WS Security To Target Policy

General Information

Policy Type

policy-ws-security-to-target

UI Documentation

📖 For detailed information: [UI Documentation Link - Link will be added here]

Description

WS Security To Target policy adds WS-Security headers to SOAP requests before forwarding to the backend service. It can add Timestamp, UsernameToken, Encryption, and Signature elements to the SOAP message according to WS-Security standards.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

---

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header	Value
Authorization	Bearer {token}

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-ws-security-to-target",
            "name": "ws-security-to-target-policy",
            "description": "Add WS-Security headers to SOAP requests",
            "active": true,
            "mustUnderstand": true,
            "tsTimeToLive": 300,
            "unUsername": "myuser",
            "unPassword": null,
            "unPasswordDecrypted": false,
            "unNonce": true,
            "unCreated": true,
            "unPasswordType": "PasswordText",
            "encPartList": [
              {
                "name": "Body",
                "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
                "encodeType": "CONTENT"
              }
            ],
            "encEmbeddedKeyName": null,
            "encKeyIdType": "X509_CERTIFICATE",
            "encSymEncAlgorithm": "AES_128_CBC",
            "encKeyEncAlgorithm": "RSA",
            "encKeyStoreName": "encryption-keystore",
            "sigPartList": [
              {
                "name": "Body",
                "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
                "encodeType": "ELEMENT"
              }
            ],
            "sigCustomKeyIdentifier": null,
            "sigCustomKeyIdentifierValueType": null,
            "sigKeyIdType": "X509_CERTIFICATE",
            "sigSigAlgorithm": "RSA_SHA256",
            "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
            "sigDigAlgorithm": "SHA256",
            "sigUseSingleCert": false,
            "sigWsiBSPCompliant": false,
            "sigKeyStoreName": "signature-keystore",
            "wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

---

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer {token}
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example - Complete Configuration

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add WS-Security headers with Timestamp, UsernameToken, Encryption, and Signature",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": 300,
    "unUsername": "myuser",
    "unPassword": "mypassword",
    "unPasswordDecrypted": false,
    "unNonce": true,
    "unCreated": true,
    "unPasswordType": "PasswordText",
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": null,
    "encKeyIdType": "X509_CERTIFICATE",
    "encSymEncAlgorithm": "AES_128_CBC",
    "encKeyEncAlgorithm": "RSA",
    "encKeyStoreName": "encryption-keystore",
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      },
      {
        "name": "Timestamp",
        "namespace": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "signature-keystore",
    "wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
  }
}

Full JSON Body Example - Timestamp Only

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add only Timestamp to WS-Security header",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": 300,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [],
    "encEmbeddedKeyName": null,
    "encKeyIdType": null,
    "encSymEncAlgorithm": null,
    "encKeyEncAlgorithm": null,
    "encKeyStoreName": null,
    "sigPartList": [],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": null,
    "sigSigAlgorithm": null,
    "sigC14n": null,
    "sigDigAlgorithm": null,
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": null,
    "wsSecurityEntryOrderList": ["TIMESTAMP"]
  }
}

Full JSON Body Example - UsernameToken Only

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add only UsernameToken to WS-Security header",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": "myuser",
    "unPassword": "mypassword",
    "unPasswordDecrypted": false,
    "unNonce": true,
    "unCreated": true,
    "unPasswordType": "PasswordText",
    "encPartList": [],
    "encEmbeddedKeyName": null,
    "encKeyIdType": null,
    "encSymEncAlgorithm": null,
    "encKeyEncAlgorithm": null,
    "encKeyStoreName": null,
    "sigPartList": [],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": null,
    "sigSigAlgorithm": null,
    "sigC14n": null,
    "sigDigAlgorithm": null,
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": null,
    "wsSecurityEntryOrderList": ["USERNAME_TOKEN"]
  }
}

Full JSON Body Example - Encryption Only

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add only Encryption to WS-Security header",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": null,
    "encKeyIdType": "X509_CERTIFICATE",
    "encSymEncAlgorithm": "AES_256_CBC",
    "encKeyEncAlgorithm": "OAEP",
    "encKeyStoreName": "encryption-keystore",
    "sigPartList": [],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": null,
    "sigSigAlgorithm": null,
    "sigC14n": null,
    "sigDigAlgorithm": null,
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": null,
    "wsSecurityEntryOrderList": ["ENCRYPTION"]
  }
}

