Compartilhar via


Transaction Protocols

Windows Communication Foundation (WCF) implements WS-Atomic Transaction and WS-Coordination protocols.

Specification/Document Version Link

WS-Coordination

1.0

1.1

https://go.microsoft.com/fwlink/?LinkId=96104

https://go.microsoft.com/fwlink/?LinkId=96079

WS-AtomicTransaction

1.0

1.1

https://go.microsoft.com/fwlink/?LinkId=96080

https://go.microsoft.com/fwlink/?LinkId=96081

Interoperability on these protocol specifications is required at two levels: between applications and between transaction managers (see the following figure). Specifications describe in great detail the message formats and message exchange for both interoperability levels. Certain security, reliability, and encodings for application-to-application exchange apply as they do for regular application exchange. However, successful interoperability between transaction managers requires agreement on the particular binding, because it is usually not configured by the user.

This topic describes a composition of the WS-Atomic Transaction (WS-AT) specification with security and describes the secure binding used for communication between transaction managers. The approach described in this document has been successfully tested with other implementations of WS-AT and WS-Coordination including IBM, IONA, Sun Microsystems, and others.

The following figure depicts the interoperability between two transaction managers, Transaction Manager 1 and Transaction Manager 2, and two applications, Application 1 and Application 2.

Transaction Protocols

Consider a typical WS-Coordination/WS-Atomic Transaction scenario with one Initiator (I) and one Participant (P). Both Initiator and Participant have Transaction Managers, (ITM and PTM, respectively). Two-phase commit is referred to as 2PC in this topic.

1. CreateCoordinationContext

12. Application Message Response

2. CreateCoordinationContextResponse

13. Commit (Completion)

3. Register (Completion)

14. Prepare (2PC)

4. RegisterResponse

15. Prepare (2PC)

5. Application Message

16. Prepared (2PC)

6. CreateCoordinationContext with Context

17. Prepared (2PC)

7. Register (Durable)

18. Committed (Completion)

8. RegisterResponse

19. Commit (2PC)

9. CreateCoordinationContextResponse

20. Commit (2PC)

10. Register (Durable)

21. Committed (2PC)

11. RegisterResponse

22. Committed (2PC)

This document describes a composition of the WS-AtomicTransaction specification with security and describes the secure binding used for communication between transaction managers. The approach described in this document has been successfully tested with other implementations of WS-AT and WS-Coordination.

The figure and table illustrate four classes of messages from the viewpoint of security:

  • Activation messages (CreateCoordinationContext and CreateCoordinationContextResponse).

  • Registration messages (Register and RegisterResponse)

  • Protocol messages (Prepare, Rollback, Commit, Aborted, and so on).

  • Application messages.

The first three message classes are considered Transaction Manager messages and their binding configuration is described in the "Application Message Exchange" later in this topic. The fourth class of message is application to application messages and is described in the "Message Examples" section later in this topic. This section describes the protocol bindings used for each of these classes by WCF.

The following XML Namespaces and associated prefixes are used throughout this document.

Prefix Version Namespace URI

s11

https://go.microsoft.com/fwlink/?LinkId=96014

wsa

Pre-1.0

1.0

http://www.w3.org/2004/08/addressing

https://go.microsoft.com/fwlink/?LinkId=96022

wscoor

1.0

1.1

https://go.microsoft.com/fwlink/?LinkId=96078

https://go.microsoft.com/fwlink/?LinkId=96079

wsat

1.0

1.1

https://go.microsoft.com/fwlink/?LinkId=96080

https://go.microsoft.com/fwlink/?LinkId=96081

t

Pre-1.3

1.3

https://go.microsoft.com/fwlink/?LinkId=96082

https://go.microsoft.com/fwlink/?LinkId=96100

o

https://go.microsoft.com/fwlink/?LinkId=96101

xsd

https://go.microsoft.com/fwlink/?LinkId=96102

Transaction Manager Bindings

R1001: Transaction Managers participating in a WS-AT 1.0 transaction must use SOAP 1.1 and WS-Addressing 2004/08 for WS-Atomic Transaction and WS-Coordination message exchanges.

