WS Security Sign Policy - Apinizer Dokümantasyonu

General Information

Policy Type

policy-ws-security-sign

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header	Value
Authorization	Bearer `{token}`

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-ws-security-sign",
            "name": "ws-security-sign-policy",
            "description": "Sign SOAP message parts",
            "active": true,
            "mustUnderstand": true,
            "sigPartList": [
              {
                "name": "Body",
                "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
                "encodeType": "ELEMENT"
              }
            ],
            "sigCustomKeyIdentifier": null,
            "sigCustomKeyIdentifierValueType": null,
            "sigKeyIdType": "X509_CERTIFICATE",
            "sigSigAlgorithm": "RSA_SHA256",
            "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
            "sigDigAlgorithm": "SHA256",
            "sigUseSingleCert": false,
            "sigWsiBSPCompliant": false,
            "sigKeyStoreName": "signature-keystore"
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer `{token}`
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example - Standard Signature

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-sign",
    "description": "Sign SOAP message body",
    "active": true,
    "mustUnderstand": true,
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "signature-keystore"
  }
}

Full JSON Body Example - Multiple Parts

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-sign",
    "description": "Sign multiple SOAP parts",
    "active": true,
    "mustUnderstand": true,
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      },
      {
        "name": "Timestamp",
        "namespace": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "signature-keystore"
  }
}

Full JSON Body Example - With Custom Key Identifier

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-sign",
    "description": "Sign with custom key identifier",
    "active": true,
    "mustUnderstand": true,
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": "custom-key-id-value",
    "sigCustomKeyIdentifierValueType": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary",
    "sigKeyIdType": "CUSTOM_KEY_INFO",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "signature-keystore"
  }
}

Full JSON Body Example - WSI BSP Compliant

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-sign",
    "description": "Sign with WSI BSP compliance",
    "active": true,
    "mustUnderstand": true,
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": true,
    "sigKeyStoreName": "signature-keystore"
  }
}

Request Body Fields

operationMetadata

Field	Type	Required	Default	Description
targetScope	string	Yes	-	Policy scope: `ALL` or `ENDPOINT`
targetEndpoint	string	No*	-	Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethod	string	No*	-	HTTP method (required if targetScope=ENDPOINT)
targetPipeline	string	Yes	-	Pipeline: `REQUEST`, `RESPONSE`, or `ERROR`
deploy	boolean	No	true	Whether to deploy after adding policy
deployTargetEnvironmentNameList	array	No	[]	List of environment names to deploy to
order	integer	No	null	Policy execution order (starts from 1)

Enum: targetScope

ALL - Policy applies to all endpoints
ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline

REQUEST - Executes in request pipeline (signs outgoing requests)
RESPONSE - Executes in response pipeline (signs outgoing responses)
ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod

GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD

policy

Field	Type	Required	Default	Description
type	string	Yes	-	Policy type: `policy-ws-security-sign`
description	string	No	-	Policy description
active	boolean	No	true	Whether policy is active
mustUnderstand	boolean	No	true	WS-Security header mustUnderstand attribute
sigPartList	array	No	[]	Signature parts list. See WsSecurityToTargetPart
sigCustomKeyIdentifier	string	No	null	Custom key identifier for signature (used when sigKeyIdType=CUSTOM_KEY_INFO)
sigCustomKeyIdentifierValueType	string	No*	null	Custom key identifier value type (required if sigCustomKeyIdentifier is provided)
sigKeyIdType	string	No	null	Signature key identifier type. See EnumWsSecurityKeyIdentifierType
sigSigAlgorithm	string	Yes	-	Signature algorithm. See EnumWsSecuritySignatureAlgorithm
sigC14n	string	Yes	-	Signature canonicalization method. See EnumWsSecuritySignatureCanonicalization
sigDigAlgorithm	string	Yes	-	Signature digest algorithm. See Enum Ws Security Signature Digest Algorithm
sigUseSingleCert	boolean	No	false	Use single certificate for signature
sigWsiBSPCompliant	boolean	No	false	WSI BSP compliance for signature
sigKeyStoreName	string	Yes	-	Signature keystore name

EnumWsSecurityKeyIdentifierType

BINARY_SECURITY_TOKEN - Binary Security Token
ISSUER_NAME_AND_SERIAL_NUMBER - Issuer Name and Serial Number
X509_CERTIFICATE - X509 Certificate (recommended)
SUBJECT_KEY_IDENTIFIER - Subject Key Identifier
THUMBPRINT_SHA1_IDENTIFIER - Thumbprint SHA1 Identifier
EMBEDDED_KEY_INFO - Embedded Key Info
EMBED_SECURITY_TOKEN_REFERENCE - Embed Security Token Reference
CUSTOM_KEY_INFO - Custom Key Info (requires sigCustomKeyIdentifier)

