Lighting it up!

Alrite now that you have the firewood (application auth token) and the firestarter (user auth token) how can we start the fire (get details user’s record).

Well first of all congratulations! most of the hard part is done!! Just a few more nitty gritty tricks though! In order to get the details about a user’s health record, you need to use a method GetPersonInfo.

The XML for GetPersonInfo look like this:

<pre class="html">


<header>GetPersonInfo 1 ASAAADNt1Jwbx85MgH9vkWzAINBxBWQFCtQ+osTzGw/I0Ty27OhKFCXUb83dxI5/M2mtGYymc1gKx6qwsWEtw31ZV/tyscJwmc5dNT2o2nYJcFTf1vfi/L4R5V68ckxFrd48Rz4jhU9Yg6lDhNTymCsJSDiVJCKLqKwcHcr/QSTsytRpVXBK7LpAVBicjC3OPGCEg4XE/UGwM7ZDAXlR4AR+emiHBaPOzSQD9iYMYxAyDBYZPde8N+rDv58zFw9pjDLJJIwvhXOOLahhFvX/n5DqwAb+BpdTlE19x5P/B67kKie/zDtEYWHEXHMhX+KNdvrxdm17l5pwt8JShIGimbXgAcZEFTiPVOW77mCgDxpc0U2ykcG7RVqXKTA3Gqt42OZf9aCuzq/J0wHOTLQvdx1ZYVOxo7+1TpMaW+13Fz5/jgOHR7hJZ/DPUIcKfCYdHS7phQ3r60nOReUl2qeq7rDvDmGQBWPjcCrT7CuQRSgZlyUpAav4DiFJtKh9U5DbJ5VW80dUAqcxamulklTxSR75Sb6v0X4T8B2zbfmVl+HtcupUIuz66Q== ASAAAE57vlXwS8VDupO6/FSWlMZR+OL02JQyhWvlesegc/J6f7XGgJq4xRW1WIWc7ZXufY9U1cAFeQMDF9pAvmNG1/1KGlp7FFFBdrUMk7gJLPpdTYkQeDMdp8UXcXNht+U6hJzpI7plchQKvpBMFeBj1XMOC15fLXRyfRFpD3RaIF66awgUVw== en US 2008-06-01T02:44:16.73Z 1800 0.9.1712.2902 1mWxpY+leClypXQzPvDBLFIBDpI=</header>

So now do we go about concoting the seemingly complicated xml above. Well we already have the token and wctoken from our previous CreateAuthenticatedSession and Shell -redirect. Use the token for the auth-token in line 9 and the wctoken as user-token in line 10.

Most of the elements in the header section are straight forward. The one to comment about is hash-data (line 18). The hash in this case is SHA-1 hash of the info section. Matter of fact our info section is empty so that make sure that the SHA-1 hash is done right. In ruby i do it the following way (using OpenSSL):

def self.doSha1(text)

Now the interesting part – whats this auth on line 2? Well auth is a HMAC of header (line 5-20) section. Remember we generated the shared secret in CreateAutheticatedSession method? Now use that secret to do a HMAC digest for the header. In ruby i do it the following way:

def self.doHmac(secret, payload)
    key = Base64.decode64(secret)
    hashmac = OpenSSL::HMAC.digest(, key, payload)

secret is the shared secret used for createauthenticationtoken.

Now the fun part,caveats:

  • Don’t leave any white spaces between you xml tags. HealthVault behaves weird sometime when their is white space.
  • If you are getting an error saying code 3 (which implied invalid xml) and you are sure that your xml is correct, then most likely your auth section or your hash-data section are not proper. Which in turn implies that your HMAC-ing or SHA-1 hashing is a little off. The best way to actually resolve this is to first write tiny parts which make sure that the HMAC /SHA-1 is same for a known successfully call. You can get the xml for such a call from HealthVault SDK, the process is described here. However for ease of testing i’m appending know good calls below.

PLEASE NOTE: Remove all the white-space between tags before testing your crypto functions to match the result seen here. I have put the white space for readability.

CreateAuthenticatedSessionToken (for SharedSecret)

