AS2 B2B Integration — Run AS2 with Xferity

This page explains how Xferity handles AS2 B2B file exchange and what is required to operate it.

AS2 (Applicability Statement 2) is a certificate-based B2B message exchange protocol. Unlike SFTP directory polling, AS2 is message-oriented:

  • messages are signed and/or encrypted at the payload level
  • the receiving side sends an MDN (Message Disposition Notification) to confirm receipt
  • certificate roles govern message security, not SSH host keys

Use AS2 when:

  • a trading partner explicitly requires it (EDI, retail supply chain, healthcare, financial data)
  • message signing and encryption are contractual requirements
  • MDN-based delivery confirmation is required
  • the exchange standard requires AS2 (e.g., many Walmart, Target, or NHS EDI integrations)

Xferity supports the following AS2 operations:

  • Receives AS2 messages at an HTTP endpoint
  • Decrypts inbound messages using the configured decryption certificate
  • Verifies inbound message signatures against the partner’s signing certificate
  • Sends synchronous MDN receipts
  • Handles asynchronous MDN receipts at a configurable return URL
  • Persists inbound messages and MDN records (Postgres-backed)
  • Exposes inbound messages in the AS2 inbox UI
  • Sends AS2 messages to a partner’s AS2 endpoint URL
  • Signs outbound messages using the configured signing certificate
  • Encrypts outbound messages using the partner’s encryption certificate
  • Receives and validates synchronous MDN responses
  • Awaits and validates asynchronous MDN responses at a configurable callback URL
  • Persists outbound message records (Postgres-backed)
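The synchronous MDN handling listed above (send a receipt on the inbound side, validate one on the outbound side) comes down to a few checks on the disposition-notification fields defined in RFC 4130. The following is an added example, not Xferity's code: the receiver computes a Message Integrity Check (MIC) over the content it accepted and reports it, and the sender refuses the receipt unless it names the message that was sent, reports clean processing, and carries a matching MIC. The partner ID, Message-ID and payload are constructed; the S/MIME signing and encryption layers that wrap a real AS2 message are left out.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/textproto"
	"strings"
)

// Constructed example, not Xferity code: the sync MDN handshake from RFC 4130,
// reduced to the disposition and MIC checks. IDs and payload are made up.

// outboundMessage is the sender's record of a message it has transmitted.
type outboundMessage struct {
	MessageID string // value of the Message-ID header the sender used
	Payload   []byte // MIME entity the MIC is computed over
}

// mic returns the Message Integrity Check the receiver reports back:
// base64(sha256(content)).
func mic(content []byte) string {
	sum := sha256.Sum256(content)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// buildMDN is the receiver side. After the inbound message has been decrypted
// and its signature verified, the receiver reports the disposition and the MIC
// computed over the content it actually received.
func buildMDN(receiverAS2ID, originalMessageID string, received []byte) string {
	var b strings.Builder
	fmt.Fprintf(&b, "Reporting-UA: example-as2-receiver\r\n")
	fmt.Fprintf(&b, "Original-Recipient: rfc822; %s\r\n", receiverAS2ID)
	fmt.Fprintf(&b, "Final-Recipient: rfc822; %s\r\n", receiverAS2ID)
	fmt.Fprintf(&b, "Original-Message-ID: %s\r\n", originalMessageID)
	fmt.Fprintf(&b, "Disposition: automatic-action/MDN-sent-automatically; processed\r\n")
	fmt.Fprintf(&b, "Received-Content-MIC: %s, sha256\r\n", mic(received))
	return b.String()
}

// validateMDN is the sender side. A receipt only counts as delivery
// confirmation if it references the message we sent, reports "processed"
// without error or warning, and its MIC equals the one we compute over the
// content we sent.
func validateMDN(sent outboundMessage, mdn string) error {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(mdn + "\r\n")))
	fields, err := r.ReadMIMEHeader()
	if err != nil {
		return fmt.Errorf("malformed MDN: %w", err)
	}
	if got := strings.TrimSpace(fields.Get("Original-Message-ID")); got != sent.MessageID {
		return fmt.Errorf("MDN references %q, expected %q", got, sent.MessageID)
	}
	// Disposition: "<action-mode>/<sending-mode>; <type>[/<modifier>: text]"
	_, dispType, ok := strings.Cut(fields.Get("Disposition"), ";")
	if !ok || strings.TrimSpace(dispType) != "processed" {
		return fmt.Errorf("partner did not report clean processing: %q", fields.Get("Disposition"))
	}
	// Received-Content-MIC: "<base64 digest>, <micalg>"
	micValue, micAlg, ok := strings.Cut(fields.Get("Received-Content-MIC"), ",")
	if !ok || strings.TrimSpace(micAlg) != "sha256" {
		return fmt.Errorf("unexpected MIC algorithm in %q", fields.Get("Received-Content-MIC"))
	}
	if strings.TrimSpace(micValue) != mic(sent.Payload) {
		return fmt.Errorf("MIC mismatch: partner processed different content than was sent")
	}
	return nil
}

func main() {
	msg := outboundMessage{
		MessageID: "<constructed-0001@sender.example>",
		Payload:   []byte("ISA*00*...constructed EDI payload..."),
	}
	good := buildMDN("PARTNER-AS2", msg.MessageID, msg.Payload)
	fmt.Println("valid receipt:", validateMDN(msg, good))
	tampered := buildMDN("PARTNER-AS2", msg.MessageID, []byte("something else"))
	fmt.Println("tampered receipt:", validateMDN(msg, tampered))
}
```

The same checks apply to an asynchronous MDN arriving at the callback URL; the only difference is that the sender must look the original message up by Original-Message-ID from durable state rather than from the open HTTP exchange.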

For each AS2 trading partner, Xferity manages up to 5 distinct certificate roles:

Role          Purpose
signing       Xferity signs outbound messages with this certificate
verification  Verify partner’s signature on inbound messages
encryption    Encrypt outbound messages with partner’s public cert
decryption    Decrypt inbound messages with Xferity’s private key
https_trust   TLS trust for the partner’s AS2 HTTPS endpoint

These are managed separately — one role per certificate — because AS2 production deployments often use different keys for signing, encryption, and transport trust.

The unified Partner Crypto Policy view shows all configured and missing roles in one place.
An AS2 partner file defines:

  • as2_id — the partner’s AS2 identifier
  • url — the partner’s AS2 endpoint URL
  • receipt_mode — sync or async
  • sign_algorithm — e.g., sha256
  • encrypt_algorithm — e.g., aes256
  • Certificate bindings for each role

An AS2 flow references the partner and defines:

  • direction (send or receive)
  • file matching (for outbound)
  • scheduling (for outbound polling or batching)
  • MDN handling mode

The security posture engine evaluates AS2 configuration continuously:

  • Missing signing certificate → Active Finding
  • Missing encryption certificate → Active Finding
  • Expired certificate in any role → Active Finding
  • No known_hosts for HTTPS (where applicable)

These surface in the posture dashboard with links to the affected partner.
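The certificate-role table and the posture rules above can be exercised with a small evaluator. This is an added example, not Xferity's posture engine: it builds throwaway self-signed certificates in memory, binds them to the five roles, reports which roles are unconfigured (the Partner Crypto Policy view), and emits findings for a missing signing or encryption certificate and for an expired certificate in any role. Treating a missing verification, decryption or https_trust binding as display-only rather than a finding is an assumption of this example; the page only states the first three rules explicitly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example, not Xferity code: evaluates the five AS2 certificate
// roles for one partner and returns posture findings.

type Role string

const (
	RoleSigning      Role = "signing"
	RoleVerification Role = "verification"
	RoleEncryption   Role = "encryption"
	RoleDecryption   Role = "decryption"
	RoleHTTPSTrust   Role = "https_trust"
)

var allRoles = []Role{RoleSigning, RoleVerification, RoleEncryption, RoleDecryption, RoleHTTPSTrust}

// Finding corresponds to one "Active Finding" row in the posture dashboard.
type Finding struct {
	Partner string
	Role    Role
	Reason  string
}

// missingRoles lists every role with no certificate bound, in table order,
// for the unified crypto-policy view.
func missingRoles(certs map[Role]*x509.Certificate) []Role {
	var missing []Role
	for _, role := range allRoles {
		if certs[role] == nil {
			missing = append(missing, role)
		}
	}
	return missing
}

// evaluatePartner applies the posture rules: a missing signing or encryption
// certificate is a finding, and an expired certificate in any role is a
// finding. Other missing roles are left to missingRoles (assumption).
func evaluatePartner(partner string, certs map[Role]*x509.Certificate, now time.Time) []Finding {
	var findings []Finding
	for _, role := range allRoles {
		cert := certs[role]
		if cert == nil {
			if role == RoleSigning || role == RoleEncryption {
				findings = append(findings, Finding{partner, role, "missing certificate"})
			}
			continue
		}
		if now.After(cert.NotAfter) {
			findings = append(findings, Finding{partner, role,
				fmt.Sprintf("certificate expired on %s", cert.NotAfter.UTC().Format(time.RFC3339))})
		}
	}
	return findings
}

// selfSignedCert creates an in-memory P-256 certificate with the given
// validity window, so the example runs without any files or network.
func selfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	valid, _ := selfSignedCert("xferity-signing", now.Add(-24*time.Hour), now.Add(365*24*time.Hour))
	expired, _ := selfSignedCert("partner-verification", now.Add(-2*365*24*time.Hour), now.Add(-24*time.Hour))
	// Constructed partner: signing and decryption bound, verification expired,
	// encryption and https_trust not configured.
	certs := map[Role]*x509.Certificate{RoleSigning: valid, RoleVerification: expired, RoleDecryption: valid}
	fmt.Println("missing roles:", missingRoles(certs))
	for _, f := range evaluatePartner("constructed-partner", certs, now) {
		fmt.Printf("finding: partner=%s role=%s reason=%s\n", f.Partner, f.Role, f.Reason)
	}
}
```

Running the evaluator against a clock slightly ahead of real time (for example, now plus 30 days) turns the expiry rule into the proactive warning the healthcare and finance scenarios below call for.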
Full AS2 support requires Postgres-backed mode:

  • AS2 message records persisted in the database
  • Inbound message history in the AS2 inbox
  • MDN tracking per message
  • Async MDN callback endpoint backed by durable state
  • Worker-based outbound job processing

  • Partner requires AS2 with specific signing and encryption algorithms
  • Xferity is configured with retailer’s public cert for encryption role and verification role
  • Xferity’s private key bound to signing and decryption roles
  • Sync MDN mode is typical for direct confirmation

Healthcare data exchange (HL7, FHIR bundles)

  • Partner requires signed-and-encrypted AS2
  • HTTPS mutual TLS to the partner’s endpoint
  • Asynchronous MDN to a Xferity callback URL
  • EDI 820/835 payroll or payment files
  • AS2 with encryption required by compliance policy
  • Posture engine monitors certificate expiry proactively