WS Security To Target Policy - Apinizer Dokümantasyonu

General Information

Policy Type

policy-ws-security-to-target

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header	Value
Authorization	Bearer `{token}`

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-ws-security-to-target",
            "name": "ws-security-to-target-policy",
            "description": "Add WS-Security headers to SOAP requests",
            "active": true,
            "mustUnderstand": true,
            "tsTimeToLive": 300,
            "unUsername": "myuser",
            "unPassword": null,
            "unPasswordDecrypted": false,
            "unNonce": true,
            "unCreated": true,
            "unPasswordType": "PasswordText",
            "encPartList": [
              {
                "name": "Body",
                "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
                "encodeType": "CONTENT"
              }
            ],
            "encEmbeddedKeyName": null,
            "encKeyIdType": "X509_CERTIFICATE",
            "encSymEncAlgorithm": "AES_128_CBC",
            "encKeyEncAlgorithm": "RSA",
            "encKeyStoreName": "encryption-keystore",
            "sigPartList": [
              {
                "name": "Body",
                "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
                "encodeType": "ELEMENT"
              }
            ],
            "sigCustomKeyIdentifier": null,
            "sigCustomKeyIdentifierValueType": null,
            "sigKeyIdType": "X509_CERTIFICATE",
            "sigSigAlgorithm": "RSA_SHA256",
            "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
            "sigDigAlgorithm": "SHA256",
            "sigUseSingleCert": false,
            "sigWsiBSPCompliant": false,
            "sigKeyStoreName": "signature-keystore",
            "wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer `{token}`
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example - Complete Configuration

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add WS-Security headers with Timestamp, UsernameToken, Encryption, and Signature",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": 300,
    "unUsername": "myuser",
    "unPassword": "mypassword",
    "unPasswordDecrypted": false,
    "unNonce": true,
    "unCreated": true,
    "unPasswordType": "PasswordText",
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": null,
    "encKeyIdType": "X509_CERTIFICATE",
    "encSymEncAlgorithm": "AES_128_CBC",
    "encKeyEncAlgorithm": "RSA",
    "encKeyStoreName": "encryption-keystore",
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      },
      {
        "name": "Timestamp",
        "namespace": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "signature-keystore",
    "wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
  }
}

Full JSON Body Example - Timestamp Only

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add only Timestamp to WS-Security header",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": 300,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [],
    "encEmbeddedKeyName": null,
    "encKeyIdType": null,
    "encSymEncAlgorithm": null,
    "encKeyEncAlgorithm": null,
    "encKeyStoreName": null,
    "sigPartList": [],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": null,
    "sigSigAlgorithm": null,
    "sigC14n": null,
    "sigDigAlgorithm": null,
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": null,
    "wsSecurityEntryOrderList": ["TIMESTAMP"]
  }
}

Full JSON Body Example - UsernameToken Only

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add only UsernameToken to WS-Security header",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": "myuser",
    "unPassword": "mypassword",
    "unPasswordDecrypted": false,
    "unNonce": true,
    "unCreated": true,
    "unPasswordType": "PasswordText",
    "encPartList": [],
    "encEmbeddedKeyName": null,
    "encKeyIdType": null,
    "encSymEncAlgorithm": null,
    "encKeyEncAlgorithm": null,
    "encKeyStoreName": null,
    "sigPartList": [],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": null,
    "sigSigAlgorithm": null,
    "sigC14n": null,
    "sigDigAlgorithm": null,
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": null,
    "wsSecurityEntryOrderList": ["USERNAME_TOKEN"]
  }
}

Full JSON Body Example - Encryption Only

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add only Encryption to WS-Security header",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": null,
    "encKeyIdType": "X509_CERTIFICATE",
    "encSymEncAlgorithm": "AES_256_CBC",
    "encKeyEncAlgorithm": "OAEP",
    "encKeyStoreName": "encryption-keystore",
    "sigPartList": [],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": null,
    "sigSigAlgorithm": null,
    "sigC14n": null,
    "sigDigAlgorithm": null,
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": null,
    "wsSecurityEntryOrderList": ["ENCRYPTION"]
  }
}

