Auth.net Hosted Accept: User authentication failed due to invalid authentication values - authorize.net

I created an Accept hosted integration. This integration works fine in sandbox mode, but fails in LIVE mode with the following error:
User authentication failed due to invalid authentication values.
I verified that my transactionKey and api_login_id are correct and that I am using the correct URL.
The settings on the auth.net account are set to LIVE.
What else could be the issue? I see banter about requiring a signature key also, but nothing in the docs.
Below is the code for the request:
<getHostedPaymentPageRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
<merchantAuthentication>
<name>{hidden api_login_id}</name>
<transactionKey>{hidden transaction key}</transactionKey>
</merchantAuthentication>
<transactionRequest>
<transactionType>authCaptureTransaction</transactionType>
<amount>7.94</amount>
<order>
<invoiceNumber>138437174</invoiceNumber>
</order>
<billTo>
<firstName>First</firstName>
<lastName>Last</lastName>
<company>Company</company>
<address>Address</address>
<city>City</city>
<state>ST</state>
<zip>11111</zip>
<country>US</country>
</billTo>
<shipTo>
<firstName>First</firstName>
<lastName>Last</lastName>
<company>Company</company>
<address>Address</address>
<city>City</city>
<state>ST</state>
<zip>11111</zip>
<country>US</country>
</shipTo>
</transactionRequest>
<hostedPaymentSettings>
<setting>
<settingName>hostedPaymentBillingAddressOptions</settingName>
<settingValue>{"show": true, "required":true}</settingValue>
</setting>
<setting>
<settingName>hostedPaymentButtonOptions</settingName>
<settingValue>{"text": "Pay"}</settingValue>
</setting>
<setting>
<settingName>hostedPaymentReturnOptions</settingName>
<settingValue>{"showReceipt" : false, "url":"https://www.hiddendomain.com/plugins/authnet_iframe_communicator.html","urlText":"Continue","cancelUrl":"https://www.hiddendomain.com/plugins/authnet_response.php?action=cancel","cancelUrlText":"Cancel"}</settingValue>
</setting>
<setting>
<settingName>hostedPaymentShippingAddressOptions</settingName>
<settingValue>{"show": false, "required":false}</settingValue>
</setting>
<setting>
<settingName>hostedPaymentStyleOptions</settingName>
<settingValue>{"bgColor":"#B00"}</settingValue>
</setting>
<setting>
<settingName>hostedPaymentIFrameCommunicatorUrl</settingName>
<settingValue>{"url": "https://www.hiddendomain.com/plugins/authnet_iframe_communicator.html"}</settingValue>
</setting>
</hostedPaymentSettings>
</getHostedPaymentPageRequest>

Related

Why is LTPA Cookie missing in my WAS Liberty environment?

I have configured OIDC authentication (external OP) with WAS Liberty Profile version WebSphere Application Server 21.0.0.7/wlp-1.0.54.cl210720210629-1900.
While testing, the OIDC authentication is successful and I see the following cookies set by WAS on my browser:
JSESSIONID
WASReqURLOidcp1059877004
WASReqURLOidcp825245628
WAS_n1263819336
WAS_n1832376351
WAS_p2129763847
WASOidcStaten765589445
WASOidcCode
I do see these messages in my messages.log during server startup:
0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager I CWWKS4103I: Creating the LTPA keys. This may take a few seconds.
0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager A CWWKS4104A: LTPA keys created in 0.337 seconds. LTPA key file: jv-ltpa.keys
0000003b com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask I CWWKS4105I: LTPA configuration is ready after 0.341 seconds.
Also, in my server.xml I have NOT explicitly disabled LTPA token or cookie generation.
disableLtpaCookie="false"
Why isn't there an LTPA cookie being set in my browser?
Here is my server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default Server">
<!-- Enable features -->
<featureManager>
<feature>javaee-8.0</feature>
<feature>microProfile-3.0</feature>
<feature>adminCenter-1.0</feature>
<feature>appSecurity-2.0</feature>
<feature>openidConnectClient-1.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<openidConnectClient id="oidcBridge" clientId="removed"
clientSecret="removed"
discoveryEndpointUrl="https://my-op.com/.well-known/openid-configuration" signatureAlgorithm="RS256"
jwkEndpointUrl="https://my-op.com/.well-known/jwks.json" disableLtpaCookie="false"
allowDefaultSsoCookieName="true">
</openidConnectClient>
<basicRegistry id="basic">
<user name="admin" password="admin" />
<user name="user1" password="user1" />
<user name="user2" password="user2" />
<group name="users">
<member name="user1" />
<member name="user2" />
</group>
</basicRegistry>
<administrator-role>
<user>admin</user>
</administrator-role>
<!-- To allow access to this server from a remote client host="*" has been added to the following element -->
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true" />
<keyStore id="defaultKeyStore" password="removed" location="${server.config.dir}/jv-trust.p12" type="PKCS12" />
<ltpa keysFileName="jv-ltpa.keys" keysPassword="removed" expiration="1200" />
<webAppSecurity singleSignonEnabled="true" ssoDomainNames="app1.com" allowFailOverToBasicAuth="true"
ssoRequiresSSL="false" />
<application context-root="snoop" id="DefaultApplication"
location="${server.config.dir}/apps/DefaultApplication.ear" name="DefaultApplication" type="ear">
<application-bnd>
<security-role name="All Role">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</application>
</server>

Getting "WS Security Header in the message is invalid." when calling ACAGetTransmitterBulkRequestStatus

I've been able to make a successful call to the first ACA web service, and I thought that getting the status would be a breeze. Bo-o-oy, how I have been wrong!
I've used the same settings for the status service as I did for the submit one... and I got a "WS Security header is invalid" error! What gives?!?! The signature generation code is the same as I have been using for submission! I would appreciate it if anyone could shed some light on what could possibly be wrong here.
I am aware that the following tags should be digitally signed (and I did sign them):
ACABusinessHeader
ACABulkRequestTransmitterStatusDetailRequest
Security timestamp
Here is my Request:
POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "RequestSubmissionStatusDetail"
Host: la.www4.irs.gov
Content-Length: 5217
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>KBLc15A=</DigestValue>
</Reference>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>dhkLQhzfkc=</DigestValue>
</Reference>
<Reference URI="#TS-ccf5abbbd36940f693d56b21ab489674">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>O179zVlJnyo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>REDUCTED</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">-- Base64ed cert ---</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="TS-ccf5abbbd36940f693d56b21ab489674">
<u:Created>2016-04-01T15:02:00.505Z</u:Created>
<u:Expires>2016-04-01T15:12:00.506Z</u:Expires>
</u:Timestamp>
</wsse:Security>
<abh:ACABusinessHeader u:Id="_1" xmlns:abh="urn:us:gov:treasury:irs:msg:acabusinessheader">
<UniqueTransmissionId xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0">REDUCTED</UniqueTransmissionId>
<Timestamp xmlns="urn:us:gov:treasury:irs:common">2016-04-01T11:02:58Z</Timestamp>
</abh:ACABusinessHeader>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<ACABulkRequestTransmitterStatusDetailRequest u:Id="_2" version="1.0" xmlns="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest">
<ACABulkReqTrnsmtStsReqGrpDtl xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0">
<ReceiptId xmlns="urn:us:gov:treasury:irs:common">Receit Id</ReceiptId>
</ACABulkReqTrnsmtStsReqGrpDtl>
</ACABulkRequestTransmitterStatusDetailRequest>
</s:Body>
</s:Envelope>
UPDATE1: I am more and more convinced that something is up on their end with our certificate and the status service. It looks like they are unable to map the receipt id to the proper certificate. At least they confirmed that structurally there is nothing wrong with the XML that I've been sending them. But they are unable to identify the actual problem. IRS asked me to resend them my request by email for further investigation, which I did. Now I will wait and see what happens.
Well, long story short: the status service is working now. After all the back'n'forthing, the IRS development team removed client configurations which were marked as deleted, and after that, it seems, the status service got itself a spirit to work. I am a bit wary about how the situation has been resolved, but if it eventually started to work - let it be!
(I don't have enough reputation to add a comment)
@fatherOfWine, I noticed that the InclusiveNamespaces element is missing in your Transform elements. Sorry for stating something that you might already know; the included namespaces are factored into the canonicalization of the XML and eventually the calculation of the SHA1 digests.
Send an email to IRS' ACA Technical Support and ask them to look at their logs if the three digest values you send are passing or matching their calculations. They'll be able to at least identify which of your digest values are passing and failing their checks. Let them know the TCC and local time you sent the request.
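
A local pre-flight check for the points raised in this thread, as an added example that is not part of the original posts: it confirms that every `Reference` URI resolves to exactly one `wsu:Id`, that the three parts the question lists are covered by a `Reference`, that the `wsu:Timestamp` window is open, and it flags exclusive-c14n transforms without `InclusiveNamespaces`. The function name, the finding codes and the sample message are assumptions made for the illustration; it does not recompute digests.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Parts the question lists as needing a signature, matched by local name.
REQUIRED_SIGNED = ("ACABusinessHeader",
                   "ACABulkRequestTransmitterStatusDetailRequest", "Timestamp")

# Constructed sample: the shape of the request in the question, with placeholder
# ids and digests; the body element is deliberately left without a Reference.
SAMPLE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:u="{WSU}" xmlns:ds="{DS}">
 <s:Header>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#_1"><ds:Transforms>
    <ds:Transform Algorithm="{EXC_C14N}"/></ds:Transforms>
    <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
   <ds:Reference URI="#TS-1"><ds:Transforms>
    <ds:Transform Algorithm="{EXC_C14N}"/></ds:Transforms>
    <ds:DigestValue>BBBB</ds:DigestValue></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <u:Timestamp u:Id="TS-1">
   <u:Created>2016-04-01T15:02:00.505Z</u:Created>
   <u:Expires>2016-04-01T15:12:00.506Z</u:Expires>
  </u:Timestamp>
  <ACABusinessHeader u:Id="_1"/>
 </s:Header>
 <s:Body><ACABulkRequestTransmitterStatusDetailRequest u:Id="_2"/></s:Body>
</s:Envelope>"""


def _utc(text):
    """Parse an xsd:dateTime such as 2016-04-01T15:02:00.505Z."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def lint_ws_security(xml_text, now):
    """Return (code, detail) findings; `now` is a timezone-aware datetime."""
    root = ET.fromstring(xml_text)
    findings, by_id, signed = [], {}, set()
    for el in root.iter():  # index every element that carries a wsu:Id
        wsu_id = el.get(f"{{{WSU}}}Id")
        if wsu_id is not None:
            by_id.setdefault(wsu_id, []).append(el.tag.rsplit("}", 1)[-1])
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        targets = by_id.get(uri[1:], []) if uri.startswith("#") else []
        if len(targets) != 1:  # 0: dangling reference, >1: duplicate ids
            findings.append(("REF_TARGETS", f"{uri} matches {len(targets)}"))
        signed.update(targets)
        for tr in ref.iter(f"{{{DS}}}Transform"):
            if (tr.get("Algorithm", "").startswith(EXC_C14N)
                    and tr.find(f"{{{EXC_C14N}}}InclusiveNamespaces") is None):
                findings.append(("NO_INCLUSIVE_NS", uri))
    for name in REQUIRED_SIGNED:
        if name not in signed:
            findings.append(("UNSIGNED", name))
    for ts in root.iter(f"{{{WSU}}}Timestamp"):
        try:
            created = _utc(ts.findtext(f"{{{WSU}}}Created", ""))
            expires = _utc(ts.findtext(f"{{{WSU}}}Expires", ""))
        except ValueError:
            findings.append(("TIMESTAMP_FORMAT", ts.get(f"{{{WSU}}}Id", "")))
            continue
        if not created <= now < expires:
            findings.append(("TIMESTAMP_WINDOW", f"{created} .. {expires}"))
    return findings


if __name__ == "__main__":
    print(*lint_ws_security(SAMPLE, datetime.now(timezone.utc)), sep="\n")
```

`NO_INCLUSIVE_NS` is advisory: exclusive canonicalization allows the element to be absent, so it matters only when the receiver computes its digests with a prefix list.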

Apple Pay and Authorize.net Token Submit Fails

I am working on getting Apple Pay integrated in my app through Cordova (Phonegap) and have successfully retrieved my Apple Pay token. I followed all the instructions outlined in both Apple Pay and ADN documentation. Generated all required keys and certificates (twice). I already have a working ADN integration using both CIM and AIM, so I know my integration is solid. I can process regular auth-capture transactions no problem.
I am working in the ADN sandbox and have tried switching my account between Live and Test, as well as switching test mode between True and False.
Here is the information I generated just now (redacted and truncated):
Apple Pay Token
eyJ2ZXJz.....2dKdWs9In19
Base 64 Decoded Apple Pay Token
{ "data" : "PtFJv.....UNFGg==",
"header" : { "ephemeralPublicKey" : "MFkwEw.....Baor01w==",
"publicKeyHash" : "Q1q.....Juk=",
"transactionId" : "c51.....b4"
},
"signature" : "MIAG.....AAAA",
"version" : "EC_v1"
}
ADN Request
<?xml version="1.0" encoding="UTF-8"?>
<createTransactionRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
<merchantAuthentication>
<name>REDACTED</name>
<transactionKey>REDACTED</transactionKey>
</merchantAuthentication>
<refId>C.....4</refId>
<transactionRequest>
<transactionType>authCaptureTransaction</transactionType>
<amount>5</amount>
<payment>
<opaqueData>
<dataDescriptor>COMMON.APPLE.INAPP.PAYMENT</dataDescriptor>
<dataValue>eyJ2ZX.....9In19</dataValue>
</opaqueData>
</payment>
</transactionRequest>
</createTransactionRequest>
ADN Response
<?xml version="1.0" encoding="UTF-8"?>
<createTransactionResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<refId>CID2254674</refId>
<messages>
<resultCode>Error</resultCode>
<message>
<code>E00027</code>
<text>The transaction was unsuccessful.</text>
</message>
</messages>
<transactionResponse>
<responseCode>3</responseCode>
<authCode />
<avsResultCode>P</avsResultCode>
<cvvResultCode />
<cavvResultCode />
<transId>0</transId>
<refTransID />
<transHash>2E.....B72</transHash>
<testRequest>0</testRequest>
<accountNumber />
<accountType />
<errors>
<error>
<errorCode>153</errorCode>
<errorText>There was an error processing the payment data.</errorText>
</error>
</errors>
</transactionResponse>
</createTransactionResponse>
Needless to say, this error response is less than helpful. ANY help would be greatly appreciated. Also posted to ADN community forums.

Classic ASP - web.config deny rule not detecting cookie

I have taken on an Internet facing Classic ASP application (hosted on Windows-Server-2012 / IIS8) that is using Anonymous Access and I want to move to Forms Authentication. Although it is not straightforward, as it currently stands (with the Anon.Access set) the unauthenticated user (i.e. a user that has not yet logged on) can view a .pdf, .doc, etc file if they enter the exact URL path to the file (i.e. security thru obscurity).
The Problem
I am expecting that when I am not logged on, I should not be able to see the .pdf's when entering the absolute URL (this is OK);
however, I am also expecting that when I do log on I should be able to see the .pdf's when entering the absolute URL (this does not happen - what does happen is when I enter the absolute URL of a pdf, I am re-directed back to the home page - I am still logged on but the cookie must not be detected within the authorization - i.e. the "deny" rule above responds with a rejection and sends me back to the home page - note the cookie exists and has not expired)
My Setup and What I have Tried
The Cookie is set via the following code
Response.Cookies("MyAuthCookie") = myGuid
Response.Cookies("MyAuthCookie").Expires = DateAdd("h", 6, Now())
Response.Cookies("MyAuthCookie").Path = "/"
I have tried to tie down access to the .pdf, .doc files via web.config authorization allow/deny rules as follows
<location path="myProtectedFolder">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<machineKey decryptionKey="XXXXXXXX99999999XXXXXXXX" validationKey="XXXXXXXX99999999XXXXXXXX" />
<authentication mode="Forms">
<forms name="MyAuthCookie" loginUrl="/index.asp" path="/" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
Modules have been configured as follows
<modules>
<remove name="FormsAuthentication" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
...and handlers as follows (to be processed by ISAPI)
<handlers>
<add name="pdfs64" path="*.pdf" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" resourceType="File" requireAccess="Read" preCondition="classicMode,runtimeVersionv4.0,bitness64" />
<add name="pdfs" path="*.pdf" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="File" requireAccess="Read" preCondition="classicMode,runtimeVersionv4.0,bitness32" />
</handlers>
Other areas of note
I have the website set to Anon.Access and Forms Auth (I tried Forms Auth on its own).
I have given the website folder/sub-folders read/execute to both the AppPool identity user and "Authenticated Users"
I have marked the AppPool as .Net 2 (also tried .Net 4) with Integrated Pipeline (also tried Classic)
Any help would be greatly appreciated
I finished up creating a true FormsAuthentication cookie from the cookie within a HttpModule (config for the module is the modules section). This then accommodated the allow/deny rules.

How to call, invoke or test a Web Service that has Wssp Policy attached?

I'm unable to test a web service that has a Security Policy attached. I have been required to develop several Web Services and protect them with simple user and password. There are no further security requirements (no encryption, no SSL, etc).
In order to test the security bits, I built a dummy web service with top-down method using jDeveloper11G. The simple service works and can be tested via HTTP analyzer and invoked with SoapUI while running in the integrated WebLogic server. The service also works when deployed to a stand alone WebLogic 10.3.6.0 server.
Then I try to attach security policies. I have successfully attached using two methods:
1) At development time by adding the @Policy annotation
2) After deployment using the WLS console, going to the Web Service Configuration tab, then WS-Policy and attaching a policy and letting the console update the deployment plan as per instructed in this document.
(After any of these options the HTTP Analyzer is unable to test the service as it doesn't generate the SOAP structure form to fill in the parameters, nor does it allow pasting the text for a request. The Test applet in the server console can't access the WSDL either, so I'm left with SoapUI only)
I conclude that the attachment is correct because when consulting the WSDL from the server, it has Policy-related nodes, where the original I wrote doesn't.
The problem comes when I test with SoapUI 5.0.0.
If I don't add any type of user/password information, the response contains:
<env:Fault>
<faultcode>env:Server</faultcode>
<faultstring>Unknown exception, internal system processing error.</faultstring>
</env:Fault>
If I add the following headers:
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>usertext</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">passwordtext</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
then the response changes to:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>Error codes: 3001 4001 3201 1008 1028 Error code:3001</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
If I add the security information in the properties of the request without removing the headers I added manually to the request then the response becomes:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>Error on verifying message against security policy Error code:1025</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
The properties I change are: Username, Password, Domain, WSS-Password type (PasswordText), WSS-TimeToLive(50000). The property Authentication Type shows the fixed value "No Authorization" and cannot be changed.
If at this point I remove the manually added header the response becomes the same as the second response I included.
I have tried the following pre defined policies:
Wssp1.2-2007-Wss1.1-UsernameToken-Plain-X509-Basic256.xml
Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256.xml
Wssp1.2-2007-Https-BasicAuth.xml
Wssp1.2-2007-Https-UsernameToken-Plain.xml
(The last two produce a different error related to the SSL configuration of the server)
I have also made several searches of wsse:InvalidSecurity, and the related error codes in the fault string, but have obtained no relevant information.
I have read several Oracle Docs (such as E17904_01, E23943_01, E12461_01), but there is no information on what to do after attaching the policies, nor do I find specific information on how to modify the request in order to fulfill the security requirements. I also made several searches for examples or the errors I get on this site and others.
So the question is: what further steps are needed to be able to invoke this web service while protecting it with plain text user and password?
A secondary question is: where do I specify which users can access the service? At the moment I assume that any user in the default realm will have access, and so I'm testing with a user for which I know the password in the default security realm "myrealm".
The wsdl as returned by the server after the policy is attached follows:
<!--
Published by JAX-WS RI at http://jax-ws.dev.java.net. RI's version is Oracle JAX-WS 2.1.5.
-->
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="asegurado.institution.org" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wssutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" targetNamespace="asegurado.institution.org">
<wsp:UsingPolicy wssutil:Required="true" />
<wsp:Policy wssutil:Id="Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256.xml">
<ns0:AsymmetricBinding xmlns:ns0="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns0:InitiatorToken>
<wsp:Policy>
<ns0:X509Token ns0:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns0:WssX509V3Token10/>
</wsp:Policy>
</ns0:X509Token>
</wsp:Policy>
</ns0:InitiatorToken>
<ns0:RecipientToken>
<wsp:Policy>
<ns0:X509Token ns0:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<ns0:WssX509V3Token10/>
</wsp:Policy>
</ns0:X509Token>
</wsp:Policy>
</ns0:RecipientToken>
<ns0:AlgorithmSuite>
<wsp:Policy>
<ns0:Basic256/>
</wsp:Policy>
</ns0:AlgorithmSuite>
<ns0:Layout>
<wsp:Policy>
<ns0:Lax/>
</wsp:Policy>
</ns0:Layout>
<ns0:IncludeTimestamp/>
<ns0:ProtectTokens/>
<ns0:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</ns0:AsymmetricBinding>
<ns0:SignedEncryptedSupportingTokens xmlns:ns0="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns0:UsernameToken ns0:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns0:WssUsernameToken10/>
</wsp:Policy>
</ns0:UsernameToken>
</wsp:Policy>
</ns0:SignedEncryptedSupportingTokens>
<ns0:Wss10 xmlns:ns0="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns0:MustSupportRefKeyIdentifier/>
<ns0:MustSupportRefIssuerSerial/>
</wsp:Policy>
</ns0:Wss10>
</wsp:Policy>
<types>
<xsd:schema>
<xsd:import namespace="asegurado.institution.org" schemaLocation="http://hn-apli-dev:7001/Asegurado/asegurado?xsd=1" />
</xsd:schema>
</types>
<message name="intentarRequest">
<part name="request" type="tns:intentarRequest" />
</message>
<message name="intentarResponse">
<part name="response" type="tns:intentarResponse" />
</message>
<portType name="asegurado">
<operation name="intentar">
<input message="tns:intentarRequest" />
<output message="tns:intentarResponse" />
</operation>
</portType>
<binding name="aseguradoBinding" type="tns:asegurado">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
<operation name="intentar">
<wsp:PolicyReference URI="#Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256.xml" />
<soap:operation style="document" soapAction="asegurado.isntitution.org/intentar" />
<input>
<soap:body use="literal" parts="request" />
</input>
<output>
<soap:body use="literal" parts="response" />
</output>
</operation>
</binding>
<service name="ServicioAsegurado">
<port name="asegurado" binding="tns:aseguradoBinding" />
</service>
</definitions>
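
Reading the policy that the WSDL above advertises, as an added example that is not part of the original question: it walks the `wsp:Policy` and lists what a request has to carry to satisfy it. `summarize_policy` and `client_requirements` are hypothetical names, and the sample is constructed from the question's WSDL with the RecipientToken, AlgorithmSuite, Layout and Wss10 assertions left out.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
BINDINGS = ("AsymmetricBinding", "SymmetricBinding", "TransportBinding")

# Constructed sample: trimmed copy of the policy in the question's WSDL.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
 <sp:AsymmetricBinding><wsp:Policy>
  <sp:InitiatorToken><wsp:Policy>
   <sp:X509Token><wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
  </wsp:Policy></sp:InitiatorToken>
  <sp:IncludeTimestamp/>
  <sp:OnlySignEntireHeadersAndBody/>
 </wsp:Policy></sp:AsymmetricBinding>
 <sp:SignedEncryptedSupportingTokens><wsp:Policy>
  <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
 </wsp:Policy></sp:SignedEncryptedSupportingTokens>
</wsp:Policy>"""


def _local(el):
    return el.tag.rsplit("}", 1)[-1]


def _is_sp(el):
    """True for elements in the WS-SecurityPolicy 1.2 namespace."""
    return el.tag.startswith(f"{{{SP}}}")


def _tokens_under(parent):
    """Local names of the sp:*Token assertions nested below `parent`."""
    return [_local(t) for t in parent.iter()
            if t is not parent and _is_sp(t) and _local(t).endswith("Token")]


def summarize_policy(xml_text):
    """Collect the assertions that decide what a client must send."""
    summary = {"binding": None, "initiator_token": None,
               "timestamp": False, "supporting_tokens": {}}
    for el in ET.fromstring(xml_text).iter():
        if not _is_sp(el):
            continue
        name = _local(el)
        if name in BINDINGS:
            summary["binding"] = name
        elif name == "InitiatorToken":
            tokens = _tokens_under(el)
            summary["initiator_token"] = tokens[0] if tokens else None
        elif name == "IncludeTimestamp":
            summary["timestamp"] = True
        elif name.endswith("SupportingTokens"):
            for token in _tokens_under(el):
                summary["supporting_tokens"][token] = name
    return summary


def client_requirements(summary):
    """Translate the summary into what the request has to carry."""
    needs = []
    if summary["binding"] in ("AsymmetricBinding", "SymmetricBinding"):
        needs.append("message-level signature")
    if summary["initiator_token"] == "X509Token":
        needs.append("client X.509 certificate and private key")
    if summary["timestamp"]:
        needs.append("wsu:Timestamp")
    for token, wrapper in summary["supporting_tokens"].items():
        protection = wrapper[:-len("SupportingTokens")] or "Plain"
        needs.append(f"{token} ({protection})")
    return needs


if __name__ == "__main__":
    print(*client_requirements(summarize_policy(SAMPLE_POLICY)), sep="\n")
```

For this policy the list contains a message-level signature, a client X.509 token, a timestamp and a signed and encrypted UsernameToken, so a request whose only security header is a PasswordText UsernameToken does not meet it.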