WS Security To Target Policy
General Information
Policy Type
policy-ws-security-to-target
Endpoints
List Policies
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Add Policy��
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Update Policy
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Delete Policy
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
List Policies
Endpoint
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
Response
Success Response (200 OK)
{
"success": true,
"resultList": [
{
"apiProxy": {
"name": "MyAPI",
"requestPolicyList": [
{
"type": "policy-ws-security-to-target",
"name": "ws-security-to-target-policy",
"description": "Add WS-Security headers to SOAP requests",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": 300,
"unUsername": "myuser",
"unPassword": null,
"unPasswordDecrypted": false,
"unNonce": true,
"unCreated": true,
"unPasswordType": "PasswordText",
"encPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "CONTENT"
}
],
"encEmbeddedKeyName": null,
"encKeyIdType": "X509_CERTIFICATE",
"encSymEncAlgorithm": "AES_128_CBC",
"encKeyEncAlgorithm": "RSA",
"encKeyStoreName": "encryption-keystore",
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": "signature-keystore",
"wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
}
],
"responsePolicyList": [],
"errorPolicyList": []
}
}
],
"resultCount": 1
}
cURL Example
curl -X GET \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
-H "Authorization: Bearer YOUR_TOKEN"
Add Policy
Endpoint
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example - Complete Configuration
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-to-target",
"description": "Add WS-Security headers with Timestamp, UsernameToken, Encryption, and Signature",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": 300,
"unUsername": "myuser",
"unPassword": "mypassword",
"unPasswordDecrypted": false,
"unNonce": true,
"unCreated": true,
"unPasswordType": "PasswordText",
"encPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "CONTENT"
}
],
"encEmbeddedKeyName": null,
"encKeyIdType": "X509_CERTIFICATE",
"encSymEncAlgorithm": "AES_128_CBC",
"encKeyEncAlgorithm": "RSA",
"encKeyStoreName": "encryption-keystore",
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
},
{
"name": "Timestamp",
"namespace": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": "signature-keystore",
"wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
}
}
Full JSON Body Example - Timestamp Only
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-to-target",
"description": "Add only Timestamp to WS-Security header",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": 300,
"unUsername": null,
"unPassword": null,
"unPasswordDecrypted": false,
"unNonce": false,
"unCreated": false,
"unPasswordType": null,
"encPartList": [],
"encEmbeddedKeyName": null,
"encKeyIdType": null,
"encSymEncAlgorithm": null,
"encKeyEncAlgorithm": null,
"encKeyStoreName": null,
"sigPartList": [],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": null,
"sigSigAlgorithm": null,
"sigC14n": null,
"sigDigAlgorithm": null,
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": null,
"wsSecurityEntryOrderList": ["TIMESTAMP"]
}
}
Full JSON Body Example - UsernameToken Only
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-to-target",
"description": "Add only UsernameToken to WS-Security header",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": null,
"unUsername": "myuser",
"unPassword": "mypassword",
"unPasswordDecrypted": false,
"unNonce": true,
"unCreated": true,
"unPasswordType": "PasswordText",
"encPartList": [],
"encEmbeddedKeyName": null,
"encKeyIdType": null,
"encSymEncAlgorithm": null,
"encKeyEncAlgorithm": null,
"encKeyStoreName": null,
"sigPartList": [],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": null,
"sigSigAlgorithm": null,
"sigC14n": null,
"sigDigAlgorithm": null,
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": null,
"wsSecurityEntryOrderList": ["USERNAME_TOKEN"]
}
}
