Manage AS2 partners
This topic discusses how to manage AS2 certificates, profiles, and agreements.
Import AS2 certificates
The Transfer Family AS2 process uses certificate keys for both encryption and signing of transferred information. Partners can use the same key for both purposes, or a separate key for each. If you have common encryption keys kept in escrow by a trusted third-party so that data can be decrypted in the event of a disaster or security breach, we recommend having separate signing keys. By using separate signing keys (which you do not escrow), you don't compromise the non-repudiation features of your digital signatures.
Note
The key length for AS2 certificates must be at least 2048 bits, and at most 4096.
The following points detail how AS2 certificates are used during the process.
- Inbound AS2
  - The trading partner sends their public key for the signing certificate, and this key is imported to the partner profile.
  - The local party sends the public key for their encryption and signing certificates. The partner then imports the private key or keys. The local party can send separate certificate keys for signing and encryption, or can choose to use the same key for both purposes.
- Outbound AS2
  - The partner sends the public key for their encryption certificate, and this key is imported to the partner profile.
  - The local party sends the public key for the certificate for signing, and imports the private key of the certificate for signing.
- If you are using HTTPS, you can import a self-signed Transport Layer Security (TLS) certificate.
For details on how to create certificates, see Step 1: Create certificates for AS2.
This procedure explains how to import certificates by using the Transfer Family console. If you want to use the AWS CLI instead, see Step 3: Import certificates as Transfer Family certificate resources.
To specify an AS2-enabled certificate
1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.
2. In the left navigation pane, under AS2 Trading Partners, choose Certificates.
3. Choose Import certificate.
4. In the Certificate description section, enter an easily identifiable name for the certificate. Make sure that you can identify the certificate's purpose by its description. Additionally, choose the role for the certificate.
5. In the Certificate contents section, provide a public certificate from a trading partner, or the public and private keys for a local certificate.
6. In the Certificate usage section, choose the purpose for this certificate. It can be used for encryption, signing, or both.
   Tip: If you choose Encryption and signing for the usage, Transfer Family creates two identical certificates (each having its own ID): one with a usage value of ENCRYPTION and one with a usage value of SIGNING.
7. Fill in the Certificate contents section with the appropriate details.
   - If you choose Self-signed certificate, you do not provide the certificate chain.
   - Paste in the contents of the certificate.
   - If the certificate is not a self-signed certificate, provide the certificate chain.
   - If this certificate is a local certificate, paste in its private key.
8. Choose Import certificate to complete the process and save the details for the imported certificate.
Note
TLS certificates can only be imported as a partner's public certificate. If you select Public certificate from a partner, and then select Transport Layer Security (TLS) for the usage, you receive a warning. Also, TLS certificates must be self-signed (that is, you must select Self Signed Certificate to import a TLS certificate).
AS2 certificate rotation
Often, certificates are valid for a period of six months to a year. You might have set up profiles that you want to persist for a longer duration. To facilitate this, Transfer Family provides certificate rotation. You can specify multiple certificates for a profile, allowing you to keep using the profile for multiple years. Transfer Family uses certificates for signing (optional) and encryption (mandatory). You can specify a single certificate for both purposes, if you like.
Certificate rotation is the process of replacing an old expiring certificate with a newer certificate. The transition is a gradual one to avoid disrupting transfers where a partner in the agreement has yet to configure a new certificate for outbound transfers or might be sending payloads that are signed or encrypted with an old certificate during a period when a newer certificate might also be in use. The intermediate period where both old and new certificates are valid is referred to as a grace period.
X.509 certificates have Not Before and Not After dates. However, these parameters might not provide enough control for administrators. Transfer Family provides Active Date and Inactive Date settings to control which certificate is used for outbound payloads and which is accepted for inbound payloads. Outbound certificate selection uses the maximum value that is prior to the date of the transfer as an Inactive Date. Inbound processes accept certificates within the range of Not Before and Not After and within the range of Active Date and Inactive Date.
The following table describes one possible way to configure two certificates for a single profile.
Name | NOT BEFORE (controlled by certificate authority) | ACTIVE DATE (set by Transfer Family) | INACTIVE DATE (set by Transfer Family) | NOT AFTER (set by certificate authority) |
---|---|---|---|---|
Cert1 (older certificate) | 2019-11-01 | 2020-01-01 | 2020-12-31 | 2024-01-01 |
Cert2 (newer certificate) | 2020-11-01 | 2020-06-01 | 2021-06-01 | 2025-01-01 |
Note the following:
- When you specify an Active Date and Inactive Date for a certificate, the range must be inside the range between Not Before and Not After.
- We recommend that you configure several certificates for each profile, making sure that the active date range for all the certificates combined covers the amount of time for which you want to use the profile.
- We recommend that you specify some grace time between when your older certificate becomes inactive and when your newer certificate becomes active. In the preceding example, the first certificate does not become inactive until 2020-12-31, while the second certificate becomes active on 2020-06-01, providing a 6-month grace period. During the period from 2020-06-01 until 2020-12-31, both certificates are active.
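The rotation rules above, worked through as an added example (this is not Transfer Family code, and the outbound rule is an interpretation of the text: among certificates whose windows cover the transfer date, the one with the latest Inactive Date is chosen). The dates are constructed for the example; Cert2's Not Before is chosen so that its Active/Inactive range lies inside the certificate validity, as the note requires.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class As2Certificate:
    """One certificate attached to a Transfer Family AS2 profile (modelled here, not the AWS API)."""
    name: str
    not_before: date     # set by the certificate authority
    not_after: date      # set by the certificate authority
    active_date: date    # set in Transfer Family
    inactive_date: date  # set in Transfer Family

    def validate(self) -> None:
        # The Active/Inactive range must lie inside the Not Before/Not After range.
        if not (self.not_before <= self.active_date < self.inactive_date <= self.not_after):
            raise ValueError(f"{self.name}: Active/Inactive dates fall outside certificate validity")

    def usable_on(self, day: date) -> bool:
        # Inbound acceptance: the date must fall inside both ranges.
        return (self.not_before <= day <= self.not_after
                and self.active_date <= day <= self.inactive_date)


def accepted_inbound(certs: List[As2Certificate], day: date) -> List[str]:
    return [c.name for c in certs if c.usable_on(day)]


def select_outbound(certs: List[As2Certificate], day: date) -> Optional[str]:
    # Assumed rule: newest usable certificate (latest Inactive Date) wins during a grace period.
    candidates = [c for c in certs if c.usable_on(day)]
    if not candidates:
        return None  # nothing covers this date: outbound transfers would have no certificate
    return max(candidates, key=lambda c: c.inactive_date).name


def grace_period_days(older: As2Certificate, newer: As2Certificate) -> int:
    # Days on which both certificates are active; zero or negative means there is a gap.
    return (older.inactive_date - newer.active_date).days


def coverage_gaps(certs: List[As2Certificate]) -> List[Tuple[date, date]]:
    # Intervals between one certificate going inactive and the next becoming active.
    ordered = sorted(certs, key=lambda c: c.active_date)
    gaps, covered_until = [], ordered[0].inactive_date
    for c in ordered[1:]:
        if c.active_date > covered_until:
            gaps.append((covered_until, c.active_date))
        covered_until = max(covered_until, c.inactive_date)
    return gaps


# Constructed sample profile: two certificates with an overlapping (grace) period.
CERT1 = As2Certificate("Cert1", date(2019, 11, 1), date(2024, 1, 1), date(2020, 1, 1), date(2020, 12, 31))
CERT2 = As2Certificate("Cert2", date(2020, 5, 1), date(2025, 1, 1), date(2020, 6, 1), date(2021, 6, 1))
PROFILE_CERTS = [CERT1, CERT2]
for cert in PROFILE_CERTS:
    cert.validate()
```

Running `select_outbound` across a range of dates before a rotation shows exactly when the profile would be left without an outbound certificate.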
Create AS2 profiles
Use this procedure to create both local and partner profiles. This procedure explains how to create AS2 profiles by using the Transfer Family console. If you want to use the AWS CLI instead, see Step 4: Create profiles for you and your trading partner.
To create an AS2 profile
1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.
2. In the left navigation pane, under AS2 Trading Partners, choose Profiles, then choose Create profile.
3. In the Profile configuration section, enter the AS2 ID for the profile. This value is used for the AS2 protocol-specific HTTP headers as2-from and as2-to to identify the trading partnership, which determines the certificates to use, and so on.
4. In the Profile type section, choose Local profile or Partner profile.
5. In the Certificates section, choose one or more certificates from the dropdown menu.
   Tip: If you want to import a certificate that is not listed in the dropdown menu, select Import a new Certificate. This opens a new browser window at the Import certificate screen. For the procedure about importing certificates, see Import AS2 certificates.
6. (Optional) In the Tags section, specify one or more key-value pairs to help identify this profile.
7. Choose Create profile to complete the process and save the new profile.
Create AS2 agreements
Agreements are associated with Transfer Family servers. They specify the details for trading partners that use the AS2 protocol to exchange messages or files by using Transfer Family, for inbound transfers—sending AS2 files from an external, partner-owned source to a Transfer Family server.
This procedure explains how to create AS2 agreements by using the Transfer Family console. If you want to use the AWS CLI instead, see Step 5: Create an agreement between you and your partner.
To create an agreement for a Transfer Family server
1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.
2. In the left navigation pane, choose Servers, and then choose a server that uses the AS2 protocol.
3. On the server details page, scroll down to the Agreements section.
4. Choose Add agreement.
5. Fill in the agreement parameters, as follows:
   - In the Agreement configuration section, enter a descriptive name. Make sure that you can identify the agreement's purpose by its name. Also, set the Status for the agreement: either Active (selected by default) or Inactive.
   - In the Communication configuration section, choose a local profile and a partner profile. Also, choose whether or not to enforce message signing.
     - By default, Enforce message signing is enabled, which means that Transfer Family rejects unsigned messages from your trading partner for this agreement.
     - Clear this setting to allow Transfer Family to accept unsigned messages from your trading partner for this agreement.
   - In the Inbox directory configuration section, provide the following information.
     - For S3 Bucket, choose an Amazon S3 bucket.
     - For Prefix, you can enter a prefix (folder) to use for storing files in the bucket. For example, if you enter amzn-s3-demo-bucket for your bucket and incoming for your prefix, your AS2 files are saved to the /amzn-s3-demo-bucket/incoming folder.
     - For AWS IAM Role, choose a role that can access the bucket you specified.
     - For Preserve filename, choose whether to preserve original filenames for incoming AS2 message payloads. If you select this setting, the filename provided by your trading partner is preserved when the file is saved in Amazon S3. If you clear this setting, when Transfer Family saves the file, the filename is adjusted, as described in File names and locations.
   - (Optional) Add tags in the Tags section.
6. After you have entered all the information for the agreement, choose Create agreement.
7. The new agreement appears in the Agreements section of the server details page.