Invalid WS Security Header - IRS ACA SOAP Request

Asked 8/1, 2016 at 22:15 Answered 25/1, 2017 at 14:19

I'm in the process of submitting a RequestSubmissionStatusDetail request from the IRS.

Here's my problem. When submitting the following document to the IRS, I always get "Invalid WS Security Header". I do not know which part of my request is responsible for this submission not to be successful.

I'm referencing the following PDF (example code starts on page 35):

I've written the code in both VB and C#. I've intercepted the request with Fiddler, and also used Altova XMLSpy to send raw XML requests to the IRS endpoint.

Here's the code, pretty much line by line from the PDF, minus the key and the TCC.

    POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    VsDebuggerCausalityData: uIDPo1urdU71mo5BnU/TZ/Ji3p0AAAAAddUwh6B4CU6+F/jOewcN7JE6Ql8n+R1PofxFBfDEEg4ACQAA
    SOAPAction: "RequestSubmissionStatusDetail"
    Host: la.www4.irs.gov
    Content-Length: 4044
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive

    <soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader">  
        <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">   
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">    
                <ds:Signature Id="SIG-82E7E6716E615C14D6144736030986660" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">     
                    <ds:SignedInfo>      
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />      
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />      
                        <ds:Reference URI="#TS-82E7E6716E615C14D6144736030986559">       
                            <ds:Transforms>        
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
                                    <InclusiveNamespaces PrefixList="wsse wsa oas1 soapenv urn urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />                                       
                                </ds:Transform>       
                            </ds:Transforms>       
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />       
                            <ds:DigestValue>sgPiL73lIwOppVKHHUFkuWDEcLM=</ds:DigestValue>
                            <!-- DigestValue from Timestamp -->                 
                        </ds:Reference>      
                        <ds:Reference URI="#id-82E7E6716E615C14D6144736030986558">       
                            <ds:Transforms>        
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
                                    <InclusiveNamespaces PrefixList="wsa oas1 soapenv urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />        
                                </ds:Transform>       
                            </ds:Transforms>       
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />       
                            <ds:DigestValue>S3OdSc3rZ8V1egoyPGzi31n8gq8=</ds:DigestValue>        
                            <!-- DigestValue from ACABusinessHeader -->                      
                        </ds:Reference>      
                        <ds:Reference URI="#id-82E7E6716E615C14D6144736030986559">       
                            <ds:Transforms>        
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">         
                                    <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />        
                                </ds:Transform>       
                            </ds:Transforms>       
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />       
                            <ds:DigestValue>wOSkrI5NmQ5i5/wgjNEIoNODy+A=</ds:DigestValue>       
                            <!-- DigestValue from ACABulkRequestTransmitterStatusDetailRequest -->      
                        </ds:Reference>     
                    </ds:SignedInfo>    
                    <ds:SignatureValue>ddLCWffcBk5/PxqnJLMUM9lWWYWX7ucKQ4vPvM/qEj9IkJ0SVDytcjn0Az9Cge0nxOHI0NWCtAzbWzcUjHtUgt8A4rnxTTShQbIP3hPIX5UghS/Y6OEvOq8RvXL1S3R8nhX/nPrQSoPq6SpEz2HKq/ST5OrsstMvSpM0hCCinEKeLmLqkjfZw5wZVEeNwQIjghcsqQe7Q9crYhgdDwuvtixcoLw0JCgCiMr9yCmFsV4X+CklPuu4/bMUcuipE5fnSpqoZ6Sxp+UFlF3yzMXH6hKFRO7LRsXtwStN1kBwPJW5iPZ6b+X0Zlrc7gYTg1dHi3kcm3gLCRQ9ou+fZa7jnQ==</ds:SignatureValue>    
                    <ds:KeyInfo Id="KI-82E7E6716E615C14D6144736030986456">    
                        <wsse:SecurityTokenReference wsu:Id="STR-82E7E6716E615C14D6144736030986457">    
                            <wsse:KeyIdentifier  EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509v3">
                                removed
                            </wsse:KeyIdentifier>      
                        </wsse:SecurityTokenReference>     
                    </ds:KeyInfo>    
                </ds:Signature>    
                <wsu:Timestamp wsu:Id="TS-82E7E6716E615C14D6144736030985954">     
                    <wsu:Created>2016-01-07T20:31:49.859Z</wsu:Created>     
                    <wsu:Expires>2016-01-07T23:01:49.859Z</wsu:Expires>    
                </wsu:Timestamp>    
            </wsse:Security>   
            <urn:ACABusinessHeader wsu:Id="id-82E7E6716E615C14D6144736030986558"    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">    
                <urn1:UniqueTransmissionId>d4121eb6-29e8-4ebe-a485-0b2bf55fcb67:SYS12:XXXXX::T</urn1:UniqueTransmissionId>    
                <urn2:Timestamp>2016-01-07T15:31:49Z</urn2:Timestamp>   
            </urn:ACABusinessHeader>   
            <urn3:ACASecurityHeader />   
            <wsa:Action>RequestSubmissionStatusDetail</wsa:Action>  
        </soapenv:Header>  
        <soapenv:Body>   
            <urn:ACABulkRequestTransmitterStatusDetailRequest    version="1.0" wsu:Id="id-82E7E6716E615C14D6144736030986559"    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">    
            <urn1:ACABulkReqTrnsmtStsReqGrpDtl>     
                <urn2:ReceiptId>1094B-15-99700283</urn2:ReceiptId>    
            </urn1:ACABulkReqTrnsmtStsReqGrpDtl>   
            </urn:ACABulkRequestTransmitterStatusDetailRequest>  
        </soapenv:Body> 
    </soapenv:Envelope>