Full JSON Body Example - Encryption Only
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-to-target",
"description": "Add only Encryption to WS-Security header",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": null,
"unUsername": null,
"unPassword": null,
"unPasswordDecrypted": false,
"unNonce": false,
"unCreated": false,
"unPasswordType": null,
"encPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "CONTENT"
}
],
"encEmbeddedKeyName": null,
"encKeyIdType": "X509_CERTIFICATE",
"encSymEncAlgorithm": "AES_256_CBC",
"encKeyEncAlgorithm": "OAEP",
"encKeyStoreName": "encryption-keystore",
"sigPartList": [],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": null,
"sigSigAlgorithm": null,
"sigC14n": null,
"sigDigAlgorithm": null,
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": null,
"wsSecurityEntryOrderList": ["ENCRYPTION"]
}
}
Full JSON Body Example - Signature Only
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-to-target",
"description": "Add only Signature to WS-Security header",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": null,
"unUsername": null,
"unPassword": null,
"unPasswordDecrypted": false,
"unNonce": false,
"unCreated": false,
"unPasswordType": null,
"encPartList": [],
"encEmbeddedKeyName": null,
"encKeyIdType": null,
"encSymEncAlgorithm": null,
"encKeyEncAlgorithm": null,
"encKeyStoreName": null,
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": "signature-keystore",
"wsSecurityEntryOrderList": ["SIGNATURE"]
}
}
Full JSON Body Example - With Embedded Key
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-to-target",
"description": "Add Encryption with embedded key",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": null,
"unUsername": null,
"unPassword": null,
"unPasswordDecrypted": false,
"unNonce": false,
"unCreated": false,
"unPasswordType": null,
"encPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "CONTENT"
}
],
"encEmbeddedKeyName": "embedded-key-alias",
"encKeyIdType": "EMBEDDED_KEY_INFO",
"encSymEncAlgorithm": "AES_128_CBC",
"encKeyEncAlgorithm": "RSA",
"encKeyStoreName": "encryption-keystore",
"sigPartList": [],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": null,
"sigSigAlgorithm": null,
"sigC14n": null,
"sigDigAlgorithm": null,
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": null,
"wsSecurityEntryOrderList": ["ENCRYPTION"]
}
}
Full JSON Body Example - With Custom Key Identifier
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-to-target",
"description": "Add Signature with custom key identifier",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": null,
"unUsername": null,
"unPassword": null,
"unPasswordDecrypted": false,
"unNonce": false,
"unCreated": false,
"unPasswordType": null,
"encPartList": [],
"encEmbeddedKeyName": null,
"encKeyIdType": null,
"encSymEncAlgorithm": null,
"encKeyEncAlgorithm": null,
"encKeyStoreName": null,
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": "custom-key-id-value",
"sigCustomKeyIdentifierValueType": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary",
"sigKeyIdType": "CUSTOM_KEY_INFO",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": "signature-keystore",
"wsSecurityEntryOrderList": ["SIGNATURE"]
}
}
Request Body Fields
operationMetadata
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetScope | string | Yes | - | Policy scope: ALL or ENDPOINT |
| targetEndpoint | string | No* | - | Endpoint path (required if targetScope=ENDPOINT) |
| targetEndpointHTTPMethod | string | No* | - | HTTP method (required if targetScope=ENDPOINT) |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | true | Whether to deploy after adding policy |
| deployTargetEnvironmentNameList | array | No | [] | List of environment names to deploy to |
| order | integer | No | null | Policy execution order (starts from 1) |
Enum: targetScope
ALL- Policy applies to all endpointsENDPOINT- Policy applies only to specified endpoint
Enum: targetPipeline
