
AS2
SMIME/MIME
Encryption
Certificates
Signing
MDNs
Taking the Mystery Out of AS2
Kim Zajehowski
Aurora Technologies, Inc.
What is AS2?
• More secure way of exchanging EDI data directly with your trading
partners using certificates, encryption, and signing of documents over the
Internet.
• Stands for Applicability Statement 2, a draft standard from the Internet
Engineering Task Force for securely exchanging business documents over
the Internet, as noted on www.networkworld.com.
• Can be a communication method that can replace VAN communications
with your trading partner.
• Uses digital certificates to secure EDI packets of data.
• Sometimes referred to as HTTP Reverse Proxy by some AS2 solutions.
AS2 Continued
• Direct communications to your trading partner through the Internet.
• Can also be routed via a VAN to your trading partner as AS2, using extended
VAN services that provide the conversion for you.
• Provides a reliable method in that you receive an MDN (Message
Disposition Notification) telling you that your trading partner received the
EDI packet. Note that this does not replace your Functional
Acknowledgements.
• The AS2 standard uses some of the most robust encryption and signature
algorithms.
• Operates only over networks running the TCP/IP protocol
Envelopes
• AS2 data is placed in an envelope containing AS2 identifiers for each party
in the exchange of data.
• Along with the envelope, a digital certificate is carried within the data packet.
• The AS2 envelope usually contains another envelope within it (ISA) with
EDI data and ISA qualifiers and IDs.
AS2 Flowchart
(Diagram: ERP solution, e-mail, solution provider server, Internet, trading partner system)
Terminology
• MIME/S-MIME
• Encryption
• Signing
• MDNs
• AS2 Identification
• Firewall Considerations
• Certificates
• Pros
• Cons
• AS2 solution selection
• Sample AS2 profiles
• Helpful websites
MIME
• MIME, as defined on Wikipedia (Multipurpose Internet Mail Extensions),
defines mechanisms for sending other kinds of information in e-mail.
• MIME is also a fundamental component of communication protocols such
as HTTP, which requires that data be transmitted in the context of e-mail-like
messages even though the data might not (and usually doesn't)
actually have anything to do with e-mail.
S-MIME
• S/MIME as taken from Wikipedia (Secure/Multipurpose Internet Mail
Extensions) is a standard for public key encryption and signing of MIME
data.
• Through the use of public key certificates, packets of information can be
secured within this type of data packet.
Encryption
• A way of making a packet of data unusable without the certificate keys by
encrypting the data using one of several encryption algorithms:
• Advanced Encryption Standard (AES)
– AES 256
– AES 192
– AES 128
• Data Encryption Standard (DES)
– DES 56
– DES3 168 (Recommended)
• CAST5 128
• RC2 40
• RC2 64
• RC2 128
Signing
• A way of further securing AS2 data packets is to sign the packets using
one of several algorithms:
• Secure Hash Algorithm
– SHA1 160 (Recommended)
• Message Digest Algorithm
– MD5 128
• Race Integrity Primitives Evaluation Digest
– RIPEMD 160
MDN
• Message Disposition Notification
• Communication packet used to tell parties of successful receipt of data
packets (positive MDN) into partner’s AS2 solution.
• Does not replace functional acknowledgement
• No control numbers used
• Type of MDN is usually dictated by trading partner
Types of MDN Scenarios
• Asynchronous
– Allows for AS2 MDNs to be returned to the message sender over a
different HTTP connection.
– Usually used for larger files
• Synchronous
– Allows for AS2 MDNs to be returned over the same HTTP connection
on which the original message was sent
– There may be timeouts in low-bandwidth situations
• E-mail
– Rarely used, but available; the AS2 MDN is returned to an e-mail address
• No MDN
AS2 Identification
• Each trading partner involved in AS2 communications is assigned an AS2
ID.
• The ID is self-generated by the company.
• It can be a company name with AS2 on the end of it or a company’s ISA
qualifier concatenated to the ISA ID as the AS2 ID.
• The ID is used on the outer envelope of the AS2 packet of data to be
communicated.
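As an added example (not code from the presentation or from any AS2 product), here are the envelope, AS2 identification and MDN slides worked through in Python: the outer envelope carries the AS2 identifiers and the MDN request, and the sender accepts an MDN only when it refers to its own message and the integrity check matches what was sent. Header names follow RFC 4130; the AS2 IDs, domain, URL and ISA payload are constructed sample values.

```python
import base64
import hashlib
from email.utils import make_msgid

# Constructed sample payload: the inner ISA envelope the slides describe.
EDI_PAYLOAD = (b"ISA*00*          *00*          *ZZ*401555555      *ZZ*ABCAS2"
               b"         *101031*1200*U*00401*000000001*0*T*>~")

def content_mic(payload: bytes, micalg: str = "sha1") -> str:
    """MIC as an MDN reports it: base64(digest) followed by the algorithm name."""
    digest = hashlib.new(micalg, payload).digest()
    return f"{base64.b64encode(digest).decode()}, {micalg}"

def build_as2_headers(as2_from, as2_to, payload, mdn="sync", async_url=None):
    """Outer AS2 envelope: partner identifiers plus the MDN request headers."""
    hdrs = {
        "AS2-Version": "1.2",
        "AS2-From": as2_from,
        "AS2-To": as2_to,
        "Message-ID": make_msgid(domain="as2.example"),  # constructed domain
        "Content-Type": "application/edi-x12",
    }
    if mdn != "none":
        # This header's presence requests an MDN; the options ask for a signed
        # receipt that carries a SHA-1 MIC over the delivered content.
        hdrs["Disposition-Notification-To"] = as2_from
        hdrs["Disposition-Notification-Options"] = (
            "signed-receipt-protocol=optional, pkcs7-signature; "
            "signed-receipt-micalg=optional, sha1")
    if mdn == "async":
        hdrs["Receipt-Delivery-Option"] = async_url  # MDN on a separate connection
    return hdrs

def build_mdn(request_headers, received_payload, processed=True):
    """Receiver side: the machine-readable fields of the MDN sent back."""
    outcome = "processed" if processed else "processed/error: unexpected-processing-error"
    return {
        "Final-Recipient": f"rfc822; {request_headers['AS2-To']}",
        "Original-Message-ID": request_headers["Message-ID"],
        "Disposition": "automatic-action/MDN-sent-automatically; " + outcome,
        "Received-Content-MIC": content_mic(received_payload),
    }

def mdn_confirms(mdn, sent_headers, sent_payload) -> bool:
    """Sender side: accept only an MDN for our Message-ID that reports 'processed'
    and whose MIC matches the content we actually sent."""
    outcome = mdn["Disposition"].split(";", 1)[1].strip()
    return (mdn["Original-Message-ID"] == sent_headers["Message-ID"]
            and outcome == "processed"
            and mdn["Received-Content-MIC"] == content_mic(sent_payload))
```

A real AS2 stack wraps these headers around an S/MIME body and verifies the MDN's signature as well; the check above is only the identifier, disposition and MIC comparison the sender must make before treating the packet as delivered.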
Firewall Considerations
• Since this type of communication is over the Internet, you must secure
your AS2 solution by limiting incoming traffic by port or by IP address
while allowing only the required outbound traffic.
• This can be the most challenging area, as you are dealing with your own
internal networks as well as your trading partners' networks in order to
communicate successfully via AS2.
Digital Certificates
• A digital certificate (*.cer) is required for both parties exchanging AS2
data via the Internet.
• X.509 standard
• There are other certificates that might be used as well (*.pfx).
• Each party must share its certificate with the other, as this further secures the
packet of data to be communicated. Along with encryption, data is also
transmitted with the valid digital certificates for the sending party and
receiving party.
• Note that AS2 digital certificates being exchanged do not have
to be signed or generated by a signing authority (e.g., Verisign). A
self-signed certificate generated through your AS2 solution can be used if it offers that option.
• Note that when exchanging certificates via e-mail, you must change the
extension on the file from *.cer to *.txt or zip it before sending it to your trading
partner. Many e-mail servers will strip *.cer attachments when they are
e-mailed.
AS2 Solution Selection
• Know your potential AS2 trading partners.
• Some may require you to utilize a Drummond certified solution (e.g.,
Target).
• Some may be more relaxed about the Drummond requirement.
• Evaluate your future communication needs, as you may be able to
find a solution that can support multiple communication protocols (FTP,
AS1, AS2, etc.).
• You may want to evaluate whether it is cost feasible to add a service to
your existing VAN for AS2 customers. Many VANs offer a service to take
your EDI transactions and transform them into AS2 for your trading partner.
Pros
• Direct communications with trading partners; no VAN charges
• Faster and more timely communications
• Control is in your hands and your trading partner’s hands
Cons
• May be required to utilize only Drummond certified solutions if your AS2
trading partner community pushes for it
• The responsibility is on you and your trading partners to ensure reliable
communications at all times, which means monitoring the software on a daily basis.
• Must monitor all digital certificates on both your company's side and the trading
partner's side to ensure you have loaded the most current ones and they do not
expire.
Sample AS2 Customer Sheet
Customer AS2 Information
Customer Contact
Name:
Phone:
Email:
AS2 Name
If your company already uses an AS2 Name, provide it here; otherwise
you can choose to use your QUAL/ID as the AS2 NAME, such as
129498381009.
AS2 URL or IP
Such as http://as2.companyname.com/as2 or
http://666.32.32.32:9080/msgsrv/as2
Message Format Type
How do you want the message to be sent: Signed/Encrypted/Plain text
(MIME)?
– MIME
– S/MIME Encrypted
– S/MIME Signed
– S/MIME Signed/Encrypted (Recommended)
Encryption Algorithm
If you have selected Encrypted, what encryption format do you prefer?
– RC2 40
– RC2 64
– RC2 128
– AES 128
– AES 192
– AES 256
– DES 56
– DES3 168 (Recommended)
– CAST5 128
Signing Algorithm
If you have selected Signed, what signing format do you prefer?
– SHA1 160 (Recommended)
– MD5 128
– RIPEMD 160
Receipt Type
Does your company require an MDN notification to be sent back upon
receiving the AS2 message from you?
– Signed (Recommended)
– Unsigned
– None
List your Test Ids:
List the sender/receiver IDs/Qualifiers you intend to use for testing.
List your Production Ids:
List your sender/receiver IDs (not your trading partners') used for
production.
Sample AS2 Customer Sheet
AS2 Profile Information
Trading Partner Information
Date: 10/31/2010
Company Name: ACME COMPANY
Contact Name: Jane Smith
Title: EDI Coordinator
Phone: 401-555-5555
FAX:
Email: jsmith@acme.com
EDI Qualifier/ID: ZZ/401555555
AS2 Identifier: ACMEAS2
AS2 URL: http://as2.acme.com:1234/as2
Backup AS2 URL (optional):
Encryption Algorithm: DES3 168 WITH SHA1
AS2 Authentication Name/Password (optional):
Outbound IP Address:
ABC AS2 Information
Production URL: http://www.as2edi.abc.com:8080/as2
AS2 Identifier: ABCAS2 (Case sensitive)
Public Encryption Key Location: Attached
Synchronous Signed MDNs
Encryption Algorithm: AES128 (Preferred) 3DES (Alternate)
Signing Algorithm: SHA-1
Compression: All Data
Retry policy
ABC Company has improved hardware, software and procedures to ensure a high level of AS2 availability. However, ABC Company cannot guarantee that every AS2 connection attempt
will succeed. Therefore, ABC highly recommends that you automatically retry AS2 connections at least three times with at least one minute between retries. This will benefit users
by removing the need to retransmit manually when a connection does not succeed the first time.
Helpful Websites
AS2 Drummond Certified Software
http://www.drummondgroup.com/html-v2/as2companies.html
Open Source AS2 Providers
http://sourceforge.net/search/?type_of_search=soft&words=as2
AS2 Basics
http://www.as2basics.co.uk
AS2 Secures Documents Using the Web
http://www.networkworld.com/news/tech/2002/1209techupdate.html