How To Check the Encryption Certificate of an AS2 EDIINT Data
Applicability Statement 2, though widely used, can be tricky to troubleshoot. See to find out details of certificate used for as2 encryption in ediint data.
Join the DZone community and get the full member experience.
Join For FreeAS2 aka Applicability Statement 2 communication protocol, one of the most widely used secured protocols used in the B2B world can sometimes be very tricky to troubleshoot, especially when you are trying to set up a new connection with your trading partner.
There can be numerous different reasons why your AS2 setup may not be working but in this particular article we are only going to talk about the error "insufficient-message-security" which comes in a negative MDN originated from the receiving party.
AS2 Configuration Used In My Example
| S/MIME | SignedandEncrypted |
| Digital Signature Algorithm | SHA1 |
| Message Encryption Algorithm | 3DES |
What the Disposition Information Looks Like:
| <Disposition> <DispositionMode ActionMode="automatic-action" SendingMode="MDN-sent-automatically"/> <DispositionType>processed</DispositionType> <DispositionModifier>error</DispositionModifier> </Disposition> <Error>insufficient-message-security</Error> |
This is a clear indication that something isn't right with the security of the message and something to do with the encryption algorithm or the certificates.
While sending an outbound message to the trading partner below is what a typical AS2 system does, in the same sequence:
- Sign the message using own private key
- Encrypt the message using partner public key
The AS2 ediint data looks like gibberish and obviously cannot be read because it is encrypted.
So there are two ways to verify if the outgoing message was encrypted with the correct certificate.
- First is that you check the AS2 configuration and verify that section indicating, partner certificate (Outbound data encryption) has the correct certificate selected.
- Secondly, there can be situations when you get into catch 22 situation with your trading partner and have to prove that the correct encryption certificate is applied and used for AS2 data encryption. Here's what you can do:-
Ask your partner for the AS2 ediintdata, which is completely encrypted and would look like a binary file, and perform the following steps.
1. Open the encrypted payload in notepad++ and if it has headers to it, chuck them off and make sure you just have the binary data in the file.
2. Now, let's convert the binary AS2 message into Base64 with help of Notepad++ commands.
- Ctrl+A (select all data)
- Plugins->Mime Tools->Base64 Encode with Unix EOL
3. After step 2 we will get the Base 64 encoded data in the following format:-
4. Now we just have to run a simple OpenSSL command on the Base 64 data from step 3 and we get what we need. This command is called asn1parse command and the output is stored in the As1
This command will output the ASN1parse information on the console itself:
- openssl asn1parse -i -in ediintdata.txt
This command will output the ASN1parse information into the file Asn1ParseReport.txt
- openssl asn1parse -i -in ediintdata.txt > Asn1ParseReport.txt
Below is how the ASN1Parse structure looks like and how information is grouped. You will notice that all the information related to the encryption certificate is available along with the Serial number of the certificate that's used and the encryption algorithm.
Using this method it becomes very easy to troubleshoot and find out the certificate that is being used by any of the trading partners to encrypt the data is the correct one or not.
Thanks for the read, please feel free to pour in your thoughts and feedback.
Opinions expressed by DZone contributors are their own.
Comments