Full JSON Body Example - Signature Only

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add only Signature to WS-Security header",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [],
    "encEmbeddedKeyName": null,
    "encKeyIdType": null,
    "encSymEncAlgorithm": null,
    "encKeyEncAlgorithm": null,
    "encKeyStoreName": null,
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "signature-keystore",
    "wsSecurityEntryOrderList": ["SIGNATURE"]
  }
}

Full JSON Body Example - With Embedded Key

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add Encryption with embedded key",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": "embedded-key-alias",
    "encKeyIdType": "EMBEDDED_KEY_INFO",
    "encSymEncAlgorithm": "AES_128_CBC",
    "encKeyEncAlgorithm": "RSA",
    "encKeyStoreName": "encryption-keystore",
    "sigPartList": [],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": null,
    "sigSigAlgorithm": null,
    "sigC14n": null,
    "sigDigAlgorithm": null,
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": null,
    "wsSecurityEntryOrderList": ["ENCRYPTION"]
  }
}

Full JSON Body Example - With Custom Key Identifier

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add Signature with custom key identifier",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": null,
    "unUsername": null,
    "unPassword": null,
    "unPasswordDecrypted": false,
    "unNonce": false,
    "unCreated": false,
    "unPasswordType": null,
    "encPartList": [],
    "encEmbeddedKeyName": null,
    "encKeyIdType": null,
    "encSymEncAlgorithm": null,
    "encKeyEncAlgorithm": null,
    "encKeyStoreName": null,
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": "custom-key-id-value",
    "sigCustomKeyIdentifierValueType": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary",
    "sigKeyIdType": "CUSTOM_KEY_INFO",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "signature-keystore",
    "wsSecurityEntryOrderList": ["SIGNATURE"]
  }
}

Request Body Fields

operationMetadata

Field	Type	Required	Default	Description
targetScope	string	Yes	-	Policy scope: ALL or ENDPOINT
targetEndpoint	string	No*	-	Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethod	string	No*	-	HTTP method (required if targetScope=ENDPOINT)
targetPipeline	string	Yes	-	Pipeline: REQUEST, RESPONSE, or ERROR
deploy	boolean	No	true	Whether to deploy after adding policy
deployTargetEnvironmentNameList	array	No	[]	List of environment names to deploy to
order	integer	No	null	Policy execution order (starts from 1)

Enum: targetScope

• ALL - Policy applies to all endpoints
• ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline

• REQUEST - Executes in request pipeline (adds WS-Security to outgoing requests)
• RESPONSE - Executes in response pipeline (adds WS-Security to outgoing responses)
• ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod

• GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD

policy

Field	Type	Required	Default	Description
type	string	Yes	-	Policy type: policy-ws-security-to-target
description	string	No	-	Policy description
active	boolean	No	true	Whether policy is active
mustUnderstand	boolean	No	true	WS-Security header mustUnderstand attribute
tsTimeToLive	integer	No*	null	Timestamp time to live in seconds (required if TIMESTAMP is in wsSecurityEntryOrderList, must be >= 0)
unUsername	string	No*	null	UsernameToken username (required if USERNAME_TOKEN is in wsSecurityEntryOrderList)
unPassword	string	No*	null	UsernameToken password (required if USERNAME_TOKEN is in wsSecurityEntryOrderList)
unPasswordDecrypted	boolean	No	false	Password is already decrypted flag
unNonce	boolean	No	false	Add nonce to UsernameToken
unCreated	boolean	No	false	Add created timestamp to UsernameToken
unPasswordType	string	No*	null	UsernameToken password type (required if USERNAME_TOKEN is in wsSecurityEntryOrderList). See EnumWsSecurityPasswordType
encPartList	array	No*	[]	Encryption parts list (required if ENCRYPTION is in wsSecurityEntryOrderList, at least one required). See WsSecurityToTargetPart
encEmbeddedKeyName	string	No	null	Embedded key name for encryption (used when encKeyIdType=EMBEDDED_KEY_INFO)
encKeyIdType	string	No*	null	Encryption key identifier type (required if ENCRYPTION is in wsSecurityEntryOrderList). See EnumWsSecurityKeyIdentifierType
encSymEncAlgorithm	string	No*	null	Symmetric encoding algorithm for encryption (required if ENCRYPTION is in wsSecurityEntryOrderList). See EnumWsSecuritySymmetricEncodingAlgorithm
encKeyEncAlgorithm	string	No*	null	Key encryption algorithm (required if ENCRYPTION is in wsSecurityEntryOrderList). See EnumWsSecurityKeyEncryptionAlgorithm
encKeyStoreName	string	No*	null	Encryption keystore name (required if ENCRYPTION is in wsSecurityEntryOrderList)
sigPartList	array	No*	[]	Signature parts list (required if SIGNATURE is in wsSecurityEntryOrderList, at least one required). See WsSecurityToTargetPart
sigCustomKeyIdentifier	string	No	null	Custom key identifier for signature (used when sigKeyIdType=CUSTOM_KEY_INFO)
sigCustomKeyIdentifierValueType	string	No*	null	Custom key identifier value type (required if sigCustomKeyIdentifier is provided)
sigKeyIdType	string	No*	null	Signature key identifier type (required if SIGNATURE is in wsSecurityEntryOrderList). See EnumWsSecurityKeyIdentifierType
sigSigAlgorithm	string	No	null	Signature algorithm. See EnumWsSecuritySignatureAlgorithm
sigC14n	string	No	null	Signature canonicalization method. See EnumWsSecuritySignatureCanonicalization
sigDigAlgorithm	string	No	null	Signature digest algorithm. See Enum Ws Security Signature Digest Algorithm
sigUseSingleCert	boolean	No	false	Use single certificate for signature
sigWsiBSPCompliant	boolean	No	false	WSI BSP compliance for signature
sigKeyStoreName	string	No*	null	Signature keystore name (required if SIGNATURE is in wsSecurityEntryOrderList)
wsSecurityEntryOrderList	array	Yes	-	WS-Security entry order list (at least one required). See EnumWsSecurityEntryType

