How to Apply a Digital Signature on AS2 MDNs | JSCAPE

To avoid compatibility issues, you should keep your MFT Gateway agents updated to match your Gateway instance. Learn how to update the Agents online.
  1. Blog

To ensure non-repudiation of AS2 receipts, you need to affix digital signatures to your AS2 Message Disposition Notifications or MDNs. We'll teach you how to do that in this post.

Message Disposition Notifications or MDNs are important elements of AS2 data transfers. They basically serve as electronic receipts that enable message senders to determine whether a particular message they sent to a trading partner was actually received by that trading partner.

as2 message mdn-1

Watch the video

Would you prefer to watch a video version of this tutorial instead? You can play the video below. Otherwise, just skip it if you wish to continue reading.

But what if an attacker intercepts the message and sends out a bogus MDN to trick the sender into thinking that the message reached its intended destination? That can be a problem. In fact, if the attacker succeeds in intercepting one message, it's possible that it can also intercept all other succeeding AS2 messages.

as2 mdn attacker

To prevent that from happening, the AS2 receiver can digitally sign each MDN receipt with its private key. Upon receiving the MDN, the AS2 sender, who presumably has a copy of that private key's corresponding public key, can verify the authenticity of the source of that MDN receipt. If the digital signature is proven to come from the intended AS2 receiver, the MDN receipt can be considered valid.

as2 mdn with digital signature-1

bogus as2 mdn denied

Another benefit of having AS2 receivers digitally sign MDNs is that, it would prevent that AS2 receiver from denying having sent a particular MDN and having received a particular AS2 message, for whatever reason, even if it actually did so.

non repudiation as2 mdn digital signature

Setting up JSCAPE MFT Server instances for AS2 MDN digital signatures is easy.

Enabling MDN receipt signing on the receiving end

Note: This is done on the AS2 receiver

In the AS2 receiver side, go to Settings > Web > AS2 tab, and then tick the Receipt signing key checkbox. Next, expand the adjacent drop-down list and then select a signing key. The contents of this list is sourced from the Server Keys module. You can also choose a suitable receipt signature algorithm. We've picked SHA256 because it's secure enough and it's widely used.

Click Apply to proceed.

as2 receipt signing key

Exporting the public key digital certificate

Now that you have already chosen the private key that JSCAPE MFT Server would use for signing AS2 MDNs, the next step would be to export that private key's corresponding public key. Once you've exported that key, you could then hand it over to your trading partner's server admin, who will then import that key into their AS2 host.

To export the public key, just go to Keys > Server Keys, and then select the alias of the key you selected earlier in the AS2 tab. So, in our case, that would be as2server2crypt. Next, click the Export button and then the Certificate button...

export digital certificate server keys

Specify a filename, or leave it as is, select the X509 format, and then click OK.

export certificate x509-1

And then click Save File.

save digital certificate export

You can then hand over the newly exported digital certificate file, which contains the public key, to your trading partner's server admin.

Importing the public key digital certificate on the sending end

Note: This is done on the AS2 sender

If the AS2 sender happens to be an instance of JSCAPE MFT Server, this is what you would do to import that public key digital certificate file. Just go to Keys > Host Keys, click Import, and then click Import File.

import digital certificate to host keys

Assign an alias to this key and then select the public key digital certificate from your file system.

import public key crt

Once the file has been successfully imported, you should then be able to see its alias in your list of Host Keys.

newly imported public key in host keys-1

There's one more step left to do. Go to Domains and double-click the domain that contains the Trading Partner object that corresponds to your trading partner.


edit domain mft server

Go to the Trading Partners module, select the trading partner in question, and click Edit.

edit trading partner

Next, scroll down until you see the checkbox that says 'Receipt signature required'. Tick that. That will ensure that all incoming receipts from this trading partner will have a digital signature. Any MDN that doesn't have a digital signature will be rejected.

receipt signature required

That's it. Now you know how to apply digital signatures to your AS2 MDNs using JSCAPE MFT Server.

Would you like to try this out yourself? Download the FREE, fully-functional Starter Edition of JSCAPE MFT Server now.

Related posts

What is a Digital Signature?

What is AS2 Protocol? | How to Use Applicability Statement 2

What is an AS2 MDN?

How to Setup an AS2 Server with JSCAPE - A QuickStart Guide

How To Set Up An Automated AS2 File Transfer

Applying AS2 Encryption

AS2 Message Tutorial on Applying Digital Signatures

Setting Up Client Certificate Authentication On An AS2 Server