AS2 Authentication

In "normal" authentication, EFT Server supports client-authenticated transactions, meaning EFT Server’s HTTP/S protocol handler requires a username and password at the outset of the HTTP/S-based AS2 transaction. After it authenticates the partner's login credentials, EFT Server passes the transaction to its AS2 processor, which performs all message validation and handling. This normal authentication method is secure, but requires the administrator to create and manage partner accounts.

Message Level Security (MLS) authentication is a sort of sub-set of normal authentication. MLS requires only two criteria to authenticate on EFT Server (AS2-From + signature), whereas normal authentication can require up to four criteria (Username + Password + AS2-From + Signature).

To accommodate MLS, instead of immediately rejecting messages that don’t contain the Authentication verb (or an empty value next to the Authentication verb) EFT Server manually looks for the AS2-From verb, and if present, looks up the partner account that matches the identifier. If that account is found, and if MLS is allowed for that partner, EFT Server passes the message to its AS2 processor, along with the mandatory “RequireSign” parameter--one of two mandatory factors used for MLS authentication. The AS2 processor checks for mismatched signatures and properly formatted AS2 messages, and if validated, submits the transaction to the AS2 engine for decryption and processing.

Regardless of whether MLS is enabled for a particular partner account, if a username and password are provided (authentication verb and values present), EFT Server validates the user account credentials. If those credentials are invalid, the transaction is denied (regardless of whether the AS2-From and signatures match). If the credentials are valid, then the transaction proceeds and is passed to the AS2 processor; however, if MLS authentication is enabled for that partner, then not only does the AS2-From identifier have to match up with that partner account, but also the RequireSign must be passed to the AS2 processor (and be a valid signature for that account), meaning all four factors must be correct. If, on the other hand, normal authentication mode was specified for the user (rather than MLS), then only the username and password factors are checked, unless AS2-From and signature factors were required by EFT Server, as specified in the inbound settings for that particular partner’s account.

Process flow:

If authentication credentials are missing, EFT Server manually parses the AS2-From ID, and then:

If authentication credentials are present, EFT Server validates the credentials, and then:

To mitigate the risk of DoS attacks and prevent unauthorized transactions, the administrator should employ EFT Server’s IP address filters, set a maximum size limit to a reasonable level, or select the Require SSL certificates from connecting clients check box in the SSL Certificate Settings dialog box on the Site's Connections tab.

You can enable Message Level Authentication in the AS2 Partner Inbound Wizard or the AS2 Inbound Settings dialog box.

Permutations of Valid Authentication Factors

Normal Authentication

Any of the four combinations below will allow the inbound AS2 transaction:

MLS Authentication

Any of the two combinations below will allow the inbound AS2 transaction:

The following table describes possible login scenarios, depending on settings specified in the partner’s AS2 inbound configuration page (top row column headings), and depending on the verbs and factors provided by the incoming partner in the HTTP headers (left column row headings).

HTTP Header Information sent from inbound AS2 client to EFT Server "Auth" = username/password|"Sign" = certificate signature

Partner's AS2 Inbound Configuration

MLS
Auth
Allowed

Normal authentication +

Accept mismatch
AS2-From id +
Do require sign

Reject mismatch
AS2-From id +
Do require sign

Accept mismatch
AS2-From id +
Do require sign

Reject mismatch
AS2-From id +
Do require sign

No Auth, No Sign, AS2ID invalid

fail

fail

fail

fail

fail

No Auth, No Sign, AS2ID valid

fail

fail

fail

fail

fail

No Auth, Sign invalid, As2ID invalid

fail

fail

fail

fail

fail

No Auth, Sign invalid, As2ID valid

fail

fail

fail

fail

fail

No Auth, Sign valid, As2ID invalid

fail

fail

fail

fail

fail

No Auth, Sign valid, As2ID valid

pass

fail

fail

fail

fail

Valid Auth, No Sign, AS2ID invalid

fail

pass

fail

fail

fail

Valid Auth, No Sign, AS2ID valid

fail

pass

pass

fail

fail

Valid Auth, Sign invalid, As2ID invalid

fail

fail

fail

fail

fail

Valid Auth, Sign invalid, As2ID valid

fail

fail

fail

fail

fail

Valid Auth, Sign valid, As2ID invalid

fail

pass

fail

pass

fail

Valid Auth, Sign valid, As2ID valid

pass

pass

pass

pass

pass

Invalid Auth, No Sign, AS2ID invalid

fail

fail

fail

fail

fail

Invalid Auth, No Sign, AS2ID valid

fail

fail

fail

fail

fail

Invalid Auth, Sign invalid, As2ID invalid

fail

fail

fail

fail

fail

Invalid Auth, Sign invalid, As2ID valid

fail

fail

fail

fail

fail

Invalid Auth, Sign valid, As2ID invalid

fail

fail

fail

fail

fail

Invalid Auth, Sign valid, As2ID valid

fail

fail

fail

fail

fail

From the table above, you can see that: