Ana içeriğe atla

General Information

Policy Type

policy-ws-security-encrypt

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

HeaderValue
AuthorizationBearer {token}

Path Parameters

ParameterTypeRequiredDescription
projectNamestringYesProject name
apiProxyNamestringYesAPI Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-ws-security-encrypt",
            "name": "ws-security-encrypt-policy",
            "description": "Encrypt SOAP message parts",
            "active": true,
            "mustUnderstand": true,
            "encPartList": [
              {
                "name": "Body",
                "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
                "encodeType": "CONTENT"
              }
            ],
            "encEmbeddedKeyName": null,
            "encKeyIdType": "X509_CERTIFICATE",
            "encSymEncAlgorithm": "AES_128_CBC",
            "encKeyEncAlgorithm": "RSA",
            "encKeyStoreName": "encryption-keystore"
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

HeaderValue
AuthorizationBearer {token}
Content-Typeapplication/json

Path Parameters

ParameterTypeRequiredDescription
projectNamestringYesProject name
apiProxyNamestringYesAPI Proxy name
policyNamestringYesPolicy name

Request Body

Full JSON Body Example - Standard Encryption
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-encrypt",
    "description": "Encrypt SOAP message body",
    "active": true,
    "mustUnderstand": true,
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": null,
    "encKeyIdType": "X509_CERTIFICATE",
    "encSymEncAlgorithm": "AES_128_CBC",
    "encKeyEncAlgorithm": "RSA",
    "encKeyStoreName": "encryption-keystore"
  }
}
Full JSON Body Example - Multiple Parts
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-encrypt",
    "description": "Encrypt multiple SOAP parts",
    "active": true,
    "mustUnderstand": true,
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      },
      {
        "name": "UsernameToken",
        "namespace": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
        "encodeType": "ELEMENT"
      }
    ],
    "encEmbeddedKeyName": null,
    "encKeyIdType": "X509_CERTIFICATE",
    "encSymEncAlgorithm": "AES_256_CBC",
    "encKeyEncAlgorithm": "OAEP",
    "encKeyStoreName": "encryption-keystore"
  }
}
Full JSON Body Example - With Embedded Key
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-encrypt",
    "description": "Encrypt with embedded key",
    "active": true,
    "mustUnderstand": true,
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": "embedded-key-alias",
    "encKeyIdType": "EMBEDDED_KEY_INFO",
    "encSymEncAlgorithm": "AES_128_CBC",
    "encKeyEncAlgorithm": "RSA",
    "encKeyStoreName": "encryption-keystore"
  }
}

Request Body Fields

operationMetadata
FieldTypeRequiredDefaultDescription
targetScopestringYes-Policy scope: ALL or ENDPOINT
targetEndpointstringNo*-Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethodstringNo*-HTTP method (required if targetScope=ENDPOINT)
targetPipelinestringYes-Pipeline: REQUEST, RESPONSE, or ERROR
deploybooleanNotrueWhether to deploy after adding policy
deployTargetEnvironmentNameListarrayNo[]List of environment names to deploy to
orderintegerNonullPolicy execution order (starts from 1)
Enum: targetScope
  • ALL - Policy applies to all endpoints
  • ENDPOINT - Policy applies only to specified endpoint
Enum: targetPipeline
  • REQUEST - Executes in request pipeline (encrypts outgoing requests)
  • RESPONSE - Executes in response pipeline (encrypts outgoing responses)
  • ERROR - Executes in error pipeline
Enum: targetEndpointHTTPMethod
  • GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
policy
FieldTypeRequiredDefaultDescription
typestringYes-Policy type: policy-ws-security-encrypt
descriptionstringNo-Policy description
activebooleanNotrueWhether policy is active
mustUnderstandbooleanNotrueWS-Security header mustUnderstand attribute
encPartListarrayNo[]Encryption parts list. See WsSecurityToTargetPart
encEmbeddedKeyNamestringNonullEmbedded key name for encryption (used when encKeyIdType=EMBEDDED_KEY_INFO)
encKeyIdTypestringNonullEncryption key identifier type. See EnumWsSecurityKeyIdentifierType
encSymEncAlgorithmstringNonullSymmetric encoding algorithm for encryption. See EnumWsSecuritySymmetricEncodingAlgorithm
encKeyEncAlgorithmstringNonullKey encryption algorithm. See EnumWsSecurityKeyEncryptionAlgorithm
encKeyStoreNamestringYes-Encryption keystore name