Full JSON Body Example - Signature Only

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add only Signature to WS-Security header",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [],
    "encEmbeddedKeyName": null,
    "encKeyIdType": null,
    "encSymEncAlgorithm": null,
    "encKeyEncAlgorithm": null,
    "encKeyStoreName": null,
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "signature-keystore",
    "wsSecurityEntryOrderList": ["SIGNATURE"]
  }
}

Full JSON Body Example - With Embedded Key

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add Encryption with embedded key",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": "embedded-key-alias",
    "encKeyIdType": "EMBEDDED_KEY_INFO",
    "encSymEncAlgorithm": "AES_128_CBC",
    "encKeyEncAlgorithm": "RSA",
    "encKeyStoreName": "encryption-keystore",
    "sigPartList": [],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": null,
    "sigSigAlgorithm": null,
    "sigC14n": null,
    "sigDigAlgorithm": null,
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": null,
    "wsSecurityEntryOrderList": ["ENCRYPTION"]
  }
}

Full JSON Body Example - With Custom Key Identifier

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add Signature with custom key identifier",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [],
    "encEmbeddedKeyName": null,
    "encKeyIdType": null,
    "encSymEncAlgorithm": null,
    "encKeyEncAlgorithm": null,
    "encKeyStoreName": null,
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": "custom-key-id-value",
    "sigCustomKeyIdentifierValueType": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary",
    "sigKeyIdType": "CUSTOM_KEY_INFO",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "signature-keystore",
    "wsSecurityEntryOrderList": ["SIGNATURE"]
  }
}

Request Body Fields

operationMetadata

Field	Type	Required	Default	Description
targetScope	string	Yes	-	Policy scope: `ALL` or `ENDPOINT`
targetEndpoint	string	No*	-	Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethod	string	No*	-	HTTP method (required if targetScope=ENDPOINT)
targetPipeline	string	Yes	-	Pipeline: `REQUEST`, `RESPONSE`, or `ERROR`
deploy	boolean	No	true	Whether to deploy after adding policy
deployTargetEnvironmentNameList	array	No	[]	List of environment names to deploy to
order	integer	No	null	Policy execution order (starts from 1)

Enum: targetScope

ALL - Policy applies to all endpoints
ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline

REQUEST - Executes in request pipeline (adds WS-Security to outgoing requests)
RESPONSE - Executes in response pipeline (adds WS-Security to outgoing responses)
ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod

GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD

policy

Field	Type	Required	Default	Description
type	string	Yes	-	Policy type: `policy-ws-security-to-target`
description	string	No	-	Policy description
active	boolean	No	true	Whether policy is active
mustUnderstand	boolean	No	true	WS-Security header mustUnderstand attribute
tsTimeToLive	integer	No*	null	Timestamp time to live in seconds (required if TIMESTAMP is in wsSecurityEntryOrderList, must be >= 0)
unUsername	string	No*	null	UsernameToken username (required if USERNAME_TOKEN is in wsSecurityEntryOrderList)
unPassword	string	No*	null	UsernameToken password (required if USERNAME_TOKEN is in wsSecurityEntryOrderList)
unPasswordDecrypted	boolean	No	false	Password is already decrypted flag
unNonce	boolean	No	false	Add nonce to UsernameToken
unCreated	boolean	No	false	Add created timestamp to UsernameToken
unPasswordType	string	No*	null	UsernameToken password type (required if USERNAME_TOKEN is in wsSecurityEntryOrderList). See EnumWsSecurityPasswordType
encPartList	array	No*	[]	Encryption parts list (required if ENCRYPTION is in wsSecurityEntryOrderList, at least one required). See WsSecurityToTargetPart
encEmbeddedKeyName	string	No	null	Embedded key name for encryption (used when encKeyIdType=EMBEDDED_KEY_INFO)
encKeyIdType	string	No*	null	Encryption key identifier type (required if ENCRYPTION is in wsSecurityEntryOrderList). See EnumWsSecurityKeyIdentifierType
encSymEncAlgorithm	string	No*	null	Symmetric encoding algorithm for encryption (required if ENCRYPTION is in wsSecurityEntryOrderList). See EnumWsSecuritySymmetricEncodingAlgorithm
encKeyEncAlgorithm	string	No*	null	Key encryption algorithm (required if ENCRYPTION is in wsSecurityEntryOrderList). See EnumWsSecurityKeyEncryptionAlgorithm
encKeyStoreName	string	No*	null	Encryption keystore name (required if ENCRYPTION is in wsSecurityEntryOrderList)
sigPartList	array	No*	[]	Signature parts list (required if SIGNATURE is in wsSecurityEntryOrderList, at least one required). See WsSecurityToTargetPart
sigCustomKeyIdentifier	string	No	null	Custom key identifier for signature (used when sigKeyIdType=CUSTOM_KEY_INFO)
sigCustomKeyIdentifierValueType	string	No*	null	Custom key identifier value type (required if sigCustomKeyIdentifier is provided)
sigKeyIdType	string	No*	null	Signature key identifier type (required if SIGNATURE is in wsSecurityEntryOrderList). See EnumWsSecurityKeyIdentifierType
sigSigAlgorithm	string	No	null	Signature algorithm. See EnumWsSecuritySignatureAlgorithm
sigC14n	string	No	null	Signature canonicalization method. See EnumWsSecuritySignatureCanonicalization
sigDigAlgorithm	string	No	null	Signature digest algorithm. See Enum Ws Security Signature Digest Algorithm
sigUseSingleCert	boolean	No	false	Use single certificate for signature
sigWsiBSPCompliant	boolean	No	false	WSI BSP compliance for signature
sigKeyStoreName	string	No*	null	Signature keystore name (required if SIGNATURE is in wsSecurityEntryOrderList)
wsSecurityEntryOrderList	array	Yes	-	WS-Security entry order list (at least one required). See EnumWsSecurityEntryType

EnumWsSecurityEntryType

TIMESTAMP - Add Timestamp element
USERNAME_TOKEN - Add UsernameToken element
ENCRYPTION - Add Encryption element
SIGNATURE - Add Signature element

Note: The order in the list determines the order of elements in the WS-Security header.

EnumWsSecurityPasswordType

PasswordText - Plain text password
PasswordDigest - Password digest (hashed password)

EnumWsSecurityKeyIdentifierType

BINARY_SECURITY_TOKEN - Binary Security Token
ISSUER_NAME_AND_SERIAL_NUMBER - Issuer Name and Serial Number
X509_CERTIFICATE - X509 Certificate (recommended)
SUBJECT_KEY_IDENTIFIER - Subject Key Identifier
THUMBPRINT_SHA1_IDENTIFIER - Thumbprint SHA1 Identifier
EMBEDDED_KEY_INFO - Embedded Key Info (requires encEmbeddedKeyName)
EMBED_SECURITY_TOKEN_REFERENCE - Embed Security Token Reference
CUSTOM_KEY_INFO - Custom Key Info (requires sigCustomKeyIdentifier)

EnumWsSecuritySignatureCanonicalization

C14N_OMIT_COMMENTS - C14N omit comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
C14N_WITH_COMMENTS - C14N with comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
C14N_EXCL_OMIT_COMMENTS - Exclusive C14N omit comments (http://www.w3.org/2001/10/xml-exc-c14n#) (recommended)
C14N_EXCL_WITH_COMMENTS - Exclusive C14N with comments (http://www.w3.org/2001/10/xml-exc-c14n#WithComments)
C14N_11_OMIT_COMMENTS - C14N 1.1 omit comments (http://www.w3.org/2006/12/xml-c14n11)
C14N_11_WITH_COMMENTS - C14N 1.1 with comments (http://www.w3.org/2006/12/xml-c14n11#WithComments)

Enum Ws Security Signature Digest Algorithm

SHA1 - SHA-1 (http://www.w3.org/2000/09/xmldsig#sha1)
SHA256 - SHA-256 (http://www.w3.org/2001/04/xmlenc#sha256) (recommended)
SHA384 - SHA-384 (http://www.w3.org/2001/04/xmldsig-more#sha384)
SHA512 - SHA-512 (http://www.w3.org/2001/04/xmlenc#sha512)
HMAC_SHA1 - HMAC SHA-1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1)
HMAC_SHA256 - HMAC SHA-256 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha256)
HMAC_SHA384 - HMAC SHA-384 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha384)
HMAC_SHA512 - HMAC SHA-512 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha512)
HMAC_MD5 - HMAC MD5 (http://www.w3.org/2001/04/xmldsig-more#hmac-md5)
MD5 - MD5 (http://www.w3.org/2001/04/xmldsig-more#md5)

Note

wsSecurityEntryOrderList must contain at least one entry type.
If TIMESTAMP is in wsSecurityEntryOrderList, tsTimeToLive is required and must be >= 0.
If USERNAME_TOKEN is in wsSecurityEntryOrderList, unUsername, unPassword, and unPasswordType are required.
If ENCRYPTION is in wsSecurityEntryOrderList, encKeyStoreName, encKeyIdType, encSymEncAlgorithm, encKeyEncAlgorithm, and encPartList (at least one) are required.
If SIGNATURE is in wsSecurityEntryOrderList, sigKeyStoreName, sigKeyIdType, and sigPartList (at least one) are required.
If encKeyIdType: EMBEDDED_KEY_INFO, encEmbeddedKeyName should be provided.
If sigKeyIdType: CUSTOM_KEY_INFO and sigCustomKeyIdentifier is provided, sigCustomKeyIdentifierValueType is required.

WsSecurityToTargetPart

Field	Type	Required	Default	Description
name	string	Yes	-	Part name (e.g., “Body”, “Timestamp”)
namespace	string	Yes	-	Part namespace URI
encodeType	string	Yes	-	Encode type. See EnumWsSecurityEncryptionPartEncodeType

EnumWsSecurityEncryptionPartEncodeType

CONTENT - Encrypt/sign content only
ELEMENT - Encrypt/sign entire element

Common Part Names and Namespaces

Body: name: "Body", namespace: "http://schemas.xmlsoap.org/soap/envelope/"
Timestamp: name: "Timestamp", namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UsernameToken: name: "UsernameToken", namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/ws-security-to-target-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-ws-security-to-target",
      "description": "Add WS-Security headers",
      "active": true,
      "mustUnderstand": true,
      "tsTimeToLive": 300,
      "unUsername": "myuser",
      "unPassword": "mypassword",
      "unPasswordType": "PasswordText",
      "encPartList": [
        {
          "name": "Body",
          "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
          "encodeType": "CONTENT"
        }
      ],
      "encKeyIdType": "X509_CERTIFICATE",
      "encSymEncAlgorithm": "AES_128_CBC",
      "encKeyEncAlgorithm": "RSA",
      "encKeyStoreName": "encryption-keystore",
      "sigPartList": [
        {
          "name": "Body",
          "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
          "encodeType": "ELEMENT"
        }
      ],
      "sigKeyIdType": "X509_CERTIFICATE",
      "sigSigAlgorithm": "RSA_SHA256",
      "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
      "sigDigAlgorithm": "SHA256",
      "sigKeyStoreName": "signature-keystore",
      "wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
    }
  }'

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer `{token}`
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["tester"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add WS-Security headers with Timestamp, UsernameToken, Encryption, and Signature",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": 300,
    "unUsername": "myuser",
    "unPassword": "mypassword",
    "unPasswordDecrypted": false,
    "unNonce": true,
    "unCreated": true,
    "unPasswordType": "PasswordText",
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": null,
    "encKeyIdType": "X509_CERTIFICATE",
    "encSymEncAlgorithm": "AES_128_CBC",
    "encKeyEncAlgorithm": "RSA",
    "encKeyStoreName": "test-keystores",
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      },
      {
        "name": "Timestamp",
        "namespace": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "test-keystores",
    "wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
  }
}

Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer `{token}`
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

