Walter Zublionis Posted October 10

What is AS2:

AS2 (Applicability Statement 2) is a widely used protocol for securely exchanging data over the internet. It is especially important for businesses that need to transmit sensitive information such as EDI (Electronic Data Interchange) documents, which are common in supply chain management, healthcare, and finance.

Prerequisites:

A Java formatted (JKS or PKCS12) Keystore (private key) and Truststore (trusted certificates and public keys).

Create the following directories: c:\file\in, c:\file\out, c:\file\mdn_signed, c:\mycerts\server and c:\mycerts\client

Creating a Keystore and Truststore for Server and Client

Create Keystore and export Public cert.

From a command prompt enter the following command. Note: if %JAVA_HOME%\bin is not in your PATH you will have to set the current directory to %JAVA_HOME%\bin. (Newer keytool releases call this command -genkeypair; -genkey is still accepted. JDK 8 and later generate 2048-bit RSA keys by default; on older releases add -keysize 2048.)

keytool -genkey -alias serverkey -keyalg RSA -keystore c:\mycerts\server\serverk.jks -validity 3650

You will be prompted for the following information. Save your password, and press Return at the last prompt so that the keystore and key passwords match. Not all fields are required. The values shown, including the password "password" and CN=localhost, are for this exercise only; in a real deployment the CN should identify your AS2 endpoint and the password should not be a dictionary word.

C:\Users\wzublion>keytool -genkey -alias serverkey -keyalg RSA -keystore c:\mycerts\server\serverk.jks -validity 3650
Enter keystore password: password
Re-enter new password: password
What is your first and last name?
  [Unknown]: localhost
What is the name of your organizational unit?
  [Unknown]: ibi.com
What is the name of your organization?
  [Unknown]: iway
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=localhost, OU=ibi.com, O=iway, L=Unknown, ST=Unknown, C=US correct?
  [no]: Yes
Enter key password for <serverkey>
  (RETURN if same as keystore password):

Warning: The JKS keystore uses a proprietary format.
It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore c:\mycerts\server\serverk.jks -destkeystore c:\mycerts\server\serverk.jks -deststoretype pkcs12".

iSM runs in a JVM and reads JKS directly, so there is no need to convert to PKCS12 for this exercise.

Export the server's public certificate:

keytool -export -keystore c:\mycerts\server\serverk.jks -alias serverkey -file c:\mycerts\server\servercert.cer

Repeat both steps for the client, generating its key pair and exporting its certificate:

keytool -genkey -alias clientkey -keyalg RSA -keystore c:\mycerts\client\clientk.jks -validity 3650
keytool -export -keystore c:\mycerts\client\clientk.jks -alias clientkey -file c:\mycerts\client\clientcert.cer

Create Truststore

keytool -importcert -alias clientpub -file c:\mycerts\client\clientcert.cer -keystore c:\mycerts\server\servercacerts.jks

Note: The file servercacerts.jks is created by this command. Use the same password used to create the keystore for this exercise, i.e. password. Answer Yes when asked "Trust this certificate?".

Importing a partner certificate into the truststore is what tells the listener whose signatures to accept, so outside this exercise compare the fingerprint keytool shows at that prompt (keytool -printcert -file <cert> prints the same fingerprints) with a fingerprint the partner gave you through a separate channel before answering Yes.

keytool -importcert -alias serverpub -file c:\mycerts\server\servercert.cer -keystore c:\mycerts\client\clientcacerts.jks
keytool -importcert -alias serverpub -file c:\mycerts\server\servercert.cer -keystore c:\mycerts\client\clientk.jks

The following files should have been created:

c:\mycerts\server\: serverk.jks, servercert.cer and servercacerts.jks
c:\mycerts\client\: clientk.jks, clientcert.cer and clientcacerts.jks

You can confirm the contents with keytool -list -v -keystore <file>; each keystore should hold one PrivateKeyEntry and each truststore one trustedCertEntry.

Congratulations, you now have a Keystore and Truststore for both the Server and Client side of the AS2 transaction.

Building an AS2 Server using iWay Integration Tools (iIT)

1. Open iIT and create a new Application Project named AS2_Server_APP.
2. Right+click the Templates folder and select New > Deployment Template.
3. Enter Name: AS2_Template and click Finish.
4. Right+click Security Providers > Add Template Component > select Keystore Provider.
5. Rename the Keystore Provider ServerKey.
6. Expand the Keystore section and enter the path to the serverk.jks file, i.e. C:\mycerts\server\serverk.jks
7. Enter the Password.
8. Set Type: JKS.
9. Repeat steps 4 - 8, naming the Keystore Provider ServerTrust and using the Path: C:\mycerts\server\servercacerts.jks
10. Repeat steps 4 - 8 once again, replacing Server with Client and pointing to the corresponding Client files.
11. Click Save (Ctrl+S).

Create an HTTP Client Provider

Right+click Providers > Add Template Component > HTTP Client Provider. Save (Ctrl+S).

Create the AS2 Channel

1. Right+click the Channel folder and select New > Channel, name the channel AS2_Server_CH and click Finish.
2. Select listener and click change type at the right of your screen. Select AS2 [nonblocking] and click Finish.
3. On the right of the screen expand IP Properties and enter Port 8443 (if it is already in use, use another port). Use 443 if you want to use SSL/TLS. In this exercise we leave the Secure Connection parameter equal to false, so the listener accepts plain HTTP: the S/MIME packaging configured below protects the payload, but the AS2 headers and the HTTP exchange itself are not encrypted. A listener exposed to partners over the internet should run with Secure Connection set to true.
4. Expand the S/MIME section and set S/MIME Keystore Provider = ServerKey and S/MIME TrustStore Provider = ServerTrust.
5. Under S/MIME Decryption Key Alias enter: serverkey
6. Under S/MIME Decryption Key Password enter: password (or the password you used).
7. Expand MDN (Receipt). Under MDN S/MIME Keystore Provider enter ServerKey, which is the name of our AS2 Server keystore provider.
8. Under MDN S/MIME Signature Key Alias enter serverkey, which is the alias that points to the server's private key.
   Note: Signing the MDN (Message Disposition Notification receipt) with the server's private key is the proof of transaction. It only proves anything if the sender verifies the receipt's signature against the server's certificate in its truststore and checks that the MIC in the receipt matches the message it sent.
9. Under MDN S/MIME Signature Key Password enter the password for the server's private key.
10. Save (Ctrl+S). The AS2 Listener is complete.

Creating the Process Flow (business process)

1. Under route:route.1 click flow:process.1.
2. On the right side of the screen click the box with the green plus sign.
3. Name the new Flow "Write_AS2_msg_PF" and click Finish.
4. Double click the flow, or click the hyperlink to the flow on the right side of the screen.
5. Drag a File object from the Palette / Connectors onto the line between the Start and End objects.
6. Select Action: write a file. Expand Target and set Directory = c:\file\out and File Name = AS2msg_#.xml
7. Save (Ctrl+S) and Save All (Ctrl+Shift+S).

The AS2 Server is now complete.

Configuring the AS2 Client

1. Right+click the Channel folder and select New > Channel, name the channel File_to_AS2_CH.
2. Click the Template dropdown and select File: Read file(s) from a directory. Click Finish.
3. Select listener, expand Main and enter Input Path = C:\file\in and Destination = C:\file\out. Save (Ctrl+S).
4. Under route:route.1 click flow:process.1. On the right side of the screen click the box with the green plus sign. Name the new Flow "AS2_Send_msg_PF" and click Finish.
5. Double click the flow, or click the hyperlink to the flow on the right side of the screen.
6. Drag a Server Agent object from the Palette / Components onto the line between the Start and End objects.
7. Select the Server Agent object in the flow workspace. Click the browse button |...| to the right of the dialog box, select AS2 Nonblocking Emit and click OK.
8. Under Main enter the following:
   Destination: http://localhost:8443
   HTTP Client Provider: HttpClient.Provider.1
   Content-Type: application/XML
9. Expand nas2.group.as2 and enter the following. Use the defaults for the rest of the values.
   AS2-From: Client
   AS2-To: Server
   Subject: Test
   Request Receipt: signed
   Receipt Destination: C:\file\mdn_signed\MDN_*.txt
10. Expand S/MIME and enter the following values.
   Packaging: sign_encrypt
   Compression: none
   S/MIME Keystore Provider: ClientKey
   S/MIME TrustStore Provider: ClientTrust
   Recipient Public Key Alias: serverpub
   Signature Key Alias: clientkey
   Signature Key Password: password

The AS2 Client is complete. With Packaging sign_encrypt the payload is signed with the client's private key (clientkey) and then encrypted to the server's certificate (serverpub); the listener decrypts it with serverkey and verifies the signature against clientpub in its truststore. Request Receipt: signed asks the server to sign the MDN, which is written to the Receipt Destination.

AS2 Processing in a nutshell:

The iWay AS2 Listener is a core component within the iWay Integration Tools (iIT) suite that enables secure and reliable data exchange using the AS2 protocol.
It acts as a server-side endpoint, receiving AS2 messages from trading partners over HTTP or HTTPS. Here is a breakdown of its key features and capabilities:

Core Functionality:

- Receives AS2 messages: The listener accepts incoming AS2 messages from partners, typically containing EDI documents or other business data.
- Handles HTTP/HTTPS: It supports both HTTP and HTTPS; HTTPS adds transport encryption and certificate-based authentication of the connection on top of the S/MIME protection of the payload.
- Decryption: The listener automatically decrypts incoming messages that the partner encrypted with your organization's public key, using the private key named by the S/MIME Decryption Key Alias.
- Signature Verification: It verifies the digital signature of incoming messages against the partner certificate in the truststore, confirming that the message has not been tampered with and originated from the expected sender.
- MDN Generation and Transmission: The listener automatically generates Message Disposition Notifications (MDNs) to acknowledge receipt of messages and sends them back to the trading partner. It supports different MDN options (synchronous/asynchronous, signed/unsigned).
- Partner Management: iWay provides a "Partner Map" configuration where you define AS2 settings for each trading partner, including their AS2 IDs, certificates, and MDN preferences.
- Seamlessly integrates with iIT: The AS2 Listener works within iIT's process flows, so you can connect it to other processing steps.
- Routing and Transformation: You can use iIT's routing components to direct incoming messages based on content, sender, or other criteria, and apply transformations to convert message formats as needed.
- Backend Connectivity: The listener can be connected to backend systems (databases, ERP, messaging systems) through iIT's adapters, integrating received AS2 messages into your business processes.

Benefits:

- Secure Communication: Leverages encryption and digital signatures to protect data confidentiality and integrity.
- Reliable Delivery: MDNs provide confirmation of message receipt and processing.
- Automation: Automates the receiving, processing, and acknowledgment of AS2 messages, reducing manual intervention.
- Interoperability: Adheres to the AS2 standard, ensuring compatibility with other AS2-compliant systems.
- Centralized Management: The listener's configuration and partner settings are managed within iIT, providing a single point of control.

AS2 has become a crucial protocol for secure data exchange in many industries. Its reliance on established security technologies and its efficiency make it a reliable choice for businesses needing to transmit sensitive information over the internet.

Note: The AS2 iIT project archive is attached to the article. The sample keys are located in the project's Resources directory.

NAS2_demo_rel_9.zip
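The "Request Receipt: signed" setting on the client and the note above that the signed MDN is the proof of transaction both come down to what the sender does with the receipt. The following script is an added example, not code from the original post or from iWay: it builds the AS2 request headers that correspond to the emit settings above, records the MIC of the outgoing content as RFC 4130 describes, and then checks a returned MDN the way a sender must before treating it as proof: same Message-ID, disposition processed without error, same MIC and algorithm, and a multipart/signed wrapper when a signed receipt was requested. Only the standard library is used. The message body, Message-ID, partner URL and the sample MDN are constructed for the example, its pkcs7-signature body is a placeholder, and the cryptographic check of that signature against the partner certificate in the truststore is left to the AS2 stack.

```python
import base64
import hashlib
from email import message_from_bytes, message_from_string

# Partner names come from the emit configuration above; every message body,
# Message-ID and the sample MDN below are constructed for this example.
AS2_FROM = "Client"
AS2_TO = "Server"
MIC_ALG = "sha256"


def canonicalize(data):
    """CRLF line endings, which RFC 4130 requires before signing and MIC calculation."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def signed_part(content_type, body):
    """The inner MIME entity that Packaging sign_encrypt signs and then encrypts."""
    return canonicalize(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)


def content_mic(part, alg=MIC_ALG):
    """Sender-side MIC (RFC 4130 7.3.1): base64(digest) over the signed part.
    Record it when sending; the MDN must echo it in Received-Content-MIC."""
    return base64.b64encode(hashlib.new(alg, part).digest()).decode()


def as2_request_headers(message_id, mdn_url=None):
    """HTTP headers the emit sends.  Disposition-Notification-To requests an MDN
    (AS2 does not route by its value); Disposition-Notification-Options asks
    for a signed receipt with our MIC algorithm (Request Receipt: signed).
    Receipt-Delivery-Option makes the MDN asynchronous; without it the MDN
    comes back in the HTTP response."""
    headers = {
        "AS2-Version": "1.0",
        "AS2-From": AS2_FROM,
        "AS2-To": AS2_TO,
        "Message-ID": message_id,
        "Subject": "Test",
        "Content-Type": "application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m",
        "Disposition-Notification-To": "as2@client.invalid",  # assumed placeholder
        "Disposition-Notification-Options": (
            "signed-receipt-protocol=required, pkcs7-signature; "
            f"signed-receipt-micalg=required, {MIC_ALG}"),
    }
    if mdn_url:
        headers["Receipt-Delivery-Option"] = mdn_url
    return headers


def sample_mdn(original_message_id, mic, disposition="processed", signed=True):
    """A constructed MDN shaped like the one the listener returns.  The
    pkcs7-signature body is a placeholder, not a real signature."""
    report = (
        'Content-Type: multipart/report; report-type=disposition-notification; boundary="rep"\r\n\r\n'
        "--rep\r\nContent-Type: text/plain\r\n\r\nThe AS2 message was received and processed.\r\n"
        "--rep\r\nContent-Type: message/disposition-notification\r\n\r\n"
        f"Reporting-UA: AS2 listener\r\nOriginal-Recipient: rfc822; {AS2_TO}\r\n"
        f"Final-Recipient: rfc822; {AS2_TO}\r\nOriginal-Message-ID: {original_message_id}\r\n"
        f"Disposition: automatic-action/MDN-sent-automatically; {disposition}\r\n"
        f"Received-Content-MIC: {mic}, {MIC_ALG}\r\n\r\n--rep--\r\n")
    if not signed:
        return report.encode()
    return ('Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
            f'micalg={MIC_ALG}; boundary="sig"\r\n\r\n--sig\r\n' + report +
            "--sig\r\nContent-Type: application/pkcs7-signature; name=smime.p7s\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\nMIIBcAYJKoZIhvcNAQcCoIIBYTCCAV0=\r\n"
            "--sig--\r\n").encode()


def parse_mdn(mdn_bytes):
    """Extract the disposition fields and whether the MDN carries an S/MIME signature."""
    msg = message_from_bytes(mdn_bytes)
    report = next((p for p in msg.walk()
                   if p.get_content_type() == "message/disposition-notification"), None)
    if report is None:
        raise ValueError("no message/disposition-notification part in MDN")
    payload = report.get_payload()
    # The email parser treats a message/* body as a nested message (one-item
    # list); parse the raw text ourselves if it did not.
    fields = payload[0] if isinstance(payload, list) else message_from_string(payload)
    _, _, dtype = (fields.get("Disposition") or "").partition(";")
    mic, _, alg = (fields.get("Received-Content-MIC") or "").partition(",")
    return {"signed": msg.get_content_type() == "multipart/signed",
            "original_message_id": (fields.get("Original-Message-ID") or "").strip(),
            "disposition_type": dtype.strip().lower(),  # "processed", "processed/error: ...", "failed/..."
            "mic": mic.strip(), "mic_alg": alg.strip().lower()}


def verify_mdn(mdn_bytes, sent_message_id, sent_mic, signed_receipt_requested=True):
    """Is this receipt proof that the partner processed exactly what we sent?
    Every check must pass: a MIC that differs from ours means the partner
    processed something else, and an unsigned MDN when a signed one was
    requested proves nothing.  The S/MIME signature itself must additionally
    be verified by the AS2 stack against the partner certificate in the truststore."""
    r = parse_mdn(mdn_bytes)
    checks = {
        "message_id_matches": r["original_message_id"] == sent_message_id,
        "processed_without_error": r["disposition_type"] == "processed",
        "mic_matches": r["mic"] == sent_mic and r["mic_alg"] == MIC_ALG,
        "signed_as_requested": r["signed"] or not signed_receipt_requested,
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    msg_id = "<20241010-0001@client.invalid>"
    mic = content_mic(signed_part("application/xml", b"<order id='1'/>\n"))
    print(as2_request_headers(msg_id))
    print(verify_mdn(sample_mdn(msg_id, mic), msg_id, mic))                 # (True, ...)
    print(verify_mdn(sample_mdn(msg_id, "bogus="), msg_id, mic))            # MIC mismatch
    print(verify_mdn(sample_mdn(msg_id, mic, signed=False), msg_id, mic))   # unsigned receipt
```

The MIC is computed over the signed inner MIME part, not over the encrypted envelope, which is why the sender has to record it at packaging time; a receipt whose MIC does not match should be logged and treated as a failed transfer even if its disposition says processed, since it may acknowledge a message that was altered in transit.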