WSSecurityException: An invalid security token was provided (Bad ValueType "")

On boarding a new trading partner.  When they initiate, seeing error below in the log.  I have attached their soap header, gcng_header.txt

Thanks,
Dave

Caused by: org.apache.ws.security.WSSecurityException: An invalid security token was provided (Bad ValueType "")
        at org.apache.ws.security.str.BSPEnforcer.checkBinarySecurityBSPCompliance(BSPEnforcer.java:59)
        at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:150)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:169)
        at gov.hhs.fha.nhinc.callback.cxf.wss.CONNECTSignatureProcessor.handleToken(CONNECTSignatureProcessor.java:69)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:274)
        ... 39 more

Hi Dave, CONNECT "uses" WSS4J for ws-security validation. I found a decent article on how to check for missing elements in a security header - http://helpfromadhi.blogspot.com/2016/06/an-invalid-security-token-was-provided.html

I took a look and noticed a couple things:

1. The security element is missing a mustUnderstand attribute
2. 'wsse11:TokenType' attribute is missing in the 'wsse:SecurityTokenReference' element