提问人:mikeps34 提问时间:1/9/2016 最后编辑:zx485mikeps34 更新时间:1/25/2017 访问量:3826
无效的 WS 安全标头 - IRS ACA SOAP 请求
Invalid WS Security Header - IRS ACA SOAP Request
问:
我正在向国税局提交申请。RequestSubmissionStatusDetail
这是我的问题。向美国国税局提交以下文件时,我总是收到“无效的 WS 安全标头”。我不知道我的请求的哪一部分是导致此提交不成功的原因。
我已经用 VB 和 C# 编写了代码。我使用 Fiddler 截获了请求,并使用 Altova XMLSpy 将原始 XML 请求发送到 IRS 端点。
这是代码,几乎是 PDF 中的一行一行,减去密钥和 TCC。
POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
Content-Type: text/xml; charset=utf-8
VsDebuggerCausalityData: uIDPo1urdU71mo5BnU/TZ/Ji3p0AAAAAddUwh6B4CU6+F/jOewcN7JE6Ql8n+R1PofxFBfDEEg4ACQAA
SOAPAction: "RequestSubmissionStatusDetail"
Host: la.www4.irs.gov
Content-Length: 4044
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
<soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-82E7E6716E615C14D6144736030986660" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#TS-82E7E6716E615C14D6144736030986559">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsse wsa oas1 soapenv urn urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>sgPiL73lIwOppVKHHUFkuWDEcLM=</ds:DigestValue>
<!-- DigestValue from Timestamp -->
</ds:Reference>
<ds:Reference URI="#id-82E7E6716E615C14D6144736030986558">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsa oas1 soapenv urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>S3OdSc3rZ8V1egoyPGzi31n8gq8=</ds:DigestValue>
<!-- DigestValue from ACABusinessHeader -->
</ds:Reference>
<ds:Reference URI="#id-82E7E6716E615C14D6144736030986559">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>wOSkrI5NmQ5i5/wgjNEIoNODy+A=</ds:DigestValue>
<!-- DigestValue from ACABulkRequestTransmitterStatusDetailRequest -->
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ddLCWffcBk5/PxqnJLMUM9lWWYWX7ucKQ4vPvM/qEj9IkJ0SVDytcjn0Az9Cge0nxOHI0NWCtAzbWzcUjHtUgt8A4rnxTTShQbIP3hPIX5UghS/Y6OEvOq8RvXL1S3R8nhX/nPrQSoPq6SpEz2HKq/ST5OrsstMvSpM0hCCinEKeLmLqkjfZw5wZVEeNwQIjghcsqQe7Q9crYhgdDwuvtixcoLw0JCgCiMr9yCmFsV4X+CklPuu4/bMUcuipE5fnSpqoZ6Sxp+UFlF3yzMXH6hKFRO7LRsXtwStN1kBwPJW5iPZ6b+X0Zlrc7gYTg1dHi3kcm3gLCRQ9ou+fZa7jnQ==</ds:SignatureValue>
<ds:KeyInfo Id="KI-82E7E6716E615C14D6144736030986456">
<wsse:SecurityTokenReference wsu:Id="STR-82E7E6716E615C14D6144736030986457">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509v3">
removed
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-82E7E6716E615C14D6144736030985954">
<wsu:Created>2016-01-07T20:31:49.859Z</wsu:Created>
<wsu:Expires>2016-01-07T23:01:49.859Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<urn:ACABusinessHeader wsu:Id="id-82E7E6716E615C14D6144736030986558" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<urn1:UniqueTransmissionId>d4121eb6-29e8-4ebe-a485-0b2bf55fcb67:SYS12:XXXXX::T</urn1:UniqueTransmissionId>
<urn2:Timestamp>2016-01-07T15:31:49Z</urn2:Timestamp>
</urn:ACABusinessHeader>
<urn3:ACASecurityHeader />
<wsa:Action>RequestSubmissionStatusDetail</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<urn:ACABulkRequestTransmitterStatusDetailRequest version="1.0" wsu:Id="id-82E7E6716E615C14D6144736030986559" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<urn1:ACABulkReqTrnsmtStsReqGrpDtl>
<urn2:ReceiptId>1094B-15-99700283</urn2:ReceiptId>
</urn1:ACABulkReqTrnsmtStsReqGrpDtl>
</urn:ACABulkRequestTransmitterStatusDetailRequest>
</soapenv:Body>
</soapenv:Envelope>
答:
-1赞
Plamen G
1/15/2016
#1
我想您有一个签名元素缺失或未对齐。
在文档中说:
发送器必须上传两个 xml 文件 1.清单文件:若要创建请求清单 XML 文件,请执行以下操作: 发送器应使用架构 IRS-ACAUserInterfaceHeaderMessage.xsd 添加/创建“ACA 业务标头”和“请求清单详细信息” 2.表单数据文件: (1094/1095-[B,C]) \u2012 IRS-Form1094-1095BTransmitterUpstreamMessage.xsd \u2012 IRS-Form1094-1095CTransmitterUpstreamMessage.xsd
在您提供的文档中,有一条线索说:
TPE1122无效的 WS 安全标头。请再试一次。
确保 SOAP 消息(包括清单文件)包含 必需的已签名 WS-Security 元素。
评论我的答案,告诉我们它是否与清单文件中的签名问题有关?
