// port is the JAX-WS proxy obtained from the generated service class
javax.xml.ws.BindingProvider bp = (javax.xml.ws.BindingProvider) port;
bp.getRequestContext().put("com.ibm.websvcs.client.serializeSecurityContext", "false");
```

The com.ibm.websvcs.client.serializeSecurityContext property cannot be used in conjunction with a Reliable Messaging policy set.
Information | Value |
---|---|
Data type | String |
Values | True, False |
Default | True |
com.ibm.ws.wssecurity.createSTR
The com.ibm.ws.wssecurity.createSTR property creates a security token reference to the security token in the SOAP security header when you specify a True value. Set this custom property to True when the following conditions exist:
- The referencing mechanism for the token signature is the STR Dereference Transform, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- The SignedParts element for the WS-Security policy contains an XPath value that represents the SecurityTokenReference.
This property is configured as a custom property on the SAML token generator. It is not configured on the callback handler.
Information | Value |
---|---|
Data type | String |
Values | True, False |
Default | False |
The value for this property is case-insensitive.
com.ibm.ws.wssecurity.dsig.SignatureAlgorithm
Use this custom property to configure the digital signature algorithm; it enables the web services security runtime to use SHA-2 signature algorithms.
For JAX-WS applications, set the following custom property in the signing information section of the request or response to enable SHA-2 signature algorithms. Ensure that the same value is used for both the client and the provider when configuring this custom property.
The com.ibm.ws.wssecurity.dsig.SignatureAlgorithm custom property specifies the SHA-2 signature algorithms for XML digital signatures. By default, WebSphere Application Server uses SHA1withRSA or HMACSHA1 to generate digital signatures.
Information | Value |
---|---|
Data type | String |
Values | rsa-sha256, rsa-sha384, rsa-sha512, hmac-sha256, hmac-sha384, hmac-sha512, or dsa-sha256 |
You can configure the com.ibm.ws.wssecurity.dsig.SignatureAlgorithm custom property from either the outbound signing information or the inbound signing information. To configure com.ibm.ws.wssecurity.dsig.SignatureAlgorithm, complete the following steps:
- Open the WS-Security authentication and protection page.
- Under either Request message signature and encryption protection or Response message signature and encryption protection, click the signature_message_part_reference name to access the configuration for the signed message part binding.
- Specify the custom property. For example, enter com.ibm.ws.wssecurity.dsig.SignatureAlgorithm as the property name and the wanted algorithm as the property value, using one of the values identified in the previous table.
com.ibm.ws.wssecurity.dsig.CanonicalizationAlgorithm
Use this custom property to configure the canonicalization algorithm for the digital signature.
For JAX-WS applications, set the com.ibm.ws.wssecurity.dsig.CanonicalizationAlgorithm custom property in the signing information section of the request or response. This property only needs to be set for outbound messages.
Information | Value |
---|---|
Data type | String |
Default | http://www.w3.org/2001/10/xml-exc-c14n# |
To configure the com.ibm.ws.wssecurity.dsig.CanonicalizationAlgorithm custom property, complete the following steps:
- Open the WS-Security authentication and protection page.
- Under either Request message signature and encryption protection or Response message signature and encryption protection, click the signature_message_part_reference name to access the configuration for the signed message part binding.
- Specify the com.ibm.ws.wssecurity.dsig.CanonicalizationAlgorithm custom property, and enter the wanted canonicalization algorithm as the property value. An example value is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments.
com.ibm.ws.wssecurity.sc.FaultCode
Use this custom property in a JAAS login module to set the SOAP fault code in the event of an error. If this property is not specified, the SOAP fault code wsse:FailedAuthentication is always returned.
In the custom JAAS login module, set the com.ibm.ws.wssecurity.sc.FaultCode property on the wssecurity context to the QName of the fault code that you want to use. For example:

```java
// Inside the custom JAAS login module, after the PropertyCallback has been handled.
javax.xml.namespace.QName fcQname = new javax.xml.namespace.QName(
    "http://schemas.xmlsoap.org/ws/2003/06/secext",
    "FailedCheck");
// Store the fault code in the wssecurity context so the runtime reports it
// instead of the default wsse:FailedAuthentication.
this._context = propertyCallback.getProperties();
_context.put("com.ibm.ws.wssecurity.sc.FaultCode", fcQname);
```

Information | Value |
---|---|
Data type | String |
Default | none |
com.ibm.ws.wssecurity.useInboundBodyOptimization
Information | Value |
---|---|
Data type | String |
Default | true |
com.ibm.ws.wssecurity.useOldCloneCriteria
When this Java™ virtual machine (JVM) system property is set to true, only Lightweight Third Party Authentication (LTPA) tokens are cloned before being put into the runAs subject.
Information | Value |
---|---|
Data type | String |
Default | false |
com.ibm.wsspi.wssecurity.Caller.assertionLoginConfig
The com.ibm.wsspi.wssecurity.Caller.assertionLoginConfig property, which is configured on the caller part, specifies the name of the JAAS login configuration that is used by Web Services Security to obtain WebSphere Application Server authorization credentials. You must configure this property using an assembly tool such as Rational® Application Developer. For more information, see the Configuring the caller in consumer security constraints topic for Rational Application Developer. Within this topic, this custom property is set when you configure identity assertion.
Use this property with WS-Security V1.0 JAX-RPC applications only.
Information | Value |
---|---|
Data type | String |
Default | system.DEFAULT |
com.ibm.wsspi.wssecurity.config.disableWSSIfApplicationSecurityDisabled
When you set the com.ibm.wsspi.wssecurity.config.disableWSSIfApplicationSecurityDisabled custom property to true, Web Services Security does not enforce the configured WS-Security constraints if application security is disabled on the application server. You can use this custom property to debug services in a non-secure environment without needing to remove security constraints from web services applications.
Information | Value |
---|---|
Data type | String |
Values | true, false |
Default | false |
Complete the following steps in the administrative console to set the custom property:
- Expand the navigation entry for policy set bindings.
- Click General provider policy set bindings or General client policy set bindings.
- Click the binding_name.
- Under the Policy heading, open the WS-Security custom properties.
You can also set the custom property using wsadmin tooling. The following WS-Security policy-type property names are used in setBinding:
- application.parameters
- application.securityinboundbindingconfig.properties
com.ibm.wsspi.wssecurity.config.gen.checkCacheUsernameTokens
The com.ibm.wsspi.wssecurity.config.gen.checkCacheUsernameTokens custom property specifies whether to cache UsernameTokens all of the time, which is the default behavior, or to cache them as determined by a set of rules. You can configure this custom property for the token generator or as an additional property.
When the com.ibm.wsspi.wssecurity.config.gen.checkCacheUsernameTokens custom property is set to false, UsernameTokens are always cached on client threads. When you set this custom property to true, the web services security run time determines whether UsernameTokens are cached based on the following rules:
- Never cache UsernameTokens if the application is running on an application server.
- Cache UsernameTokens if the token generator for the UsernameToken has the following callback handler configured: com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler.
This custom property applies to the JAX-RPC run time only. Use an assembly tool, such as Rational Application Developer, to set the custom property within the encrypted message part bindings.
Information | Value |
---|---|
Data type | String |
Values | true, false |
Default | false |
com.ibm.wsspi.wssecurity.config.request.setMustUnderstand and com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne
These two custom properties allow the administrator to control the setting of the mustUnderstand attribute in the SOAP Security header. These properties are set as outbound custom properties.
- com.ibm.wsspi.wssecurity.config.request.setMustUnderstand custom property
The com.ibm.wsspi.wssecurity.config.request.setMustUnderstand custom property specifies the mustUnderstand setting in outbound consumer requests. If the value of the property is set to zero (0), no, or false, then the mustUnderstand attribute is not set in the WS-Security header within outbound consumer requests.
Information | Value |
---|---|
Data type | String |
Value | Zero (0), no, false |
Default | true |
In SOAP messages, the default value for the mustUnderstand attribute is zero (0). According to the SOAP specification, if the intended value for the attribute is zero, then the attribute must not be present in the message.
Avoid trouble: The instructions for setting the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand property are the same as the instructions for setting com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne.
- com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom property
The com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom property specifies that the provider should always respond with a mustUnderstand="1" attribute in the SOAP security header. If the value is set to one (1), yes, or true, the provider responds with the mustUnderstand="1" attribute in the WS-Security header. The default value of the attribute is false.
Information | Value |
---|---|
Data type | String |
Value | One (1), yes, or true |
Default | false |
By default, the response contains the same mustUnderstand attribute as the request. For example, if the inbound request has mustUnderstand="1", the response also includes mustUnderstand="1". If the request does not have a mustUnderstand attribute, the response does not include a mustUnderstand attribute.
For JAX-WS applications, you can set the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand and com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom properties as outbound custom properties or as inbound and outbound custom properties for the policy set bindings. Complete the following steps in the administrative console to set the custom properties:
- Expand the navigation entry for policy set bindings.
- Click General provider policy set bindings or General client policy set bindings.
- Click the binding_name.
- Under the Policy heading, open the WS-Security custom properties.
You can also set the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand and com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom properties as parameters or as outbound binding properties on your application using wsadmin tooling. The following WS-Security policy-type property names are used in setBinding:
- application.parameters
- application.securityinboundbindingconfig.properties
For JAX-RPC applications, you can specify both properties in the following locations within the administrative console:
- Under Security, click JAX-WS and JAX-RPC security runtime. Under JAX-RPC Default Generator Bindings, click Properties.
- Under Security, click JAX-WS and JAX-RPC security runtime. Under Custom properties, click Custom properties.
If you are using an assembly tool with a JAX-RPC WS-Security version 1.0 application, you can set the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand custom property on the security request generator extension or binding. You can set the com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom property on the response generator extension or binding. A setting in the binding takes precedence over a setting in the extension.
If you are using an assembly tool with a JAX-RPC WS-Security specification draft 13–level application, you can set the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand custom property as a parameter on the port qualified name binding. You can set the com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom property as a parameter on the port component binding.
com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure
The com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure custom property specifies whether a trust store can be reloaded after an application server starts.
A trust store is a key store. By default, JAX-WS WS-Security does not acknowledge the refresh of any keystores while the application server is running. For performance reasons, keystores are cached in memory when each application is started. Because the cache is shared among applications, even if a single application is stopped, its keystores remain in the cache. Therefore, if a trusted certificate that is used by an X.509 token consumer is added to a trust store after the application server starts, the trust validation fails.
If you set the com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure property to true, when a trust validation failure occurs, the WS-Security runtime reloads its configured trust store and tries the trust validation one more time. The reloaded trust store is only used for this single re-validation attempt. The keystore object in the cache is not replaced because replacing the keystore object might cause concurrency issues.
If the second validation attempt fails, a trust validation failure is returned to the client.
com.ibm.wsspi.wssecurity.consumer.timestampRequired
The com.ibm.wsspi.wssecurity.consumer.timestampRequired property specifies whether a Timestamp is required in the security header of the response when the Include timestamp in security header setting is selected for the WS-Security policy.
The JAX-WS WS-Security runtime is updated to comply with the Timestamp Required requirement of the OASIS WS-SecurityPolicy 1.2 specification. If you want to configure an application to not require an inbound time stamp when an outbound time stamp is configured, you can add the com.ibm.wsspi.wssecurity.consumer.timestampRequired custom property to your Web Services Security settings and set that property to false. When this property is set to false, even if Include timestamp in security header is selected as a setting for the WS-Security policy, a Timestamp is not expected in the security header for a response.
The default value for this property is true.
Information | Value |
---|---|
Data type | Boolean |
Default | true |
com.ibm.wsspi.wssecurity.core.NonceCacheTimeout
Specify a value in seconds for the Nonce cache timeout field. The value that is specified for the Nonce cache timeout field indicates the number of seconds a nonce remains cached before it is discarded. The minimum value is 300. The default value is 600.
This property is specified as either an Inbound or Inbound and Outbound custom property for the WS-Security policy set bindings.
com.ibm.wsspi.wssecurity.core.NonceClockSkew
This custom property specifies the number of seconds to allow for system clock differences between the sender and receiver of a message. Consider the difference in time between the message sender and the message receiver if the clocks are not synchronized, the time that is needed to encrypt and transmit the message, and the time that is needed to get through network congestion.
The value for this property must be larger than 0 and greater than the value for com.ibm.wsspi.wssecurity.core.NonceMaxAge. If the value for com.ibm.wsspi.wssecurity.core.NonceClockSkew is not found to be valid, it reverts to the default. The default value is 0.
This property is specified as either an Inbound or Inbound and Outbound custom property for the WS-Security policy set bindings.
com.ibm.wsspi.wssecurity.core.NonceMaxAge
This custom property specifies the number of seconds that a nonce is valid. The value for this property must be between 300 and the value for com.ibm.wsspi.wssecurity.core.NonceCacheTimeout. If the value for com.ibm.wsspi.wssecurity.core.NonceMaxAge is not found to be valid, it reverts to the default. The default value is 300.
This property is specified as either an Inbound or Inbound and Outbound custom property for the WS-Security policy set bindings.
com.ibm.wsspi.wssecurity.core.TimestampClockSkew
This custom property specifies the number of seconds to allow for system clock differences between the sender and receiver of a message. Consider the difference in time between the message sender and the message receiver if the clocks are not synchronized, the time that is needed to encrypt and transmit the message, and the time that is needed to get through network congestion. The value for this property must be larger than 0 and greater than the value for com.ibm.wsspi.wssecurity.core.TimestampMaxAge. If the value for com.ibm.wsspi.wssecurity.core.TimestampClockSkew is not found to be valid, it reverts to the default. The default value is 180.
This property is specified as either an Inbound or Inbound and Outbound custom property for the WS-Security policy set bindings.
com.ibm.wsspi.wssecurity.core.TimestampMaxAge
This custom property specifies the number of seconds that a timestamp is valid. The value for this property must be between 300 and the value for com.ibm.wsspi.wssecurity.core.TimestampTimeout. If the value for com.ibm.wsspi.wssecurity.core.TimestampMaxAge is not found to be valid, it reverts to the default. The default value is 300.
This property is specified as either an Inbound or Inbound and Outbound custom property for the WS-Security policy set bindings.
com.ibm.wsspi.wssecurity.core.TimestampTimeout
This custom property specifies the maximum number of seconds that is allowed for a timestamp to be valid. This property is used to determine the validity of com.ibm.wsspi.wssecurity.core.TimestampMaxAge. The minimum value is 300. The default value is 600.
This property is specified as either an Inbound or Inbound and Outbound custom property for the WS-Security policy set bindings.
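The six nonce and timestamp properties above constrain one another, and an out-of-range value reverts to the default without an error, so a binding that was meant to tighten a window can silently loosen it. The following added example (not WebSphere code) models those resolution rules as stated in the descriptions and then applies the effective TimestampMaxAge and TimestampClockSkew to a wsu:Created value; the acceptance window in timestamp_fresh() is an assumption, since the page does not give the formula.

```python
"""Model of the WS-Security nonce and timestamp custom-property rules.

Added example, not WebSphere code. A value outside its allowed range
reverts to that property's default, and the Timeout, MaxAge and ClockSkew
properties of each family constrain one another. The acceptance window in
timestamp_fresh() is an assumption; the page does not state the formula.
"""
from datetime import datetime, timedelta, timezone

PREFIX = "com.ibm.wsspi.wssecurity.core."

# Defaults as listed in the property descriptions.
DEFAULTS = {
    PREFIX + "NonceCacheTimeout": 600,
    PREFIX + "NonceMaxAge": 300,
    PREFIX + "NonceClockSkew": 0,
    PREFIX + "TimestampTimeout": 600,
    PREFIX + "TimestampMaxAge": 300,
    PREFIX + "TimestampClockSkew": 180,
}


def _effective(props, name, valid, reverted):
    """Effective value of one property: the default when it is not set, the
    configured value when valid() accepts it, otherwise the default again
    (the name is recorded in `reverted` so the silent fallback is visible)."""
    if name not in props:
        return DEFAULTS[name]
    try:
        value = int(props[name])
    except (TypeError, ValueError):
        value = None
    if value is None or not valid(value):
        reverted.append(name)
        return DEFAULTS[name]
    return value


def resolve(props, family):
    """Resolve the three related properties of one family.

    family == "Nonce":     NonceCacheTimeout, NonceMaxAge, NonceClockSkew
    family == "Timestamp": TimestampTimeout,  TimestampMaxAge, TimestampClockSkew
    Returns (timeout, max_age, clock_skew, reverted_property_names).
    """
    timeout_name = PREFIX + ("NonceCacheTimeout" if family == "Nonce" else "TimestampTimeout")
    max_age_name = PREFIX + family + "MaxAge"
    skew_name = PREFIX + family + "ClockSkew"
    reverted = []
    # Timeout: minimum 300.
    timeout = _effective(props, timeout_name, lambda v: v >= 300, reverted)
    # MaxAge: between 300 and the resolved timeout.
    max_age = _effective(props, max_age_name, lambda v: 300 <= v <= timeout, reverted)
    # ClockSkew: larger than 0 and greater than the resolved MaxAge, as the
    # descriptions state (so a smaller skew falls back to the default).
    clock_skew = _effective(props, skew_name, lambda v: v > 0 and v > max_age, reverted)
    return timeout, max_age, clock_skew, reverted


def parse_created(text):
    """Parse a wsu:Created value such as 2024-05-01T12:00:00Z, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported wsu:Created format: " + text)


def timestamp_fresh(created, now, max_age, clock_skew):
    """Assumed acceptance window: reject a Created time more than clock_skew
    seconds in the future, and reject one older than max_age + clock_skew."""
    skew = timedelta(seconds=clock_skew)
    if created > now + skew:
        return False
    return now - created <= timedelta(seconds=max_age) + skew


if __name__ == "__main__":
    # Constructed binding: the operator meant to tighten MaxAge to 120 s,
    # but 120 < 300 is invalid, so the runtime silently uses 300.
    binding = {PREFIX + "TimestampMaxAge": "120"}
    timeout, max_age, skew, reverted = resolve(binding, "Timestamp")
    print("effective:", timeout, max_age, skew, "reverted:", reverted)
    now = parse_created("2024-05-01T12:00:00Z")
    for created in ("2024-05-01T11:58:00Z", "2024-05-01T11:50:00Z", "2024-05-01T12:04:00Z"):
        print(created, timestamp_fresh(parse_created(created), now, max_age, skew))
```

Checking the returned reverted list after deployment is the quickest way to confirm that a binding's timing values are actually in force.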
com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces
This custom property, which applies to both the JAX-RPC and JAX-WS applications, specifies whether to disable the inclusive namespace prefix list for XML digital signatures. WebSphere Application Server, by default, includes the prefix in the digital signature for Web Services Security. You can set this custom property to false if you do not want inclusive namespaces set as an element. Some implementations of Web Services Security cannot handle this prefix list. If you experience a signature validation failure when a signed SOAP message is sent and you are using another vendor in your environment, check with your service provider for a possible fix to their implementation before you disable this property.
To set the property in the application security bindings:
- Open the web services application settings.
- Under Web Services Security Properties, click Web services: Client security bindings or Web services: Server security bindings.
- Click the binding that you want to edit.
- Under Request generator (sender) binding or Response generator (sender) binding, click Edit custom.
- Under Required properties, open the properties.
- Specify the custom property and its value.
To set the property in the policy set bindings:
- Open the WS-Security authentication and protection page.
- Under either Request message signature and encryption protection or Response message signature and encryption protection, click the signature_message_part_reference name to access the configuration for the signed message part binding.
- Specify the custom property and its value.
com.ibm.wsspi.wssecurity.dsig.oldEnvelopedSignature
Use this property in conjunction with the com.ibm.wsspi.wssecurity.dsig.enableEnvelopedSignatureProperty JVM custom property to indicate to the WS-Security runtime that you want the WS-Security runtime to calculate the digest value as it did in Versions 7.0.0.21 and earlier for either outbound XML Digital Signature creation or inbound verification. For more information, see Java Virtual Machine (JVM) custom properties for a description of when you might want to use this JVM custom property.
This property is specified as either an Inbound, Outbound, or Inbound and Outbound custom property for the WS-Security policy set bindings.
com.ibm.wsspi.wssecurity.dsig.relativeNamespaceAllowed
Set this property to true if you use a digital signature and want to allow relative namespaces. Set this property to true only if you receive the following message and cannot change your Web Services Description Language (WSDL) to use an absolute namespace to resolve the problem:
CWWSS5634E: Signing the message produced the following exception: java.lang.RuntimeException: Found a relative URI: xmlns:h='helloNamespace'
This property is only valid for JAX-WS applications and is specified as either an Inbound, Outbound, or Inbound and Outbound custom property for the WS-Security policy set bindings.
Valid values for this property are true and false. The default value is false.
com.ibm.wsspi.wssecurity.enc.MTOM.Optimize
Set the value for this custom property to true to use Message Transmission Optimization Mechanism (MTOM) for the cipher text of encrypted data. This property is set in the WS-Security policy bindings on the outbound encrypted parts for client requests or server responses.
com.ibm.wsspi.wssecurity.generator.useWSSObject
This custom property determines how the WS-Security run time builds the SOAP Security header that is sent in an outbound SOAP message. By default, the run time uses a fast path using internal web services security (WSS) object representations to build the Security header. Alternatively, the Axis2 run time and objects can be used to build the Security header.
This property is set in the WS-Security policy set bindings as an outbound custom property or an inbound and outbound custom property. This property can be set to true or false. When this property is set to true, WSS Objects are used to build the Security header. When this property is set to false, Axis2 objects are used to build the Security header.
When using both WS-Security and WS-Addressing policies for both inbound and outbound messages, a problem might occur where the Body element appears in the header element in the outbound SOAP message. If this error occurs, set the com.ibm.wsspi.wssecurity.generator.useWSSObject custom property to false.
The default value is true.
com.ibm.wsspi.wssecurity.krbtoken.clientRealm
This JAX-WS Kerberos token generator custom property specifies the name of the Kerberos realm associated with the client and allows the Kerberos client realm to initiate the Kerberos login.
This property is optional for a single Kerberos realm environment; the property will default to the default Kerberos realm name. When implementing Web services security in a cross or trusted Kerberos realm environment, you must provide a value for this property.
This property is set as a custom property on the Callback handler of a Kerberos token generator. To set the property in the administrative console, click binding_name > WS-Security > Authentication and protection > kerberos_token_name > Callback handler. For an application using the WS-Security WSS API, this property can also be set on the Kerberos callback handler for the token generator.
com.ibm.wsspi.wssecurity.krbtoken.loginPrompt
Set this JAX-WS Kerberos token generator custom property to true to enable Kerberos login.
This property is set as a custom property on the Callback handler of a Kerberos token generator. To set the property in the administrative console, click binding_name > WS-Security > Authentication and protection > kerberos_token_name > Callback handler. For an application using the WS-Security WSS API, this property can also be set on the Kerberos callback handler for the token generator.
The default value for this property is false.
com.ibm.wsspi.wssecurity.login.useSoap12FaultCodes
The com.ibm.wsspi.wssecurity.login.useSoap12FaultCodes custom property specifies whether the WS-Security runtime emits the proper SOAP 1.2 fault code when a fault is returned in response to a SOAP 1.2 message.
When this property is set to true, the WS-Security runtime returns a SOAP 1.2 fault code in response to a SOAP 1.2 message.
When this property is set to false, the WS-Security runtime returns a SOAP 1.1 fault code in response to a SOAP 1.2 message.
The default value for this property is true.
This property needs to be set as either a WS-Security Inbound or Inbound and Outbound custom property for a specific binding.
The following example shows a SOAP 1.2 fault that carries a SOAP 1.2 fault code (soapenv:Sender with a FailedAuthentication subcode):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <soapenv:Body>
    <soapenv:Fault>
      <soapenv:Code>
        <soapenv:Value>soapenv:Sender</soapenv:Value>
        <soapenv:Subcode>
          <soapenv:Value xmlns:axis2ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            axis2ns1:FailedAuthentication</soapenv:Value>
        </soapenv:Subcode>
      </soapenv:Code>
      <soapenv:Reason>
        <soapenv:Text>CWWSS6521E: The Login failed because
          of an exception: javax.security.auth.login.LoginException:
          CWWSS7062E: Failed to check username [user1] and password in
          the UserRegsitry: WSSUserRegistryProcessor.checkRegistry()=false
        </soapenv:Text>
      </soapenv:Reason>
      <soapenv:Detail></soapenv:Detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>
```
com.ibm.wsspi.wssecurity.nonce.includeEncodingType
This JAX-WS custom property is added to the WebSphere WS-Security runtime to indicate that an EncodingType attribute should be added to nonce elements. When this custom property is set to true, the EncodingType attribute is added to all nonce elements in the SOAP Security header.
This property is specified in the WS-Security policy set bindings as one of the following:
- Outbound custom properties
- Inbound and outbound custom properties
com.ibm.wsspi.wssecurity.token.cert.useRequestorCert
When this JAX-WS custom property is set to true, the certificate of the signer of the SOAP request will be used to encrypt the SOAP response. This process is called signer certificate encryption.
This property is set as a custom property on the Callback handler of the encryption token generator. To set the property in the administrative console, click binding_name > WS-Security > Authentication and protection > token_name > Callback handler. For an application using the WS-Security WSS API, this property can also be set on the Callback handler for the token generator.
The default value for this property is false.
com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext
This property indicates whether a token consumer or token generator is enabled to obtain its token from the tokenHolder on the message context.
This property is only valid for JAX-WS applications.
Valid values for this property are true and false. The default value is false.
Complete the following steps in the administrative console to set the property:
- Expand the navigation entry for policy set bindings.
- Click General provider policy set bindings or General client policy set bindings.
- Click the binding_name and open the WS-Security custom properties.
- Add this property and its value in the Custom Properties Name and Value fields.
com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg
This property indicates whether a token consumer or token generator is enabled to obtain its token from the set of SecurityTokens in the inbound message. If there is more than one token in the inbound message that matches the value type of the token generator, then the token selected will be indeterminate.
This property is only valid for JAX-WS applications.
Valid values for this property are true and false. The default value is false.
For more information on the tokenHolder list, see passThroughToken in com.ibm.wsspi.wssecurity.core.config.IssuedTokenConfigConstants.
Complete the following steps in the administrative console to set the property:
- Expand the navigation entry for policy set bindings.
- Click General provider policy set bindings or General client policy set bindings.
- Click the binding_name and open the WS-Security custom properties.
- Add this property and its value in the Custom Properties Name and Value fields.
com.ibm.wsspi.wssecurity.token.forwardable
When configuring SecurityToken consumer bindings for the JAX-WS programming model, use this custom property to specify whether the received token is propagated to other servers. If you specify a value of true for this property, you enable this token for propagation to other servers. If you specify a value of false for this property, the token is not propagated to other servers. The default value is true, and the value is not case sensitive.
com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed
This property is intended to be used in an identity assertion scenario. Set this property to true in the callback handler configuration for the identity token.
When this property is set to true in a UsernameToken generator, it allows the generator to emit a UsernameToken without a password. The rest of the identity assertion configuration is not required to use this property with the UsernameToken generator or consumer.
Information | Value |
---|---|
Data type | String |
Values | true, false |
Default | false |
com.ibm.wsspi.wssecurity.token.IDAssertion.useRunAsIdentity
This property is used by the UsernameToken generator. When this property is set to true in the callback handler for the UsernameToken generator, the principal name from the current runAs subject is used as the Username in the UsernameToken. When this property is set to true, base security must be enabled and a runAs subject must be set on the current thread of execution for a non-null Username to be set in the UsernameToken.
IDAssertion.useRunAsIdentity=true requires IDAssertion.isUsed=true to also be set.
Information | Value |
---|---|
Data type | String |
Values | true, false |
Default | false |
com.ibm.wsspi.wssecurity.token.username.addNonce and com.ibm.wsspi.wssecurity.token.username.addTimestamp
When configuring a username token for the JAX-WS programming model, to protect against replay attacks it is strongly recommended that you add the com.ibm.wsspi.wssecurity.token.username.addNonce and com.ibm.wsspi.wssecurity.token.username.addTimestamp custom properties to the callback handler configuration for token generation. These custom properties cause the generator to add a nonce and a timestamp to the UsernameToken; the consumer checks them only when the corresponding com.ibm.wsspi.wssecurity.token.username.verifyNonce and com.ibm.wsspi.wssecurity.token.username.verifyTimestamp properties are set on its side. The value of the properties must be set to true.
com.ibm.wsspi.wssecurity.token.username.emitPasswordDigest
This property enables the UNTGenerateLoginModule to digest the password and emit a PasswordType of #PasswordDigest instead of #PasswordText for a UsernameToken.
- Click .
- Click General provider policy set bindings or General client policy set bindings.
- Click .
- Add this property and its value in the Custom Properties Name and Value fields.
Information | Value |
---|---|
Values | true, false |
Default | false |
com.ibm.wsspi.wssecurity.token.username.password.forwardable
When configuring UsernameToken consumer bindings for the JAX-WS programming model, use this custom property to specify whether the password is propagated along with the UsernameToken to other servers during UsernameToken propagation. If you specify a value of true for this property, the password is preserved during propagation. If you specify a value of false for this property, the password is not preserved and must be removed before the UsernameToken is propagated. The default value is true, and the value is not case sensitive.
com.ibm.wsspi.wssecurity.token.username.verifyNonce and com.ibm.wsspi.wssecurity.token.username.verifyTimestamp
When configuring a username token for the JAX-WS programming model, to protect against replay attacks it is strongly recommended that you add the com.ibm.wsspi.wssecurity.token.username.verifyNonce and com.ibm.wsspi.wssecurity.token.username.verifyTimestamp custom properties to the callback handler configuration for the token consumer. These custom properties make the consumer verify the nonce and timestamp that the generator added for message authentication: a token whose nonce has already been seen, or whose timestamp is outside the accepted window, is rejected. The value of the properties must be set to true.
com.ibm.wsspi.wssecurity.token.UsernameToken.digestPasswordCallbackHandler
This custom property defines a custom callback handler class for use on a UsernameToken consumer that processes a PasswordType of #PasswordDigest. The callback handler must be available to the application and must implement the javax.security.auth.callback.CallbackHandler interface. The value for the Username element in the UsernameToken consumer is passed to the callback handler on a javax.security.auth.callback.NameCallback object. The password that is associated with the user name is returned on a javax.security.auth.callback.PasswordCallback object. The password that is returned is digested and then compared to the Password value in the UsernameToken consumer.
This property is configured as a UsernameToken callback handler custom property. For more information, see Consuming a UsernameToken with PasswordDigest.
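The following is an added example, not IBM code and not part of this page: a handler of the kind the digestPasswordCallbackHandler property names, plus a stand-alone imitation of the consumer-side check the page describes (the run time digests the returned password and compares it with the token) and of the nonce and timestamp checks that verifyNonce and verifyTimestamp enable. The class name, the in-memory credential store, the five-minute age window and one-minute clock skew, and the assumption that the NameCallback and PasswordCallback arrive in a single handle() call are all assumptions made for the example; the page does not specify the exact callback sequence.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Example class to name in the consumer's
 * com.ibm.wsspi.wssecurity.token.UsernameToken.digestPasswordCallbackHandler property.
 * The Username arrives on a NameCallback; the clear-text password is returned on a
 * PasswordCallback and the run time digests and compares it with the token.
 */
public class DigestPasswordCallbackHandler implements CallbackHandler {

    // Constructed stand-in for a real credential store. #PasswordDigest can only be
    // checked if the server can recover the clear-text password, so a store that
    // holds only one-way (salted) password hashes cannot back this handler.
    private static final Map<String, char[]> STORE = new HashMap<>();
    static { STORE.put("alice", "s3cret-pass".toCharArray()); }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        String user = null;                 // assumption: both callbacks come in one call
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) user = ((NameCallback) cb).getName();
        }
        for (Callback cb : callbacks) {
            if (cb instanceof PasswordCallback) {
                char[] pwd = user == null ? null : STORE.get(user);
                // Unknown user: return no password so the digest comparison fails closed.
                ((PasswordCallback) cb).setPassword(pwd == null ? null : pwd.clone());
            } else if (!(cb instanceof NameCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Password_Digest = Base64(SHA-1(nonce + created + password)), per the UsernameToken Profile. */
    static String passwordDigest(byte[] nonce, String created, char[] password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);                                     // raw nonce bytes, not the Base64 text
        sha1.update(created.getBytes(StandardCharsets.UTF_8));  // wsu:Created exactly as it was sent
        sha1.update(new String(password).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    /**
     * Imitation of the consumer-side check (the WS-Security run time performs it for you):
     * reject stale or replayed nonces, then fetch the password and compare digests.
     */
    static boolean verify(String user, String nonceB64, String created, String digestB64,
                          CallbackHandler handler, Set<String> seenNonces,
                          Duration maxAge, Duration clockSkew) throws Exception {
        Instant createdAt = Instant.parse(created);
        Instant now = Instant.now();
        if (createdAt.isBefore(now.minus(maxAge)) || createdAt.isAfter(now.plus(clockSkew))) return false;
        if (!seenNonces.add(nonceB64)) return false;     // nonce already seen inside the window: replay

        NameCallback nc = new NameCallback("username: ");
        nc.setName(user);
        PasswordCallback pc = new PasswordCallback("password: ", false);
        handler.handle(new Callback[] { nc, pc });
        char[] pwd = pc.getPassword();
        if (pwd == null) return false;
        try {
            byte[] expected = passwordDigest(Base64.getDecoder().decode(nonceB64), created, pwd)
                    .getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(expected, digestB64.getBytes(StandardCharsets.UTF_8));
        } finally {
            Arrays.fill(pwd, '\0');
            pc.clearPassword();
        }
    }

    static String freshNonce() {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        return Base64.getEncoder().encodeToString(nonce);
    }

    public static void main(String[] args) throws Exception {
        // What a generator with addNonce, addTimestamp and emitPasswordDigest set to true emits for alice.
        String nonceB64 = freshNonce();
        String created = Instant.now().toString();              // wsu:Created, UTC xsd:dateTime
        String digest = passwordDigest(Base64.getDecoder().decode(nonceB64), created, "s3cret-pass".toCharArray());

        CallbackHandler handler = new DigestPasswordCallbackHandler();
        Set<String> seen = new HashSet<>();
        Duration maxAge = Duration.ofMinutes(5), skew = Duration.ofMinutes(1);   // assumed window values
        System.out.println("fresh token:   " + verify("alice", nonceB64, created, digest, handler, seen, maxAge, skew));
        System.out.println("replayed:      " + verify("alice", nonceB64, created, digest, handler, seen, maxAge, skew));
        String stale = Instant.now().minus(Duration.ofHours(1)).toString();
        String staleNonce = freshNonce();
        String staleDigest = passwordDigest(Base64.getDecoder().decode(staleNonce), stale, "s3cret-pass".toCharArray());
        System.out.println("stale created: " + verify("alice", staleNonce, stale, staleDigest, handler, seen, maxAge, skew));
    }
}
```

The first call is the normal case; the second is rejected because the same nonce reappears inside the window even though the digest is still valid, and the third is rejected on the timestamp alone. Two points the handler makes visible: the digest is only as strong as the server's ability to reproduce the clear-text password, and without the nonce and timestamp checks a captured digest token can be replayed indefinitely, which is why the verifyNonce and verifyTimestamp properties belong with this one.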
com.ibm.wsspi.wssecurity.token.UsernameToken.disableUserRegistryCheck
This property allows the user registry check to be skipped for identity tokens in JAX-WS. This means that the user name associated with the identity token in an identity assertion scenario can pass through the UNTConsumeLoginModule without generating a registry error. Typically an identity token must not contain a password, and there might or might not be a trust token; for example, there might be a blind trust. Because the asserted user name is then accepted without any registry lookup, use this setting only where the party asserting the identity is itself authenticated (for example, by a trust token) or is deliberately trusted blindly.
This property does not affect any UsernameToken that contains a password.
If you need to bypass the registry check for a UsernameToken that contains a password, see the "Replacing the authentication method of the UsernameToken consumer using a stacked JAAS login module" topic. If a caller configuration is required for the UsernameToken, see the "Configuring a UsernameToken caller configuration with no registry interaction" topic.
When the property is set to true, the UNTConsumeLoginModule does not validate the inbound UsernameToken if, and only if, the UsernameToken does not contain a password.
Valid values for this property are true and false. The default value is false.
- Expand .
- Click General provider policy set bindings or General client policy set bindings.
- Click .
- Add this property and its value in the Custom Properties Name and Value fields.
com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule.disableUserRegistryCheck
This property allows the user registry check to be skipped for UsernameTokens in JAX-RPC. This means that the user name passes through the UsernameLoginModule without generating a registry error.
Valid values for this property are true and false.
- When this property is set to true, the UsernameLoginModule class does not perform a user registry check.
- When this property is set to false, the UsernameLoginModule class always performs a user registry check.
- When this property is not set, the UsernameLoginModule class performs a registry check if there is no caller configuration for the UsernameToken class. Otherwise, the registry check for the user name and password is deferred to the point in the process where WebSphere Application Server credentials are obtained. This deferral is done for performance reasons so that the registry check is performed only once for each request.
This property can be added to the custom properties of the com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule module in the wssecurity.UsernameToken JAAS configuration or in the custom properties of the JAAS configuration of the UsernameToken consumer for the provider application.
com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7
Web services security supports both LTPA (Version 1) and LTPA Version 2 (LTPA2) tokens. The LTPA2 token, which is more secure than Version 1, is supported by the JAX-WS run time only. You can set the Enforce token version interoperability option on the token generator to determine whether an LTPA (Version 1) or an LTPA2 token is retrieved when a request message is received. However, if you want to force the run time to use LTPA (Version 1) tokens only, you can set the com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7 custom property to true.
- Locate the binding that you want to configure.
- Click the WS-Security policy in the Policies table.
- Click the Authentication and protection link in the security policy bindings section.
- Click the token generator that you want to configure.
- Set com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7 to true in the Custom properties section.
com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7 custom property value | Enforce token version value | Result |
---|---|---|
false | Disabled | The run time can use both LTPA (Version 1) and LTPA2 tokens. |
not specified, which implies a false value | Disabled | The run time can use both LTPA (Version 1) and LTPA2 tokens. |
true | Disabled | The run time can use LTPA (Version 1) tokens only. |
true | Enabled | The run time can use LTPA (Version 1) tokens only. |
For more information, see the documentation about enabling or disabling single sign-on interoperability mode for the LTPA token.
com.ibm.wsspi.wssecurity.useMTOMWithCustomComponents
Set this JAX-WS custom property to true if messages that include MTOM erroneously contain base64Binary data in the XML document. When this property is set to true, the WS-Security run time will not expand and marshal document elements prematurely. This property is specified as either an Outbound, or Inbound and Outbound custom property in the client WS-Security policy set bindings. The default value for this property is false.