Configure AS2 Partners
The term "Partners" refers to parties taking part in AS2 communications, that is, your organization and your organization's trading partners. In order for your organization to communicate with any AS2 trading partners, their details must first be defined in FlowForce Server. Once you define the AS2 partner details, they can be reused later in jobs. Namely, when you create jobs that send AS2 messages, you will be able to select the partner from a list of trading partners already defined (instead of having to enter the partner details for each FlowForce job).
Note: If encryption and signing must be enabled, make sure to import the required certificates (your organization's and your partner's) into FlowForce Server first, see Configuring AS2 Certificates.
To configure the AS2 partner:
1. Log on to the FlowForce Server Web Administration Interface.
2. Click Configuration, and then navigate to the container in which you want to create the partner object.
Note: By default, the "Public" container is accessible to all authenticated FlowForce Server users, so it might not be a suitable place to store sensitive information. It is recommended that you either restrict access to the "Public" container, or define sensitive objects in a separate container to which only entitled users have permissions, see Permissions and Containers.
3. Click Create, and then Create AS2 Partner.
The settings in the partner configuration page are organized in groups and behave the same way as in other parts of the FlowForce Web administration interface. For example, if a group is optional, you must first click the button next to it to set the required options. To make the group optional again, click the button again; this hides the group of settings, and they are no longer applied.
The partner configuration page consists of the following groups of settings:
Required field. A name that identifies the trading partner to FlowForce Server. This name appears throughout the FlowForce graphical user interface to help you identify this trading partner.
Optional field. Free description text about the partner organization (for example, postal address, contact person, and so on).
AS2 Name
Required field. When FlowForce Server sends AS2 data, this value identifies the receiver of the data exchange (the value of the "AS2-To" header). When FlowForce Server receives AS2 data, this value identifies the sender of the data exchange (the value of the "AS2-From" header).
This name is usually agreed between the AS2 trading partners and must be unique system-wide, see also RFC 4130, §6.2.
Local Side Settings
Local AS2 Name
Required field. When FlowForce Server sends AS2 data, this value identifies the sender of the data exchange (the value of the "AS2-From" header). When FlowForce Server receives AS2 data, this value identifies the receiver of the data exchange (the value of the "AS2-To" header).
This name is usually agreed between the AS2 trading partners and must be unique system-wide, see also RFC 4130, §6.2.
AS2 Service Settings
Optional field. Select this check box to allow FlowForce Server to receive messages from this AS2 partner.
If you are creating an AS2 partner to whom you will only send AS2 data and from whom you will never receive AS2 data, clear this check box.
This avoids ambiguity when more than one partner has the same "Local AS2 Name" and "AS2 Name" pair: in that case, FlowForce Server can receive AS2 messages only from the partner for which this check box is selected.
HTTP Endpoint Settings
Required field. This field must specify the partner URL to which AS2 messages will be sent, for example: http://example.org:8080/as2/HttpReceiver.
The value must start with "http://" or "https://".
Optional field. For security reasons, you may want to disallow redirection of HTTP requests altogether, or allow redirection only to the same host; a redirect that is followed to a different host delivers the AS2 message (and any HTTP credentials, which are sent preemptively) to a server other than the one configured. Valid values:
•No redirection allowed [Default]
•Redirection on the same host
•Arbitrary redirection (set this value if you want to allow redirection, even across different hosts)
Use chunked transfer encoding
Optional field. Valid values:
•Yes: FlowForce is allowed (but not forced) to use chunked transfer encoding for sending. If you enable this option, it is expected that the receiving system also supports chunked transfer encoding.
•No [Default]: FlowForce can only use Content-Length and connection close to indicate end of content.
HTTP Authentication Credential
Optional field. Only applicable if the partner's URI requires basic HTTP authentication. Enter here the HTTP credentials required to authenticate with the partner's server. You can also define the HTTP credentials from a dedicated page, as credential records, and then refer to them from this page, see Credentials.
Note: FlowForce Server sends the credentials preemptively.
Optional field. Specifies the number of seconds FlowForce Server waits for a response before the request times out. The default is system specific.
Optional field. Select this check box if FlowForce Server should compress AS2 data before sending it to the partner.
Security Settings | Encryption
This group of settings must be defined if your organization is to encrypt AS2 messages sent to this partner.
Optional field. Specifies the symmetric algorithm to be used for encryption. Valid values:
Required field. Specifies the certificate to be used for AS2 message encryption. This must be a public certificate that you received from your trading partner and then imported into FlowForce Server, see Configuring AS2 Certificates.
Security Settings | Decryption
This group of settings must be defined if your organization is to decrypt AS2 messages received from this partner.
Optional field. Specifies the algorithm(s) that the partner is allowed to use when encrypting messages sent to your organization.
If the trading partner encrypts with an algorithm that is not selected here, FlowForce Server sends an error MDN and the job is not started. The error MDN in this case includes a text like: "automatic-action/MDN-sent-automatically ; failed / error: insufficient-message-security"
Valid values for this field are:
Required field. Specifies the certificate to be used for AS2 message decryption. This must be a reference to a certificate with a private key that was previously imported into FlowForce Server, see Configuring AS2 Certificates. In FlowForce, such objects appear with the type "certificate + private key", like the second in the image below:
Security Settings | Signature Creation
This group of settings must be defined if your organization is to sign AS2 messages sent to this partner.
Required field. Specifies the hash algorithm for computing the signature MIC (message integrity check). Valid values:
Local Side Certificate
Required field. Specifies the certificate issued by your organization for signing AS2 messages and MDNs sent to this partner. This must be a reference to a certificate with a private key that was previously imported into FlowForce Server, see Configuring AS2 Certificates. In FlowForce, such objects appear with the type "certificate + private key", like the second in the image below:
Security Settings | Signature Verification
This group of settings must be defined if your organization is to verify the signature of messages and MDNs sent by the partner.
Required field. Specifies the algorithm(s) that the partner is allowed to use to compute the message hash in the signature. If the trading partner does not use one of the algorithms selected below, FlowForce Server returns an MDN with an error text like: "automatic-action/MDN-sent-automatically ; failed / error: insufficient-message-security". The message is not accepted or processed in this case.
Conditional field. Specifies the certificate to be used for verifying the signature of messages and MDNs sent by the partner. This must be a public certificate that you received from your trading partner and then imported into FlowForce Server, see Configuring AS2 Certificates.
If the Request Signed MDN check box is selected, this field must also be set.
Message Disposition Notification
The option Synchronous means that FlowForce will request that the partner send a synchronous MDN in reply to the AS2 message. To request no MDN, click Delete and remove this block of options.
Note: Asynchronous MDNs are currently not supported, see Limitations.
Request signed MDN
Optional field. Select this check box to request a signed MDN from the trading partner, see Message Disposition Notification.
Conditional field. When the Use Compression option is enabled, this option specifies whether compression takes place before or after the data is signed for transmission to an AS2 partner.
For outgoing messages, the selected option must be one that your AS2 partner supports.
For incoming messages (that is, when FlowForce Server receives messages from other partners), this option is irrelevant: FlowForce Server decompresses messages regardless of whether they were compressed before or after signing.
MIC Verification Algorithm
Conditional field. This field is applicable if the Request MDN option is set (see above). It specifies what algorithm FlowForce Server should use when verifying or computing the MIC (message integrity check) used for AS2 MDN (see also RFC 4130 §7.3.1).
For interoperability reasons, you may need to choose Use algorithm of MDN signature if the AS2 partner runs Microsoft BizTalk. Choose Use algorithm of original message signature if the AS2 partner runs mendelson AS2.
When both communicating AS2 servers run FlowForce Server, this option must be identical for both.
The value of this field can also make a difference when an algorithm other than SHA-1 (SHA-256, for example) is used for the signature MIC in the AS2 message or in the MDN.
Convert message to canonical form
When this check box is selected, FlowForce Server reformats the MIME message according to the MIME rules for canonical message form, which always covers the MIME headers and, under the conditions below, the message body.
Use the text box below this option to specify a comma-separated list of additional content types for which the message body must be reformatted to canonical form. The list of accepted types supports wildcards, similar to the HTTP Accept header, and matches exactly the accept parameter of the is-mime-content-type expression function.
Message bodies are reformatted to canonical form under the following conditions:
1. When the MIME header Content-Transfer-Encoding has value "base64" (case insensitive).
2. When the MIME header Content-Transfer-Encoding is "7bit", "8bit", "quoted-printable" (all case insensitive) and Content-Type is text/* (which includes text/plain and anything that starts with text/).
3. When the MIME header Content-Transfer-Encoding is "7bit", "8bit", "quoted-printable" (all case insensitive) and Content-Type is one of those defined in the text box mentioned previously.
4. In case of multipart messages, both the prolog and epilog will be reformatted, and the same process will be applied to all parts, according to their headers.
Bodies of messages whose Content-Transfer-Encoding is "binary" are not reformatted to canonical form. Note that "binary" is the default Content-Transfer-Encoding for AS2: when the header is not present, "binary" is assumed and the body is never reformatted to canonical form.
For message headers, the canonical form is as follows:
1. Headers are terminated by CR LF end line characters.
2. Headers are unfolded (the whole header with its value takes only one line).
3. The header name and its value are separated by a colon followed by exactly one space character (": ").
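As an added illustration (not FlowForce Server code), the following Python implements the body-reformatting decision (rules 1 to 3 above, with the AS2 "binary" default) and the header canonical form. The wildcard matching for the extra content-type list is an assumption modelled on HTTP Accept patterns, and rule 4 (multipart) is left to the caller, which applies body_needs_canonical_form to each part in turn.

```python
import re


def _type_matches(content_type, pattern):
    """Match a Content-Type header value against one accept-style pattern.
    Assumption: patterns are 'type/subtype', 'type/*' or '*/*', parameters ignored."""
    ctype = content_type.split(";")[0].strip().lower()
    pattern = pattern.strip().lower()
    if pattern == "*/*":
        return True
    if pattern.endswith("/*"):
        return ctype.split("/")[0] == pattern[:-2]
    return ctype == pattern


def body_needs_canonical_form(headers, extra_types=()):
    """Return True when the body of a non-multipart part must be reformatted.
    `headers` maps MIME header names to values; `extra_types` is the
    comma-separated list from the configuration box, already split."""
    lower = {k.lower(): v for k, v in headers.items()}
    # AS2 default: a missing Content-Transfer-Encoding means "binary".
    cte = lower.get("content-transfer-encoding", "binary").strip().lower()
    ctype = lower.get("content-type", "application/octet-stream")
    if cte == "base64":
        return True                                   # rule 1
    if cte in ("7bit", "8bit", "quoted-printable"):
        if _type_matches(ctype, "text/*"):
            return True                               # rule 2: any text/*
        return any(_type_matches(ctype, p) for p in extra_types)  # rule 3
    return False                                      # "binary" and anything else


def canonicalize_headers(raw_headers):
    """Produce the canonical header block: unfolded lines, 'Name: value'
    with exactly one space after the colon, each terminated by CR LF."""
    text = raw_headers.replace("\r\n", "\n").replace("\r", "\n")
    # Unfold: a line break followed by whitespace continues the previous header.
    unfolded = re.sub(r"\n(?=[ \t])", "", text)
    out = []
    for line in unfolded.split("\n"):
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        out.append(f"{name.strip()}: {value.strip()}")
    return "\r\n".join(out) + "\r\n"
```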