

AS2 & AS3 Protocols         


What is AS2?

AS2 stands for Applicability Statement 2 and is an EDI (Electronic Data Interchange) specification for exchanging documents peer-to-peer between business partners over the Internet.  AS2 is based upon secure HTTP (Hypertext Transfer Protocol).  AS2 offers distinct advantages over standard HTTP, including increased verification and security achieved through the use of receipts and digital signatures.  Another edge for AS2 over secure HTTP: its transactions and acknowledgements occur in real time, increasing the efficiency of document exchanges.

One of the best and best-known software packages available that handles the AS2 protocol is LexiCom from Cleo Communications.  The AS2 and AS3 protocols both provide non-repudiation (a legal way to track who received the message and when), whereas the secure "HTTP/s" and secure "FTP/s" protocols do not.

Other Information Covering AS2

AS2 is a standard for the exchange of business documents.  It is concerned with the encryption and exchange of documents, not the format of the data in the documents themselves. 

AS2 is designed to be a real-time exchange system.  When a business entity has data ready to send to a trading partner, the data is immediately pushed to the trading partner.  In older systems, the data would be held in a queue somewhere until the trading partner picked up the data.

AS2 data exchanges are secure.  Multiple encryption schemes are used to confirm the identity of the sender and receiver, to ensure that unauthorized third parties cannot read the data, and to verify that the data has not been corrupted in transit.

AS2 can be thought of as a layered protocol.  Each layer uses the service provided by the layer beneath it to add a level of functionality to the transmission.  As a layer adds its contribution, it forwards the resulting package to the layer beneath it.

Finally, the Transport layer forwards the package to the remote system using HTTP over the web.  After the remote system receives the data package, the process is reversed.  The data package is decrypted, the headers are checked and removed, and the result is passed to the Session layer.

In the example above, a document is presented to the interface layer of the sending system.  The interface layer determines the address (the IP address and socket number) of the receiver.  The document data  (the payload) and the address information are passed to the Session layer.

The Session layer uses the services of the Security Layer to send the data to the remote system and then waits for the remote system to acknowledge that it has received the package without errors.  The Session layer maintains a list of all outstanding transmissions.  When the receipt is received the Session layer informs the Interface of the successful delivery of the data.

The AS2 standard specifically states that Session layer receipts are not a substitute for 997 (EDI oriented) functional acknowledgments.  Session layer receipts acknowledge the delivery of the data.  997 functional acknowledgments indicate that the data in the document has been successfully processed.
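The Session-layer bookkeeping described above, as an added example that is not part of the original page or of Cleo's software: it keeps the list of outstanding transmissions and accepts a receipt only if it names a pending Message-ID, reports success, and returns a digest matching what was sent.  The receipt field names (Original-Message-ID, Disposition, Received-Content-MIC) come from the AS2 specification (RFC 4130) rather than from this page.  Assumptions: the class, function names and sample data are constructed, the digest is taken over the raw payload for simplicity, and verification of the receipt's signature is left out.

```python
import base64
import hashlib
import hmac
from email import message_from_string

# Digest names accepted in Received-Content-MIC (a subset chosen for this example).
MIC_ALGS = {"sha1": hashlib.sha1, "sha-256": hashlib.sha256, "sha256": hashlib.sha256}

def compute_mic(content: bytes, alg: str) -> str:
    """Base64 digest of the transmitted content, as carried in a receipt."""
    return base64.b64encode(MIC_ALGS[alg](content).digest()).decode("ascii")

class SessionLayer:
    """Keeps the list of outstanding transmissions and matches receipts to it."""
    def __init__(self):
        self.outstanding = {}  # Message-ID -> content that was sent

    def send(self, message_id: str, content: bytes) -> None:
        self.outstanding[message_id] = content

    def receive_receipt(self, mdn_fields: str) -> str:
        """Return 'delivered', 'failed', 'mic-mismatch' or 'unknown-message'."""
        mdn = message_from_string(mdn_fields)
        message_id = (mdn.get("Original-Message-ID") or "").strip()
        content = self.outstanding.get(message_id)
        if content is None:
            return "unknown-message"  # unsolicited, duplicate or replayed receipt
        # Disposition is "<mode>; <type>[/<modifier>]"; only bare "processed" is success.
        status = (mdn.get("Disposition") or "").split(";")[-1].strip().lower()
        if status != "processed":
            return "failed"  # left outstanding for retry or escalation
        mic, _, alg = (mdn.get("Received-Content-MIC") or "").partition(",")
        alg = alg.strip().lower()
        if alg not in MIC_ALGS:
            return "mic-mismatch"
        expected = compute_mic(content, alg).encode()
        if not hmac.compare_digest(mic.strip().encode(), expected):
            return "mic-mismatch"  # receiver got different bytes than were sent
        del self.outstanding[message_id]  # delivery confirmed; a 997 is still separate
        return "delivered"

# Constructed sample data and receipt builder (not from the original page).
SAMPLE_ID = "<0001@sender.example>"
SAMPLE_DOC = b"constructed purchase order payload"
OK = "automatic-action/MDN-sent-automatically; processed"
def make_mdn(message_id: str, content: bytes, disposition: str = OK) -> str:
    mic = compute_mic(content, "sha-256")
    return (f"Original-Message-ID: {message_id}\nDisposition: {disposition}\n"
            f"Received-Content-MIC: {mic}, sha-256\n")
```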

The Security layer encrypts the data using either the PGP/MIME or the S/MIME standard.  It is up to the trading partners to decide which standard to use.  Both standards support the exchange of digitally signed encrypted data. Brief descriptions of the differences between the standards can be found at http://www.imc.org/smime-pgpmime.html

The Security layer then uses the services of the Transport layer to send the message to the remote system.  The basic difference between AS1 and AS2 is found in the Transport layer.  AS1 uses email to send data to the remote system, while AS2 uses HTTP over the Internet.

AS2 is a push-only protocol (whereas AS3 is a push/pull protocol discussed below).  With AS2, companies receive AS2 data by having a computer waiting for incoming HTTP requests.  A company that wants to receive AS2 data informs its trading partners of the IP address and socket number it will be monitoring.  Berkeley sockets are a method used by computers to allow applications to communicate directly with one another over a network.  A description of Berkeley sockets and the programming issues involved when using them is beyond the scope of this document.  Obviously the socket used for receiving AS2 data must be unique on a given system.


AS3 is based upon the Secure version of the FTP protocol (rather than HTTP).  Simply stated...

  • The AS3 transport is S/MIME over FTP.
  • AS3 is a client/server model like FTP (as opposed to the "peer-to-peer" when using AS2).
  • AS3 uses MDNs (receipt notifications) like AS2.

The following are a few additional comments regarding AS3...

  • The client initiates "sends" and "receives" just like FTP.
  • AS3 is a push/pull protocol.  Client-side AS3 does not require a listener to be always aware of inbound traffic (unlike AS2, which always requires a persistent connection for the listener).  Dial-up Internet connections are fine too.
  • AS3 may be especially well suited for banking and other industries where there are heavy investments in FTP scripting, applications and security.
  • Cleo Communications helped design the initial Drummond Certification AS3 definition. 

The following is a short excerpt from Cleo’s current internal AS3 specification that might be helpful.

The EDIINT family of secure MIME-based protocols includes AS1 (SMTP), AS2 (HTTP), and AS3 (FTP).  AS1 was and still is available from a number of companies, but is not widely used.  Cleo LexiCom does not support AS1.  Since its inception only a few years ago, AS2 has become an established, proven peer-to-peer solution.  Some proprietary implementations of AS3 exist, but not “official” until the Drummond Group approved the AS3 certification tests.  During the certification period, the protocol was, in essence, standardized.

The original drafts outlined AS3 in a peer-to-peer (push/push) model like AS2.  However, using AS3/FTP peer-to-peer causes more security issues than AS2/HTTP (because there are more ports involved) and has no advantages over AS2/HTTP.   Because of this, Drummond Group certified AS3 only in a client/server (push/pull) model.  This distinguishes AS3 and gives it viability partly because, with a client/server model, dial-up Internet users can now use EDIINT.

EDIINT: What is it?

EDIINT, or EDI-INT, is the transfer of EDI, Electronic Data Interchange, over the Internet. EDIINT is becoming the preferred method for exchanging EDI, XML and other data over the Internet. EDIINT, or EDI-INT, has been successful in helping companies reduce or eliminate the high costs of value-added network, or VAN, connections for themselves and their suppliers. EDIINT is also becoming the standard method of EDI communication for many retail giants. Wal-Mart requires a Drummond certified EDIINT AS2 solution from all of its EDI exchanging suppliers.

The LexiCom software also offers software for EDIINT communications.  EDIINT software is in use by thousands of suppliers who have proven our EDIINT software to be a vital aspect of their companies.

This AS2/3 information comes from Cleo Communications.  CTI Communications has been a major Cleo distributor/reseller for over twenty-five years.



SyncPack® and FastSync® are registered trademarks of CTI Communications, a Division of Consul Tec, Inc.  Cleo®, 3780Plus®, SYNCcable+® and SYNCrac® and LexiCom are trademarks of Cleo Communications, a Division of DFI.  All other trademarks belong to their respective companies. Copyright © 1996 - 2008 CTI Communications, a Division of Consul Tec, Inc. All Rights Reserved. CTI makes no claim or representation, and accepts no responsibility, regarding the quality, nature, connect, operability or reliability of sites accessible by hyperlink from this Web site, or sites linking to this Web site.