
AS2—Meeting the Challenges of B2B Commerce

How to Use the AS2 Protocol for Transporting Data Securely and Reliably Across the Internet

By John Radko, VP Enterprise Architecture, GXS

A GXS Thought Leadership White Paper


Table of Contents

Executive Summary

Why AS2? The Business Case

How AS2 Works

AS2—Meeting the Challenges of B2B Commerce

Introducing AS2 to Your Business—Implementing the Technical Solution

1. Firewall Security

2. Digital Certificates

3. HTTP Protocol

4. Receipts

5. Encryption Algorithm

6. Signature Algorithm

Introducing AS2 to Your Business—Managing Relationships

Getting Started with AS2

GXS Offers a Range of AS2 Solutions to Meet Your Business Needs:

Summary


Executive Summary

The availability of and ease of access to the Internet presents a huge opportunity for companies to be able to connect more easily and cheaply to both existing and new B2B partners—if they can find ways to share data securely over this very public network. A B2B communications standard introduced in 2002, AS2 is addressing this need, bringing the traditional benefits of electronic data interchange (EDI) to smaller companies with limited budgets and slashing the costs of online transactions for large companies.

AS2 works by providing an “envelope” for the data, allowing it to be sent over the Internet (or another TCP/IP-based network) using the HTTP protocol, which powers the World Wide Web. The receiving organisation’s server then listens out for messages addressed to it. Like a call to a phone with no answering machine, the message will be missed if your server is not available to take the call; so, many organisations decide to use a service provider such as GXS to provide AS2 connectivity. Of course, this approach also means you benefit from GXS’ shared infrastructure, skills and security.

AS2 can handle any kind of document but is ideally suited to the kind of transactions that have traditionally made up the bulk of EDI exchanges. Just as with EDI document exchanges before the availability of the Internet, you can extract data from internal systems and use a translator to transform it into the appropriate standard before dispatching it. You can then process the data you send and receive in the same way.

There are two key differences between traditional EDI document exchanges and those EDI document exchanges using AS2 for transmission over the Internet, however. The first is that AS2 operates only over networks running the TCP/IP protocol. The second is that the receiving computer must be connected to the Internet at the time the document is sent. Together, these factors mean that if you decide to develop an AS2 capability in-house rather than work through a service provider, both you and your trading partners must use AS2 and both of you must be communicating over TCP/IP-based networks such as the Internet.

Before you can begin using AS2, you need to make a number of choices—in conjunction with your trading partners—about how you will transact online. This paper takes you through these decisions and shows how to get online with AS2 effectively.

Whether you are introducing AS2 at the request of a trading partner or rolling AS2 out to your own trading partners, GXS can help you with these steps. GXS offers a number of solutions and our clients are already benefiting from AS2 on a global basis. AS2 has become one of the key standards for B2B commerce, and GXS has helped make this happen by assisting many customers in their implementation of this powerful protocol.


Why AS2? The Business Case

At a minimum, B2B commerce requires:

• Partners to use common data formats (these days, typically EDI or XML)

• Common network connectivity, so that a network path exists between trading partners

• Secure document delivery, so that only the intended recipient receives the message

• Secure document transmission, so that no one can read the document in transit

• Non-repudiation, so that the recipient can be sure that a document was actually sent by the claimed sender

• Reliable document status, so that a sender knows exactly what has happened to a document

Ideally, a B2B commerce system would also offer:

• The ability to manage partner relationships, control who information is shared with, and what kind of information can be shared with different types of partners

• The ability to convert data into a form acceptable to the recipient

• The ability to send data using a range of protocols (such as secure FTP, FTP over VPN, and so on) and to make use of different carrier services, such as traditional value-added networks or other third-party integration service providers.

Some parts of this challenge—for example, common formats and functional acknowledgement—have been solved through the development of a range of data standards, such as ANSI, EDIFACT and forms of XML aimed at the B2B commerce environment, such as cXML and OAG BODs. Connectivity through the ever-evolving choice of protocols was traditionally achieved using a mix of private and shared value-added networks, adding to the complexity of the communication process, especially where smaller organisations were involved. The rapid growth of the Internet to the point of near universal connectivity is now allowing trading partners to carve out the pathways between them more easily—but at the expense of other requirements such as security, privacy and manageability.

An Internet standard created by the EDI over the Internet (EDIINT) task force of the Internet Engineering Task Force (IETF)—the body that develops the standards used on the Internet—addresses these concerns. Called AS2 (which stands for Applicability Statement 2), it was created to allow the secure and reliable transmission of documents over the Internet using the HTTP protocol.

In simple terms, if you can “surf the web”, you have the basic infrastructure needed to send AS2-compliant documents and to exchange documents with other organisations also running AS2-compliant software—without needing to know anything about the specifics of their systems. If your organisation can host a website 24x7, you have the basic infrastructure for receiving documents from partners via AS2—again without needing to know any technical specifics about their platforms.

Companies may question the need for yet another online standard—but there are good reasons why they should consider AS2. First, AS2 has been designed for both business messaging and the Internet, meaning it works particularly well for the exchange of business documents. Unlike traditional data-oriented protocols like FTP (which remains the leading TCP/IP-based protocol for B2B, eclipsing even AS2), it addresses issues such as document encryption and signatures, and offers receipts. And unlike other e-commerce specific standards, like ebXML or RosettaNet, it allows companies to continue to use existing internal processes, demanding changes only to the mechanisms actually used to exchange documents with partners. Although large enterprises will continue to make significant investments in e-commerce to handle high volumes of transactions, smaller partners with lower transaction volumes will now be able to afford the same features through relatively inexpensive software or outsourcing services. This should significantly increase the number of trading partners exchanging information electronically.

Second, AS2 may offer some cost savings over more traditional approaches to data exchange when both partners are using AS2 and when very high volumes of data need to be exchanged or when companies are migrating from legacy direct connects—although implementing it and managing the AS2 environment ongoing will still involve software, hardware and professional service fees.

This paper explains how AS2 works, what role it can play in your e-commerce operations and the issues you may face when implementing it.

How AS2 Works

The AS2 standard defines an envelope for data that enables it to be sent over the Internet using the HTTP protocol. AS2 can handle any kind of document but is ideally suited to the kind of transactions that have traditionally made up the bulk of EDI exchanges. Just as with EDI, you can extract data from internal systems and use a translator to transform it into the appropriate standard before dispatching it. You can then process the data you send and receive in the same way (for example, sending acknowledgement that a message has been received).

[Figure 1: “Traditional” B2B Implementation (simplified). Partner “A” and Partner “B” each show a Line of Business App, an EDI/XML Translator and a Comms Gateway.]


In the above picture depicting a simplified traditional B2B program, only the area within the red oval—the communications gateways—is affected by the AS2 implementation. The areas outlined in green may continue to work in the same way. The limited change required is part of the reason AS2 has been adopted so quickly by many organisations.

There are two key differences between traditional EDI and AS2, however. The first is that AS2 operates only over networks running the TCP/IP protocol—which actually makes it ideal for situations in which you do not have a private network in place with trading partners and want to work through a public network like the Internet. However, it does mean that—as with the introduction of any new standard—you will probably need to continue to support transactions flowing over networks that are not Internet-based, using protocols that are not AS2, for some time to come.

The second difference is that the receiving computer must be connected to the Internet at the time the document is sent. It is like a phone with no answering machine: if you do not answer it, you miss the call. You need to have a server constantly listening for inbound documents and inbound HTTP connections, just as a web server does.

While many people use web browsers to access content on the Internet, very few of us actually run web servers offering content to the general public. Most businesses turn to dedicated service providers to host their web sites, taking advantage of the cost benefits of shared infrastructure, the skills offered by the service provider’s team and the higher levels of security which service providers are able to develop as a result of their expertise and ability to spread costs over multiple clients.

Together, these factors mean that if you decide to develop an AS2 capability in-house rather than work through a service provider, both you and your trading partners must use AS2 and both of you must be communicating over TCP/IP-based networks such as the Internet.

One option for implementing AS2 is to outsource your e-commerce connectivity to a service provider. The service provider will typically support all the protocols used by trading partners and will also implement new protocols, such as AS3 or AS4, as they are developed. Your organisation can send all its messages to the service provider using a single protocol (whether that’s AS2, FTP or something else) and leave it up to the service provider to handle the translation needed to deliver it to trading partners using the standards they prefer.

Alternatively, you may choose to use a hybrid approach in which you connect directly via AS2 with those trading partners for whom that makes sense and also use AS2 as your connectivity method to a service provider. It will then be up to your service provider to handle connectivity to other kinds of networks and translation to other protocols as needed by the rest of your trading partners. This greatly simplifies your internal operations for several reasons:

1) your company has only a single protocol to manage

2) it enables you to leverage the value-added services of a service provider, including helping to get your trading partners online and providing ongoing support, and

3) it positions you to easily react to constant change that takes place in the IT industry and thus avoid the complexity and management headaches associated with those changes.

AS2—Meeting the Challenges of B2B Commerce

When using the Internet it is important that AS2 messaging provides security and reliability, and it does. In many cases, the AS2 standard builds on previous standards in these areas. For example, the use of digital certificates ensures that documents are delivered only to the intended recipient, that they are secured in transit, and that the sender can be verified. The AS2 standard works with some of the strongest encryption and signature algorithms available commercially, giving you the confidence that your documents will remain secure.

In addition, you need to secure your system from malicious attacks and ensure you are only exchanging data with known partners. These are network security issues not addressed by the AS2 standard. This can be resolved by using routers to isolate the AS2 server and control the traffic reaching it, or through implementation of one of the many firewall solutions available in the market.

Assuring reliable document status—so that documents don’t “get lost in the system”—typically requires tracking the progress of the document in four ways. Three of these apply to any standard that automates the exchange of documents (see Figure 2):

• The communication status confirms that data was received at a network level (for example, that all 256 bytes expected were actually transferred)

• The functional acknowledgement confirms that a valid message was received by the e-commerce application (for instance, that the EDI envelope was opened and contained a valid or structurally correct document); and

• The business acknowledgement confirms the content of the message and that it has been dealt with in an appropriate way (for example, a purchase order acknowledgement agrees to fulfill the orders made in a purchase order)

[Figure 2: Document Status Tracking. 3 Basic Statuses: Business Status (from business app), Functional Status (from Translator), Comms Status (from Gateway). AS2 Adds 4th Status: AS2 Status (MDN document).]

The AS2 standard adds a fourth kind of status—the MDN, or message disposition notification (see Figure 2). Because AS2 places a message in an envelope to enable it to be sent over HTTP, you need to know that the message was successfully extracted from that envelope. In fact, the AS2 envelope may contain another envelope (ANSI EDI, for instance) with the actual document inside that.

AS2 software will generally manage both communication status and envelope extraction status, while AS2 services providers will also usually deal with functional status. The way in which you monitor business status will depend on your own business processes and the software you are using internally to manage those processes.

Introducing AS2 to Your Business—Implementing the Technical Solution

Before you can begin sharing documents using AS2, you need to make a number of decisions—some internal and some in conjunction with your trading partners.

1. Firewall Security

First, it is important to realise that running AS2 software means you are allowing receipt of transactions or documents from the Internet. You need to consider how to secure this “doorway” against malicious attacks. The most common approach is the use of a firewall, which looks at incoming transactions and filters them according to the rules you define. Two ways you might configure your firewall are:

• Allow each trading partner to send AS2 on a specific “port”, or network address. The firewall can be configured to accept transactions for that port only from specific sources (such as the IP address of a particular trading partner). This is a very safe approach but considerably increases the overhead involved in setting up a new partner

• Use a DMZ (or de-militarised zone): all AS2 traffic comes in on a port through the firewall, but the computer running AS2 can only talk to other computers in your organisation through a further firewall. This configuration eliminates the need to set up a separate security solution for each trading partner, but makes up for the lower security of letting any traffic into the computer running AS2 by isolating it from other computers

2. Digital Certificates

The next step is to decide how to manage the digital certificates you will be using. You can either generate your own certificates or use one of the Certificate Authorities (CAs), such as Verisign and Entrust, to manage the process for you. As well as handling the routine administration of certificates, the checks run by CAs provide additional assurance to trading partners that the holder of a certificate is who they claim to be. On top of that, CAs can “revoke” a certificate before it expires if it is “compromised” and will advise you to change your certificate if they suspect it has been compromised.


CA certificates also contain an expiration date that will prompt the CA to verify the identity of your trading partner on a regular basis, increasing the security of the system still further. Clearly, you will need to pay an annual fee for the CA’s services.

The alternative to using a CA is to get everyone to “self-generate” certificates, allowing them to set their own expiration dates. This simplifies the management headache but does reduce the security of the system, since no organisation is “policing” the system and confirming that a certificate does belong to the person it appears to come from. Moreover, if you have many trading partners, adding and updating certificates can become a significant burden. The self-generated certificate model is currently more common in B2B as many B2B software applications include a certificate self-generation capability.

If your trading partners set the rules, you may need to support both models, with some partners asking you to use a certificate from a CA, while others will accept self-generated certificates.

Whichever route you choose, you must be careful not to lose access to your private key (by forgetting your own password, for instance), since neither a CA nor a system that self-generates certificates can retrieve it. In these circumstances, you will need to generate a new certificate and distribute it to all your trading partners, and you or your partners may need to re-send some documents if they were sent using the old key.

3. HTTP Protocol

A third decision is whether or not to use the secure HTTP protocol. If you are already using digital certificates to sign your messages through encryption, this is probably not necessary, since layering encryption does not usually strengthen security, while it increases the overhead of transmission. Secure HTTP can be used if the content is not already encrypted, but GXS recommends encrypting all content using digital certificates as a matter of course, since this allows you and your trading partners to confirm that content has really been sent by the organisation named on the document, as well as ensuring confidentiality by preventing data from being intercepted in transit.

4. Receipts

A more complex decision is which of the five options for handling receipts (known as message disposition notification or MDN) you should use. The choices are:

• No receipt: this is a poor choice, since it generates no audit trail

• Plain receipt: returned immediately to signify that a message has been received, but not signed by the recipient

• Signed receipt: returned immediately and signed. This provides the strongest audit trail, since it not only confirms that the message was received but also that the receiver was probably the intended recipient, since they had access to the private key of the intended recipient

• Asynchronous plain receipt: the same format as the plain receipt but sent later rather than immediately

• Asynchronous signed receipt: the same format as the signed receipt but, again, sent later rather than immediately


The document the sender sends specifies the form of receipt you must send back, so you need to make sure your software can support all five options. You can make this choice yourself when sending documents—although your trading partners may ask you to request a particular form of receipt to ensure their own audit trail meets their needs. The form of receipt needs to be specified for each partner when you set up your AS2 software.
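How a receiver can work out which of the five receipt options an inbound message asks for, as an added example that is not part of the GXS paper. It reads the MDN request headers defined for AS2 in RFC 4130 (Disposition-Notification-To, Disposition-Notification-Options, Receipt-Delivery-Option); the function names, sample header values and host names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class ReceiptRequest:
    kind: str                          # one of the paper's five receipt options
    async_url: Optional[str] = None    # where an asynchronous MDN must be sent
    mic_algorithms: List[str] = field(default_factory=list)  # sender's preference order


def parse_notification_options(value):
    """Parse 'name=importance, v1, v2; name2=...' into {name: [v1, v2]}."""
    params = {}
    for part in value.split(";"):
        name, sep, rest = part.partition("=")
        if not sep:
            continue  # ignore fragments without '='
        items = [item.strip().lower() for item in rest.split(",") if item.strip()]
        # The first item is the importance ("optional" or "required"); the rest are values.
        params[name.strip().lower()] = items[1:]
    return params


def requested_receipt(headers):
    """Classify the receipt (MDN) that an inbound AS2 message asks for."""
    # HTTP header names are case-insensitive, so normalise them first.
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # Without Disposition-Notification-To the sender has not asked for an MDN.
    # (This example also ignores a stray Receipt-Delivery-Option in that case.)
    if not h.get("disposition-notification-to"):
        return ReceiptRequest("no receipt")

    opts = parse_notification_options(h.get("disposition-notification-options", ""))
    signed = bool(opts.get("signed-receipt-protocol"))
    micalgs = opts.get("signed-receipt-micalg", []) if signed else []

    url = h.get("receipt-delivery-option")
    if url:
        parts = urlsplit(url)
        # This example's policy: only return receipts to an HTTP(S) endpoint.
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            raise ValueError("unsupported asynchronous receipt URL: %r" % url)
        kind = "asynchronous signed receipt" if signed else "asynchronous plain receipt"
        return ReceiptRequest(kind, async_url=url, mic_algorithms=micalgs)

    kind = "signed receipt" if signed else "plain receipt"
    return ReceiptRequest(kind, mic_algorithms=micalgs)


# Constructed sample: headers of an inbound AS2 message (not captured traffic).
SAMPLE_HEADERS = {
    "AS2-Version": "1.1",
    "AS2-From": "BUYER-EXAMPLE",
    "AS2-To": "SUPPLIER-EXAMPLE",
    "Message-ID": "<constructed-0001@buyer.example>",
    "Disposition-Notification-To": "edi@buyer.example",
    "Disposition-Notification-Options":
        "signed-receipt-protocol=optional, pkcs7-signature; "
        "signed-receipt-micalg=optional, sha1, md5",
    "Receipt-Delivery-Option": "https://as2.buyer.example/mdn",
}

if __name__ == "__main__":
    print(requested_receipt(SAMPLE_HEADERS))
```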

5. Encryption Algorithm

The next step is to decide on an encryption algorithm from those supported by your AS2 software. Options include, but are not limited to: no encryption, triple DES, RC2 40, and RC2 128. Algorithms using 128 bit keys (Triple DES and RC2 128) are much stronger and therefore more secure. Of course, it’s essential that the software used by your trading partner can support the algorithm you intend to use, so you need to confirm which algorithms your partners can handle before you begin live trading. AS2 indicates the encryption method in the message headers, making it easy for your software to determine which decryption algorithm to apply.

6. Signature Algorithm

A final choice is the signature algorithm to be used. AS2 offers options: no signature, SHA-1 and MD5. Again, using signatures will make the process more secure since they make it much easier to prove that the person it appears to come from really sent a message. The AS2 standard recommends using SHA-1 but you should also support MD5 in case any of your trading partners are using it.

Of course, you also need to have reached agreement about the content of the document you are sending, by developing implementation guides for EDI messages or creating schemas for XML documents. For example, you and your partner need to know that you are sending an invoice, that the first data item is the invoice number and is so many characters long, that the second data item is the date, that the third data item is the sender’s supplier number and so on.

Once you have made these choices, you need to configure them into your AS2 software (see box). The best AS2 solutions will allow you to set each option on a partner-by-partner basis in the trading partner’s profile, which will also include the address (a web URL) of their AS2 server. In addition, you will need to load your partner’s certificate into your AS2 software to give you access to their public key, used for encrypting the messages you send to them and for validating messages they send to you.

The final step before you attempt live trading is to verify that both partners have configured their systems correctly by sending a test document. Of course, you will need to reload your partner’s certificate and retest the configuration each time a partner’s certificate expires.
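A sketch of how the per-partner choices described above can be checked before live trading, as an added example that is not from the GXS paper or from any AS2 product. The field names, option spellings, severity labels and the 30-day renewal window are assumptions of this example; the checks themselves follow the paper's own guidance on receipts, encryption, signatures and certificate expiry.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# The five receipt options as listed in the paper (spellings are this example's).
RECEIPTS = {"none", "plain", "signed", "async-plain", "async-signed"}


@dataclass
class PartnerProfile:
    partner_id: str        # identity of partner
    url: str               # URL for sending documents
    signing: str           # "none", "sha1" or "md5"
    encryption: str        # "none", "3des", "rc2-40" or "rc2-128"
    receipt: str           # one of RECEIPTS
    compression: bool      # whether compression will be used
    cert_not_after: date   # expiry date of the partner certificate you loaded


def audit_profile(p, today, renew_window_days=30):
    """Return a list of (severity, message) findings; empty means nothing to fix."""
    findings = []
    scheme = urlsplit(p.url).scheme.lower()
    if scheme not in ("http", "https"):
        findings.append(("error", "URL scheme %r is neither HTTP nor HTTPS" % scheme))

    # Receipts: "no receipt" leaves no audit trail; signed receipts give the strongest one.
    if p.receipt not in RECEIPTS:
        findings.append(("error", "unknown receipt option %r" % p.receipt))
    elif p.receipt == "none":
        findings.append(("high", "no receipt requested: no audit trail"))
    elif not p.receipt.endswith("signed"):
        findings.append(("medium", "unsigned receipt: weaker audit trail than a signed one"))

    # Encryption: unencrypted content relies on HTTPS alone, or on nothing at all.
    if p.encryption == "none":
        if scheme == "https":
            findings.append(("medium", "content not encrypted; only HTTPS protects it in transit"))
        else:
            findings.append(("high", "content not encrypted and sent over plain HTTP"))
    elif p.encryption == "rc2-40":
        findings.append(("medium", "RC2 40 selected; the paper rates the 128 bit options as much stronger"))

    # Signature: without one the receiver cannot prove who sent the message.
    if p.signing == "none":
        findings.append(("high", "no signature: sender cannot be proven"))

    # Certificate expiry: contact the partner before the certificate lapses.
    days_left = (p.cert_not_after - today).days
    if days_left < 0:
        findings.append(("high", "partner certificate expired %d days ago" % -days_left))
    elif days_left <= renew_window_days:
        findings.append(("medium", "partner certificate expires in %d days" % days_left))
    return findings


# Constructed sample profiles (not real partners).
TODAY = date(2024, 7, 1)
WEAK = PartnerProfile("ACME-TEST", "http://as2.partner.example/receive",
                      "none", "rc2-40", "plain", False, date(2024, 7, 10))
STRONG = PartnerProfile("ACME-PROD", "http://as2.partner.example/receive",
                        "sha1", "3des", "signed", True, date(2025, 6, 30))

if __name__ == "__main__":
    for profile in (WEAK, STRONG):
        print(profile.partner_id, audit_profile(profile, TODAY))
```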


Introducing AS2 to Your Business—Managing Relationships

Getting the technology in place is only one aspect of the task of introducing AS2. You also need to manage the relationships you have with your trading partners in four ways:

• Making yourself available to receive AS2 messages when your trading partners want to send you messages

• Keeping track of expiring certificates

• Detecting problems when sending to partners; and

• Detecting security issues.

If you decide to run your own AS2 solution and connect directly to your partners—rather than working through a service provider—you will effectively become a VAN provider with one client. As well as making sure your AS2 software is connected and ready to receive at all times—if you are not online and ready to receive, your partners’ attempts to send to you will fail—you will be responsible for back-ups and disaster recovery procedures.

You will also need to track the expiration dates on your partners’ certificates and contact partners before their certificate expires to arrange for a new certificate to be sent to ensure that the smooth flow of documents is not interrupted. Obviously you should also make sure you provide your trading partners with the new version of your certificate before the old one expires.

A daily task will be to handle those occasions when messages fail, whether because of issues in your own AS2 solution, in your partners’ AS2 solutions or in the networks that connect them. Most failures will be the result of temporary connection glitches and won’t result in major disruption as long as you keep on top of spotting and fixing them. The final ongoing requirement will be to ensure that your solution is as robust as possible. One regular task will be to install any security patches for your AS2 software as soon as they are released. The second will be to check the AS2 software logs for suspicious activity to try to determine if someone is “probing” your system.

If you do decide to run your AS2 solution in house, you should look for software that makes these activities as easy and quick as possible. GXS estimates that taking into account software licenses, hardware procurement, purchase of trading partner-specific templates, keeping a permanent Internet connection and employing staff with the necessary skills, will cost a small company with low transaction volumes around $10,000-$30,000 in the first year to set up an AS2 solution in-house. In addition, ongoing annual costs of $5,000-$15,000 a year will be required to maintain it and add further trading partners. A large company with high transaction volumes, which would involve a more complex software solution and greater staffing requirements, would need to spend $130,000+ in the first year to implement a solution and $100,000 to $1 million a year thereafter.

Working through a service provider will allow you to offload most of the management hassle of running an AS2 solution—and will also reduce your operating costs. GXS estimates that for a company sending 300 documents a month it will typically cost less than $2000 a year to use the GXS AS2 Outsourcing Service, saving 50 percent or more when compared with the cost of running an AS2 service in-house and when the total cost of ownership is taken into account.

WHEN ESTABLISHING AN AS2 RELATIONSHIP, EACH PARTNER NEEDS TO:

1. Decide whether to put the AS2 solution behind a firewall or in a “DMZ” isolated from their own systems

2. Install AS2 software

3. Get a certificate (the public/private key) from a third-party provider or generate your own certificate

4. Agree whether to use HTTP or HTTPS (SSL-secured HTTP) as the transmission protocol

5. Agree on a “receipt policy”

6. Determine the encryption algorithm to be used

7. Determine the signature algorithm to be used

8. Configure your AS2 software with information about your trading partner:

a. URL for sending documents

b. Identity of partner

c. Signing method

d. Encryption method

e. Receipt method

f. Whether compression will be used

9. Load the partner’s certificate (public key) into your software

10. Send a test document to confirm both systems have been configured correctly

Getting Started with AS2

At GXS our AS2 volumes have continued to grow significantly each year. We believe AS2 is one of the key standards for B2B commerce and that companies should be eagerly embracing this low-cost approach to online trading. Moreover, AS2 implementation lends itself to an incremental approach that builds on your current infrastructure, allowing you to manage both costs and risks, so it’s easy to begin testing how it might benefit your business.

If you are introducing AS2 at the request of a trading partner, you may be able to use your existing e-commerce infrastructure to handle it. If you use an EDI service provider, ask them about AS2. If you run your own software, check if the supplier offers an AS2 communications module (the Drummond Group provides a list of AS2-certified vendors at http://www.drummondgroup.com) or can recommend a third-party supplier whose software can be easily added to your existing setup.

If you have decided to roll this out to your own trading partners, it is probably a good idea to use your existing B2B broker software as a base. Most of the vendors who provide B2B brokers offer add-on modules for AS2 and you will be able to take advantage of other features offered by the broker software—such as logging, monitoring and connections to translation software—in addition to the basic AS2 protocol support.

Whatever your AS2 strategy and regardless of your company size or position in the supply chain, GXS can help. If you want a hosted service, GXS offers a number of solutions, with or without translation services, to suit everyone from small and medium-sized enterprises up to tier one suppliers and major purchasers. If you want to run your own AS2 solution, we can provide consultancy, implementation services and a variety of software components and connectivity services to allow you to build a system that meets your needs (see box on next page).

Summary

AS2 offers many benefits for organisations needing to exchange documents online: flexibility to share many different types of data; secure transmission of documents over the Internet, to which even the smallest trading partners can gain easy access; confidence that documents can be read only by the intended recipients or actually come from the claimed senders; and a very favorable cost when compared to other forms of electronic data interchange. Because of these benefits, we believe that AS2 has become one of the key standards for B2B commerce.

However, getting started with AS2 involves a series of decisions and technical steps both within your own organisation and in conjunction with your trading partners. GXS has the experience, knowledge and infrastructure to help you roll out an AS2 solution quickly and easily and we can provide long-term hosting services to take away the management headache of running AS2. GXS customers are already using our AS2 services to strengthen their relationships with trading partners while cutting the cost of transactions. Come and talk to us about how your business can join them in making the most of this exciting new standard.

GXS Offers a Range of AS2 Solutions to Meet Your Business Needs:

AS2 Outsourcing Service—If you are responding to a request from a key trading partner for AS2-based trading, our AS2 Outsourcing Service can get you up and running quickly. You need no AS2 software, hardware, firewalls, certificates or special skills: GXS does all the work, including setup and testing with your trading partner and certificate management. We can also offer optional translation services.

AS2 Software Options—If you want to implement AS2 yourself and need AS2 communications software, GXS provides a variety of software options to suit different needs, including:

• Enterprise Gateway—a highly scalable supply chain integration platform that supports AS2 as well as many other communication protocols. Enterprise Gateway also provides EDI/XML data translation, full supply chain process and event management, and a suite of back office integration adapters.

• Microsoft BizTalk Server—a complete business integration solution built on the market-leading Microsoft technology, BizTalk Gateway supports AS2 and is “Grid-Ready” out-of-the-box. BizTalk Gateway is capable of real-time integration with your critical decision-making systems, connects you with all your trading partners, and significantly improves your business performance.

• Application Integrator™—one of the world’s leading any-to-any data translation engines. Application Integrator leverages an easy-to-use, wizard-based graphical user interface and supports a full suite of Internet-based communication protocols, including AS2, to make it easy for you to trade electronically with any of your customers.

• Cleo Lexicom—the easiest way to get started in B2B e-commerce, Cleo Lexicom enables you to securely transfer critical business documents to and from your key customers over the Internet. Users can transfer and receive everything from purchase orders, invoices, and shipping notices to insurance claims, medical records, clinical data and retail reports.

AS2 Connectivity—If you have already selected an AS2 software solution, we can help you standardise on AS2 for all your communications. Where appropriate, you can connect to trading partners directly over the Internet. You can use the same AS2 software to connect to the GXS service, which will in turn connect to the rest of your partners according to their requirements. This enables you to reap the rewards of AS2 with your entire community and to simultaneously benefit from the GXS service, including trading partner management, transaction management, backup and recovery, translation services, access to tens of thousands of trading partners and more.

AS2 Contingency Service—If you connect to GXS via AS2, the AS2 Contingency Service provides an alternative connectivity method for sending and receiving critical business documents in the event of AS2 or Internet problems. You define the conditions under which the contingency mode is to be automatically invoked and you will be automatically notified of document arrival in your contingency mailbox.

ABOUT GXS

GXS is a leading B2B integration services provider and operates the world’s largest integration cloud, GXS Trading Grid®. Our software and services help more than 550,000 businesses, including 22 of the top 25 supply chains, extend their partner networks, automate receiving processes, manage electronic payments, and improve supply chain visibility. GXS Managed Services, our unique approach to improving B2B integration operations, combines GXS Trading Grid® with our process orchestration services and global team to manage a company’s multi-enterprise processes. Based in Gaithersburg, Maryland, GXS has direct operations in 20 countries, employing more than 2,800 professionals. To learn more, see http://www.gxs.co.uk, read our blog at http://www.gxsblogs.com and follow us on Twitter at http://twitter.com/gxs. You can also access our public filings with the Securities and Exchange Commission at http://www.sec.gov/edgar.shtml.


© Copyright 2013 GXS, Inc. All Rights Reserved. December 2013 UK

NORTH AMERICA AND GLOBAL HEADQUARTERS: GXS, 9711 Washingtonian Blvd., Gaithersburg, MD 20878, US, +1-800-503-9190 t, +1-301-340-4000 t, www.gxs.com

SOUTH AMERICA, BRAZIL: GXS Brazil, Rua Bela Cintra 1149, 9° andar, CEP: 01415-001, São Paulo, Brasil, +55 11 2123 2500 t, www.gxs.com.br

EUROPE, MIDDLE EAST AND AFRICA HEADQUARTERS, UNITED KINGDOM: GXS Limited, 18 Station Road, Sunbury-on-Thames, Middlesex TW16 6SU, England, +44 (0)1932 776047 t, www.gxs.eu

ASIA HEADQUARTERS, HONG KONG: GXS International, Room 1609-10, 16/F China Resources Building, 26 Harbour Road, Wanchai, Hong Kong, +852 2884-6088 t, www.gxs.asia.com

JAPAN HEADQUARTERS, TOKYO: GXS Co., Ltd., Akasaka Intercity 3F, 11-44 Akasaka 1-chome, Minato-ku, Tokyo 107-0052, Japan, +81-3-5574-7545 t, www.gxs.co.jp