Trust service

The security token service that is provided by WebSphere® Application Server is called the trust service. The WebSphere Application Server trust service uses the secure messaging mechanisms of Web Services Trust (WS-Trust) to define additional extensions for the issuance, exchange, and validation of security tokens.

Web Services Trust (WS-Trust) is an OASIS standard that enables security token interoperability by defining a request/response protocol. This protocol allows SOAP actors, such as a web services client, to request of some trusted authority that a particular security token be exchanged for another.

WebSphere Application Server is not providing a full security token service that implements all the contents of the WS-Trust draft specification. The WebSphere Application Server support of WS-Trust focuses on establishing a security context token for secure conversation. WebSphere Application Server supports many of the security features described in version 1.3 of the WS-Trust OASIS standard, dated March 19, 2007.

Third party WS-Trust client

WebSphere Application Server does not provide a WS-Trust client implementation. You can choose to use a third-party WS-Trust-enabled client but, if you do, WebSphere Application Server does not support a third-party trust-enabled client. A trust client can facilitate the generation of these soap messages and the processing of the response, but the client is not required.

WebSphere Application Server focuses on the issuing, renewing, and canceling of the security context token for Web Services Secure Conversation (WS-SecureConversation).

The WS-Trust specification must be followed to make requests of the trust service. This specification includes the use of Web Services Addressing (WS-Addressing) headers. The WS-Addressing headers are specified in both the August 2004 or the August 2005 specifications. Per the specification, the SOAP body must consist of a single RequestSecurityToken (RST) element. This element can contain sub-elements as defined in the WS-Trust and WS-SecureConversation specifications.

You can secure the WS-Trust SOAP messages by using the bootstrap policy that is defined in the policy set. The bootstrap security policy is invoked in the process of an initiator establishing communication with an application service. Initial requests to services other than the application service are secured by using the bootstrap policy. These initial requests typically involve one or more requests to a security token service (STS), such as the WebSphere Application Server trust service. An example of a request might be acquiring the security context token necessary for WS-SecureConversation. An initiator is the role that initiates the original request and, in most cases, it is the client. The client bootstrap policy set must correspond to the trust service issue and renew attached policy sets for the endpoint. The trust service cancel and validate attached policy sets for the endpoint must correspond to the client's application policy set.

Websphere Application Server provides two ways to secure SOAP messages that are destined for the trust service. One way is to use the bootstrap policy that is defined in the policy set. A second way is to use the Web Services Security API (WSS API). Your application might use the WSS API to acquire the security context token for the programmatic, API-based WS-SecureConversation.

For Secure Conversation, a request from the client to an endpoint service is suspended while a new (second) request is generated and processed by the trust service. The security context token returned with the second request is used to derive keys that secure communications with the service.

High-level trust service functions

The following list includes WS-Trust-related functions that are currently supported in WebSphere Application Server. The list is not exhaustive and it focuses only on the high-level functions.

Trust service functions that are not supported

The following high-level WS-Trust functions that are not supported in WebSphere Application Server. The list is not exhaustive, and the list focuses only on key functions:
  • No negotiation and exchange protocols are supported.
  • No other token types are currently supported out of the box; only the security context token is supported.
  • No Trust10 specifications from WS-SecurityPolicySet are supported.
  • No unsolicited RequestSecurityTokenResponse (RSTR) is supported.
  • A Request Security Token (RST) request cannot be issued to an external security token service (STS) to establish a secure conversation; only the embedded trust service is currently supported.
  • Policy requests that are contained in the RST are not honored.
  • The ability to amend a token (the amend operation) is not supported.
  • A dedicated external endpoint for access to the token service is not supported; only the embedded trust service is currently supported.
  • The trust services does not support the entropy element that contains an EncryptedKey.
  • Delegation and forwarding are not supported.
  • The OnBehalfOf element is not supported.
  • The Key Exchange Token (KET) binding is not supported.

Trust service operations

WebSphere Application Server specifically supports the ability of the trust service, on behalf of the endpoint, to issue a security context token for WS-SecureConversation. The token-issuing support is currently limited only to the security context token. There is also trust policy management for defining a policy for the trust service to issue, cancel, validate, or renew tokens.

The token service supports the WS-Trust schema namespace. Within this namespace the following actions are supported:
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
The token service also supports the WS-SecureConversation schema namespace. Within this namespace the following actions are supported:
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Cancel
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Renew

An inbound RST for the security context token issue operation must contain an Entropy element. The Entropy element must contain a BinarySecret. The trust services does not support the Entropy element that contains an EncryptedKey.

Note that the trust service does not support unsolicited RSTR actions. In addition, the ability to amend a token is not supported by WebSphere Application Server. Also, see the section titled Trust service functions that are not supported.

Trust policy set-related files

The default trust service policy set for issue and renew is TrustServiceSecurityDefault. You can set up the corresponding policy set and binding for each service endpoint URL.

Concept topic    

Terms and conditions for information centers | Feedback

Last updated: April 17, 2014 04:48 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-base-iseries&topic=cwbs_wstrust
File name: cwbs_wstrust.html