REQUEST- Executes in request pipeline (adds WS-Security to outgoing requests)RESPONSE- Executes in response pipeline (adds WS-Security to outgoing responses)ERROR- Executes in error pipeline
Enum: targetEndpointHTTPMethod
GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD
policy
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| type | string | Yes | - | Policy type: policy-ws-security-to-target |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether policy is active |
| mustUnderstand | boolean | No | true | WS-Security header mustUnderstand attribute |
| tsTimeToLive | integer | No* | null | Timestamp time to live in seconds (required if TIMESTAMP is in wsSecurityEntryOrderList, must be >= 0) |
| unUsername | string | No* | null | UsernameToken username (required if USERNAME_TOKEN is in wsSecurityEntryOrderList) |
| unPassword | string | No* | null | UsernameToken password (required if USERNAME_TOKEN is in wsSecurityEntryOrderList) |
| unPasswordDecrypted | boolean | No | false | Password is already decrypted flag |
| unNonce | boolean | No | false | Add nonce to UsernameToken |
| unCreated | boolean | No | false | Add created timestamp to UsernameToken |
| unPasswordType | string | No* | null | UsernameToken password type (required if USERNAME_TOKEN is in wsSecurityEntryOrderList). See EnumWsSecurityPasswordType |
| encPartList | array | No* | [] | Encryption parts list (required if ENCRYPTION is in wsSecurityEntryOrderList, at least one required). See WsSecurityToTargetPart |
| encEmbeddedKeyName | string | No | null | Embedded key name for encryption (used when encKeyIdType=EMBEDDED_KEY_INFO) |
| encKeyIdType | string | No* | null | Encryption key identifier type (required if ENCRYPTION is in wsSecurityEntryOrderList). See EnumWsSecurityKeyIdentifierType |
| encSymEncAlgorithm | string | No* | null | Symmetric encoding algorithm for encryption (required if ENCRYPTION is in wsSecurityEntryOrderList). See EnumWsSecuritySymmetricEncodingAlgorithm |
| encKeyEncAlgorithm | string | No* | null | Key encryption algorithm (required if ENCRYPTION is in wsSecurityEntryOrderList). See EnumWsSecurityKeyEncryptionAlgorithm |
| encKeyStoreName | string | No* | null | Encryption keystore name (required if ENCRYPTION is in wsSecurityEntryOrderList) |
| sigPartList | array | No* | [] | Signature parts list (required if SIGNATURE is in wsSecurityEntryOrderList, at least one required). See WsSecurityToTargetPart |
| sigCustomKeyIdentifier | string | No | null | Custom key identifier for signature (used when sigKeyIdType=CUSTOM_KEY_INFO) |
| sigCustomKeyIdentifierValueType | string | No* | null | Custom key identifier value type (required if sigCustomKeyIdentifier is provided) |
| sigKeyIdType | string | No* | null | Signature key identifier type (required if SIGNATURE is in wsSecurityEntryOrderList). See EnumWsSecurityKeyIdentifierType |
| sigSigAlgorithm | string | No | null | Signature algorithm. See EnumWsSecuritySignatureAlgorithm |
| sigC14n | string | No | null | Signature canonicalization method. See EnumWsSecuritySignatureCanonicalization |
| sigDigAlgorithm | string | No | null | Signature digest algorithm. See Enum Ws Security Signature Digest Algorithm |
| sigUseSingleCert | boolean | No | false | Use single certificate for signature |
| sigWsiBSPCompliant | boolean | No | false | WSI BSP compliance for signature |
| sigKeyStoreName | string | No* | null | Signature keystore name (required if SIGNATURE is in wsSecurityEntryOrderList) |
| wsSecurityEntryOrderList | array | Yes | - | WS-Security entry order list (at least one required). See EnumWsSecurityEntryType |
EnumWsSecurityEntryType
TIMESTAMP- Add Timestamp elementUSERNAME_TOKEN- Add UsernameToken elementENCRYPTION- Add Encryption elementSIGNATURE- Add Signature element
Note: The order in the list determines the order of elements in the WS-Security header.
EnumWsSecurityPasswordType
PasswordText- Plain text passwordPasswordDigest- Password digest (hashed password)
EnumWsSecurityKeyIdentifierType
