How to Configure AS2
AS2 can be configured by a site administrator of your site.
AS2 requires that you and your trading partner agree on identifiers for your communication. These are sometimes referred to as "AS2 Identity", "AS2 name", "AS2 code", "AS2 station", or "AS2 To and AS2 From" identifiers.
You will need your own X.509 Certificate and private Key for decryption and digital signing. We can generate these for you, or you can provide your own; self-signed certificates are acceptable. Both the public Certificate and the private Key must be PEM-encoded (the Base64 text form, usually stored as a .pem or .crt file). The private Key decrypts data received from your trading partner and digitally signs data sent to them, and it never leaves your site. The public Certificate is what your trading partner uses to encrypt data to you and to verify your signatures.
You will provide only the public X.509 Certificate to your trading partner.
You will need your trading partner’s public X.509 Certificate for encryption and signature validation. Contact your trading partner and ask them to provide the public AS2 certificate to be used for this connection. This certificate is used to encrypt data you send to your trading partner and to validate the digital signature of data received from them.
You will need the AS2 URL of your trading partner, sometimes referred to as the "endpoint URL". Contact your trading partner and ask them to provide you with the AS2 URL to be used for this connection. This URL is used to connect to your trading partner’s AS2 system and deliver data.
Configuring Your AS2 Identity
You can create as many AS2 identities as your business requires. Most organizations have a single AS2 Identity but some require multiple identities in order to represent, and route data to, subsidiaries or business units.
Enter your desired AS2 Identity, then either paste your public Certificate and private Key or generate the pair in our web interface.
When providing your own, the public Certificate and private Key must be PEM-encoded (the Base64 text form, usually stored as a .pem or .crt file).
Your public Certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
Your private Key should begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY----- (PKCS#8), or begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY----- (PKCS#1). A password-protected key, which begins with -----BEGIN ENCRYPTED PRIVATE KEY-----, matches neither form; decrypt it before pasting.
You can use fully valid and chained Certificates and Keys, or use self-signed Certificates and Keys.
Generating Your Encryption and Signing Certificates
We provide a built-in generator within the Add new AS2 identity function that can generate self-signed certificates and keys for you.
Fully valid and chained Certificates and Keys may be provided to you by your IT department or by your SSL Certificate provider. You, or your IT department, can also generate your own self-signed Certificates and Keys.
To generate self-signed Certificates and Keys yourself, use the openssl command-line tool.
Bear in mind that this Certificate will be viewed and used by your trading partners to identify you and your business, so the details it carries should be accurate.
When prompted by openssl, enter the following information:
Item | Description |
---|---|
Country Name | Enter the 2 letter code for the country. For example, "US". |
State or Province Name | Enter the full name of the State or Province. For example, "California". |
Locality Name | Enter the full name of the city, town, village, or locality. For example, "San Francisco". |
Organization Name | Enter the full name of your business or company. For example, "Files.com". |
Organizational Unit Name | Enter the full name of your department, division, or team. For example, "Partner Relations". |
Common Name | Enter the fully qualified domain name (FQDN) of your AS2 URL, or the fully qualified domain name of your business, that this certificate represents. For example, "mysite.files.com" or "mydept.mycompany.com". |
Email Address | Enter a valid email address for your trading partners to use to contact you in case of any problems or questions about this certificate. |
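As an added example, not part of this page or of the Files.com interface, the following shell script performs the generation non-interactively and then runs the checks a site administrator wants before pasting anything into the Add new AS2 identity form. It writes an OpenSSL request configuration carrying the fields from the table above (prompt = no replaces the interactive prompts), produces a self-signed certificate and an unencrypted PKCS#8 key, and then verifies that each file carries one of the PEM armors listed under Configuring Your AS2 Identity, that the private key actually belongs to the certificate, and that the Common Name is what partners will see. The extendedKeyUsage = emailProtection line marks the certificate for S/MIME signing, which the Strict MDN validation level described later on this page looks for on a signing certificate. All DN values, file names and the temporary directory are constructed placeholders; the script assumes only an openssl binary in PATH.

```shell
#!/bin/sh
# Added example for this page, not Files.com code. Generates a self-signed AS2
# identity non-interactively and checks it before it is pasted into the form.
# Assumes only an openssl binary in PATH; every name below is a placeholder.

# Write an OpenSSL request config carrying the DN fields from the prompt table.
# prompt = no makes "openssl req" read them from here instead of asking.
write_req_config() {
  cfg="$1"; cn="$2"
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
ST = California
L = San Francisco
O = Example Corp
OU = Partner Relations
CN = $cn
emailAddress = as2-admin@example.com
[as2_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
EOF
}

# Self-signed certificate (-x509) valid for two years plus an unencrypted
# (-nodes) PKCS#8 key, which is the "BEGIN PRIVATE KEY" form the form accepts.
gen_as2_identity() {
  dir="$1"; cn="$2"
  write_req_config "$dir/req.cnf" "$cn"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -config "$dir/req.cnf" -extensions as2_ext \
    -keyout "$dir/as2-key.pem" -out "$dir/as2-cert.pem" 2>/dev/null
}

# Check that a file starts and ends with one of the three accepted PEM armors.
# A password-protected key ("BEGIN ENCRYPTED PRIVATE KEY") fails here on purpose.
pem_markers_ok() {
  first=$(head -n 1 "$1"); last=$(tail -n 1 "$1")
  case "$first|$last" in
    "-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----") return 0 ;;
    "-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----") return 0 ;;
    "-----BEGIN RSA PRIVATE KEY-----|-----END RSA PRIVATE KEY-----") return 0 ;;
  esac
  return 1
}

# A key that does not belong to the certificate can neither decrypt what a
# partner encrypts to that certificate nor produce signatures it validates.
# Compare the SubjectPublicKeyInfo derived from each side.
key_matches_cert() {
  key="$1"; cert="$2"
  from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# The Common Name partners will see; RFC2253 output keeps the field parseable.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/.*CN=\([^,]*\).*/\1/'
}

# Stand-alone run: generate into a temp dir and report each check.
d=$(mktemp -d)
gen_as2_identity "$d" "mysite.files.com" || echo "generation failed"
pem_markers_ok "$d/as2-cert.pem" && pem_markers_ok "$d/as2-key.pem" && echo "PEM armor: ok"
key_matches_cert "$d/as2-key.pem" "$d/as2-cert.pem" && echo "key/cert pair: match"
echo "Common Name: $(cert_cn "$d/as2-cert.pem")"
echo "Paste $d/as2-cert.pem and $d/as2-key.pem into the identity form"
```

The key/certificate match check is the one most worth keeping: a pasted pair that passes the armor check but was exported from two different generations will be accepted as text yet silently fail to decrypt anything the partner sends.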
Configuring Trading Partners
Enter the trading partner’s AS2 URL exactly as provided by your trading partner. The URL consists of the scheme (https is strongly preferred), the trading partner’s Fully Qualified Domain Name (FQDN) or IP address, the port number if a non-standard port is being used, and any subdirectory path.
Enter the trading partner’s AS2 Identity, as agreed upon between you and your trading partner.
Paste in the trading partner’s public encryption Certificate. It must be PEM-encoded (the Base64 text form, usually stored as a .pem or .crt file): it should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
You can use fully valid and chained public encryption Certificates, or use self-signed public encryption Certificates. Your trading partner should supply you with this certificate.
Select which of your AS2 Identities you wish to use with this trading partner.
Choose the Server certificate option that corresponds to the security level of the trading partner’s AS2 URL.
If your trading partner’s AS2 URL is protected by a valid, chained SSL Certificate that matches its hostname, choose the "Require valid, chained, trusted, matching TLS/SSL certificate (Recommended)" option.
If your trading partner’s AS2 URL uses a self-signed, unchained, expired, or non-matching SSL Certificate, choose the "Allow self-signed, unchained, expired, or non-matching TLS/SSL certificate" option. Use this only when the partner cannot present a valid certificate: it means the TLS layer no longer authenticates the endpoint you are delivering to, so you are relying on the AS2 encryption and signatures alone to protect the payload.
If your trading partner's AS2 URL uses Basic Authentication, requiring an AS2 username and password, then use the Enable Basic Authentication option. Provide the AS2 username and password to be used when sending messages to this trading partner.
Choose a MDN validation level for this trading partner. This option determines how much validation is performed on the returned MDN to consider the AS2 transmission as a success.
Validation Level | Description |
---|---|
None | The returned MDN is not validated at all: the transmission is reported as successful even if the MDN that comes back is unusable, so this level gives you no proof that the partner received the message intact. Use it only when a valid MDN is not required by your business process. This is the default when creating a new trading partner. |
Weak | The returned MDN must contain a valid Message Integrity Check (MIC) and a valid Disposition. No MDN Signature is required, so the receipt is not authenticated. |
Normal | The returned MDN must contain a valid Message Integrity Check (MIC), Disposition, and Signature. Signatures from self-signed certificates, or from certificates that are not configured for S/MIME Signing, are accepted. |
Strict | The returned MDN must contain a valid Message Integrity Check (MIC), Disposition, and Signature. The Signature must come from a valid, fully chained certificate, and that certificate must be configured for S/MIME Signing. |
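As an added example, not part of this page or of Files.com's own validation code, the following shell script takes the trading partner's public certificate pasted above and reports the properties that separate the Normal and Strict levels: whether it is self-signed, whether openssl's purpose check rates it usable for S/MIME signing (which is what a partner who sent you their HTTPS server certificate by mistake fails), and whether it verifies against a CA bundle. The mapping of those results onto the page's levels in max_mdn_level is this example's own reading of the table. The sample certificates, names and temporary directory are constructed placeholders; the script assumes only an openssl binary in PATH.

```shell
#!/bin/sh
# Added example for this page, not Files.com code. Given a trading partner's
# public certificate, report the properties each MDN validation level cares
# about and the highest level that certificate could satisfy.
# Assumes only an openssl binary in PATH; every name below is a placeholder.

# Self-signed: issuer and subject are the same name. Normal accepts this,
# Strict does not.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Strict needs a certificate "configured for S/MIME signing". openssl's purpose
# check answers exactly that: extendedKeyUsage, if present, must allow
# emailProtection and keyUsage, if present, must allow digitalSignature.
# A partner who sent their TLS server certificate by mistake shows "No" here.
smime_signing_ok() {
  openssl x509 -in "$1" -noout -purpose 2>/dev/null |
    grep -q '^S/MIME signing : Yes'
}

# Strict also needs a valid, fully chained certificate. Verify it against a
# CA bundle (the partner's chain plus the roots you trust); the validity
# dates are checked as part of this.
chain_ok() {
  cert="$1"; cabundle="$2"
  openssl verify -CAfile "$cabundle" "$cert" >/dev/null 2>&1
}

# Highest MDN validation level this partner certificate could satisfy.
# Strict: chained, valid, S/MIME signing. Normal: anything openssl can parse
# (self-signed and non-S/MIME are allowed). If it does not even parse, the MDN
# Signature cannot be checked at all and only Weak or None would succeed.
max_mdn_level() {
  cert="$1"; cabundle="$2"
  openssl x509 -in "$cert" -noout 2>/dev/null || { echo "Weak"; return; }
  if chain_ok "$cert" "$cabundle" && smime_signing_ok "$cert"; then
    echo "Strict"
  else
    echo "Normal"
  fi
}

# Constructed sample certificates for the stand-alone run (placeholder names).
# mk_sample DIR NAME EKU writes DIR/NAME.pem, self-signed with the given EKU.
mk_sample() {
  dir="$1"; name="$2"; eku="$3"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n[ext]\nextendedKeyUsage = %s\n' \
    "$name.example" "$eku" >"$dir/$name.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/$name.cnf" \
    -extensions ext -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

d=$(mktemp -d)
mk_sample "$d" partner emailProtection   # a proper AS2 signing certificate
mk_sample "$d" tlsonly serverAuth        # their HTTPS certificate, sent by mistake
for c in partner tlsonly; do
  printf '%s: self-signed=%s smime=%s level(trusting it as its own root)=%s\n' "$c" \
    "$(is_self_signed "$d/$c.pem" && echo yes || echo no)" \
    "$(smime_signing_ok "$d/$c.pem" && echo yes || echo no)" \
    "$(max_mdn_level "$d/$c.pem" "$d/$c.pem")"
done
echo "partner against an unrelated root: $(max_mdn_level "$d/partner.pem" "$d/tlsonly.pem")"
```

Run it against the real certificate a partner sent you, with a CA bundle containing their issuing chain, before switching a trading partner from Normal to Strict; a certificate that only reaches Normal here will cause every transmission to that partner to be reported as failed under Strict even though the data was delivered.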
You can configure additional HTTP headers for AS2 transmissions to the trading partner. This is useful when your trading partner applies additional HTTP protection to their AS2 service that requires the use of custom headers to approve the transmission. You should only use this setting if your trading partner requires it.
You can specify the MIME type of the AS2 transmissions to the trading partner. By default, Files.com will attempt to infer the MIME type automatically and use that for the transmission. If the MIME type cannot be inferred, a type of application/octet-stream will be used. Configure this setting if your trading partner requires you to define a specific MIME type for your transmissions to them.
Select your preference for the Dedicated IPs setting for this trading partner. The option for specifying the use of Dedicated IPs will only appear if your site is configured to allow that option. Dedicated IPs are only available when a Custom Domain has been configured. We recommend using Dedicated IPs when your trading partner's firewall only allows connections from specified IP addresses.