R1002: Transaction Managers participating in a WS-AT 1.1 transaction must use SOAP 1.1 and WS-Addressing 2005/08 for WS-Atomic Transaction and WS-Coordination message exchanges.

Application messages are not constrained to these bindings and are described later.

Transaction Manager HTTPS Binding

The transaction manager HTTPS binding relies solely on transport security to achieve security and establish trust between each sender-receiver pair in the transaction tree.

HTTPS Transport Configuration

X.509 certificates are used to establish Transaction Manager Identity. Client/server authentication is required, and client/server authorization is left as an implementation detail:

  • R1111: X.509 certificates presented over the wire must have a subject name that matches the fully qualified domain name (FQDN) of the originating machine.

  • B1112: DNS must be functional between each sender-receiver pair in the system for X.509 subject name checks to succeed.

Activation and Registration Binding Configuration

WCF requires request/reply duplex binding with correlation over HTTPS. (For more information about correlation and descriptions of the request/reply message exchange patterns, see WS-Atomic Transaction, Section 8.)

2PC Protocol Binding Configuration

WCF supports one-way (datagram) messages over HTTPS. Correlation among the messages is left as an implementation detail.

B1131: Implementations must support wsa:ReferenceParameters as described in WS-Addressing to achieve correlation of WCF’s 2PC messages.

Transaction Manager Mixed Security Binding

This is an alternate (mixed mode) binding that uses transport security combined with the WS-Coordination Issued Token model for identity establishment purposes. Activation and Registration are the only elements that differ between the two bindings.

HTTPS Transport Configuration

X.509 certificates are used to establish Transaction Manager Identity. Client/Server authentication is required, and client/server authorization is left as an implementation detail.

Activation Message Binding Configuration

Activation Messages usually do not participate in interoperability because they typically occur between an application and its local Transaction Manager.

B1221: WCF uses duplex HTTPS binding (described in Messaging Protocols) for Activation messages. Request and Reply messages are correlated using WS-Addressing 2004/08 for WS-AT 1.0 and WS-Addressing 2005/08 for WS-AT 1.1.

WS-Atomic Transaction specification, Section 8, describes further details about correlation and the message exchange patterns.

  • R1222: Upon receiving a CreateCoordinationContext, the Coordinator must issue a SecurityContextToken with associated secret STx. This token is returned inside a t:IssuedTokens header following WS-Trust specification.

  • R1223: If Activation occurs within an existing Coordination Context, the t:IssuedTokens header with the SecurityContextToken associated with existing Context must flow on the CreateCoordinationContext message.

A new t:IssuedTokens header should be generated for attaching to the outgoing wscoor:CreateCoordinationContextResponse message.

Registration Message Binding Configuration

B1231: WCF uses duplex HTTPS binding (described in Messaging Protocols). Request and Reply messages are correlated using WS-Addressing 2004/08 for WS-AT 1.0 and WS-Addressing 2005/08 for WS-AT 1.1.

WS-AtomicTransaction, Section 8, describes further details about correlation and descriptions of the message exchange patterns.

R1232: Outgoing wscoor:Register messages must use the IssuedTokenOverTransport authentication mode described in Security Protocols.

The wsse:Timestamp element must be signed using the SecurityContextToken STx issued. This signature is a proof of possession of the token associated with particular transaction and is used to authenticate a participant enlisting in the transaction. The RegistrationResponse message is sent back over HTTPS.

2PC Protocol Binding Configuration

WCF supports one-way (datagram) messages over HTTPS. Correlation among the messages is left as an implementation detail.

B1241: Implementations must support wsa:ReferenceParameters as described in WS-Addressing to achieve correlation of WCF’s 2PC messages.