BINARY_SECURITY_TOKEN- Binary Security TokenISSUER_NAME_AND_SERIAL_NUMBER- Issuer Name and Serial NumberX509_CERTIFICATE- X509 Certificate (recommended)SUBJECT_KEY_IDENTIFIER- Subject Key IdentifierTHUMBPRINT_SHA1_IDENTIFIER- Thumbprint SHA1 IdentifierEMBEDDED_KEY_INFO- Embedded Key Info (requires encEmbeddedKeyName)EMBED_SECURITY_TOKEN_REFERENCE- Embed Security Token ReferenceCUSTOM_KEY_INFO- Custom Key Info (requires sigCustomKeyIdentifier)
EnumWsSecuritySymmetricEncodingAlgorithm
AES_128_CBC- AES-128-CBC (http://www.w3.org/2001/04/xmlenc#aes128-cbc)AES_192_CBC- AES-192-CBC (http://www.w3.org/2001/04/xmlenc#aes192-cbc)AES_256_CBC- AES-256-CBC (http://www.w3.org/2001/04/xmlenc#aes256-cbc)
EnumWsSecurityKeyEncryptionAlgorithm
RSA- RSA v1.5 (http://www.w3.org/2001/04/xmlenc#rsa-1_5)OAEP- RSA-OAEP (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p)
EnumWsSecuritySignatureAlgorithm
RSA_SHA1- RSA SHA-1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)RSA_SHA256- RSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) (recommended)RSA_SHA384- RSA SHA-384 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha384)RSA_SHA512- RSA SHA-512 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha512)DSA_SHA1- DSA SHA-1 (http://www.w3.org/2000/09/xmldsig#dsa-sha1)DSA_SHA256- DSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#dsa-sha256)ECDSA_SHA1- ECDSA SHA-1 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1)ECDSA_SHA256- ECDSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256)ECDSA_SHA384- ECDSA SHA-384 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384)ECDSA_SHA512- ECDSA SHA-512 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512)HMAC_SHA1- HMAC SHA-1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1)HMAC_SHA256- HMAC SHA-256 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha256)HMAC_SHA384- HMAC SHA-384 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha384)HMAC_SHA512- HMAC SHA-512 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha512)
EnumWsSecuritySignatureCanonicalization
C14N_OMIT_COMMENTS- C14N omit comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315)C14N_WITH_COMMENTS- C14N with comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)C14N_EXCL_OMIT_COMMENTS- Exclusive C14N omit comments (http://www.w3.org/2001/10/xml-exc-c14n#) (recommended)C14N_EXCL_WITH_COMMENTS- Exclusive C14N with comments (http://www.w3.org/2001/10/xml-exc-c14n#WithComments)C14N_11_OMIT_COMMENTS- C14N 1.1 omit comments (http://www.w3.org/2006/12/xml-c14n11)C14N_11_WITH_COMMENTS- C14N 1.1 with comments (http://www.w3.org/2006/12/xml-c14n11#WithComments)
Enum Ws Security Signature Digest Algorithm
SHA1- SHA-1 (http://www.w3.org/2000/09/xmldsig#sha1)SHA256- SHA-256 (http://www.w3.org/2001/04/xmlenc#sha256) (recommended)SHA384- SHA-384 (http://www.w3.org/2001/04/xmldsig-more#sha384)SHA512- SHA-512 (http://www.w3.org/2001/04/xmlenc#sha512)HMAC_SHA1- HMAC SHA-1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1)HMAC_SHA256- HMAC SHA-256 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha256)HMAC_SHA384- HMAC SHA-384 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha384)HMAC_SHA512- HMAC SHA-512 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha512)HMAC_MD5- HMAC MD5 (http://www.w3.org/2001/04/xmldsig-more#hmac-md5)MD5- MD5 (http://www.w3.org/2001/04/xmldsig-more#md5)
Note
wsSecurityEntryOrderListmust contain at least one entry type.- If
TIMESTAMPis inwsSecurityEntryOrderList,tsTimeToLiveis required and must be >= 0. - If
USERNAME_TOKENis inwsSecurityEntryOrderList,unUsername,unPassword, andunPasswordTypeare required. - If
ENCRYPTIONis inwsSecurityEntryOrderList,encKeyStoreName,encKeyIdType,encSymEncAlgorithm,encKeyEncAlgorithm, andencPartList(at least one) are required. - If
SIGNATUREis inwsSecurityEntryOrderList,sigKeyStoreName,sigKeyIdType, andsigPartList(at least one) are required. - If
encKeyIdType: EMBEDDED_KEY_INFO,encEmbeddedKeyNameshould be provided. - If
sigKeyIdType: CUSTOM_KEY_INFOandsigCustomKeyIdentifieris provided,sigCustomKeyIdentifierValueTypeis required.
