/n software Connectors for MuleSoft

AS2 Configuration

The connector accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the connector, access to these internal properties is provided through the Other property.

AS2 Configuration Settings

AcceptAnySignerCert:   Used to accept any signing certificate unconditionally.

If AcceptAnySignerCert is set to true, the connector will accept any signer certificate for the incoming signature, so a valid signature then proves only that some key signed the message, not that a known trading partner did. Use of this setting in production is discouraged, as failing to authenticate the sender poses a security risk.

AS2MessageId:   The Id of the message.

The Id format is as in RFC 2822: id-left@id-right.

A unique Id will automatically be generated on startup. Sending a message will reset id-left if the MessageId has been used in the previous message.

If you set MessageId to a string of the form "@(id-right)", a unique id-left will be generated with the given id-right. If you set MessageId to an empty string, a new MessageId will be generated with the same id-right as the previous message.

The default value is empty string, meaning the connector will generate a unique Id.

This setting is only applicable to the send connector.

AS2Subject:   The subject of the message.

The optional human-readable subject of the message. Some AS2 partners will use this field to send additional information about the transmission at the transport layer.

This setting is only applicable to the send connector.

ErrorProcessingFlags:   Flags controlling how errors affect ProcessRequest.

ErrorProcessingFlags is a bitmask of values controlling which errors halt processing of an incoming request (ErrorReportingFlags, below, separately controls what the MDN reports). The connector can be configured to not halt for certain types of errors by setting ErrorProcessingFlags to the OR of one or more of the following values:

0x04 (4)    Unable to validate integrity of data, or unsupported signing protocol used.
0x08 (8)    Unable to authenticate the sender.
0x10 (16)   Client requested unsupported signature type.
0x20 (32)   Client requested unsupported MIC algorithm.

Note: a value that includes 0x04 or 0x08 means payloads whose signature did not verify, or whose signer is not a trusted partner, are still handed on for processing; downstream flows must treat such data as unauthenticated.

ErrorReportingFlags:   Flags controlling how errors affect the MDNReceipt.

By default, the MDN will report an error if any of the conditions below occur. The MIC will not be calculated and the data will be reported as unprocessed. However, the MDN may be configured to permit one or more of the errors below. A warning will be reported if MDNWarning is set; otherwise the error will silently be ignored.

Multiple errors may be permitted by setting ErrorReportingFlags to the OR of one or more of the following values:

0x04 (4)    Unable to validate integrity of data, or unsupported signing protocol used.
0x08 (8)    Unable to authenticate the sender.
0x10 (16)   Client requested unsupported signature type.
0x20 (32)   Client requested unsupported MIC algorithm.

Note: errors should be ignored only with extreme caution, and only by agreement of both trading parties.

From:   The email address of the HTTP agent (optional).

If the From setting contains a non-empty string, an HTTP From header is added to the request. This header generally gives the email address of the requester of the document.

This setting is only applicable to the send connector.

LogDebug:   Whether to log debug data.

This setting specifies whether to log debug data. When set to True the connector will create additional files in the LogDirectory. The default value is False.

When sending, files with extensions ".input", ".sign", ".compress", and ".encrypt" may be created. When receiving, files with extensions ".input", ".verify", ".decompress", and ".decrypt" may be created. These files capture the message at each processing stage, so on the receive side they include the payload after decryption; restrict access to LogDirectory and leave LogDebug at False in production.

MDNDeliveryOption:   A URL indicating how the receipt is to be delivered.

The default mode of operation is for the receipt to be returned synchronously within the HTTP reply. By specifying a valid URL, the user may request asynchronous delivery instead. The URL indicates the destination for the reply, and may use any appropriate protocol, such as "mailto", "http", or "https".

If this is set to an empty string (default), the receipt will be returned synchronously, and will be processed automatically by the connector. Clients requesting asynchronous delivery should provide their own processing for reading receipts. This is applicable to the send connector only.

MDNWarning:   A warning to appear in the MDN.

MDNWarning defines a warning to appear in the outgoing MDN. If any errors are found and not explicitly allowed in ErrorReportingFlags, the errors will take precedence and the warning will not be reported.

MDNWarning should be assigned when allowing errors to be ignored via the ErrorReportingFlags property. The MDN will indicate successful processing of the request, but will contain a warning field. The following warning is defined by the AS2 specifications:

"authentication-failed, processing continued"

Any other warnings are not defined by the specifications and may or may not be understood by the client.

SignatureAlgorithm:   Signature algorithm to be used in outgoing messages.

The Signature Algorithm can be set to indicate the preferred signing algorithm. Possible values are:

  • sha1
  • md5
  • sha-224
  • sha-256 (default)
  • sha-384
  • sha-512
The default value is "sha-256". The md5 and sha1 values remain only for partners that cannot verify anything newer; practical collision attacks exist for both, so they should not be chosen for new trading agreements. MDNOptions will need to be updated to reflect the selected algorithm if the MDN receipt is to be signed with the same algorithm. For example:
 signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha-256
 
This is applicable to the send connector only.
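As an added example, not code from the connector or from /n software, the following Python script applies the AS2MessageId rules described above (empty string, "@(id-right)", explicit id, and the reset on reuse) and produces the MDNOptions value that matches a chosen SignatureAlgorithm. The random id-left generator, the default id-right and the sender_settings helper are assumptions for illustration; the connector's own generator is not public.

```python
import re
import secrets
from typing import Dict, Optional

# Added example, not connector code: emulates the AS2MessageId rules documented
# above and builds the MDNOptions value that matches the chosen SignatureAlgorithm.
# new_id_left(), the default id-right and sender_settings() are assumptions.

# RFC 2822 shape the setting expects: id-left@id-right (no whitespace, one "@").
_MSGID_RE = re.compile(r"^[^@\s<>()]+@[^@\s<>()]+$")

SIGNATURE_ALGORITHMS = ("sha1", "md5", "sha-224", "sha-256", "sha-384", "sha-512")
WEAK_SIGNATURE_ALGORITHMS = ("sha1", "md5")  # practical collision attacks exist


def new_id_left() -> str:
    """Fresh unguessable id-left (128 random bits; the docs only require uniqueness)."""
    return secrets.token_hex(16)


def next_message_id(setting: str, previous: Optional[str], default_right: str = "as2.example") -> str:
    """Apply the documented rules to the AS2MessageId setting.

    ""            -> new id-left, id-right kept from the previous message
    "@(id-right)" -> new id-left with the given id-right
    "left@right"  -> used as is, unless it repeats the previous id (then id-left is reset)
    """
    if previous is not None and not _MSGID_RE.match(previous):
        raise ValueError("previous Message-ID is not of the form id-left@id-right")
    prev_right = previous.split("@", 1)[1] if previous else default_right

    if setting == "":
        return f"{new_id_left()}@{prev_right}"
    if setting.startswith("@"):
        right = setting[1:]
        if right.startswith("(") and right.endswith(")"):  # accept the docs' "@(id-right)" notation
            right = right[1:-1]
        if not _MSGID_RE.match("x@" + right):
            raise ValueError("id-right must be a single token without whitespace or '@'")
        return f"{new_id_left()}@{right}"
    if not _MSGID_RE.match(setting):
        raise ValueError("MessageId must be of the form id-left@id-right")
    if setting == previous:  # reuse would make MDN correlation ambiguous: reset id-left
        return f"{new_id_left()}@{prev_right}"
    return setting


def mdn_options(signature_algorithm: str, allow_weak: bool = False) -> str:
    """Disposition-Notification-Options value requesting a receipt signed with the same hash."""
    alg = signature_algorithm.lower()
    if alg not in SIGNATURE_ALGORITHMS:
        raise ValueError(f"unsupported SignatureAlgorithm: {signature_algorithm}")
    if alg in WEAK_SIGNATURE_ALGORITHMS and not allow_weak:
        raise ValueError(f"{alg} is collision-prone; pass allow_weak=True only by partner agreement")
    return f"signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, {alg}"


def sender_settings(signature_algorithm: str, message_id_setting: str = "",
                    previous: Optional[str] = None) -> Dict[str, str]:
    """Values a caller would set on the send connector (MDNOptions is a connector property,
    AS2MessageId and SignatureAlgorithm go in the Other property)."""
    return {
        "AS2MessageId": next_message_id(message_id_setting, previous),
        "SignatureAlgorithm": signature_algorithm,
        "MDNOptions": mdn_options(signature_algorithm),
    }


if __name__ == "__main__":
    for key, value in sender_settings("sha-256", previous="abc123@partner.example").items():
        print(f"{key}={value}")
```

mdn_options refuses md5 and sha1 unless allow_weak=True, which mirrors the caveat above; the reset on a repeated Message-ID matters because the receipt (MDN) is correlated to the original message by that id.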

SMTPFrom:   The senders address for asynchronous MDN delivery.

If an asynchronous MDN is requested to be sent over SMTP this specifies the sender. This is applicable to the receive connector only.

SMTPServer:   The SMTP server for asynchronous MDN delivery.

If an asynchronous MDN is requested to be sent over SMTP this specifies the server. This is applicable to the receive connector only.

SMTPSubject:   The SMTP message subject for asynchronous MDN delivery.

If an asynchronous MDN is requested to be sent over SMTP this specifies the subject. This is applicable to the receive connector only.

UseChunkedEncoding:   Whether to chunk outgoing posts.

When sending, this setting controls whether data is chunked. Chunking allows data to be streamed as it is available instead of preparing the entire message first. It is recommended to set this to True if sending very large files. The default value is False.

UseOAEP:   Whether to use Optimal Asymmetric Encryption Padding (OAEP) when encrypting the key with RSA.

If set to true, OAEP will be used when encrypting the key. By default this value is False and the component will use PKCS1 (PKCS#1 v1.5 padding). Only applicable when sending AS2 messages. OAEP is the padding recommended for RSA key transport, so enable it whenever the receiving partner supports it. The following optional settings apply when this is set to True:

OAEPMGF1HashAlgorithm:   The MGF1 hash algorithm used when encrypting a key.

When UseOAEP is True, this algorithm specifies the MGF1 hash algorithm used for the encryption key by RSA OAEP. Possible values are:

  • "SHA1"
  • "SHA224"
  • "SHA256" (default)
  • "SHA384"
  • "SHA512"

Note: An empty string value indicates that the algorithm specified by OAEPRSAHashAlgorithm is used as the MGF1 hash algorithm as well.

OAEPRSAHashAlgorithm:   The RSA hash algorithm used when encrypting a key.

When UseOAEP is True, this algorithm specifies the RSA hash algorithm used for the encryption key (the hash OAEP itself uses, as distinct from the MGF1 hash). This may differ from the hash algorithm used to sign the AS2 message content. Possible values are:

  • "SHA1"
  • "SHA224"
  • "SHA256" (default)
  • "SHA384"
  • "SHA512"

OAEPParams:   The hex encoded OAEP parameters to be used when encrypting a key.

This setting is optional and should only be specified if OAEP parameters need to be explicitly set. The value specified should be a hex string. By default this setting is unspecified.

UsePSS:   Whether to use RSA-PSS when signing.

If set to true, RSA-PSS will be used when signing messages. The default value is False. Note that the certificate used to sign does not itself need to be signed with RSA-PSS; any valid RSA certificate may be used with this setting.

UserAgent:   Information about the user agent.

The default value is "IP*Works! AS2 Transmitter - www.nsoftware.com".
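To make the two OAEP hash settings concrete, here is an added example, not connector code, that implements the RFC 8017 EME-OAEP padding with separate hashes for lHash (what OAEPRSAHashAlgorithm selects) and for MGF1 (what OAEPMGF1HashAlgorithm selects). This is the byte layout an RSA key-transport step must produce when UseOAEP is True; the RSA modular exponentiation itself is omitted, and treating the OAEP label as the content of OAEPParams is an assumption.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not connector code: the RFC 8017 EME-OAEP byte layout that the
# UseOAEP settings above parameterise. OAEPRSAHashAlgorithm is the hash OAEP uses
# for lHash (it also fixes the seed length); OAEPMGF1HashAlgorithm is the hash
# inside MGF1. The RSA operation that follows the padding is left out, and
# mapping the OAEP label to OAEPParams is an assumption.

HASHES = {"SHA1": "sha1", "SHA224": "sha224", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}


def _digest(hash_name: str, data: bytes) -> bytes:
    return hashlib.new(HASHES[hash_name], data).digest()


def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || C) for C = 0, 1, ... until `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += _digest(hash_name, seed + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, rsa_hash: str = "SHA256", mgf1_hash: str = "",
                label: bytes = b"", seed: Optional[bytes] = None) -> bytes:
    """EME-OAEP-ENCODE: returns the k-byte EM = 0x00 || maskedSeed || maskedDB."""
    mgf1_hash = mgf1_hash or rsa_hash          # empty setting: MGF1 reuses the RSA hash
    lhash = _digest(rsa_hash, label)
    hlen = len(lhash)
    if len(message) > k - 2 * hlen - 2:
        raise ValueError("message too long")
    seed = os.urandom(hlen) if seed is None else seed
    if len(seed) != hlen:
        raise ValueError("seed must be hLen bytes")
    ps = b"\x00" * (k - len(message) - 2 * hlen - 2)
    db = lhash + ps + b"\x01" + message
    masked_db = _xor(db, mgf1(seed, k - hlen - 1, mgf1_hash))
    masked_seed = _xor(seed, mgf1(masked_db, hlen, mgf1_hash))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, rsa_hash: str = "SHA256", mgf1_hash: str = "",
                label: bytes = b"") -> bytes:
    """EME-OAEP-DECODE: inverts oaep_encode; any mismatch yields one generic error."""
    mgf1_hash = mgf1_hash or rsa_hash
    lhash = _digest(rsa_hash, label)
    hlen = len(lhash)
    if len(em) != k or k < 2 * hlen + 2:
        raise ValueError("decoding error")
    y, masked_seed, masked_db = em[0], em[1:1 + hlen], em[1 + hlen:]
    seed = _xor(masked_seed, mgf1(masked_db, hlen, mgf1_hash))
    db = _xor(masked_db, mgf1(seed, k - hlen - 1, mgf1_hash))
    lhash_prime, rest = db[:hlen], db[hlen:]
    sep = rest.find(b"\x01")
    # Evaluate every check and report a single error so the caller cannot learn
    # which one failed (that distinction is what Manger-style padding oracles use).
    ok = (y == 0) & hmac.compare_digest(lhash_prime, lhash) & (sep >= 0) & (not any(rest[:max(sep, 0)]))
    if not ok:
        raise ValueError("decoding error")
    return rest[sep + 1:]


if __name__ == "__main__":
    cek = os.urandom(32)  # constructed stand-in for an AES-256 content-encryption key
    em = oaep_encode(cek, 256, rsa_hash="SHA256", mgf1_hash="SHA1")
    assert oaep_decode(em, 256, rsa_hash="SHA256", mgf1_hash="SHA1") == cek
    print("2048-bit OAEP (SHA-256 label hash, MGF1-SHA1) round trip ok")
```

The point the two settings make is visible in the decoder: if either side uses a different lHash hash or a different MGF1 hash, the recovered DB no longer starts with the expected lHash and decoding fails, which is why both values must match what the partner's software expects.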

SSL Configuration Settings

ReuseSSLSession:   Determines if the SSL session is reused.

If set to true, the connector will reuse the context if and only if the following criteria are met:

  • The target host name is the same.
  • The system cache entry has not expired (default timeout is 10 hours).
  • The application process that calls the function is the same.
  • The logon session is the same.
  • The instance of the connector is the same.

SSLCipherStrength:   The minimum cipher strength used for bulk encryption.

This minimum cipher strength is largely dependent on the security modules installed on the system. If the cipher strength specified is not supported, an error will be returned when connections are initiated.

Please note that this setting contains the minimum cipher strength requested from the security library.

Use this setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities in your application.

SSLEnabledProtocols:   Used to enable/disable the supported security protocols.

Not all supported protocols are enabled by default (the default value of this setting is 4032, which is TLS 1.2, TLS 1.1 and TLS 1.0 together). If you want more granular control over the enabled protocols, you can set this property to the binary 'OR' of one or more of the following values:

TLS1.3   12288 (Hex 3000) (Experimental)
TLS1.2   3072 (Hex C00) (Default)
TLS1.1   768 (Hex 300) (Default)
TLS1     192 (Hex C0) (Default)
SSL3     48 (Hex 30)
SSL2     12 (Hex 0C)

SSL 2 and SSL 3 have known protocol-level breaks and should never be enabled. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so a value of 3072 (TLS 1.2 only) is the safer choice unless a trading partner is known to require an older version.

Note: TLS 1.1 and TLS1.2 support are only available starting with Windows 7.

Note: Enabling TLS 1.3 will automatically set UseInternalSecurityAPI to True.

SSLIncludeCertChain:   Whether the entire certificate chain is included in the transport log.

This setting specifies whether the transport log contains the full certificate chain. By default this value is False and only the leaf certificate will be present.

If set to True all certificates returned by the server will be present in the transport log. This includes the leaf certificate, any intermediate certificates, and the root certificate.

Note: When UseInternalSecurityAPI is set to True this value is automatically set to True. This is needed for proper validation when using the internal provider.

SSLSecurityFlags:   Flags that control certificate verification.

The following flags are defined (specified in hexadecimal notation). They can be or-ed together to ignore multiple conditions:

0x00000001   Ignore time validity status of certificate.
0x00000002   Ignore time validity status of CTL.
0x00000004   Ignore non-nested certificate times.
0x00000010   Allow unknown Certificate Authority.
0x00000020   Ignore wrong certificate usage.
0x00000100   Ignore unknown certificate revocation status.
0x00000200   Ignore unknown CTL signer revocation status.
0x00000400   Ignore unknown Certificate Authority revocation status.
0x00000800   Ignore unknown Root revocation status.
0x00008000   Allow test Root certificate.
0x00004000   Trust test Root certificate.
0x80000000   Ignore non-matching CN (certificate CN not-matching server name).

Each flag removes one check from server certificate validation. Setting 0x00000010 together with 0x80000000 accepts a certificate from any issuer for any name, which leaves the TLS connection with no server authentication at all; such values belong only in isolated test environments.

SSLEnabledCipherSuites:   The cipher suite to be used in an SSL negotiation.

The enabled cipher suites to be used in SSL negotiation.

By default, the enabled cipher suites will include all available ciphers ("*").

The special value "*" means that the connector will pick all of the supported cipher suites. If SSLEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered.

Multiple cipher suites are separated by semicolons.

Example values when UseInternalSecurityAPI is False (default):

// The "Other" property could contain ONE of the following lines:
SSLEnabledCipherSuites=*
SSLEnabledCipherSuites=CALG_AES_256
SSLEnabledCipherSuites=CALG_AES_256;CALG_3DES
Possible values when UseInternalSecurityAPI is False (default) include:
  • CALG_3DES
  • CALG_3DES_112
  • CALG_AES
  • CALG_AES_128
  • CALG_AES_192
  • CALG_AES_256
  • CALG_AGREEDKEY_ANY
  • CALG_CYLINK_MEK
  • CALG_DES
  • CALG_DESX
  • CALG_DH_EPHEM
  • CALG_DH_SF
  • CALG_DSS_SIGN
  • CALG_ECDH
  • CALG_ECDH_EPHEM
  • CALG_ECDSA
  • CALG_ECMQV
  • CALG_HASH_REPLACE_OWF
  • CALG_HUGHES_MD5
  • CALG_HMAC
  • CALG_KEA_KEYX
  • CALG_MAC
  • CALG_MD2
  • CALG_MD4
  • CALG_MD5
  • CALG_NO_SIGN
  • CALG_OID_INFO_CNG_ONLY
  • CALG_OID_INFO_PARAMETERS
  • CALG_PCT1_MASTER
  • CALG_RC2
  • CALG_RC4
  • CALG_RC5
  • CALG_RSA_KEYX
  • CALG_RSA_SIGN
  • CALG_SCHANNEL_ENC_KEY
  • CALG_SCHANNEL_MAC_KEY
  • CALG_SCHANNEL_MASTER_HASH
  • CALG_SEAL
  • CALG_SHA
  • CALG_SHA1
  • CALG_SHA_256
  • CALG_SHA_384
  • CALG_SHA_512
  • CALG_SKIPJACK
  • CALG_SSL2_MASTER
  • CALG_SSL3_MASTER
  • CALG_SSL3_SHAMD5
  • CALG_TEK
  • CALG_TLS1_MASTER
  • CALG_TLS1PRF
Example values when UseInternalSecurityAPI is True:
// The "Other" property could contain ONE of the following lines:
SSLEnabledCipherSuites=*
SSLEnabledCipherSuites=TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSLEnabledCipherSuites=TLS_DHE_DSS_WITH_AES_128_CBC_SHA;TLS_DH_ANON_WITH_AES_128_CBC_SHA
Possible values when UseInternalSecurityAPI is True include:
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA

If SSLEnabledProtocols is configured to use TLS 1.3 the following values are supported:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384

SSLEnabledCipherSuites is used together with SSLCipherStrength.

TLS12SignatureAlgorithms:   Defines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True.

This setting specifies the allowed server certificate signature algorithms when UseInternalSecurityAPI is True and SSLEnabledProtocols is set to allow TLS 1.2.

When specified the connector will verify that the server certificate signature algorithm is among the values specified in this setting. If the server certificate signature algorithm is unsupported the connector will fail with an error.

The format of this value is a comma separated list of hash-signature combinations. For instance:

// The "Other" property could contain ALL of these lines:
UseInternalSecurityAPI=true
SSLEnabledProtocols=3072
TLS12SignatureAlgorithms=sha1-rsa,sha1-dsa,sha256-rsa,sha256-dsa
The default value for this setting is "sha1-rsa,sha1-dsa,sha224-rsa,sha224-dsa,sha256-rsa,sha256-dsa,sha384-rsa,sha384-dsa,sha512-rsa,sha512-dsa".

In order to not restrict the server's certificate signature algorithm, specify an empty string as the value for this setting, which will cause the signature_algorithms TLS 1.2 extension to not be sent.
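The following added Python script, not connector code, serves the ErrorReportingFlags/ErrorProcessingFlags, SSLEnabledProtocols, SSLSecurityFlags, SSLEnabledCipherSuites and SignatureAlgorithm passages on this page together: it parses an "Other" property block, decodes the three bitmask settings using the tables above, and lists the choices a reviewer would question before a deployment. The sample block is constructed, and the weak-suite substring list and the wording of the findings are assumptions.

```python
from typing import Dict, List

# Added example, not connector code: parses the key=value lines that go into the
# connector's "Other" property, decodes the bitmask settings documented on this
# page and reports choices that weaken sender authentication or TLS.
# WEAK_SUITE_TOKENS and the finding texts are assumptions; the flag tables are the page's.

ERROR_FLAGS = {
    0x04: "integrity of data not validated, or unsupported signing protocol",
    0x08: "sender not authenticated",
    0x10: "unsupported signature type requested",
    0x20: "unsupported MIC algorithm requested",
}
PROTOCOL_FLAGS = {0x3000: "TLS1.3", 0xC00: "TLS1.2", 0x300: "TLS1.1", 0xC0: "TLS1", 0x30: "SSL3", 0x0C: "SSL2"}
SECURITY_FLAGS = {
    0x00000001: "ignore certificate time validity", 0x00000002: "ignore CTL time validity",
    0x00000004: "ignore non-nested certificate times", 0x00000010: "allow unknown CA",
    0x00000020: "ignore wrong certificate usage", 0x00000100: "ignore unknown certificate revocation status",
    0x00000200: "ignore unknown CTL signer revocation status", 0x00000400: "ignore unknown CA revocation status",
    0x00000800: "ignore unknown root revocation status", 0x00008000: "allow test root",
    0x00004000: "trust test root", 0x80000000: "ignore non-matching CN",
}
WEAK_SUITE_TOKENS = ("RC4", "DES", "RC2", "NULL", "ANON", "MD5", "EXPORT")  # substring match; "DES" also catches 3DES


def parse_other(text: str) -> Dict[str, str]:
    """One key=value per line; blank lines and // comments are skipped. Keys are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        settings[key.strip().lower()] = value.strip()
    return settings


def parse_int(value: str) -> int:
    """Accept decimal ("4032") or hex ("0xFC0"), the two forms the tables use."""
    return int(value, 0)


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Names of every table entry whose bits are all set in value (TLS1.3 is a two-bit entry)."""
    return [name for bit, name in table.items() if (value & bit) == bit]


def audit_other(text: str) -> List[str]:
    s = parse_other(text)
    findings = []
    if s.get("acceptanysignercert", "").lower() == "true":
        findings.append("AcceptAnySignerCert=true: any signer certificate is trusted, so the sender is not authenticated")
    for key in ("ErrorReportingFlags", "ErrorProcessingFlags"):
        for name in decode_flags(parse_int(s.get(key.lower(), "0")), ERROR_FLAGS):
            findings.append(f"{key} permits: {name}")
    if parse_int(s.get("errorreportingflags", "0")) and not s.get("mdnwarning"):
        findings.append("ErrorReportingFlags set without MDNWarning: permitted errors are silently dropped from the MDN")
    # Absent setting means the documented default 4032 (TLS 1.2, 1.1 and 1.0).
    for proto in decode_flags(parse_int(s.get("sslenabledprotocols", "4032")), PROTOCOL_FLAGS):
        if proto in ("SSL2", "SSL3", "TLS1", "TLS1.1"):
            findings.append(f"SSLEnabledProtocols enables {proto}")
    for name in decode_flags(parse_int(s.get("sslsecurityflags", "0")), SECURITY_FLAGS):
        findings.append(f"SSLSecurityFlags: {name}")
    suites = s.get("sslenabledciphersuites", "*")
    if suites != "*":
        for suite in suites.split(";"):
            if any(tok in suite.upper() for tok in WEAK_SUITE_TOKENS):
                findings.append(f"weak cipher suite enabled: {suite}")
    if s.get("signaturealgorithm", "").lower() in ("md5", "sha1"):
        findings.append(f"SignatureAlgorithm={s['signaturealgorithm']}: collision-prone hash for AS2 signatures")
    if s.get("useoaep", "false").lower() != "true":
        findings.append("UseOAEP is not true: RSA key transport uses PKCS#1 v1.5 padding")
    return findings


SAMPLE_OTHER = """\
// constructed sample, not a real deployment
AcceptAnySignerCert=true
ErrorReportingFlags=0x08
SSLEnabledProtocols=4092
SSLSecurityFlags=0x80000010
SSLEnabledCipherSuites=TLS_RSA_WITH_AES_128_GCM_SHA256;TLS_RSA_WITH_RC4_128_MD5
SignatureAlgorithm=sha1
"""

if __name__ == "__main__":
    for finding in audit_other(SAMPLE_OTHER):
        print("-", finding)
```

Running it on the constructed sample flags the accept-anything signer setting, the 0x08 bit that lets unauthenticated senders through the MDN, SSL 2/SSL 3 and TLS 1.0/1.1 (4092 = 4032 | 0x30 | 0x0C), the two verification flags that together disable server authentication, the RC4/MD5 suite and the sha1 signature; a block containing only SSLEnabledProtocols=3072, SignatureAlgorithm=sha-256 and UseOAEP=true produces no findings.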

TLSNamedGroups:   The supported (EC)DHE groups.

This setting specifies a comma separated list of (EC)DHE groups that are supported for key exchange. The values are ordered from most preferred to least preferred. The following values are supported:

  • "ecdhe_secp256r1" (default)
  • "ecdhe_secp384r1" (default)
  • "ecdhe_secp521r1"
  • "ffdhe_2048" (default)
  • "ffdhe_3072" (default)
  • "ffdhe_4096"
  • "ffdhe_6144"
  • "ffdhe_8192"

The default value is ecdhe_secp256r1,ecdhe_secp384r1,ffdhe_2048,ffdhe_3072. This setting is only applicable when SSLEnabledProtocols includes TLS 1.3. Note that groups of larger size require more computational resources and will impact performance.

TLS13SignatureAlgorithms:   The allowed certificate signature algorithms.

This setting holds a comma separated list of allowed signature algorithms. Possible values are:

  • "rsa_pkcs1_sha256" (default)
  • "rsa_pkcs1_sha384" (default)
  • "rsa_pkcs1_sha512" (default)
The default value is rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512. This setting is only applicable when SSLEnabledProtocols includes TLS 1.3.

General Configuration Settings

AbsoluteTimeout:   Determines whether timeouts are inactivity timeouts or absolute timeouts.

If AbsoluteTimeout is set to True, any method which does not complete within Timeout seconds will be aborted. By default, AbsoluteTimeout is False, and the timeout is an inactivity timeout.

LocalHost:   The name of the local host or user-assigned IP interface through which connections are initiated or accepted.

The LocalHost configuration contains the name of the local host as obtained by the Gethostname() system call, or if the user has assigned an IP address, the value of that address.

In multihomed hosts (machines with more than one IP interface) setting LocalHost to the value of an interface will make the connector initiate connections (or accept in the case of server connectors) only through that interface.

If the connector is connected, the LocalHost configuration shows the IP address of the interface through which the connection is made in internet dotted format (aaa.bbb.ccc.ddd). In most cases, this is the address of the local host, except for multihomed hosts (machines with more than one IP interface).

TcpNoDelay:   Whether or not to delay when sending packets.

When true, the socket sends data as soon as it is ready, without waiting to coalesce small writes. When false, the socket buffers small writes and sends them as larger packets at short intervals; this is the Nagle algorithm.

By default, this config is set to false.

UseInternalSecurityAPI:   Tells the connector whether or not to use the system security libraries or an internal implementation.

By default the connector will use the system security libraries to perform cryptographic functions. Setting this to True tells the connector to use the internal implementation instead of using the system's security API.

 
 
Copyright (c) 2019 /n software inc. - All rights reserved.
/n software Connectors for MuleSoft - Version 16.0 [Build 7240]