Seedling answered 8/1, 2016 at 22:15 Comment(8)

I am not familiar with that type of security, we use user name tokens, but try removing the comments . SOAP may be based on XML but not all XML items work with strict SOAP parsers. – Desai 12/1, 2016 at 19:21

@Seedling are you able to resolve this issue? I am facing similar issue but not exact. – Regimen 29/1, 2016 at 12:19

@Regimen sorry for the late reply. No, I haven't resolved this issue yet. – Seedling 4/2, 2016 at 17:52

How about now? I'm in the same boat. I did a character-by-character comparison of my submission with their documentation and the ws-security specification, and I'm %99.9 certain I've composed it properly. It is passing validations against their schema and the signature is validating successfully as well with the x509 cert. I'm really suspecting the IRS system is drastically broken and incapable of proper XML parsing and namespace inheritance. – Disarticulate 17/2, 2016 at 22:54

I've made no progress on this issue either. I'm actually hoping there's a problem on the irs side, as I'm not sure what to do next. – Seedling 19/2, 2016 at 3:0

I got this working finally. And I'm sorry to say that your ws-security header looks the exact same as mine, almost. The main difference being that I did not modify the output from the SignedXml GetXml method to correct the namespace prefix to ds. I left it as-is with just the namespace inheritance override and then modified the KeyInfo element with the BinarySecurityToken since the SignedXml output of course doesn't allow for an inline KeyIdentifier in the manner required. – Disarticulate 2/3, 2016 at 17:8

Wow, but the solution isn't working for ACABulkRequestTransmitterStatusDetailRequest just like for you. This can't be right, something is screwy on their side again... – Disarticulate 3/3, 2016 at 21:3

Ok, I DID get this working finally for the RequestSubmissionStatusDetail as well. So I know my solution works now for both endpoints. What method are you using to generate your Signature element? Because the SignedXml output does not assign any namespace prefixes to any elements. And you cannot modify it after generation to add the prefixes because it will break the comparison against it with the SignatureValue. – Disarticulate 4/3, 2016 at 21:52

It sounds like we're on the same path; maybe we can help each other out.

I ended up doing security by configuration:

<security 
    enableUnsecuredResponse="true" 
    authenticationMode="MutualCertificate" 
    messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
 />

You'll also need to override the identity DNS value for your endpoint with whoever your certificate was issued to. Put this inside your <endpoint> tags

<identity>
  <dns value="[Issued To]" />
</identity>

Finally, when you create a client, you need to use a ChannelFactory and set the appropriate credentials. Mine looks like this:

var factory = new ChannelFactory<BulkRequestTransmitterPortType>("BulkRequestTransmitterPort");
factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c");
factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c");
var client = factory.CreateChannel();

Let me know if you run into something else. Assuming your certificate and application status is OK, then once you get through this you'll probably be stuck on the next step with me (proper MTOM encoding). If you get through that successfully PLEASE let me know :)

Fuscous answered 26/1, 2016 at 21:30 Comment(1)

Just wondering, were you able to maintain this solution for signing after adding MTOM to it? The signing behavior I used executed after all the encoders did, meaning the output was no longer XML, so this solution wasn't able to properly bind to the soap envelope and insert the security element. – Disarticulate 18/2, 2016 at 21:42

If you want to connect to WS heading in SOAPUI you need to set:

This is because of the bindings used (wsHttpBinding):

<endpoint address="" binding="wsHttpBinding" bindingConfiguration="httpsBindingService" contract="Namespace.Contract"/>

I would strongly suggest not going the wsHttpBinding route but rather the more standard basicHttpsBinding route (If you control the service). The are many issues especially if you have java clients (Using Eclipse) connecting to your services.

<endpoint address="" binding="basicHttpsBinding" bindingConfiguration="DefaultHttpsBinding" contract="Namespace.Contract" />

Appellative answered 25/1, 2017 at 14:19 Comment(1)

FYI - You will find that settings in SOAPUI under the WS-A Tab at the bottom of your request window. – Appellative 25/1, 2017 at 14:25

-1

I suppose you have a signature element missing or misaligned.