Application Message Exchange

Applications are free to use any particular binding for application-to-application messages, as long as the binding meets the following security requirements:

  • R2001: Application-to-application messages must flow the t:IssuedTokens header along with the CoordinationContext in the header of the message.

  • R2002: Integrity and confidentiality of t:IssuedToken must be provided.

The CoordinationContext header contains wscoor:Identifier. While the definition of xsd:AnyURI allows the use of both absolute and relative URIs, WCF supports only wscoor:Identifiers, which are absolute URIs.

B2003: If the wscoor:Identifier of the wscoor:CoordinationContext is a relative URI, faults will be returned from transactional WCF services.

Message Examples

CreateCoordinationContext Request/Response Messages

The following messages follow a request/response pattern.

CreateCoordinationContext with WSCoor 1.0

<s:Envelope>
  <s:Header>
    <a:Action>http://.../ws/2004/10/wscoor/CreateCoordinationContext</Action>
    <a:MessageID>urn:uuid:069f5104-fd88-4264-9f99-60032a82854e</MessageID>
    <a:ReplyTo>
      <Address>https://...</a:Address>
    </a:ReplyTo>
    <a:To>https://...</a:To>
    <wsse:Security>
      <u:Timestamp>
        <wsu:Created>2005-12-15T23:36:09.921Z</u:Created>
        <wsu:Expires>2005-12-15T23:41:09.921Z</u:Expires>
      </u:Timestamp>
    </wsse:Security>
  </s:Header>
  <s:Body xmlns:s="https://schemas.xmlsoap.org/soap/envelope/">
    <wscoor:CreateCoordinationContext>
      <wscoor:CoordinationType>...</wscoor:CoordinationType>
    </wscoor:CreateCoordinationContext>
  </s:Body>
</s11:Envelope>

CreateCoordinationContext with WSCoor 1.1

<s:Envelope> 
<s:Header>
<a:Action>http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContext</Action>
<a:MessageID>urn:uuid:069f5104-fd88-4264-9f99-60032a82854e</MessageID>
<a:ReplyTo> 
<Address>https://...</a:Address> 
</a:ReplyTo> 
<a:To>https://...</a:To> 
<wsse:Security>
 <u:Timestamp> 
<wsu:Created>2005-12-15T23:36:09.921Z</u:Created>
<wsu:Expires>2005-12-15T23:41:09.921Z</u:Expires>
</u:Timestamp> 
</wsse:Security> 
</s:Header> 
<s:Body xmlns:s="https://schemas.xmlsoap.org/soap/envelope/">
<wscoor:CreateCoordinationContext>
<wscoor:CoordinationType>...</wscoor:CoordinationType>
</wscoor:CreateCoordinationContext>
 </s:Body> 
</s11:Envelope>

