PPE Trust Anchor RRS feed

  • Question

  • Hi,

    I am using Direct RI (Java) for direct messaging. To establish connectivity with the HealthVault PPE environment, I added my trust anchor to the Blue Button Provider-Test bundle and imported the HealthVault PPE trust anchor (downloaded from https://apps.healthvault-ppe.com/messagecenter/certs/certs.zip) to my anchor store. HealthVault PPE successfully picked up my anchor from the Provider-Test bundle such that any attempt to send messages from HealthVault to my RI results in the "Your message was successfully sent to javed_aleem@direct.chesterhealth.com" success message. However, when the message reaches my server, it is rejected by my RI with the error "Trust anchor for certification path not found" (I get a similar error when sending messages to PPE as well). It seems that the RI is not able to find the PPE trust anchor, even though I have imported the PPE trust anchor in the same place where trust anchors from DCDT, TTT and a couple of other HISPs have been imported, and they are all working correctly. Am I missing some step, or do I need to import some other PPE root certificate to make it work? Below is an excerpt of the log that is generated when I receive a message sent through HealthVault PPE.


    INFO: [DIRECT AUDIT EVENT]
            EVENT ID: 002ecc2f-3954-4ea4-821e-b91422d4f8e6
            EVENT PRINCIPAL: STAgent@unicharts
            EVENT CATEGORY: Incoming Direct Message
            EVENT MESSAGE: SMTP Direct Message Processing
            EVENT CONTEXTS
                    message-id:<BLUHSSVMSMTP101FRaq00000036@direct.healthvault-ppe.com>
                    from:javed.aleem9174@direct.healthvault-ppe.com
                    to:<javed_aleem@direct.chesterhealth.com>
    Nov 29, 2014 4:19:15 PM org.nhindirect.stagent.cert.impl.CRLRevocationManager isRevoked
    WARNING: Cannot find a CRL for certificate.
            DN: E=direct.chesterhealth.com,CN=direct.chesterhealth.com,C=US,ST=VA,L=Clinic,O=UnisonCare
            Serial Number: 64db9e62a8f3601e
    Nov 29, 2014 4:19:15 PM org.nhindirect.gateway.smtp.config.cert.impl.ConfigServiceCertificateStore getCertificates
    INFO: getCertificates(String subjectName) - Could not find a ConfigService certificate for subject EMAILADDRESS=ca.direct.healthvault-ppe.com
    Nov 29, 2014 4:19:20 PM org.nhindirect.stagent.cert.impl.DNSCertificateStore getCertificates
    INFO: getCertificates(String subjectName) - Could not find a DNS certificate for subject EMAILADDRESS=ca.direct.healthvault-ppe.com
    Nov 29, 2014 4:19:23 PM org.nhindirect.stagent.cert.impl.LDAPCertificateStore getCertificates
    INFO: getCertificates(String subjectName) - Could not find an LDAP certificate for subject EMAILADDRESS=ca.direct.healthvault-ppe.com
    Nov 29, 2014 4:19:23 PM org.nhindirect.stagent.trust.TrustChainValidator isTrusted
    WARNING: Certificate CN=\00j\00a\00v\00e\00d\00.\00a\00l\00e\00e\00m\009\001\007\004\00@\00d\00i\00r\00e\00c\00t\00.\00h\00e\00a\00l\00t\00h\00v\00a\00u\00l\00t\00-\00p\00p\00e\00.\00c\00o\00m,1.2.840.113549.1.9.1=#162a6a617665642e616c65656d39313734406469726563742e6865616c74687661756c742d7070652e636f6d is not trusted.
    java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
            at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
            at ...................

    Nov 29, 2014 4:19:23 PM org.nhindirect.stagent.trust.TrustModel enforce
    WARNING: enforce(IncomingMessage message) - could not find a trusted certificate for recipient javed_aleem@direct.chesterhealth.com
    Nov 29, 2014 4:19:23 PM org.nhindirect.stagent.DefaultNHINDAgent processIncoming

    SEVERE: Error processing incoming message: null
    ERROR=NoTrustedRecipients

            at org.nhindirect.stagent.DefaultNHINDAgent.processMessage(DefaultNHINDAgent.java:891)
            at ...................

    Can anyone help, please?

    Thanks,

    Javed

    Saturday, November 29, 2014 12:57 PM
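
Added example, not part of the original post and not Direct RI code: a Python log-triage helper that decodes the escaped subject DN from the "is not trusted" warning above (UTF-16 bytes printed as `\00` pairs, plus the hex DER form of the e-mail attribute) and lists which certificate stores were asked for which subject. The function names and the sample lines (copied from the post with the line wraps joined) are assumptions made for this example.

```python
import re

# Constructed input: log lines from the post above, 80-column wraps joined.
SAMPLE_LOG = r"""
INFO: getCertificates(String subjectName) - Could not find a ConfigService certificate for subject EMAILADDRESS=ca.direct.healthvault-ppe.com
INFO: getCertificates(String subjectName) - Could not find a DNS certificate for subject EMAILADDRESS=ca.direct.healthvault-ppe.com
INFO: getCertificates(String subjectName) - Could not find an LDAP certificate for subject EMAILADDRESS=ca.direct.healthvault-ppe.com
WARNING: Certificate CN=\00j\00a\00v\00e\00d\00.\00a\00l\00e\00e\00m\009\001\007\004\00@\00d\00i\00r\00e\00c\00t\00.\00h\00e\00a\00l\00t\00h\00v\00a\00u\00l\00t\00-\00p\00p\00e\00.\00c\00o\00m,1.2.840.113549.1.9.1=#162a6a617665642e616c65656d39313734406469726563742e6865616c74687661756c742d7070652e636f6d is not trusted.
"""

OIDS = {"1.2.840.113549.1.9.1": "emailAddress"}  # PKCS#9 e-mail attribute
HEXPAIR = re.compile(r"\\([0-9A-Fa-f]{2})")       # one escaped byte, e.g. \00
MISS = re.compile(r"Could not find an? (\w+) certificate for subject (\S+)")
UNTRUSTED = re.compile(r"WARNING: Certificate (.+) is not trusted\.")

def decode_value(raw):
    """Turn one attribute value, as printed in the log, into readable text."""
    if raw.startswith("#"):                        # hex of the DER encoding
        der = bytes.fromhex(raw[1:])
        tag, length = der[0], der[1]               # short-form length only
        body = der[2:2 + length]
        return body.decode("utf-16-be" if tag == 0x1E else "latin-1")
    data = HEXPAIR.sub(lambda m: chr(int(m.group(1), 16)), raw)
    data = data.encode("latin-1", "replace")
    # A UTF-16 string printed byte by byte has \00 before every character.
    if data and len(data) % 2 == 0 and not any(data[0::2]):
        return data.decode("utf-16-be")
    return data.decode("latin-1")

def decode_dn(dn):
    """Split a DN on unescaped commas and decode each attribute value."""
    out = {}
    for rdn in re.split(r"(?<!\\),", dn):
        name, _, value = rdn.partition("=")
        out[OIDS.get(name.strip(), name.strip())] = decode_value(value)
    return out

def triage(log):
    """Summarise the untrusted certificate and the failed store lookups."""
    misses = MISS.findall(log)
    hit = UNTRUSTED.search(log)
    return {
        "untrusted_cert": decode_dn(hit.group(1)) if hit else None,
        "stores_missed": [store for store, _ in misses],
        "subjects_not_found": sorted({subject for _, subject in misses}),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Comparing `subjects_not_found` with the subject of each certificate imported into the anchor store is a quick check on whether the imported file carries the name the agent went looking for.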

Answers

  • Hi Javed, 

    I can add your trust anchor to the PPE environment for you. Send a request to hvtech@microsoft.com with the trust anchor attached as a .zip file or renamed to .SAFE.

    Thanks

    -Sean

    Monday, December 8, 2014 11:25 AM