AS2 is one of the most popular methods for transporting data, especially EDI data, securely and reliably over the Internet.
- Security is achieved by using digital certificates and encryption
- AS2 messages are always sent using the HTTP or HTTPS protocol
- Messages may request a Message Disposition Notification (MDN) back if all went well. Upon the receipt of the message and its successful decryption a “success” MDN will be sent back to the original sender.
Trading partner agreements play a key role in AS2 support in BizTalk Server. Most configuration and administrative functions related to AS2 processing in BizTalk Server are performed by configuring the trading partner agreements between business profiles.
You can specify the AS2 properties as part of the “transport protocol settings” for a business profile or by directly specifying the AS2 settings in the trading partner agreement.
Let’s say trading partner A want to send EDI message to trading partner B. Following must need to be taken care
- Authentication: B authenticates A before accepting its message
- Data Privacy: intruders must not be able to understand the message
- Data Accuracy (Integrity): a modified message must be detected by System B
Secure messaging of EDI data is achieved using public and private keys. Organization (Trading Partner) generates keys; distributes the public and keeps the private secret. Data encrypted by public key can only be decrypted by private key.
So in our scenario A wants to send private data to B
- B generates the public/private key pair
- B gives public key to A and keeps the private key secret.
- A uses B’s public key to encrypt a message
- Only B can decrypt the message using its private key
Digital Certificates and Certificate Authorities
Digital certificates are just electronic documents that contains public key. These certificates are signed by a trusted Certificate Authority (CA) and the signature binds owner’s identity to the public key.
Again back to our scenario: Trading partner A wants to send encrypted message to B
- B must send A its public key to encrypt the message
- Evil system / entity Z wants to trick A into thinking it’s B
- Z generates a private/public pair. And sends public key to A
- How can A tell that it’s being modified by some other entity / system?
Here comes the role of a CA because CA only certifies that public key is owned by a certain entity
- B asks a CA to sign its public key
- CA verifies B and generates a certificate holding B’s information and public key – CA signs certificate with its own private key
- A receives certificate from B
- A verifies it trusts CA’s by validating its signature
- A now is sure the certificate belongs to B
How does A verify CA’s signature?
When A install the certificate on its server it can see the CA details
Configuring certificates for AS2
Windows has several different certificate stores. Using certmgr.msc allows a certificate to be installed for the current user.
However, to make a certificate available to services and other process that run under the Local System or Local Service accounts, you must import the certificate into the Local Computer store.
To import the certificate, set up a connection the local computer’s certificate store:
- Start -> Run: mmc.exe
- Menu: File -> Add/Remove Snap-in…
- Under Available snap-ins, select Certificates and press Add>.
- Select Computer Account for the certificates to manage. Press Next.
- Select Local Computer and press Finish.
- Press OK to return to the management console.
Import External Trading Partner Public Certificate:
- Select: Console Root -> Certificates (Local Computer)
- Continue and select: Trusted Root Certification Authorities -> Certificates.
- Right click on Certificates and select All Tasks -> Import…
Also install the Trading Partner Public Certificate in Other People. Right-click Other People, point to All Tasks, and then click Import.
Generate the Private certificate on the server. Alternatively, a certificate can be purchased from VeriSign, DigiCert or other providers so that the CA Root Authority is more standard and available when dealing with outside Trading Partners. Especially when Servers are not exposed to the Internet.
Install the Private Key on the BizTalk Server Certificate Store under Personal
Generate a Public key and send this off to the External Trading Partners.
In the BizTalk Administration Console, right-click the BizTalk Group and select properties. Click the Certificate option and select Browse. Select the Private certificate for your home organization. This will be your primary certificate used to sign outbound data.
Note: In some scenarios, for specific parties this default private certificate can be overridden. This can be done in Certificate page of the AS2 properties for your trading partner.
Select Trading Partner’s Public Certificate under Send Port
You also need to check the Schannel SSP registry entries for TLS/SSL Settings. You might face SSL/TLS handshake failures while sending message to the trading partner. Please refer the excellent post by Riaan for troubleshooting SSL/TLS handshake failures.
IIS and the BizTalk HTTP Receive Location
AS2 is communication over HTTP, so you need to set up a site within IIS on the BizTalk server. The most common is to create a virtual directory for a specific trading partner that maps inbound requests to the BTSHTTPReceive.dll
AS2 Web site set up
This should complete the first part of AS2 setup for exchanging the EDI message with Trading Partner. Next part would be Agreements and Party Settings