HSBUS Error when sending messages to Registry

An error occurred when HS.IHE.XDSb.Registry.Operations on the BUS sends a query request to the registry. The error is:

Error 6242: HTTP request to SOAP webservice returned unexpected status: 403.

Any thoughts as to why? The settings on the components haven't changed. The process worked a few days ago. 

07/16/2020 14:54:07 *********************
Input to Web service with SOAP action = SOAP1.2
<env:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Header><To xmlns="http://www.w3.org/2005/08/addressing">https://crispapitest.azure-api.net/healthshare/list/</To><ReplyTo xmlns="http://www.w3.org/2005/08/addressing"><Address>http://www.w3.org/2005/08/addressing/anonymous</Address></ReplyTo><FaultTo xmlns="http://www.w3.org/2005/08/addressing"><Address>http://www.w3.org/2005/08/addressing/anonymous</Address></FaultTo><Messa... xmlns="http://www.w3.org/2005/08/addressing">uuid:22feecae-06b1-47e0-8756-c89640b6845f</MessageID><From xmlns="http://www.w3.org/2005/08/addressing"><Address>urn:oid:2.16.840.1.113883.3.651.2.1</Address></From><Action xmlns="http://www.w3.org/2005/08/addressing">urn:ihe:iti:2007:RegistryStoredQuery</Action></env:Header><env:Body><AdhocQueryRequest xmlns="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0" xmlns:ns2="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0" xmlns:ns3="urn:hl7-org:v3" xmlns:ns4="urn:oasis:names:tc:ebxml-regrep:xsd:rs:3.0" xmlns:ns5="urn:oasis:names:tc:ebxml-regrep:xsd:lcm:3.0"><ResponseOption returnComposedObjects="true" returnType="LeafClass"></ResponseOption><ns2:AdhocQuery id="urn:uuid:14d4debf-8f97-4251-9a74-a90016b0af0d"><ns2:Slot name="$XDSDocumentEntryPatientId"><ns2:ValueList><ns2:Value>'80157245^^^&amp;1.3.6.1.4.1.21367.2010.1.2.300&amp;ISO'</ns2:Value></ns2:ValueList></ns2:Slot><ns2:Slot name="$XDSDocumentEntryStatus"><ns2:ValueList><ns2:Value>('urn:oasis:names:tc:ebxml-regrep:StatusType:Approved')</ns2:Value></ns2:ValueList></ns2:Slot><ns2:Slot name="$XDSDocumentEntryClassCode"><ns2:ValueList><ns2:Value>('34133-9^^2.16.840.1.113883.6.1','11506-3^^2.16.840.1.113883.6.1')</ns2:Value></ns2:ValueList></ns2:Slot></ns2:AdhocQuery></AdhocQueryRequest></env:Body></env:Envelope>
---------------
Validate Security header: action=SOAP1.2
Security SSL message

---------------
Prepare Security header for output: SOAP class=%SOAP.WebRequest, method=

07/16/2020 14:54:07 *********************
Output from Web client with SOAP action = urn:ihe:iti:2007:RegistryStoredQuery
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://www.w3.org/2003/05/soap-envelope' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:s='http://www.w3.org/2001/XMLSchema' xmlns:wsa='http://www.w3.org/2005/08/addressing' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex...' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utili...'>
  <SOAP-ENV:Header>
<wsa:Action SOAP-ENV:mustUnderstand="true">urn:ihe:iti:2007:RegistryStoredQuery</wsa:Action><wsa:From><wsa:Address>https://THSAPP1:57772/csp/healthshare/hsbus/HS.IHE.XDSb.Registry.Operations.cls</wsa:Address></wsa:From><wsa:MessageID>urn:uuid:E148C2D8-45A7-43BA-99D9-CFDAD1D7C5CF</wsa:MessageID><wsa:ReplyTo SOAP-ENV:mustUnderstand="true"><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyT... xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex..."><UsernameToken><Username>HS_Services</Username><Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-p...">D1vS~#_|(B</Password></UsernameToken></Security>  </SOAP-ENV:Header>
  <SOAP-ENV:Body><AdhocQueryRequest xmlns="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"><ResponseOption returnComposedObjects="true" returnType="LeafClass"/><ns2:AdhocQuery xmlns="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0" xmlns:ns2="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0" id="urn:uuid:14d4debf-8f97-4251-9a74-a90016b0af0d"><ns2:Slot name="$XDSDocumentEntryPatientId"><ns2:ValueList><ns2:Value>'80157245^^^&amp;1.3.6.1.4.1.21367.2010.1.2.300&amp;ISO'</ns2:Value></ns2:ValueList></ns2:Slot><ns2:Slot name="$XDSDocumentEntryStatus"><ns2:ValueList><ns2:Value>('urn:oasis:names:tc:ebxml-regrep:StatusType:Approved')</ns2:Value></ns2:ValueList></ns2:Slot><ns2:Slot name="$XDSDocumentEntryClassCode"><ns2:ValueList><ns2:Value>('34133-9^^2.16.840.1.113883.6.1','11506-3^^2.16.840.1.113883.6.1')</ns2:Value></ns2:ValueList></ns2:Slot></ns2:AdhocQuery></AdhocQueryRequest></SOAP-ENV:Body>
</SOAP-ENV:Envelope>

07/16/2020 14:54:07 *********************
Input to Web client with SOAP action = urn:ihe:iti:2007:RegistryStoredQuery

ERROR #6242: HTTP request to SOAP WebService returned unexpected status: 403.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<title>IIS 10.0 Detailed Error - 403.16 - Forbidden</title> 
</head> 
<body> 
<div id="content"> 
<div class="content-container"> 
  <h3>HTTP Error 403.16 - Forbidden</h3> 
  <h4>Your client certificate is either not trusted or is invalid.</h4> 
</div> 
<div class="content-container"> 
 <fieldset><h4>Most likely causes:</h4> 
  <ul>     <li>The client certificate used for this request is not trusted by the Web server.</li> </ul> 
 </fieldset> 
</div> 
<div class="content-container"> 
 <fieldset><h4>Things you can try:</h4> 
  <ul>     <li>The client may have an old certificate selected for client authentication to this Web site. Close all open client windows, open a new browser window, and then select a valid certificate for client authentication.</li>     <li>Verify that the client certificate is trusted by the Web server.</li>     <li>Verify that the root certificate is properly installed and trusted on the Web server.</li>     <li>Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click <a href="http://go.microsoft.com/fwlink/?LinkID=66439">here</a>. </li> </ul> 
 </fieldset> 
</div> 
 
<div class="content-container"> 
 <fieldset><h4>Detailed Error Information:</h4> 
  <div id="details-left"> 
   <table border="0" cellpadding="0" cellspacing="0"> 
    <tr class="alt"><th>Module</th><td>&nbsp;&nbsp;&nbsp;IIS Web Core</td></tr> 
    <tr><th>Notification</th><td>&nbsp;&nbsp;&nbsp;BeginRequest</td></tr> 
    <tr class="alt"><th>Handler</th><td>&nbsp;&nbsp;&nbsp;CSPGateway_*.cls</td></tr> 
    <tr><th>Error Code</th><td>&nbsp;&nbsp;&nbsp;0x800b0109</td></tr> 
     
   </table> 
  </div> 
  <div id="details-right"> 
   <table border="0" cellpadding="0" cellspacing="0"> 
    <tr class="alt"><th>Requested URL</th><td>&nbsp;&nbsp;&nbsp;https://thsapp1.test.local:443/csp/healthshare/hsregistry/services/HS.IH... 
    <tr><th>Physical Path</th><td>&nbsp;&nbsp;&nbsp;C:\InterSystems\CSPGateway\healthshare\hsregistry\services\HS.IHE.XDSb.Registry.Services.cls</td></tr> 
    <tr class="alt"><th>Logon Method</th><td>&nbsp;&nbsp;&nbsp;Not yet determined</td></tr> 
    <tr><th>Logon User</th><td>&nbsp;&nbsp;&nbsp;Not yet determined</td></tr> 
     
   </table> 
   <div class="clear"></div> 
  </div> 
 </fieldset> 
</div> 
 
<div class="content-container"> 
 <fieldset><h4>More Information:</h4> 
  A Secure Sockets Layer (SSL) client certificate identifies you as a valid user of the resource. This error can occur if you choose a client certificate created by a Certificate Authority (CA) that is not trusted by the Web server. 
  <p><a href="http://go.microsoft.com/fwlink/?LinkID=62293&amp;IIS70Error=403,16,0x800...">View more information &raquo;</a></p> 
   
 </fieldset> 
</div> 
</div> 
</body> 
</html>

Replies

Looks like the certificate expired.

This is in the above text - "Your client certificate is either not trusted or is invalid."

Or someone enabled check client certificate and didn't realize the implications.

I agree. It looks like you are exchanging messages between servers on Port 443, and for this to work, you have SSL Configurations created on each server that communicates with the Hub server (HSREGISTRY). Typically, the "Server certificate verification" setting on these configurations should be set to "None". If it is set to "Require" it will likely cause your IIS Server on HSREGISTRY to reject the message.

Alternatively, you may want to check your IIS configuration on HSREGISTRY - does IIS require Client Certificate verification? 

It could be that you do use certs in between your HealthShare servers. In this case, Aaron is correct and your cert has likely expired. You will then have to replace it on both HSREGISTRY (in your IIS Trust Store Configuration) and on HSBUS (create a file with the new cert and point your SSL Config to that file).
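
Added example, not part of the original thread and not InterSystems or IIS code: a Python triage helper that pulls the IIS sub-status and the Windows error code out of a SOAP log like the one in the question and names the certificate-validation failure they indicate. The names `triage`, `SAMPLE`, `IIS_SUBSTATUS` and `HRESULTS` are assumptions made for illustration; the sample lines are copied from the posted log.

```python
import re

# IIS 403 sub-statuses that concern client certificates (Microsoft-documented).
IIS_SUBSTATUS = {
    "403.7": "client certificate required but none was sent",
    "403.13": "client certificate revoked",
    "403.16": "client certificate untrusted or invalid",
    "403.17": "client certificate expired or not yet valid",
}
# Windows chain-validation HRESULTs (winerror.h) and the first thing to check.
HRESULTS = {
    0x800B0101: ("CERT_E_EXPIRED", "validity dates of each certificate in the chain"),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT", "issuing root in the web server's trusted root store"),
    0x800B010A: ("CERT_E_CHAINING", "intermediate CA certificates available to the server"),
    0x800B0110: ("CERT_E_WRONG_USAGE", "Client Authentication in the enhanced key usage"),
    0x80092010: ("CRYPT_E_REVOKED", "revocation status at the issuing CA"),
    0x80092013: ("CRYPT_E_REVOCATION_OFFLINE", "CRL/OCSP reachability from the server"),
}
CELL = r"</th><td>(?:&nbsp;|\s)*"  # IIS pads its detail-table cells with &nbsp;

# Excerpt copied from the log in the question (only the lines the parser needs).
SAMPLE = """ERROR #6242: HTTP request to SOAP WebService returned unexpected status: 403.
  <h3>HTTP Error 403.16 - Forbidden</h3>
    <tr class="alt"><th>Handler</th><td>&nbsp;&nbsp;&nbsp;CSPGateway_*.cls</td></tr>
    <tr><th>Error Code</th><td>&nbsp;&nbsp;&nbsp;0x800b0109</td></tr>
"""

def triage(log_text):
    """Pull the IIS sub-status and HRESULT out of a SOAP log and name the failure."""
    sub = re.search(r"HTTP Error (403\.\d+)", log_text)
    code = re.search(r"Error Code" + CELL + r"(0x[0-9a-fA-F]{8})", log_text)
    handler = re.search(r"Handler" + CELL + r"([^<]+)", log_text)
    substatus = sub.group(1) if sub else None
    hresult = int(code.group(1), 16) if code else None
    name, check = HRESULTS.get(hresult, (None, None))
    return {
        "substatus": substatus,
        "meaning": IIS_SUBSTATUS.get(substatus),
        "hresult": hresult,
        "name": name,
        "check": check,
        "handler": handler.group(1).strip() if handler else None,
        # Expiry is signalled by 403.17 or CERT_E_EXPIRED, not by 403.16 alone.
        "points_to_expiry": substatus == "403.17" or name == "CERT_E_EXPIRED",
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the log in the question this reports `CERT_E_UNTRUSTEDROOT` rather than `CERT_E_EXPIRED`, so the trusted root store on the IIS host is the first place to look.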