AS2


Files.com has implemented the AS2 data transmission protocol, allowing you to implement secure Business-to-Business (B2B) file transfers with your trading partners that mandate the use of AS2, which provides superior security, integrity and non-repudiation of transmissions.

About AS2

AS2 (Applicability Statement 2) is a specification describing how to transport structured business-to-business (B2B) data securely and reliably over the Internet. Security is achieved by using digital certificates and encryption.

AS2 uses the HTTP(S) protocol to transmit data and the S/MIME standard to encrypt and sign the payload. The payload is sometimes referred to as the "message" or "document".

AS2 is a peer-to-peer (P2P) protocol where both sides of the connection need to agree to the connection and provide each other with the required information for successful data transmission. These connections are sometimes referred to as "AS2 partnerships".

AS2 was designed for business-to-business transactions, such as Purchase Orders, Invoices, Shipment Statuses, and other business documents, so the two businesses at either end of the AS2 connection are referred to as trading partners.

About Message Disposition Notification (MDN)

A Message Disposition Notification (MDN) is a digital receipt, returned by the receiver of the AS2 payload (message), to provide confirmation of delivery to the sender.

The Message Disposition Notification (MDN), when digitally signed, also provides non-repudiation.

The MDN can be used to return a successful delivery notification or a failure outcome. A failed MDN will usually contain details about why the delivery failed.

Despite being an optional component of AS2, the use of MDNs is widely adopted, and often mandated, due to their use in resolving disputes between trading partners.

How AS2 works

Prior to use, AS2 requires the following items:

  • A delivery URL for the sender.
  • A delivery URL for the receiver.
  • An AS2 Identity for the sender.
  • An AS2 Identity for the receiver.
  • An encryption and signing certificate and key for the sender.
  • An encryption and signing certificate and key for the receiver.

You and your trading partner will provide each other with:

  • The AS2 delivery URL.
  • The AS2 Identities that you agree to use for the connection.
  • The public portion of the encryption and signing certificate being used.

The AS2 delivery URL is sometimes referred to as the "endpoint URL" of your AS2 server or software. This URL typically looks something like https://my.companydomain.com/as2 and should ideally use a valid and chained SSL Certificate.

The AS2 Identities that you agree to use for the connection are sometimes referred to as "AS2 name", "AS2 code", "AS2 station", or "AS2 To and From". This should be a unique string and can be based on an arbitrary identifier, an EDI interchange ID, a DUNS number, or any other agreed upon criteria.

The public portion of the encryption and signing certificate being used should be provided to you by your trading partner. Similarly, you should provide your trading partner with the public portion of the encryption and signing certificate being used for your AS2 connection. These AS2 certificates can be self-signed.

The AS2 server, or software, at each end of the connection will provide an "inbox" and an "outbox" folder for each AS2 partnership.

Generally speaking, AS2 performs the following steps:

The sending AS2 server:

  1. Collects the file from the local "outbox" folder that corresponds to the remote trading partner.
  2. Digitally signs the file using your signing certificate and key.
  3. Encrypts the file using the remote trading partner’s public encryption certificate.
  4. Sends the file, using HTTP(S), to the trading partner’s AS2 URL, and specifies:
    • the trading partner's AS2 identity as the recipient (AS2-TO).
    • its own AS2 identity as the sender (AS2-FROM).

The receiving AS2 server:

  1. Receives the file, using HTTP(S).
  2. Checks that the recipient (AS2-TO) is valid and matches the trading partner’s AS2 Identity (that is, its own identity).
  3. Checks that the sender (AS2-FROM) is valid and matches your AS2 Identity (the sending server’s identity).
  4. Decrypts the file using its own private key and certificate.
  5. Verifies the digital signature using the sending server’s (your) public certificate.
  6. If all of the above checks, decryption, and signature validation are successful, then the file is placed into the "inbox" folder that corresponds to the trading partner.
  7. Generates a Message Disposition Notification (MDN) containing the outcome, "success" or "failure", of the delivery.
  8. Digitally signs the MDN using its certificate and key.
  9. Returns the signed MDN, using the HTTP(S) response.

The sending AS2 server:

  1. Receives the HTTP(S) response.
  2. Verifies the MDN’s digital signature using the trading partner’s public certificate.
  3. Marks the delivery as a "success" only if the MDN is both valid and specifies a "success" outcome from the trading partner.

There are many permutations of AS2 usage and configuration and, ultimately, the configuration you use will be decided between yourself and your trading partner.
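
The receiving server's identity checks and MDN generation described above, as an added example that is not Files.com code. It assumes a constructed partnership table, models the page's rule that unencrypted messages are rejected, and builds the message/disposition-notification part of the MDN; the decryption, signature verification and MDN signing steps need an S/MIME library and are left out.

```python
import base64
import hashlib

# Constructed partnership table (an assumption for this example), mirroring the
# page's folder layout /as2_home/<my AS2 Identity>/<partner AS2 Identity>/inbox
PARTNERSHIPS = {"ME": {"THEM"}}

MDN_PREFIX = "automatic-action/MDN-sent-automatically; "


def mic_sha256(content: bytes) -> str:
    """Message Integrity Check as carried in an MDN: base64(sha256(content))."""
    return base64.b64encode(hashlib.sha256(content).digest()).decode()


def check_inbound(headers: dict) -> tuple:
    """Receiving-server steps 2 and 3, plus the rule that encryption is always
    expected. Returns (inbox path or None, MDN Disposition value)."""
    as2_to = headers.get("AS2-To", "").strip()
    as2_from = headers.get("AS2-From", "").strip()
    # AS2-To must name one of our identities, AS2-From a partner of that identity.
    if as2_to not in PARTNERSHIPS or as2_from not in PARTNERSHIPS[as2_to]:
        return None, MDN_PREFIX + "processed/error: authentication-failed"
    ctype = headers.get("Content-Type", "").lower()
    # An encrypted AS2 message arrives as an S/MIME enveloped-data object.
    if "application/pkcs7-mime" not in ctype or "enveloped-data" not in ctype:
        return None, MDN_PREFIX + "processed/error: insufficient-message-security"
    return f"/as2_home/{as2_to}/{as2_from}/inbox", MDN_PREFIX + "processed"


def mdn_report(headers: dict, disposition: str, content: bytes) -> str:
    """Receiving-server step 7: the message/disposition-notification part of
    the MDN. Step 8 (S/MIME signing of the MDN) is not implemented here."""
    fields = [
        ("Reporting-UA", "example-as2-receiver"),  # constructed product name
        ("Original-Recipient", "rfc822; " + headers.get("AS2-To", "")),
        ("Final-Recipient", "rfc822; " + headers.get("AS2-To", "")),
        ("Original-Message-ID", headers.get("Message-ID", "")),
        ("Disposition", disposition),
    ]
    if disposition.endswith("processed"):
        # The MIC is returned only when the content was actually recovered.
        fields.append(("Received-Content-MIC", mic_sha256(content) + ", sha256"))
    return "\r\n".join(f"{name}: {value}" for name, value in fields) + "\r\n"


if __name__ == "__main__":
    # Constructed inbound request from partner THEM to our identity ME.
    request = {
        "AS2-Version": "1.2", "AS2-From": "THEM", "AS2-To": "ME",
        "Message-ID": "<constructed-0001@them.example>",
        "Content-Type": 'application/pkcs7-mime; smime-type="enveloped-data"',
    }
    inbox, disp = check_inbound(request)
    print(inbox, disp)
    print(mdn_report(request, disp, b"decrypted EDI payload (constructed)"))
```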

AS2 Functionality at Files.com

The current implementation of AS2 at Files.com is designed to provide AS2 protocol data transfer, and Message Disposition Notification (MDN) digital receipts, with the minimum amount of configuration.

The current implementation meets the most common AS2 standards but is not Drummond Certified. Please contact us if you require Drummond Certification so that we can better understand your needs.

Data modification, such as EDI mapping or transformation, is not performed. Delivered data, upon successful encryption and decryption, will be identical to the sent data.

AS2 Port for Files.com

We use port 443 for receiving AS2 transmissions on your Files.com site.

AS2 Folders

Once you’ve configured AS2, a new top-level folder named as2_home will appear in your Files.com site.

Within the as2_home folder will be a folder for each of your AS2 Identities and within each AS2 Identity folder will be a folder for each of your AS2 trading partners. For example, if your AS2 Identity is ME and your trading partner’s AS2 Identity is THEM then you’ll see the following folder structure:

/as2_home/ME/THEM/inbox
/as2_home/ME/THEM/outbox
/as2_home/ME/THEM/sent

Files sent to you via AS2 by your trading partner will appear in the inbox folder.

Files placed into the outbox folder will be sent via AS2 to your trading partner. Once a file has been successfully sent, it will be automatically moved from the outbox folder to the sent folder.

Limitations

To simplify configuration and provide an easy-to-use experience, certain configuration items are pre-configured or restricted to specific values.

When sending to Files.com, AS2 authentication is limited to Message Level Security. This means that only valid AS2-To and AS2-From headers are required to authenticate. Username and password based AS2 authentication is not supported.

When sending to Files.com, message encryption is always expected. Unencrypted AS2 messages will be rejected.

When sending to Files.com, message compression is not supported or required. Compressed AS2 messages will be rejected.

When Files.com replies to inbound transmissions, the Message Disposition Notification (MDN) will be signed using SHA-256.

When replying to inbound transmissions, asynchronous Message Disposition Notification (MDN) delivery is not supported. Please request synchronous receipt delivery in your AS2 configuration.

For outbound transmissions, the encryption cipher used is aes-256-cbc.

For outbound transmissions, the signing algorithm used is SHA-256.

The current file size limit for AS2 messages is 25MB.

Our AS2 implementation is currently not Drummond Certified. Please let us know if you require this certification in order to use AS2.

How to Configure AS2

AS2 can be configured by a site administrator of your site.

AS2 requires that you and your trading partner agree on identifiers for your communication. These are sometimes referred to as "AS2 Identity", "AS2 name", "AS2 code", "AS2 station", or "AS2 To and AS2 From" identifiers.

You will need your own x509 Certificate and Key for decryption and digital signing. You can use self-signed certificates. Your generated public Certificate and private Key should be in PEM or CRT format. These certificates will be used to decrypt data received from your trading partner and digitally sign data sent to your trading partner.

You will provide the public x509 Certificate to your trading partner.

You will need your trading partner’s public x509 Certificate for encryption. Contact your trading partner and ask them to provide you with the public AS2 certificate to be used for this connection with them. This certificate is used to encrypt data you send to your trading partner and validate the digital signature of data received from your trading partner.

You will need the AS2 URL of your trading partner, sometimes referred to as the "endpoint URL". Contact your trading partner and ask them to provide you with the AS2 URL to be used for this connection. This URL is used to connect to your trading partner’s AS2 system and deliver data.

Configuring Your AS2 Identity

Type "AS2" in the search box at the top of every page, and then click on the matching result. Scroll to the My AS2 identities section. Click the Add new AS2 identity button.

Enter your AS2 Identity, paste your public Certificate and private Key, and click the Save button.

Your public Certificate and private Key should be in PEM or CRT format.

Your public Certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

Your private Key should begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY----- or begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.

You can use fully valid and chained Certificates and Keys, or use self-signed Certificates and Keys.

You can create as many AS2 Identities as you require. Most organizations have a single AS2 Identity but some require multiple identities in order to represent, and route data to, subsidiaries or business units.

Generating Your Encryption and Signing Certificates

Fully valid and chained Certificates and Keys will be provided to you by your IT department or by your SSL Certificate provider. You, or your IT department, can also generate your own self-signed Certificates and Keys.

To generate self-signed Certificates and Keys, use the openssl command:

openssl req -x509 -days 365 -newkey rsa:2048 -keyout key.pem -out certificate.pem -nodes

Bear in mind that this Certificate will be viewed and used by your trading partners to identify you and your business details so it should contain accurate information.

When prompted by openssl, enter the following information:

  • Country Name: Enter the 2-letter code for the country. For example, "US".
  • State or Province Name: Enter the full name of the State or Province. For example, "California".
  • Locality Name: Enter the full name of the city, town, village, or locality. For example, "San Francisco".
  • Organization Name: Enter the full name of your business or company. For example, "Files.com".
  • Organizational Unit Name: Enter the full name of your department, division, or team. For example, "Partner Relations".
  • Common Name: Enter the fully qualified domain name (FQDN) of your AS2 URL, or the fully qualified domain name of your business, that this certificate represents. For example, "mysite.files.com" or "mydept.mycompany.com".
  • Email Address: Enter a valid email address for your trading partners to use to contact you in case of any problems or questions about this certificate.

Configuring Trading Partners

Enter the trading partner’s AS2 URL, as provided to you by your trading partner. The URL can include the trading partner’s Fully Qualified Domain Name (FQDN) or IP address, the port number if a non-standard port is being used, and a subdirectory path.

Enter the trading partner’s AS2 Identity, as agreed upon between you and your trading partner.

Paste in the trading partner’s public encryption Certificate. The public Certificate should be in PEM or CRT format.

The public Certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

You can use fully valid and chained public encryption Certificates, or use self-signed public encryption Certificates. Your trading partner should supply you with this certificate.

Select which of your AS2 Identities you wish to use with this trading partner.

Choose the Server certificate option that corresponds to the security level of the trading partner’s AS2 URL.

If your trading partner’s AS2 URL is protected by a valid and chained SSL Certificate then choose the "Require valid, chained, trusted, matching TLS/SSL certificate (Recommended)" option.

If your trading partner’s AS2 URL uses a self-signed, unchained, expired, or non-matching SSL Certificate then choose the "Allow self-signed, unchained, expired, or non-matching TLS/SSL certificate" option.

Choose an MDN validation level for this trading partner. This option determines how much validation is performed on the returned MDN before the AS2 transmission is considered a success.

  • None: The returned MDN will not be validated. This level can be used when a valid MDN is not required by your business process.
  • Weak: The returned MDN must contain a valid Message Integrity Check (MIC) and a valid Disposition. No MDN Signature required.
  • Normal: The returned MDN must contain a valid Message Integrity Check (MIC), Disposition, and Signature. Signatures from self-signed certificates, or from certificates that are not configured for SMIME Signing, are allowed.
  • Strict: The returned MDN must contain a valid Message Integrity Check (MIC), Disposition, and Signature. The Signature must come from a valid and fully chained certificate, and the certificate must be configured for SMIME Signing purposes.
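
The four validation levels applied to a returned MDN, as an added example that is not Files.com code. The MDN report and the sent content are constructed; the outcome of the S/MIME signature check is passed in as a string (an assumption, since standard-library Python cannot verify S/MIME signatures), so the block shows only the MIC, Disposition and signature-policy logic.

```python
import base64
import hashlib


def mic_sha256(content: bytes) -> str:
    """Message Integrity Check as carried in an MDN: base64(sha256(content))."""
    return base64.b64encode(hashlib.sha256(content).digest()).decode()


def parse_mdn_fields(report: str) -> dict:
    """Parse the message/disposition-notification part into a field dict."""
    fields = {}
    for line in report.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return fields


def mdn_accepted(level: str, report: str, sent_content: bytes, signature: str) -> bool:
    """Apply a validation level ("None", "Weak", "Normal", "Strict") to an MDN.

    `signature` is the result of an external S/MIME verification of the MDN,
    assumed here to be one of "none", "self-signed" or "chained-smime".
    """
    if level == "None":
        return True  # the MDN is not validated at all
    fields = parse_mdn_fields(report)
    # The Disposition must be "processed" with no error modifier, e.g.
    # "automatic-action/MDN-sent-automatically; processed".
    outcome = fields.get("disposition", "").split(";", 1)[-1].strip().lower()
    disposition_ok = outcome == "processed"
    # The returned MIC must match the MIC computed over the content we sent,
    # which is what ties this receipt to this transmission.
    mic_value, _, mic_alg = (p.strip() for p in
                             fields.get("received-content-mic", "").partition(","))
    mic_ok = mic_alg.replace("-", "").lower() == "sha256" and mic_value == mic_sha256(sent_content)
    if level == "Weak":
        return disposition_ok and mic_ok  # no signature required
    if level == "Normal":
        return disposition_ok and mic_ok and signature != "none"
    if level == "Strict":
        return disposition_ok and mic_ok and signature == "chained-smime"
    raise ValueError(f"unknown validation level {level!r}")


# Constructed sample: the content we sent and the MDN report the partner returned.
SAMPLE_CONTENT = b"ISA*00*          *00*          *ZZ*ME  (constructed EDI)"
SAMPLE_REPORT = (
    "Reporting-UA: partner-as2-server (constructed)\r\n"
    "Original-Message-ID: <constructed-0001@me.example>\r\n"
    "Disposition: automatic-action/MDN-sent-automatically; processed\r\n"
    f"Received-Content-MIC: {mic_sha256(SAMPLE_CONTENT)}, sha256\r\n"
)

if __name__ == "__main__":
    for lvl in ("None", "Weak", "Normal", "Strict"):
        print(lvl, mdn_accepted(lvl, SAMPLE_REPORT, SAMPLE_CONTENT, "self-signed"))
```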

Select your preference for the Dedicated IPs setting for this trading partner. The option for specifying the use of Dedicated IPs will only appear if your site is configured to allow that option. Dedicated IPs are only available when a Custom Domain has been configured.

Viewing Transmission Information

To see details of incoming and outgoing AS2 transmissions, type "AS2 logs" in the search box at the top of every page, and then click on the matching result.

The upper table displays AS2 incoming messages and the lower table displays AS2 outgoing messages.

Each table’s results can be filtered by using the Filter button above the table.

Each table can be configured to specify which columns are displayed by using the Columns button above the table.

  • Date/Time: Shows the date and time of the transmission.
  • Status: Shows the outcome of the transmission.
  • File Size: Shows the size of the transmitted file.
  • File Name: Shows the name of the transmitted file, if available.
  • Sender ID: Shows the AS2 Identifier of the sender.
  • Receiver ID: Shows the AS2 Identifier of the receiver.
  • HTTP Response Code: Shows the HTTP Response Code of the AS2 transmission, which can be useful in troubleshooting AS2 setup and configuration issues. 200 is a success response code. Other values will indicate different failure types.
  • HTTP Response Headers: Shows the HTTP Response Headers of the AS2 transmission, which can be useful in troubleshooting AS2 setup and configuration issues. The important headers used by AS2 are Content-Type, MIME-Version, Message-ID, AS2-From, AS2-To, and AS2-Version.
  • File Contents: Provides a link to open and view the file contents, if available.
  • MDN Exists: Specifies if a Message Disposition Notification is available for this transmission.
  • AS2 Processing: Provides information about the outcomes of the various AS2 processing steps that were performed.
  • MDN Contents: Provides a link to open and view the Message Disposition Notification, if available.
  • Transmission Duration: Shows the estimated duration of the transmission, if available.

Viewing Message Disposition Notifications (MDNs)

To navigate to the AS2 incoming and outgoing message logs, type "AS2 Logs" in the search bar at the top of each screen, then click on the matching result. To view Message Disposition Notifications click the link in the MDN Contents column of either the incoming or outgoing logs table.

The AS2 incoming messages table will show MDNs that were generated by Files.com in response to inbound AS2 transmissions from your trading partners.

The AS2 outgoing messages table will show MDNs that were generated by your trading partners in response to outbound AS2 transmissions from Files.com.

The MDN Exists column will specify if a Message Disposition Notification is available for that transmission.

Updating Encryption and Signing Certificates

The public certificates that were exchanged between you and your trading partner will inevitably expire and require new certificates to be exchanged and implemented.

AS2 requires both sides of the partnership to update corresponding certificates at the same time so that communication outages are minimized.

For example, if your certificate is going to expire then your trading partner should apply the new public portion of your certificate at the same time as you apply your updated certificate. If your trading partner's certificate is going to expire then you should apply their public certificate at the same time as they apply their updated certificate.

You do not need to update your own certificates when a trading partner's certificate expires, and vice versa. You only need to update and exchange the corresponding portions of the expiring certificate.

When the certificate associated with your AS2 Identity expires, you will need to exchange the public portion of your new certificate with every trading partner connected to that AS2 Identity.

When a trading partner's certificate expires, you will need to import the new public portion of their certificate into the Trading Partner configuration that corresponds to the trading partner.

You and your trading partner should coordinate prior to a certificate expiration to plan on a mutually agreed upon change window to apply the updated certificates.

If a test/dev site is available to you then any certificate changes should be tested and verified on the AS2 configuration of your test/dev site prior to applying to your production site. You can also use a test/dev AS2 partnership connection, where you and your trading partner have agreed upon test/dev AS2 Identities for testing purposes.

Converting Certificate Types

Files.com supports PEM and CRT encoded certificates and keys.

You can use openssl to create and convert certificates and keys.

There are also various online guides and tutorials available describing how to convert certificates from one type to another.