EnumWsSecuritySignatureAlgorithm

RSA_SHA1 - RSA SHA-1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)
RSA_SHA256 - RSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) (recommended)
RSA_SHA384 - RSA SHA-384 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha384)
RSA_SHA512 - RSA SHA-512 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha512)
DSA_SHA1 - DSA SHA-1 (http://www.w3.org/2000/09/xmldsig#dsa-sha1)
DSA_SHA256 - DSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#dsa-sha256)
ECDSA_SHA1 - ECDSA SHA-1 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1)
ECDSA_SHA256 - ECDSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256)
ECDSA_SHA384 - ECDSA SHA-384 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384)
ECDSA_SHA512 - ECDSA SHA-512 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512)
HMAC_SHA1 - HMAC SHA-1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1)
HMAC_SHA256 - HMAC SHA-256 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha256)
HMAC_SHA384 - HMAC SHA-384 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha384)
HMAC_SHA512 - HMAC SHA-512 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha512)

EnumWsSecuritySignatureCanonicalization

C14N_OMIT_COMMENTS - C14N omit comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
C14N_WITH_COMMENTS - C14N with comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
C14N_EXCL_OMIT_COMMENTS - Exclusive C14N omit comments (http://www.w3.org/2001/10/xml-exc-c14n#) (recommended)
C14N_EXCL_WITH_COMMENTS - Exclusive C14N with comments (http://www.w3.org/2001/10/xml-exc-c14n#WithComments)
C14N_11_OMIT_COMMENTS - C14N 1.1 omit comments (http://www.w3.org/2006/12/xml-c14n11)
C14N_11_WITH_COMMENTS - C14N 1.1 with comments (http://www.w3.org/2006/12/xml-c14n11#WithComments)

Enum Ws Security Signature Digest Algorithm

SHA1 - SHA-1 (http://www.w3.org/2000/09/xmldsig#sha1)
SHA256 - SHA-256 (http://www.w3.org/2001/04/xmlenc#sha256) (recommended)
SHA384 - SHA-384 (http://www.w3.org/2001/04/xmldsig-more#sha384)
SHA512 - SHA-512 (http://www.w3.org/2001/04/xmlenc#sha512)
HMAC_SHA1 - HMAC SHA-1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1)
HMAC_SHA256 - HMAC SHA-256 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha256)
HMAC_SHA384 - HMAC SHA-384 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha384)
HMAC_SHA512 - HMAC SHA-512 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha512)
HMAC_MD5 - HMAC MD5 (http://www.w3.org/2001/04/xmldsig-more#hmac-md5)
MD5 - MD5 (http://www.w3.org/2001/04/xmldsig-more#md5)

Note

sigKeyStoreName, sigSigAlgorithm, sigC14n, and sigDigAlgorithm are required.
If sigKeyIdType: CUSTOM_KEY_INFO and sigCustomKeyIdentifier is provided, sigCustomKeyIdentifierValueType is required.

WsSecurityToTargetPart

Field	Type	Required	Default	Description
name	string	Yes	-	Part name (e.g., “Body”, “Timestamp”)
namespace	string	Yes	-	Part namespace URI
encodeType	string	Yes	-	Encode type. See EnumWsSecurityEncryptionPartEncodeType

EnumWsSecurityEncryptionPartEncodeType

CONTENT - Sign content only
ELEMENT - Sign entire element

Common Part Names and Namespaces

Body: name: "Body", namespace: "http://schemas.xmlsoap.org/soap/envelope/"
Timestamp: name: "Timestamp", namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UsernameToken: name: "UsernameToken", namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/ws-security-sign-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-ws-security-sign",
      "description": "Sign SOAP message body",
      "active": true,
      "mustUnderstand": true,
      "sigPartList": [
        {
          "name": "Body",
          "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
          "encodeType": "ELEMENT"
        }
      ],
      "sigKeyIdType": "X509_CERTIFICATE",
      "sigSigAlgorithm": "RSA_SHA256",
      "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
      "sigDigAlgorithm": "SHA256",
      "sigKeyStoreName": "signature-keystore"
    }
  }'

