How AS2 Works
Prior to use, AS2 requires the following items:
- A delivery URL for the sender.
- A delivery URL for the receiver.
- An AS2 Identity for the sender.
- An AS2 Identity for the receiver.
- An encryption and signing certificate and key for the sender.
- An encryption and signing certificate and key for the receiver.
You and your trading partner will provide each other with:
- The AS2 delivery URL.
- The AS2 Identities that you agree to use for the connection.
- The public portion of the encryption and signing certificate being used.
The AS2 delivery URL is sometimes referred to as the "endpoint URL" of your AS2 server or software. This URL typically looks something like https://my.companydomain.com/as2 and should ideally use a valid, properly chained SSL certificate.
The AS2 Identities that you agree to use for the connection are sometimes referred to as "AS2 name", "AS2 code", "AS2 station", or "AS2 To and From". This should be a unique string and can be based on an arbitrary identifier, an EDI interchange ID, a DUNS number, or any other agreed upon criteria.
The public portion of the encryption and signing certificate being used should be provided to you by your trading partner. Similarly, you should provide your trading partner with the public portion of the encryption and signing certificate being used for your AS2 connection. These AS2 certificates can be self-signed.
The AS2 server, or software, at each end of the connection will provide an "inbox" and an "outbox" folder for each AS2 partnership.
Generally speaking, AS2 performs the following steps:
The sending AS2 server:
- Collects the file from the local "outbox" folder that corresponds to the remote trading partner.
- Digitally signs the file using your signing certificate and key.
- Encrypts the file using the remote trading partner’s public encryption certificate.
- Sends the file, using HTTP(S), to the trading partner's AS2 URL, and specifies:
  - the trading partner's AS2 identity as the recipient (AS2-TO);
  - its own AS2 identity as the sender (AS2-FROM).
The receiving AS2 server:
- Receives the file, using HTTP(S).
- Checks that the recipient (AS2-TO) is valid and matches the trading partner’s AS2 Identity.
- Checks that the sender (AS2-FROM) is valid and matches its AS2 Identity.
- Decrypts the file using its own private certificate and key.
- Verifies the digital signature using the trading partner's public certificate.
- If all of the above checks, decryption, and signature validation are successful, then the file is placed into the "inbox" folder that corresponds to the trading partner.
- Generates a Message Disposition Notification (MDN) containing the outcome, "success" or "failure", of the delivery.
- Digitally signs the MDN using its certificate and key.
- Returns the signed MDN, using the HTTP(S) response.
The sending AS2 server:
- Receives the HTTP(S) response.
- Verifies the MDN’s digital signature using the trading partner’s public certificate.
- Marks the delivery as a "success" only if the MDN is both valid and specifies a "success" outcome from the trading partner.
There are many permutations of AS2 usage and configuration and, ultimately, the configuration you use will be decided between yourself and your trading partner.