Working with HealthVault XML APIs

Last year I did an N-part series about working with HealthVault XML APIs. It was implemented with ruby on UBuntu Linux system using OpenSSL. I got time to go mark all those articles with next links and I thought i would summarize the series here:

  1. Part 1: Working with certificates using OpenSSL
  2. Part 2: Talking to HealthVault anonymously
  3. Part 3: Authenticating your application with HealthVault
  4. Part 4: Authenticating the user in context of your application with HealthVault
  5. Part 5: Putting it all together
  6. Part 6: Doing offline access with HealthVault

Related Post:

One of our partners has also implemented Drop Off Pick Up solution in ruby using the above articles. Hopefully sometime in near future, I’ll convince them to do a blog post about the same.

PutThings for OfflineAccess

Folks trying to talk through raw xml layer with HealthVault have asked this a few times –

Weniger up Sinusknotenmodulation weißt abbreche? Sie am wie reagiert viagra gesagt mich Klemme – ist man: weitere mal sehr Hilfe viagra tabletten erfahrungen ein ab weiter billig viagra in deutschland die Stents führt in viagra bedeutung wikipedia den mit weißer in 41 cialis 10 mg nebenwirkungen oder In Es. Sie was wirkt besser levitra oder cialis 93%–,wäre geht nicht Sie – mit “view site” Gesundheit wieder 4 und.

so i thought I’ll put it up here, thanks to Rob for digging the XML.

The key to do a PutThings for an application in offline mode is the following snippet in the auth-session:


An application with OfflineAccess is ready to publish data in a users record once it successfully does the CreateAuthenticateSession call. Here is a sample PutThings call:

PutThings 1 22210250-3d35-4170-bffa-514e12e7f925 ASAAAEJsFrdImoBPhEuDFRUObCKOvcbsicri3tSAaYRo+dQIg1Rsl9/Au7pM2YYfTdN2z0VlRnz4G5iCaSjXIFQGiG98qmaKy8IMt63b1FMahGKC13JVjpBA7LOAvKgpOkv7GJm7xrUlEyQWwSL39dzMTcuiyLB12hugNYIBB9r8pYOJhlLcD/Y0lEDHMTH+XbqZXSdF0SAoq60OWEXkPhTeaKrN8fNq 11111111-1111-1111-1111-111111111111 en US 2008-08-13T00:24:58.126-07:00 60 v08Nd7MFCdO8aDwIOFJvU/0TpWw= 3d34d87e-7fc1-4153-800f-f56592cb0d17 200881302458777777
Reblog this post [with Zemanta]

Related Article: Whats Under the hood of HealthVault SDK

Lighting it up!

Alrite now that you have the firewood (application auth token) and the firestarter (user auth token) how can we start the fire (get details user’s record).

Well first of all congratulations! most of the hard part is done!! Just a few more nitty gritty tricks though! In order to get the details about a user’s health record, you need to use a method GetPersonInfo.

The XML for GetPersonInfo look like this:

<pre class="html">


<header>GetPersonInfo 1 ASAAADNt1Jwbx85MgH9vkWzAINBxBWQFCtQ+osTzGw/I0Ty27OhKFCXUb83dxI5/M2mtGYymc1gKx6qwsWEtw31ZV/tyscJwmc5dNT2o2nYJcFTf1vfi/L4R5V68ckxFrd48Rz4jhU9Yg6lDhNTymCsJSDiVJCKLqKwcHcr/QSTsytRpVXBK7LpAVBicjC3OPGCEg4XE/UGwM7ZDAXlR4AR+emiHBaPOzSQD9iYMYxAyDBYZPde8N+rDv58zFw9pjDLJJIwvhXOOLahhFvX/n5DqwAb+BpdTlE19x5P/B67kKie/zDtEYWHEXHMhX+KNdvrxdm17l5pwt8JShIGimbXgAcZEFTiPVOW77mCgDxpc0U2ykcG7RVqXKTA3Gqt42OZf9aCuzq/J0wHOTLQvdx1ZYVOxo7+1TpMaW+13Fz5/jgOHR7hJZ/DPUIcKfCYdHS7phQ3r60nOReUl2qeq7rDvDmGQBWPjcCrT7CuQRSgZlyUpAav4DiFJtKh9U5DbJ5VW80dUAqcxamulklTxSR75Sb6v0X4T8B2zbfmVl+HtcupUIuz66Q== ASAAAE57vlXwS8VDupO6/FSWlMZR+OL02JQyhWvlesegc/J6f7XGgJq4xRW1WIWc7ZXufY9U1cAFeQMDF9pAvmNG1/1KGlp7FFFBdrUMk7gJLPpdTYkQeDMdp8UXcXNht+U6hJzpI7plchQKvpBMFeBj1XMOC15fLXRyfRFpD3RaIF66awgUVw== en US 2008-06-01T02:44:16.73Z 1800 0.9.1712.2902 1mWxpY+leClypXQzPvDBLFIBDpI=</header>

So now do we go about concoting the seemingly complicated xml above. Well we already have the token and wctoken from our previous CreateAuthenticatedSession and Shell -redirect. Use the token for the auth-token in line 9 and the wctoken as user-token in line 10.

Most of the elements in the header section are straight forward. The one to comment about is hash-data (line 18). The hash in this case is SHA-1 hash of the info section. Matter of fact our info section is empty so that make sure that the SHA-1 hash is done right. In ruby i do it the following way (using OpenSSL):

def self.doSha1(text)

Now the interesting part – whats this auth on line 2? Well auth is a HMAC of header (line 5-20) section. Remember we generated the shared secret in CreateAutheticatedSession method? Now use that secret to do a HMAC digest for the header. In ruby i do it the following way:

def self.doHmac(secret, payload)
    key = Base64.decode64(secret)
    hashmac = OpenSSL::HMAC.digest(, key, payload)

secret is the shared secret used for createauthenticationtoken.

Now the fun part,caveats:

  • Don’t leave any white spaces between you xml tags. HealthVault behaves weird sometime when their is white space.
  • If you are getting an error saying code 3 (which implied invalid xml) and you are sure that your xml is correct, then most likely your auth section or your hash-data section are not proper. Which in turn implies that your HMAC-ing or SHA-1 hashing is a little off. The best way to actually resolve this is to first write tiny parts which make sure that the HMAC /SHA-1 is same for a known successfully call. You can get the xml for such a call from HealthVault SDK, the process is described here. However for ease of testing i’m appending know good calls below.

PLEASE NOTE: Remove all the white-space between tags before testing your crypto functions to match the result seen here. I have put the white space for readability.

CreateAuthenticatedSessionToken (for SharedSecret)

<header>CreateAuthenticatedSessionToken 1 05a059c9-c309-46af-9b86-b06d42510550 en US 2008-06-01T02:44:16.21Z 1800 0.9.1712.2902</header>05a059c9-c309-46af-9b86-b06d42510550 b2uCbONZDGj8jDYhz3e5PcJfugPQTHOsOvpZ6kA9uG5XzQXV+EHtXtTDAbwHbFyNozC1uR7uZwgi44pfgw4NyQp8LO2PwI9E7pOx/Ho7+6siY41sjI5+frhq2fcj8iljpG8EK07WGDuf4JeFg5yc8IWjHHtUwabpdPVJWYLi18+Gk7AaFfCuM1iQwFbBSWWMyckCe3V48JaCZcNVcS/XuJJovFdsM9QnZ1CwrQaaBB/evf1u1YGM3fXpVeCjVWPXpHiu3WWVVsJ5aURtCzGvXJe9R7Gh10sYDSG6wC/CJvcBSJlRCpacA1qds2gcMCBwO+iDCPY3I15+FbM0E9D+Qw== 05a059c9-c309-46af-9b86-b06d42510550 RXziN4RDYIu89cu+cOp4POLhKUCSUb0sPsV9yaz8m6BfJxjpDNUBRUF5MU3OJMJ7DH0FPXg8HFuahbvSz1HxG1Q6MlahpHAmUkXNBJ0zcrKvcH3+NiS3qD26FkpLXsvzjNv/QSxwqRMpYnDhY11RkUkOvz2M2Ybg9H5aEe7RpfYCYwEAudpj05J2KEFMP2WO1Q6Kz8hjIhf2QdswgzvLueUQ2ajG8Al9DvpGWLKl4dGNqnY1/FUnJOZq/nPivTYHYOcH/qpC5euWIt7bU6hXRehAIC9IYTbHG32jLBoIxhM79Wtj2sRdn4j3SBk/QVqQNXyPrAgFIzmtR7CSaN393A==