CreateCoordinationContextResponse with Trust Pre-1.3 and WSCoor 1.0

<s:Envelope>
  <!-- Data below is shown in the clear for
       illustration purposes only. -->
  <s:Header>
    <a:Action>./ws/2004/10/wscoor/CreateCoordinationContextResponse </a:Action>
    <a:RelatesTo>urn:uuid:069f5104-fd88-4264-9f99-60032a82854e</a:RelatesTo>
    <a:To s:mustUnderstand="1">https://... </a:To>
    <t:IssuedTokens>
 <wst:RequestSecurityTokenResponse   
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wssu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    xmlns:wst="https://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:wsc="https://schemas.xmlsoap.org/ws/2005/02/sc"
    xmlns:wsp="https://schemas.xmlsoap.org/ws/2004/09/policy">
    <wst:TokenType>https://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
    <wst:RequestedSecurityToken>
      <wsc:SecurityContextToken>
        <wssu:Identifier>
          http://fabrikam123.com/SCTi
        </wssu:Identifier>
      </wsc:SecurityContextToken> 
    </wst:RequestedSecurityToken>
    <wsp:AppliesTo>
        http://fabrikam123.com/CCi
    </wsp:AppliesTo>  
    <wst:RequestedAttachedReference>
      <wsse:SecurityTokenReference >
        <wsse:Reference 
           ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/sct"
           URI="http://fabrikam123.com/SCTi"/>
      </wsse:SecurityTokenReference>
    </wst:RequestedAttachedReference>
    <wst:RequestedUnattachedReference>
      <wsse:SecurityTokenReference>
        <wsse:Reference 
          ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/sct"
          URI="http://fabrikam123.com/SCTi"/>
      </wsse:SecurityTokenReference>
    </wst:RequestedUnattachedReference>
    <wst:RequestedProofToken>
      <wst:BinarySecret 
        Type="https://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey">
        <!-- base64 encoded value -->
      </wst:BinarySecret>
    </wst:RequestedProofToken>
    <wst:Lifetime>
      <wssu:Created>2005-10-24T20:19:26.526Z</wssu:Created>
      <wssu:Expires>2005-10-25T06:24:26.526Z</wssu:Expires>
    </wst:Lifetime>
    <wst:KeySize>256</wst:KeySize>
</wst:RequestSecurityTokenResponse>
    </t:IssuedTokens>
    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2005-12-15T23:36:12.015Z</u:Created>
        <u:Expires>2005-12-15T23:41:12.015Z</u:Expires>
      </u:Timestamp>
    </o:Security>
  </s:Header>
  <s:Body>
    <wscoor:CreateCoordinationContextResponse>
      <wscoor:CoordinationContext>
        <wscoor:Identifier>
     http://fabrikam123.com/CCi
      </wscoor:Identifier>
        <wscoor:Expires>...</wscoor:Expires>
        <wscoor:CoordinationType>...</wscoor:CoordinationType>
        <wscoor:RegistrationService>
          <a:Address>https://...</a:Address>
          <a:ReferenceParameters>
             ...
          </a:ReferenceParameters>
        </wscoor:RegistrationService>
      </wscoor:CoordinationContext>
    </wscoor:CreateCoordinationContextResponse>
  </s:Body>
</s:Envelope>

CreateCoordinationContextResponse with Trust 1.3 and WSCoor 1.1

<s:Envelope>
<!-- Data below is shown in the clear for illustration purposes only. --> 
<s:Header> 
<a:Action>http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContextResponse </a:Action>
<a:RelatesTo>urn:uuid:069f5104-fd88-4264-9f99-60032a82854e</a:RelatesTo>
<a:To s:mustUnderstand="1">https://... </a:To> 
<t:IssuedTokens> 
<wst:RequestSecurityTokenResponse 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
xmlns:wssu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-     wssecurity-utility-1.0.xsd" 
xmlns:wst=http://docs.oasis-open.org/ws-sx/ws-trust/200512
xmlns:wsc=https://schemas.xmlsoap.org/ws/2005/02/sc
xmlns:wsp="https://schemas.xmlsoap.org/ws/2004/09/policy">
<wst:TokenType>https://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
<wst:RequestedSecurityToken> 
<wsc:SecurityContextToken> 
<wssu:Identifier> http://fabrikam123.com/SCTi
</wssu:Identifier> 
</wsc:SecurityContextToken> 
</wst:RequestedSecurityToken> 
<wsp:AppliesTo> http://fabrikam123.com/CCi </wsp:AppliesTo>
<wst:RequestedAttachedReference> 
<wsse:SecurityTokenReference > 
<wsse:Reference
  ValueType=https://schemas.xmlsoap.org/ws/2005/02/sc/sct
  URI="http://fabrikam123.com/SCTi"/>
</wsse:SecurityTokenReference> 
</wst:RequestedAttachedReference> 
<wst:RequestedUnattachedReference> 
<wsse:SecurityTokenReference> 
<wsse:Reference
 ValueType=https://schemas.xmlsoap.org/ws/2005/02/sc/sct
 URI="http://fabrikam123.com/SCTi"/>
</wsse:SecurityTokenReference> 
</wst:RequestedUnattachedReference> 
<wst:RequestedProofToken> 
<wst:BinarySecret
  Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey">
  <!-- base64 encoded value --> 
</wst:BinarySecret> 
</wst:RequestedProofToken> 
<wst:Lifetime> 
<wssu:Created>2005-10-24T20:19:26.526Z</wssu:Created>
<wssu:Expires>2005-10-25T06:24:26.526Z</wssu:Expires>
</wst:Lifetime> 
<wst:KeySize>256</wst:KeySize> 
</wst:RequestSecurityTokenResponse> 
</t:IssuedTokens> 
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
<u:Timestamp u:Id="_0"> 
<u:Created>2005-12-15T23:36:12.015Z</u:Created> 
<u:Expires>2005-12-15T23:41:12.015Z</u:Expires> 
</u:Timestamp> 
</o:Security> 
</s:Header> 
<s:Body> 
<wscoor:CreateCoordinationContextResponse> 
<wscoor:CoordinationContext> 
<wscoor:Identifier> http://fabrikam123.com/CCi
</wscoor:Identifier> 
<wscoor:Expires>...</wscoor:Expires>
<wscoor:CoordinationType>...</wscoor:CoordinationType>
<wscoor:RegistrationService> 
<a:Address>https://...</a:Address>
<a:ReferenceParameters> ...
</a:ReferenceParameters>
</wscoor:RegistrationService> 
</wscoor:CoordinationContext> 
</wscoor:CreateCoordinationContextResponse> 
</s:Body> 
</s:Envelope>