EnumWsSecurityEntryType

• TIMESTAMP - Add Timestamp element
• USERNAME_TOKEN - Add UsernameToken element
• ENCRYPTION - Add Encryption element
• SIGNATURE - Add Signature element

Note: The order in the list determines the order of elements in the WS-Security header.

EnumWsSecurityPasswordType

• PasswordText - Plain text password
• PasswordDigest - Password digest (hashed password)

EnumWsSecurityKeyIdentifierType

• BINARY_SECURITY_TOKEN - Binary Security Token
• ISSUER_NAME_AND_SERIAL_NUMBER - Issuer Name and Serial Number
• X509_CERTIFICATE - X509 Certificate (recommended)
• SUBJECT_KEY_IDENTIFIER - Subject Key Identifier
• THUMBPRINT_SHA1_IDENTIFIER - Thumbprint SHA1 Identifier
• EMBEDDED_KEY_INFO - Embedded Key Info (requires encEmbeddedKeyName)
• EMBED_SECURITY_TOKEN_REFERENCE - Embed Security Token Reference
• CUSTOM_KEY_INFO - Custom Key Info (requires sigCustomKeyIdentifier)

EnumWsSecuritySymmetricEncodingAlgorithm

• AES_128_CBC - AES-128-CBC (http://www.w3.org/2001/04/xmlenc#aes128-cbc)
• AES_192_CBC - AES-192-CBC (http://www.w3.org/2001/04/xmlenc#aes192-cbc)
• AES_256_CBC - AES-256-CBC (http://www.w3.org/2001/04/xmlenc#aes256-cbc)

EnumWsSecurityKeyEncryptionAlgorithm

• RSA - RSA v1.5 (http://www.w3.org/2001/04/xmlenc#rsa-1_5)
• OAEP - RSA-OAEP (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p)

EnumWsSecuritySignatureAlgorithm

• RSA_SHA1 - RSA SHA-1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)
• RSA_SHA256 - RSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) (recommended)
• RSA_SHA384 - RSA SHA-384 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha384)
• RSA_SHA512 - RSA SHA-512 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha512)
• DSA_SHA1 - DSA SHA-1 (http://www.w3.org/2000/09/xmldsig#dsa-sha1)
• DSA_SHA256 - DSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#dsa-sha256)
• ECDSA_SHA1 - ECDSA SHA-1 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1)
• ECDSA_SHA256 - ECDSA SHA-256 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256)
• ECDSA_SHA384 - ECDSA SHA-384 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384)
• ECDSA_SHA512 - ECDSA SHA-512 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512)
• HMAC_SHA1 - HMAC SHA-1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1)
• HMAC_SHA256 - HMAC SHA-256 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha256)
• HMAC_SHA384 - HMAC SHA-384 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha384)
• HMAC_SHA512 - HMAC SHA-512 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha512)

