What is AS2 protocol? How to use Applicability Statement 2

AS2 (Applicability Statement 2) is a secure file transfer protocol used for automated, server-to-server transfers. It ensures message integrity, confidentiality, and reliability, making it ideal for exchanging business documents like purchase orders and invoices. Based on HTTP and S/MIME, AS2 supports encrypted transfers and digital signatures, offering robust security for sensitive data exchanges.
  1. Blog

Overview: What is the AS2 file transfer protocol?

AS2 (Applicability Statement 2) is a file transfer protocol that enables organizations to conduct fully automated, server-to-server file transfers. You can use it to exchange business documents with one or more parties in a paper-free manner. AS2 can be used for exchanging digitized purchase orders, invoices, healthcare claims and other types of business documents. By exchanging these files through AS2, you can ensure message integrity, confidentiality and reliability.

AS2 is based on the Hypertext Transfer Protocol (HTTP) and incorporates Secure/Multipurpose Internet Email Extensions (S/MIME) for business-grade messaging. AS2’s built-in electronic receipt functionality, known as Message Disposition Notification (MDN), is a function of S/MIME. Since firewalls are normally configured to allow HTTP and HTTPS (HTTP secure) connections, you won’t have to apply any configuration changes to your firewall for AS2 to work.

The AS2 protocol can transfer almost any type of file over the Internet. However, it’s more closely associated with EDI messages. To get a good grasp of AS2, you need to understand what Electronic Data Interchange is first.

What Is Electronic Data Interchange (EDI)?

EDI is a standardized, scalable and efficient method for exchanging digitized business documents used in inter-organizational and intra-organizational transactions. It originated in the transportation industry in the 1960s, but was eventually adopted by other industries like retail, e-commerce, healthcare and manufacturing.

When two organizations or two departments (in the case of intra-organizational transfers) transact or participate in a business process, they normally exchange supporting documents. For example, a manufacturer and its supplier may exchange requests for quotations (RFQs), purchase orders, shipping notices, invoices and so on. Or, in the healthcare industry, hospitals and insurance companies may exchange healthcare claims, eligibility verification, claim status inquiries and so on.

These supporting documents used to be exchanged in paper format. As you might have experienced yourself, manual processing of paper-based documents is error-prone, slow and inefficient. To streamline the processes involved, many organizations replace paper-based documents with electronic documents. Some of these companies manually encode the supporting document and then send it to the other party via email. Others, on the other hand, use EDI.

EDI-based transactions are usually carried out automatically between computer systems. They rarely involve human intervention. In most cases, humans only get involved when the systems require maintenance, troubleshooting or audits.

EDI documents follow a standardized format or structure. By leveraging automation scripts, integration middleware, EDI translation tools or other intermediary software, you can automatically generate EDI documents using data sourced from business applications (e.g. those used in inventory, accounting, sales, purchasing, etc.) or an Enterprise Resource Planning (ERP) system. Similarly, you can automatically extract data from an EDI message and make it available to business applications and your ERP system.

This diagram illustrates what we mean:

Electronic Data Interchange (EDI)

You can gain substantial benefits when you exchange business documents through EDI. For instance, you can:

  • Automate and streamline data transfer workflows and business processes
  • Eliminate manual entries and, in turn, minimize the risk of human error
  • Enable two organizations to exchange data even if they each employ entirely different IT systems and document/data formats
  • Eliminate the use of paper and the costs associated with it (e.g. costs of sorting, searching, mailing, collecting and distributing documents)
  • Simplify storage of transaction data
  • Streamline corporate governance initiatives and simplify audits

Some of the first adopters of electronic data interchange came from the automotive industry. Car manufacturers used EDI alongside Just-In-Time and Lean Manufacturing processes. EDI made it possible for the geographically dispersed and heterogeneous systems of car manufacturers and their different suppliers to connect and transact quickly, seamlessly and efficiently. Today, EDI is implemented across various industries, including finance, insurance, logistics, supply chain and many others.