<header>CreateAuthenticatedSessionToken 1 05a059c9-c309-46af-9b86-b06d42510550 en US 2008-06-01T02:44:16.21Z 1800 0.9.1712.2902</header>05a059c9-c309-46af-9b86-b06d42510550 b2uCbONZDGj8jDYhz3e5PcJfugPQTHOsOvpZ6kA9uG5XzQXV+EHtXtTDAbwHbFyNozC1uR7uZwgi44pfgw4NyQp8LO2PwI9E7pOx/Ho7+6siY41sjI5+frhq2fcj8iljpG8EK07WGDuf4JeFg5yc8IWjHHtUwabpdPVJWYLi18+Gk7AaFfCuM1iQwFbBSWWMyckCe3V48JaCZcNVcS/XuJJovFdsM9QnZ1CwrQaaBB/evf1u1YGM3fXpVeCjVWPXpHiu3WWVVsJ5aURtCzGvXJe9R7Gh10sYDSG6wC/CJvcBSJlRCpacA1qds2gcMCBwO+iDCPY3I15+FbM0E9D+Qw== 05a059c9-c309-46af-9b86-b06d42510550 RXziN4RDYIu89cu+cOp4POLhKUCSUb0sPsV9yaz8m6BfJxjpDNUBRUF5MU3OJMJ7DH0FPXg8HFuahbvSz1HxG1Q6MlahpHAmUkXNBJ0zcrKvcH3+NiS3qD26FkpLXsvzjNv/QSxwqRMpYnDhY11RkUkOvz2M2Ybg9H5aEe7RpfYCYwEAudpj05J2KEFMP2WO1Q6Kz8hjIhf2QdswgzvLueUQ2ajG8Al9DvpGWLKl4dGNqnY1/FUnJOZq/nPivTYHYOcH/qpC5euWIt7bU6hXRehAIC9IYTbHG32jLBoIxhM79Wtj2sRdn4j3SBk/QVqQNXyPrAgFIzmtR7CSaN393A==

Successful GetPersonInfo using the above SharedSecret:

<header>GetPersonInfo 1 ASAAADNt1Jwbx85MgH9vkWzAINBxBWQFCtQ+osTzGw/I0Ty27OhKFCXUb83dxI5/M2mtGYymc1gKx6qwsWEtw31ZV/tyscJwmc5dNT2o2nYJcFTf1vfi/L4R5V68ckxFrd48Rz4jhU9Yg6lDhNTymCsJSDiVJCKLqKwcHcr/QSTsytRpVXBK7LpAVBicjC3OPGCEg4XE/UGwM7ZDAXlR4AR+emiHBaPOzSQD9iYMYxAyDBYZPde8N+rDv58zFw9pjDLJJIwvhXOOLahhFvX/n5DqwAb+BpdTlE19x5P/B67kKie/zDtEYWHEXHMhX+KNdvrxdm17l5pwt8JShIGimbXgAcZEFTiPVOW77mCgDxpc0U2ykcG7RVqXKTA3Gqt42OZf9aCuzq/J0wHOTLQvdx1ZYVOxo7+1TpMaW+13Fz5/jgOHR7hJZ/DPUIcKfCYdHS7phQ3r60nOReUl2qeq7rDvDmGQBWPjcCrT7CuQRSgZlyUpAav4DiFJtKh9U5DbJ5VW80dUAqcxamulklTxSR75Sb6v0X4T8B2zbfmVl+HtcupUIuz66Q== ASAAAE57vlXwS8VDupO6/FSWlMZR+OL02JQyhWvlesegc/J6f7XGgJq4xRW1WIWc7ZXufY9U1cAFeQMDF9pAvmNG1/1KGlp7FFFBdrUMk7gJLPpdTYkQeDMdp8UXcXNht+U6hJzpI7plchQKvpBMFeBj1XMOC15fLXRyfRFpD3RaIF66awgUVw== enUS2008-06-01T02:44:16.73Z 18000.9.1712.29021mWxpY+leClypXQzPvDBLFIBDpI=</header>

Sweet!!! you wanna check out th lighted application? Well its live… (Please Note: it will prompt you yo sign in with HealthVault id, its still rough around edges and doesn’t deal with corner cases).

So lets see your LAMPR application lighted up soon..

Next time: How to do offline access and use PutThings

5 thoughts on “Lighting it up!

  1. hi, what URL do you send your xml request to?

    I send your xml to

    but it shows me an “500” error message:

    Runtime Error

    body {font-family:”Verdana”;font-weight:normal;font-size: .7em;color:black;}
    p {font-family:”Verdana”;font-weight:normal;color:black;margin-top: -5px}
    b {font-family:”Verdana”;font-weight:bold;color:black;margin-top: -5px}
    H1 { font-family:”Verdana”;font-weight:normal;font-size:18pt;color:red }
    H2 { font-family:”Verdana”;font-weight:normal;font-size:14pt;color:maroon }
    pre {font-family:”Lucida Console”;font-size: .9em}
    .marker {font-weight: bold; color: black;text-decoration: none;}
    .version {color: gray;}
    .error {margin-bottom: 10px;}
    .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }

    Server Error in ‘/platform’ Application.

    Runtime Error

    Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

    Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

    <!-- Web.Config Configuration File -->

    <customErrors mode="Off"/>

    Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application’s <customErrors> configuration tag to point to a custom error page URL.

    <!-- Web.Config Configuration File -->

    <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>



  2. Thanks for your reply, Vaibhavb.

    I figured out the problem. The xml tag name should be in lowercase instead of uppercase.

    It successfully CreateAuthenticatedSessionToken when i send your CreateAuthenticatedSessionToken xml request.

    However, when i send your GetPersonInfo xml request, it responsed, ”
    11Access is denied.”

    Then I changed the auth-token and used the new generated one while everything else remains the same. I send the new GetPersonInfo xml request and it responded:

    7The credential token has expired.

    I suppose the User-Auth-Token has expired. But how do we get the User-Auth-Token?

    Your help will be greatly appreciated.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.