What is AS2?
AS2 stands for Applicability Statement 2. It is an EDI (Electronic Data Interchange) specification for exchanging business documents peer-to-peer between trading partners over the Internet. AS2 is based upon HTTP (Hypertext Transfer Protocol), normally in its secure form (HTTPS). AS2 offers distinct advantages over plain HTTP, including stronger verification and security achieved through the use of receipts and digital signatures. Another edge for AS2 over plain secure HTTP: its transactions and acknowledgements occur in real time, increasing the efficiency of document exchanges.
One of the best-known software packages that implements the AS2 protocol is LexiCom from Cleo Communications.
The AS2 and AS3 protocols both provide non-repudiation (a legally usable way to track who received a message and when), whereas plain secure "HTTP/s" and secure "FTP/s" do not.
Other Information Covering AS2
AS2 is a standard for the exchange of business documents. It is concerned with the encryption and exchange of documents, not with the format of the data in the documents themselves.
AS2 is designed to be a real-time exchange system. When a business entity has data ready to send to a trading partner, the data is immediately pushed to the trading partner. In older systems, the data would be held in a queue somewhere until the trading partner picked it up.
AS2 data exchanges are secure. Encryption and digital signatures are used together to confirm the identity of the sender and receiver, to ensure that unauthorized third parties cannot read the data, and to detect whether the data has been altered or corrupted in transit.
AS2 can be thought of as a layered protocol. Each layer uses the service provided by the layer beneath it to add a level of functionality to the transmission. As a layer adds its contribution, it forwards the resulting package to the layer beneath it.
Finally, the Transport layer forwards the package to the remote system using HTTP over the Internet. After the remote system receives the data package, the process is reversed: the data package is decrypted, the headers are checked and removed, and the result is passed up to the Session layer.
In the example above, a document is presented to the Interface layer of the sending system. The Interface layer determines the address (the IP address and port, or socket, number) of the receiver. The document data (the payload) and the address information are passed to the Session layer.
The Session layer uses the services of the Security layer to send the data to the remote system and then waits for the remote system to acknowledge that it has received the package without errors. The Session layer maintains a list of all outstanding transmissions. When the receipt is received, the Session layer informs the Interface layer of the successful delivery of the data.
The AS2 standard specifically states that Session layer receipts are not a substitute for 997 (X12 EDI) functional acknowledgments. Session layer receipts acknowledge the delivery of the data; 997 functional acknowledgments indicate that the data in the document has been successfully processed.
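The following is an added example, not code from the original page or from Cleo LexiCom, showing how a sender's Session layer can keep the list of outstanding transmissions, reconcile each incoming receipt (an MDN) against it, and track 997 processing status separately from delivery. The AS2 header names (AS2-From, AS2-To, Message-ID, Original-Message-ID, Received-Content-MIC, Disposition) are the ones defined for AS2 MDNs; the trading-partner identifiers, the sample payload and the choice of SHA-256 as the MIC digest are constructed assumptions, and the S/MIME signing and encryption performed by the Security layer are not shown.

```python
import base64
import hashlib
import uuid
from dataclasses import dataclass

SENDER_ID = "SENDER"      # constructed AS2 identifiers for this example
PARTNER_ID = "PARTNER"


def content_mic(payload: bytes) -> str:
    """Base64 digest of the payload: the Message Integrity Check value an MDN echoes back.
    The digest algorithm is agreed per trading partner; SHA-256 is assumed here."""
    return base64.b64encode(hashlib.sha256(payload).digest()).decode("ascii")


@dataclass
class Transmission:
    message_id: str
    partner: str
    expected_mic: str
    delivered: bool = False   # set by a matching MDN (Session layer receipt)
    processed: bool = False   # set only by a 997 functional acknowledgment


class SessionLayer:
    """Keeps the list of outstanding transmissions and reconciles receipts against it."""

    def __init__(self, own_id: str):
        self.own_id = own_id
        self.outstanding: dict[str, Transmission] = {}
        self.log: list[tuple[str, str]] = []

    def send(self, partner: str, payload: bytes) -> tuple[dict, bytes]:
        """Register the transmission and build the AS2 headers the Transport layer
        would place on the HTTP POST. The MIC is computed before sending so the
        receipt can later be checked against it."""
        message_id = f"<{uuid.uuid4()}@{self.own_id.lower()}.example>"
        self.outstanding[message_id] = Transmission(message_id, partner, content_mic(payload))
        headers = {
            "AS2-From": self.own_id,
            "AS2-To": partner,
            "Message-ID": message_id,
            "Disposition-Notification-To": f"as2@{self.own_id.lower()}.example",  # constructed
        }
        return headers, payload

    def receive_mdn(self, mdn: dict) -> bool:
        """Accept a receipt only if it names an outstanding message, comes from the partner
        that message was sent to, reports 'processed', and echoes the MIC computed at send time."""
        orig = mdn.get("Original-Message-ID", "")
        entry = self.outstanding.get(orig)
        if entry is None:
            self.log.append(("mdn-unmatched", orig))
            return False
        if mdn.get("AS2-From") != entry.partner:
            self.log.append(("mdn-wrong-partner", orig))
            return False
        if not mdn.get("Disposition", "").rstrip().endswith("processed"):
            self.log.append(("mdn-not-processed", orig))
            return False
        received_mic = mdn.get("Received-Content-MIC", "").split(",")[0].strip()
        if received_mic != entry.expected_mic:
            self.log.append(("mdn-mic-mismatch", orig))
            return False
        entry.delivered = True
        self.log.append(("delivered", orig))  # the Interface layer is informed here
        return True

    def receive_997(self, message_id: str, accepted: bool) -> bool:
        """A 997 reports processing of the EDI content, which is independent of delivery.
        It is recorded on its own flag and never marks a message as delivered."""
        entry = self.outstanding.get(message_id)
        if entry is None or not entry.delivered:
            self.log.append(("997-before-delivery", message_id))
            return False
        entry.processed = accepted
        self.log.append(("processed" if accepted else "rejected", message_id))
        return accepted


def receiver_build_mdn(headers: dict, payload: bytes, own_id: str) -> dict:
    """What the receiving side returns after decrypting and checking the package: an MDN
    naming the original message and carrying the MIC computed over what actually arrived."""
    return {
        "AS2-From": own_id,
        "AS2-To": headers["AS2-From"],
        "Original-Message-ID": headers["Message-ID"],
        "Disposition": "automatic-action/MDN-sent-automatically; processed",
        "Received-Content-MIC": f"{content_mic(payload)}, sha256",
    }


def demo(tamper: bool = False) -> tuple[bool, bool, list]:
    """Run one exchange in memory; with tamper=True the payload is altered in transit."""
    sender = SessionLayer(SENDER_ID)
    headers, payload = sender.send(PARTNER_ID, b"ISA*00* constructed EDI payload *00*")  # constructed
    arrived = payload + b"X" if tamper else payload
    mdn = receiver_build_mdn(headers, arrived, PARTNER_ID)
    delivered = sender.receive_mdn(mdn)
    processed = sender.receive_997(headers["Message-ID"], accepted=True)
    return delivered, processed, sender.log


if __name__ == "__main__":
    print(demo())              # (True, True, [...delivered, processed])
    print(demo(tamper=True))   # (False, False, [...mic-mismatch, 997-before-delivery])
```

The tampered run shows why the receipt is only useful when its MIC is compared against a value computed before sending: the receiver honestly reports what it got, and the mismatch tells the sender's Session layer that the delivery cannot be considered successful even though a receipt arrived. The 997 path is deliberately separate, matching the page's point that a delivery receipt says nothing about whether the EDI content was processed.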
The Security layer encrypts the data using either the PGP/MIME or the S/MIME standard. It is up to the trading partners to decide which standard to use. Both standards support the exchange of digitally signed, encrypted data. Brief descriptions of the differences between the two standards can be found at http://www.imc.org/smime-pgpmime.html
The Security layer then uses the services of the Transport layer to send the message to the remote system. The basic difference between AS1 and AS2 is found in the Transport layer: AS1 uses email to send data to the remote system, while AS2 uses HTTP over the Internet.
AS2 is a push-only protocol (whereas AS3 is a push/pull protocol, discussed below). With AS2, companies receive AS2 data by having a computer waiting for incoming HTTP requests. A company that wants to receive AS2 data informs its trading partners of the IP address and port (socket) number it will be monitoring. Berkeley sockets are the mechanism computers use to let applications communicate directly with one another over a network; a description of Berkeley sockets and the programming issues involved in using them is beyond the scope of this document. Obviously, the socket used for receiving AS2 data must be unique on a given system.
AS3
AS3 is based upon the secure version of the FTP protocol (rather than HTTP). Simply stated:
The AS3 transport is S/MIME over FTP.
AS3 is a client/server model like FTP (as opposed to the peer-to-peer model used by AS2).
AS3 uses MDNs (Message Disposition Notifications, i.e. receipts) like AS2.
The following are a few additional comments regarding AS3:
The client initiates "sends" and "receives", just like FTP.
AS3 is a push/pull protocol. Client-side AS3 does not require an always-available listener watching for inbound traffic (unlike AS2, where the receiving side must keep a listener reachable at all times). Dial-up Internet connections are fine too.
AS3 may be especially well suited to banking and other industries where there are heavy investments in FTP scripting, applications and security.
Cleo Communications helped design the initial Drummond Certification AS3 definition. The following is a short excerpt from Cleo's current internal AS3 specification that might be helpful.
The EDIINT family of secure MIME-based protocols includes AS1 (SMTP), AS2 (HTTP), and AS3 (FTP). AS1 was and still is available from a number of companies, but is not widely used. Cleo LexiCom does not support AS1. Since its inception only a few years ago, AS2 has become an established, proven peer-to-peer solution. Some proprietary implementations of AS3 existed, but they were not "official" until the Drummond Group approved the AS3 certification tests. During the certification period, the protocol was, in essence, standardized.
The original drafts outlined AS3 in a peer-to-peer (push/push) model like AS2. However, using AS3/FTP peer-to-peer causes more security issues than AS2/HTTP (because there are more ports involved) and has no advantages over AS2/HTTP. Because of this, the Drummond Group certified AS3 only in a client/server (push/pull) model. This distinguishes AS3 and gives it viability, partly because, with a client/server model, dial-up Internet users can now use EDIINT.
EDIINT: What is it?
EDIINT, or EDI-INT, is the transfer of EDI (Electronic Data Interchange) over the Internet. EDIINT is becoming the preferred method for exchanging EDI, XML and other data over the Internet. EDIINT has been successful in helping companies reduce or eliminate the high costs of value-added network (VAN) connections for themselves and their suppliers. EDIINT is also becoming the standard method of EDI communication for many retail giants; Wal-Mart requires a Drummond certified EDIINT AS2 solution from all of its EDI exchanging suppliers.
LexiCom also provides software for EDIINT communications, which is in use by thousands of suppliers who regard it as a vital part of their operations.
This AS2/AS3 information comes from Cleo Communications. CTI Communications has been a major Cleo distributor/reseller for over twenty-five years.