AS2
AS2 requirements
There is certain base-level information that you will always need to exchange with
your partner prior to setting up an AS2 connection:
The rest of the information you need to exchange with your partner depends on the scenario(s) you want to support, and your partner’s requirements. The following scenarios help you understand how AS2 works and how you can use it to exchange transactions with your trading partners.
In this scenario, Stedi uses your partner’s public encryption certificate and specified encryption algorithm to encrypt the message. Stedi then sends the encrypted message to your partner’s server over HTTP, and your partner uses their private key to decrypt the message.
In this scenario, Stedi will use your partner’s public encryption certificate (if provided) and specified encryption algorithm to encrypt the message payload according to the AS2 protocol. Stedi then sends the encrypted payload to your partner’s server over HTTPS (which includes a layer of encryption). Your partner will decrypt the HTTPS request and the AS2 payload using private keys.
In this scenario, your partner uses your public encryption certificate and specified encryption algorithm to encrypt the message payload. Your partner then sends the encrypted payload to Stedi’s server over HTTP, and Stedi uses your private key to decrypt the payload.
For sending AS2 messages:
For receiving AS2 messages:
| Item | Usage |
|---|---|
| Your partner’s AS2 ID | Required |
| Your AS2 ID | Required |
| Your partner’s AS2 server URL | Required if sending AS2 messages |
| Your AS2 server URL | Required if receiving AS2 messages |
Send AS2 messages to a partner
For outbound AS2 messages, the configuration requirements differ depending on several factors:- Whether your partner’s server uses HTTP or HTTPS
- Whether your partner requires you to sign your messages
- Whether your partner requires you to accept an MDN response
Using HTTP without encryption
If your partner’s server URL starts withhttp://, Stedi will send messages to your partner using standard HTTP. Since HTTP does not support encryption natively, Stedi must encrypt your messages according to the AS2 protocol before sending them to your partner.
The following table shows the configuration information you need to send AS2 messages to a partner over HTTP.
| Item | Usage | Comments |
|---|---|---|
| Your partner’s public encryption certificate | Required | |
| Your partner’s encryption algorithm | Required | Must be AES128_CBC, AES192_CBC, or AES256_CBC |
| Your partner’s certificate chain | Optional | Required if your partner certificate was issued by a third-party Certificate Authority (CA) |
| Your public encryption certificate | Not used | |
| Your private encryption key | Not used |
Using HTTPS without signing
If your partner’s server URL starts withhttps://, Stedi will send messages to your partner using HTTPS. Data transferred over HTTPS is natively encrypted, but some partners may also require you to encrypt the payload using AS2.
The following table shows the information you need to send AS2 messages to a partner over HTTP.
| Item | Usage | Comments |
|---|---|---|
| Your partner’s public encryption certificate | Optional | |
| Your partner’s encryption algorithm | Optional | If used, must be AES128_CBC, AES192_CBC, or AES256_CBC |
| Your partner’s certificate chain | Optional | Required if your partner certificate was issued by a third-party Certificate Authority (CA) |
| Your public encryption certificate | Not used | |
| Your private encryption key | Not used |
Using HTTP or HTTPS with signing
Certain trading partners may also require you to sign your messages. Message signing allow partners to verify that your message is authentic and has not been tampered with. This is done by generating a public-private key pair and then sharing your public key with your partner. Your partner will then use your public key to verify that the message was sent by you. Stedi will automatically sign your messages if you upload a signing certificate to your local profile. Additional configuration:| Item | Usage | Comments |
|---|---|---|
| Your public signing certificate | Required | |
| Your private signing key | Required | |
| Your certificate chain | Optional | Required if your certificate was issued by a third-party Certificate Authority (CA) |
| Your partner’s public certificate | Not used |
With an MDN response requested
Some partners may require that you request and accept an MDN response. If your partner signs their MDNs, you will need to import your partner’s public signing certificate into Stedi to verify the MDN. MDNs can be sent synchronously or asynchronously. For outbound messages, Stedi only supports accepting synchronous MDNs, so you need to tell your partner to send synchronous MDNs if they wish to send an MDN response. Additional configuration:| Item | Usage | Comments |