评论
3赞
mikeps34
1/15/2016
通过 ISS-UI 通道提交请求时,将使用清单文件。我正在使用 ISS-A2A 通过 SOAP 请求提交。我应该说得更清楚,我的道歉。
0赞
Plamen G
1/15/2016
KPD公司我试过自己,如果我尝试你的(即使缺少键)还是使用 PDF 中的那个(所有缺少键)都没关系 - 我总是会遇到和你一样的错误。因此,在我看来,问题更具全球性 - 要么它检查所有值的有效性(包括到期日期),要么必须包含的证书存在问题 - 您是否将文档中提到的 X.509 作为 A2A 的强制性要求?你从你的客户那里传递它吗?另一个有趣的事实是,除了 SOAP 错误之外,服务器还发出错误 HTTP/1.1 500 Internal Server Error!
0赞
mikeps34
1/16/2016
我没有通过证书,但在签名时确实使用它
0赞
Russ
3/31/2016
@mikeps34只是为了澄清一点,我相信 A2A 频道也需要清单信息。它被添加到 SOAP 标头中,而不是像通过 UI 通道那样作为单独的附件发送。
0赞
Dave
1/27/2016
#2
听起来我们走在同一条路上;也许我们可以互相帮助。
我最终通过配置来做安全:
<security
enableUnsecuredResponse="true"
authenticationMode="MutualCertificate"
messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
/>
您还需要使用证书颁发给谁来覆盖终端节点的身份 DNS 值。把它放在你的标签里<endpoint>
<identity>
<dns value="[Issued To]" />
</identity>
最后,在创建客户端时,需要使用 并设置适当的凭据。我的看起来像这样:ChannelFactory
var factory = new ChannelFactory<BulkRequestTransmitterPortType>("BulkRequestTransmitterPort");
factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c");
factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c");
var client = factory.CreateChannel();
如果您遇到其他事情,请告诉我。假设您的证书和应用程序状态正常,那么一旦您完成了此操作,您可能会被困在我的下一步(正确的 MTOM 编码)中。如果您成功通过,请告诉我:)
评论
0赞
Bon
2/19/2016
只是想知道,在添加 MTOM 后,您是否能够维护此解决方案以进行签名?我使用的签名行为在所有编码器执行之后执行,这意味着输出不再是 XML,因此此解决方案无法正确绑定到 soap 信封并插入安全元素。
-1赞
J T
1/28/2016
#3
我能够使用下面的 XML 克服TPE1122错误(与密钥和 TCC 相关的部分已编辑)。我不确定您实际上是如何签名的(我使用的是 SoapUI 工具而不是编程签名),但就我而言,我认为主要问题与命名空间的短名称有关(例如 oas、wsu 等)。我认为他们必须完全符合美国国税局的期望。此外,我看到您使用了 wsa:Action 标记,而我没有,尽管这可能不会影响 WS-Security 标头。
POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "RequestSubmissionStatusDetail"
Content-Length: 6088
Host: la.www4.irs.gov
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xd="http://www.w3.org/2000/09/xmldsig#">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature Id="SIG-7570AFA8291320B0AC145394323250875" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-7570AFA8291320B0AC145394323250671">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsse oas1 soapenv urn urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>mvcVAijgkdnRTsyynwCzUHX39VM=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-B123454679813489712349871234987123">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>5b2SAtep+3PvQj7hZnIGceu0RNg=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-D123454679813489712349871234987123">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>iO0oIkBURxyOUPhrJ/j5YPeRLbQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>REDACTED</ds:SignatureValue>
<ds:KeyInfo Id="KI-7570AFA8291320B0AC145394323250873">
<wsse:SecurityTokenReference wsu:Id="STR-7570AFA8291320B0AC145394323250874">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">REDACTED</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-7570AFA8291320B0AC145394323250671">
<wsu:Created>2016-01-28T01:07:12Z</wsu:Created>
<wsu:Expires>2016-01-28T01:07:13Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<urn:ACABusinessHeader wsu:Id="id-B123454679813489712349871234987123">
<urn1:UniqueTransmissionId>5c953d6e-fb77-483f-89ee-5b824550d703:SYS12:RDCTD::T</urn1:UniqueTransmissionId>
<urn2:Timestamp>2016-01-27T13:46:00Z</urn2:Timestamp>
</urn:ACABusinessHeader>
</soapenv:Header>
<soapenv:Body>
<urn:ACABulkRequestTransmitterStatusDetailRequest version="1.0" wsu:Id="id-D123454679813489712349871234987123">
<urn1:ACABulkReqTrnsmtStsReqGrpDtl>
<urn2:ReceiptId>1094C-00-00000000</urn2:ReceiptId>
</urn1:ACABulkReqTrnsmtStsReqGrpDtl>
</urn:ACABulkRequestTransmitterStatusDetailRequest>
</soapenv:Body>
0赞
Marius Vorster
1/25/2017
#4
如果要连接到 SOAPUI 中的 WS 标题,则需要设置:
这是因为使用了绑定 (wsHttpBinding):
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="httpsBindingService" contract="Namespace.Contract"/>
我强烈建议不要使用 wsHttpBinding 路由,而是使用更标准的 basicHttpsBinding 路由(如果您控制服务)。这是许多问题,特别是当你有 java 客户端(使用 Eclipse)连接到你的服务时。
<endpoint address="" binding="basicHttpsBinding" bindingConfiguration="DefaultHttpsBinding" contract="Namespace.Contract" />
评论
0赞
Marius Vorster
1/25/2017
仅供参考 - 您将在请求窗口底部的 WS-A 选项卡下找到 SOAPUI 中的设置。
评论
<!-- -->