Amazon DevPay
Developer Guide (API Version 2007-12-01)

Example Request to Use When Troubleshooting

The following example shows the initial portion of a SOAP request that uses WS-Security with an X.509 certificate. If you're using a SOAP toolkit that supports WS-Security and X.509 certificates, the toolkit constructs the request automatically for you, so you don't have to create a request like this yourself. The example is included here as a reference to use if you're troubleshooting authentication issues with your SOAP requests. Several requirements are listed following the example; the numbers highlight where in the example the requirements are satisfied.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="">
  <wsse:Security xmlns:wsse="">

    1 EncodingType=""
    2 ValueType=""
       3 [Your base64 encoded X.509 certificate…]

  <ds:Signature xmlns:ds="">
      <ds:CanonicalizationMethod 4"></ds:CanonicalizationMethod>
      <ds:SignatureMethod 5 Algorithm=""></ds:SignatureMethod>

     <ds:Reference URI="#id-17984263">
          <ds:Transform 6 Algorithm=""></ds:Transform>
        <ds:DigestMethod Algorithm=""></ds:DigestMethod>

    <ds:Reference URI="#id-15778003">
        <ds:Transform 6 Algorithm=""></ds:Transform>
      <ds:DigestMethod 7 Algorithm=""></ds:DigestMethod>



    <ds:KeyInfo Id="KeyId-17007273">
      8 <wsse:SecurityTokenReference
        xmlns:wsu="" wsu:Id="STRId-22438818">
        <wsse:Reference URI="#CertId-1064304"


    xmlns:wsu="" 9wsu:Id="id-17984263">


Requirements for BinarySecurityToken and Signatures


1. The EncodingType attribute for the BinarySecurityToken element must be

2. The ValueType attribute for the BinarySecurityToken element must be or

3. The BinarySecurityToken element must contain the base64 encoding of the leaf X.509 certificate if the ValueType is #X509v3, or it must contain the base64 encoding of the full X.509 certificate chain if the ValueType is #X509PKIPathv1.

4. The Algorithm attribute of the CanonicalizationMethod element must be

5. The Algorithm attribute of the SignatureMethod element must be

6. The Algorithm attribute of the Transform element for each Reference element must be either or

7. The Algorithm attribute of the DigestMethod element for each Reference element must be

8. The KeyInfo element must contain a SecurityTokenReference element. The SecurityTokenReference element must contain a Reference element with a URI attribute. The URI attribute must use a local particle reference to identify the BinarySecurityToken element that contains the X.509 certificate (for example: the URI attribute equals #CertId-1064304 in the preceding example request).

9. You must include a wsu:Id attribute in any message elements that you sign. You can sign any SOAP header and the entire SOAP Body. Do not sign any other elements (such as children of the Body element). AWS ignores those elements for the purposes of signature validation, even if you include a wsu:Id attribute in them. If you sign elements that shouldn't be signed, the signature validation will fail.
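A structural pre-check for the last two requirements (the KeyInfo reference and the wsu:Id attribute on signed elements), as an added example that is not part of the original guide. It reports a KeyInfo reference that does not resolve to the BinarySecurityToken, and a signed reference that matches no wsu:Id or points inside the Body. The namespace URIs are the standard SOAP 1.1, WS-Security and XML-DSig ones (an assumption, since the page does not show them); `check_request`, the `Timestamp` header and the `Op` body element are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Standard SOAP 1.1 / WS-Security / XML-DSig namespaces (assumed; not shown on the page).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU_ID = "{%s}Id" % WSU

def check_request(xml_text):
    """Return a list of problems found (empty list = none found)."""
    root = ET.fromstring(xml_text)
    problems = []
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    # KeyInfo -> SecurityTokenReference -> Reference URI="#<token id>"
    ref = root.find(".//{%s}KeyInfo/{%s}SecurityTokenReference/{%s}Reference" % (DS, WSSE, WSSE))
    if ref is None:
        problems.append("KeyInfo has no SecurityTokenReference/Reference")
    else:
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None or target.tag != "{%s}BinarySecurityToken" % WSSE:
            problems.append("KeyInfo Reference %r is not a local reference to a BinarySecurityToken" % uri)
    # Every signed element must carry wsu:Id and must not be a child of the Body.
    body = root.find("{%s}Body" % SOAP)
    inside_body = [] if body is None else [el for el in body.iter() if el is not body]
    for sig_ref in root.iterfind(".//{%s}SignedInfo/{%s}Reference" % (DS, DS)):
        uri = sig_ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            problems.append("signed reference %r matches no wsu:Id attribute" % uri)
        elif any(target is el for el in inside_body):
            problems.append("signed reference %r targets a child of the Body" % uri)
    return problems

# Constructed sample (IDs reused from the example request; certificate and signature values omitted).
SAMPLE = """<s:Envelope xmlns:s="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">
 <s:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="CertId-1064304">...</wsse:BinarySecurityToken>
  <wsu:Timestamp wsu:Id="id-15778003"/>
  <ds:Signature>
   <ds:SignedInfo><ds:Reference URI="#id-17984263"/><ds:Reference URI="#id-15778003"/></ds:SignedInfo>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#CertId-1064304"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></s:Header>
 <s:Body wsu:Id="id-17984263"><Op wsu:Id="op-1"/></s:Body>
</s:Envelope>""" % (SOAP, WSSE, WSU, DS)

print(check_request(SAMPLE) or "no problems found")
```

The check is structural only: it does not verify the signature, the digests or the certificate.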
