[OUTGOING-SBDH-116] AS4 Error: PEPPOL:NOT_SERVICED

[waseempact]

Description

BD Submission
Transaction (with instance identifier 9b3ad57c-02ce-43c0-9eca-6c79169bf3db) to testing AP was rejected, with reason; SMP lookup was successful, but message transmission failed.

Error description: [OUTGOING-SBDH-116] Failed to send Peppol message via AS4: AS4_ERROR_MESSAGE_RECEIVED.

Error description value 1: [OUTGOING-SBDH-116] AS4 Error: PEPPOL:NOT_SERVICED

22:54:43.390 [https-jsse-nio-0.0.0.0-443-exec-9] INFO o.a.cxf.services.As4Provider.REQ_IN - REQ_IN
Address: https://revenu.pactsoft.online/oxalis/as4
HttpMethod: POST
Content-Type: multipart/related; boundary="----=_Part_232_1075067645.1768330480467"; type="application/soap+xml"
ExchangeId: 00c72a72-9a0d-4888-98e6-202158452aa7
ServiceName: As4ProviderService
PortName: As4ProviderPort
PortTypeName: As4Provider
Headers: {date=Tue, 13 Jan 2026 18:54:40 +0000 (UTC), mime-version=1.0, host=revenu.pactsoft.online, message-id=1686958714.233.1768330480467@ip-10-10-208-25.eu-west-1.compute.internal, connection=keep-alive, content-type=multipart/related; boundary="----=_Part_232_1075067645.1768330480467"; type="application/soap+xml", Content-Length=15801, accept-encoding=gzip, x-gzip, deflate, user-agent=phase4/4.1.1 https://github.com/phax/phase4}

22:54:43.392 [https-jsse-nio-0.0.0.0-443-exec-9] WARN o.a.cxf.phase.PhaseInterceptorChain - Interceptor for {http://inbound.as4.ng.oxalis.network/}As4ProviderService has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:245)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:382)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:213)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:125)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:78)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.transport.MultipleEndpointObserver.onMessage(MultipleEndpointObserver.java:98)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:233)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:207)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:159)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:224)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:303)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:216)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:590)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:278)
at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:293)
at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:283)
at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:184)
at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:89)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
at network.oxalis.ng.inbound.tracing.DefaultOpenTelemetryTracingFilter.doFilter(DefaultOpenTelemetryTracingFilter.java:25)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
at network.oxalis.ng.dist.war.WarGuiceFilter.doFilter(WarGuiceFilter.java:21)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:165)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:88)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:113)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:83)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:654)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:72)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1774)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:973)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:491)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: javax.xml.crypto.dsig.TransformException: javax.security.auth.callback.UnsupportedCallbackException: Unsupported callback
at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:408)
at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:326)
... 43 common frames omitted
Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: javax.security.auth.callback.UnsupportedCallbackException: Unsupported callback
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:575)
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:412)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:293)
at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:381)
... 46 common frames omitted
Caused by: javax.xml.crypto.dsig.TransformException: javax.security.auth.callback.UnsupportedCallbackException: Unsupported callback
at org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.attachmentRequestCallback(AttachmentContentSignatureTransform.java:136)
at org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.transform(AttachmentContentSignatureTransform.java:119)
at org.apache.jcp.xml.dsig.internal.dom.DOMTransform.transform(DOMTransform.java:170)
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:485)
... 49 common frames omitted
Caused by: javax.security.auth.callback.UnsupportedCallbackException: Unsupported callback
at org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler.handle(AttachmentCallbackHandler.java:126)
at org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.attachmentRequestCallback(AttachmentContentSignatureTransform.java:134)
... 52 common frames omitted
22:54:43.581 [https-jsse-nio-0.0.0.0-443-exec-9] INFO o.a.c.b.s.i.Soap12FaultOutInterceptor - class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
22:54:43.608 [https-jsse-nio-0.0.0.0-443-exec-9] INFO n.o.ng.as4.inbound.As4FaultInHandler - handleFault for Exception
org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:245)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:382)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:213)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:125)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:78)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.transport.MultipleEndpointObserver.onMessage(MultipleEndpointObserver.java:98)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:233)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:207)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:159)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:224)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:303)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:216)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:590)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:278)
at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:293)
at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:283)
at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:184)
at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:89)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
at network.oxalis.ng.inbound.tracing.DefaultOpenTelemetryTracingFilter.doFilter(DefaultOpenTelemetryTracingFilter.java:25)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
at network.oxalis.ng.dist.war.WarGuiceFilter.doFilter(WarGuiceFilter.java:21)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:165)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:88)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:113)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:83)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:654)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:72)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1774)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:973)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:491)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: javax.xml.crypto.dsig.TransformException: javax.security.auth.callback.UnsupportedCallbackException: Unsupported callback
at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:408)
at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:326)
... 43 common frames omitted
Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: javax.security.auth.callback.UnsupportedCallbackException: Unsupported callback
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:575)
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:412)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:293)
at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:381)
... 46 common frames omitted
Caused by: javax.xml.crypto.dsig.TransformException: javax.security.auth.callback.UnsupportedCallbackException: Unsupported callback
at org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.attachmentRequestCallback(AttachmentContentSignatureTransform.java:136)
at org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.transform(AttachmentContentSignatureTransform.java:119)
at org.apache.jcp.xml.dsig.internal.dom.DOMTransform.transform(DOMTransform.java:170)
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:485)
... 49 common frames omitted
Caused by: javax.security.auth.callback.UnsupportedCallbackException: Unsupported callback
at org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler.handle(AttachmentCallbackHandler.java:126)
at org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.attachmentRequestCallback(AttachmentContentSignatureTransform.java:134)
... 52 common frames omitted
22:54:43.663 [https-jsse-nio-0.0.0.0-443-exec-9] INFO o.a.c.services.As4Provider.FAULT_OUT - FAULT_OUT
Content-Type: application/soap+xml
ResponseCode: 200
ExchangeId: 00c72a72-9a0d-4888-98e6-202158452aa7
ServiceName: As4ProviderService
PortName: As4ProviderPort
PortTypeName: As4Provider
Headers: {}
Payload: <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">env:Header<eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/" env:mustUnderstand="true"><eb:SignalMessage xmlns="" xmlns:ns3="http://www.unece.org/cefact/namespaces/StandardBusinessDocumentHeader" xmlns:ns4="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns6="http://www.w3.org/2000/09/xmldsig#" xmlns:ns7="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">eb:MessageInfoeb:Timestamp2026-01-13T18:54:43.618Z</eb:Timestamp>eb:MessageIdc29363db-8992-47fa-b75e-0670fc04da0d@10.0.0.101</eb:MessageId>eb:RefToMessageIde33799f8-be2d-4f04-b570-bdc89aff49fc@phase4.openpeppol.testbed</eb:RefToMessageId></eb:MessageInfo><eb:Error category="Content" errorCode="EBMS:0004" origin="ebms" refToMessageInError="e33799f8-be2d-4f04-b570-bdc89aff49fc@phase4.openpeppol.testbed" severity="failure" shortDescription="Other">eb:ErrorDetailPEPPOL:NOT_SERVICED</eb:ErrorDetail></eb:Error></eb:SignalMessage></eb:Messaging></env:Header>env:Body/</env:Envelope>

