Firewall/Network Issues - URGENT.

Jan 28, 2011 at 7:16 PM

Rob,

We are using Microsoft Java-SDK to connect to Microsoft HealthVault.

The first step in our application is a redirection to https://account.healthvault-ppe.com to authenticate the user in Microsoft HealthVault and authorize access to our application. The redirection from our application to Microsoft HealthVault works fine. The user is able to sign in and authorize HealthVault to provide access to health data in the account. However, when the user clicks on allow access, the redirection back to our application does not return the user to my application.

We think it is a firewall issue and we need to open inbound ports to https://account.healthvault-ppe.com. However according to the documentation in the How To Guides, it says no inbound ports need to be opened. Look here for more details http://msdn.microsoft.com/en-us/healthvault/cc464967

Have others faced the same issue before? If so, how was it solved? I would really appreciate a quick response on this.

Thanks

Shyam

Coordinator
Jan 28, 2011 at 8:47 PM
Edited Jan 28, 2011 at 8:48 PM

Shyam,

What error is displayed in your browser?

Through redirects, the browser always initiates the HTTP traffic. HV will never initiate an HTTP connection back to your application.

If your browser can hit your application in any way, you don't have a firewall problem between your browser and your application. Look at the URLs involved through the handshake--I use Fiddler and find it works great. You should be able to see the one your browser is having issues with.

In the PPE environment, applications can issue an override directive so that the return-to-your-app URL is not the same URL as configured in HealthVault. Are you unintentionally using the override? When using the override, the redirect to Shell will have a query string parameter "...&redirect=http://..." The intent of overriding the configured action-url is to allow developers to redirect locally to their development machines. In the sample apps the redirect override URL is configured as "target.auth.redirect" in the config file. Removing that will allow HealthVault to use the action-url configured for your application.

 

--Rob
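A small check for the situation Rob describes, added here as an example and not code from the thread or the HealthVault SDK: it inspects the Shell redirect URL an application builds, reports whether the "redirect" override is present, and classifies where it points so a callback that was left over from local development (or that points at a host other than the configured action-url) is caught before deployment. The Shell URL shape, the CONFIGURED_ACTION_URL value and the idea that the override may also be nested inside a "targetqs" parameter are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample values (assumptions, not from the thread): the action-url the app
# has registered with HealthVault and the Shell endpoint the browser is sent to.
CONFIGURED_ACTION_URL = "https://app.example.org/hv-action"
SHELL_BASE = "https://account.healthvault-ppe.com/redirect.aspx"


def find_redirect_override(shell_url):
    """Return the value of the 'redirect' override in a Shell redirect URL, or None.

    Rob's reply says the override appears as '...&redirect=http://...'. It is looked for
    at the top level and (assumption) inside a URL-encoded 'targetqs' parameter.
    """
    qs = parse_qs(urlparse(shell_url).query)
    if "redirect" in qs:
        return qs["redirect"][0]
    for nested in qs.get("targetqs", []):
        inner = parse_qs(nested.lstrip("?"))
        if "redirect" in inner:
            return inner["redirect"][0]
    return None


def diagnose_override(shell_url, configured_action_url, environment):
    """Classify the override so a misconfigured callback is visible before go-live.

    environment is 'ppe' or 'prod'; the thread describes the override as a PPE feature.
    """
    override = find_redirect_override(shell_url)
    if override is None:
        return {"override": None, "verdict": "ok-configured-action-url"}
    o, c = urlparse(override), urlparse(configured_action_url)
    if environment != "ppe":
        # A dev-time override that survives into a non-PPE deployment is a misconfiguration.
        return {"override": override, "verdict": "error-override-outside-ppe"}
    if o.hostname in ("localhost", "127.0.0.1"):
        return {"override": override, "verdict": "ok-local-dev-override"}
    if (o.scheme, o.hostname) == (c.scheme, c.hostname):
        return {"override": override, "verdict": "ok-matches-configured-host"}
    # Browser would be sent, with the auth result, to a host that is neither local nor ours.
    return {"override": override, "verdict": "warn-override-to-unexpected-host"}
```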

Jan 31, 2011 at 7:27 PM
Rob,

You were right - it was really no real post back from Microsoft HealthVault and it was just a browser redirecting the user back to my application. I did use the "redirect" parameter - since it is the PPE environment. Thanks for getting back to us immediately.

However, after having control back in my application, when I request a connection to be made to Microsoft HealthVault (using the ConnectionFactory/Connection classes in the HealthVault JDK), I get a Connection timed out error. I am not sure why ... Any ideas? Please let me know when you get a chance. Thanks.

LOGS BELOW ....

[1/28/11 18:45:40:127 EST] 00000023 SystemOut O DEBUG - Connection - <wc-request:request xmlns:wc-request="urn:com.microsoft.wc.request"><header><method>CreateAuthenticatedSessionToken</method><method-version>1</method-version><app-id>77abc0a3-eb48-4150-96de-67882f300904</app-id><language>en</language><country>US</country><msg-time>2011-01-28T18:45:40.127-05:00</msg-time><msg-ttl>180000</msg-ttl><version>0.0.0.1</version></header><info><auth-info><app-id>77abc0a3-eb48-4150-96de-67882f300904</app-id><credential><appserver><sig digestMethod="SHA1" sigMethod="RSA-SHA1" thumbprint="bb61df099fdeb72779386138adac2d06cda50164">iI9BZzQyH2x0S6FVYOkT1mlss/hp3iXNLNNfQB6r4DUJClnpnxtZra1QkR8ghlhefmdH7fklBpSNZhYVOliGVHdc5tWehWPJJgW5hSGN3dkFSdJLyyQ5dhfYeWrwZB7d0u56YiZnExATtH+zPSLwOdUwp3M+ci4D+ZiW8PX72boWXwC5LTqAdknGiVr+PGoNjK3PiBTgFhhLQVkscwNKfrIgq1irwNtg6cnRRhqs6/1p4fzr96yrs4UFnnjAdZWYqllJZblpvPwpNoIXscXhm+nMrlnHULUStfqC8J4Z9UUzm7GlibOlxNv3A4yEY22L62nHQSG0WW+zJTe/3eOKog==</sig><content><app-id>77abc0a3-eb48-4150-96de-67882f300904</app-id><shared-secret><hmac-alg algName="HMACSHA1">5EuSir3DF2+GP5XSFI1puqddgpA=</hmac-alg></shared-secret></content></appserver></credential></auth-info></info></wc-request:request>

[1/28/11 18:48:49:140 EST] 00000023 servlet E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: Uncaught exception created in one of the service methods of the servlet hv-action in application hv. Exception created : com.microsoft.hsg.HVException: com.microsoft.hsg.HVTransportException: java.net.ConnectException: Connection timed out
    at com.microsoft.hsg.ConnectionFactory.getConnection(ConnectionFactory.java:69)
    at com.microsoft.hsg.ConnectionFactory.getConnection(ConnectionFactory.java:80)
    at com.guidewell.pad.prompt.hv.ShellUtils.getSelectedRecordAndPerson(ShellUtils.java:151)
    at com.guidewell.pad.prompt.hv.ShellUtils.loginSuccess(ShellUtils.java:131)
    at com.guidewell.pad.prompt.hv.HVActionHandler.loginSuccess(HVActionHandler.java:192)
    at com.guidewell.pad.prompt.hv.HVActionHandler.OnActionAppAuthSuccess(HVActionHandler.java:91)
    at com.guidewell.pad.prompt.hv.HVActionHandler.handle(HVActionHandler.java:33)
    at com.guidewell.pad.prompt.hv.HealthVaultActionPage.service(HealthVaultActionPage.java:27)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1655)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:937)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:500)
    at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3810)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:276)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:931)
    at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1583)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:183)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:455)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:384)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:272)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture$1.run(AsyncChannelFuture.java:205)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550)
Caused by: com.microsoft.hsg.HVTransportException: java.net.ConnectException: Connection timed out
    at com.microsoft.hsg.URLConnectionTransport.doRequest(URLConnectionTransport.java:60)
    at com.microsoft.hsg.Connection.makeRequest(Connection.java:182)
    at com.microsoft.hsg.Connection.send(Connection.java:143)
    at com.microsoft.hsg.HVAccessor$1.send(HVAccessor.java:91)
    at com.microsoft.hsg.SimpleSendStrategy.doWithSender(SimpleSendStrategy.java:20)
    at com.microsoft.hsg.HVAccessor.send(HVAccessor.java:89)
    at com.microsoft.hsg.ApplicationAuthenticator.authenticate(ApplicationAuthenticator.java:143)
    at com.microsoft.hsg.ApplicationAuthenticator.authenticate(ApplicationAuthenticator.java:130)
    at com.microsoft.hsg.Connection.authenticate(Connection.java:164)
    at com.microsoft.hsg.Connection.authenticate(Connection.java:173)
    at com.microsoft.hsg.ConnectionFactory.getConnection(ConnectionFactory.java:63)
    ... 26 more
Caused by: java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:352)
    at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:214)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:201)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:378)
    at java.net.Socket.connect(Socket.java:537)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:170)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:395)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:530)
    at com.ibm.net.ssl.www2.protocol.https.c.<init>(c.java:91)
    at com.ibm.net.ssl.www2.protocol.https.c.a(c.java:60)
    at com.ibm.net.ssl.www2.protocol.https.d.getNewHttpClient(d.java:2)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:796)
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:60)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:899)
    at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:47)
    at com.microsoft.hsg.URLConnectionTransport.doRequest(URLConnectionTransport.java:39)
    ... 36 more

[1/28/11 18:48:49:143 EST] 00000023 LocalTranCoor E WLTC0017E: Resources rolled back due to setRollbackOnly() being called.

[1/28/11 18:48:49:145 EST] 00000023 webapp E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[hv-action]: com.microsoft.hsg.HVException: com.microsoft.hsg.HVTransportException: java.net.ConnectException: Connection timed out
    (stack trace identical to the SRVE0068E entry above: ConnectionFactory.getConnection -> ... -> URLConnectionTransport.doRequest -> HttpURLConnection.getOutputStream -> Socket.connect, "... 26 more" / "... 36 more")
Coordinator
Jan 31, 2011 at 8:27 PM
Edited Jan 31, 2011 at 10:28 PM

Hi Shyam,

We typically see these errors when outbound traffic needs to use a proxy.  I don't know much about WebSphere but JVMs are configured through the properties:

http://download.oracle.com/javase/1.5.0/docs/guide/net/properties.html

http.proxyHost
http.proxyPort
http.nonProxyHosts
https.proxyHost
https.proxyPort
https.nonProxyHosts

WebSphere may have other knobs.

I've considered adding additional configuration to set the proxy configuration directly but nothing is in place.

 

--Rob
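To see whether a JVM configured with the properties Rob lists would send a given request direct or through the proxy, here is an added example (not code from the thread, the JDK, or WebSphere) that applies those properties the way the Java documentation describes them: '|'-separated nonProxyHosts patterns with '*' wildcards, the documented default nonProxyHosts list, default proxy ports 80/443, and the HTTPS handler sharing http.nonProxyHosts when no https-specific list is set. The property values in JVM_PROPS are constructed; case-insensitive host matching is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the properties from Rob's list (values are assumed, not from the thread).
JVM_PROPS = {
    "https.proxyHost": "proxy.corp.example",
    "https.proxyPort": "3128",
    "https.nonProxyHosts": "localhost|127.*|[::1]|*.corp.example",
    "http.proxyHost": "proxy.corp.example",
    "http.proxyPort": "8080",
}

# Default value the Java docs give for http.nonProxyHosts when the property is unset.
DEFAULT_NON_PROXY_HOSTS = "localhost|127.*|[::1]"


def _pattern_to_regex(pattern):
    # Only '*' is special in a nonProxyHosts pattern; everything else (including '[::1]') is literal.
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def is_non_proxy_host(host, non_proxy_hosts):
    """True if host matches one of the '|'-separated nonProxyHosts patterns (case-insensitive, assumed)."""
    patterns = [p.strip() for p in non_proxy_hosts.split("|") if p.strip()]
    return any(re.fullmatch(_pattern_to_regex(p), host, re.IGNORECASE) for p in patterns)


def route_for(url, props):
    """Return ('direct', None) or ('proxy', 'host:port') for a URL under the given JVM properties."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    host = u.hostname or ""
    proxy_host = props.get(f"{scheme}.proxyHost")
    if not proxy_host:
        return ("direct", None)
    # Java documents http.nonProxyHosts as shared by the HTTPS handler; the thread also lists
    # https.nonProxyHosts, so an https-specific value is honoured first when present.
    non_proxy = (props.get(f"{scheme}.nonProxyHosts")
                 or props.get("http.nonProxyHosts")
                 or DEFAULT_NON_PROXY_HOSTS)
    if is_non_proxy_host(host, non_proxy):
        return ("direct", None)
    port = props.get(f"{scheme}.proxyPort", "80" if scheme == "http" else "443")
    return ("proxy", f"{proxy_host}:{port}")
```

A "Connection timed out" from the platform host while route_for reports "direct" points at the proxy not being configured for that scheme; the same error with "proxy" reported points at the proxy itself.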

Jan 31, 2011 at 10:08 PM
Rob,

The firewall team had to add a route on the internet switch that routes traffic sourced from the HealthVault site and destined to the application servers to the right firewall. This resolved the "connection timed out" error, but resulted in an SSL handshake exception. I think this is because of the NetScaler/proxy server that is being used between the application server and the HealthVault platform. I have requested the installation of the SSL certificate from MS HV on the proxy server and/or NetScaler as necessary. I will keep you posted as I know more.

Meanwhile, did you get a chance to look at my other question in the discussions, the one on "retrieving modified data - since last change"? I would really appreciate your input. Thanks for getting back to me quickly.

Shyam
Feb 2, 2011 at 5:00 PM
Rob,

Sorry to bug you again. Our firewall team opened up the ports to platform.healthvault-ppe.com for our developer environments. We did not open the ports to the other certificate servers specified by Microsoft in your documentation here ... http://msdn.microsoft.com/en-us/healthvault/cc464967

When I try to open a connection to platform.healthvault-ppe.com, I get the following error in the log files:

CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=platform.healthvault-ppe.com" was sent from target host:port "platform.healthvault-ppe.com:443". The signer may need to be added to local trust store "/prod/wesadm/wes/was7/base/profiles/wcs-unita-71_01/config/cells/wcs-unit01-01/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: invalid certificate, key identifier is missing from authority key identifier extension".

I have installed the gte.crt certificate generated from cacerts (from Sun JDK 1.6.22) on to the DefaultNodeTrustStore in WebSphere Application Server. Am I missing something else here? Do we need the ports to the Microsoft certificate servers to be opened as well (I don't make an explicit call to the certificate servers)? Please let me know when you get a chance.

Thanks
Shyam
Feb 3, 2011 at 5:26 PM
Update ... We had to install the certificate on the Deployment Manager node (as opposed to the individual WAS server instance's NodeDefaultTrustStore). This worked for us. Thanks for your help.

Shyam