In the United States healthcare industry, the use of EDI is mandated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s key objectives include the standardization of health care transactions, an undertaking that’s perfect for EDI.

But where does AS2 fit into all this?

Do you see that orange bi-directional arrow in the diagram above, the one connecting Company A and Company B? AS2 plays a crucial role in that area .

JSCAPE MFT Server Trial

Let's talk about it further and if you want to experience AS2 in action, request a free JSCAPE MFT Server trial.

The role of AS2 in EDI

Two parties that exchange information through EDI are called trading partners. When two trading partners operate in two different geographical locations, they must agree on a common method for transmitting and receiving EDI messages across a wide area network (WAN). In the past, the most common solution for this type of undertaking used to be a Value Added Network (VAN).

VANs are third-party service providers that act like post offices. They receive EDI messages from a sending trading partner and then forward them to the receiving trading partner. For this method to work, both trading partners must subscribe to either the same VAN or to interconnected VANs.

These days, however, organizations are shifting from VANs to internet-based solutions that use file transfer protocols like standard File Transfer Protocol (FTP), SSH File Transfer Protocol (SFTP) and AS2. 

This shift, which cuts the middleman, is largely due to the lower barrier to adoption and Total Cost of Ownership (TCO) associated with using internet-based protocols compared to VANs. Most organizations are already connected to the internet and are even actively using internet-based solutions. Thus, by going this route, organizations can leverage existing infrastructure. It also means organizations can easily onboard new trading partners through this option.

One of the biggest problems with exchanging EDI data over the internet, however, is the increased exposure to cyber threats. Since most EDI transactions involve sensitive data, they have to be secured. AS2 readily provides the security needed to address this problem.

AS2 in EDI

A snapshot of AS2 security

AS2 is equipped with features that enable secure file transfers. These features include:

  • Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption: Prevents eavesdroppers from viewing the contents of your EDI messages. SSL/TLS combines asymmetric cryptography, which uses private keys and public keys for encryption and decryption, with symmetric cryptographic algorithm like AES to preserve data confidentiality. You can take advantage of SSL/TLS security when you run your AS2 connections over HTTPS.
  • Digital signatures: A digital signature affixed by a sending trading partner allows the receiving party to verify whether the EDI message it received came from a legitimate sender and not an impostor. Similarly, a digital signature affixed by a receiving trading partner allows the sending party to verify whether the intended recipient received the message. In other words, it can be used to enforce non-repudiation and avoid disputes.
  • Hashing algorithms: Hashing algorithms like SHA-1, MD5 and SHA-2 enable recipients to check received messages for data integrity. If a message is tampered along the way, the hashing algorithm can detect it.
  • Digital certificates: Enable trading partners to authenticate each other. Mutual authentication ensures that both parties only transact with legitimate trading partners and not impostors. In order to strengthen the reliability of your digital certificates, a certificate authority must digitally sign them.
  • Message Disposition Notification (MDN): Acts as an electronic receipt. It essentially serves as a confirmation that an AS2 transfer went through successfully. Once the EDI message arrives, the receiving server may issue an MDN, affix its digital signature to it, and then send it back to the message sender.

    An AS2 solution can be configured to send the MDN back over the same HTTP/S connection used to deliver the original EDI message. This is known as Synchronous MDN or Sync MDN. Alternatively, an AS2 solution can also be configured to send the MDN later over a different HTTP/S connection. This is known as asynchronous MDN or ASync MDN.

AS2’s built-in security features make it suitable for business-to-business (B2B) data exchanges. For this reason, large enterprises like Walmart, Unilever and General Motors, either require or recommend the use of AS2. If you need to transact with large enterprises, you may have to adopt AS2 to achieve interoperability with those enterprises.

If all this still sounds vague, an overview of how a typical AS2 data transfer works might enlighten you.

How an AS2 secure file transfer is carried out

To ensure data security, AS2 file transfers are usually sent over HTTPS. HTTPS encrypts data in transit using SSL/TLS. It also enables trading partners to use digital certificates for mutual authentication. For added security, you can augment HTTPS with AS2’s built-in encryption functionality. Regardless whether you use AS2’s built-in encryption or not, an AS2 transmission done over HTTPS is already secure and looks like this:

Note: The AS2 server in the diagram below corresponds to the machine marked "Communications" in the previous diagram.

AS2 server

Let’s break that diagram down:

  1. The AS2 server retrieves an EDI message generated by an EDI translation/EDI mapping tool.
  2. The server encrypts the message and affixes a digital signature.
  3. The server sends the encrypted message across the internet to the intended recipient. This is done through AS2.
  4. The receiving AS2 solution decrypts the message using a decryption key previously obtained from the sender. It also authenticates the sender by inspecting the sender’s digital signature, again using a key obtained from the sender. Note: Before two parties transact using AS2, they typically exchange keys embedded in digital certificates. This is a function of SSL/TLS and other cryptographic protocols that are based on public key encryption. To learn more about public key encryption, read the article "Roles of Server and Client Keys in Secure File Transfers."
  5. The server makes the EDI message available to the recipient’s EDI translation tool. The translation tool in turn extracts relevant data and makes it available to the recipient’s business applications or ERP system.

If MDN is enabled, one more step would be added. This is how the AS2 process flow shown earlier would then look like.


Benefits of AS2 EDI

Rising cyber threats and increased pressure to achieve regulatory compliance is pushing business leaders to focus more on data security. These factors further strengthen the case to deliver EDI transactions through AS2. That said AS2 offers more business benefits than just enhanced security. These benefits include the following:

  • Lower costs: AS2 offers lower TCO compared to VANs in delivering EDI messages.
  • Improved interoperability: Being an internet standard, AS2 makes it possible to transact with any business or organization that has internet connectivity.
  • Reduced manual tasks: AS2-based data exchanges are usually automated. Automation saves time, reduces manual errors and enables real-time messaging.
  • Extensive document type support: AS2 can transfer any document payload, including EDI X12, EDIFACT and XML.

What kind of AS2 file transfer software should you use?

The best way to implement AS2 is through a managed file transfer (MFT) server. An MFT server like JSCAPE MFT Server by Redwood can augment AS2’s built-in security functions with complementary security features such as data-at-rest encryption, logging, access control, data loss prevention (DLP), strong authentication and many other essential attributes of a secure file transfer.

DLP, in particular, can help you detect sensitive data in your EDI messages and prevent it from leaking out. The presence of this capability is crucial for companies operating in industries governed by laws and regulations like PCI-DSS, HIPAA, SOX and GLBA.

A managed file transfer server doesn’t just support AS2. It also supports a wide range of other file transfer protocols such as FTP/S, HTTP/S, SFTP and Odette File Transfer Protocol (OFTP). This will allow you to interoperate with any trading partner that prefers to exchange data through other file transfer protocols. JSCAPE MFT is Drummond-certified. The Drummond Group tests software applications to ensure reliability and interoperability between certified products.

Lastly, a managed file transfer server like JSCAPE MFT Server is fully equipped with automation-enabling capabilities. These capabilities enable you to automate business processes. To learn more about JSCAPE MFT Server’s automation features, view these videos:

Using trading partners in JSCAPE MFT Server - part 1

Using trading partners in JSCAPE MFT Server - part 2

or read these posts:

Using triggers to automate file deletion

Using regular expressions in triggers - part 1

Indeed, JSCAPE MFT Server is built to accomplish a full range of file transfer workflows.

Get your free trial or Get a Product Demo

Would you like to try this yourself? JSCAPE MFT Server is platform-agnostic and can be installed on Microsoft Windows, Linux, Mac OS X and Solaris. Additionally, JSCAPE enables you to handle large file transfers and any file type, including batch files and XML. JSCAPE MFT Server also has an API that allows you to manage it programmatically. Ready to evaluate JSCAPE in your own environment? Here are your next steps: