Getting "WS Security Header in the message is invalid." when calling ACAGetTransmitterBulkRequestStatus - web-services

I've been able to make a successful call to the first ACA web service and I thought that getting status would be a breeze. Bo-o-oy, how wrong I have been!
I've used the same settings for the status service as I did for the submit one... and I got a "WS Security header is invalid" error! What gives?!?! The signature generation code is the same as I have been using for submission! I would appreciate it if anyone would be able to shed some light on what could possibly be wrong here.
I am aware that the following tags should be digitally signed (and I do sign them):
ACABusinessHeader
ACABulkRequestTransmitterStatusDetailRequest
Security timestamp
Here is my Request:
POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "RequestSubmissionStatusDetail"
Host: la.www4.irs.gov
Content-Length: 5217
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>KBLc15A=</DigestValue>
</Reference>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>dhkLQhzfkc=</DigestValue>
</Reference>
<Reference URI="#TS-ccf5abbbd36940f693d56b21ab489674">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>O179zVlJnyo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>REDACTED</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">-- Base64ed cert ---</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="TS-ccf5abbbd36940f693d56b21ab489674">
<u:Created>2016-04-01T15:02:00.505Z</u:Created>
<u:Expires>2016-04-01T15:12:00.506Z</u:Expires>
</u:Timestamp>
</wsse:Security>
<abh:ACABusinessHeader u:Id="_1" xmlns:abh="urn:us:gov:treasury:irs:msg:acabusinessheader">
<UniqueTransmissionId xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0">REDACTED</UniqueTransmissionId>
<Timestamp xmlns="urn:us:gov:treasury:irs:common">2016-04-01T11:02:58Z</Timestamp>
</abh:ACABusinessHeader>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<ACABulkRequestTransmitterStatusDetailRequest u:Id="_2" version="1.0" xmlns="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest">
<ACABulkReqTrnsmtStsReqGrpDtl xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0">
<ReceiptId xmlns="urn:us:gov:treasury:irs:common">Receipt Id</ReceiptId>
</ACABulkReqTrnsmtStsReqGrpDtl>
</ACABulkRequestTransmitterStatusDetailRequest>
</s:Body>
</s:Envelope>
UPDATE1: I am more and more convinced that something is up on their end with our certificate and the status service. It looks like they are unable to map the receipt id to the proper certificate. At least they confirmed that structurally there is nothing wrong with the XML that I've been sending them. But they are unable to identify the actual problem. IRS asked me to resend them my request in the email again for further investigation, which I did. Now I will wait and see what happens.

Well, long story short: the status service is working now. After all the back'n'forthing, the IRS development team removed client configurations which were marked as deleted, and after that, it seems, the status service got itself a spirit to work. I am a bit wary about how the situation has been resolved, but if it eventually started to work, let it be!

(I don't have enough reputation to add a comment)
@fatherOfWine, I noticed that the InclusiveNamespaces element is missing in your Transform elements. Sorry for stating something that you might already know: the included namespaces are factored in in the canonicalization of the XML and eventually in the calculation of the SHA1 digests.
Send an email to IRS' ACA Technical Support and ask them to look at their logs if the three digest values you send are passing or matching their calculations. They'll be able to at least identify which of your digest values are passing and failing their checks. Let them know the TCC and local time you sent the request.
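As an added example (not from the post, and not IRS code), here is the check the answer above asks IRS support to run from their side: recompute each ds:Reference digest over the referenced element and report which one fails. It uses the standard-library C14N 2.0 canonicalizer as a stand-in for exclusive C14N (both emit only the namespace prefixes a subtree visibly uses), so its digests will not match a real WS-Security stack bit-for-bit; the message, Ids and placeholder values are constructed.

```python
import base64
import hashlib
import re
from xml.dom import minidom
from xml.etree.ElementTree import canonicalize

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed, shortened copy of the status request above; Ids and values are placeholders.
MESSAGE = f"""<s:Envelope xmlns:u="{WSU}" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Signature xmlns="{DS}"><SignedInfo>
<Reference URI="#_1"><DigestValue>?</DigestValue></Reference>
<Reference URI="#_2"><DigestValue>?</DigestValue></Reference>
<Reference URI="#TS-1"><DigestValue>?</DigestValue></Reference>
</SignedInfo></Signature>
<u:Timestamp u:Id="TS-1"><u:Created>2016-04-01T15:02:00Z</u:Created></u:Timestamp>
</wsse:Security>
<abh:ACABusinessHeader u:Id="_1" xmlns:abh="urn:us:gov:treasury:irs:msg:acabusinessheader">
<UniqueTransmissionId xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0">UTID-PLACEHOLDER</UniqueTransmissionId>
</abh:ACABusinessHeader></s:Header>
<s:Body><ACABulkRequestTransmitterStatusDetailRequest u:Id="_2" xmlns="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest">
<ReceiptId xmlns="urn:us:gov:treasury:irs:common">RECEIPT-PLACEHOLDER</ReceiptId>
</ACABulkRequestTransmitterStatusDetailRequest></s:Body></s:Envelope>"""
def find_by_id(doc, ref_id):
    # A <Reference URI="#id"> points at the element carrying that wsu:Id (or bare Id).
    for el in doc.getElementsByTagName("*"):
        if ref_id in (el.getAttributeNS(WSU, "Id"), el.getAttribute("Id")):
            return el
    raise KeyError(f"no element with Id {ref_id}")
def c14n_subtree(el):
    # Re-declare ancestor xmlns on the fragment so it parses alone; the canonicaliser
    # then emits only the prefixes the subtree visibly uses, as exc-c14n does.
    seen, decls, node = {a.name for a in el.attributes.values()}, "", el.parentNode
    while node.nodeType == node.ELEMENT_NODE:
        for a in node.attributes.values():
            if a.name.startswith("xmlns") and a.name not in seen:
                seen.add(a.name)
                decls += f' {a.name}="{a.value}"'
        node = node.parentNode
    fragment = re.sub(r"^(<[^\s/>]+)", lambda m: m.group(1) + decls, el.toxml(), count=1)
    return canonicalize(fragment, with_comments=False)
def digest_b64(el):
    # SHA-1 over the canonical bytes, base64 as it appears in <DigestValue>.
    return base64.b64encode(hashlib.sha1(c14n_subtree(el).encode()).digest()).decode()
def check_references(xml):
    # Map each Reference URI to whether its DigestValue matches a fresh computation.
    doc = minidom.parseString(xml)
    result = {}
    for ref in doc.getElementsByTagNameNS(DS, "Reference"):
        uri = ref.getAttribute("URI")
        stated = ref.getElementsByTagNameNS(DS, "DigestValue")[0].firstChild.data.strip()
        result[uri] = digest_b64(find_by_id(doc, uri.lstrip("#"))) == stated
    return result
def fill_digests(xml):
    # Demo-only signer step: write correct DigestValues into the constructed message.
    doc = minidom.parseString(xml)
    for ref in doc.getElementsByTagNameNS(DS, "Reference"):
        el = find_by_id(doc, ref.getAttribute("URI").lstrip("#"))
        ref.getElementsByTagNameNS(DS, "DigestValue")[0].firstChild.data = digest_b64(el)
    return doc.toxml()

if __name__ == "__main__":
    signed = fill_digests(MESSAGE)
    print(check_references(signed))  # all three references pass
    print(check_references(signed.replace("RECEIPT-PLACEHOLDER", "OTHER")))  # only #_2 fails
```

A changed body flags only `#_2`, while an unused xmlns declaration added on an ancestor leaves every digest intact; that exclusion of non-visibly-used prefixes is exactly why a prefix that appears only in element text must be named in InclusiveNamespaces for signer and verifier to agree.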

Related

Why is LTPA Cookie missing in my WAS Liberty environment?

I have configured OIDC authentication (external OP) with WAS Liberty Profile version WebSphere Application Server 21.0.0.7/wlp-1.0.54.cl210720210629-1900.
While testing, the OIDC authentication is successful and I see the following cookies set by WAS on my browser:
JSESSIONID
WASReqURLOidcp1059877004
WASReqURLOidcp825245628
WAS_n1263819336
WAS_n1832376351
WAS_p2129763847
WASOidcStaten765589445
WASOidcCode
I do see these messages in my messages.log during server startup:
0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager I CWWKS4103I: Creating the LTPA keys. This may take a few seconds.
0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager A CWWKS4104A: LTPA keys created in 0.337 seconds. LTPA key file: jv-ltpa.keys
0000003b com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask I CWWKS4105I: LTPA configuration is ready after 0.341 seconds.
Also, in my server.xml I have NOT explicitly disabled LTPA token or cookie generation.
disableLtpaCookie="false"
Why isn't there an LTPA cookie being set in my browser?
Here is my server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default Server">
<!-- Enable features -->
<featureManager>
<feature>javaee-8.0</feature>
<feature>microProfile-3.0</feature>
<feature>adminCenter-1.0</feature>
<feature>appSecurity-2.0</feature>
<feature>openidConnectClient-1.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<openidConnectClient id="oidcBridge" clientId="removed"
clientSecret="removed"
discoveryEndpointUrl="https://my-op.com/.well-known/openid-configuration" signatureAlgorithm="RS256"
jwkEndpointUrl="https://my-op.com/.well-known/jwks.json" disableLtpaCookie="false"
allowDefaultSsoCookieName="true">
</openidConnectClient>
<basicRegistry id="basic">
<user name="admin" password="admin" />
<user name="user1" password="user1" />
<user name="user2" password="user2" />
<group name="users">
<member name="user1" />
<member name="user2" />
</group>
</basicRegistry>
<administrator-role>
<user>admin</user>
</administrator-role>
<!-- To allow access to this server from a remote client host="*" has been added to the following element -->
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true" />
<keyStore id="defaultKeyStore" password="removed" location="${server.config.dir}/jv-trust.p12" type="PKCS12" />
<ltpa keysFileName="jv-ltpa.keys" keysPassword="removed" expiration="1200" />
<webAppSecurity singleSignonEnabled="true" ssoDomainNames="app1.com" allowFailOverToBasicAuth="true"
ssoRequiresSSL="false" />
<application context-root="snoop" id="DefaultApplication"
location="${server.config.dir}/apps/DefaultApplication.ear" name="DefaultApplication" type="ear">
<application-bnd>
<security-role name="All Role">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</application>
</server>

WSO2ESB: SOAP Action header not what expected on response

Trying to figure out why my SOAP Envelope Action header is not what I expect. I am calling WSO2ESB and communicating with another WCF service. I am using an NTLMmediator to authenticate to the backend service.
My input transaction looks like this
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://www.mycompany.com/services/GetProductsByCustomerNbr</a:Action>
<a:MessageID>urn:uuid:448cb5ec-b2d8-4292-b245-5b0d42c0e52a</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://hapq-vpwebtran1.afcorp.afg/AnnuityWebService/VpasAnnuityServiceAdaptor.svc/windows</a:To>
<o:Security s:mustUnderstand="0" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2016-10-10T20:57:42.292Z</u:Created>
<u:Expires>2016-10-14T21:02:42.292Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-83e06bc8-c659-4ddc-845a-de86f0dd19f8-1">
<o:Username>JoeTest</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">JoeTest</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
Transaction body
</s:Body>
</s:Envelope>
This is what my transaction looks like when I write it out from inside my mediator, and also the value of Envelope logged in my Proxy Service after my mediator has executed. This is what I expect the value of Action to be: GetProductsByCustomerNbrResponse
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://www.mycompany.com/services/GetProductsByCustomerNbrResponse</a:Action>
<a:RelatesTo>urn:uuid:448cb5ec-b2d8-4292-b245-5b0d42c0e52a</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
Transaction body
</s:Body>
</s:Envelope>
What it looks like in my wire logs is below. You can see the Action is now GetProductsByCustomerNbr instead of GetProductsByCustomerNbrResponse
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="true">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2016-10-13T22:49:45.858Z</wsu:Created>
<wsu:Expires>2016-10-13T22:54:45.858Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<wsa:MessageID>urn:uuid:d5677050-3ce7-4f11-a269-83c626967b39</wsa:MessageID>
<wsa:Action>http://www.mycompany.com/services/GetProductsByCustomerNbr</wsa:Action>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
Transaction body
</s:Body>
</s:Envelope>
I do not understand why I am seeing the input transaction action and not the action from the output. I am sure there is something I am missing or not doing right but I am struggling to find it. If anyone has any thoughts or can point me in the right direction I would appreciate it. If there is any information I failed to provide that would be useful please let me know and I will post it.
I had to add properties to my proxy in order to get this working. Below are the 2 properties I had to add.
disableAddressingForOutMessages so that the ESB was not adding WS-Addressing headers to outgoing messages
PRESERVE_WS_ADDRESSING so that the ESB will forward it on without altering the existing WS-Addressing headers
<property name="disableAddressingForOutMessages" scope="axis2" value="true"/>
<property name="PRESERVE_WS_ADDRESSING" scope="default" value="true"/>

Apple Pay and Authorize.net Token Submit Fails

I am working on getting Apple Pay integrated in my app through Cordova (Phonegap) and have successfully retrieved my Apple Pay token. I followed all the instructions outlined in both Apple Pay and ADN documentation. Generated all required keys and certificates (twice). I already have a working ADN integration using both CIM and AIM, so I know my integration is solid. I can process regular auth-capture transactions no problem.
I am working in the ADN sandbox and have tried switching my account between Live and Test, as well as switching test mode between True and False.
Here is the information I generated just now (redacted and truncated):
Apple Pay Token
eyJ2ZXJz.....2dKdWs9In19
Base 64 Decoded Apple Pay Token
{ "data" : "PtFJv.....UNFGg==",
"header" : { "ephemeralPublicKey" : "MFkwEw.....Baor01w==",
"publicKeyHash" : "Q1q.....Juk=",
"transactionId" : "c51.....b4"
},
"signature" : "MIAG.....AAAA",
"version" : "EC_v1"
}
ADN Request
<?xml version="1.0" encoding="UTF-8"?>
<createTransactionRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
<merchantAuthentication>
<name>REDACTED</name>
<transactionKey>REDACTED</transactionKey>
</merchantAuthentication>
<refId>C.....4</refId>
<transactionRequest>
<transactionType>authCaptureTransaction</transactionType>
<amount>5</amount>
<payment>
<opaqueData>
<dataDescriptor>COMMON.APPLE.INAPP.PAYMENT</dataDescriptor>
<dataValue>eyJ2ZX.....9In19</dataValue>
</opaqueData>
</payment>
</transactionRequest>
</createTransactionRequest>
ADN Response
<?xml version="1.0" encoding="UTF-8"?>
<createTransactionResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<refId>CID2254674</refId>
<messages>
<resultCode>Error</resultCode>
<message>
<code>E00027</code>
<text>The transaction was unsuccessful.</text>
</message>
</messages>
<transactionResponse>
<responseCode>3</responseCode>
<authCode />
<avsResultCode>P</avsResultCode>
<cvvResultCode />
<cavvResultCode />
<transId>0</transId>
<refTransID />
<transHash>2E.....B72</transHash>
<testRequest>0</testRequest>
<accountNumber />
<accountType />
<errors>
<error>
<errorCode>153</errorCode>
<errorText>There was an error processing the payment data.</errorText>
</error>
</errors>
</transactionResponse>
</createTransactionResponse>
Needless to say, this error response is less than helpful. ANY help would be greatly appreciated. Also posted to ADN community forums.

ReplyTo property missing in SOAPHeader

I have created a WS-BPEL workflow that would call an asynchronous web service and wait for a callback response. The carbon application is successfully deployed into BPS as well.
Details on my external Asynchronous web service
1. It requires basic authentication over http.
2. It requires the soap header to be available in the soap envelope.
3. It would process the request and send a callback to the ReplyTo address it receives in the soap header and use the MessageID to correlate the callback.
My deploy.xml file for the BPEL process looks like this ...
<?xml version="1.0" encoding="UTF-8"?>
<deploy xmlns="http://www.apache.org/ode/schemas/dd/2007/03"
xmlns:callback.integration.service="http://callback.integration.service/"
xmlns:epr="http://wso2.org/bps/bpel/endpoint/config"
xmlns:sample="http://wso2.org/bps/sample"
xmlns:ws.integration.service="http://ws.integration.service/">
<process name="sample:Test">
<active>true</active>
<retired>false</retired>
<process-events generate="all"/>
<provide partnerLink="client">
<service name="sample:Test" port="TestPort"/>
</provide>
<provide partnerLink="IntegrationService">
<service name="callback.integration.service:IntegrationCallback" port="IntegrationResponsePort"/>
</provide>
<invoke partnerLink="IntegrationService">
<service name="ws.integration.service:IntegrationService" port="IntegrationRequestPort">
<epr:endpoint endpointReference="IntegrationService.epr"/>
</service>
</invoke>
</process>
</deploy>
The IntegrationService.epr file looks like this ...
<wsa:EndpointReference
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.w3schools.com uep_schema.xsd"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsdl11="http://schemas.xmlsoap.org/wsdl/">
<wsa:Address>http://server:8080/integration/IntegrationService</wsa:Address>
<wsa:Metadata>
<id>SInvokeEPR</id>
<qos>
<enableAddressing />
</qos>
<transport type="http">
<authorization-username>username</authorization-username>
<authorization-password>password</authorization-password>
</transport>
</wsa:Metadata>
</wsa:EndpointReference>
Now when I test the BPEL process from the Carbon service management console, I do get a request to my asynchronous web service. However, the SOAP envelope looks as follows and is missing a proper ReplyTo address to send the callback to.
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:To>http://server:8080/integration/IntegrationService</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/none</wsa:Address>
</wsa:ReplyTo>
<wsa:MessageID>urn:uuid:91ac4ebd-b100-440e-a01d-c4a5c0d8a56f</wsa:MessageID>
<wsa:Action>http://ws.integration.service/IntegrationRequestPortType/createTask</wsa:Action>
</soapenv:Header>
<soapenv:Body>
...
</soapenv:Body>
</soapenv:Envelope>
Now my need is to reply to this request with a callback. The callback soap envelope would contain this MessageID so that the callback correlates with the correct process instance.
How do you get the proper ReplyTo address appended to the soap header?
If I assume correctly that you use WSO2 BPS (or something with Apache ODE), you can use this copy in an assign to set the header by hand. (http://ode.apache.org/extensions/headers-handling.html)
<bpel:copy>
<bpel:from>
<bpel:literal>
<wsa:ReplyTo xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Address>http://localhost:9763/services/SIServerCallback</Address>
</wsa:ReplyTo>
</bpel:literal>
</bpel:from>
<bpel:to variable="ServiceInvokerIARequest" header="ReplyTo">
</bpel:to>
</bpel:copy>

Full SOAP syntax for a Sharepoint DspSts.asmx query including dsp:authentication and dsp:dataRoot

I'm trying to retrieve list data from a Sharepoint 2010 server using the webservice at DspSts.asmx. (Nope can't use oData here - long story). The WSDL suggests the following format:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp">
<SOAP-ENV:Header>
<dsp:authentication/>
<dsp:dataRoot>
<dsp:root>STRING </dsp:root>
</dsp:dataRoot>
<dsp:request document="" method=""/>
<dsp:versions>
<dsp:version>STRING </dsp:version>
</dsp:versions>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<dsp:queryRequest/>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
So I created the following sample request code (and sent it out using Oxygen XML):
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp">
<SOAP-ENV:Header>
<dsp:authentication/>
<dsp:dataRoot allowRemoteDataAccess="true" >
<dsp:root />
</dsp:dataRoot>
<dsp:request service="DspSts" document="content" method="query"></dsp:request>
<dsp:versions>
<dsp:version>1.0</dsp:version>
</dsp:versions>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<dsp:queryRequest>
<dsQuery select="/list[#id='{8F3269B6-02EA-44C5-BA2B-BA8A4D5E9C44}']" resultContent="dataOnly" columnMapping="element" resultRoot="Rows" resultRow="Row">
<Query QueryType="DSPQ">
<Fields>
<AllFields />
</Fields>
</Query>
</dsQuery>
</dsp:queryRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
However, when I send that query I do not get a login prompt (when I use the Lists web service I get one) and then I get an error result:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<soap:Fault>
<faultcode>soap:Client.Dsp.InvalidSite</faultcode>
<faultstring>Failed to verify user permissions.</faultstring>
<detail>
<queryResponse xmlns="http://schemas.microsoft.com/sharepoint/dsp">
<dsQueryResponse status="failure"/>
</queryResponse>
</detail>
</soap:Fault>
</soap:Body>
</soap:Envelope>
I'm using a hosted SharePoint, so I don't know if I can tweak any security setting. Now my questions:
How can I enforce authentication?
What do I need to put into dsp:authentication?
What do I put in dsp:root?
All samples I found didn't have dsp:authentication or dsp:root in them.
Help is very much appreciated.
There actually is a workaround. If you read a different SharePoint web service first, e.g. Lists.asmx, then you are properly prompted for credentials, and the following calls to DspSts.asmx use the digest credentials created in the first call.