Registration Messages

The following messages are registration messages.

Register with WSCoor 1.0

<s:Envelope>
  <s:Header>
    <a:Action>https://schemas.xmlsoap.org/ws/2004/10/wscoor/Register</a:Action>
    <a:MessageID>urn:uuid:ed418b86-a75e-4aea-9d4e-a5d0cb5c088e</a:MessageID>
    <a:ReplyTo>
      <a:Address>https://...</a:Address>      
    </a:ReplyTo>
    <a:To>https://...</a:To>
    <wsse:Security 
      s:mustUnderstand="1" 
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wssu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wssu:Timestamp wssu:Id="_0" >
        <wssu:Created>2005-12-15T23:36:13.827Z</wssu:Created>
        <wssu:Expires>2005-12-15T23:41:13.827Z</wssu:Expires>
      </wssu:Timestamp>
      <wsc:SecurityContextToken>
      <wssu:Identifier>
          http://fabrikam123.com/SCTi
      </wssu:Identifier>
      </wsc:SecurityContextToken>
      <!-- supporting signature over the timestamp -->
      <wsse:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#_0">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>
              alRzyhjLgoUOYoh8cx4n75eTcUk=
            </ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>YZYjnVvSOVasAQqQxaaviTSWtqI=</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Reference 
              URI="http://fabrikam123.com/SCTi"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </wsse:Signature>
    </wsse:Security>
  </s:Header>
  <s:Body xmlns:s="https://schemas.xmlsoap.org/soap/envelope/">
    <wscoor:Register>
      <wscoor:ProtocolIdentifier>...</wscoor:ProtocolIdentifier>
      <wscoor:ParticipantProtocolService>
        <a:Address>https://... </a:Address>
      </wscoor:ParticipantProtocolService>
    </wscoor:Register>
  </s:Body>
</s:Envelope>