In the documentation is says:

Transmitters must upload two xml files 1. Manifest file: To create the Request Manifest XML file: Transmitters should use Schema IRS-ACAUserInterfaceHeaderMessage.xsd to add/create “ACA Business Header” and “Request Manifest Details” 2. Form Data File: (1094/1095-[B,C]) ‒ IRS-Form1094-1095BTransmitterUpstreamMessage.xsd ‒ IRS-Form1094-1095CTransmitterUpstreamMessage.xsd

In the documentation you've provided there is a clue that says:

TPE1122 Invalid WS Security Header. Please try again.

Ensure that the SOAP message, including the Manifest file, contains the necessary signed WS-Security elements.

Comment on my answer to tell us if it is related to signature problems in the manifest file?

Troupe answered 14/1, 2016 at 16:7 Comment(4)

The manifest file is used when submitting the request via ISS-UI channel. I am submitting via a SOAP request using ISS-A2A. I should have been more clear, my apologies. – Seedling 15/1, 2016 at 3:28

NP! I tried myself and it doesn't matter if I try yours (even w/ missing key) or I use the one from the PDF (with all missing keys) - I'd always get the same error as you did. So, it seems to me that the problem is more global - either it checks all values for validity (including the expiration date) or there is a problem with a certificate that has to be included - do you have the X.509 mentioned in the document as mandatory for A2A? Do you pass it from your client? Another interesting fact is that the server issues the error HTTP/1.1 500 Internal Server Error in addition to the SOAP error! – Troupe 15/1, 2016 at 9:59

I don't pass the cert, but do use it when signing – Seedling 15/1, 2016 at 20:31

@Seedling just to clarify a little more, I believe the A2A Channel also requires the Manifest information. It is added to the SOAP Header, instead of sent through as a separate attachment as it would be through the UI Channel. – Alicia 30/3, 2016 at 17:47

-1

I was able to get past the TPE1122 error with the XML below (with key- and TCC-related parts redacted). I'm not sure about how you are actually signing things (I am using the SoapUI tool rather than programmatic signing), but in my case, I think the main issue had to do with the short names for namespaces (e.g. oas, wsu, etc.). I think they have to exactly match the IRS's expectations. Also, I see that you use the wsa:Action tag whereas I do not, although that probably does not affect the WS-Security header.

POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "RequestSubmissionStatusDetail"
Content-Length: 6088
Host: la.www4.irs.gov
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xd="http://www.w3.org/2000/09/xmldsig#">
<soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <ds:Signature Id="SIG-7570AFA8291320B0AC145394323250875" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#TS-7570AFA8291320B0AC145394323250671">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <InclusiveNamespaces PrefixList="wsse oas1 soapenv urn urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>mvcVAijgkdnRTsyynwCzUHX39VM=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#id-B123454679813489712349871234987123">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>5b2SAtep+3PvQj7hZnIGceu0RNg=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#id-D123454679813489712349871234987123">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>iO0oIkBURxyOUPhrJ/j5YPeRLbQ=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>REDACTED</ds:SignatureValue>
            <ds:KeyInfo Id="KI-7570AFA8291320B0AC145394323250873">
                <wsse:SecurityTokenReference wsu:Id="STR-7570AFA8291320B0AC145394323250874">
                    <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">REDACTED</wsse:KeyIdentifier>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
        </ds:Signature>
        <wsu:Timestamp wsu:Id="TS-7570AFA8291320B0AC145394323250671">
            <wsu:Created>2016-01-28T01:07:12Z</wsu:Created>
            <wsu:Expires>2016-01-28T01:07:13Z</wsu:Expires>
        </wsu:Timestamp>
    </wsse:Security>
    <urn:ACABusinessHeader wsu:Id="id-B123454679813489712349871234987123">
        <urn1:UniqueTransmissionId>5c953d6e-fb77-483f-89ee-5b824550d703:SYS12:RDCTD::T</urn1:UniqueTransmissionId>
        <urn2:Timestamp>2016-01-27T13:46:00Z</urn2:Timestamp>
    </urn:ACABusinessHeader>
</soapenv:Header>
<soapenv:Body>
    <urn:ACABulkRequestTransmitterStatusDetailRequest version="1.0" wsu:Id="id-D123454679813489712349871234987123">
        <urn1:ACABulkReqTrnsmtStsReqGrpDtl>
            <urn2:ReceiptId>1094C-00-00000000</urn2:ReceiptId>
        </urn1:ACABulkReqTrnsmtStsReqGrpDtl>
    </urn:ACABulkRequestTransmitterStatusDetailRequest>
</soapenv:Body>

Topsail answered 28/1, 2016 at 1:55 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags