Thanks for the suggestion. I tried your solution .

Now i am getting below error for a valid SOAP Message . I updated the  below properties

<Property name="throw-fault-on-invalid">true</Property>
<Property name="accept-thumbprints">***</Property>

Please  the error

{
    "fault": {
        "faultstring": "Execution returned an error result",
        "detail": {
            "errorcode": "flow.execution.ExecutionReturnedFailure"
        }
    }
}

check the error message contained in the wssec_error context variable.

Also you may wish to read the README associated to the callout. All of the information I am relaying to you here, is in that document.

Could you pls let me know on how to check that .? I did not find any guide to check the context variable value incase of failure.

Sure. Check the doc page here: https://cloud.google.com/apigee/docs/api-platform/fundamentals/introduction-flow-variables and also look for the embedded video that describes how to see these variables using the Apigee trace mechanism. 

If you want a quick overview of Tracing, you can also check this out .  The trace capability is called "trace" in the older Apigee Edge, which is what is shown in this screencast. It is called "Debug" in Apigee X or hybrid. It looks and works basically the same way, though. 

Thanks for the Article. I tried to expore the flow variables . Created a JS callout to read the context variable "wssec_error " &  wssec_valid  after the Java Callout. For success calls without setting ("throw-fault-on-invalid"  &  accept-thumbprints) ,  I was able to output these variable values by print in javascript. But when the Java fails when i set ("throw-fault-on-invalid"  &  accept-thumbprints) , the control does not come to JS callout at all. Not sure why . Can you help with this . On Java Callout, Continue is also error is true. 

Please find below the details .

var wssec_valid=context.getVariable('wssec_valid');
var wssec_error =context.getVariable('wssec_error');

print("hello"+wssec_valid);
print("hellooo"+wssec_error);

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout continueOnError="true" enabled="true" name="Java-Callout-1">
    <Properties>
        <Property name="source">message.content</Property>
        <Property name="throw-fault-on-invalid">true</Property>
        <Property name="accept-thumbprints">****</Property>
    </Properties>
    <ClassName>com.google.apigee.callouts.wssecdsig.Validate</ClassName>
    <ResourceURL>java://apigee-wssecdsig-20210721-2.jar</ResourceURL>
</JavaCallout>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <FaultRules/>
                <Name>Java-Callout-1</Name>
            </Step>
            <Step>
                <Name>JavaScript-1</Name>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
    <Flows/>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <HTTPProxyConnection>
        <BasePath>/flowv</BasePath>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>

If you use throw-fault-on-invalid, then the proxy goes into Fault Handling.

The subsequent policies do not get executed. This is expected behavior of an Apigee API proxy.

For some background, see here.

The summary is

• use throw-fault-on-invalid = true if you want to use the fault handling approach that is built-in to Apigee (FaultRules, etc.), when the signature is invalid.
• do not use that property if you want your subsequent policies(the JS policy, etc) to examine the status  of the WSSec callout, even in the case of invalid signature.

Thanks for clarifying it. From the security purpose of integration with client, we need to verify the signature. I dont want to skip the signature verification. We are currently using a 3rd party API Proxy vendor for the SOAP X509 certificate verification. We are now migrating this to Apigee . I have added all of the valid properties for java call out .

Trace: 

<Properties>
    <Property name="throw-fault-on-invalid">true</Property>
    <Property name="source">message.content</Property>
    <Property name="accept-thumbprints">CERT_THUMBPRINT_HERE</Property>
  </Properties>

 But still the verification is failing. However the same document is been able to verify by the 3rd party API Gateway vendor successfully . I am not sure on how do i proceed futher on this. 

We basically need two things.

1) Verify the Signature of the SOAP Message

2) Remove the Signature and then pass only the SOAP Body to the endpoint 

From the security purpose of integration with client, we need to verify the signature. I dont want to skip the signature verification.

OK Good! That's a good practice! The WS-Sec callout never skips the verification of the signature, so you're in good shape. The property we have been discussing, throw-fault-on-invalid, does not affect whether the callout verifies the signature. It affects what the callout DOES when the signature is not valid. I have explained this in some detail here, and also You can read about this in the fine documentation in the README file. I won't explain it again, since i've explained it several times already.

But still the verification is failing. However the same document is been able to verify by the 3rd party API Gateway vendor successfully . I am not sure on how do i proceed futher on this.

I'm sorry you're having trouble getting the results you're expecting. if you feel comfortable, you can send to me the signed SOAP document, and I'll see if I can figure out what's going on here. Reach me at dchiesa@google.com. Or, if you have a SOAPUI project that sends the request, you can share that with me too. I'd like to help.

Great! Thank you for confirming.