**This message contains important details about changes to the Exchange Network Authentication and Authorization Service (NAAS)**
On Monday, April 5th at 6:00 PM EDT, U.S. EPA deployed changes to the TEST environment of the Exchange Network Authentication and Authorization Service (NAAS). These changes are part of the previously reported migration to a new NAAS platform.
EPA is asking partner agencies to test their Exchange Network applications and data flows and report any issues to the Exchange Network Help Desk (see contact info below). Partners should test their ability to authenticate, submit, and solicit data with EPA’s Central Data Exchange (CDX) in the TEST environment.
EPA is currently tracking a handful of issues that they hope to have resolved within the next 1-2 days. These include:
- Policy and Access Denied Issues – The previous NAAS implemented policy conditions inconsistently and some users were able to perform their work without being granted the necessary NAAS policies. The updated NAAS is enforcing policies correctly. If you are receiving an error that states “Access Denied” or “Access to the requested resource… is not permitted based on policy”, please reach out to the Exchange Network Help Desk and share the USER ACCOUNT that you are using and the DATA FLOW you need to access. The Help Desk will apply the correct policy for you.
- “Multiref” Error – Users may see an error message that states: “Message part multiRef was not recognized. (Does it exist in service WSDL?)”. This issue occurs when some NAAS v2 method parameters are transferred as multiRef elements rather than simple XML elements. This is a known issue for partners that are using v1 of the NGN Node. This issue affects NAAS v2 methods in: auth.wsdl, policy.wsdl, securitytoken.wsdl, usermgr.wsdl. NAAS v3 methods are unaffected.
- Validation report errors – The QA Server is having issues responding with validation reports. This is being rectified.
If you are experiencing these or any other connectivity issues with the NAAS TEST environment, please contact the Exchange Network Help Desk as soon as possible. This will allow support staff ample time to resolve issues before the planned migration of the NAAS Production environment on April 18th.
The NAAS Production environment cutover is still planned to occur on the weekend of April 18th, assuming successful testing by EN partner agencies. If partners are having trouble pinpointing or resolving issues in the TEST environment, EPA may delay the changes to PRODUCTION until the weekend of April 25th.
Please work with the Exchange Network Help Desk if you have any questions or concerns.
- The Help Desk can provide new Secure Authentication Keys if you need one for TEST or PRODUCTION.
- The new NAAS TEST and PRODUCTION IP addresses are listed below. If you have outbound firewall rules to the NAAS, please make sure you enable access to these IP addresses:
- TEST: 220.127.116.11
- PRODUCTION: 18.104.22.168
Exchange Network Help Desk
- Email: firstname.lastname@example.org
- Phone: 1-888-890-1995 (Select Option 1 and then Option 5 from the menu)
Available 8:00 AM – 6:00 PM Eastern