Token type settings
Use the administrative console to define the details about the token types. This panel is displayed differently for each different token type. Policies can be defined that specify which types of security tokens are supported as well as properties for the token type.
- Click > policy_set_name.
- Click the WS-Security policy in the Policies table.
- Click the Main policy link or the Bootstrap policy link.
- Click one of the following:
  - Request token policies from the Policy detail section.
  - Response token policies from the Policy detail section.
  - Symmetric signature and encryption policies from the Key symmetry section.
  - Asymmetric signature and encryption policies from the Key symmetry section.
- For a Request token policy or a Response token policy, click a token from the Supported Token Types table or click the Add Token Type button to select the type of token to add.
- For a symmetric signature and encryption policy or an asymmetric signature and encryption policy, click Edit Selected Type Policy.
This panel is displayed for each token type you are configuring or adding. It displays fields for some token types and not for others. This help topic contains all of the fields for each of the token types and describes which token is being configured for each field.
Custom token name
For a custom token, specify the name of the token being configured. Enter or edit the name for the custom token in this entry field.
Local name
For a custom token, specify the local name.
If the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile v1.1, use one of the values in the following table for the local name. The value you choose depends on the specification level of the Kerberos token generated by the Key Distribution Center (KDC). The table lists the values and the specification level associated with each value. For purposes of interoperability, the Basic Security Profile V1.1 standard requires the use of the local name, http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.
| Local name value for Kerberos token | Associated specification level |
|---|---|
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ | Kerberos V5 AP-REQ as defined in the Kerberos specification. This value is used when the Kerberos ticket is an AP Request. |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ | GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC 1964, Sec. 1.1 and its successor RFC 4121, Sec. 4.1. This value is used when the Kerberos ticket is an AP Request (ST + Authenticator). |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510 | Kerberos V5 AP-REQ as defined in RFC 1510. This value is used when the Kerberos ticket is an AP Request per RFC 1510. |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510 | GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC 1964, Sec. 1.1 and its successor RFC 4121, Sec. 4.1. This value is used when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC 1510. |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120 | Kerberos V5 AP-REQ as defined in RFC 4120. This value is used when the Kerberos ticket is an AP Request per RFC 4120. |
| http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120 | GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC 1964, Sec. 1.1 and its successor RFC 4121, Sec. 4.1. This value is used when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC 4120. |
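The local name configured here ends up as the ValueType attribute of the wsse:BinarySecurityToken that carries the Kerberos ticket on the wire. The following added example (not part of this help topic or of the product) shows how a receiver-side check can validate that attribute against the six profile values above, flag tokens that are valid but not the BSP 1.1 interoperable GSS_Kerberosv5_AP_REQ form, and confirm that the token framing matches the declared type (a GSS-API mechanism token starts with the ASN.1 [APPLICATION 0] tag 0x60, a bare KRB_AP_REQ with [APPLICATION 14], 0x6E). The SOAP envelope, the token bytes and the function names are constructed for the example; the payloads are placeholders, not real tickets.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespaces used by a WS-Security 1.0/1.1 header
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
KERB_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1"

# Local-name values from the Kerberos Token Profile 1.1 table above.
# True: GSS-API mechanism token (RFC 1964 / RFC 4121 framing); False: bare Kerberos V5 AP-REQ.
KERBEROS_VALUE_TYPES = {
    f"{KERB_PROFILE}#Kerberosv5_AP_REQ": False,
    f"{KERB_PROFILE}#GSS_Kerberosv5_AP_REQ": True,
    f"{KERB_PROFILE}#Kerberosv5_AP_REQ1510": False,
    f"{KERB_PROFILE}#GSS_Kerberosv5_AP_REQ1510": True,
    f"{KERB_PROFILE}#Kerberosv5_AP_REQ4120": False,
    f"{KERB_PROFILE}#GSS_Kerberosv5_AP_REQ4120": True,
}
# The only value Basic Security Profile 1.1 permits for interoperability.
BSP11_VALUE_TYPE = f"{KERB_PROFILE}#GSS_Kerberosv5_AP_REQ"

# Leading ASN.1 tag bytes: GSS-API InitialContextToken is [APPLICATION 0] (RFC 2743 s3.1),
# a bare KRB_AP_REQ is [APPLICATION 14] (RFC 4120 s5.5.1).
GSS_TAG, AP_REQ_TAG = 0x60, 0x6E


def inspect_kerberos_bst(envelope_xml: str) -> dict:
    """Check the first wsse:BinarySecurityToken in a SOAP envelope against the
    Kerberos Token Profile 1.1 ValueTypes and the BSP 1.1 interoperability rule."""
    problems = []
    root = ET.fromstring(envelope_xml)
    bst = root.find(f".//{{{WSSE_NS}}}BinarySecurityToken")
    if bst is None:
        return {"found": False, "problems": ["no wsse:BinarySecurityToken in header"]}

    value_type = bst.get("ValueType", "")
    expects_gss = KERBEROS_VALUE_TYPES.get(value_type)
    if expects_gss is None:
        problems.append(f"ValueType is not a Kerberos Token Profile 1.1 value: {value_type!r}")
    elif value_type != BSP11_VALUE_TYPE:
        problems.append("ValueType is valid but not the BSP 1.1 form GSS_Kerberosv5_AP_REQ")

    if bst.get("EncodingType") != B64_ENCODING:
        problems.append("EncodingType must be the WSS Base64Binary URI")

    try:
        raw = base64.b64decode((bst.text or "").strip(), validate=True)
    except (binascii.Error, ValueError):
        raw = b""
        problems.append("token content is not valid base64")

    # Framing sanity check: the first byte tells a GSS-wrapped token apart from a bare AP-REQ.
    framing = {GSS_TAG: True, AP_REQ_TAG: False}.get(raw[0] if raw else -1)
    if framing is None:
        problems.append("token does not start with a GSS (0x60) or AP-REQ (0x6E) tag")
    elif expects_gss is not None and framing != expects_gss:
        problems.append("token framing does not match the declared ValueType")

    return {
        "found": True,
        "value_type": value_type,
        "gss_wrapped": framing,
        "bsp11_interoperable": value_type == BSP11_VALUE_TYPE and not problems,
        "problems": problems,
    }


def build_envelope(value_type: str, token_bytes: bytes) -> str:
    """Build a constructed SOAP envelope carrying one BinarySecurityToken (sample input only)."""
    b64 = base64.b64encode(token_bytes).decode("ascii")
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
        f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f'<wsse:BinarySecurityToken wsu:Id="KerbToken" EncodingType="{B64_ENCODING}" '
        f'ValueType="{value_type}">{b64}</wsse:BinarySecurityToken>'
        f'</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
    )


# Constructed placeholder payloads: only the leading ASN.1 tag matters for this check;
# they are not real tickets. The OID bytes are the Kerberos V5 GSS mechanism OID 1.2.840.113554.1.2.2.
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")
FAKE_GSS_TOKEN = bytes([GSS_TAG, len(KRB5_MECH_OID) + 2]) + KRB5_MECH_OID + b"\x01\x00"
FAKE_BARE_AP_REQ = bytes([AP_REQ_TAG, 0x03]) + b"\x30\x01\x00"

if __name__ == "__main__":
    for vt, tok in [(BSP11_VALUE_TYPE, FAKE_GSS_TOKEN),
                    (f"{KERB_PROFILE}#Kerberosv5_AP_REQ4120", FAKE_BARE_AP_REQ),
                    (BSP11_VALUE_TYPE, FAKE_BARE_AP_REQ)]:
        print(inspect_kerberos_bst(build_envelope(vt, tok)))
```

The third sample case is the one worth watching in practice: a token whose ValueType says GSS_Kerberosv5_AP_REQ but whose bytes are a bare AP-REQ will fail interoperability even though the URI itself is the BSP 1.1 value, which is why the check looks at both the attribute and the framing.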
URI
For a custom token, specify the uniform resource identifier (URI).
Leave this field empty if the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile v1.1.
LTPA token name
For an LTPA token, specify the name of the token being configured. Enter or edit the name for the LTPA token in this entry field.
Propagate the JAAS subject
For an LTPA token, specify whether the associated Java Authentication and Authorization Service (JAAS) subject is propagated. Select this check box to propagate the JAAS subject. The check box is cleared by default, so the JAAS subject is not propagated unless you select it.
Username token name
Specify the name of the token being configured. Enter or edit the name for the username token in this entry field.
WS-Security version
For a Username token, specify the version of Web Services Security, the WS-Security specification, that is used to secure the message transmission.
The following versions are available:
- WS-Security V1.0
- WS-Security V1.1
X.509 token name
For an X.509 token, specify the name of the token being configured. Enter or edit the name for the X.509 token in this entry field.
WS-Security version (X.509)
For an X.509 token, specify the version of Web Services Security that is used to secure the message transmission.
The following versions are available:
- WS-Security V1.0
- WS-Security V1.1
X.509 type
For an X.509 token, specify the type of X.509 token being configured.
The following types are available for the X.509 token:
- X.509 Version 1. This option is available with WS-Security Version 1.1 only.
- X.509 Version 3
- X.509 PKCS7
- PKI Path Version 1
Secure conversation token
The secure conversation token is available only when using symmetric signature and encryption policies.
Require reference to secure context token issuer
For a secure conversation token, select this option to specify a reference to the issuer of the security context token.
After selecting the Require reference to secure context token issuer option, specify the URI of the security context token issuer.