EnumWsSecurityKeyIdentifierType (encKeyIdType)

  • BINARY_SECURITY_TOKEN - Binary Security Token
  • ISSUER_NAME_AND_SERIAL_NUMBER - Issuer Name and Serial Number
  • X509_CERTIFICATE - X509 Certificate (recommended)
  • SUBJECT_KEY_IDENTIFIER - Subject Key Identifier
  • THUMBPRINT_SHA1_IDENTIFIER - Thumbprint SHA1 Identifier
  • EMBEDDED_KEY_INFO - Embedded Key Info (requires encEmbeddedKeyName)
  • EMBED_SECURITY_TOKEN_REFERENCE - Embed Security Token Reference
  • CUSTOM_KEY_INFO - Custom Key Info

EnumWsSecuritySymmetricEncodingAlgorithm (encSymEncAlgorithm)

EnumWsSecurityKeyEncryptionAlgorithm (encKeyEncAlgorithm)

Note

  • encKeyStoreName is required.
  • If encKeyIdType: EMBEDDED_KEY_INFO, encEmbeddedKeyName should be provided.

WsSecurityToTargetPart (encPartList)

FieldTypeRequiredDefaultDescription
namestringYes-Part name (e.g., “Body”, “UsernameToken”)
namespacestringYes-Part namespace URI
encodeTypestringYes-Encode type. See EnumWsSecurityEncryptionPartEncodeType

EnumWsSecurityEncryptionPartEncodeType (encodeType)

  • CONTENT - Encrypt content only
  • ELEMENT - Encrypt entire element

Common Part Names and Namespaces

  • Body: name: "Body", namespace: "http://schemas.xmlsoap.org/soap/envelope/"
  • UsernameToken: name: "UsernameToken", namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  • Timestamp: name: "Timestamp", namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/ws-security-encrypt-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-ws-security-encrypt",
      "description": "Encrypt SOAP message body",
      "active": true,
      "mustUnderstand": true,
      "encPartList": [
        {
          "name": "Body",
          "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
          "encodeType": "CONTENT"
        }
      ],
      "encKeyIdType": "X509_CERTIFICATE",
      "encSymEncAlgorithm": "AES_128_CBC",
      "encKeyEncAlgorithm": "RSA",
      "encKeyStoreName": "encryption-keystore"
    }
  }'

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

HeaderValue
AuthorizationBearer {token}
Content-Typeapplication/json

Path Parameters

ParameterTypeRequiredDescription
projectNamestringYesProject name
apiProxyNamestringYesAPI Proxy name
policyNamestringYesPolicy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-encrypt",
    "description": "Updated: Enhanced SOAP encryption with stronger algorithms",
    "active": true,
    "mustUnderstand": true,
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      },
      {
        "name": "Header",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      }
    ],
    "encEmbeddedKeyName": null,
    "encKeyIdType": "X509_CERTIFICATE",
    "encSymEncAlgorithm": "AES_256_CBC",
    "encKeyEncAlgorithm": "RSA",
    "encKeyStoreName": "test-keystores"
  }
}
Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

HeaderValue
AuthorizationBearer {token}
Content-Typeapplication/json

Path Parameters

ParameterTypeRequiredDescription
projectNamestringYesProject name
apiProxyNamestringYesAPI Proxy name
policyNamestringYesPolicy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

Notes and Warnings

  • Encryption Algorithms:
    • AES_128_CBC, AES_192_CBC, AES_256_CBC - Symmetric encryption algorithms
    • AES_256_CBC is recommended for stronger security
  • Key Encryption:
    • RSA - RSA v1.5 (legacy, less secure)
    • OAEP - RSA-OAEP (recommended, more secure)
  • Key Identifier Types:
    • X509_CERTIFICATE - Most common and recommended
    • EMBEDDED_KEY_INFO - Use embedded key (requires encEmbeddedKeyName)
  • Parts:
    • CONTENT - Encrypt only the content (preserves element structure)
    • ELEMENT - Encrypt entire element (more secure)
  • Key Store:
    • Encryption keystore must be configured in Apinizer
    • Keystore must contain appropriate certificates/keys
    • Key identifier type must match keystore content
  • Performance: Encryption adds significant cryptographic processing overhead. Use for necessary security only.
  • Pipeline:
    • REQUEST pipeline encrypts outgoing requests
    • RESPONSE pipeline encrypts outgoing responses
  • Error Handling: Invalid keystore, missing keys, or configuration errors cause policy to fail
  • Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.