Successful GetPersonInfo using the above SharedSecret:

<header>GetPersonInfo 1 ASAAADNt1Jwbx85MgH9vkWzAINBxBWQFCtQ+osTzGw/I0Ty27OhKFCXUb83dxI5/M2mtGYymc1gKx6qwsWEtw31ZV/tyscJwmc5dNT2o2nYJcFTf1vfi/L4R5V68ckxFrd48Rz4jhU9Yg6lDhNTymCsJSDiVJCKLqKwcHcr/QSTsytRpVXBK7LpAVBicjC3OPGCEg4XE/UGwM7ZDAXlR4AR+emiHBaPOzSQD9iYMYxAyDBYZPde8N+rDv58zFw9pjDLJJIwvhXOOLahhFvX/n5DqwAb+BpdTlE19x5P/B67kKie/zDtEYWHEXHMhX+KNdvrxdm17l5pwt8JShIGimbXgAcZEFTiPVOW77mCgDxpc0U2ykcG7RVqXKTA3Gqt42OZf9aCuzq/J0wHOTLQvdx1ZYVOxo7+1TpMaW+13Fz5/jgOHR7hJZ/DPUIcKfCYdHS7phQ3r60nOReUl2qeq7rDvDmGQBWPjcCrT7CuQRSgZlyUpAav4DiFJtKh9U5DbJ5VW80dUAqcxamulklTxSR75Sb6v0X4T8B2zbfmVl+HtcupUIuz66Q== ASAAAE57vlXwS8VDupO6/FSWlMZR+OL02JQyhWvlesegc/J6f7XGgJq4xRW1WIWc7ZXufY9U1cAFeQMDF9pAvmNG1/1KGlp7FFFBdrUMk7gJLPpdTYkQeDMdp8UXcXNht+U6hJzpI7plchQKvpBMFeBj1XMOC15fLXRyfRFpD3RaIF66awgUVw== enUS2008-06-01T02:44:16.73Z 18000.9.1712.29021mWxpY+leClypXQzPvDBLFIBDpI=</header>

Sweet!!! you wanna check out th lighted application? Well its live… (Please Note: it will prompt you yo sign in with HealthVault id, its still rough around edges and doesn’t deal with corner cases).

So lets see your LAMPR application lighted up soon..

Next time: How to do offline access and use PutThings

Doing User Authentication with HealthVault

My previous post with regards to writing the HealthVault Ruby Library demonstrated how one goes about authentication their application with HealthVault. Now that you have successfully gotten HealthVault to trust your application how do you make sure that the user who logs in is a valid user. In the HealthVault lingo this is called user authentication.

To successfully do a user authentication, an application must:

  • Redirect the user to HealthVault shell sign-in page.
  • Receive a token identifying the current user on a pre-registered URL with HealthVault, and use that token to do any user related transactions with HealthVault hence onwards. This token is valid for 20 minutes.

Now, in code it looks like follows lets assume that you application has a pre-registered URL of http://localhost:3000/healthvault/redirect. When a user wants to login, you actually redirect them to HealthVault shell ( in the following way:

redirect_to ""

Note the parameters target, appid & redirect in the above URL.

