Invalid WS Security Header - IRS ACA SOAP Request
I\'m in the process of submitting a RequestSubmissionStatusDetail request from the IRS.
Here\'s my problem. When submitting the following document to the IR
-
I suppose you have a signature element missing or misaligned.
In the documentation is says:
Transmitters must upload two xml files 1. Manifest file: To create the Request Manifest XML file: Transmitters should use Schema IRS-ACAUserInterfaceHeaderMessage.xsd to add/create “ACA Business Header” and “Request Manifest Details” 2. Form Data File: (1094/1095-[B,C]) ‒ IRS-Form1094-1095BTransmitterUpstreamMessage.xsd ‒ IRS-Form1094-1095CTransmitterUpstreamMessage.xsd
In the documentation you've provided there is a clue that says:
TPE1122 Invalid WS Security Header. Please try again.
Ensure that the SOAP message, including the Manifest file, contains the necessary signed WS-Security elements.
Comment on my answer to tell us if it is related to signature problems in the manifest file?
讨论(0) -
It sounds like we're on the same path; maybe we can help each other out.
I ended up doing security by configuration:
<security enableUnsecuredResponse="true" authenticationMode="MutualCertificate" messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" />You'll also need to override the identity DNS value for your endpoint with whoever your certificate was issued to. Put this inside your
<endpoint>tags<identity> <dns value="[Issued To]" /> </identity>Finally, when you create a client, you need to use a
ChannelFactoryand set the appropriate credentials. Mine looks like this:var factory = new ChannelFactory<BulkRequestTransmitterPortType>("BulkRequestTransmitterPort"); factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c"); factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c"); var client = factory.CreateChannel();Let me know if you run into something else. Assuming your certificate and application status is OK, then once you get through this you'll probably be stuck on the next step with me (proper MTOM encoding). If you get through that successfully PLEASE let me know :)
讨论(0) -
I was able to get past the TPE1122 error with the XML below (with key- and TCC-related parts redacted). I'm not sure about how you are actually signing things (I am using the SoapUI tool rather than programmatic signing), but in my case, I think the main issue had to do with the short names for namespaces (e.g. oas, wsu, etc.). I think they have to exactly match the IRS's expectations. Also, I see that you use the wsa:Action tag whereas I do not, although that probably does not affect the WS-Security header.
POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "RequestSubmissionStatusDetail" Content-Length: 6088 Host: la.www4.irs.gov Connection: Keep-Alive User-Agent: Apache-HttpClient/4.1.1 (java 1.5) <soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xd="http://www.w3.org/2000/09/xmldsig#"> <soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <ds:Signature Id="SIG-7570AFA8291320B0AC145394323250875" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#TS-7570AFA8291320B0AC145394323250671"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <InclusiveNamespaces PrefixList="wsse oas1 soapenv urn urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>mvcVAijgkdnRTsyynwCzUHX39VM=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#id-B123454679813489712349871234987123"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>5b2SAtep+3PvQj7hZnIGceu0RNg=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#id-D123454679813489712349871234987123"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>iO0oIkBURxyOUPhrJ/j5YPeRLbQ=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>REDACTED</ds:SignatureValue> <ds:KeyInfo Id="KI-7570AFA8291320B0AC145394323250873"> <wsse:SecurityTokenReference wsu:Id="STR-7570AFA8291320B0AC145394323250874"> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">REDACTED</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> <wsu:Timestamp wsu:Id="TS-7570AFA8291320B0AC145394323250671"> <wsu:Created>2016-01-28T01:07:12Z</wsu:Created> <wsu:Expires>2016-01-28T01:07:13Z</wsu:Expires> </wsu:Timestamp> </wsse:Security> <urn:ACABusinessHeader wsu:Id="id-B123454679813489712349871234987123"> <urn1:UniqueTransmissionId>5c953d6e-fb77-483f-89ee-5b824550d703:SYS12:RDCTD::T</urn1:UniqueTransmissionId> <urn2:Timestamp>2016-01-27T13:46:00Z</urn2:Timestamp> </urn:ACABusinessHeader> </soapenv:Header> <soapenv:Body> <urn:ACABulkRequestTransmitterStatusDetailRequest version="1.0" wsu:Id="id-D123454679813489712349871234987123"> <urn1:ACABulkReqTrnsmtStsReqGrpDtl> <urn2:ReceiptId>1094C-00-00000000</urn2:ReceiptId> </urn1:ACABulkReqTrnsmtStsReqGrpDtl> </urn:ACABulkRequestTransmitterStatusDetailRequest> </soapenv:Body>讨论(0) -
If you want to connect to WS heading in SOAPUI you need to set:
This is because of the bindings used (wsHttpBinding):
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="httpsBindingService" contract="Namespace.Contract"/>I would strongly suggest not going the wsHttpBinding route but rather the more standard basicHttpsBinding route (If you control the service). The are many issues especially if you have java clients (Using Eclipse) connecting to your services.
<endpoint address="" binding="basicHttpsBinding" bindingConfiguration="DefaultHttpsBinding" contract="Namespace.Contract" />讨论(0)
加载中...
- 热议问题