Link Search Menu Expand Document

AWS S3 Integration for AS2

1 Introduction

The MFTGateway utilizes Amazon Simple Storage Service, Amazon S3 as the storage for all files exchanged through the system. Each tenant or account within the MFTGateway is assigned its own unique S3 Bucket. If you are deploying your own MFTGateway, with dedicated hosting, or on-cloud hosting within your own AWS account, the S3 region can be selected from the available AWS regions.

This section guides you on using direct S3 bucket access, for integration of AS2 communications with external systems.

2 AWS S3 Integration

2.1 Bucket Content Layout

The following hierarchy exists for each bucket, created for each MFT Gateway account. <Station-AS2-ID> refers to the AS2 ID of the local Station defined in the MFT Gateway, while <Partner-AS2-ID> refers to the AS2 ID of the remote partner. The AS2/raw-message contains the encrypted AS2 messages as-sent, or as-received, while the AS2/files contains the actual payload files without, or after decryption. It should be noted that AS2/keystore and AS2/tmp are special locations and end-users should not access them, and are listed here only for completeness.

  • AS2/files [Raw files of messages]
    • <Station-AS2-ID>/<Partner-AS2-ID>/inbox
    • <Station-AS2-ID>/<Partner-AS2-ID>/outbox
  • AS2/headers [Raw HTTP headers of messages]
    • <Station-AS2-ID>/<Partner-AS2-ID>/inbox
    • <Station-AS2-ID>/<Partner-AS2-ID>/outbox
  • AS2/keystore [Key stores]
    • https.jks [SSL/TLS certificates and keypairs]
    • identity.jks [AS2 Station encryption/signature certificates]
    • trust.jks [AS2 Partner certificates]
  • AS2/raw-mdn [Raw MDNs]
    • incoming
    • outgoing
  • AS2/raw-message [Raw AS2 messages]
    • <Station-AS2-ID>/<Partner-AS2-ID>/inbox
    • <Station-AS2-ID>/<Partner-AS2-ID>/outbox
  • AS2/send [Send location]
  • AS2/tmp [Temporary file location]

2.2 Default S3 Lifecycle rules

MFT Gateway enables S3 lifecycle rules by default to manage transactional objects stored in buckets. Objects stored under the following directories of the S3 bucket will be moved to non-current status after 35 days, and will be permanently deleted after another 35 days. i.e. Objects will be deleted 70 days since creation.

  • AS2/files
  • AS2/raw-message
  • AS2/raw-mdn
  • AS2/headers

Objects stored in AS2/tmp directory will be moved into non-current status after 1 day, and will be permanently deleted after 2 days from the creation.

2.3 Access Keys

MFT Gateway allows access to the S3 bucket via AWS access keys. To obtain a new access keypair, expiring any previously issues credentials, navigate to the S3 Integration Page. Before the first credential creation, you will need to tick the checkbox to confirm that you have read and understood the terms. Then click ‘Enable S3’, and your keypair will be downloaded as a comma separated value (CSV) format file. Note the S3 bucket name assigned to your account, as it will be required for all subsequent access.

The keys can be downloaded only once. You can create a new key pair replacing the previous keys

S3 Integration

Once an access keypair is created, you can either disable S3 integration, or generate a new credential pair, which will invalidate previously issued keypairs. S3 access disable or modity

Once the keys are ready, you can use them to access the bucket through the AWS SDK (available for several programming languages) or ready-made tools like s3cmd, or the AWS CLI.

e.g.

export AWS_ACCESS_KEY_ID=yourAccessKey
export AWS_SECRET_ACCESS_KEY=yourAccessSecret
export AWS_DEFAULT_REGION=us-east-1

aws s3 ls s3://<mftg-yourtenantname>

3 Automation via S3 API/Tools

3.1 Sending Files

To submit a file to be sent over AS2, copy it (i.e. PutObject) to the S3 location AS2/send/<station-AS2-id>/<partner-AS2-id>/. If you want to send a single file, you can copy it directly to this location (or S3 prefix). If you have more than one file to be submitted as a single AS2 message, zip the files into a single archive, and then upload the archive.

e.g

aws s3 cp <local-file> s3://<mftg-bucketname>/AS2/send/<station-AS2-id>/<partner-AS2-id>/

After a file has been submitted for send, the system will be automatically triggered, and will perform the AS2 communications process to send the file to the designated partner. The processed file will be placed into the AS2/files/<Station-AS2-ID>/<Partner-AS2-ID/outbox location

Files uploaded with same name within a 6 hour window will be considered as duplicates and will not be processed. If you need to submit files with the same name, add a postfix to the filename, such as an extension

S3 triggers only apply for the content directly uploaded to the above mentioned directory / S3 prefix. Any content copied or moved within the S3 bucket itself, will be ignored

3.2 Receiving Files

Received files will be persisted to the AS2/files/<station-AS2-id>/<partner-AS2-id>/inbox. You can fetch/download these payload files through the (GetObject) call.

e.g

aws s3 cp s3://<mftg-bucketname>/AS2/files/<station-AS2-id>/<partner-AS2-id>/inbox/<timestamp-random-number>/<attachment-name> <local-path>

Note that each message will have a unique path / S3 prefix, with the timestamp followed by a random number, within which the actual attachments will be found.

3.3 Accessing MDNs, sent files, HTTP headers and raw messages

If required, the MDN’s sent and received, files successfully sent, raw (encrypted) messages or message headers can be downloaded from the S3 locations as listed in the bucket layout.