EnumWsSecuritySignatureCanonicalization

• C14N_OMIT_COMMENTS - C14N omit comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
• C14N_WITH_COMMENTS - C14N with comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
• C14N_EXCL_OMIT_COMMENTS - Exclusive C14N omit comments (http://www.w3.org/2001/10/xml-exc-c14n#) (recommended)
• C14N_EXCL_WITH_COMMENTS - Exclusive C14N with comments (http://www.w3.org/2001/10/xml-exc-c14n#WithComments)
• C14N_11_OMIT_COMMENTS - C14N 1.1 omit comments (http://www.w3.org/2006/12/xml-c14n11)
• C14N_11_WITH_COMMENTS - C14N 1.1 with comments (http://www.w3.org/2006/12/xml-c14n11#WithComments)

Enum Ws Security Signature Digest Algorithm

• SHA1 - SHA-1 (http://www.w3.org/2000/09/xmldsig#sha1)
• SHA256 - SHA-256 (http://www.w3.org/2001/04/xmlenc#sha256) (recommended)
• SHA384 - SHA-384 (http://www.w3.org/2001/04/xmldsig-more#sha384)
• SHA512 - SHA-512 (http://www.w3.org/2001/04/xmlenc#sha512)
• HMAC_SHA1 - HMAC SHA-1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1)
• HMAC_SHA256 - HMAC SHA-256 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha256)
• HMAC_SHA384 - HMAC SHA-384 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha384)
• HMAC_SHA512 - HMAC SHA-512 (http://www.w3.org/2001/04/xmldsig-more#hmac-sha512)
• HMAC_MD5 - HMAC MD5 (http://www.w3.org/2001/04/xmldsig-more#hmac-md5)
• MD5 - MD5 (http://www.w3.org/2001/04/xmldsig-more#md5)

Note

• wsSecurityEntryOrderList must contain at least one entry type.
• If TIMESTAMP is in wsSecurityEntryOrderList, tsTimeToLive is required and must be >= 0.
• If USERNAME_TOKEN is in wsSecurityEntryOrderList, unUsername, unPassword, and unPasswordType are required.
• If ENCRYPTION is in wsSecurityEntryOrderList, encKeyStoreName, encKeyIdType, encSymEncAlgorithm, encKeyEncAlgorithm, and encPartList (at least one) are required.
• If SIGNATURE is in wsSecurityEntryOrderList, sigKeyStoreName, sigKeyIdType, and sigPartList (at least one) are required.
• If encKeyIdType: EMBEDDED_KEY_INFO, encEmbeddedKeyName should be provided.
• If sigKeyIdType: CUSTOM_KEY_INFO and sigCustomKeyIdentifier is provided, sigCustomKeyIdentifierValueType is required.

WsSecurityToTargetPart

Field	Type	Required	Default	Description
name	string	Yes	-	Part name (e.g., “Body”, “Timestamp”)
namespace	string	Yes	-	Part namespace URI
encodeType	string	Yes	-	Encode type. See EnumWsSecurityEncryptionPartEncodeType

EnumWsSecurityEncryptionPartEncodeType

• CONTENT - Encrypt/sign content only
• ELEMENT - Encrypt/sign entire element

Common Part Names and Namespaces

• Body: name: "Body", namespace: "http://schemas.xmlsoap.org/soap/envelope/"
• Timestamp: name: "Timestamp", namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
• UsernameToken: name: "UsernameToken", namespace: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/ws-security-to-target-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-ws-security-to-target",
      "description": "Add WS-Security headers",
      "active": true,
      "mustUnderstand": true,
      "tsTimeToLive": 300,
      "unUsername": "myuser",
      "unPassword": "mypassword",
      "unPasswordType": "PasswordText",
      "encPartList": [
        {
          "name": "Body",
          "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
          "encodeType": "CONTENT"
        }
      ],
      "encKeyIdType": "X509_CERTIFICATE",
      "encSymEncAlgorithm": "AES_128_CBC",
      "encKeyEncAlgorithm": "RSA",
      "encKeyStoreName": "encryption-keystore",
      "sigPartList": [
        {
          "name": "Body",
          "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
          "encodeType": "ELEMENT"
        }
      ],
      "sigKeyIdType": "X509_CERTIFICATE",
      "sigSigAlgorithm": "RSA_SHA256",
      "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
      "sigDigAlgorithm": "SHA256",
      "sigKeyStoreName": "signature-keystore",
      "wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
    }
  }'

