Can not execute BargainFinderMaxRQ. "Bad EA owner code" error - sabre

Cannot execute BargainFinderMaxRQ query.
I try to execute a simple flight search, but
I receive this error: DSF server returned an error: Bad EA owner code
My query:
...
<OTA_AirLowFareSearchRQ xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.opentravel.org/OTA/2003/05" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Target="Production" Version="5.2.0" ResponseType="OTA" ResponseVersion="5.2.0">
<POS>
<Source PseudoCityCode="PCC">
<RequestorID ID="1" Type="1">
<CompanyName Code="TN"/>
</RequestorID>
</Source>
</POS>
<OriginDestinationInformation RPH="1">
<DepartureDateTime>2019-11-10T11:00:00</DepartureDateTime>
<OriginLocation LocationCode="MOW"/>
<DestinationLocation LocationCode="LED"/>
</OriginDestinationInformation>
<TravelPreferences ValidInterlineTicket="true">
<CabinPref PreferLevel="Preferred" Cabin="Y"/>
</TravelPreferences>
<TravelerInfoSummary>
<SeatsRequested>1</SeatsRequested>
<AirTravelerAvail>
<PassengerTypeQuantity Code="ADT" Quantity="1"/>
</AirTravelerAvail>
</TravelerInfoSummary>
<TPA_Extensions>
<IntelliSellTransaction>
<RequestType Name="50ITINS"/>
</IntelliSellTransaction>
</TPA_Extensions>
</OTA_AirLowFareSearchRQ>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Errors in the response
<Errors>
<Error Type="SCHEDULES" Code="PROCESS" ShortText="DSF server returned an error: Bad EA owner code 'EXT'"/>
<Error Type="IF2" Code="PROCESS" ShortText="No complete journey can be built in IF2/ADVJR1."/>
<Error Type="WORKERTHREAD" Code="TRANSACTIONID" MessageClass="I" ShortText="4259351061194214838"/>
<Error Type="SERVER" Code="ASECT2LAPC00015.IDM.SGDCPROD.SABRE.COM" MessageClass="I" ShortText="27040"/>
<Error Type="DRE" Code="RULEID" MessageClass="I" ShortText="21728"/>
<Error Type="DEFAULT" Code="RULEID" MessageClass="I" ShortText="25238"/>
<Error Type="SCHEDULES" Code="MSG" MessageClass="I" ShortText="NO FLIGHT SCHEDULES FOR QUALIFIERS USED"/>
<Error Type="ERR" Code="ERR" ShortText="Error during Processing"/>
</Errors>

Please refer to the documentation for the Bargain Finder Max API:-
https://developer.sabre.com/sites/default/files/2020-04/BargainFinderMax_NDC_Guide_2020.pdf
The documentation provided has examples for the same.
In all probability, either your PCC is not enabled to consume BFM or the tier level (50, 100, 200) you specified does not match your BFM agreement.
The solution is as under: -
Ensure your PCC is enabled to consume BFM. Contact your Sabre account manager to validate if your PCC has been configured to consume BFM.
Adjust the BFM tier level to the appropriate one according to your BFM agreement.
Review the qualifiers used on your request to ensure those are not overly-restrictive – Example, requesting non-stop flights in a route where non-stop flights do not operate.

Related

Assign Message Policy does not work on Error responses

In Apigee, the Assign Message Policy only seems to work on successful responses. If the server responds with an error code, say, 403 Forbidden, the policy does not change the response. Is there any other way to modify error responses in Apigee?
This is my policy.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
<DisplayName>Assign Message-1</DisplayName>
<Properties/>
<Remove>
<Headers>
<Header name="Server"/>
</Headers>
</Remove>
<AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
You can modify error responses in Apigee using FaultRules. You can take a look at Apigee's documentation about fault handling.
The reason your AssignMessage policy is not executed is that the error happens before your policy is executed, so the policy is skipped.
You can either move your AssignMessage policy to be executed earlier in the flow or catch the error using fault handling logic and throw the error when you have executed all the desired logic.
When the Success and Error response messages differ,
I usually create two Assign Message policies, one for the Success response and one for the Error response.
Example of Success:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-ReturnSuccessResponse">
<DisplayName>AM-ReturnSuccessResponse</DisplayName>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="response"/>
<Set>
<Payload contentType="application/json" variablePrefix="#" variableSuffix="#">
#resp.responseMessage#
</Payload>
<StatusCode>{resp.httpStatusCode}</StatusCode>
<ReasonPhrase>{resp.reasonPhrase}</ReasonPhrase>
</Set>
</AssignMessage>
Example of Error:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-ReturnErrorResponse">
<DisplayName>AM-ReturnErrorResponse</DisplayName>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="response"/>
<Properties/>
<Set>
<Payload contentType="application/json" variablePrefix="#" variableSuffix="#">
{
"error" : "#resp.error#",
"timeStamp" : "#resp.responseDateTime#"
}
</Payload>
<StatusCode>{resp.httpStatusCode}</StatusCode>
<ReasonPhrase>{resp.reasonPhrase}</ReasonPhrase>
</Set>
</AssignMessage>
And then in your flow you have to set condition for routing the policy like this
<Flow name="test">
<Description/>
<Request/>
<Response>
<Step>
<Name>AM-ReturnSuccessResponse</Name>
<Condition>resp.httpStatusCode == 200</Condition>
</Step>
<Step>
<Name>AM-ReturnErrorResponse</Name>
<Condition>resp.httpStatusCode != "200"</Condition>
</Step>
</Response>
</Flow>
Remark: Because the HTTP status code for success is normally 200, I have set the condition as in the code above. This is only an example; you can design the condition to suit your scenario.

Why there are less itineraries from BargainFinderMax_ADRQ

A few days back I was having an issue with the records from Sabre for alternate days. Now I finally get the records, but there are far fewer of them: when I search a round trip with AD3 for a 7-day duration I get only 49 itineraries, and for a one-way search with AD1 only 9 records from Sabre. Is there something wrong with the XML request?
Below is the XML request:
<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header><m:MessageHeader xmlns:m="http://www.ebxml.org/namespaces/messageHeader">
<m:From>
<m:PartyId type="urn:x12.org:IO5:01">http://deluxholidaysnew.local</m:PartyId>
</m:From>
<m:To>
<m:PartyId type="urn:x12.org:IO5:01">https://sws-crt.cert.havail.sabre.com</m:PartyId>
</m:To>
<m:CPAId>****</m:CPAId>
<m:ConversationId>V1#dXIIccWqTWCaYP1Nil099DvScws2Fuy2ufg1d2Zb#5b8aa3bcbfe2c#http://test.local</m:ConversationId>
<m:Service m:type="OTA">BargainFinderMax_ADRQ</m:Service>
<m:Action>BargainFinderMax_ADRQ</m:Action>
<m:MessageData>
<m:MessageId>968799525452240610</m:MessageId>
<m:Timestamp>2018-09-01T15:35:42Z</m:Timestamp>
<m:TimeToLive>2018-09-01T16:35:42Z</m:TimeToLive>
</m:MessageData>
<m:DuplicateElimination/>
<m:Description>BargainFinderMax_ADRQ</m:Description>
</m:MessageHeader>
<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
<wsse:BinarySecurityToken valueType="String" EncodingType="wsse:Base64Binary">Shared/IDL:IceSess\/SessMgr:1\.0.IDL/Common/!ICESMS\/ACPCRTC!ICESMSLB\/CRT.LB!1535812545543!1815120!65537</wsse:BinarySecurityToken>
</wsse:Security></SOAP-ENV:Header><SOAP-ENV:Body><OTA_AirLowFareSearchRQ xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.opentravel.org/OTA/2003/05" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Target="Production" Version="4.2.0" ResponseType="OTA" ResponseVersion="4.2.0">
<POS>
<Source PseudoCityCode="****">
<RequestorID ID="1" Type="1">
<CompanyName Code="TN" />
</RequestorID>
</Source>
</POS>
<OriginDestinationInformation RPH="1">
<DepartureDateTime>2018-09-08T00:00:00</DepartureDateTime>
<OriginLocation LocationCode="DXB" />
<DestinationLocation LocationCode="KHI" />
<TPA_Extensions>
<DateFlexibility NbrOfDays="3"/>
<SegmentType Code="O" />
</TPA_Extensions>
</OriginDestinationInformation>
<OriginDestinationInformation RPH="2">
<DepartureDateTime>2018-09-15T00:00:00</DepartureDateTime>
<OriginLocation LocationCode="KHI" />
<DestinationLocation LocationCode="DXB" />
<TPA_Extensions>
<DateFlexibility NbrOfDays="3"/>
<SegmentType Code="O" />
</TPA_Extensions>
</OriginDestinationInformation>
<TravelPreferences ValidInterlineTicket="true" >
<CabinPref PreferLevel="Preferred" Cabin="Y" />
<TPA_Extensions>
<TripType Value="Return" />
<LongConnectTime Min="780" Max="1200" Enable="true"/>
<ExcludeCallDirectCarriers Enabled="true"/>
</TPA_Extensions>
</TravelPreferences>
<TravelerInfoSummary>
<SeatsRequested>1</SeatsRequested>
<AirTravelerAvail>
<PassengerTypeQuantity Code="ADT" Quantity="1" />
</AirTravelerAvail>
<PriceRequestInformation CurrencyCode="PKR" >
<TPA_Extensions>
</TPA_Extensions>
</PriceRequestInformation>
</TravelerInfoSummary>
<TPA_Extensions>
<IntelliSellTransaction>
<RequestType Name="AD3"/>
</IntelliSellTransaction>
</TPA_Extensions>
</OTA_AirLowFareSearchRQ></SOAP-ENV:Body></SOAP-ENV:Envelope>
Following the design of BargainFinderMax_ADRQ, in RequestType you can only include the following options:
<!-- Name="AD1" will return itineraries for up to 9 alternate date combinations (+/-1 day for departure and return date). -->
<!-- Name="AD3" will return itineraries for up to 49 alternate date combinations (up to +/-3 days for departure and return date). -->
When you include AD1 it will return 9 options based on a 3x3 matrix, which includes the 3 options for the outbound leg and the 3 options for the inbound leg in all varying combinations. Alternate Dates is meant to provide a hint that there are alternatives: if you choose a different date of travel you may get a lower fare.
Following the same criteria, if you have an AD3 round trip request we will have 7 options for the outbound (3 options for the 3 days before + 1 option for the original date + 3 options for the days after) and 7 options for the inbound. That will make for a total of 49 options based on a 7x7 matrix.
Unfortunately this is one of the limitations of the BFM Alternate Date logic, as it only produces a matrix depending on the day requested (3x3 in AD1 and 7x7 in AD3).

OTA_HotelResRQ direct sell fails with FORMAT ERROR ON OPTIONAL FIELD

I'm making the following sequence of calls to reserve a hotel room using the direct sell request:
HotelPropertyDescriptionRQ
PassengerDetailsRQ
OTA_HotelResRQ
The final response errors with:
FORMAT ERROR ON OPTIONAL FIELD
I'm unable to work out what is causing this error - is it perhaps the RPH of the room is not being correctly added to the PassengerDetailsRQ?
The OTA_HotelResRQ is:
<OTA_HotelResRQ xmlns="http://webservices.sabre.com/sabreXML/2011/10" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ReturnHostCommand="true" TimeStamp="2017-02-13T12:45:24" Version="2.2.0">
<Hotel>
<BasicPropertyInfo RPH="001">
<ConfirmationNumber>PWBA-POW-131c-02</ConfirmationNumber>
</BasicPropertyInfo>
<Guarantee Type="G">
<CC_Info>
<PaymentCard Code="VI" ExpireDate="2018-10" Number="4111111111111111"/>
<PersonName>
<Surname>TEST</Surname>
</PersonName>
</CC_Info>
</Guarantee>
<RoomType NumberOfUnits="1"/>
</Hotel>
</OTA_HotelResRQ>
The HotelPropertyDescriptionRQ:
<HotelPropertyDescriptionRQ Version="2.3.0" xmlns="http://webservices.sabre.com/sabreXML/2011/10">
<AvailRequestSegment>
<GuestCounts Count="1" />
<HotelSearchCriteria>
<Criterion>
<HotelRef HotelCode="0007855" />
</Criterion>
</HotelSearchCriteria>
<TimeSpan End="2016-12-17" Start="2016-12-10"/>
</AvailRequestSegment>
</HotelPropertyDescriptionRQ>
The PassengerDetailsRQ:
<PassengerDetailsRQ xmlns="http://services.sabre.com/sp/pd/v3_3" version="3.3.0" IgnoreOnError="false" HaltOnError="true">
<PostProcessing IgnoreAfter="false" RedisplayReservation="true" UnmaskCreditCard="true">
<EndTransactionRQ>
<EndTransaction Ind="true"></EndTransaction>
<Source ReceivedFrom="PW TESTING"/>
</EndTransactionRQ>
</PostProcessing>
<PreProcessing IgnoreBefore="false">
<UniqueID ID=""/>
</PreProcessing>
<SpecialReqDetails>
<AddRemarkRQ>
<RemarkInfo>
<FOP_Remark>
<CC_Info Suppress="true">
<PaymentCard Code="VI" ExpireDate="2017-12" Number="4444333322221111" SuppressApprovalCode="true"/>
</CC_Info>
</FOP_Remark>
</RemarkInfo>
</AddRemarkRQ>
</SpecialReqDetails>
<TravelItineraryAddInfoRQ>
<AgencyInfo>
<Address>
<AddressLine>XXXXXXXXXXX Ltd</AddressLine>
<CityName>London</CityName>
<CountryCode>GB</CountryCode>
<PostalCode>XXXX XXX</PostalCode>
<StateCountyProv StateCode="LN" />
<StreetNmbr>2 Some Rome</StreetNmbr>
</Address>
</AgencyInfo>
<CustomerInfo>
<ContactNumbers>
<ContactNumber NameNumber="1.1" Phone="817-555-1212" PhoneUseType="H" />
</ContactNumbers>
<PersonName Infant="false" NameNumber="1.1">
<GivenName>Iain</GivenName>
<Surname>TESTING</Surname>
</PersonName>
</CustomerInfo>
</TravelItineraryAddInfoRQ>
</PassengerDetailsRQ>
I believe it is because you are adding a confirmation number to the sell request, which is an optional field when selling passive segments, but it should not be expected when actually requesting the room to the hotel.
<ConfirmationNumber>PWBA-POW-131c-02</ConfirmationNumber>
I would try removing that.
To reserve a hotel room using the direct sell request from Sabre, use the OTA_HotelResRQ request.
Here is one example of the request (I have already used this request and got a response from Sabre):
<?xml version="1.0"?>
<OTA_HotelResRQ Version="2.2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Hotel xmlns="http://webservices.sabre.com/sabreXML/2011/10">
<BasicPropertyInfo RPH="001"/>
<Customer NameNumber="01.01"/>
<Guarantee Type="G">
<CC_Info>
<PaymentCard Number="3782 8224 6310 005" ExpireDate="2021-09" Code="AX"/>
<PersonName>
<Surname>tailor</Surname>
</PersonName>
</CC_Info>
</Guarantee>
<RoomType NumberOfUnits="1"/>
</Hotel>
</OTA_HotelResRQ>

Passenger type mismatch in search request and response

I send 3 adults and 2 children in the search request (action: BargainFinderMax_RQ) and in the response (action: BargainFinderMax_RS) we receive 5 adults.
Sabre returns as info:
CNN NOT APPLICABLE - ADT FARE USED - VERIFY RESTRICTIONS
I would like to ask if there is any parameter supplied that Sabre provides that will let me receive only given passenger type.
Edit: Here is the BargainFinderMaxRQ:
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<OTA_AirLowFareSearchRQ PrimaryLangID="En" Version="1.8.5" ResponseType="OTA" ResponseVersion="1.8.5" xmlns="http://www.opentravel.org/OTA/2003/05">
<OriginDestinationInformation RPH="1">
<DepartureDateTime>2016-08-26T12:00:00</DepartureDateTime>
<DepartureWindow>00002359</DepartureWindow>
<OriginLocation LocationCode="KRR" />
<DestinationLocation LocationCode="DLM" />
</OriginDestinationInformation>
<OriginDestinationInformation RPH="2">
<DepartureDateTime>2016-09-02T12:00:00</DepartureDateTime>
<DepartureWindow>00002359</DepartureWindow>
<OriginLocation LocationCode="DLM" />
<DestinationLocation LocationCode="KRR" />
</OriginDestinationInformation>
<TravelPreferences>
<TPA_Extensions>
<DiversityParameters AdditionalNonStopsNumber="10" />
</TPA_Extensions>
</TravelPreferences>
<TravelerInfoSummary>
<SeatsRequested>5</SeatsRequested>
<AirTravelerAvail>
<PassengerTypeQuantity Code="ADT" Quantity="3" />
<PassengerTypeQuantity Age="8" Code="CNN" Quantity="2" />
</AirTravelerAvail>
</TravelerInfoSummary>
</OTA_AirLowFareSearchRQ>
</s:Body>
You need to use the XOFares element:
<!--"Value" (required) Indicator for whether to return only fares with a passenger type the same as the passenger type specified in the request.-->
<!--Value="true" Returns only fares with a passenger type the same as the passenger type specified in the request.-->
<!--Value="false" (default) Uses standard Bargain Finder Max logic.-->
<XOFares Value="true"/>

WCF client - The EncryptedKey clause was not wrapped with the required encryption token

We need to consume a DataPower webservice running SSL and WS-Security.
I have set up a WCF web service running HTTP and custom username password authentication, to be accessed within our network. This web service is consumed from our Oracle database (Oracle cannot do direct connections with WS-Security).
When our local web service is invoked, it makes the call to the external web service, adding in all the WS-Security headers and certificates.
The external web service requires certificate authentication on Transport, and x509 certificates for signing and encrypting the message.
I have set up a CustomBinding in the client app.config (web service is self-hosted as a windows service) and am able to make a connection to the external web service. The guys that maintain the external web service say they are receiving my messages successfully, processing the data and sending the response.
The problem is when my client tries to process the response, I get a "The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'." error.
With the WCF logging, I can see the message I receive, and see the HTTP OK status.
<?xml version="1.0"?>
<configuration>
<system.web><compilation debug="true" /></system.web>
<system.serviceModel>
<client>
<endpoint address="https://xxx.fff.eee/Service"
behaviorConfiguration="WSSecBehavior" binding="customBinding"
bindingConfiguration="Soap11_Secure" contract="xxx.yyy"
name="ddddddd" />
</client>
<behaviors>
<serviceBehaviors>
<behavior name="TEST_Service_Behavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="Test_Proxy.PasswordValidator, Test_Proxy" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="WSSecBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine"
storeName="TrustedPeople"
x509FindType="FindByThumbprint"
findValue="dfgasdfgsdgsgfds" />
<issuedToken defaultKeyEntropyMode="CombinedEntropy" cacheIssuedTokens="True" />
<serviceCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" />
<scopedCertificates >
<add targetUri="https://xxx.fff.eee/Service"
storeLocation="LocalMachine"
storeName="TrustedPeople" x509FindType="FindByThumbprint" findValue="sdfgsdfgsdfgsfdg" />
</scopedCertificates>
<defaultCertificate storeLocation="LocalMachine"
storeName="TrustedPeople" x509FindType="FindByThumbprint" findValue="sdfgsdfgsdfgsdfgsdfg" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="TEST_Service_Behavior" name="Test_Proxy.TEST_Service">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="soap11Binding"
name="Soap11" bindingName="Soap11" contract="Test_Proxy.ITEST_Service" />
<endpoint address="mex" binding="mexHttpBinding" name="mex" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost:8449/GCOS_WebService/" />
</baseAddresses>
</host>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="soap11Binding" maxBufferPoolSize="2147483647"
maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>
<customBinding>
<binding name="Soap11_Secure">
<textMessageEncoding messageVersion="Soap11" />
<security defaultAlgorithmSuite="Basic128Rsa15" allowSerializedSigningTokenOnReply="False"
enableUnsecuredResponse="false" authenticationMode="MutualCertificate" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
securityHeaderLayout="Strict" requireDerivedKeys="False">
</security>
<httpsTransport maxReceivedMessageSize="5000000" authenticationScheme="Negotiate"
maxBufferSize="5000000" requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
<diagnostics performanceCounters="All" wmiProviderEnabled="True">
<messageLogging
logEntireMessage="True"
logMalformedMessages="True"
logMessagesAtServiceLevel="True"
logMessagesAtTransportLevel="True"
maxMessagesToLog="5000"
maxSizeOfMessageToLog="50000" logKnownPii="True"/>
</diagnostics>
</system.serviceModel>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0" />
</startup>
<system.diagnostics>
<trace autoflush="true"/>
<sharedListeners>
<add name="sharedListener"
type="System.Diagnostics.XmlWriterTraceListener"
initializeData="Test_Service_Proxy.svclog" />
</sharedListeners>
<sources>
<source name="System.ServiceModel" switchValue="Verbose, ActivityTracing" >
<listeners>
<add name="sharedListener" />
</listeners>
</source>
<source name="System.ServiceModel.MessageLogging" switchValue="Verbose" >
<listeners>
<add name="sharedListener" />
</listeners>
</source>
</sources>
</system.diagnostics>
</configuration>
Any help or direction please.
Request sent:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-1717e10e-8265-4ada-9dee-d01782ed03a9-1">
<u:Created>2013-10-27T18:14:45.248Z</u:Created>
<u:Expires>2013-10-27T18:19:45.248Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">5ldE9AdwhGZ/xckWL9rimuji1eY=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>HPG3N2VwCSqS3ImLrKLzodnK/I23oPFk097vp8Iru2ZVmR7EotdnL9tU61C6/b8fUU36ntkDVnsECdp0nYqSSbgu9Hoo6LUIEXVLEySqjcj7M3YNeutHwuY1SK5FKdcfFcTuT7a5drxXHzkpJAEyiW7PAxF4c7BF/iVNYXhgcm0lZDpAct2cGhzdSx6gq+K4SMUVq44Vg6Z89yUVyQsERN3nY++DuJC4yn0Z718fD1+tiNlNXNuX2d1JAP1kh9UO0sYIb06lgg5lXmHAzU2XC5MFcPoK6w0HmKH3cyVThFDfnCMeB//xtVcUS7lgDo81o6YF2sstpH+aLHUemuhQTg==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<c:DerivedKeyToken u:Id="_1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference URI="#_0"/>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>16</c:Length>
<c:Nonce>
<!-- Removed-->
</c:Nonce>
</c:DerivedKeyToken>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_3"/>
</e:ReferenceList>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>eBkrZ4r7IEHLDZANylfLVRCNnrc=</DigestValue>
</Reference>
<Reference URI="#uuid-1717e10e-8265-4ada-9dee-d01782ed03a9-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>EqW8YFzg8XMFLjUNfDlxY6fQR5k=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>CGzogpiUa6jTUmLdd9EiqQdd7VeV3naM59raFqjtjtEf5pPk1a4uwk0ihuzWR7RZTXCa+oieqEE/oEQgEdXzjvDxXUUrmEcIV+be5HSBRw0GPj52Cp55kBHV5hfOCUfsmXcgGQ2mxFNyFQchbKQ20sAGgse+z/GzLnkFnGy/RWQ=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-1bb3eb61-bd9e-42a9-9d0d-81de76cbbe73-3"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_3" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_1"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
Response Received:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">y1cWMPtJ5ta+ZXxOOHKhkAwG5zM=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
<xenc:CipherData xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<xenc:CipherValue>T1TGYnixXqFJcR82RDV9t43jzD6w31zg8uV3Yv84ZG2+wXms2ajayviZ9Ps7+ak4nPVd8uP4u/zYl2jLCpCwEquA2mJ13P6guqcLQt4091ndJAjnBv1EljANCUB7sE4+W6VLZ6zZLhU7kzdH8dF1SUiDS4soSv8/hfWjK3OOrS4=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#body"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsu:Timestamp wsu:Id="Timestamp-3c6a0000-8873-44a3-a1ce-7020c285baed" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2013-10-27T18:14:55Z</wsu:Created>
<wsu:Expires>2013-10-27T18:19:55Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken>
<!-- Removed-->
</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Id-9c1b48c4-0bde-48af-9086-f8ce71eb74dd">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>F3pP+zcm2Iq8GewW/A4GX5kK8aU=</DigestValue>
</Reference>
<Reference URI="#Timestamp-3c6a0000-8873-44a3-a1ce-7020c285baed">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>MiDu5ZphIhMIAb9ISBj1EKOIfOY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>gEjjen88BeWVuTD7t2txOCFXfEOE2g2bvDbWnxS24tSJYpvywl+PEzif5Is/AXTzgmL/McU8/GOgxt8ZKTLe1k3Ux4ZlGCFQiuEyk/1rmEJ1UYt4wn6O0k3PU34HOgCJDjC/0CYjdNFEgG9rwFk6+H8nldCcbI8ZMsM+6OwvECthB5CNgwM3FZcIIZJmTUkEQLEsszw08xaao7kyZCMbs5HBvUr5kNrIiim0pbYO0o5eFF2A59NBfNugo8EYwvC9mkcy8/RJv7aDflxoLxPNgyV7HCFTyt5lwApo1yzOQFVFduGxCyQACBJdR5kevkmfiqBWTYWk6+/YcqaacNXKPg==</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns="">
<wsse:Reference URI="#SecurityToken-1e313a32-f22f-43bf-a2d7-a2a24b98a3ef" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soapenv:Body wsu:Id="Id-9c1b48c4-0bde-48af-9086-f8ce71eb74dd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<xenc:EncryptedData Id="body" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soap:Envelope>
Turns out it was certificate related. Once we got a valid certificate with Digital Signature and Key Encipherment, everything started working.
Don't think my self-signed (self-generated) certificate had all the necessary usages.
@Yaron - Thank you for your help.
I suggest you set up a WCF service with the same setting and verify it is working with the client, and then compare the structure of its response to the failing response.
Assuming they are the same structure (otherwise need to change binding) one option is that the response uses an encryption certificate which is different than the one you used to sign with in the request. Verify that the value inside the response keyInfo is indeed the subjectKeyIdentifier of the certificate you used to sign with.
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">y1cWMPtJ5ta+ZXxOOHKhkAwG5zM=</wsse:KeyIdentifier>
Had a similar issue. Turns out it was due to a generated self-signed certificate without a Subject Key Identifier (SKI). Check this answer:
WCF : The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'
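
The check suggested in the answers above, as an added example that is not part of the original posts: read the KeyIdentifier of each EncryptedKey in the response and compare it with the Subject Key Identifier of the local certificate, including the case where that certificate has no SKI at all. The function names and the trimmed sample envelope are constructed for illustration, and the local SKI is assumed to be supplied as the hex string a certificate viewer displays.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SKI_VALUE_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                  "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")

# Constructed sample: the security header of the response shown above, trimmed
# to the EncryptedKey. The KeyIdentifier value is the one quoted on the page;
# the CipherValue is a placeholder.
SAMPLE_RESPONSE = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security xmlns:wsse="{wsse}">
   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier ValueType="{ski}">y1cWMPtJ5ta+ZXxOOHKhkAwG5zM=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
   </xenc:EncryptedKey>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>
""".format(wsse=NS["wsse"], ski=SKI_VALUE_TYPE)


def parse_ski(text):
    """Convert an SKI printed as hex (optionally with ':' or spaces) to bytes."""
    return bytes.fromhex("".join(c for c in text if c not in ": \t\r\n"))


def encrypted_key_targets(envelope_xml):
    """Return, per xenc:EncryptedKey in the wsse:Security header, the key
    transport algorithm and the key identifier the sender wrapped the key for."""
    root = ET.fromstring(envelope_xml)
    targets = []
    for key in root.iterfind(".//wsse:Security/xenc:EncryptedKey", NS):
        method = key.find("xenc:EncryptionMethod", NS)
        token_ref = key.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
        kid = token_ref.find("wsse:KeyIdentifier", NS) if token_ref is not None else None
        has_value = kid is not None and kid.text and kid.text.strip()
        targets.append({
            "algorithm": method.get("Algorithm") if method is not None else None,
            "value_type": kid.get("ValueType") if kid is not None else None,
            "key_id": base64.b64decode(kid.text.strip()) if has_value else None,
        })
    return targets


def check_response(envelope_xml, local_ski_hex):
    """Compare every EncryptedKey with the local certificate's SKI.

    local_ski_hex is None when the certificate carries no Subject Key
    Identifier extension. Returns a list of (status, detail) tuples.
    """
    targets = encrypted_key_targets(envelope_xml)
    if not targets:
        return [("no-encrypted-key", "response carries no xenc:EncryptedKey")]
    findings = []
    for target in targets:
        if target["value_type"] != SKI_VALUE_TYPE or target["key_id"] is None:
            findings.append(("not-ski-reference",
                             "key is referenced by %s" % target["value_type"]))
        elif local_ski_hex is None:
            findings.append(("local-cert-has-no-ski",
                             "response expects SKI %s" % target["key_id"].hex()))
        elif target["key_id"] == parse_ski(local_ski_hex):
            findings.append(("match", target["key_id"].hex()))
        else:
            findings.append(("mismatch", "response was encrypted for SKI %s"
                             % target["key_id"].hex()))
    return findings


if __name__ == "__main__":
    # SKI of the certificate the response was encrypted for (value from the page).
    page_ski = base64.b64decode("y1cWMPtJ5ta+ZXxOOHKhkAwG5zM=").hex()
    # SKI used in the request's EncryptedKey on the page: a different certificate.
    other_ski = base64.b64decode("5ldE9AdwhGZ/xckWL9rimuji1eY=").hex()
    for label, ski in (("same cert", page_ski), ("other cert", other_ski),
                       ("cert without SKI", None)):
        print(label, check_response(SAMPLE_RESPONSE, ski))
```
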
