Sign SOAP message in java using wss4j and X509KeyIdentifier method - soap

I need to sign a SOAP message in Java using an X.509 certificate.
I have already implemented it using the libraries 'com.sun.org.apache.xml.internal.security' and 'java.security'.
This is what my signed SOAP message looks like:
<soapenv:Envelope xmlns:axw="http://www.axway.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/*encoded value*/</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
/*signature value*/
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
/*certificate*/
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
/*other encoded data*/
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</soapenv:Header>
<soapenv:Body>
/*SOAP message body*/
</soapenv:Body>
</soapenv:Envelope>
But I need my SOAP message to include 'wsse:SecurityTokenReference' and 'wsse:KeyIdentifier' instead of the 'ds:X509Data' and 'ds:X509Certificate' tags.
The expected signed SOAP message is:
<soapenv:Envelope xmlns:axw="http://www.axway.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-554C045BCDA442589F146244518693410" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="axw soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-554C045BCDA442589F14624451869339">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="axw" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/*encoded value*/</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>/*signature value*/</ds:SignatureValue>
<ds:KeyInfo Id="KI-554C045BCDA442589F14624451869337">
<wsse:SecurityTokenReference wsu:Id="STR-554C045BCDA442589F14624451869338">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
/*certificate*/</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-554C045BCDA442589F14624451869339" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
/*message body*/
</soapenv:Body>
</soapenv:Envelope>
I googled and found that the expected signed SOAP message is produced with the wss4j API.
But I am not able to use this API successfully and get the desired result.
Could anybody please guide me on how to use wss4j to sign a SOAP message?
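The following is an added example (not code from the question or from the WSS4J project) showing how the wss4j DOM API produces the second message shape. It assumes the WSS4J 2.2+ API (WSSecHeader taking the Document, WSSecSignature taking the header, build(Crypto)); the keystore file, passwords and alias are placeholders. The key line is setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER), which makes WSS4J emit wsse:SecurityTokenReference/wsse:KeyIdentifier with ValueType #X509v3 instead of ds:X509Data. A receiver-side verification step is included so the output can be checked the way the service will check it.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Properties;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngine;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Added example (WSS4J 2.2+ DOM API): sign the SOAP Body and reference the signing cert via wsse:KeyIdentifier. */
public final class Wss4jKeyIdentifierSigner {

    // Constructed sample envelope; the body content is arbitrary.
    static final String SAMPLE_SOAP =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
        + " xmlns:axw=\"http://www.axway.com\">"
        + "<soapenv:Header/>"
        + "<soapenv:Body><axw:ping/></soapenv:Body>"
        + "</soapenv:Envelope>";

    // Placeholder keystore settings (assumptions); replace with your own keystore, password and alias.
    static final String KEYSTORE_FILE = "client.jks";
    static final String KEYSTORE_PASSWORD = "changeit";
    static final String KEY_ALIAS = "client-alias";
    static final String KEY_PASSWORD = "changeit";

    /** Merlin is WSS4J's keystore-backed Crypto implementation. */
    static Crypto loadCrypto() throws Exception {
        Properties p = new Properties();
        p.put("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.put("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.put("org.apache.wss4j.crypto.merlin.keystore.file", KEYSTORE_FILE);
        p.put("org.apache.wss4j.crypto.merlin.keystore.password", KEYSTORE_PASSWORD);
        p.put("org.apache.wss4j.crypto.merlin.keystore.alias", KEY_ALIAS);
        return CryptoFactory.getInstance(p);
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // XML-DSig processing needs a namespace-aware DOM
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs: blocks XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Signs the Body; the KeyInfo becomes <wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="...#X509v3">. */
    static Document sign(Document doc, Crypto crypto) throws Exception {
        WSSecHeader secHeader = new WSSecHeader(doc);
        secHeader.insertSecurityHeader(); // adds <wsse:Security> to the SOAP Header

        WSSecSignature sig = new WSSecSignature(secHeader);
        sig.setUserInfo(KEY_ALIAS, KEY_PASSWORD);
        // This setting selects the KeyInfo style asked about: X509_KEY_IDENTIFIER embeds the
        // base64 certificate in wsse:KeyIdentifier instead of ds:X509Data/ds:X509Certificate.
        sig.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
        sig.setSignatureAlgorithm(WSConstants.RSA_SHA1); // matches the expected message; use RSA_SHA256 where the peer allows it
        sig.setDigestAlgo(WSConstants.SHA1);
        sig.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
        // With no explicit parts configured, WSS4J signs the SOAP Body and gives it a wsu:Id.
        return sig.build(crypto);
    }

    /** Receiver-side check: processSecurityHeader throws WSSecurityException on a bad signature. */
    static boolean verify(Document signed, Crypto crypto) throws Exception {
        WSSecurityEngine engine = new WSSecurityEngine();
        WSHandlerResult result = engine.processSecurityHeader(signed, null, null, crypto);
        return result.getActionResults().containsKey(WSConstants.SIGN);
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        WSSConfig.init(); // registers WSS4J's XML security providers once per JVM
        Crypto crypto = loadCrypto();
        Document signed = sign(parse(SAMPLE_SOAP), crypto);
        System.out.println(serialize(signed));
        System.out.println("signature verified: " + verify(signed, crypto));
    }
}
```

The verification step reuses the same Merlin Crypto as the trust store, so it passes for a certificate that is present in the keystore; a real receiver would point Merlin at a separate truststore containing only the issuers it accepts. If the service also wants the whole certificate available as a token, WSConstants.BST_DIRECT_REFERENCE produces the BinarySecurityToken plus wsse:Reference layout seen in the other questions on this page.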

Related

jmeter - WS Security for SOAP - SOAPMessage Timestamp&Token&Signature - problem with orders

I have been using this WS Security for SOAP plugin in JMeter for a long time. It works properly.
But I came across an interesting phenomenon in my current job. I would like to know if anyone has relevant experience on the subject!
The service we used to use as "asmx" has been changed to "svc". I'd like to test calling this with a certificate.
A new feature has become the technology in the meantime, so the service also requires a timestamp in the call, which is also signed.
By setting the JMeter components provided by the WSS module properly, the tags in the WS-Security header are created in the following order, depending on which is higher in the hierarchy list:
Watch the timestamp!
<soapenv:Header>
<wsse:Security >
<wsu:Timestamp >
<wsu:Created></wsu:Created>
<wsu:Expires></wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod >
<ec:InclusiveNamespaces />
</ds:CanonicalizationMethod>
<ds:SignatureMethod >
<ds:Reference>
<ds:Transforms>
<ds:Transform>
<ec:InclusiveNamespaces/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod/>
<ds:DigestValue>...=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>...
OR
<soapenv:Header>
<wsse:Security >
<wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod >
<ec:InclusiveNamespaces />
</ds:CanonicalizationMethod>
<ds:SignatureMethod >
<ds:Reference>
<ds:Transforms>
<ds:Transform>
<ec:InclusiveNamespaces/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod/>
<ds:DigestValue>...=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp >
<wsu:Created></wsu:Created>
<wsu:Expires></wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>...
However, neither order is appropriate for the service.
By tricking and rebuilding the request with string operations, the correct order would be:
<soapenv:Header>
<wsse:Security >
<wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
<wsu:Timestamp >
<wsu:Created></wsu:Created>
<wsu:Expires></wsu:Expires>
</wsu:Timestamp>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod >
<ec:InclusiveNamespaces />
</ds:CanonicalizationMethod>
<ds:SignatureMethod >
<ds:Reference>
<ds:Transforms>
<ds:Transform>
<ec:InclusiveNamespaces/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod/>
<ds:DigestValue>...=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>...
However, I didn't see any way to set such an order!
Does anyone have any idea how I could solve this "nicely"?

Apache CXF WS-Security: "Security processing failed (actions mismatch)"

I am trying to generate a SOAP request using Apache CXF WS-Security similar to the following request (I generated it using SoapUI):
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-xxx" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenv"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#xxxx">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList=""
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xxxx</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxx
</ds:SignatureValue>
<ds:KeyInfo Id="xxxxx">
<wsse:SecurityTokenReference wsu:Id="xxxxx">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
xxxx
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-xxx"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<v3:AccountRequest
xmlns:v3="http://services.mysiste.com/V3">
<Request>
<SearchParametersBlock>
<MktCd>
<MktCdData>
<MktCd>US</MktCd>
</MktCdData>
</MktCd>
</SearchParametersBlock>
</Request>
</v3:AccountRequest>
</soapenv:Body>
</soapenv:Envelope>
I am using the following code to generate my Java client:
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants; // WSS4J 1.x package, matching the property keys below

// Merlin keystore configuration for the signing key
Properties signatureProperties = new Properties();
signatureProperties.put("org.apache.ws.security.crypto.provider",
        "org.apache.ws.security.components.crypto.Merlin");
signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.file", "server.jks");
signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", "password");
signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.alias", "myAlias");
signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.private.password", "password");

// WSS4J handler configuration: sign with the key under "myAlias", referenced by X509KeyIdentifier
Map<String, Object> outProps = new HashMap<>();
outProps.put(WSHandlerConstants.USER, "myAlias");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier");
outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ServiceKeystorePasswordCallback.class.getName());
// SIG_ALGO expects a signature algorithm URI; "...xmldsig#sha1" is a digest algorithm and would be rejected
outProps.put(WSHandlerConstants.SIG_ALGO, "http://www.w3.org/2000/09/xmldsig#rsa-sha1");
outProps.put(WSHandlerConstants.SIG_C14N_ALGO, "http://www.w3.org/2001/10/xml-exc-c14n#");
outProps.put(WSHandlerConstants.SIG_PROP_REF_ID, "signatureProperties");
outProps.put("signatureProperties", signatureProperties);

org.apache.cxf.endpoint.Client client = ClientProxy.getClient(this.service);
org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();
// Note: an *in* interceptor is being added to the *out* chain here
WSS4JInInterceptor wssIn = new WSS4JInInterceptor(outProps);
cxfEndpoint.getOutInterceptors().add(wssIn);
But I am experiencing the following error: "Security processing failed (actions mismatch)".
I traced the exception and it boils down to the following snippet:
if (!checkReceiverResultsAnyOrder(wsResult, actions)) {
LOG.warning("Security processing failed (actions mismatch)");
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
}
where actions != wsResult (it is empty).
I am not sure how to populate wsResult in this case. Any help would be greatly appreciated.
Instead of WSS4JInInterceptor, I had to use a WSS4JOutInterceptor:
WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProps);
cxfEndpoint.getOutInterceptors().add(outInterceptor);
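As an added example (not the asker's code and not part of CXF or WSS4J), this is how the two interceptors are normally paired on a CXF client: WSS4JOutInterceptor signs outgoing requests, and WSS4JInInterceptor with the same ACTION on the in chain requires and verifies a signature on the responses, which is exactly the check that raised "actions mismatch" when the in interceptor was placed on the out chain. It assumes the WSS4J 2.x package names (org.apache.wss4j.*) and CXF 3.x; the alias, passwords, keystore and truststore names are placeholders, and the CallbackHandler replaces the ServiceKeystorePasswordCallback class that the question references but does not show.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

/** Added example: sign outgoing CXF requests and verify signatures on incoming responses. */
public final class CxfSignatureInterceptors {

    static final String ALIAS = "myAlias"; // placeholder alias, as in the question

    /** Hands the private-key password to WSS4J when it asks for the signing alias. */
    public static final class KeyPasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (ALIAS.equals(pc.getIdentifier())) {
                    pc.setPassword("password"); // placeholder; load from a secret store in real code
                }
            }
        }
    }

    /** Merlin keystore properties (WSS4J 2.x key names); file, type and password are placeholders. */
    static Properties merlin(String file, String password) {
        Properties p = new Properties();
        p.put("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.put("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.put("org.apache.wss4j.crypto.merlin.keystore.file", file);
        p.put("org.apache.wss4j.crypto.merlin.keystore.password", password);
        return p;
    }

    /** Out direction: sign the Body, reference the certificate by X509KeyIdentifier. */
    public static Map<String, Object> outProps() {
        Map<String, Object> m = new HashMap<>();
        m.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        m.put(WSHandlerConstants.USER, ALIAS);
        m.put(WSHandlerConstants.PW_CALLBACK_REF, new KeyPasswordCallback());
        m.put(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier");
        m.put(WSHandlerConstants.SIG_ALGO, WSConstants.RSA_SHA1);        // signature algorithm URI
        m.put(WSHandlerConstants.SIG_DIGEST_ALGO, WSConstants.SHA1);     // digest algorithm URI
        m.put(WSHandlerConstants.SIG_C14N_ALGO, WSConstants.C14N_EXCL_OMIT_COMMENTS);
        m.put(WSHandlerConstants.SIG_PROP_REF_ID, "sigProps");
        m.put("sigProps", merlin("client.jks", "changeit"));
        return m;
    }

    /** In direction: a response without a valid signature is rejected with the same "actions mismatch" check. */
    public static Map<String, Object> inProps() {
        Map<String, Object> m = new HashMap<>();
        m.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        m.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "verProps");
        m.put("verProps", merlin("truststore.jks", "changeit")); // issuers we accept, not our own key
        return m;
    }

    /** jaxwsProxy is the generated port object (the question's this.service). */
    public static void install(Object jaxwsProxy) {
        Client client = ClientProxy.getClient(jaxwsProxy);
        Endpoint ep = client.getEndpoint();
        ep.getOutInterceptors().add(new WSS4JOutInterceptor(outProps()));
        ep.getInInterceptors().add(new WSS4JInInterceptor(inProps()));
    }
}
```

Keep the signing keystore and the verification truststore separate: the truststore should hold only the CA or peer certificates the client is willing to accept, so a response signed with an unrelated key fails at SIG_VER_PROP_REF_ID rather than being trusted because it happened to be in the client's own keystore.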

Databricks SSO authentication failed | Google IdP

I've configured Databricks SSO 2.0 to work with Google as the IdP.
When I try to test it I receive this error: "Single Sign-On authentication failed."
Tracking the SAML messages, everything looks correct:
SAML REQUEST:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_956****d-44fe-**80-654e-b9ae3c8974e1"
Version="2.0"
IssueInstant="2021-10-19T12:38:10Z"
Destination="https://accounts.google.com/o/saml2/idp?idpid=*****sha*****"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://dbc-***990a9-*****.cloud.databricks.com/saml/consume"
>
<saml:Issuer>https://dbc-****990a9-*****.cloud.databricks.com/saml/consume</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true"
/>
</samlp:AuthnRequest>
SAML RESPONSE:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://dbc-*****990a9-*****.cloud.databricks.com/saml/consume"
ID="_d32****e5002e8760******d431c69"
InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_cb5ee***08cb7***********bd194"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer>https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_cb5ee92*******0652**2145*******4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>i45E******dCx*********zXr7AC2RX38=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PeQTj**********************E8O46BoalK+7sblRLA5hCk/xuGRADeuGyGERwdEDdeY5tJK
uDhr+W4oML75eDYMSwYW6ZcDyFXFmQucia7HLD0pI************************************************iYZr8opwuzFkzOnnwulgTwlk9
137uW2/abZFV2M***************==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>*****************IBAgIGAVr9E/j7MA0GCSqGSIb3DQEBCwU***********************************qQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQBSOUJWpyF3PEpiFHednZqU9U8yJ+fakv9CZrx0tvuAKLKfD7f8cZpH4FORCVg82stN3mOd
BlZ+3PyVr/tGz4Lf1vbXULC256HvmKBFI8jc/N*******************************</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">danilo.ca*****#********.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
Recipient="https://dbc-*******990a9-******.cloud.databricks.com/saml/consume"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-10-19T12:33:21.957Z"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://dbc-*******990a9-******.cloud.databricks.com/saml/consume</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-10-19T12:38:21.000Z"
SessionIndex="_**ee**********7c40*****cddbbd194"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
All the information in the SAML looks correct (my email, Google ID, Databricks URL), but it still keeps failing.
This is the doc for Google Workspace SSO:
v1: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite.html
v2: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite20.html
Troubleshooting docs:
https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#troubleshooting
If you are using Google Workspace (formerly G Suite) single sign-on (SSO v2.0), double-check Step 7: (Required) Select Signed response. The response also has to be signed.
The solution is to mark the signed response, so the signature will come before the assertion tag:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://*************.cloud.databricks.com/saml/consume"
ID="******************d3952e02"
InResponseTo="ONELOGIN_bc2cb9***************7-bb86-0***********fc4"
IssueInstant="2021-10-28T12:48:45.663Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=************</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_****************46dd50562**************52e02">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>***********2kA0VqohW***************OeeTyCnKuvVlGI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>*****************************JmIrnaHPRjm87OXyqnvOhNBjKD24BfBxnodbUmx9IeWKT4mBS13huje99DBl9S9
USPnKD3zwb1htVBWbT1TxSeD6EUZbl8**********************************3ODow==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>MIIDd**************************************UgwwH4Y/yQZx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
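The difference between the failing and the working message above is where the ds:Signature sits: under saml2:Assertion only, or directly under saml2p:Response. The following added example (not from the question, the answer, or Databricks) is a small structural check that reports which of the two elements carries an enveloped signature whose ds:Reference actually points at that element's own ID. The two sample messages are constructed and stripped down (no real digests or signature values); the check inspects placement only and does not validate the signature cryptographically, which remains a separate step.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example: report which SAML elements carry an enveloped signature that covers them. */
public final class SamlSignaturePlacement {
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed, stripped-down messages; "%s" is the ID the single Reference points at.
    static final String SIG = "<ds:Signature xmlns:ds=\"" + DSIG + "\"><ds:SignedInfo>"
        + "<ds:Reference URI=\"#%s\"/></ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue></ds:Signature>";
    static final String ASSERTION_ONLY_SIGNED =
        "<saml2p:Response xmlns:saml2p=\"" + SAMLP + "\" ID=\"_resp\">"
        + "<saml2:Assertion xmlns:saml2=\"" + SAML + "\" ID=\"_asrt\">" + String.format(SIG, "_asrt")
        + "</saml2:Assertion></saml2p:Response>";
    static final String RESPONSE_AND_ASSERTION_SIGNED =
        "<saml2p:Response xmlns:saml2p=\"" + SAMLP + "\" ID=\"_resp\">" + String.format(SIG, "_resp")
        + "<saml2:Assertion xmlns:saml2=\"" + SAML + "\" ID=\"_asrt\">" + String.format(SIG, "_asrt")
        + "</saml2:Assertion></saml2p:Response>";

    public static final class Placement {
        public boolean responseSigned;
        public boolean assertionSigned;
        @Override public String toString() {
            return "responseSigned=" + responseSigned + ", assertionSigned=" + assertionSigned;
        }
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs: blocks XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /**
     * A ds:Signature counts for an element only if it is a direct child of that element and one of
     * its ds:Reference URIs names that element's own ID. A signature placed elsewhere, or one that
     * references a different ID, does not protect the Response even though a Signature is present.
     */
    public static Placement inspect(String xml) throws Exception {
        Document doc = parse(xml);
        Placement p = new Placement();
        NodeList sigs = doc.getElementsByTagNameNS(DSIG, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            Element sig = (Element) sigs.item(i);
            Element parent = (Element) sig.getParentNode();
            String parentId = parent.getAttribute("ID");
            if (parentId.isEmpty() || !coversId(sig, parentId)) {
                continue;
            }
            if (SAMLP.equals(parent.getNamespaceURI()) && "Response".equals(parent.getLocalName())) {
                p.responseSigned = true;
            }
            if (SAML.equals(parent.getNamespaceURI()) && "Assertion".equals(parent.getLocalName())) {
                p.assertionSigned = true;
            }
        }
        return p;
    }

    static boolean coversId(Element sig, String id) {
        NodeList refs = sig.getElementsByTagNameNS(DSIG, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            if (("#" + id).equals(((Element) refs.item(i)).getAttribute("URI"))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("assertion only:         " + inspect(ASSERTION_ONLY_SIGNED));
        System.out.println("response and assertion: " + inspect(RESPONSE_AND_ASSERTION_SIGNED));
    }
}
```

For the first sample the check reports responseSigned=false, which is the condition a service provider configured to require a signed response rejects; for the second it reports both as true. When the Response is signed, its Reference covers the nested Assertion as well, so the Assertion-level signature is then optional from the SP's point of view.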

Identify Cert in Soap request

I am receiving a SOAP message that contains:
- wsse:BinarySecurityToken
- KeyInfo
etc.
The problem is that there are multiple certs in my truststore that correspond to it; I want to identify which cert this SOAP request contains.
Sample header:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-******************">
**************</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-***************" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="mes soapenv touc" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-***************************">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="mes touc" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>**************=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>**************</ds:SignatureValue>
<ds:KeyInfo Id="KI-**********************">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-*******************" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#X509-*********************" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
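In the header above the certificate is carried inline in the wsse:BinarySecurityToken, and its ValueType (#X509PKIPathv1) tells you how to decode it: a PkiPath is a DER sequence of certificates, while #X509v3 is a single DER certificate. The following added example (not from the question; plain JDK, no WSS4J) decodes every BinarySecurityToken and X509v3 KeyIdentifier in a Security header, prints each certificate's subject, serial number and SHA-256 thumbprint, and reports which truststore aliases hold an identical certificate. It assumes the SOAP message and the JKS truststore are supplied as command-line arguments, since a real certificate cannot be embedded here.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: find out which certificate(s) a WS-Security header carries and match them to a truststore. */
public final class SoapCertIdentifier {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    static final String PKIPATH = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";

    /** Certificates embedded in BinarySecurityToken (X509v3 or PKIPath) and KeyIdentifier (X509v3) elements. */
    public static List<X509Certificate> certsInHeader(Document doc) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        for (String local : new String[] {"BinarySecurityToken", "KeyIdentifier"}) {
            NodeList nl = doc.getElementsByTagNameNS(WSSE, local);
            for (int i = 0; i < nl.getLength(); i++) {
                Element e = (Element) nl.item(i);
                String valueType = e.getAttribute("ValueType");
                // MIME decoder tolerates the line breaks that base64 token values usually contain.
                byte[] der = Base64.getMimeDecoder().decode(e.getTextContent().trim());
                if (X509V3.equals(valueType)) {
                    out.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
                } else if (PKIPATH.equals(valueType)) {
                    // Java's CertPath lists the end-entity (signing) certificate first, then its issuers.
                    CertPath path = cf.generateCertPath(new ByteArrayInputStream(der), "PkiPath");
                    for (Certificate c : path.getCertificates()) {
                        out.add((X509Certificate) c);
                    }
                }
                // Other ValueTypes (e.g. X509SubjectKeyIdentifier) are references, not certificates.
            }
        }
        return out;
    }

    public static String thumbprintSha256(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Truststore aliases whose certificate is byte-for-byte identical to the given one. */
    public static List<String> matchingAliases(KeyStore ts, X509Certificate c) throws Exception {
        List<String> hits = new ArrayList<>();
        for (Enumeration<String> en = ts.aliases(); en.hasMoreElements();) {
            String alias = en.nextElement();
            Certificate t = ts.getCertificate(alias);
            if (t != null && t.equals(c)) {
                hits.add(alias);
            }
        }
        return hits;
    }

    /** Usage: SoapCertIdentifier request.xml truststore.jks truststore-password */
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs: blocks XXE
        Document doc = f.newDocumentBuilder().parse(new File(args[0]));
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        for (X509Certificate c : certsInHeader(doc)) {
            System.out.println("subject=" + c.getSubjectX500Principal()
                + " serial=" + c.getSerialNumber().toString(16)
                + " sha256=" + thumbprintSha256(c)
                + " truststore=" + matchingAliases(ts, c));
        }
    }
}
```

Matching on the encoded certificate (or its SHA-256 thumbprint) rather than on the subject name is deliberate: several truststore entries can share a subject DN, for example after a renewal, and only the exact certificate identifies the signer. Whether that certificate actually produced the signature is established by signature verification, which this listing does not replace.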

IRS ACA 1095B BulkRequestTransmitter: Invalid WS Security Header - SOAP UI

I am trying to invoke the IRS ACA 1095-B WS through SOAP UI. I have configured the Keystore in SOAP UI, which says OK when imported. I have signed the 3 elements referred to in the IRS doc: ACABusinessHeader, ACATransmitterManifestReqDtl and Timestamp. I have tried with and without Gzip / WSA Header / Attachment / MTOM; still, for a simple SOAP Request without any file attachment I am getting:
The WS Security Header in the message is invalid. Please review the transmission instructions outlined in Section 5 of the AIR Submission Composition and Reference Guide located at https://www.irs.gov/for-Tax-Pros/Software-Developers/Information-Returns/Affordable-Care-Act-Information-Return-AIR-Program, correct any issues, and try again.
Error Code: TPE 1122.
I have attached the complete SOAP UI Request Message.
Any sort of help is appreciated.
POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Transmission_AATS2016 HTTP/1.1
Content-Encoding: gzip
Accept-Encoding: gzip,deflate
Content-Type: multipart/related; type="application/xop+xml"; start="<rootpart#soapui.org>"; start-info="text/xml"; boundary="----=_Part_0_1488514502.1456157000203"
SOAPAction: "BulkRequestTransmitter"
MIME-Version: 1.0
Transfer-Encoding: chunked
Host: la.www4.irs.gov
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:acabusinessheader" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader" xmlns:urn4="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xd="http://www.w3.org/2000/09/xmldsig#">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature Id="SIG-F8EA5798DFE03264EF145615675816614" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="oas1 soapenv urn urn1 urn2 urn3 urn4 wsu xd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-E9877CA7A36541AA6A1455820267635274">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 urn4 xd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>REDACTED</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-E9877CA7A36541AA6A1455820267635275">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="oas1 soapenv urn urn2 urn3 urn4 xd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>REDACTED</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-E9877CA7A36541AA6A1455820267635276">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="oas1 soapenv urn urn1 urn2 urn3 urn4 xd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>REDACTED</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>REDACTED</ds:SignatureValue>
<ds:KeyInfo Id="RE-Dacted">
<wsse:SecurityTokenReference wsu:Id="STR-abcdefghijklmnopqredacted">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">REDACTED</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<urn3:ACASecurityHeader/>
<urn:ACABusinessHeader wsu:Id="id-E9877CA7A36541AA6A1455820267635274">
<urn1:UniqueTransmissionId>abcd-efgh:1234</urn1:UniqueTransmissionId>
<urn2:Timestamp>2016-02-17T15:17:47Z</urn2:Timestamp>
</urn:ACABusinessHeader>
<urn1:ACATransmitterManifestReqDtl wsu:Id="id-E9877CA7A36541AA6A1455820267635275">
<urn1:PriorYearDataInd>0</urn1:PriorYearDataInd>
<urn2:EIN>12-34567</urn2:EIN>
<urn1:TestFileCd>T</urn1:TestFileCd>
<urn1:TransmitterNameGrp>
<urn1:BusinessNameLine1Txt>SOME VALUE</urn1:BusinessNameLine1Txt>
</urn1:TransmitterNameGrp>
<urn1:CompanyInformationGrp>
<urn1:MailingAddressGrp>
<urn1:USAddressGrp>
<urn1:AddressLine1Txt>SOME ADRESS</urn1:AddressLine1Txt>
<urn2:CityNm>SOME CITY</urn2:CityNm>
<urn1:USStateCd>AB</urn1:USStateCd>
<urn2:USZIPCd>12345</urn2:USZIPCd>
<urn2:USZIPExtensionCd>6789</urn2:USZIPExtensionCd>
</urn1:USAddressGrp>
</urn1:MailingAddressGrp>
<urn1:ContactNameGrp>
<urn2:PersonFirstNm>First</urn2:PersonFirstNm>
<urn2:PersonLastNm>Last</urn2:PersonLastNm>
</urn1:ContactNameGrp>
<urn1:ContactPhoneNum>123-456-7890</urn1:ContactPhoneNum>
</urn1:CompanyInformationGrp>
<urn1:VendorInformationGrp>
<urn1:VendorCd>Some Vendor</urn1:VendorCd>
<urn1:ContactNameGrp>
<urn2:PersonFirstNm>First</urn2:PersonFirstNm>
<urn2:PersonLastNm>Last</urn2:PersonLastNm>
</urn1:ContactNameGrp>
<urn1:ContactPhoneNum>Phone</urn1:ContactPhoneNum>
</urn1:VendorInformationGrp>
<urn1:TotalPayeeRecordCnt>1</urn1:TotalPayeeRecordCnt>
<urn1:TotalPayerRecordCnt>1</urn1:TotalPayerRecordCnt>
<urn1:SoftwareId>A12345678</urn1:SoftwareId>
<urn1:FormTypeCd>1094-1095B</urn1:FormTypeCd>
<urn2:BinaryFormatCd>application/xml</urn2:BinaryFormatCd>
<urn2:ChecksumAugmentationNum>garbage-value</urn2:ChecksumAugmentationNum>
<urn2:AttachmentByteSizeNum>1234</urn2:AttachmentByteSizeNum>
<urn1:DocumentSystemFileNm>some</urn1:DocumentSystemFileNm>
</urn1:ACATransmitterManifestReqDtl>
<wsu:Timestamp wsu:Id="id-E9877CA7A36541AA6A1455820267635276">
<wsu:Created>2016-02-17T15:41:09.678Z</wsu:Created>
<wsu:Expires>2016-02-20T10:21:09.678Z</wsu:Expires>
</wsu:Timestamp>
<wsa:Action>BulkRequestTransmitter</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<urn4:ACABulkRequestTransmitter>
<urn2:BulkExchangeFile>
</urn2:BulkExchangeFile>
</urn4:ACABulkRequestTransmitter>
</soapenv:Body>
</soapenv:Envelope>
I see the wsu:Timestamp is outside the wsse:Security. I have attached the outgoing WS-Security configuration of my working SOAP UI; cross-check it with yours.
After applying the outgoing headers, submit the request as is and do not format the request!
[Screenshots attached to the answer: the outgoing WS-Security configuration of SOAP UI, the outgoing WS-Security Timestamp configuration, and the SOAP UI KeyStore set up from a pfx file.]
Request payload:
POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Transmission_AATS2016 HTTP/1.1
SOAPAction: BulkRequestTransmitter
Content-Type: multipart/related; type="application/xop+xml"; start="<rootpart#soapui.org>"; start-info="text/xml"; boundary="----=_Part_26_1277305220.1456248891536"
Host: la.www4.irs.gov
Content-Length: 17728
Expect: 100-continue
Connection: Keep-Alive
------=_Part_26_1277305220.1456248891536
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-Transfer-Encoding: 8bit
Content-ID: <rootpart#soapui.org>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<wsse:Security s:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-3ED4996B507C9FE4891456248845324120" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-3ED4996B507C9FE4891456248845320116">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsse s" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>....</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-D4CA0E52B9727D4C0A14551257302705">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="s" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>....</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-1781945826">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="s" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>.....</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>.....</ds:SignatureValue>
<ds:KeyInfo Id="KI-3ED4996B507C9FE4891456248845324118">
<wsse:SecurityTokenReference wsu:Id="STR-3ED4996B507C9FE4891456248845324119">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">....</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-3ED4996B507C9FE4891456248845320116">
<wsu:Created>2016-02-23T17:34:05.320Z</wsu:Created>
<wsu:Expires>2016-05-26T04:27:12.320Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<ns0:ACABusinessHeader ns1:Id="id-1781945826" ns2:anyAttr="anyAttrContents" xmlns:ns0="urn:us:gov:treasury:irs:msg:acabusinessheader" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns2="urn:us:gov:treasury:irs:msg:acabusinessheaderanyAttr">
<ns3:UniqueTransmissionId xmlns:ns3="urn:us:gov:treasury:irs:ext:aca:air:7.0">5a79b747-f622-4fe0-b5a7-4ab52226bc70:SYS12:xxxxx::T</ns3:UniqueTransmissionId>
<ns4:Timestamp xmlns:ns4="urn:us:gov:treasury:irs:common">2016-02-09T12:34:33Z</ns4:Timestamp>
</ns0:ACABusinessHeader>
<ACATransmitterManifestReqDtl d1p1:Id="id-D4CA0E52B9727D4C0A14551257302705" xsi:schemaLocation="urn:us:gov:treasury:irs:msg:form1094-1095BCtransmitterreqmessage IRS-Form1094-1095BCTransmitterReqMessage.xsd" xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:d1p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:irs="urn:us:gov:treasury:irs:common" xmlns:n1="urn:us:gov:treasury:irs:msg:form1094-1095BCtransmitterreqmessage" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
</ACATransmitterManifestReqDtl>
</s:Header>
<s:Body>
<ns0:ACABulkRequestTransmitter version="1.0" xmlns:ns0="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter">
<ns1:BulkExchangeFile xmlns:ns1="urn:us:gov:treasury:irs:common">
<inc:Include href="cid:1094B_Request_xxxxx_20160211T170145000Z.xml" xmlns:inc="http://www.w3.org/2004/08/xop/include"/>
</ns1:BulkExchangeFile>
</ns0:ACABulkRequestTransmitter>
</s:Body>
</s:Envelope>
------=_Part_26_1277305220.1456248891536
Content-Type: text/xml; charset=Cp1252;
name=1094B_Request_xxxxx_20160211T170145000Z.xml
Content-Transfer-Encoding: quoted-printable
Content-ID: <1094B_Request_xxxxx_20160211T170145000Z.xml>
Content-Disposition: attachment;name="1094B_Request_xxxxx_20160211T170145000Z.xml";
filename="1094B_Request_xxxxx_20160211T170145000Z.xml"
< 1094 Bulk file removed>
------=_Part_26_1277305220.1456248891536--
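Two of the questions on this page come down to the layout of the wsse:Security header: the JMeter question needs its children in the order BinarySecurityToken, Timestamp, Signature, and the IRS question's failing request has the wsu:Timestamp outside wsse:Security altogether, where the working request has it inside. The following added example (not from either question, the JMeter plugin, or SOAP UI) fixes both with the JDK DOM API instead of string operations, on a constructed sample envelope whose digests and signature values are dummies. Reordering siblings under the same parent leaves every signed element's canonical form unchanged, so it is safe after signing; moving an element to a different parent changes the namespace declarations in scope, which an InclusiveNamespaces PrefixList can pull into the digest, so do that move before signing or re-sign afterwards.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example: put the Timestamp inside wsse:Security and order the header's children. */
public final class SecurityHeaderLayout {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample: Signature before the token, and the Timestamp outside wsse:Security.
    static final String SAMPLE =
        "<soapenv:Envelope xmlns:soapenv=\"" + SOAP + "\" xmlns:wsse=\"" + WSSE + "\""
        + " xmlns:wsu=\"" + WSU + "\" xmlns:ds=\"" + DS + "\"><soapenv:Header>"
        + "<wsse:Security><ds:Signature><ds:SignedInfo/><ds:SignatureValue>AA==</ds:SignatureValue></ds:Signature>"
        + "<wsse:BinarySecurityToken wsu:Id=\"X509-1\">AA==</wsse:BinarySecurityToken></wsse:Security>"
        + "<wsu:Timestamp wsu:Id=\"TS-1\"><wsu:Created>2016-02-17T15:41:09Z</wsu:Created></wsu:Timestamp>"
        + "</soapenv:Header><soapenv:Body/></soapenv:Envelope>";

    /** Required order of wsse:Security children, as "{namespace}local" keys; anything else goes last. */
    static final List<String> ORDER = Arrays.asList(
        key(WSSE, "BinarySecurityToken"), key(WSU, "Timestamp"), key(DS, "Signature"));

    static String key(String ns, String local) { return "{" + ns + "}" + local; }
    static int rank(Node n) {
        int i = ORDER.indexOf(key(n.getNamespaceURI(), n.getLocalName()));
        return i < 0 ? ORDER.size() : i;
    }

    static Element securityHeader(Document doc) {
        NodeList nl = doc.getElementsByTagNameNS(WSSE, "Security");
        if (nl.getLength() != 1) {
            throw new IllegalStateException("expected exactly one wsse:Security, found " + nl.getLength());
        }
        return (Element) nl.item(0);
    }

    /** Moves any wsu:Timestamp that sits directly under soapenv:Header into wsse:Security (do this before signing). */
    public static boolean moveTimestampIntoSecurity(Document doc) {
        Element security = securityHeader(doc);
        List<Node> stray = new ArrayList<>();
        NodeList ts = doc.getElementsByTagNameNS(WSU, "Timestamp");
        for (int i = 0; i < ts.getLength(); i++) { // copy first: the NodeList is live
            Node parent = ts.item(i).getParentNode();
            if (SOAP.equals(parent.getNamespaceURI()) && "Header".equals(parent.getLocalName())) {
                stray.add(ts.item(i));
            }
        }
        for (Node t : stray) {
            security.appendChild(t); // appendChild re-parents the existing node
        }
        return !stray.isEmpty();
    }

    /** Reorders the element children of wsse:Security to ORDER and returns the resulting local names. */
    public static List<String> orderSecurityChildren(Document doc) {
        Element security = securityHeader(doc);
        List<Node> children = new ArrayList<>();
        for (Node n = security.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE) {
                children.add(n);
            }
        }
        children.sort(Comparator.comparingInt(SecurityHeaderLayout::rank)); // stable: unknown elements keep their order
        List<String> names = new ArrayList<>();
        for (Node n : children) {
            security.appendChild(n); // appending an existing child moves it to the end, so this applies the order
            names.add(n.getLocalName());
        }
        return names;
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs: blocks XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(SAMPLE)));
        System.out.println("moved timestamp: " + moveTimestampIntoSecurity(doc));
        System.out.println("order now: " + orderSecurityChildren(doc)); // [BinarySecurityToken, Timestamp, Signature]
        System.out.println(serialize(doc));
    }
}
```

A receiver that insists on a particular order is relying on position rather than on the ds:Reference URIs, which is why the order matters for these services even though XML-DSig itself resolves signed parts by wsu:Id. Running orderSecurityChildren after a signing tool has produced the header is the DOM equivalent of the string rebuild described in the JMeter question, without the risk of corrupting the base64 or the whitespace inside signed elements.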