Notes and Warnings

WS-Security Entry Order: The order of elements in wsSecurityEntryOrderList determines the order in the WS-Security header. Common orders:
- ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"] - Standard order
- ["TIMESTAMP", "SIGNATURE", "ENCRYPTION"] - Sign before encrypt
- ["ENCRYPTION", "SIGNATURE"] - Encrypt then sign
Timestamp:
- tsTimeToLive is in seconds
- Timestamp is used for replay attack prevention
UsernameToken:
- PasswordText - Plain text password (less secure)
- PasswordDigest - Hashed password (more secure, recommended)
- unNonce and unCreated add additional security
Encryption:
- AES_128_CBC, AES_192_CBC, AES_256_CBC - Symmetric encryption algorithms
- RSA - RSA v1.5 key encryption (legacy)
- OAEP - RSA-OAEP key encryption (recommended, more secure)
- EMBEDDED_KEY_INFO - Use embedded key (requires encEmbeddedKeyName)
Signature:
- RSA_SHA256, RSA_SHA384, RSA_SHA512 - Recommended RSA algorithms
- ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512 - Elliptic curve algorithms
- C14N_EXCL_OMIT_COMMENTS - Recommended canonicalization (exclusive, omit comments)
- SHA256, SHA384, SHA512 - Recommended digest algorithms
- sigUseSingleCert: true - Use single certificate (simpler, less secure)
- sigWsiBSPCompliant: true - WSI Basic Security Profile compliance
Key Stores:
- Encryption and signature keystores must be configured in Apinizer
- Keystores must contain appropriate certificates/keys
- Key identifier type must match keystore content
Parts:
- CONTENT - Encrypt/sign only the content (preserves element structure)
- ELEMENT - Encrypt/sign entire element (more secure)
Performance: WS-Security adds significant cryptographic processing overhead. Use for necessary security only.
Pipeline:
- REQUEST pipeline adds WS-Security to outgoing requests
- RESPONSE pipeline adds WS-Security to outgoing responses
Error Handling: Invalid keystore, missing keys, or configuration errors cause policy to fail
Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.

List Policies - List all policies
Add Policy - General policy addition guide
Update Policy - General policy update guide
Delete Policy - General policy deletion guide
WS Security From Target Policy - Process WS-Security from backend

Home

​General Information

​Policy Type

​Endpoints

​List Policies

​Add Policy

​Update Policy

​Delete Policy

​List Policies

​Endpoint

​Request

​Headers

​Path Parameters

​Response

​Success Response (200 OK)

​cURL Example

​Add Policy

​Endpoint

​Request

​Headers

​Path Parameters

​Request Body

Full JSON Body Example - Complete Configuration

Full JSON Body Example - Timestamp Only

Full JSON Body Example - UsernameToken Only

Full JSON Body Example - Encryption Only

Full JSON Body Example - Signature Only

Full JSON Body Example - With Embedded Key

Full JSON Body Example - With Custom Key Identifier

​Request Body Fields

operationMetadata

policy

​EnumWsSecurityEntryType

​EnumWsSecurityPasswordType

​EnumWsSecurityKeyIdentifierType

​EnumWsSecuritySymmetricEncodingAlgorithm

​EnumWsSecurityKeyEncryptionAlgorithm

​EnumWsSecuritySignatureAlgorithm

​EnumWsSecuritySignatureCanonicalization

​Enum Ws Security Signature Digest Algorithm

​Note

​WsSecurityToTargetPart

​EnumWsSecurityEncryptionPartEncodeType

​Common Part Names and Namespaces

​Response

​Success Response (200 OK)

​cURL Example

​Update Policy

​Endpoint

​Request

​Headers

​Path Parameters

​Request Body

Full JSON Body Example

​Response

​Success Response (200 OK)

​Delete Policy

​Endpoint

​Request

​Headers

​Path Parameters

​Request Body

Full JSON Body Example

​Response

​Success Response (200 OK)

​Notes and Warnings

​Related Documentation

General Information

Policy Type

Endpoints

List Policies

Add Policy

Update Policy

Delete Policy

List Policies

Endpoint

Request

Headers

Path Parameters

Response

Success Response (200 OK)

cURL Example

Add Policy

Endpoint

Request

Headers

Path Parameters

Request Body

Request Body Fields

EnumWsSecurityEntryType

EnumWsSecurityPasswordType

EnumWsSecurityKeyIdentifierType

EnumWsSecuritySymmetricEncodingAlgorithm

EnumWsSecurityKeyEncryptionAlgorithm

EnumWsSecuritySignatureAlgorithm

EnumWsSecuritySignatureCanonicalization

Enum Ws Security Signature Digest Algorithm

Note

WsSecurityToTargetPart

EnumWsSecurityEncryptionPartEncodeType

Common Part Names and Namespaces

Response

Success Response (200 OK)

cURL Example

Update Policy

Endpoint

Request

Headers

Path Parameters

Request Body

Response

Success Response (200 OK)

Delete Policy

Endpoint

Request

Headers

Path Parameters

Request Body

Response

Success Response (200 OK)

Notes and Warnings

Related Documentation