|---|---|---|
| Your partner’s public signing certificate | Optional | Required if your partner signs MDNs |
| Your partner’s certificate chain | Optional | Required if your partner certificate was issued by a third-party Certificate Authority (CA) |
| Your partner’s MDN signing algorithm | Required | Can be None, SHA1, SHA256, SHA384, or SHA512 |
Receive AS2 messages from a partner
Receiving AS2 messages from a partner is similar to sending messages to a partner, but the process is reversed. In this case, your partner sends messages to Stedi’s AS2 server, and you must provide them with the connection information. Stedi’s AS2 servers use HTTP, and therefore require that your partner encrypts their messages according to the AS2 protocol. The following table shows the information needed for setting up an inbound AS2 connection.| Item | Usage | Comments | Exchange with partner |
|---|---|---|---|
| Your public encryption certificate | Required | Must be 2048-bit or 4096-bit RSA | Yes |
| Your private encryption key | Required | Must be 2048-bit or 4096-bit RSA | No |
| Your certificate chain | Optional | Required if your certificate was issued by a third-party Certificate Authority (CA) | Yes |
| Your encryption algorithm | Required | AES128_CBC, AES192_CBC, AES256_CBC, 3DES | Yes |
| Your AS2 server URL | Required | Yes |
With signing
Certain trading partners may also require that you verify the authenticity and integrity of their messages using their signature. Your partner will generate a public-private key pair and then share their public key with you. When you upload this key to Stedi, Stedi uses it to verify that your partner was the party that sent the message. Additional configuration:| Item | Usage | Comments |
|---|---|---|
| Your partner’s public signing certificate | Required | |
| Your partner’s certificate chain | Optional | Required if your partner certificate was issued by a third-party Certificate Authority (CA) |
With an MDN response returned
Your partner may request that you send an MDN response acknowledging that you have received their message. Stedi automatically sends MDNs when requested in an inbound message and delivers them either asynchronously or synchronously, depending on the specified parameters in your partner’s request. Your trading partner’s requests may specify that MDN responses should be signed. If a signed MDN is requested and you have imported your public and private signing keys, Stedi signs the MDN using the algorithm specified in the request. If you have not imported your signing keys, Stedi returns an unsigned MDN, as per RFC 4130 section 7.3.1. Additional configuration:| Item | Usage | Comments |
|---|---|---|
| Your public signing certificate | Optional | |
| Your private signing key | Optional | |
| Your certificate chain | Optional | Required if your certificate was issued by a third-party Certificate Authority (CA) |
Summary of required configuration
The following tables summarize the required configuration based on different scenarios. For all AS2 connections:| Item | Usage | Source |
|---|---|---|
| Your partner’s AS2 ID | Always required | Provided by partner |
| Your AS2 ID | Always required | Self-assigned |
| Item | Usage | Source |
|---|---|---|
| Your partner’s AS2 server URL | Required | Provided by partner |
| Your partner’s public encryption certificate | Required if using HTTP, optional if using HTTPS | Provided by partner |
| Your partner’s encryption algorithm | Required if using HTTP, conditionally required if using HTTPS + AS2 encryption | Provided by partner |
| Your partner’s certificate chain | Conditionally required if your partner certificate was issued by a third-party CA | Provided by partner |
| Your partner’s public signing certificate | Required if MDNs will be returned | Provided by partner |
| Your partner’s certificate chain | Conditionally required if your partner certificate was issued by a third-party CA | Provided by partner |
| Your public signing certificate | Optional if your partner requires signed messages | Self-generated or CA |
| Your private signing key | Optional if your partner requires signed messages | Self-generated |
| Your certificate chain | Conditionally required if your certificate was issued by a third-party CA | CA |
| Item | Usage | Source |
|---|---|---|
| Your AS2 server URL | Required | Core Settings page |
| Your public encryption certificate | Required | Self-generated or CA |
| Your private encryption key | Required | Self-generated |
| Your certificate chain | Conditionally required if your certificate was issued by a third-party Certificate Authority (CA) | CA |
| Your encryption algorithm | Required | Self-generated |
| Your public signing certificate | Optional if your partner requires signed MDNs | Self-generated or CA |
| Your private signing key | Optional if your partner requires signed MDNs | Self-generated |