Register with WSCoor 1.1

<s:Envelope>
<s:Header> 
<a:Action>http://docs.oasis-open.org/ws-tx/wscoor/2006/06/Register</a:Action> 
<a:MessageID>urn:uuid:ed418b86-a75e-4aea-9d4e-a5d0cb5c088e</a:MessageID>
<a:ReplyTo> 
<a:Address>https://...</a:Address> 
</a:ReplyTo>
<a:To>https://...</a:To> 
<wsse:Security 
s:mustUnderstand="1" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
xmlns:wssu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wssu:Timestamp wssu:Id="_0" > 
<wssu:Created>2005-12-15T23:36:13.827Z</wssu:Created>
<wssu:Expires>2005-12-15T23:41:13.827Z</wssu:Expires>
</wssu:Timestamp> 
<wsc:SecurityContextToken> 
<wssu:Identifier> http://fabrikam123.com/SCTi
</wssu:Identifier> 
</wsc:SecurityContextToken> 
<!-- supporting signature over the timestamp -->
<wsse:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo> 
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> 
<ds:Reference URI="#_0"> 
<ds:Transforms> 
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
</ds:Transforms> 
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
<ds:DigestValue> alRzyhjLgoUOYoh8cx4n75eTcUk=
</ds:DigestValue> 
</ds:Reference> 
</ds:SignedInfo>
<ds:SignatureValue>YZYjnVvSOVasAQqQxaaviTSWtqI=
</ds:SignatureValue>
<ds:KeyInfo> 
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:Reference URI="http://fabrikam123.com/SCTi"/>
</wsse:SecurityTokenReference> 
</ds:KeyInfo> 
</wsse:Signature> 
</wsse:Security> 
</s:Header> 
<s:Body xmlns:s="https://schemas.xmlsoap.org/soap/envelope/"> 
<wscoor:Register> 
<wscoor:ProtocolIdentifier>...</wscoor:ProtocolIdentifier>
<wscoor:ParticipantProtocolService> 
<a:Address>https://... </a:Address>
</wscoor:ParticipantProtocolService> 
</wscoor:Register> 
</s:Body> 
</s:Envelope>

Register Response with WSCoor 1.0

<s:Envelope>
  <s:Header>
    <a:Action>
      https://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
    </a:Action>
    <a:MessageID>urn:uuid:ed418b86-a75e-4aea-9d4e-a5d0cb5c088d</a:MessageID>
    <a:RelatesTo>
      urn:uuid:ed418b86-a75e-4aea-9d4e-a5d0cb5c088e      
    </a:RelatesTo>
    <a:To>https://...</a:To>
    <wsse:Security 
      s:mustUnderstand="1" 
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wssu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wssu:Timestamp>
        <wssu:Created>2005-12-15T23:36:13.827Z</wssu:Created>
        <wssu:Expires>2005-12-15T23:41:13.827Z</wssu:Expires>
      </wssu:Timestamp>
    </wsse:Security>
  </s:Header>
  <s:Body xmlns:s="https://schemas.xmlsoap.org/soap/envelope/">
    <wscoor:RegisterResponse>
      <wscoor:CoordinatorProtocolService>
        <a:Address>https://...</a:Address>
        <a:ReferenceParameters>
          ...
        </a:ReferenceParameters>
      </wscoor:CoordinatorProtocolService>
    </wscoor:RegisterResponse>
  </s:Body>
</s:Envelope>

Register Response with WSCoor 1.1

<s:Envelope>
<s:Header> 
<a:Action> http://docs.oasis-open.org/ws-tx/wscoor/2006/06/RegisterResponse
</a:Action> 
<a:MessageID>urn:uuid:ed418b86-a75e-4aea-9d4e-a5d0cb5c088d</a:MessageID>
<a:RelatesTo> urn:uuid:ed418b86-a75e-4aea-9d4e-a5d0cb5c088e </a:RelatesTo>
<a:To>https://...</a:To> 
<wsse:Security 
s:mustUnderstand="1" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
xmlns:wssu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
<wssu:Timestamp> 
<wssu:Created>2005-12-15T23:36:13.827Z</wssu:Created>
<wssu:Expires>2005-12-15T23:41:13.827Z</wssu:Expires>
</wssu:Timestamp> 
</wsse:Security> 
</s:Header> 
<s:Body xmlns:s="https://schemas.xmlsoap.org/soap/envelope/"> 
<wscoor:RegisterResponse> 
<wscoor:CoordinatorProtocolService>
<a:Address>https://...</a:Address>
<a:ReferenceParameters> ... </a:ReferenceParameters>
</wscoor:CoordinatorProtocolService> 
</wscoor:RegisterResponse> 
</s:Body> 
</s:Envelope>

Two Phase Commit Protocol Messages

The following message relates to the two-phase commit (2PC) protocol.

