IRS ACA submission - Error TPE1122, WS Security Header in the message is invalid


We are trying to submit an ACA form to the IRS government site using their A2A channel. We are able to form the XML and the required encryption for this using X509 and SHA1.

While sending the XML to the IRS site we are getting the error "The WS Security Header in the message is invalid. Please review the transmission instructions outlined in Section 5 of the AIR Submission Composition and Reference Guide located at https://www.irs.gov/for-Tax-Pros/Software-Developers/Information-Returns/Affordable-Care-Act-Information-Return-AIR-Program, correct any issues, and try again." The error code is TPE1122.

Here are the sample XML parts which we are trying to post from SoapUI:

. . . 1094/1095C application/xml 843C9A557FC3ABF06EF26C5A4A69E19C 2426 Form1094C_Request_TCC_20160225T2003478641Z.xml

</urn:ACATransmitterManifestReqDtl>
<urn2:ACABusinessHeader oas:Id="ABH_110">
  <urn:UniqueTransmissionId>01242fde-536a-4879-b4db-932af7be668e:SYS12:TCC::T</urn:UniqueTransmissionId>
  <urn1:Timestamp>2016-02-25T17:31:16Z</urn1:Timestamp>
</urn2:ACABusinessHeader>
<oas1:Security>
  <xd:Signature>
    <xd:SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <xd:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <xd:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <xd:Reference URI="#tag1">
        <xd:Transforms>
          <xd:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </xd:Transforms>
        <xd:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <xd:DigestValue>j2bX9e90ETVru5w3Q4k0/yOvss4=</xd:DigestValue>
      </xd:Reference>
    </xd:SignedInfo>
    <xd:SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">signature_Value</xd:SignatureValue>
    <xd:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <xd:X509Data>
        <xd:X509SubjectName>subjectName</xd:X509SubjectName>
        <xd:X509Certificate>certificate details</xd:X509Certificate>
      </xd:X509Data>
    </xd:KeyInfo>
  </xd:Signature>
  <oas:Timestamp oas:Id="TS_110">
    <!--Optional:-->
    <oas:Created oas:Id="?">2016-02-25T19:40:33.900Z</oas:Created>
    <!--Optional:-->
    <oas:Expires oas:Id="?">2016-02-30T19:50:33.900Z</oas:Expires>
    <!--You have a CHOICE of the next 1 items at this level-->
    <!--You may enter ANY elements at this point-->
  </oas:Timestamp>
</oas1:Security>
<urn3:ACASecurityHeader>
</urn3:ACASecurityHeader>
</soapenv:Header>
<soapenv:Body> body elements</soapenv:Body>

Could you please guide us on what could be wrong with this?


There are 2 answers

3
gottfred On

So the one thing that immediately jumps out to me is that you only have a single Reference within your signature.  According to the AIR Submission Composition and Reference Guide there should be a total of 3 references.  One that references your manifest, one for the business header, and one for the timestamp.

Also, your Reference tag URI is referencing #tag1 which from what you posted doesn't actually reference any of the elements in your XML (unless that's the ID of your manifest which I can't see).  The reference URIs in your case should be #TS_110, #ABH_110, and #whateverYourManifestIDis.  Hope this helps!

0
Prabhat Sharma On

First of all, not all the elements are signed. The elements to be signed are:

1. Timestamp
2. Manifest
3. Business header

The signature should be in the above-mentioned order.

Also, the namespace for the security schema should be wsse and that of the timestamp should be wsu. (Illogical, right? But that's how it works.) Exactly like in the IRS guide. The namespace alias for other elements doesn't matter.

You could try SoapUI and look at the sample request generated.
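
The reference points raised in both answers (three References, each URI resolving to a real Id) can be checked mechanically before a submission is sent. The following Python check is an added example, not part of either answer or of the IRS guide; the placeholder namespace URIs, the manifest Id `MF_110` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Element local names as they appear in the question's XML.
REQUIRED = ("Timestamp", "ACATransmitterManifestReqDtl", "ACABusinessHeader")

def local(name):
    """Strip the '{namespace}' part ElementTree puts in front of a name."""
    return name.rsplit("}", 1)[-1]

def check_references(xml_text):
    """Return a list of findings; an empty list means all three parts are covered."""
    root = ET.fromstring(xml_text)
    # Map every Id attribute value, whatever its prefix, to the element carrying it.
    ids = {}
    for el in root.iter():
        for attr, value in el.attrib.items():
            if local(attr) == "Id":
                ids[value] = local(el.tag)
    findings, covered = [], set()
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            findings.append(f"Reference {uri!r} does not match any Id in the message")
        else:
            covered.add(target)
    for name in REQUIRED:
        if name not in covered:
            findings.append(f"{name} is not covered by any Reference")
    return findings

def sample_header(uris):
    """Constructed skeleton shaped like the question's header (placeholder namespaces)."""
    refs = "".join(f'<ds:Reference URI="{u}"/>' for u in uris)
    return (
        '<Header xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:m="urn:example:manifest"'
        ' xmlns:b="urn:example:bizheader" xmlns:oas="urn:example:utility">'
        '<m:ACATransmitterManifestReqDtl oas:Id="MF_110"/>'  # MF_110 is a constructed Id
        '<b:ACABusinessHeader oas:Id="ABH_110"/>'
        f'<Security><ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature>'
        '<oas:Timestamp oas:Id="TS_110"/></Security></Header>'
    )

AS_POSTED = check_references(sample_header(["#tag1"]))  # single reference, as in the question
CORRECTED = check_references(sample_header(["#TS_110", "#MF_110", "#ABH_110"]))

if __name__ == "__main__":
    print("\n".join(AS_POSTED) or "all references resolve")
```

The check only confirms that the References exist and resolve; it does not recompute digests or verify the signature value.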