EDI/AS2 Setup Explained
(Beginner-Friendly Guide)
EDUCATIONAL SERIES: LEARNING
Why AS2?
**EDI** (Electronic Data Interchange) is the automated, computer-to-computer exchange of standardized business documents (such as purchase orders, invoices, and shipping notices) between companies. Instead of emailing PDFs or printing paper forms, EDI uses structured formats (e.g., ANSI X12 or EDIFACT) so systems "talk" directly, reducing errors, speeding up processes, and cutting costs.
**AS2** (Applicability Statement 2) is one of the most popular and secure ways to send those EDI documents over the internet. It's a point-to-point protocol (like a direct, encrypted tunnel between your system and your trading partner's) that uses HTTP/HTTPS—the same tech behind secure websites. AS2 wraps your EDI file in a secure "envelope" with encryption, digital signatures, and a built-in receipt (called an MDN—Message Disposition Notification) to confirm delivery and prevent tampering or denial.
### Why Use AS2 for EDI?
- **Secure & Reliable**: Encryption + signatures protect sensitive data; MDN provides proof of receipt (non-repudiation).
- **Cost-Effective**: No expensive third-party VAN (Value-Added Network) fees for most setups—direct over the web.
- **Fast & Real-Time**: Messages send instantly; great for retail (e.g., Walmart requires it), healthcare, logistics, and CPG.
- **Widely Adopted**: Drummond Group certifies interoperable AS2 software, so different vendors work together seamlessly.
Many large buyers (Amazon, Walmart, etc.) mandate AS2 for suppliers, making it essential for B2B.
### Key Components in AS2 Setup
- **AS2 Software/Server**: Handles sending/receiving (e.g., free OpenAS2, Mendelson AS2, or paid like Cleo, Seeburger, JSCAPE).
- **Digital Certificates** (.pfx/PKCS#12 format recommended—bundles cert + private key securely).
- **AS2 Identifiers** (unique IDs like your company name or GLN/Global Location Number).
- **URL/Endpoint** (your server's listening address, e.g., https://yourdomain.com:8443).
- **Trading Partner Agreement**: Shared details (IDs, URLs, certs, encryption/signing algorithms).
### Step-by-Step AS2 Setup (High-Level for First-Timers)
This assumes you're using a tool like **OpenAS2** (free, Java-based). For production, consider a hosted/cloud option if you want less hands-on maintenance.
1. **Choose & Install AS2 Software**
   - Download OpenAS2 (latest from GitHub: https://github.com/OpenAS2/OpenAs2App/releases).
   - Install Java 11+ (LTS version—Adoptium or Azul).
   - Unzip to a folder (e.g., C:\OpenAS2 on Windows).
   - Why? It's free, configurable, and supports strong security.
2. **Prepare Your Certificate**
   - Use a PEM-to-PFX converter to create a .pfx file (password-protected bundle with cert + private key).
   - Import into OpenAS2's keystore (config/as2_certs.p12 or similar—update config.xml).
3. **Configure the Server**
   - Edit config/config.xml: Set ports (default HTTP 10080, HTTPS 10443), modules (polling for outbound files), logging.
   - Define your AS2 ID and certificate alias.
   - Enable HTTPS for production (uncomment SSL module, use trusted cert if possible).
4. **Exchange Details with Trading Partner**
   - Share with them: Your AS2 ID, URL/endpoint, certificate (public part), preferred algorithms (e.g., SHA-256 signing, AES-256 encryption).
   - Get theirs in return (they'll add you as a partner too).
5. **Set Up Trading Partner Profiles**
   - In OpenAS2 (or software): Add partner entry in partnerships.xml or UI—enter their AS2 ID, URL, cert, algorithms.
   - Test connectivity: Send a sample file (place in outbound folder), check logs for MDN receipt.
6. **Test End-to-End**
   - Send test EDI (or plain text) file.
   - Verify: Message arrives, signs/encrypts correctly, MDN returns (success/failure).
   - Tools like Drummond test suites or partner's tester help.
7. **Go Live & Monitor**
   - Run as service (Windows: NSSM; Linux: systemd).
   - Integrate with your EDI translator (maps internal data to EDI format).
   - Monitor logs, set alerts for failures.
   - Firewall: Open chosen ports inbound.
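
An added example, not part of the original guide or of OpenAS2: a Python check of the fields an MDN carries (the receipt tested in steps 5 and 6), confirming that it refers to the message you sent, reports `processed`, and returns a MIC that matches your own hash. It assumes your AS2 software has already verified the MDN's signature and that you pass in the exact bytes the MIC covers; the message ID and payload are constructed sample values.

```python
import base64
import hashlib
import hmac
from email import message_from_bytes

STRONG_MIC_ALGS = ("sha256", "sha384", "sha512")

def check_mdn(mdn_fields: bytes, sent_message_id: str, mic_input: bytes) -> tuple[bool, str]:
    """Check the message/disposition-notification fields of an MDN against what was sent."""
    fields = message_from_bytes(mdn_fields)
    if str(fields.get("Original-Message-ID", "")).strip() != sent_message_id:
        return False, "MDN refers to a different Message-ID"
    # Disposition: <mode>; <type>[/<modifier>: <detail>]
    status = str(fields.get("Disposition", "")).partition(";")[2].strip().lower()
    if status != "processed" and not status.startswith("processed/warning"):
        return False, f"partner reported: {status or 'no disposition'}"
    # Received-Content-MIC: <base64 digest>, <algorithm>
    mic_b64, _, alg = str(fields.get("Received-Content-MIC", "")).partition(",")
    alg = alg.strip().lower().replace("-", "")
    if alg not in STRONG_MIC_ALGS:
        return False, f"missing or weak MIC algorithm: {alg or 'none'}"
    expected = base64.b64encode(hashlib.new(alg, mic_input).digest())
    # Constant-time comparison of the returned MIC with our own digest.
    if not hmac.compare_digest(mic_b64.strip().encode(), expected):
        return False, "MIC mismatch: partner received different content"
    return True, "processed, MIC verified"

# Constructed sample data (not captured traffic).
MSG_ID = "<constructed-0001@sender.example>"
SENT = b"constructed EDI payload\r\n"

def sample_mdn(received: bytes, disposition: str = "processed") -> bytes:
    """Build the MDN fields a partner would return for the bytes it received."""
    mic = base64.b64encode(hashlib.sha256(received).digest()).decode()
    return (
        f"Original-Message-ID: {MSG_ID}\r\n"
        f"Disposition: automatic-action/MDN-sent-automatically; {disposition}\r\n"
        f"Received-Content-MIC: {mic}, sha-256\r\n"
    ).encode()

if __name__ == "__main__":
    print(check_mdn(sample_mdn(SENT), MSG_ID, SENT))
    print(check_mdn(sample_mdn(b"altered in transit"), MSG_ID, SENT))
    print(check_mdn(sample_mdn(SENT, "processed/error: decryption-failed"), MSG_ID, SENT))
```

A receipt that fails any of these checks should be treated as "not delivered" and raised as an alert, which is the MDN handling the pitfalls list refers to.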
### Quick Tips for CFOs & First-Timers
- **Time/Cost**: Initial setup ~1-4 hours (plus partner coordination). No recurring VAN fees—big savings.
- **Security Focus**: Always use strong certs (.pfx), HTTPS, and test MDNs—protects against fraud/tampering.
- **Common Pitfalls**: Mismatched IDs/certs, firewall blocks, wrong Java version, or no MDN handling.
- **Alternatives if AS2 Feels Heavy**: Cloud EDI providers (e.g., Orderful, Cleo, Seeburger) handle AS2 for you—pay per use, faster onboarding.
Large wholesale and retail providers, as well as major trucking firms, use the AS2 protocol. Based on this requirement, all their suppliers are asked to send invoices, purchase orders, and other B2B trading messages via AS2 or SFTP. The growing trend is AS2. Wrapped inside this transport protocol, all but a few use EDI, which we will discuss in a separate thread. In this format, and later in audio and video, we will explain how to get started with the AS2 protocol and how to send and receive AS2 messages. In this discussion we will use our choice, OpenAS2, an application that provides AS2 capabilities. In our example, we will be sending EDI messages between AS2.LOADTALK.ME and AS2.VERIFY.ME.
Step 1 - Required for Implementing AS2 (Our Lab Environment)
In this exercise, we are using our two groups — LOADTALK.ME and VERIFYMC.ME, each with an instance of OpenAS2 running on a virtual server.
- LoadTalk - ASA.LOADTALK.ME is the destination and has a static conduit through a Cisco Firewall.
- VerifyMC - ASA.VERIFY.ME is the destination and has a static conduit through a Cisco Firewall.
- Firewall Access List - Both have a Cisco access list that limits access to only our partners' AS2 systems, a best practice.
- Messages - We have some sample messages for sending EDI messages from their C:\EDI\Outbound and C:\EDI\Inbound folders.
- OpenAS2 Application - We are using OpenAS2, a Java program downloaded and expanded into the C:\OpenAS2 folder.
- Operating Systems - We use Windows for the exercise and recommend Ubuntu Linux for larger organizations. OpenAS2 can run on Windows, Mac or Linux.
About Our Systems
- Humintuit™ Protocol In Action with AS2 We use our own protocol to securely monitor and, as needed, manage operations. All parts of our systems have extensive logging that is shipped in real time to a redundant site, surpassing all Federal Motor Carrier Safety Regulations (FMCSRs), Healthcare (HIPAA), and all State and Local regulations. Our AI assures we keep all records as required, and unlike most corporations, we like to talk about our redundancy, disaster recovery, and security. Our security is integrated into our philosophy, which states, "All user information is private," and our systems meet or exceed DOD, NIST 800, and HIPAA standards using user-controlled ECC (Curve25519) keys. We transmit mail using a matching TLS-only secure handshake, making all transactions encrypted email.
- VERA BOT (Verification EDI Relay Assistant) - VERA handles all the EDI messaging between the AS2 inbound and outbound folders and is monitored by Ellie, our AI, or Super Grok via an API.
- REID BOT (Redundant Encrypted Information Distribution) - REID keeps both our primary and backup AS2 installations in sync. Either one can take over the other's primary operations in a few minutes with no loss of information. REID is graduating to Agentic AI.
Step 2 - The Role of Passwords in AS2 Certificates
Passwords play a vital role in securing AS2 certificates, primarily by protecting the private key—the most sensitive component of the certificate bundle. In AS2 implementations, such as those using OpenAS2 or similar tools, certificates are often stored in password-protected formats, such as PKCS#12 (.PFX), to prevent unauthorized access. This is part of the EDIINT AS2 standard. Generate passwords before you begin. If you can type them, they aren't complicated enough.
Many AS2 setups recommend using a blank or simple password for internal server use (e.g., when installing on a secure system), but stronger passwords are advised for files that are shared or stored in less secure environments. Ultimately, passwords add a layer of defense-in-depth, complying with standards like EDIINT and helping meet regulatory requirements such as HIPAA or GDPR in data-sensitive industries.
Step 3 - Generating AS2 Certificates
We encourage you to stop and handle this as a separate exercise. We have built our own PEM to PFX Converter that will help. Follow the link, and the page will walk you through everything needed to create the correct bundled certificate. It will also save you hundreds of dollars a year.
If you need help or are just busy, we have a service that costs much less than sites charge for certificates, and our systems have reminders and can help communicate with the other side. We also have a private cloud that securely delivers the certificates to you. It has space and tools to help keep all your certificates and config files backed up.
Step 4 - Installing OpenAS2
This installation exercise is for Windows. If you are on Linux, Unix, or a Mac, check with us; the documentation may be ready. You need a dedicated IP address on your machine and a static conduit with an outside publicly accessible IPv4 address. More on that later.
For servers (e.g., those running AS2 software like Mendelson on Java or Apache-based setups), passwords are used to secure keystores or truststores where certificates are loaded—preventing unauthorized modifications that could disrupt partnerships or expose vulnerabilities. They also protect administrative interfaces, SSH access, or API endpoints used for monitoring AS2 traffic, reducing the risk of remote exploits.
In the case of firewalls, such as Cisco models commonly referenced in AS2 documentation, passwords safeguard configuration files, VPN tunnels, or access control lists (ACLs) that regulate inbound/outbound traffic on ports like 80/443 (HTTP/S for AS2). For instance, a Cisco firewall might require passwords for enabling port forwarding to an internal AS2 server with a public IP, ensuring only authorized admins can adjust rules that expose the server to the internet.
The "why" boils down to risk mitigation: AS2 often involves public-facing endpoints (as seen in configurations with URLs like http://my-public-ip:10080), making servers and firewalls prime targets for attacks. Strong passwords, combined with multi-factor authentication where possible, help enforce least-privilege principles, comply with security best practices, and maintain the reliability of EDI exchanges by preventing downtime from breaches.
Passwords in the Context of Firewalls and Servers for AS2
When deploying AS2 on servers and behind firewalls, passwords are essential for both access control and secure configuration, ensuring that the infrastructure supporting EDI communications remains protected. Cisco, as an example, requires this kind of bundled certificate.
Why the Movement of Goods Depends on Reliable, Efficient and Dependable Communications Tools That Include AS2, EDI, SFTP, and LoadTalk
The heart of every nation, all over the world, runs on the movement of goods in many shapes and sizes, some frozen, some fresh, most in boxes, bags, or pallets. Commerce is the lifeblood of the world. All of it, transported by truck, plane, ship, even bikes and drones. They all require a communications infrastructure capable of handling the paperwork and challenges brought on by fraud and AI. LoadTalk and Verify MC tackle the challenge, outpace the competition.
We are the only private AI-centric system that offers 100% privacy and security. With Humintuit™ (hu·min·tu·it) engineered technology, anyone can use our products and services. And when you need help, just pick up the phone and talk to a real person—no bots, no barriers.

OpenAS2
OpenAS2 is a Java-based implementation of the EDIINT AS2 standard. It's what we use from multiple locations. It is needed when partners require AS2 for EDI communications. It is extremely configurable and supports a wide variety of signing and encryption algorithms.
OpenAS2 supports very high traffic volume, allowing parallel processing of files per partner. OpenAS2 at SourceForge. Interested in why we chose OpenAS2 over paid versions, and why we will support their open source effort as a company? Reach out, we'll be happy to explain why.