AS2 (B2B) Quick and Easy setup using iSM.


What is AS2:

AS2 (Applicability Statement 2) is a popular and widely used protocol for securely exchanging data over the internet. It's especially important for businesses that need to transmit sensitive information like EDI (Electronic Data Interchange) documents, which are commonly used in supply chain management, healthcare, and finance.

Prerequisites:

  • A Java keystore (JKS or PKCS12) holding the private key, and a truststore holding the trusted certificates and public keys.
  • Create the following directories: c:\file\in, c:\file\out, C:\file\mdn_signed, c:\mycerts\server and c:\mycerts\client

Creating a Keystore and Truststore for Server and Client

  • Create the keystore and export the public certificate.
  • From a command prompt enter the following command:
    • Note: if %JAVA_HOME%\bin is not in your PATH you will have to change the current directory to %JAVA_HOME%\bin first.
    • keytool -genkey -alias serverkey -keyalg RSA -keystore c:\mycerts\server\serverk.jks -validity 3650
      • You will be prompted for the following information. Save your password, and press Return at the end so that the keystore and key passwords match. Not all fields are required. A sample session:
        • C:\Users\wzublion>keytool -genkey -alias serverkey -keyalg RSA -keystore c:\mycerts\server\serverk.jks -validity 3650
          Enter keystore password: password

          Re-enter new password: password

          What is your first and last name?
            [Unknown]:  localhost
          What is the name of your organizational unit?
            [Unknown]:  ibi.com
          What is the name of your organization?
            [Unknown]:  iway
          What is the name of your City or Locality?
            [Unknown]:
          What is the name of your State or Province?
            [Unknown]:
          What is the two-letter country code for this unit?
            [Unknown]:  US
          Is CN=localhost, OU=ibi.com, O=iway, L=Unknown, ST=Unknown, C=US correct?
            [no]:  Yes

          Enter key password for <serverkey>
                  (RETURN if same as keystore password):


          Warning:
          The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore c:\mycerts\server\serverk.jks -destkeystore c:\mycerts\server\serverk.jks -deststoretype pkcs12".
      • Note: iSM runs in a JVM, so there is no need to convert to PKCS12.

    • keytool -export -keystore c:\mycerts\server\serverk.jks -alias serverkey -file c:\mycerts\server\servercert.cer
    • keytool -genkey -alias clientkey -keyalg RSA -keystore c:\mycerts\client\clientk.jks -validity 3650
    • keytool -export -keystore c:\mycerts\client\clientk.jks -alias clientkey -file c:\mycerts\client\clientcert.cer
  • Create the truststores:
    • keytool -importcert -alias clientpub -file c:\mycerts\client\clientcert.cer -keystore c:\mycerts\server\servercacerts.jks
      • Note: The file servercacerts.jks is created when this command runs.
      • Use the same password you used to create the keystore for this exercise, i.e. password.
      • Agree to trust the certificate, i.e. answer Yes to "Trust this certificate?".
    • keytool -importcert -alias serverpub -file c:\mycerts\server\servercert.cer -keystore c:\mycerts\client\clientcacerts.jks
    • keytool -importcert -alias serverpub -file c:\mycerts\server\servercert.cer -keystore c:\mycerts\client\clientk.jks
  • The following files should now exist:
    • c:\mycerts\server\: serverk.jks, servercert.cer and servercacerts.jks
    • c:\mycerts\client\: clientk.jks, clientcert.cer and clientcacerts.jks
  • Congratulations, you now have a Keystore and Truststore for both the Server and Client side of the AS2 transaction.
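The same keystore and truststore procedure as a non-interactive script, added here as an example and not part of the original post. It assumes keytool from a JDK is on the PATH, reuses the post's sample paths, aliases and password ("password"), and passes -storetype JKS explicitly because newer JDKs default to PKCS12 while the provider is configured as Type: JKS.

```python
import shutil
import subprocess
from pathlib import Path

def keytool_available() -> bool:
    return shutil.which("keytool") is not None

def keytool_plan(base, password: str = "password") -> list:
    """argv lists reproducing the seven keytool commands above without prompts:
    -dname/-storepass/-keypass replace the question-and-answer session and
    -noprompt answers 'Trust this certificate?'. Paths under `base` mirror the post."""
    base = Path(base)
    srv, cli = base / "server", base / "client"
    def genkey(alias, store, cn):
        return ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-validity", "3650",
                "-keystore", str(store), "-storetype", "JKS", "-storepass", password,
                "-keypass", password, "-dname", f"CN={cn}, OU=ibi.com, O=iway, C=US"]
    def export(alias, store, cert):
        return ["keytool", "-exportcert", "-alias", alias, "-keystore", str(store),
                "-storepass", password, "-file", str(cert)]
    def trust(alias, cert, store):
        return ["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", str(cert),
                "-keystore", str(store), "-storetype", "JKS", "-storepass", password]
    return [
        genkey("serverkey", srv / "serverk.jks", "localhost"),
        export("serverkey", srv / "serverk.jks", srv / "servercert.cer"),
        genkey("clientkey", cli / "clientk.jks", "localhost"),
        export("clientkey", cli / "clientk.jks", cli / "clientcert.cer"),
        trust("clientpub", cli / "clientcert.cer", srv / "servercacerts.jks"),  # server trusts client
        trust("serverpub", srv / "servercert.cer", cli / "clientcacerts.jks"),  # client trusts server
        trust("serverpub", srv / "servercert.cer", cli / "clientk.jks"),        # also into clientk.jks, as in the post
    ]

def run_plan(base, password: str = "password") -> dict:
    """Create the directories, run each step, then `keytool -list` every store.
    Returns {store file name: sorted aliases} so the result can be checked."""
    base = Path(base)
    for sub in ("server", "client"):
        (base / sub).mkdir(parents=True, exist_ok=True)
    for argv in keytool_plan(base, password):
        subprocess.run(argv, check=True, capture_output=True)
    aliases = {}
    for store in sorted(base.glob("*/*.jks")):
        out = subprocess.run(["keytool", "-list", "-keystore", str(store), "-storepass", password],
                             check=True, capture_output=True, text=True).stdout
        # `keytool -list` prints one "alias, date, EntryType," line per entry
        aliases[store.name] = sorted(ln.split(",")[0] for ln in out.splitlines()
                                     if "PrivateKeyEntry" in ln or "trustedCertEntry" in ln)
    return aliases
```

Running `run_plan("c:/mycerts")` on Windows produces the six files listed above; the returned dictionary should show serverkey in serverk.jks, clientpub in servercacerts.jks, clientkey plus serverpub in clientk.jks and serverpub in clientcacerts.jks.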

 

Building an AS2 Server using iWay Integration Tools (iIT).

  1. Open iIT and create a new Application Project named AS2_Server_APP.
  2. Right-click the Templates folder and select New > Deployment Template.
  3. Enter Name: AS2_Template and click Finish.
  4. Right-click Security Providers > Add Template Component > select Keystore Provider.
  5. Rename the Keystore Provider ServerKey.
  6. Expand the Keystore section and enter the path to the serverk.jks file, i.e. C:\mycerts\server\serverk.jks.
  7. Enter Password and Type: JKS.
  8. Repeat steps 4 - 7, renaming the Keystore ServerTrust and using the Path: C:\mycerts\server\servercacerts.jks.
  9. Repeat steps 4 - 7 once again, replacing Server with Client and pointing to the corresponding Client files.
  10. Click Save (Ctrl+S).

 

Create an HTTP Client Provider

  1. Right-click Providers > Add Template Component > HTTP Client Provider.
  2. Save (Ctrl+S).

 

Create the AS2 Channel

  1. Right-click the Channel folder, select New > Channel, and name the channel AS2_Server_CH.
  2. Click Finish.
  3. Select the listener and click Change Type at the right of your screen.
  4. Select AS2 [nonblocking] and click Finish.
  5. On the right of the screen expand IP Properties and enter Port 8443 (if it is already in use, use another port). Use 443 if you want SSL/TLS. In this exercise we leave the Secure Connection parameter set to false.
  6. Expand the S/MIME section and set S/MIME Keystore Provider = ServerKey and S/MIME TrustStore Provider = ServerTrust.
  7. Under S/MIME Decryption Key Alias enter: serverkey
  8. Under S/MIME Decryption Key Password enter: password (or the password you used).
  9. Expand MDN (Receipt).
  10. Under MDN S/MIME Keystore Provider enter ServerKey, the name of our AS2 Server keystore provider.
  11. Under MDN S/MIME Signature Key Alias enter serverkey, the alias that points to the server's private key.
    • Note: Signing the MDN (Message Disposition Notification receipt) with the Server's private key is proof of transaction.
  12. Under MDN S/MIME Signature Key Password enter the password for the Server's private key.
  13. Save (Ctrl+S).
  14. The AS2 Listener is complete.

Creating the Process Flow (business process) 

  1. Under route:route.1 click flow:process.1.
  2. On the right side of the screen click the box with the green plus sign.
  3. Name the new Flow "Write_AS2_msg_PF" and click Finish.
  4. Double-click the flow or click the hyperlink to the flow on the right side of the screen.
  5. Drag a File object from the Palette / Connectors onto the line between the Start and End objects.
  6. Select Action: write a file.
  7. Expand Target and set Directory = c:\file\out and File Name = AS2msg_#.xml.
  8. Save (Ctrl+S) and Save All (Ctrl+Shift+S).
  9. The AS2 Server is now complete.

Configuring the AS2 Client

  1. Right-click the Channel folder, select New > Channel, and name the channel File_to_AS2_CH.
  2. Click the Template dropdown and select File: Read file(s) from a directory.
  3. Click Finish.
  4. Select the listener and expand Main.
  5. Enter Input Path: C:\file\in and Destination: C:\file\out.
  6. Save (Ctrl+S).
  7. Under route:route.1 click flow:process.1.
  8. On the right side of the screen click the box with the green plus sign.
  9. Name the new Flow "AS2_Send_msg_PF" and click Finish.
  10. Double-click the flow or click the hyperlink to the flow on the right side of the screen.
  11. Drag a Server Agent object from the Palette / Components onto the line between the Start and End objects.
  12. Select the Server Agent object in the flow workspace.
  13. Click the browse button |...| to the right of the dialog box, select AS2 Nonblocking Emit and click OK.
  14. Under Main enter the following:
    1. Destination: http://localhost:8443
    2. HTTP Client Provider: HttpClient.Provider.1
    3. Content-Type: application/XML
  15. Expand nas2.group.as2 and enter the following:
    1. AS2-From: Client
    2. AS2-To: Server
    3. Subject: Test
    4. Request Receipt: signed
    5. Receipt Destination: C:\file\mdn_signed\MDN_*.txt
    6. Use the defaults for the rest of the values.
  16. Expand S/MIME and enter the following values:
    1. Packaging: sign_encrypt
    2. Compression: none
    3. S/MIME Keystore Provider: ClientKey
    4. S/MIME TrustStore Provider: ClientTrust
    5. Recipient Public Key Alias: serverpub
    6. Signature Key Alias: clientkey
    7. Signature Key Password: password
  17. The AS2 Client is complete.
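As an added example that is not part of the original post, the following Python models what the Request Receipt: signed setting asks the Server for and what the Client should check in the MDN it writes to C:\file\mdn_signed before treating it as proof of transaction. Only the MIC and MDN bookkeeping is shown; the S/MIME signing and encryption of the payload and of the MDN are left to the AS2 stack, and the payload, Message-ID and return address are constructed sample values.

```python
import base64
import hashlib

AS2_FROM, AS2_TO = "Client", "Server"   # the AS2-From / AS2-To IDs configured in the Client flow

def content_mic(payload: bytes, micalg: str = "sha256") -> str:
    """Received-Content-MIC value: base64 of the digest over the content the
    sender signed (modelled here as the raw payload)."""
    return base64.b64encode(hashlib.new(micalg, payload).digest()).decode()

def build_request(payload: bytes, message_id: str) -> dict:
    """Headers the Client sends for 'Request Receipt: signed' (RFC 4130 names).
    The Disposition-Notification-To address is a constructed sample value."""
    return {
        "AS2-Version": "1.2", "AS2-From": AS2_FROM, "AS2-To": AS2_TO,
        "Subject": "Test", "Message-ID": message_id,
        "Content-Type": "application/XML", "Content-Length": str(len(payload)),
        "Disposition-Notification-To": "as2@client.example",
        "Disposition-Notification-Options": "signed-receipt-protocol=required, "
            "pkcs7-signature; signed-receipt-micalg=required, sha256",
    }

def build_mdn(req: dict, payload: bytes) -> str:
    """Fields of the message/disposition-notification the Server returns in the
    HTTP response (synchronous MDN). The real MDN is additionally S/MIME-signed
    with serverkey, which is what makes it the Client's proof of transaction."""
    micalg = req["Disposition-Notification-Options"].split("micalg=required,")[1].strip()
    return "\r\n".join([
        "Reporting-UA: AS2 Server (added example)",
        f"Original-Recipient: rfc822; {req['AS2-To']}",
        f"Final-Recipient: rfc822; {req['AS2-To']}",
        f"Original-Message-ID: {req['Message-ID']}",
        "Disposition: automatic-action/MDN-sent-automatically; processed",
        f"Received-Content-MIC: {content_mic(payload, micalg)}, {micalg}",
    ])

def verify_mdn(mdn: str, sent_message_id: str, sent_payload: bytes) -> tuple:
    """Client-side checks: the receipt must be for our message, report a clean
    'processed', and carry a MIC matching the content we actually sent."""
    fields = dict(line.split(": ", 1) for line in mdn.split("\r\n"))
    if fields.get("Original-Message-ID") != sent_message_id:
        return False, "MDN is for a different message"
    disposition = fields.get("Disposition", "")
    if not disposition.endswith("; processed"):       # rejects processed/error and processed/warning
        return False, f"partner reported: {disposition}"
    mic, micalg = (s.strip() for s in fields["Received-Content-MIC"].split(","))
    if mic != content_mic(sent_payload, micalg):
        return False, "MIC mismatch: partner did not receive what we sent"
    return True, "ok"
```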

 

AS2 Processing in a nutshell:

The iWay AS2 Listener is a core component within the iWay Integration Tools (iIT) suite that enables secure and reliable data exchange using the AS2 protocol. It acts as a server-side endpoint, receiving AS2 messages from trading partners over HTTP or HTTPS.

Here's a breakdown of its key features and capabilities:

Core Functionality:

  • Receives AS2 messages: The listener is designed to accept incoming AS2 messages from partners, typically containing EDI documents or other business data.
  • Handles HTTP/HTTPS: It supports both HTTP and HTTPS, allowing for secure communication with encryption and certificate-based authentication.
  • Decryption: The listener can automatically decrypt incoming messages that have been encrypted using your organization's public key.
  • Signature Verification: It verifies the digital signature of incoming messages to ensure message integrity and authenticity, confirming that the message hasn't been tampered with and originated from the expected sender.
  • MDN Generation and Transmission: The listener automatically generates Message Disposition Notifications (MDNs) to acknowledge receipt of messages and sends them back to the trading partner. It supports different MDN options (synchronous/asynchronous, signed/unsigned).
  • Partner Management: iWay provides a "Partner Map" configuration where you can define AS2 settings for each of your trading partners, including their AS2 IDs, certificates, and MDN preferences.
  • Seamlessly integrates with iIT: The AS2 Listener is designed to work within iIT's process flows, allowing you to easily connect it to other processing steps.
  • Routing and Transformation: You can use iIT's routing components to direct incoming messages based on content, sender, or other criteria. You can also apply transformations to convert message formats as needed.
  • Backend Connectivity: The listener can be connected to various backend systems (databases, ERP, messaging systems) using iIT's adapters, enabling you to integrate received AS2 messages into your business processes.

Benefits:

  • Secure Communication: Leverages encryption and digital signatures to protect data confidentiality and integrity. 
  • Reliable Delivery: MDNs provide confirmation of message receipt and processing.  
  • Automation: Automates the receiving, processing, and acknowledgment of AS2 messages, reducing manual intervention.
  • Interoperability: Adheres to the AS2 standard, ensuring compatibility with other AS2-compliant systems.
  • Centralized Management: The listener's configuration and partner settings are managed within iIT, providing a centralized point of control.

AS2 has become a crucial protocol for secure data exchange in many industries. Its reliance on established security technologies and its efficiency make it a reliable choice for businesses needing to transmit sensitive information over the internet.

Note: The AS2 iIT project archive is attached to the article. The sample keys are located in the project's Resources directory.

NAS2_demo_rel_9.zip
