How to Apply a Digital Signature on AS2 MDNs | JSCAPE
To avoid compatibility issues, you should keep your MFT Gateway agents updated to match your Gateway instance. Learn how to update the Agents online.
To ensure non-repudiation of AS2 receipts, you need to affix digital signatures to your AS2 Message Disposition Notifications or MDNs. We'll teach you how to do that in this post.
Message Disposition Notifications or MDNs are important elements of AS2 data transfers. They basically serve as electronic receipts that enable message senders to determine whether a particular message they sent to a trading partner was actually received by that trading partner.
Watch the video
Would you prefer to watch a video version of this tutorial instead? You can play the video below. Otherwise, just skip it if you wish to continue reading.
But what if an attacker intercepts the message and sends out a bogus MDN to trick the sender into thinking that the message reached its intended destination? That can be a problem. In fact, if the attacker succeeds in intercepting one message, it's possible that it can also intercept all other succeeding AS2 messages.
To prevent that from happening, the AS2 receiver can digitally sign each MDN receipt with its private key. Upon receiving the MDN, the AS2 sender, who presumably has a copy of that private key's corresponding public key, can verify the authenticity of the source of that MDN receipt. If the digital signature is proven to come from the intended AS2 receiver, the MDN receipt can be considered valid.
Another benefit of having AS2 receivers digitally sign MDNs is that, it would prevent that AS2 receiver from denying having sent a particular MDN and having received a particular AS2 message, for whatever reason, even if it actually did so.
Setting up JSCAPE MFT Server instances for AS2 MDN digital signatures is easy.
Enabling MDN receipt signing on the receiving end
Note: This is done on the AS2 receiver
In the AS2 receiver side, go to Settings > Web > AS2 tab, and then tick the Receipt signing key checkbox. Next, expand the adjacent drop-down list and then select a signing key. The contents of this list is sourced from the Server Keys module. You can also choose a suitable receipt signature algorithm. We've picked SHA256 because it's secure enough and it's widely used.
Click Apply to proceed.
Exporting the public key digital certificate
Now that you have already chosen the private key that JSCAPE MFT Server would use for signing AS2 MDNs, the next step would be to export that private key's corresponding public key. Once you've exported that key, you could then hand it over to your trading partner's server admin, who will then import that key into their AS2 host.
To export the public key, just go to Keys > Server Keys, and then select the alias of the key you selected earlier in the AS2 tab. So, in our case, that would be as2server2crypt. Next, click the Export button and then the Certificate button...
Specify a filename, or leave it as is, select the X509 format, and then click OK.
And then click Save File.
You can then hand over the newly exported digital certificate file, which contains the public key, to your trading partner's server admin.
Importing the public key digital certificate on the sending end
Note: This is done on the AS2 sender
If the AS2 sender happens to be an instance of JSCAPE MFT Server, this is what you would do to import that public key digital certificate file. Just go to Keys > Host Keys, click Import, and then click Import File.
Assign an alias to this key and then select the public key digital certificate from your file system.
Once the file has been successfully imported, you should then be able to see its alias in your list of Host Keys.
There's one more step left to do. Go to Domains and double-click the domain that contains the Trading Partner object that corresponds to your trading partner.>
Go to the Trading Partners module, select the trading partner in question, and click Edit.
Next, scroll down until you see the checkbox that says 'Receipt signature required'. Tick that. That will ensure that all incoming receipts from this trading partner will have a digital signature. Any MDN that doesn't have a digital signature will be rejected.
That's it. Now you know how to apply digital signatures to your AS2 MDNs using JSCAPE MFT Server.
Would you like to try this out yourself? Download the FREE, fully-functional Starter Edition of JSCAPE MFT Server now.
What is AS2 Protocol? | How to Use Applicability Statement 2
How to Setup an AS2 Server with JSCAPE - A QuickStart Guide
How To Set Up An Automated AS2 File Transfer
AS2 Message Tutorial on Applying Digital Signatures
Setting Up Client Certificate Authentication On An AS2 Server