AS2

Understanding AS2

AS2, Applicability Standard 2 for EDI, is quickly becoming one of the most secure, reliable and popular methods for sending and receiving data over the internet. The idea behind AS2 is to send data between two points over the web inside a container, or envelope, created by the AS2 software; the certificate together with the public and private keys keeps the information secure. Only a few components are necessary for an organization to use AS2: two servers to connect, internet access, and the data to be sent and received. The AS2 server wraps, or envelopes, the data using digital encryption and certificates, which allows it to be transmitted securely over the internet. To clarify the roles of the certificate and the public and private keys within AS2 transactions, review the following definitions:

The Public Key: is used to encrypt data and to verify digital signatures. The public key is safe to distribute to your trading partners; a trading partner uses it to encrypt the data that will be sent to your AS2 server.

The Private Key: is used to decrypt data and to create digital signatures, and is always kept private and protected. This key is installed in your BridgeGate key store on the AS2 server.

The Certificate: much like a driver’s license, is used for identification. It identifies the issuer of the certificate, shows its expiry date and carries a unique number assigned to the certificate, called the serial number. Every certificate has its own unique serial number.

The following explains the AS2 certificate/public/private key relationship and how AS2 is used to send and receive EDI. When an AS2 certificate is created, two keys are generated that are linked together by an algorithm: one is a Private Key and one is a Public Key. The Private Key is stored in the BridgeGate keystore on the AS2 Server, while the certificate, along with the Public Key, is sent to the Trading Partner. The keys are then used to access the data contained within the AS2 envelope. The following is an example of a typical AS2 exchange between BridgeGate and A-TradingPartner:

AS2 Example – Typical AS2 Process between BridgeGate and A-TradingPartner

  • EDI payload is encrypted using the A-TradingPartner cert/public key (on BridgeGate AS2 server)
  • EDI payload is signed using the BridgeGate (Sender) private key (on BridgeGate AS2 server)
  • AS2 connection is made to the A-TradingPartner AS2 server https://a-tradingpartner.com:10443 (on BridgeGate AS2 server)
  • Payload contains a request to return an MDN, either sync or async (on BridgeGate AS2 server)
  • AS2 IDs/Names are used to identify the AS2 relationship (on A-TradingPartner AS2 server)
  • EDI payload is decrypted using the A-TradingPartner private key (on A-TradingPartner AS2 server)
  • EDI payload has its digital signature verified using the BridgeGate cert/public key (on A-TradingPartner AS2 server)
  • MDN is returned with a “processed” or “Decryption failure” or “Authentication, unable to verify signature…” status (on A-TradingPartner AS2 server)
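As an added illustration (not BridgeGate code), the Go program below walks through the exchange listed above with two freshly generated RSA key pairs standing in for the BridgeGate and A-TradingPartner certificates: the sender encrypts with the partner's public key and signs with its own private key; the receiver decrypts with its private key, verifies with the sender's public key, and returns the MDN status. It applies RSA-OAEP to a short constructed payload directly instead of building AS2's S/MIME envelope, and shows the "unable to verify signature" MDN that results when the partner holds the wrong BridgeGate certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Send is the BridgeGate side: encrypt with the partner's public key, sign with own private key.
func Send(edi []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, edi, nil); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(edi)
	sig, err = rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, h[:])
	return ct, sig, err
}

// Receive is the A-TradingPartner side: decrypt with own private key, verify with the sender's public key, return payload and MDN status.
func Receive(ct, sig []byte, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, string) {
	edi, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, ct, nil)
	if err != nil {
		return nil, "Decryption failure"
	}
	h := sha256.Sum256(edi)
	if rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, h[:], sig) != nil {
		return nil, "Authentication, unable to verify signature"
	}
	return edi, "processed"
}

// newKey generates one party's key pair; in BridgeGate the private half stays in the key store.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	bridgeGate, partner := newKey(), newKey()
	ct, sig, _ := Send([]byte("ISA*00*...*ZZ*MYEDI~"), bridgeGate, &partner.PublicKey) // constructed payload
	_, mdn := Receive(ct, sig, partner, &bridgeGate.PublicKey)
	fmt.Println("MDN:", mdn) // processed
	_, mdn = Receive(ct, sig, partner, &newKey().PublicKey) // partner installed the wrong BridgeGate cert
	fmt.Println("MDN:", mdn) // Authentication, unable to verify signature
}
```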

How do I configure a BridgeGate Cluster to use the Hazelcast TCP option?

Using hazelcast.xml for TCP-IP configuration: set the CONFIG_FILE attribute value to the path of the hazelcast.xml file.

The BridgeGate cluster is configured through the BRIDGEGATE_CLUSTER tag in the bridgegate.xml file.

CONFIG_FILE: This attribute is not included by default and is not required; Hazelcast uses multicast by default. If TCP-IP needs to be enabled or additional configuration is needed (such as giving specific IP addresses for the different nodes), this attribute can be used. Its value should be the file path to hazelcast.xml. Example:

<BRIDGEGATE_CLUSTER BIND="172.31.*.*" CONFIG_FILE="/bridgegate/conf/hazelcast.xml" …. />

A sample hazelcast.xml file is shown below:

<hazelcast xsi:schemaLocation="http://www.hazelcast.com/schema/config hazelcast-config-3.6.xsd" xmlns="http://www.hazelcast.com/schema/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <network>
        <port auto-increment="false">5701</port>
        <join>
            <multicast enabled="false"></multicast>
            <tcp-ip enabled="true">
                <interface>10.0.0.30</interface>
                <interface>10.0.1.10</interface>
            </tcp-ip>
        </join>
    </network>
</hazelcast>

or

<hazelcast xsi:schemaLocation="http://www.hazelcast.com/schema/config hazelcast-config-3.6.xsd" xmlns="http://www.hazelcast.com/schema/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <network>
        <port auto-increment="false">5701</port>
        <join>
            <multicast enabled="false"></multicast>
            <tcp-ip enabled="true">
                <interface>10.0.0.30-40</interface>
                <interface>10.0.1.1-10</interface>
                <interface>10.0.2.1-10</interface>
            </tcp-ip>
        </join>
    </network>
</hazelcast>

Multicast configuration for clustering auto-discovery is defined as:

<multicast enabled="true">
    <multicast-group>224.2.2.3</multicast-group>
    <multicast-port>54327</multicast-port>
</multicast>

Logging for BridgeGate clustering can be turned on from the BridgeGate portal: open the Server Management page and then its Server Log tab.

Alternatively, edit the conf/log4j.xml file in the BridgeGate Home. Locate the category element with the attribute name com.hazelcast. Its priority value can be changed from OFF to INFO or DEBUG. Verify that bridgegate\bin\bg_service.conf contains the following -D option:

wrapper.java.additional.26=-Dhazelcast.logging.type=slf4j

Or, on Linux, make sure that /bridgegate/bin/runbridgegate sets the following JAVA_OPTS entry:

JAVA_OPTS="${JAVA_OPTS} -Dhazelcast.logging.type=slf4j"

<category name="com.hazelcast">
    <priority value="OFF"/>
    <appender-ref ref="HAZELCAST" />
</category>

 

How do I resolve the error "Partnership not found" on my BridgeGate AS2 Server?

When I created my Predefined Connection for my AS2 Server, I get the following exception when I send an AS2 Message to the server.

02/06/17 13:53:11 DBPartnershipFactory: Partnership COMPARE searchValue[MYEDI] against partnerValue[MYEDIAS2] (case-insensitive))
com.oidev.as2.partner.PartnershipNotFoundException: Partnership not found: Partnership null Sender IDs = {as2_id=MYEDI} Receiver IDs = {as2_id=MYEDIAS2} Attributes = {}
                at com.oidev.as2.partner.BasePartnershipFactory.getPartnership(BasePartnershipFactory.java:28)
                at com.oidev.as2.partner.BasePartnershipFactory.updatePartnership(BasePartnershipFactory.java:48)

 

When configuring the AS2 Server, make sure that if you change the AS2 Identifier from its default, it is also updated in bridgegate.xml. Note that the AS2 Server has a single AS2 Identifier per server, so naming it correctly the first time is important. Update the AS2_SERVER section of bridgegate.xml to match (see below). The default is “BridgeGateAS2”. Whatever you put in bridgegate.xml must match the PDC (Predefined Connection) created for the AS2 server. More information can be found in the AS2 Installation documentation.