---

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer {token}
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["tester"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-to-target",
    "description": "Add WS-Security headers with Timestamp, UsernameToken, Encryption, and Signature",
    "active": true,
    "mustUnderstand": true,
    "tsTimeToLive": 300,
    "unUsername": "myuser",
    "unPassword": "mypassword",
    "unPasswordDecrypted": false,
    "unNonce": true,
    "unCreated": true,
    "unPasswordType": "PasswordText",
    "encPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "CONTENT"
      }
    ],
    "encEmbeddedKeyName": null,
    "encKeyIdType": "X509_CERTIFICATE",
    "encSymEncAlgorithm": "AES_128_CBC",
    "encKeyEncAlgorithm": "RSA",
    "encKeyStoreName": "test-keystores",
    "sigPartList": [
      {
        "name": "Body",
        "namespace": "http://schemas.xmlsoap.org/soap/envelope/",
        "encodeType": "ELEMENT"
      },
      {
        "name": "Timestamp",
        "namespace": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
        "encodeType": "ELEMENT"
      }
    ],
    "sigCustomKeyIdentifier": null,
    "sigCustomKeyIdentifierValueType": null,
    "sigKeyIdType": "X509_CERTIFICATE",
    "sigSigAlgorithm": "RSA_SHA256",
    "sigC14n": "C14N_EXCL_OMIT_COMMENTS",
    "sigDigAlgorithm": "SHA256",
    "sigUseSingleCert": false,
    "sigWsiBSPCompliant": false,
    "sigKeyStoreName": "test-keystores",
    "wsSecurityEntryOrderList": ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"]
  }
}

Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

---

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer {token}
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

---

Notes and Warnings

• WS-Security Entry Order: The order of elements in wsSecurityEntryOrderList determines the order in the WS-Security header. Common orders:
  • ["TIMESTAMP", "USERNAME_TOKEN", "ENCRYPTION", "SIGNATURE"] - Standard order
  • ["TIMESTAMP", "SIGNATURE", "ENCRYPTION"] - Sign before encrypt
  • ["ENCRYPTION", "SIGNATURE"] - Encrypt then sign
• Timestamp:
  • tsTimeToLive is in seconds
  • Timestamp is used for replay attack prevention
• UsernameToken:
  • PasswordText - Plain text password (less secure)
  • PasswordDigest - Hashed password (more secure, recommended)
  • unNonce and unCreated add additional security
• Encryption:
  • AES_128_CBC, AES_192_CBC, AES_256_CBC - Symmetric encryption algorithms
  • RSA - RSA v1.5 key encryption (legacy)
  • OAEP - RSA-OAEP key encryption (recommended, more secure)
  • EMBEDDED_KEY_INFO - Use embedded key (requires encEmbeddedKeyName)
• Signature:
  • RSA_SHA256, RSA_SHA384, RSA_SHA512 - Recommended RSA algorithms
  • ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512 - Elliptic curve algorithms
  • C14N_EXCL_OMIT_COMMENTS - Recommended canonicalization (exclusive, omit comments)
  • SHA256, SHA384, SHA512 - Recommended digest algorithms
  • sigUseSingleCert: true - Use single certificate (simpler, less secure)
  • sigWsiBSPCompliant: true - WSI Basic Security Profile compliance
• Key Stores:
  • Encryption and signature keystores must be configured in Apinizer
  • Keystores must contain appropriate certificates/keys
  • Key identifier type must match keystore content
• Parts:
  • CONTENT - Encrypt/sign only the content (preserves element structure)
  • ELEMENT - Encrypt/sign entire element (more secure)
• Performance: WS-Security adds significant cryptographic processing overhead. Use for necessary security only.
• Pipeline:
  • REQUEST pipeline adds WS-Security to outgoing requests
  • RESPONSE pipeline adds WS-Security to outgoing responses
• Error Handling: Invalid keystore, missing keys, or configuration errors cause policy to fail
• Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.

Related Documentation

• List Policies - List all policies
• Add Policy - General policy addition guide
• Update Policy - General policy update guide
• Delete Policy - General policy deletion guide
• WS Security From Target Policy - Process WS-Security from backend