IBM Verify

  • 1.  JWT Generation Fails on ISAM/ISVA 10.0.6.0 via Junction – No JWT in Response (WebSEAL + Module Chain Config)

    Posted 25 days ago

    Hello everyone,
    we are working on configuring JWT generation on IBM Security Verify Access (ISAM/ISVA) using a WebSEAL junction with a Token Module Chain. However, despite following the documentation and creating the junction properly, the JWT token does not seem to be generated or returned in the response.

    Here are the detailed configurations and steps we performed:

    Module Chain Configuration:

    • Name: MODULECHAIN

    • Template: MODULECHAIN_TEMPLATE

    • Request Type: Issue

    • URI: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue

    • Lookup Type: Traditional WS-Trust Elements

    • Applies To Address: http://appliesto/JWTjunction

    • Issuer Address: nameoftheissuer

    • Modules Used (under Template Contents):

      1. Default IVCred Token

        • Mode: Validate

        • Signature Validation: Disabled (unchecked)

      2. Default JWT Module

        • Mode: Issue

        • JWT Signing Algorithm: none

        • No signing key provided.

    WebSEAL Junction Configuration (created via CLI):

    We created the junction with the following commands on both WebSEAL nodes:
    1) server task websealinstance1 create -f -t tcp -h hostreceivingJWT -p 30080 -v hostreceivingJWT:30080 -c iv_user,iv_groups -x -r -Y /JWTjunction
    2) server task websealinstance2 create -f -t tcp -h hostreceivingJWT -p 30080 -v hostreceivingJWT:30080 -c iv_user,iv_groups -x -r -Y /JWTjunction

    WebSEAL Stanza Configuration Snippet:

    [tfimsso:/JWTjunction]
    token-type = urn:ietf:params:oauth:token-type:jwt
    applies-to = http://appliesto/JWTjunction
    renewal-window = 15
    preserve-xml-token = false
    always-send-tokens = true
    tfim-cluster-name = my-cluster
    one-time-token = false
    token-collection-size = 1
    token-transmit-type = header
    token-transmit-name = jwt

    WebSEAL ACL & POP:

    • ACL: Set to FREE (for unauthenticated access).

    • POP attached: Our configured POP.

    • Object modify permissions: Set correctly.

    Logs:

    • The request appears in pdweb.debug (level 9 tracing enabled).

    • No JWT token appears to be generated.

    • No clear JWT-related traces seen.

    • Request log shows 302 redirect or returns the authentication page.

    • We're currently testing with Postman (sending a POST request to the junction /JWTjunction via the load balancer, which balances to the 2 WebSEAL nodes), with a No-Auth Type request.

    Postman Result:

    • The response is a standard authentication page.

    • No JWT returned in response body or headers.

    Our Key Questions:

    1. We are already pointing to a real backend host (as shown in the junction configuration); however, no JWT token seems to be generated or returned in the logs or responses. Is there anything specific required on the backend side (such as specific HTTP response behavior) to trigger JWT issuance?

    2. Should the JWT be generated even for unauthenticated requests, since the ACL is set to FREE and we removed the Attribute Mapping Module?

    3. Is the presence of a backend response mandatory for JWT generation, or should the WebSEAL itself generate the JWT before forwarding the request?

    4. Are there any additional hidden conditions for JWT token issuance in ISVA / ISAM that we may have missed?

    Our Testing Objective:

    We want to test JWT generation before setting up the backend, to confirm that the JWT module chain is working correctly, even if the backend is not yet ready.

    Thanks a lot to everyone who can help us solve this first crucial step in the generation of the JWT.



    ------------------------------
    Lorenzo Coccia
    ------------------------------


  • 2.  RE: JWT Generation Fails on ISAM/ISVA 10.0.6.0 via Junction – No JWT in Response (WebSEAL + Module Chain Config)

    Posted 25 days ago

    Hello Lorenzo,

    The intention behind JWT Junction functionality is to inject JWT into the request going to the junction server. It never returns a JWT in the response. So if you're trying to generate and issue a JWT to the client then this is not the correct way to acquire a JWT.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------
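
Added example, not part of the thread and not IBM code: a stand-in for the junction target that reports whether a request carries the header named by `token-transmit-name` (`jwt`) and whether the token in it is signed. It assumes the token arrives as a compact JWT in that request header; `inspect_junction_jwt`, `encode_part`, `decode_part` and `SAMPLE` are names made up for this sketch.

```python
import base64, json
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER_NAME = "jwt"  # token-transmit-name in the [tfimsso:/JWTjunction] stanza

def encode_part(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: an unsecured JWT per RFC 7519 (alg none, empty signature part).
SAMPLE = encode_part({"alg": "none"}) + "." + encode_part({"iss": "nameoftheissuer", "sub": "testuser"}) + "."

def decode_part(segment):
    # JWT parts are unpadded base64url; restore the padding before decoding.
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("not a JSON object")
    return obj

def inspect_junction_jwt(headers):
    """Describe the injected header without trusting its contents."""
    report = {"present": False, "alg": None, "signed": False, "claims": None, "problems": []}
    token = next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)
    if token is None:
        report["problems"].append("no '%s' request header received" % HEADER_NAME)
        return report
    report["present"] = True
    parts = token.strip().split(".")
    try:
        if len(parts) != 3:
            raise ValueError("expected 3 parts")
        header, claims = decode_part(parts[0]), decode_part(parts[1])
    except ValueError:
        report["problems"].append("value is not a compact JWT")
        return report
    report["alg"], report["claims"] = header.get("alg"), claims
    report["signed"] = str(header.get("alg")).lower() != "none" and parts[2] != ""
    if not report["signed"]:
        report["problems"].append("unsigned token: backend cannot verify who issued it")
    return report

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        print(json.dumps(inspect_junction_jwt(self.headers), indent=2))  # log only
        self.send_response(204)  # nothing from the token is reflected to the client
        self.end_headers()
    do_POST = do_GET

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 30080), Handler).serve_forever()  # junction port from the post
```

Run it on the host the junction points at and send a request through WebSEAL; the report is printed on the stub's console, not returned to the client.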



  • 3.  RE: JWT Generation Fails on ISAM/ISVA 10.0.6.0 via Junction – No JWT in Response (WebSEAL + Module Chain Config)

    Posted 14 days ago
    Edited by Lorenzo Coccia 14 days ago

    Hi Jack, 

    Thanks a lot for your support. So, is it correct that within the pdweb.debug logs the JWT does not appear? Is there any way, from our side (ISAM), to check if the token is correctly generated, or is this only possible through the application logs (the application receiving the JWT)?
    What is the correct way to generate the JWT in order for the application to receive it correctly?

    Thanks again



    ------------------------------
    Lorenzo Coccia
    ------------------------------