WS Security Sign Policy
General Information
Policy Type
policy-ws-security-sign
UI Documentation
📖 For detailed information: [UI Documentation Link - Link will be added here]
Description
WS Security Sign policy adds WS-Security Signature element to SOAP requests before forwarding to the backend service. It signs specified SOAP message parts according to WS-Security standards to ensure message integrity and authenticity.
Endpoints
List Policies
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Add Policy
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Update Policy
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Delete Policy
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
List Policies
Endpoint
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
Response
Success Response (200 OK)
{
"success": true,
"resultList": [
{
"apiProxy": {
"name": "MyAPI",
"requestPolicyList": [
{
"type": "policy-ws-security-sign",
"name": "ws-security-sign-policy",
"description": "Sign SOAP message parts",
"active": true,
"mustUnderstand": true,
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": "signature-keystore"
}
],
"responsePolicyList": [],
"errorPolicyList": []
}
}
],
"resultCount": 1
}
cURL Example
curl -X GET \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
-H "Authorization: Bearer YOUR_TOKEN"
Add Policy
Endpoint
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example - Standard Signature
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-sign",
"description": "Sign SOAP message body",
"active": true,
"mustUnderstand": true,
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": "signature-keystore"
}
}
Full JSON Body Example - Multiple Parts
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-sign",
"description": "Sign multiple SOAP parts",
"active": true,
"mustUnderstand": true,
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
},
{
"name": "Timestamp",
"namespace": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": "signature-keystore"
}
}
Full JSON Body Example - With Custom Key Identifier
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-sign",
"description": "Sign with custom key identifier",
"active": true,
"mustUnderstand": true,
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": "custom-key-id-value",
"sigCustomKeyIdentifierValueType": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary",
"sigKeyIdType": "CUSTOM_KEY_INFO",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": false,
"sigKeyStoreName": "signature-keystore"
}
}
Full JSON Body Example - WSI BSP Compliant
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-sign",
"description": "Sign with WSI BSP compliance",
"active": true,
"mustUnderstand": true,
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigUseSingleCert": false,
"sigWsiBSPCompliant": true,
"sigKeyStoreName": "signature-keystore"
}
}
Request Body Fields
operationMetadata
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetScope | string | Yes | - | Policy scope: ALL or ENDPOINT |
| targetEndpoint | string | No* | - | Endpoint path (required if targetScope=ENDPOINT) |
| targetEndpointHTTPMethod | string | No* | - | HTTP method (required if targetScope=ENDPOINT) |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | true | Whether to deploy after adding policy |
| deployTargetEnvironmentNameList | array | No | [] | List of environment names to deploy to |
| order | integer | No | null | Policy execution order (starts from 1) |
Enum: targetScope
ALL- Policy applies to all endpointsENDPOINT- Policy applies only to specified endpoint
Enum: targetPipeline
REQUEST- Executes in request pipeline (signs outgoing requests)RESPONSE- Executes in response pipeline (signs outgoing responses)ERROR- Executes in error pipeline
Enum: targetEndpointHTTPMethod
GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD
policy
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| type | string | Yes | - | Policy type: policy-ws-security-sign |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether policy is active |
| mustUnderstand | boolean | No | true | WS-Security header mustUnderstand attribute |
