Manage AS2 partners - Amazon Transfer Family
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Manage AS2 partners

This topic discusses how to manage AS2 certificates, profiles, and agreements.

Import AS2 certificates

The Transfer Family AS2 process uses certificate keys for both encryption and signing of transferred information. Partners can use the same key for both purposes, or a separate key for each. If you keep common encryption keys in escrow with a trusted third party so that data can be decrypted in the event of a disaster or security breach, we recommend using separate signing keys. By using separate signing keys (which you do not escrow), you don't compromise the non-repudiation properties of your digital signatures.

Note

The key length for AS2 certificates must be at least 2048 bits, and at most 4096.

The following points detail how AS2 certificates are used during the process.

  • Inbound AS2

    • The trading partner sends their public key for the signing certificate, and this key is imported to the partner profile.

    • The local party sends the public key for their encryption and signing certificates. The partner then imports the private key or keys. The local party can send separate certificate keys for signing and encryption, or can choose to use the same key for both purposes.

  • Outbound AS2

    • The partner sends the public key for their encryption certificate, and this key is imported to the partner profile.

    • The local party sends the public key for the certificate for signing, and imports the private key of the certificate for signing.

    • If you are using HTTPS, you can import a self-signed Transport Layer Security (TLS) certificate.

For details on how to create certificates, see Step 1: Create certificates for AS2.

This procedure explains how to import certificates by using the Transfer Family console. If you want to use the Amazon CLI instead, see Step 3: Import certificates as Transfer Family certificate resources.

To specify an AS2-enabled certificate
  1. Open the Amazon Transfer Family console at https://console.amazonaws.cn/transfer/.

  2. In the left navigation pane, under AS2 Trading Partners, choose Certificates.

  3. Choose Import certificate.

  4. In the Certificate description section, enter an easily identifiable name for the certificate. Make sure that you can identify the certificate's purpose by its description. Additionally, choose the role for the certificate.

  5. In the Certificate contents section, provide a public certificate from a trading partner, or the public and private keys for a local certificate.

  6. In the Certificate usage section, choose the purpose for this certificate. It can be used for encryption, signing, or both.

    Note

    If you choose Encryption and signing for the usage, Transfer Family creates two identical certificates (each with its own ID): one with a usage value of ENCRYPTION and one with a usage value of SIGNING.

  7. Fill in the Certificate contents section with the appropriate details.

    • If you choose Self-signed certificate, you do not provide the certificate chain.

    • Paste in the contents of the certificate.

    • If the certificate is not a self-signed certificate, provide the certificate chain.

    • If this certificate is a local certificate, paste in its private key.

  8. Choose Import certificate to complete the process and save the details for the imported certificate.

Note

TLS certificates can only be imported as a partner's public certificate. If you select Public certificate from a partner, and then select Transport Layer Security (TLS) for the usage, you receive a warning. Also, TLS certificates must be self-signed (that is, you must select Self Signed Certificate to import a TLS certificate).

AS2 certificate rotation

Often, certificates are valid for a period of six months to a year. You might have set up profiles that you want to persist for a longer duration. To facilitate this, Transfer Family provides certificate rotation. You can specify multiple certificates for a profile, allowing you to keep using the profile for multiple years. Transfer Family uses certificates for signing (optional) and encryption (mandatory). You can specify a single certificate for both purposes, if you like.

Certificate rotation is the process of replacing an old expiring certificate with a newer certificate. The transition is a gradual one to avoid disrupting transfers where a partner in the agreement has yet to configure a new certificate for outbound transfers or might be sending payloads that are signed or encrypted with an old certificate during a period when a newer certificate might also be in use. The intermediate period where both old and new certificates are valid is referred to as a grace period.

X.509 certificates have Not Before and Not After dates. However, these parameters might not provide enough control for administrators. Transfer Family provides Active Date and Inactive Date settings to control which certificate is used for outbound payloads and which is accepted for inbound payloads.

Outbound certificate selection uses the maximum value that is prior to the date of the transfer as an Inactive Date. Inbound processes accept certificates within the range of Not Before and Not After and within the range of Active Date and Inactive Date.

The following table describes one possible way to configure two certificates for a single profile.

Two certificates in rotation

Name                        NOT BEFORE    ACTIVE DATE   INACTIVE DATE   NOT AFTER
Cert1 (older certificate)   2019-11-01    2020-01-01    2020-12-31      2024-01-01
Cert2 (newer certificate)   2020-11-01    2020-06-01    2021-06-01      2025-01-01

NOT BEFORE and NOT AFTER are controlled by the certificate authority; ACTIVE DATE and INACTIVE DATE are set by Transfer Family.

Note the following:

  • When you specify an Active Date and Inactive Date for a certificate, the range must be inside the range between Not Before and Not After.

  • We recommend that you configure several certificates for each profile, making sure that the active date range for all the certificates combined covers the amount of time for which you want to use the profile.

  • We recommend that you specify some grace time between when your older certificate becomes inactive and when your newer certificate becomes active. In the preceding example, the first certificate does not become inactive until 2020-12-31, while the second certificate becomes active on 2020-06-01, providing a 6-month grace period. During the period from 2020-06-01 until 2020-12-31, both certificates are active.
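The window rules above (Active/Inactive inside Not Before/Not After, inbound acceptance inside both ranges, a grace period where two certificates overlap, no day on which the profile has no active certificate) can be checked before the certificates are imported. The following is an added example, not Transfer Family code; the sample dates are constructed and only mirror the six-month overlap of the preceding table.

```python
# Added example, not Transfer Family code: models the certificate date windows
# described above so a rotation plan can be checked before certificates are imported.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class As2Cert:
    name: str
    not_before: date     # set by the certificate authority
    not_after: date      # set by the certificate authority
    active_date: date    # set in Transfer Family
    inactive_date: date  # set in Transfer Family

    def window_is_valid(self) -> bool:
        """Active/Inactive range must sit inside the Not Before/Not After range."""
        return self.not_before <= self.active_date < self.inactive_date <= self.not_after

    def accepts_inbound(self, on: date) -> bool:
        """Inbound payloads are accepted only inside both ranges."""
        return (self.not_before <= on <= self.not_after
                and self.active_date <= on <= self.inactive_date)

def inbound_accepted(certs, on):
    """Names of the certificates that accept an inbound payload on the given day."""
    return [c.name for c in certs if c.accepts_inbound(on)]

def grace_period(older, newer):
    """First and last day on which both certificates are active, or None if there is a gap."""
    start = max(older.active_date, newer.active_date)
    end = min(older.inactive_date, newer.inactive_date)
    return (start, end) if start <= end else None

def coverage_gaps(certs):
    """Days between the earliest Active Date and the latest Inactive Date on which
    no certificate is active; any such day makes the profile unusable."""
    day = min(c.active_date for c in certs)
    last = max(c.inactive_date for c in certs)
    gaps = []
    while day <= last:
        if not any(c.active_date <= day <= c.inactive_date for c in certs):
            gaps.append(day)
        day += timedelta(days=1)
    return gaps

# Constructed sample profile (not the table above): the same six-month overlap,
# with Not Before dates chosen so that each active window lies inside its validity.
CERT1 = As2Cert("Cert1", date(2019, 11, 1), date(2024, 1, 1), date(2020, 1, 1), date(2020, 12, 31))
CERT2 = As2Cert("Cert2", date(2020, 5, 1), date(2025, 1, 1), date(2020, 6, 1), date(2021, 6, 1))
PROFILE = [CERT1, CERT2]
```

Running `coverage_gaps` over every certificate attached to a profile before the old one goes inactive is the check that catches a rotation plan with a hole in it.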

Create AS2 profiles

Use this procedure to create both local and partner profiles. This procedure explains how to create AS2 profiles by using the Transfer Family console. If you want to use the Amazon CLI instead, see Step 4: Create profiles for you and your trading partner.

To create an AS2 profile
  1. Open the Amazon Transfer Family console at https://console.amazonaws.cn/transfer/.

  2. In the left navigation pane, under AS2 Trading Partners, choose Profiles, then choose Create profile.

  3. In the Profile configuration section, enter the AS2 ID for the profile. This value is carried in the AS2-specific HTTP headers as2-from and as2-to; it identifies the trading partnership, which in turn determines which certificates are used for the exchange.

  4. In the Profile type section, choose Local profile or Partner profile.

  5. In the Certificates section, choose one or more certificates from the dropdown menu.

    Note

    If you want to import a certificate that is not listed in the dropdown menu, select Import a new Certificate. This opens a new browser window at the Import certificate screen. For the import procedure, see Import AS2 certificates.

  6. (Optional) In the Tags section, specify one or more key-value pairs to help identify this profile.

  7. Choose Create profile to complete the process and save the new profile.

Create AS2 agreements

Agreements are associated with Transfer Family servers. An agreement specifies the details for a trading partner that uses the AS2 protocol to exchange messages or files by using Transfer Family. Agreements cover inbound transfers, that is, sending AS2 files from an external, partner-owned source to a Transfer Family server.

This procedure explains how to create AS2 agreements by using the Transfer Family console. If you want to use the Amazon CLI instead, see Step 5: Create an agreement between you and your partner.

To create an agreement for a Transfer Family server
  1. Open the Amazon Transfer Family console at https://console.amazonaws.cn/transfer/.

  2. In the left navigation pane, choose Servers, and then choose a server that uses the AS2 protocol.

  3. On the server details page, scroll down to the Agreements section.

    Console screenshot showing the Agreements section with an agreement ID and status of ACTIVE.
  4. Choose Add agreement.

  5. Fill in the agreement parameters, as follows:

    1. In the Agreement configuration section, enter a descriptive name. Make sure that you can identify the agreement's purpose by its name. Also, set the Status for the agreement: either Active (selected by default) or Inactive.

    2. In the Communication configuration section, choose a local profile and a partner profile.

    3. In the Inbox folder configuration section, choose an Amazon S3 bucket to store incoming files and an IAM role that can access the bucket. Optionally, you can enter a prefix (folder) to use for storing files in the bucket.

      For example, if you enter DOC-EXAMPLE-BUCKET for your bucket and incoming for your prefix, your incoming files are saved to the /DOC-EXAMPLE-BUCKET/incoming folder.

    4. (Optional) Add tags in the Tags section.

    5. After you have entered all the information for the agreement, choose Create agreement.

The new agreement appears in the Agreements section of the server details page.