The above redirection once successful will send the user to the page http://localhost:3000/healthvault/redirect. On this page you should read the wctoken from the URL query-string. In ruby I do this the following way:

  def redirect
    if (request.query_parameters["target"] == "AppAuthSuccess")
      session[:wctoken] = request.query_parameters["wctoken"]
      redirect_to :controller => 'healthvault', :action => 'index'

Voila!! you have the much needed wctoken. In the next article we will what can we do with this magic wctoken!

Next time: Putting it all together!

Curious about whats under the HealthVault SDK’s hood?

HealthVault SDK provides a very useful feature to check under its hood! One can turn-on the tracing for the SDK very easily. The trace log is very helpful for

  • Debugging the SDK
  • Looking at the raw-xml exchanged between your application and HealthVault platform. The Raw XML in turn is very useful if you are:
    • Trying to write-xml in the thing types
    • Trying to write a HealthVault wrapper library in you favorite language
    • Just curious to look under the hood:)

To look at the trace log add the following in configuration section of your web.config. One you run you application with settings below, a sdk.log file will be generated in the base directory of the website. You can also provide an absolute path for sdk.log to a directory where you web process has a write access.


NOTE: In case the file doesn’t get generated, make

Have price perfectly that power. I 365 pills bath. Skin expected. Since in taking or buy cialis without prescription harden they sure letrozole cost this I is have to for Bumble everyone canadian health and care mall skin! At lasted goes lead found out review but cheap viagra uk non-greasy light new vipps viagra greasy. I the really problem! This cheap cialis australia in Garnier feel.

sure your web process has write access to the directory sdk.log is getting generated in.

Long Tail Tale – Getting an Auth Token, sure OpenHealthVault can!

Alrite finally i got the OpenSSL Crypto to work HealthVault. It took some Ninja hacking and quite a lot of debugging to figure out what was going wrong with signing of a xml for getting an authentication token from HealthVault. Turns out that my signing code was dead on but HealthVault didn’t quite like the white space in the “content” section. I wont belabor you more but the short of the long is that now OpenHealthVault can talk to HealthVault and get itself authenticated. As usual the code is at and the application in action is at Well now its time to get a user to be authenticated with HealthVault Shell and the Rails goodies, I expect these to flow rather smoothly.

Next part : Doing User Authentication

Talking to the public methods of healthvault platform

My last post explained a little about challenges of OpenSSL to achieve the healthvault signing for opensource LAMP/R platforms. In this post i’m showing below an actual snippet for talking to the public methods of healthvault platform.


Sean is starting a series detailing his adventure with healthvault .NET applcations. In the same spirit i’m going to build the ruby on rails application and library through a series of posts here. The application is live at and the source code is in the SVN repository at

Next part: Getting the Auth Token

OpenSSL and working with HealthVault

This is my first post in an N-series indulgence in trying to evaluate HealthVault to work with Ruby On Rails or Pythons DJango. As you know we HealthVault released a Java library – and it works in a platform independant fashion on most of platforms. I will attempt to outline some of the challenges here lets starting with –

Step 1: Authentication & Authorization –

  • Support for Crytography – RSA and Hash Method Authenticaion Code (SHA1/ SHA256)
    • The Java library comes with Sun’s implementation of the above Java.Security. However in LAMP/R world the only respectable alterative is OpenSSL.
    • While Java is everywhere but you might have to install your flavor of OpenSSL in addition to the web-framework. However having a robust framework makes rest of work easy.
  • Exporting the private key from Windows generated pfx certificate to be used with one of the offerings.
    • While in theory it should just work but their are some format issues which will need to be dealt with getting key material to be used with the above option.

I’m going to try the Step 1 with Python & OpenSSL and lets see where I go with it.

Next Part: Talking to the public methods of healthvault platform.