AS2


Files.com has implemented the AS2 data transmission protocol, allowing you to implement secure Business-to-Business (B2B) file transfers with your trading partners that mandate the use of AS2, which provides superior security, integrity and non-repudiation of transmissions.

About AS2

AS2 (Applicability Statement 2) is a specification describing how to transport structured business-to-business data securely and reliably over the Internet. Security is achieved by using digital certificates and encryption.

AS2 uses the HTTP(S) protocol to transmit data and the S/MIME standard to encrypt and sign the payload. The payload is sometimes referred to as the "message" or "document".

AS2 is a peer-to-peer (P2P) protocol where both sides of the connection need to agree to the connection and provide each other with the required information for successful data transmission. These connections are sometimes referred to as "AS2 partnerships".

As AS2 was designed for business-to-business transactions, such as Purchase Orders, Invoices, and Shipment Statuses, the two businesses at either end of the AS2 connection are referred to as trading partners.

About Message Disposition Notification (MDN)

Message Disposition Notification (MDN) is a digital receipt, returned by the receiver of the AS2 payload (message), to provide confirmation of delivery to the sender.

The Message Disposition Notification (MDN), when digitally signed, also provides non-repudiation.

The MDN can be used to return a successful delivery notification or a failure outcome. A "failed" MDN will usually contain details about why the delivery failed.

Despite being an optional component of AS2, the use of MDNs is widely adopted, and often mandated, due to their use in resolving disputes between trading partners.

How AS2 works

Prior to use, AS2 requires the following:

  • A delivery URL for the sender.
  • A delivery URL for the receiver.
  • An "AS2 Identity" for the sender.
  • An "AS2 Identity" for the receiver.
  • An encryption and signing certificate and key for the sender.
  • An encryption and signing certificate and key for the receiver.

You and your trading partner will provide each other with:

  • The AS2 delivery URL, sometimes referred to as "endpoint URL", of your AS2 server or software.
  • The AS2 Identities that you agree to use for the connection. These are sometimes referred to as "AS2 name", "AS2 code", "AS2 station", or "AS2 To and From".
  • The public portion of the encryption and signing certificate being used.

The AS2 server, or software, at each end of the connection will provide an "inbox" and an "outbox" folder for each AS2 partnership.

Generally speaking, AS2 performs the following steps:

The sending AS2 server:

  • Collects the file from the local "outbox" folder that corresponds to the remote trading partner
  • Digitally signs the file using your signing certificate and key
  • Encrypts the file using the remote trading partner’s public encryption certificate
  • Sends the file, using HTTP(S), to the trading partner’s AS2 URL, and specifies:
    • the recipient (AS2-TO) by using the trading partner’s AS2 Identity
    • the sender (AS2-FROM) by using your AS2 Identity

The receiving AS2 server:

  • Receives the file, using HTTP(S)
  • Checks that the recipient (AS2-TO) is valid and matches the trading partner’s AS2 Identity
  • Checks that the sender (AS2-FROM) is valid and matches your AS2 Identity
  • Decrypts the file using the trading partner’s private certificate and key
  • Verifies the digital signature using your public certificate
  • If all of the above checks, decryption, and signature validation are successful, then the file is placed into the "inbox" folder that corresponds to you
  • Generates a Message Disposition Notification (MDN) containing the outcome, "success" or "failure", of the delivery
  • Digitally signs the MDN using the trading partner’s certificate and key
  • Returns the signed MDN, using the HTTP(S) response

The sending AS2 server:

  • Receives the HTTP(S) response
  • Verifies the MDN’s digital signature using the trading partner’s public certificate
  • Marks the delivery as a "success" only if the MDN is valid and specifies a "success" outcome from the trading partner

There are many permutations of AS2 usage and configuration and, ultimately, the configuration you use will be decided between yourself and your trading partner.
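The exchange described above, carried out end to end with openssl's S/MIME commands, as an added example that is not Files.com's own code. The identities ME and THEM, their certificate subjects, the payload, the simplified MDN text and the working directory are all constructed for the demonstration, and the HTTP(S) transport that would carry the message and its response is left out.

```shell
#!/bin/sh
# Added example, not Files.com's code: the sign, encrypt, decrypt, verify and
# MDN steps from "How AS2 works", driven with openssl's S/MIME commands.
# Identities ME/THEM, subjects, payload and MDN text are constructed; the
# HTTP(S) transport that would carry the message and response is left out.
set -eu

WORK="${AS2_DEMO_DIR:-$(mktemp -d)}"

# Self-signed certificate and key for one AS2 Identity ($1): the page's
# "openssl req" command with a fixed -subj (non-interactive) and an explicit
# keyUsage so the certificate passes openssl's S/MIME purpose checks.
as2_make_identity() {
  openssl req -x509 -days 365 -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key.pem" -out "$WORK/$1.cert.pem" \
    -subj "/C=US/O=Constructed $1 Inc/CN=$1.example.invalid" \
    -addext "keyUsage=digitalSignature,keyEncipherment,keyCertSign" \
    >/dev/null 2>&1
}

# Sender: sign the payload with its own key (SHA-256), then encrypt the signed
# object for the partner's public certificate (aes-256-cbc).
# $1=AS2-From, $2=AS2-To, $3=payload file, $4=wire message to produce.
as2_send() {
  openssl smime -sign -binary -nodetach -md sha256 -in "$3" -out "$4.signed" \
    -signer "$WORK/$1.cert.pem" -inkey "$WORK/$1.key.pem" || return 1
  openssl smime -encrypt -binary -aes256 -in "$4.signed" -out "$4" \
    "$WORK/$2.cert.pem" || return 1
  rm -f "$4.signed"
}

# Receiver: check AS2-To/AS2-From against the configured partnership, decrypt
# with its own key, verify the signature with the sender's certificate, and
# only then write the payload into the inbox. $1=own Identity, $2=partner
# Identity, $3=AS2-To seen, $4=AS2-From seen, $5=wire message, $6=inbox file.
as2_receive() {
  [ "$3" = "$1" ] || { echo "reject: AS2-To '$3' is not '$1'" >&2; return 1; }
  [ "$4" = "$2" ] || { echo "reject: AS2-From '$4' is not '$2'" >&2; return 1; }
  openssl smime -decrypt -binary -in "$5" -out "$6.signed" \
    -recip "$WORK/$1.cert.pem" -inkey "$WORK/$1.key.pem" 2>/dev/null \
    || { rm -f "$6.signed"; return 1; }
  openssl smime -verify -binary -in "$6.signed" -out "$6" \
    -CAfile "$WORK/$2.cert.pem" >/dev/null 2>&1 || { rm -f "$6.signed"; return 1; }
  rm -f "$6.signed"
}

# Receiver: build a simplified (constructed) Message Disposition Notification
# carrying the outcome and sign it with its own key using SHA-256.
# $1=receiver Identity, $2=outcome ("processed" or "failed"), $3=MDN file.
as2_make_mdn() {
  printf 'Final-Recipient: rfc822; %s\nDisposition: automatic-action/MDN-sent-automatically; %s\n' \
    "$1" "$2" > "$3.txt"
  openssl smime -sign -binary -nodetach -md sha256 -in "$3.txt" -out "$3" \
    -signer "$WORK/$1.cert.pem" -inkey "$WORK/$1.key.pem" || return 1
  rm -f "$3.txt"
}

# Sender: the delivery counts as a success only if the MDN signature verifies
# with the partner's certificate ($1) and the disposition says "processed".
as2_mdn_is_success() {
  openssl smime -verify -binary -in "$2" -out "$2.txt" \
    -CAfile "$WORK/$1.cert.pem" >/dev/null 2>&1 || return 1
  grep -q '^Disposition: .*; processed' "$2.txt"
}

# One complete exchange: ME sends a purchase order to THEM and gets a signed MDN.
as2_demo() {
  as2_make_identity ME && as2_make_identity THEM || return 1
  printf 'ISA*00*constructed purchase order payload\n' > "$WORK/po.edi"
  as2_send ME THEM "$WORK/po.edi" "$WORK/wire.msg" || return 1
  as2_receive THEM ME THEM ME "$WORK/wire.msg" "$WORK/inbox.edi" || return 1
  cmp -s "$WORK/po.edi" "$WORK/inbox.edi" || return 1
  as2_make_mdn THEM processed "$WORK/mdn.msg" || return 1
  as2_mdn_is_success THEM "$WORK/mdn.msg"
}
```

Call as2_demo to run the whole round trip; a mismatched AS2-To, a message encrypted for a different Identity, or an MDN that does not report "processed" each make the corresponding function return non-zero, which is the behaviour the receiving and sending steps above describe.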

AS2 functionality at Files.com

The current implementation of AS2 at Files.com is designed to provide AS2 protocol data transfer, and Message Disposition Notification (MDN) digital receipts, with the minimum amount of configuration.

The current implementation meets the most common AS2 standards but is not Drummond Certified. Please contact us if you require Drummond Certification so that we can better understand your needs.

Data modification, such as EDI mapping or transformation, is not performed. Delivered data, upon successful encryption and decryption, will be identical to the sent data.

AS2 folders

Once you’ve configured AS2, a new top-level folder named as2_home will appear in your Files.com tenant account.

Within the as2_home folder will be a folder for each of your AS2 Identities and within each AS2 Identity folder will be a folder for each of your AS2 trading partners. For example, if your AS2 ID is ME and your trading partner’s AS2 ID is THEM then you’ll see the following folder structure:

/as2_home/ME/THEM/inbox
/as2_home/ME/THEM/outbox
/as2_home/ME/THEM/sent

Files sent to you via AS2 by your trading partner will appear in the inbox folder.

Files placed into the outbox folder will be sent via AS2 to your trading partner. Once a file has been successfully sent, it will be automatically moved from the outbox folder to the sent folder.

Limitations

To simplify configuration and provide an easy-to-use experience, certain configuration items are pre-configured or restricted to specific values.

When sending to Files.com, AS2 authentication is limited to Message Level Security. This means that only valid AS2-To and AS2-From headers are required to authenticate. Username and password based AS2 authentication is not supported.

When sending to Files.com, message encryption is always expected. Unencrypted AS2 messages will be rejected.

When sending to Files.com, message compression is not supported or required. Compressed AS2 messages will be rejected.

When replying to inbound transmissions, the Message Disposition Notification (MDN) will be signed using SHA-256.

When replying to inbound transmissions, asynchronous Message Disposition Notification (MDN) delivery is not supported. Please request synchronous receipt delivery in your AS2 configuration.

For outbound transmissions, the encryption cipher used is aes-256-cbc.

For outbound transmissions, the signing algorithm used is SHA-256.

The current file size limit for AS2 messages is 25MB.

Our AS2 implementation is currently not Drummond Certified. Please let us know if you require this certification in order to use AS2.

How to configure AS2

AS2 requires that you and your trading partner agree on identifiers for your communication. These are sometimes referred to as "AS2 Identity", "AS2 name", "AS2 code", "AS2 station", or "AS2 To and AS2 From" identifiers.

You will need your own x509 Certificate and Key for decryption and digital signing. These will be used to:

  • decrypt data sent to you by your trading partner.
  • digitally sign any data sent by you to your trading partner.

You will provide the public x509 Certificate to your trading partner.

You will need your trading partner’s public x509 Certificate for encryption. This is used to:

  • encrypt data you send to your trading partner.
  • validate the digital signature of data sent to you by your trading partner.

Your trading partner should provide this to you.

You will need the AS2 URL of your trading partner, sometimes referred to as the "endpoint URL". This is used to:

  • connect to your trading partner’s AS2 system and deliver data.

Your trading partner should provide this to you.

Configuring your AS2 Identity

Navigate to Settings > Integrations > Transfer Protocols and scroll to the My AS2 identities section. Click the Add new AS2 identity button.

Enter your AS2 Identity, paste your public Certificate and private Key, and click the Save button.

Your public Certificate and private Key should be in PEM or CRT format.

Your public Certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

Your private Key should begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY----- or begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.

You can use fully valid and chained Certificates and Keys, or use self-signed Certificates and Keys.

You can create as many AS2 Identities as you require. Most organizations have a single AS2 Identity but some require multiple identities in order to represent, and route data to, subsidiaries or business units.

Generating your Encryption and Signing Certificates

Fully valid and chained Certificates and Keys will be provided to you by your IT department or by your SSL Certificate provider. You, or your IT department, can also generate your own self-signed Certificates and Keys.

To generate self-signed Certificates and Keys, use the openssl command:

openssl req -x509 -days 365 -newkey rsa:2048 -keyout key.pem -out certificate.pem -nodes

Bear in mind that this Certificate will be viewed and used by your trading partners to identify you and your business details so it should contain accurate information.

When prompted by openssl, enter the following information:

  • for Country Name, enter the 2 letter code for the country. For example, "US".
  • for State or Province Name, enter the full name of the State or Province. For example, "California".
  • for Locality Name, enter the full name of the city, town, village, or locality. For example, "San Francisco".
  • for Organization Name, enter the full name of your business or company. For example, "Files.com".
  • for Organizational Unit Name, enter the full name of your department, division, or team. For example, "Partner Relations".
  • for Common Name, enter the fully qualified domain name of your AS2 URL, or the fully qualified domain name of your business, that this certificate will represent. For example, "mysite.files.com" or "mydept.mycompany.com".
  • for Email Address, enter a valid email address for your trading partners to use to contact you in case of any problems or questions about this certificate.

Configuring trading partners

Navigate to Settings > Integrations > Transfer Protocols and scroll to the My AS2 trading partners section. Click the Add new AS2 trading partner button.

Enter the trading partner’s AS2 URL, as provided to you by your trading partner. The URL can include the trading partner’s Fully Qualified Domain Name (FQDN) or IP address, the port number (if a non-standard port is being used), and a subdirectory path.

Enter the trading partner’s AS2 Identity, as agreed upon between you and your trading partner.

Paste in the trading partner’s public encryption Certificate. The public Certificate should be in PEM or CRT format.

The public Certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

You can use fully valid and chained public encryption Certificates, or use self-signed public encryption Certificates. Your trading partner should supply you with this certificate.

Choose the Server certificate option that corresponds to the security level of the trading partner’s AS2 URL.

  • If your trading partner’s AS2 URL is protected by a valid and chained SSL Certificate then choose the "Require valid, chained, trusted, matching TLS/SSL certificate (Recommended)" option.
  • If your trading partner’s AS2 URL uses a self-signed, unchained, expired, or non-matching SSL Certificate then choose the "Allow self-signed, unchained, expired, or non-matching TLS/SSL certificate" option.

Select which of your AS2 Identities you wish to use with this trading partner.

Click the Save button.

Viewing transmission information

Details of incoming and outgoing AS2 transmissions can be found by navigating to Settings > Logs > AS2.

The upper table displays AS2 incoming messages and the lower table displays AS2 outgoing messages.

Each table’s results can be filtered by using the Filter button above the table.

Each table can be configured to specify which columns are displayed by using the Columns button above the table.

  • Date/Time: shows the date and time of the transmission.
  • Status: shows the outcome of the transmission.
  • File Size: shows the size of the transmitted file.
  • File Name: shows the name of the transmitted file, if available.
  • Sender ID: shows the AS2 Identifier of the sender.
  • Receiver ID: shows the AS2 Identifier of the receiver.
  • File Contents: provides a link to open and view the file contents, if available.
  • MDN Exists: specifies if a Message Disposition Notification is available for this transmission.
  • AS2 Processing: provides information about the outcomes of the various AS2 processing steps that were performed.
  • MDN Contents: provides a link to open and view the Message Disposition Notification, if available.
  • Transmission Duration: shows the estimated duration of the transmission, if available.

Viewing Message Disposition Notifications (MDNs)

To view Message Disposition Notifications, navigate to Settings > Logs > AS2 and click the link in the MDN Contents column of either table.

The incoming messages table will show MDNs that were generated by Files.com in response to inbound AS2 transmissions from your trading partners.

The outgoing messages table will show MDNs that were generated by your trading partners in response to outbound AS2 transmissions from Files.com.

The MDN Exists column will specify if a Message Disposition Notification is available for that transmission.

Troubleshooting

Most issues occur during the initial setup of an AS2 connection. These issues include:

  • Problems setting up your AS2 Identity.
  • Problems setting up a trading partner.
  • Trading partner having problems sending to me.
  • Problems sending to a trading partner.

Some issues can occur when a previously working connection no longer works. These issues can include:

  • Transmissions from my trading partner have stopped working.
  • Transmissions to my trading partner have stopped working.

Problems setting up your AS2 Identity

If you are having problems setting up your AS2 Identity then the issue could be caused by:

  • AS2 Identity, or Name, is not accepted.
    • Make sure you enter a unique Identity, or Name. Check that you haven’t already used the Identity, or Name.
  • My encryption/signing public certificate is not accepted.
    • Make sure that the certificate is in PEM or CRT format.
    • Make sure that the certificate is not expired or revoked.
    • Make sure that the public certificate corresponds to the private key that you entered.
  • My encryption/signing private key is not accepted.
    • Make sure that the key is in PEM or CRT format.
    • Make sure that the key is not expired or revoked.
    • Make sure that the private key corresponds to the public certificate that you entered.
    • Make sure that the private key is not password protected or encrypted. To see if a private key is protected, open the PEM or CRT file in a text editor and look at the first line. If it says -----BEGIN ENCRYPTED PRIVATE KEY----- then the key is password protected or encrypted and cannot be imported.

Problems setting up a trading partner

If you are having problems configuring a trading partner then the issue could be caused by:

  • Trading partner public certificate is not accepted.
    • Make sure that the certificate is in PEM or CRT format.
    • Make sure that the certificate is not expired or revoked.

Trading partner having problems sending to me

There are several issues that could cause incoming AS2 transmissions from your trading partners to fail:

  • Incorrect URL being used.
    • Make sure your trading partner is sending the AS2 transmission to the correct endpoint URL. Your AS2 endpoint URL is shown in the Settings > Integrations > Transfer Protocols page, within the AS2 section.
  • Incorrect AS2 trading partner Identity being used.
    • The trading partner is specifying an AS2 Identity that does not match your configuration.
    • Make sure that the AS2 Identity that the trading partner is trying to use matches exactly the AS2 Identity that you specified for them in the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section.
    • This is also known as the "AS2-From" header setting.
  • Incorrect AS2 Identity being used.
    • The trading partner has not specified your correct AS2 Identity.
    • Make sure that the AS2 Identity being used by the trading partner to identify you matches exactly your AS2 Identity.
    • Your AS2 Identity is specified in the Settings > Integrations > Transfer Protocols page, within the My AS2 identities section.
    • If you have multiple AS2 Identities, then make sure that your trading partner is using the correct one. In the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section, check the entry for the trading partner and confirm that the AS2 Identity shown in the My AS2 Name/Identity column matches what your trading partner is using.
    • This is also known as the "AS2-To" header setting.
  • Trading partner is using an incorrect encryption certificate.
    • The trading partner should be using your public certificate to encrypt AS2 transmissions to you. Make sure that the certificate they are using is exactly the same one as you imported in the Settings > Integrations > Transfer Protocols page, within the My AS2 identities section.
    • If you have multiple AS2 Identities, make sure that the trading partner is using the correct corresponding certificate.
    • Resend the trading partner your correct public encryption certificate and verify that they are using it for AS2 transmissions to you.
  • You are using an incorrect trading partner signing certificate.
    • The trading partner will be using their private certificate and key to sign AS2 transmissions to you. You will have received the corresponding public certificate from your trading partner. Make sure that the trading partner public certificate that you are using in the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section, matches the public certificate that they provided you with.
    • Check with the trading partner that the public certificate that they sent you corresponds to the private certificate that they are using to sign their AS2 transmissions to you.

Problems sending to a trading partner

There are several issues that could cause outgoing AS2 transmissions to your trading partners to fail:

  • Incorrect URL being used.
    • Make sure you are sending the AS2 transmission to the correct endpoint URL for your trading partner. Their AS2 endpoint URL is shown in the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section.
    • Check with your trading partner that the endpoint URL is correct and not being blocked by firewall rules.
  • Invalid, expired, or untrusted SSL certificate is being used at the AS2 URL.
    • SSL certificates should be valid, chained and trusted. Use an online SSL Certificate checker, such as SSL Shopper, to check the trading partner’s AS2 URL and make sure that the SSL certificate being used is valid.
    • If an invalid, unchained, or self-signed SSL certificate is being used by the trading partner, you can configure Files.com to allow this less secure connection: navigate to the Settings > Integrations > Transfer Protocols page, scroll to the AS2 trading partners section, edit the trading partner entry, and change the Server certificate option to "Allow self-signed, unchained, expired, or non-matching TLS/SSL certificate".
  • Incorrect AS2 trading partner Identity being used.
    • You have specified an AS2 Identity that does not match your trading partner’s configuration.
    • Make sure that the AS2 Identity that you are trying to use matches exactly the AS2 Identity that they provided you with. The trading partner’s AS2 Identity is configured in the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section.
    • This is also known as the "AS2-To" header setting.
  • Incorrect AS2 Identity being used.
    • You are not using your correct AS2 Identity.
    • Make sure that the AS2 Identity that you are using with the trading partner matches exactly the AS2 Identity that you provided to them.
    • Your AS2 Identity is specified in the Settings > Integrations > Transfer Protocols page, within the My AS2 identities section.
    • If you have multiple AS2 Identities, then make sure that you are using the correct one. In the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section, check the entry for the trading partner and confirm that the AS2 Identity shown in the My AS2 Name/Identity column matches what you are using.
    • This is also known as the "AS2-From" header setting.
  • You are using an incorrect partner encryption certificate.
    • You should be using your trading partner’s public certificate to encrypt AS2 transmissions to them. Make sure that the certificate you imported in the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section, for the trading partner is the correct one.
    • The trading partner will have provided you with this certificate. Check with them that you have the correct one.
  • The trading partner is using an incorrect public certificate.
    • The trading partner should be using your public certificate to verify the digital signature of your AS2 transmissions to them. You will have provided them with a public certificate that corresponds to your private certificate. Make sure that the public certificate that you sent to the trading partner is the same one as the one you used in the Settings > Integrations > Transfer Protocols page, within the My AS2 identities section.
    • If you have multiple AS2 Identities, then make sure you sent the trading partner the correct public certificate that corresponds to the AS2 Identity that you are using with them.

Transmissions from my trading partner have stopped working

If a previously working inbound transmission stops working then the cause could be:

  • The trading partner has changed something on their side.
    • Contact the trading partner and find out what they changed.
    • If they renewed, updated, or changed their AS2 certificates then ask them to send you their new public certificate. Re-import the new public certificate into the trading partner configuration on the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section.
  • You renewed, updated, or changed your AS2 certificates.
    • Make sure that you sent your trading partner your new public certificate.
    • Contact the trading partner and verify that they are using your new public certificate for AS2 transmissions.

Transmissions to my trading partner have stopped working

If a previously working outbound transmission stops working then the cause could be:

  • The SSL certificate on the trading partner’s AS2 endpoint URL has expired or is no longer valid.
    • Contact the trading partner and ask them to renew the SSL certificate on their AS2 endpoint URL. Use an online SSL Certificate checker, such as SSL Shopper, to check the trading partner’s AS2 URL and make sure that the SSL certificate being used is valid.
    • If an invalid, unchained, or self-signed SSL certificate is being used by the trading partner, you can configure Files.com to allow this less secure connection: navigate to the Settings > Integrations > Transfer Protocols page, scroll to the AS2 trading partners section, edit the trading partner entry, and change the Server certificate option to "Allow self-signed, unchained, expired, or non-matching TLS/SSL certificate".
  • The trading partner has changed something on their side.
    • Contact the trading partner and find out what they changed.
    • If they renewed, updated, or changed their AS2 certificates then ask them to send you their new public certificate. Re-import the new public certificate into the trading partner configuration on the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section.
    • If they changed their AS2 endpoint URL then update the trading partner configuration on the Settings > Integrations > Transfer Protocols page, within the AS2 trading partners section.
  • You renewed, updated, or changed your AS2 certificates.
    • Make sure that you sent your trading partner your new public certificate.
    • Contact the trading partner and verify that they are using your new public certificate for AS2 transmissions.

Converting certificate types

Files.com supports PEM and CRT encoded certificates and keys.

You can use openssl to create and convert certificates and keys.

There are also various online guides and tutorials available describing how to convert certificates from one type to another.
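The checks from the troubleshooting list for your AS2 Identity (does the private key belong to the certificate, is the key password protected, has the certificate expired) together with the DER-to-PEM conversion this section refers to, as an added openssl example that is not Files.com's own code. The files that as2_demo_material generates (a key pair, an unrelated key, a password-protected copy and a DER copy) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Files.com's code: openssl pre-flight checks for the
# certificate and key problems listed under "Problems setting up your AS2
# Identity", plus the DER-to-PEM conversion this section refers to.
# The files made by as2_demo_material (key pair, unrelated key, password-
# protected copy, DER copy) are constructed for the demonstration.
set -eu

# True if the key's first line marks a password-protected key, which the
# AS2 Identity form cannot import.
as2_key_is_encrypted() {
  head -n 1 "$1" | grep -q 'BEGIN ENCRYPTED PRIVATE KEY'
}

# True if the private key ($2) belongs to the certificate ($1): the public key
# embedded in the certificate must equal the one derived from the key.
as2_key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if the certificate ($1) is still valid $2 seconds from now; use 0 to
# test for "not expired", or a larger window to get warned before partners do.
as2_cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Rewrite a binary DER certificate ($1) as PEM ($2), so that it starts with
# -----BEGIN CERTIFICATE----- as the AS2 forms expect.
as2_der_to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2"
}

# Constructed demo material in directory $1: a matching key and 365-day
# self-signed certificate, an unrelated key, a password-protected copy of the
# key (what the troubleshooting list says cannot be imported), and a DER copy.
as2_demo_material() {
  openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -out "$1/cert.pem" -subj "/C=US/O=Constructed Inc/CN=me.example.invalid" \
    >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.key.pem" >/dev/null 2>&1
  openssl pkcs8 -topk8 -in "$1/key.pem" -out "$1/locked.key.pem" -passout pass:demo
  openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
}
```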

©2022 Files.com. All rights reserved