
Part 1 of question:

Using npm soap, I am trying to make a SOAP call to the endpoint in the `url` variable below.

    var sslRootCAs = require('ssl-root-cas/latest');
    sslRootCAs.inject(); // load the ssl-root-cas bundle into https.globalAgent

    var soap = require('soap');
    var url = 'https://ws.conf.ebs.health.gov.on.ca:1440/HCVService/HCValidationService?wsdl';
    var args = {name: 'value'};
    // fetch and parse the WSDL; this is where the TLS error below is raised
    soap.createClient(url, function(err, client) {
        if (err) {
            console.log(err);
        }
        else console.log(client);
    });

I am getting the callback error:

{ [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

Why does the above error occur, though I have the certs?

Part 2 of question:

I received the below information:

***Information Start

  1. Click on the WSDL link: https://ws.conf.ebs.health.gov.on.ca:1440/HCVService/HCValidationService?wsdl

  2. Click on the Security Report Icon near the address bar

  3. Click View certificates

  4. Install certificates

You need to obtain your OWN security certificate. For the IDP model MOH will accept a self-signed certificate or a certificate issued by a Certificate Authority.

a) You will sign HCV request with your certificate’s private key;

b) we will receive the request and process it;

c) we will send back a response signed by the private key of our certificate (go-pki_cacert.arm). That's why you must have the go-pki_cacert.arm cert in your trust store (plus the other two that were mentioned in previous emails).

d) The secret key in the response will be encrypted using the public key retrieved from your certificate that you sent with the request. So, your corresponding private key must be used to decrypt it. All bits of the public key are used. You can then decrypt the body / message contents using the secret key provided.

Information End***

I have all the credentials provided, and some sample requests to be sent too.

Below is the sample XML request:

<soapenv:Envelope xmlns:ebs="http://ebs.health.ontario.ca/" xmlns:hcv="http://hcv.health.ontario.ca/" xmlns:idp="http://idp.ebs.health.ontario.ca/" xmlns:msa="http://msa.ebs.health.ontario.ca/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-FF9156B4BEE23716A1142978895556413">MIIGQzC..truncated..CPo=</wsse:BinarySecurityToken>
   <ds:Signature Id="SIG-30" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ebs hcv idp msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#UsernameToken-26"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ebs hcv idp msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>nuqM1lGK6rOVruau3woc66AsvIs=</ds:DigestValue></ds:Reference><ds:Reference URI="#TS-25"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="wsse ebs hcv idp msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>YHFurnR786jGnU0dmhB6AuZMWf0=</ds:DigestValue></ds:Reference><ds:Reference URI="#id-27"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="hcv idp msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>4HrW5GODU3lE87D24YfwxjGwgCo=</ds:DigestValue></ds:Reference><ds:Reference URI="#id-28"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ebs hcv msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>mfmdQegqmjMNvXyV0FYGiJwqrwc=</ds:DigestValue></ds:Reference><ds:Reference URI="#id-29">
   <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ebs hcv idp msa" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>HiE8JaUo37dckfkchYYve9S6LuQ=</ds:DigestValue></ds:Reference></ds:SignedInfo>
   <ds:SignatureValue>tAb..truncated..Q==</ds:SignatureValue>
   <ds:KeyInfo Id="KI-FF9156B4BEE23716A1142978895556414"><wsse:SecurityTokenReference wsu:Id="STR-FF9156B4BEE23716A1142978895556415">
<wsse:Reference URI="#X509-FF9156B4BEE23716A1142978895556413" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
<wsse:UsernameToken wsu:Id="UsernameToken-26">
<wsse:Username>confsu141@gmail.com</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Your_Password</wsse:Password></wsse:UsernameToken>
<wsu:Timestamp wsu:Id="TS-25"><wsu:Created>2015-04-23T11:35:55Z</wsu:Created>
<wsu:Expires>2015-04-23T11:45:55Z</wsu:Expires></wsu:Timestamp></wsse:Security>
      <idp:IDP wsu:Id="id-28" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <ServiceUserMUID>011210</ServiceUserMUID>
      </idp:IDP>
      <ebs:EBS wsu:Id="id-27" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <SoftwareConformanceKey>b832708a-52a7-45bc-a221-7930267617db</SoftwareConformanceKey>
         <AuditId>Your_UniqueAuditID</AuditId>
      </ebs:EBS>
  </soapenv:Header>
   <soapenv:Body wsu:Id="id-29" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <hcv:validate>
         <requests>
           <hcvRequest>
               <healthNumber>1216070563</healthNumber>
               <versionCode>ML</versionCode>
               <feeServiceCodes>A110</feeServiceCodes>                 
               </hcvRequest>  
           </requests>
         <locale>en</locale>
      </hcv:validate>
   </soapenv:Body>
</soapenv:Envelope>

How do we implement this using Node.js? I have read through SOAP WS-Security, but I have no clue how to achieve this in Node.js.

Balu M

1 Answer


Installing the certificate doesn't help, as it simply saves the cert into the trusted store of your OS, but your Node program doesn't read from it; thus you need the ssl-root-cas module to build a trusted store in memory that your program can read from. For a generic HTTPS request you would use require('ssl-root-cas/latest').inject() to load all the certificates a trusted store would have, but since your endpoint requires specific certs, you will want to add them manually instead:

    var https = require('https');
    var rootCas = require('ssl-root-cas/latest').create(); // in-memory CA store with an addFile() helper
    rootCas.addFile('[physical path to root cert]');
    rootCas.addFile('[physical path to chain cert]');
    rootCas.addFile('[physical path to signing cert]'); // This one you don't need to read its wsdl.
    https.globalAgent.options.ca = rootCas; // used by https requests that go through the global agent
Hin Fan Chan