Technical Information | Aayu Technologies

AS2 Gateway Technical Information

Technical specifications

AS2 Gateway supports the following AS2- and transmission-level technologies, features and parameters:

AS2 features and profiles

AS2 (S/MIME) encryption

Supported encryption algorithms:

  • AES (256-bit): AES256_CBC
  • AES (192-bit): AES192_CBC
  • AES (128-bit): AES128_CBC
  • 3DES/Triple DES (168-bit): DES_EDE3_CBC
  • Camellia (128-bit): CAMELLIA128_CBC
  • Camellia (192-bit): CAMELLIA192_CBC
  • Camellia (256-bit): CAMELLIA256_CBC
  • CAST5/CAST-128 (128-bit): CAST5_CBC
  • RC2/ARC2 (40-bit): RC2_CBC
  • SEED (128-bit): SEED_CBC

AS2 (S/MIME) signing

Supported signature algorithms:

  • SHA512
  • SHA384
  • SHA256
  • SHA224
  • SHA1
  • MD5
  • MD2

MDN receipt modes

  • required/optional
  • signed/unsigned
  • synchronous/asynchronous

MDNs for outgoing messages are requested statically, based on the above settings configured under the corresponding recipient (partner).

The MDN mode for incoming messages is decided dynamically, per transmission, from the combination of the above options requested by the sending partner (carried in the Disposition-Notification-Options and Receipt-Delivery-Option HTTP request headers).
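The following is an added example (not AS2 Gateway code) of how a receiver can derive the required/optional, signed/unsigned and synchronous/asynchronous decision for one incoming transmission from its request headers. It follows RFC 4130 section 7.3 semantics: Disposition-Notification-To (a header the page does not mention) signals that an MDN is requested at all, Disposition-Notification-Options carries the signing request, and Receipt-Delivery-Option carries the async return URL. The header values are constructed samples.

```python
"""Decide the MDN mode for an incoming AS2 message from its HTTP request
headers.  Added example, not AS2 Gateway code; sample headers are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional, Tuple


@dataclass(frozen=True)
class MdnMode:
    requested: bool            # partner asked for an MDN at all
    signed: bool               # partner asked for a signed (S/MIME) MDN
    asynchronous: bool         # MDN is POSTed to a URL instead of the HTTP reply
    signature_importance: str  # "required" / "optional" / "" when not requested
    mic_algorithms: Tuple[str, ...]  # MIC algorithms the partner accepts, in order
    async_url: Optional[str]   # where an asynchronous MDN must be delivered


def _ci_get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def parse_notification_options(value: str) -> Dict[str, Tuple[str, List[str]]]:
    """Parse Disposition-Notification-Options, e.g.
    'signed-receipt-protocol=required, pkcs7-signature; signed-receipt-micalg=required, sha256'
    into {name: (importance, [values...])}.  Unknown or malformed parameters are skipped
    rather than failing the whole message."""
    parsed: Dict[str, Tuple[str, List[str]]] = {}
    for param in value.split(";"):
        if "=" not in param:
            continue
        name, rest = param.split("=", 1)
        parts = [p.strip() for p in rest.split(",") if p.strip()]
        if not parts:
            continue
        parsed[name.strip().lower()] = (parts[0].lower(), [p.lower() for p in parts[1:]])
    return parsed


def decide_mdn_mode(headers: Mapping[str, str]) -> MdnMode:
    """Derive the receipt mode the sending partner asked for in this transmission."""
    if _ci_get(headers, "Disposition-Notification-To") is None:
        return MdnMode(False, False, False, "", (), None)
    options = parse_notification_options(_ci_get(headers, "Disposition-Notification-Options") or "")
    protocol = options.get("signed-receipt-protocol")
    micalg = options.get("signed-receipt-micalg", ("", []))
    async_url = _ci_get(headers, "Receipt-Delivery-Option")
    return MdnMode(
        requested=True,
        signed=protocol is not None and "pkcs7-signature" in protocol[1],
        asynchronous=async_url is not None,
        signature_importance=protocol[0] if protocol else "",
        mic_algorithms=tuple(micalg[1]),
        async_url=async_url,
    )


# Constructed sample requests (AS2 identifiers and URLs are placeholders).
SAMPLE_SIGNED_ASYNC = {
    "AS2-From": "PARTNER-A",
    "AS2-To": "MY-AS2-ID",
    "Disposition-Notification-To": "as2@partner.example",
    "Disposition-Notification-Options":
        "signed-receipt-protocol=required, pkcs7-signature; signed-receipt-micalg=required, sha256",
    "Receipt-Delivery-Option": "https://partner.example/as2/mdn",
}
SAMPLE_UNSIGNED_SYNC = {
    "AS2-From": "PARTNER-B",
    "AS2-To": "MY-AS2-ID",
    "disposition-notification-to": "as2@partner.example",
}
SAMPLE_NO_MDN = {"AS2-From": "PARTNER-C", "AS2-To": "MY-AS2-ID"}

if __name__ == "__main__":
    for sample in (SAMPLE_SIGNED_ASYNC, SAMPLE_UNSIGNED_SYNC, SAMPLE_NO_MDN):
        print(sample["AS2-From"], decide_mdn_mode(sample))
```

A receiver that cannot honour a `signed-receipt-protocol=required` request should treat the transmission as failed rather than silently returning an unsigned MDN, since the partner will reject an unsigned receipt anyway; the `signature_importance` field is what that decision keys on.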

HTTP semantics

Supported HTTP versions:

  • 1.0
  • 1.1

Supported Transfer-Encoding modes:

  • chunked
  • none (Content-Length based)

All outgoing messages use Content-Length based transfers.

TLS/SSL (HTTPS)

Supported TLS versions:

  • TLS 1.2
  • TLS 1.1
  • TLS 1.0
  • SSL v3

(Protocols below TLS 1.2 are not generally considered secure enough.)

Supported cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV

For TLS 1.1:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

For TLS 1.0:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Supported extensions:

  • server_name (SNI)
  • signature_algorithms
  • elliptic_curves
  • ec_point_formats

Supported signature algorithms:

  • SHA512withECDSA
  • SHA512withRSA
  • SHA384withECDSA
  • SHA384withRSA
  • SHA256withECDSA
  • SHA256withRSA
  • SHA256withDSA
  • SHA224withECDSA
  • SHA224withRSA
  • SHA224withDSA
  • SHA1withECDSA
  • SHA1withRSA
  • SHA1withDSA

(Some features may only be supported under specific TLS versions.)

When creating a new TLS connection, AS2G chooses the best TLS version and cipher suite from the above list that the remote system also supports, based on the information exchanged during the handshake (ClientHello and ServerHello). As a result, the actual/effective TLS version in use may be lower than TLS 1.2 (and likewise the cipher suite may be weaker than the strongest listed), depending on the capabilities of the remote/partner system.
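Because the effective version and suite depend on the partner, an operator usually wants to know what was actually negotiated and whether it meets a minimum policy. The block below is an added example (not AS2 Gateway code) that classifies suite names from the list above by key exchange, forward secrecy and AEAD mode, checks a negotiated (version, suite) pair against a TLS 1.2 / forward-secret / AEAD baseline, and builds a client-side `ssl.SSLContext` that refuses to go below TLS 1.2 on outbound HTTPS. The sample negotiations are constructed; the version labels and policy thresholds are this example's own conventions.

```python
"""Evaluate negotiated TLS (version, cipher suite) pairs against a minimum policy.
Added example, not AS2 Gateway code.  Suite names use the standard IANA/JSSE
spelling that the page's list uses; the sample pairs are constructed."""
import re
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Group 1 (non-greedy) = key-exchange/authentication part, group 2 = cipher + MAC.
SUITE_RE = re.compile(r"^(?:TLS|SSL)_([A-Z_]+?)_WITH_(.+)$")

# Higher is newer; labels are this example's own convention.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass(frozen=True)
class SuiteProfile:
    name: str
    key_exchange: str       # ECDHE_RSA, RSA, DHE_DSS, ECDH_ECDSA, ...
    forward_secrecy: bool   # ephemeral (EC)DH: a leaked long-term key does not expose past sessions
    aead: bool              # GCM (authenticated encryption) rather than CBC + HMAC
    cipher: str             # AES_256_GCM, AES_128_CBC, 3DES_EDE_CBC, ...


def classify_suite(name: str) -> Optional[SuiteProfile]:
    """Parse a suite name into its security-relevant parts.  Returns None for
    signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV, which are not suites."""
    match = SUITE_RE.match(name)
    if not match:
        return None
    kex, rest = match.group(1), match.group(2)
    return SuiteProfile(
        name=name,
        key_exchange=kex,
        forward_secrecy=kex.startswith(("ECDHE_", "DHE_")),
        aead="_GCM" in rest,
        cipher=rest.rsplit("_SHA", 1)[0],
    )


def check_negotiated(version: str, suite: str, min_version: str = "TLSv1.2") -> Tuple[bool, List[str]]:
    """Return (ok, reasons); reasons lists every policy miss so the operator can
    see why a partner connection was negotiated down or should be rejected."""
    reasons: List[str] = []
    if VERSION_RANK.get(version, -1) < VERSION_RANK[min_version]:
        reasons.append(f"protocol {version} is below {min_version}")
    profile = classify_suite(suite)
    if profile is None:
        reasons.append(f"{suite} is not a cipher suite")
    else:
        if not profile.forward_secrecy:
            reasons.append(f"{profile.key_exchange} key exchange has no forward secrecy")
        if not profile.aead:
            reasons.append(f"{profile.cipher} is CBC mode, not AEAD")
        if profile.cipher.startswith("3DES"):
            reasons.append("3DES has a 64-bit block size")
    return (not reasons, reasons)


def hardened_client_context() -> ssl.SSLContext:
    """Client context for outbound AS2 over HTTPS: nothing below TLS 1.2, and for
    TLS 1.2 only forward-secret AEAD suites (TLS 1.3 suites are all AEAD)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


# Constructed sample of (version, suite) outcomes a handshake might produce.
SAMPLE_NEGOTIATIONS = [
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"),
    ("TLSv1.2", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"),
]


def audit(pairs=SAMPLE_NEGOTIATIONS) -> List[str]:
    """Return the suites from `pairs` that fail the policy, for review or alerting."""
    return [suite for version, suite in pairs if not check_negotiated(version, suite)[0]]


if __name__ == "__main__":
    for version, suite in SAMPLE_NEGOTIATIONS:
        ok, why = check_negotiated(version, suite)
        print(f"{version:8} {suite:45} {'OK' if ok else 'FAIL: ' + '; '.join(why)}")
```

Running the audit over a partner's recorded negotiations is a cheap way to find which partners still pin the connection to a CBC or non-forward-secret suite, so they can be asked to upgrade before the weaker entries are removed from the allow-list.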

Functional specifications

File handling

  • Content-Type (MIME type) auto-detection for file submissions; overridable on supported integrations such as REST API
  • MIME type preservation/propagation for received files
  • Supports multiple path and file naming formats for saving received files into integration downstreams

MDN issuing

  • Ability to control signature encoding (binary/7bit vs. base64) of generated MDNs
  • Ability to re-send an already issued (or dispatch-failed) MDN back to the original message sender, or a chosen async-receipt URL override

Transmission configurations

  • Configure outgoing AS2 transmission time-out on a per-partner basis, to cater for high-latency or “slow” partner systems
  • Built-in queueing and throttling of outgoing traffic to avoid overloading partner endpoints
  • Specify custom HTTP request headers (e.g. routing headers) to include along with the transmission, on a per-partner basis
  • Support for message submission profiles, to maintain and pick additional pre-defined configuration sets, for each submission
  • Automatic retry of failed transfers, with customizable retry backoff/counts
  • Automatic alerts for permanent message failures
  • Maintain separate test and production configurations for the same partner/AS2 identifier
  • Temporarily pause and resume inbound/outbound traffic on a per-partner basis
  • When requesting asynchronous MDNs, option to request the MDN back over a plain (HTTP) or secure (HTTPS) URL
  • [On-premise only:] TLS client authentication (“two-way” SSL/handshake) for incoming and/or outgoing traffic

Management

  • Multi-user and multi-tenant capabilities, with role-based access control (RBAC) to different application features
  • Detailed audit trail to track all AS2 and non-AS2 configuration changes made on the account
  • Built-in certificate manager for AS2 (S/MIME) and other certificate types, with trust anchor validation, certificate generation/renewal, etc.
  • Pre-test connectivity to partner endpoints, during configuration process, without having to make actual full-fledged AS2 transmissions
  • Ability to export your AS2 and organization settings for import into another AS2G installation, deployment or platform