WsSecurityToTargetPart
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | Part name (e.g., "Body", "Timestamp") |
| namespace | string | Yes | - | Part namespace URI |
| encodeType | string | Yes | - | Encode type. See EnumWsSecurityEncryptionPartEncodeType |
EnumWsSecurityEncryptionPartEncodeType
CONTENT- Encrypt/sign content onlyELEMENT- Encrypt/sign entire element
Common Part Names and Namespaces
- Body:
name: "Body",namespace: "http://schemas.xmlsoap.org/soap/envelope/" - Timestamp:
name: "Timestamp",namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" - UsernameToken:
name: "UsernameToken",namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
cURL Example
curl -X POST \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/ws-security-to-target-policy/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-to-target",
"description": "Add WS-Security headers",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": 300,
"unUsername": "myuser",
"unPassword": "mypassword",
"unPasswordType": "PasswordText",
"encPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "CONTENT"
}
],
"encKeyIdType": "X509_CERTIFICATE",
"encSymEncAlgorithm": "AES_128_CBC",
"encKeyEncAlgorithm": "RSA",
"encKeyStoreName": "encryption-keystore",
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigKeyStoreName": "signature-keystore",
"wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
}
}'
Update Policy
Endpoint
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["tester"],
"order": 1
},
"policy": {
"type": "policy-ws-security-to-target",
"description": "Add WS-Security headers with Timestamp, UsernameToken, Encryption, and Signature",
"active": true,
"mustUnderstand": true,
"tsTimeToLive": 300,
"unUsername": "myuser",
"unPassword": "mypassword",
"unPasswordDecrypted": false,
"unNonce": true,
"unCreated": true,
"unPasswordType": "PasswordText",
"encPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "CONTENT"
}
],
"encEmbeddedKeyName": null,
"encKeyIdType": "X509_CERTIFICATE",
"encSymEncAlgorithm": "AES_128_CBC",
"encKeyEncAlgorithm": "RSA",
"encKeyStoreName": "test-keystores",
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
},
{
"name": "Timestamp",
"namespace": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": "test-keystores",
"wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
}
}
Note: Request body structure is the same as Add Policy. All fields should be provided for update.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
Delete Policy
Endpoint
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": false
}
}
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": []
}
}
Notes and Warnings
-
WS-Security Entry Order: The order of elements in
wsSecurityEntryOrderListdetermines the order in the WS-Security header. Common orders:["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]- Standard order["TIMESTAMP", "SIGNATURE", "ENCRYPTION"]- Sign before encrypt["ENCRYPTION", "SIGNATURE"]- Encrypt then sign
-
Timestamp:
tsTimeToLiveis in seconds- Timestamp is used for replay attack prevention
-
UsernameToken:
PasswordText- Plain text password (less secure)PasswordDigest- Hashed password (more secure, recommended)unNonceandunCreatedadd additional security
-
Encryption:
AES_128_CBC,AES_192_CBC,AES_256_CBC- Symmetric encryption algorithmsRSA- RSA v1.5 key encryption (legacy)OAEP- RSA-OAEP key encryption (recommended, more secure)EMBEDDED_KEY_INFO- Use embedded key (requiresencEmbeddedKeyName)
-
Signature:
RSA_SHA256,RSA_SHA384,RSA_SHA512- Recommended RSA algorithmsECDSA_SHA256,ECDSA_SHA384,ECDSA_SHA512- Elliptic curve algorithmsC14N_EXCL_OMIT_COMMENTS- Recommended canonicalization (exclusive, omit comments)SHA256,SHA384,SHA512- Recommended digest algorithmssigUseSingleCert: true- Use single certificate (simpler, less secure)sigWsiBSPCompliant: true- WSI Basic Security Profile compliance
-
Key Stores:
- Encryption and signature keystores must be configured in Apinizer
- Keystores must contain appropriate certificates/keys
- Key identifier type must match keystore content
-
Parts:
CONTENT- Encrypt/sign only the content (preserves element structure)ELEMENT- Encrypt/sign entire element (more secure)
-
Performance: WS-Security adds significant cryptographic processing overhead. Use for necessary security only.
-
Pipeline:
REQUESTpipeline adds WS-Security to outgoing requestsRESPONSEpipeline adds WS-Security to outgoing responses
-
Error Handling: Invalid keystore, missing keys, or configuration errors cause policy to fail
-
Deployment: Policy changes require deployment to take effect. Set
deploy: trueor deploy manually.
Related Documentation
- List Policies - List all policies
- Add Policy - General policy addition guide
- Update Policy - General policy update guide
- Delete Policy - General policy deletion guide
- WS Security From Target Policy - Process WS-Security from backend