Interoperability between WSE 2.0 and WSE 3.0

This is probably one of the main concerns for people developing web services with WSE.
Unfortunately, WSE 3.0 was designed from the beginning to be wire-level compatible with Indigo, and therefore it doesn't interoperate well with WSE 2.0.
To be clear, "wire compatible" means that both sides produce equivalent messages.
I wrote this post to outline the points you need to address to get interoperability between both versions.

WS-Security xx specs

At this moment, there are two available versions of this specification, 1.0 and 1.1 (also called WS-Security extensions).
WSE 2.0 only implements the first version, whereas WSE 3.0 uses features of both versions (such as signature confirmation and key derivation).
Both endpoints, the client and the server, should use only features provided by WS-Security 1.0.

Secure conversation

Secure Conversation is a special feature provided by WSE, in which client and server negotiate a session token to protect the communication for a specific period of time. This feature decreases the response time because the token negotiation happens once, whereas in other turn-key scenarios the negotiation is done for each message. (This is really important when the client and the server exchange many messages over a period of time.)
The SecureContext token used in WSE 3.0 is not compatible with WSE 2.0 since it was modified to support new features like "Stateful secure context tokens".

WS-Addressing xx specs

WSE 3.0 uses a newer version of this specification (the same as Indigo), and therefore the messages produced by both versions are not compatible.
There is no good way to fix this problem, but a SoapFilter that updates the addressing headers could be a solution.

Algorithm suite

By default, WSE 3.0 uses the same algorithm suite as Indigo: AES256 for symmetric encryption and RSA-OAEP for key wrap. WSE 2.0, on the other hand, uses AES128 and RSA-15.
You will have to update the configuration settings on both endpoints so that they use the same algorithm suite.
I explained how to change this setting in a previous post.
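To confirm that both endpoints really ended up on the same algorithm suite, you can compare the algorithms declared in a message trace from each side. The following is an added example, not code from the original post or from WSE: the function names are hypothetical, the sample envelopes are constructed, and the algorithm URIs are the standard W3C XML Encryption identifiers.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"  # W3C XML Encryption namespace
# Algorithm URIs for the two suites the post names.
SUITE_NAMES = {
    XENC + "rsa-1_5": "RSA 1.5",
    XENC + "rsa-oaep-mgf1p": "RSA-OAEP",
    XENC + "aes128-cbc": "AES128",
    XENC + "aes256-cbc": "AES256",
}

def encryption_algorithms(soap_xml):
    """Return the key-wrap and data-encryption algorithm names in one message."""
    root = ET.fromstring(soap_xml)  # only parse traces captured from your own endpoints
    found = {}
    for element, slot in (("EncryptedKey", "key_wrap"), ("EncryptedData", "data")):
        found[slot] = None  # None means the message carries no such element
        node = next(root.iter(f"{{{XENC}}}{element}"), None)
        method = node.find(f"{{{XENC}}}EncryptionMethod") if node is not None else None
        if method is not None:
            uri = method.get("Algorithm")
            found[slot] = SUITE_NAMES.get(uri, uri)  # unknown URIs are reported verbatim
    return found

def suite_mismatches(message_a, message_b):
    """List (slot, a, b) for every algorithm on which the two messages differ."""
    a, b = encryption_algorithms(message_a), encryption_algorithms(message_b)
    return [(slot, a[slot], b[slot]) for slot in a if a[slot] != b[slot]]

def constructed_message(key_wrap, data):
    """Build a minimal sample envelope (constructed here, not real WSE output)."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xenc="{XENC}">
  <soap:Header><Security>
    <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{XENC}{key_wrap}"/></xenc:EncryptedKey>
  </Security></soap:Header>
  <soap:Body>
    <xenc:EncryptedData><xenc:EncryptionMethod Algorithm="{XENC}{data}"/></xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    wse2_style = constructed_message("rsa-1_5", "aes128-cbc")
    wse3_style = constructed_message("rsa-oaep-mgf1p", "aes256-cbc")
    for slot, a, b in suite_mismatches(wse2_style, wse3_style):
        print(f"{slot}: endpoint A uses {a}, endpoint B uses {b}")
```

An empty result from `suite_mismatches` means the two traces declare the same key-wrap and data-encryption algorithms.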


  • I thought WSE 2.0 was going to have a 2005 version of it released that we could use?

    What's the status of it?

  • Hi James,

    WSE 2.0 can run on VS.NET 2005. The main problem is the interoperability between both versions. The WSE team only says that both versions should run side by side.

  • This interoperability issue is causing me big problems and there really isn't too much help out there. This post is very helpful in pointing me in the right direction. Question: I develop in .NET 2.0 and all of my recent web services use WSE 3.0. Another company's server web service, with which my client services are to communicate, is built using WSE 2.0 security. They use very basic sign and encrypt message validation. Can I construct my WSE 3.0 message so that the WSE 2.0 server will accept it, or would I be better off rebuilding my end using 2.0?
    Sorry for the lengthy post but I am really pulling my hair out on this problem.  Any help would be greatly appreciated.

  • It seems from this blog that it is possible for a WSE 3.0 client to interact with a WSE 2.0 server using WS-Security 1.0. Is this true??? I have searched everywhere and am getting very mixed verdicts on this topic. Please advise or point me in the right direction.
    Thanks for any help.

  • Is WSE 3.0 interoperable with Java? I used WSE 2.0 with Java... but I'm not sure whether WSE 3.0 is interoperable with Java or not??? If it is... please guide me...