Reproduce

PINT AE BILLING TEST SUITE (1.0.2)
PINT-AE Invoice reception through pint:billing-1@ae-1Failed
The testbed will generate an SBD containing a PINT-AE-compliant Invoice and send it to the Access Point that is under test. To successfully pass the test case, the under-test AP must process the received business document and reply with the appropriate MLS message. The transaction will be addressed to receiver 0235:000889 from 9922:OPTBCNTRLP1005. To properly receive the AS4 message that will be sent by the testbed AP, you must register your enrolled participant to your SMP, with the capability of receiving PINT-AE based Invoices through pint:billing-1@ae-1 (document Type ID: peppol-doctype-wildcard::urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice##urn:peppol:pint:billing-1@ae-1*::2.1, Process ID: cenbii-procid-ubl::urn:peppol:bis:billing).

Expected behavior

No response

Oxalis-NG version

latest 1.2.0

JDK version

11

Additional Info

No response

[aaron-kumar]

We have reviewed AS4 fault logs from your AP and the rejection occurs during WS-Security signature verification, specifically while validating signed AS4 attachments.

The root error is:

AttachmentContentSignatureTransform
UnsupportedCallbackException
org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler

This indicates that the receiving AP was unable to resolve the signed attachment content during signature validation. The message is successfully delivered to your endpoint, but fails at the CXF/WSS4J security layer before business or document validation.

Please note:

• The issue is at your AP side typically related to CXF / WSS4J dependency mismatch, or attachment handling being affected by container filters or reverse proxies
• Even when running Oxalis-NG 1.2.0, overridden or older CXF/WSS4J versions can cause this exact callback failure

We recommend verifying:

1. CXF and WSS4J versions are fully aligned with Oxalis-NG 1.2.0 (no overrides/shaded jars)
2. No servlet filters, proxies, or request buffering consuming the multipart stream before WSS4J

Our own test result against Testbed (hint that we successfully received 'PINT-AE Billing/pint:billing-1@ae-1*' message using Oxalis-NG 1.2.0. Note that we are Not sending back MLS intentionally as part of test that's why it is still shown as in running state):