Invalid WS Security Header - IRS ACA SOAP Request

Posted 2019-03-12 05:12

Question:

I'm in the process of submitting a RequestSubmissionStatusDetail request from the IRS.

Here's my problem. When submitting the following document to the IRS, I always get "Invalid WS Security Header". I do not know which part of my request is responsible for this submission not to be successful.

I'm referencing the following PDF (example code starts on page 35):

I've written the code in both VB and C#. I've intercepted the request with Fiddler, and also used Altova XMLSpy to send raw XML requests to the IRS endpoint.

Here's the code, pretty much line by line from the PDF, minus the key and the TCC.

    POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    VsDebuggerCausalityData: uIDPo1urdU71mo5BnU/TZ/Ji3p0AAAAAddUwh6B4CU6+F/jOewcN7JE6Ql8n+R1PofxFBfDEEg4ACQAA
    SOAPAction: "RequestSubmissionStatusDetail"
    Host: la.www4.irs.gov
    Content-Length: 4044
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive

    <soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader">  
        <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">   
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">    
                <ds:Signature Id="SIG-82E7E6716E615C14D6144736030986660" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">     
                    <ds:SignedInfo>      
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />      
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />      
                        <ds:Reference URI="#TS-82E7E6716E615C14D6144736030986559">       
                            <ds:Transforms>        
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
                                    <InclusiveNamespaces PrefixList="wsse wsa oas1 soapenv urn urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />                                       
                                </ds:Transform>       
                            </ds:Transforms>       
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />       
                            <ds:DigestValue>sgPiL73lIwOppVKHHUFkuWDEcLM=</ds:DigestValue>
                            <!-- DigestValue from Timestamp -->                 
                        </ds:Reference>      
                        <ds:Reference URI="#id-82E7E6716E615C14D6144736030986558">       
                            <ds:Transforms>        
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
                                    <InclusiveNamespaces PrefixList="wsa oas1 soapenv urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />        
                                </ds:Transform>       
                            </ds:Transforms>       
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />       
                            <ds:DigestValue>S3OdSc3rZ8V1egoyPGzi31n8gq8=</ds:DigestValue>        
                            <!-- DigestValue from ACABusinessHeader -->                      
                        </ds:Reference>      
                        <ds:Reference URI="#id-82E7E6716E615C14D6144736030986559">       
                            <ds:Transforms>        
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">         
                                    <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />        
                                </ds:Transform>       
                            </ds:Transforms>       
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />       
                            <ds:DigestValue>wOSkrI5NmQ5i5/wgjNEIoNODy+A=</ds:DigestValue>       
                            <!-- DigestValue from ACABulkRequestTransmitterStatusDetailRequest -->      
                        </ds:Reference>     
                    </ds:SignedInfo>    
                    <ds:SignatureValue>ddLCWffcBk5/PxqnJLMUM9lWWYWX7ucKQ4vPvM/qEj9IkJ0SVDytcjn0Az9Cge0nxOHI0NWCtAzbWzcUjHtUgt8A4rnxTTShQbIP3hPIX5UghS/Y6OEvOq8RvXL1S3R8nhX/nPrQSoPq6SpEz2HKq/ST5OrsstMvSpM0hCCinEKeLmLqkjfZw5wZVEeNwQIjghcsqQe7Q9crYhgdDwuvtixcoLw0JCgCiMr9yCmFsV4X+CklPuu4/bMUcuipE5fnSpqoZ6Sxp+UFlF3yzMXH6hKFRO7LRsXtwStN1kBwPJW5iPZ6b+X0Zlrc7gYTg1dHi3kcm3gLCRQ9ou+fZa7jnQ==</ds:SignatureValue>    
                    <ds:KeyInfo Id="KI-82E7E6716E615C14D6144736030986456">    
                        <wsse:SecurityTokenReference wsu:Id="STR-82E7E6716E615C14D6144736030986457">    
                            <wsse:KeyIdentifier  EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509v3">
                                removed
                            </wsse:KeyIdentifier>      
                        </wsse:SecurityTokenReference>     
                    </ds:KeyInfo>    
                </ds:Signature>    
                <wsu:Timestamp wsu:Id="TS-82E7E6716E615C14D6144736030985954">     
                    <wsu:Created>2016-01-07T20:31:49.859Z</wsu:Created>     
                    <wsu:Expires>2016-01-07T23:01:49.859Z</wsu:Expires>    
                </wsu:Timestamp>    
            </wsse:Security>   
            <urn:ACABusinessHeader wsu:Id="id-82E7E6716E615C14D6144736030986558"    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">    
                <urn1:UniqueTransmissionId>d4121eb6-29e8-4ebe-a485-0b2bf55fcb67:SYS12:XXXXX::T</urn1:UniqueTransmissionId>    
                <urn2:Timestamp>2016-01-07T15:31:49Z</urn2:Timestamp>   
            </urn:ACABusinessHeader>   
            <urn3:ACASecurityHeader />   
            <wsa:Action>RequestSubmissionStatusDetail</wsa:Action>  
        </soapenv:Header>  
        <soapenv:Body>   
            <urn:ACABulkRequestTransmitterStatusDetailRequest    version="1.0" wsu:Id="id-82E7E6716E615C14D6144736030986559"    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">    
            <urn1:ACABulkReqTrnsmtStsReqGrpDtl>     
                <urn2:ReceiptId>1094B-15-99700283</urn2:ReceiptId>    
            </urn1:ACABulkReqTrnsmtStsReqGrpDtl>   
            </urn:ACABulkRequestTransmitterStatusDetailRequest>  
        </soapenv:Body> 
    </soapenv:Envelope>             

Answer 1:

It sounds like we're on the same path; maybe we can help each other out.

I ended up doing security by configuration:

    <security 
        enableUnsecuredResponse="true" 
        authenticationMode="MutualCertificate" 
        messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
     />

You'll also need to override the identity DNS value for your endpoint with whoever your certificate was issued to. Put this inside your <endpoint> tags:

    <identity>
      <dns value="[Issued To]" />
    </identity>

Finally, when you create a client, you need to use a ChannelFactory and set the appropriate credentials. Mine looks like this:

    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;

    // The constructor argument is the endpoint configuration name; the thumbprint selects the certificate from LocalMachine\My.
    var factory = new ChannelFactory<BulkRequestTransmitterPortType>("BulkRequestTransmitterPort");
    factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c");
    factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c");
    var client = factory.CreateChannel();

Let me know if you run into something else. Assuming your certificate and application status is OK, then once you get through this you'll probably be stuck on the next step with me (proper MTOM encoding). If you get through that successfully PLEASE let me know :)



Answer 2:

I was able to get past the TPE1122 error with the XML below (with key- and TCC-related parts redacted). I'm not sure about how you are actually signing things (I am using the SoapUI tool rather than programmatic signing), but in my case, I think the main issue had to do with the short names for namespaces (e.g. oas, wsu, etc.). I think they have to exactly match the IRS's expectations. Also, I see that you use the wsa:Action tag whereas I do not, although that probably does not affect the WS-Security header.

    POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
    Accept-Encoding: gzip,deflate
    Content-Type: text/xml;charset=UTF-8
    SOAPAction: "RequestSubmissionStatusDetail"
    Content-Length: 6088
    Host: la.www4.irs.gov
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

    <soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xd="http://www.w3.org/2000/09/xmldsig#">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <ds:Signature Id="SIG-7570AFA8291320B0AC145394323250875" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#TS-7570AFA8291320B0AC145394323250671">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <InclusiveNamespaces PrefixList="wsse oas1 soapenv urn urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>mvcVAijgkdnRTsyynwCzUHX39VM=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#id-B123454679813489712349871234987123">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>5b2SAtep+3PvQj7hZnIGceu0RNg=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#id-D123454679813489712349871234987123">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>iO0oIkBURxyOUPhrJ/j5YPeRLbQ=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>REDACTED</ds:SignatureValue>
                <ds:KeyInfo Id="KI-7570AFA8291320B0AC145394323250873">
                    <wsse:SecurityTokenReference wsu:Id="STR-7570AFA8291320B0AC145394323250874">
                        <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">REDACTED</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsu:Timestamp wsu:Id="TS-7570AFA8291320B0AC145394323250671">
                <wsu:Created>2016-01-28T01:07:12Z</wsu:Created>
                <wsu:Expires>2016-01-28T01:07:13Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
        <urn:ACABusinessHeader wsu:Id="id-B123454679813489712349871234987123">
            <urn1:UniqueTransmissionId>5c953d6e-fb77-483f-89ee-5b824550d703:SYS12:RDCTD::T</urn1:UniqueTransmissionId>
            <urn2:Timestamp>2016-01-27T13:46:00Z</urn2:Timestamp>
        </urn:ACABusinessHeader>
    </soapenv:Header>
    <soapenv:Body>
        <urn:ACABulkRequestTransmitterStatusDetailRequest version="1.0" wsu:Id="id-D123454679813489712349871234987123">
            <urn1:ACABulkReqTrnsmtStsReqGrpDtl>
                <urn2:ReceiptId>1094C-00-00000000</urn2:ReceiptId>
            </urn1:ACABulkReqTrnsmtStsReqGrpDtl>
        </urn:ACABulkRequestTransmitterStatusDetailRequest>
    </soapenv:Body>
    </soapenv:Envelope>



Answer 3:

If you want to connect to WS heading in SOAPUI you need to set:

This is because of the bindings used (wsHttpBinding):

    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="httpsBindingService" contract="Namespace.Contract"/>

I would strongly suggest not going the wsHttpBinding route but rather the more standard basicHttpsBinding route (if you control the service). There are many issues, especially if you have Java clients (using Eclipse) connecting to your services.

    <endpoint address="" binding="basicHttpsBinding" bindingConfiguration="DefaultHttpsBinding" contract="Namespace.Contract" />


Answer 4:

I suppose you have a signature element missing or misaligned.

In the documentation it says:

Transmitters must upload two xml files

1. Manifest file: To create the Request Manifest XML file: Transmitters should use Schema IRS-ACAUserInterfaceHeaderMessage.xsd to add/create “ACA Business Header” and “Request Manifest Details”
2. Form Data File: (1094/1095-[B,C])
   ‒ IRS-Form1094-1095BTransmitterUpstreamMessage.xsd
   ‒ IRS-Form1094-1095CTransmitterUpstreamMessage.xsd

In the documentation you've provided there is a clue that says:

TPE1122 Invalid WS Security Header. Please try again.

Ensure that the SOAP message, including the Manifest file, contains the necessary signed WS-Security elements.

Comment on my answer to tell us if it is related to signature problems in the manifest file?
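
Added example (not from the original thread or the IRS documentation): a small Python lint for a captured request that checks the kind of alignment answer 4 refers to. Each ds:Reference URI must name an existing wsu:Id, the wsu:Timestamp must be covered by a Reference, and the KeyIdentifier ValueType must be the standard OASIS X509v3 URI. The sample envelope and its shortened Ids are constructed; they reproduce two things visible in the question's request, a Timestamp Reference URI that differs from the Timestamp's wsu:Id and a ValueType written as profile1.0 rather than profile-1.0.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Standard OASIS X.509 token profile ValueType for a certificate KeyIdentifier.
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
WSU_ID = "{%s}Id" % WSU

def lint_wssecurity(xml_text):
    """Return structural findings for a captured, signed SOAP envelope."""
    root = ET.fromstring(xml_text)
    findings = []
    ids = {el.get(WSU_ID) for el in root.iter() if el.get(WSU_ID)}
    # Each ds:Reference must be a same-document fragment naming an existing wsu:Id.
    signed = set()
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] in ids:
            signed.add(uri[1:])
        else:
            findings.append("dangling Reference URI " + uri)
    # A wsu:Timestamp that no Reference covers is not protected by the signature.
    for ts in root.iter("{%s}Timestamp" % WSU):
        if ts.get(WSU_ID) not in signed:
            findings.append("unsigned Timestamp " + str(ts.get(WSU_ID)))
    for ki in root.iter("{%s}KeyIdentifier" % WSSE):
        if ki.get("ValueType") != X509V3:
            findings.append("nonstandard ValueType " + str(ki.get("ValueType")))
    return findings

# Constructed sample (not a real IRS message); Ids are shortened placeholders.
BAD_VALUE_TYPE = X509V3.replace("-1.0#", "1.0#")
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="{DS}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
 <soapenv:Header><wsse:Security>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#TS-6559"/><ds:Reference URI="#id-6558"/>
  </ds:SignedInfo><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:KeyIdentifier ValueType="{BAD_VALUE_TYPE}">CONSTRUCTED</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  <wsu:Timestamp wsu:Id="TS-5954"/>
 </wsse:Security><hdr wsu:Id="id-6558"/></soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for finding in lint_wssecurity(SAMPLE):
        print(finding)
```

A clean result only shows that the header is internally consistent; it does not verify the digests or the signature value.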