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer `{token}`
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-sign",
    "description": "Updated: Sign SOAP body and header with stronger algorithms",
    "active": true,
    "mustUnderstand": true,
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      },
      {
        "name": "Header",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA512",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA512",
    "sigUseSingleCert": true,
    "sigWsiBSPCompliant": true,
    "sigKeyStoreName": "test-keystores"
  }
}

Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer `{token}`
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

Notes and Warnings

Signature Algorithms:
- RSA_SHA256, RSA_SHA384, RSA_SHA512 - Recommended RSA algorithms
- ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512 - Elliptic curve algorithms
- HMAC_SHA256, HMAC_SHA384, HMAC_SHA512 - HMAC algorithms (symmetric)
Canonicalization:
- C14N_EXCL_OMIT_COMMENTS - Recommended (exclusive, omit comments)
- Exclusive C14N is more secure and widely supported
Digest Algorithms:
- SHA256, SHA384, SHA512 - Recommended digest algorithms
- SHA-1 and MD5 are deprecated and should be avoided
Key Identifier Types:
- X509_CERTIFICATE - Most common and recommended
- CUSTOM_KEY_INFO - Use custom key identifier (requires sigCustomKeyIdentifier and sigCustomKeyIdentifierValueType)
Parts:
- CONTENT - Sign only the content (preserves element structure)
- ELEMENT - Sign entire element (more secure)
Single Certificate:
- sigUseSingleCert: true - Use single certificate (simpler, less secure)
- sigUseSingleCert: false - Use certificate chain (more secure, recommended)
WSI BSP Compliance:
- sigWsiBSPCompliant: true - WSI Basic Security Profile compliance
- Ensures compatibility with WSI BSP standards
Key Store:
- Signature keystore must be configured in Apinizer
- Keystore must contain appropriate private keys/certificates
- Key identifier type must match keystore content
Performance: Signing adds significant cryptographic processing overhead. Use for necessary security only.
Pipeline:
- REQUEST pipeline signs outgoing requests
- RESPONSE pipeline signs outgoing responses
Error Handling: Invalid keystore, missing keys, or configuration errors cause policy to fail
Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.

List Policies - List all policies
Add Policy - General policy addition guide
Update Policy - General policy update guide
Delete Policy - General policy deletion guide
WS Security Sign Validation Policy - Verify WS-Security signatures

Home

​General Information

​Policy Type

​Endpoints

​List Policies

​Add Policy

​Update Policy

​Delete Policy

​List Policies

​Endpoint

​Request

​Headers

​Path Parameters

​Response

​Success Response (200 OK)

​cURL Example

​Add Policy

​Endpoint

​Request

​Headers

​Path Parameters

​Request Body

Full JSON Body Example - Standard Signature

Full JSON Body Example - Multiple Parts

Full JSON Body Example - With Custom Key Identifier

Full JSON Body Example - WSI BSP Compliant

​Request Body Fields

operationMetadata

policy

​EnumWsSecurityKeyIdentifierType

​EnumWsSecuritySignatureAlgorithm

​EnumWsSecuritySignatureCanonicalization

​Enum Ws Security Signature Digest Algorithm

​Note

​WsSecurityToTargetPart

​EnumWsSecurityEncryptionPartEncodeType

​Common Part Names and Namespaces

​Response

​Success Response (200 OK)

​cURL Example

​Update Policy

​Endpoint

​Request

​Headers

​Path Parameters

​Request Body

Full JSON Body Example

​Response

​Success Response (200 OK)

​Delete Policy

​Endpoint

​Request

​Headers

​Path Parameters

​Request Body

Full JSON Body Example

​Response

​Success Response (200 OK)

​Notes and Warnings

​Related Documentation

General Information

Policy Type

Endpoints

List Policies

Add Policy

Update Policy

Delete Policy

List Policies

Endpoint

Request

Headers

Path Parameters

Response

Success Response (200 OK)

cURL Example

Add Policy

Endpoint

Request

Headers

Path Parameters

Request Body

Request Body Fields

EnumWsSecurityKeyIdentifierType

EnumWsSecuritySignatureAlgorithm

EnumWsSecuritySignatureCanonicalization

Enum Ws Security Signature Digest Algorithm

Note

WsSecurityToTargetPart

EnumWsSecurityEncryptionPartEncodeType

Common Part Names and Namespaces

Response

Success Response (200 OK)

cURL Example

Update Policy

Endpoint

Request

Headers

Path Parameters

Request Body

Response

Success Response (200 OK)

Delete Policy

Endpoint

Request

Headers

Path Parameters

Request Body

Response

Success Response (200 OK)

Notes and Warnings

Related Documentation