| sigPartList | array | No | [] | Signature parts list. See WsSecurityToTargetPart |
| sigCustomKeyIdentifier | string | No | null | Custom key identifier for signature (used when sigKeyIdType=CUSTOM_KEY_INFO) |
| sigCustomKeyIdentifierValueType | string | No* | null | Custom key identifier value type (required if sigCustomKeyIdentifier is provided) |
| sigKeyIdType | string | No | null | Signature key identifier type. See EnumWsSecurityKeyIdentifierType |
| sigSigAlgorithm | string | Yes | - | Signature algorithm. See EnumWsSecuritySignatureAlgorithm |
| sigC14n | string | Yes | - | Signature canonicalization method. See EnumWsSecuritySignatureCanonicalization |
| sigDigAlgorithm | string | Yes | - | Signature digest algorithm. See Enum Ws Security Signature Digest Algorithm |
| sigUseSingleCert | boolean | No | false | Use single certificate for signature |
| sigWsiBSPCompliant | boolean | No | false | WSI BSP compliance for signature |
| sigKeyStoreName | string | Yes | - | Signature keystore name |
EnumWsSecurityKeyIdentifierType
BINARY_SECURITY_TOKEN- Binary Security TokenISSUER_NAME_AND_SERIAL_NUMBER- Issuer Name and Serial NumberX509_CERTIFICATE- X509 Certificate (recommended)SUBJECT_KEY_IDENTIFIER- Subject Key IdentifierTHUMBPRINT_SHA1_IDENTIFIER- Thumbprint SHA1 IdentifierEMBEDDED_KEY_INFO- Embedded Key InfoEMBED_SECURITY_TOKEN_REFERENCE- Embed Security Token ReferenceCUSTOM_KEY_INFO- Custom Key Info (requires sigCustomKeyIdentifier)
EnumWsSecuritySignatureAlgorithm
RSA_SHA1- RSA SHA-1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)RSA_SHA256- RSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) (recommended)RSA_SHA384- RSA SHA-384 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha384)RSA_SHA512- RSA SHA-512 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha512)DSA_SHA1- DSA SHA-1 (http://www.w3.org/2000/09/xmldsig#dsa-sha1)DSA_SHA256- DSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#dsa-sha256)ECDSA_SHA1- ECDSA SHA-1 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1)ECDSA_SHA256- ECDSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256)ECDSA_SHA384- ECDSA SHA-384 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384)ECDSA_SHA512- ECDSA SHA-512 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512)HMAC_SHA1- HMAC SHA-1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1)HMAC_SHA256- HMAC SHA-256 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha256)HMAC_SHA384- HMAC SHA-384 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha384)HMAC_SHA512- HMAC SHA-512 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha512)
EnumWsSecuritySignatureCanonicalization
C14N_OMIT_COMMENTS- C14N omit comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315)C14N_WITH_COMMENTS- C14N with comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)C14N_EXCL_OMIT_COMMENTS- Exclusive C14N omit comments (http://www.w3.org/2001/10/xml-exc-c14n#) (recommended)C14N_EXCL_WITH_COMMENTS- Exclusive C14N with comments (http://www.w3.org/2001/10/xml-exc-c14n#WithComments)C14N_11_OMIT_COMMENTS- C14N 1.1 omit comments (http://www.w3.org/2006/12/xml-c14n11)C14N_11_WITH_COMMENTS- C14N 1.1 with comments (http://www.w3.org/2006/12/xml-c14n11#WithComments)
Enum Ws Security Signature Digest Algorithm
SHA1- SHA-1 (http://www.w3.org/2000/09/xmldsig#sha1)SHA256- SHA-256 (http://www.w3.org/2001/04/xmlenc#sha256) (recommended)SHA384- SHA-384 (http://www.w3.org/2001/04/xmldsig-more#sha384)SHA512- SHA-512 (http://www.w3.org/2001/04/xmlenc#sha512)HMAC_SHA1- HMAC SHA-1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1)HMAC_SHA256- HMAC SHA-256 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha256)HMAC_SHA384- HMAC SHA-384 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha384)HMAC_SHA512- HMAC SHA-512 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha512)HMAC_MD5- HMAC MD5 (http://www.w3.org/2001/04/xmldsig-more#hmac-md5)MD5- MD5 (http://www.w3.org/2001/04/xmldsig-more#md5)
Note
sigKeyStoreName,sigSigAlgorithm,sigC14n, andsigDigAlgorithmare required.- If
sigKeyIdType: CUSTOM_KEY_INFOandsigCustomKeyIdentifieris provided,sigCustomKeyIdentifierValueTypeis required.