Commit with WSAT 1.0

<s:Envelope>
  <s:Header>
    <a:Action>http://.../ws/2004/10/wsat/Commit</a:Action>
    <a:To>https://...</a:To>
    <wsse:Security 
      s:mustUnderstand="1" 
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wssu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wssu:Timestamp wssu:Id="_0" >
        <wssu:Created>2005-12-15T23:36:13.827Z</wssu:Created>
        <wssu:Expires>2005-12-15T23:41:13.827Z</wssu:Expires>
      </wssu:Timestamp>
   </wsse:Security>
  </s:Header>
  <s:Body xmlns:s="https://schemas.xmlsoap.org/soap/envelope/">
    <wsat:Commit />
  </s:Body>
</s:Envelope>

Commit with WSAT 1.1

<s:Envelope>
<s:Header> 
<a:Action>http://docs.oasis-open.org/ws-tx/wsat/2006/06</a:Action>
<a:To>https://...</a:To> 
<wsse:Security 
s:mustUnderstand="1" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
xmlns:wssu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
<wssu:Timestamp wssu:Id="_0" > 
<wssu:Created>2005-12-15T23:36:13.827Z</wssu:Created>
<wssu:Expires>2005-12-15T23:41:13.827Z</wssu:Expires>
</wssu:Timestamp> 
</wsse:Security> 
</s:Header> 
<s:Body xmlns:s="https://schemas.xmlsoap.org/soap/envelope/"> 
<wsat:Commit /> 
</s:Body> 
</s:Envelope>

Application Messages

The following messages are application messages.

Application message-Request

<s:Envelope>
  <s:Header>
<!-- Addressing headers, all signed-->
    <wsse:Security s:mustUnderstand="1">
      <wssu:Timestamp wssu:Id="timestamp"> 
        <wssu:Created>2005-10-25T06:29:18.703Z</wssu:Created>
        <wssu:Expires>2005-10-25T06:34:18.703Z</wssu:Expires>
      </wssu:Timestamp>
      <wsse:BinarySecurityToken 
          wssu:Id="IA_Certificate" 
          ValueType="...#X509v3" 
          EncodingType="...#Base64Binary">
        <!-- IA certificate -->
      </wsse:BinarySecurityToken>
      <e:EncryptedKey Id="encrypted_key">
            <!-- ephemeral key encrypted for PA certificate -->  
        <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:DataReference URI="#encrypted_body"/>
          <e:DataReference URI="#encrypted_CCi"/>
          <e:DataReference URI="#encrypted_issuedtokens"/>
        </e:ReferenceList>
      </e:EncryptedKey>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <!-- signature over Addressing headers, Timestamp, and Body -->
      </Signature>
    </wsse:Security>
    <wsse11:EncryptedHeader >
     <!-- encrypted wscoor:CoordinationContext header containing CCi -->
    </wsse11:EncryptedHeader>
    <wsse11:EncryptedHeader 
      <!-- encrypted wst:IssuedTokens header containing SCTi -->
      <!-- wst:IssuedTokens header is taken verbatim from message #2 above, omitted for brevity -->
    </wsse11:EncryptedHeader>
  </s:Header>
  <s:Body wssu:Id="body">
    <!-- encrypted content of the Body element of the application message -->    
    <e:EncryptedData Id="encrypted_body" 
           Type="http://www.w3.org/2001/04/xmlenc#Content" 
           xmlns:e="http://www.w3.org/2001/04/xmlenc#">
...
    </e:EncryptedData>
  </s:Body>
</s:Envelope>