Trying to create a ws-security header that includes a username token with password digest to be accepted at the backend. Calls from SoapUI are accepted and calls from the Gateway are not. The only difference in the requests is that the Gateway does not have milliseconds in the time stamp. How do I add the milliseconds?

All supported versions of the API Gateway

The created time stamp in seconds is set by the Gateway which cannot be modified from outside. The Gateway is trimming the milliseconds intentionally in order for it to be compatible with all the customers. See OASIS standard doc: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf - Page 10, in the example created time stamp does not contain milliseconds.

To include milliseconds, please apply the XSL transformation using "Apply XSL Transformation" Assertion and include the schema below. Include this assertion soon after "Add or Remove WS-Security" assertion in the policy. 

<xsl:stylesheet version="1.0" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> 
<xsl:output indent="yes" omit-xml-declaration="no"/> 
<xsl:strip-space elements="*"/> 

<xsl:template match="@*|node()"> 
<xsl:copy> 
<xsl:apply-templates select="@*|node()"/> 
</xsl:copy> 
</xsl:template> 

<xsl:template match="wsu:Created|wsu:Expires"> 
<xsl:copy> 
<xsl:value-of select="concat(substring-before(., 'Z'), '.000Z')"/> 
</xsl:copy> 
</xsl:template> 

This will append 000Z with the created timestamp with the request. 

Another way this was solved was by not using the Add Security Token Assertion with UsernameToken. Instead create the xml part using the "Generate Security Hash" Assertion.
For more information on this assertion, please visit our page on DocOps.