WsSecurityToTargetPart
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | Part name (e.g., “Body”, “Timestamp”) |
| namespace | string | Yes | - | Part namespace URI |
| encodeType | string | Yes | - | Encode type. See EnumWsSecurityEncryptionPartEncodeType |
EnumWsSecurityEncryptionPartEncodeType
CONTENT- Sign content onlyELEMENT- Sign entire element
Common Part Names and Namespaces
- Body:
name: "Body",namespace: "http://schemas.xmlsoap.org/soap/envelope/" - Timestamp:
name: "Timestamp",namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" - UsernameToken:
name: "UsernameToken",namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
cURL Example
curl -X POST \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/ws-security-sign-policy/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-sign",
"description": "Sign SOAP message body",
"active": true,
"mustUnderstand": true,
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA256",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA256",
"sigKeyStoreName": "signature-keystore"
}
}'
Update Policy
Endpoint
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-ws-security-sign",
"description": "Updated: Sign SOAP body and header with stronger algorithms",
"active": true,
"mustUnderstand": true,
"sigPartList": [
{
"name": "Body",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
},
{
"name": "Header",
"namespace": "http://schemas.xmlsoap.org/soap/envelope/",
"encodeType": "ELEMENT"
}
],
"sigCustomKeyIdentifier": null,
"sigCustomKeyIdentifierValueType": null,
"sigKeyIdType": "X509_CERTIFICATE",
"sigSigAlgorithm": "RSA_SHA512",
"sigC14n": "C14N_EXCL_OMIT_COMMENTS",
"sigDigAlgorithm": "SHA512",
"sigUseSingleCert": true,
"sigWsiBSPCompliant": true,
"sigKeyStoreName": "test-keystores"
}
}
Note: Request body structure is the same as Add Policy. All fields should be provided for update.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
Delete Policy
Endpoint
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": false
}
}
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": []
}
}
Notes and Warnings
- Signature Algorithms:
RSA_SHA256,RSA_SHA384,RSA_SHA512- Recommended RSA algorithmsECDSA_SHA256,ECDSA_SHA384,ECDSA_SHA512- Elliptic curve algorithmsHMAC_SHA256,HMAC_SHA384,HMAC_SHA512- HMAC algorithms (symmetric)
- Canonicalization:
C14N_EXCL_OMIT_COMMENTS- Recommended (exclusive, omit comments)- Exclusive C14N is more secure and widely supported
- Digest Algorithms:
SHA256,SHA384,SHA512- Recommended digest algorithms- SHA-1 and MD5 are deprecated and should be avoided
- Key Identifier Types:
X509_CERTIFICATE- Most common and recommendedCUSTOM_KEY_INFO- Use custom key identifier (requiressigCustomKeyIdentifierandsigCustomKeyIdentifierValueType)
- Parts:
CONTENT- Sign only the content (preserves element structure)ELEMENT- Sign entire element (more secure)
- Single Certificate:
sigUseSingleCert: true- Use single certificate (simpler, less secure)sigUseSingleCert: false- Use certificate chain (more secure, recommended)
- WSI BSP Compliance:
sigWsiBSPCompliant: true- WSI Basic Security Profile compliance- Ensures compatibility with WSI BSP standards
- Key Store:
- Signature keystore must be configured in Apinizer
- Keystore must contain appropriate private keys/certificates
- Key identifier type must match keystore content
- Performance: Signing adds significant cryptographic processing overhead. Use for necessary security only.
- Pipeline:
REQUESTpipeline signs outgoing requestsRESPONSEpipeline signs outgoing responses
- Error Handling: Invalid keystore, missing keys, or configuration errors cause policy to fail
- Deployment: Policy changes require deployment to take effect. Set
deploy: trueor deploy manually.
Related Documentation
- List Policies - List all policies
- Add Policy - General policy addition guide
- Update Policy - General policy update guide
- Delete Policy - General policy deletion guide
- WS Security Sign Validation Policy - Verify WS-Security signatures