
Is there a way to make the partner not global and per partnership?

2021-03-08
2022-12-01
  • Justin Emlay

    Justin Emlay - 2021-03-08

    Got everything up and running with the one exception of an issue with MDN mismatch on receiving. However it looks like I hit a wall with this particular solution.

    How do people handle having their cert expire then having to change that cert with many dozens of vendors instantly? Am I understanding this right? As a partner I can only have one global AS2_ID attached to a cert alias? So when I change my cert 100% of all my partner connections will have to use that new cert?

    In my current solution (iSoft/Liaison Commerce Suite) every partnership has its own AS2_ID linked to their and my cert. So I can create a new cert and only update Amazon, then work on Walmart, then work on Target.... this process usually takes a few weeks. I don't understand how people are instantly swapping out their public cert with these types of companies. There's times they don't even respond for days, so they need to be up and running with the old cert until I'm ready to change just them.

    Is there a way to make the partner not global and per partnership?

  • Olivier Ducroux

    Olivier Ducroux - 2021-03-18

    Perhaps you will have some answers in this post?

    • Justin Emlay

      Justin Emlay - 2021-03-18

      Thanks for the link. I was afraid of that. Unique AS2_IDs for every single partner attached to a unique certificate. Yeah, I have no intention of managing dozens of certs especially when more and more partners are following suit with that max 2 year standard. Over time they won't all expire all at once. I would have to keep a monthly eye on them.

      It looks like lots of other solutions out there (using a cert store) have adopted using a cert with backup or secondary cert to better handle the transition. That way you can create a new cert, attach it to your ID and if the first one fails it rolls over to the second. Problem solved. Take as long as you want rolling out your new cert.

  • Christopher Broderick

    You can do this currently by having 2 partner definitions that you roll around across the partnerships.
    For example, if you had the partnership config shown below, which has 2 partner definitions for your own company's partner entry:
    * MyCompany-CURRENT - the partner definition with the about-to-expire certificate all your existing partners are using.
    * MyCompany-NEXTGEN - the partner definition with the new certificate you want to move your existing partners to.

    The key is that both are using AS2 ID "MyCompany_OID".
    You can then first do PartnerA by changing the receiver (or sender, depending on whether you are changing the sending or receiving of files) from "MyCompany-CURRENT" to "MyCompany-NEXTGEN". PartnerB will continue to use the "old" partner until you are ready to do that partner.
    Your trading partners will not need to change the AS2 ID, only update the certificate on their end.

    <partnerships>
        <partner name="MyCompany-CURRENT"
                 as2_id="MyCompany_OID"
                 x509_alias="mycompany_2021_2022"
                 email="as2msgs@openas2.com"/>
        <partner name="MyCompany-NEXTGEN"
                 as2_id="MyCompany_OID"
                 x509_alias="mycompany_2022_2023"
                 email="as2msgs@openas2.com"/>
        <partner name="PartnerA"
                 as2_id="PartnerA_OID"
                 x509_alias="partnera"
                 email="as2msgs@partnera.com"/>
        <partner name="PartnerB"
                 as2_id="PartnerB_OID"
                 x509_alias="partnerb"
                 email="as2msgs@partnerb.com"/>
        <partnership name="MyCompany-to-PartnerA">
            <sender name="MyCompany-CURRENT"/>
            <receiver name="PartnerA"/>
            <pollerConfig enabled="true"/>
            <attribute name="protocol" value="as2"/>
            <attribute name="content_transfer_encoding" value="binary"/>
            <attribute name="subject" value="File $attributes.filename$ sent from $sender.name$ to $receiver.name$"/>
            <attribute name="as2_url" value="http://localhost:10080"/>
            <attribute name="as2_mdn_to" value="edi@myCompany.com"/>
            <attribute name="as2_mdn_options" value="signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, $attribute.sign$"/>
            <attribute name="encrypt" value="3DES"/>
            <attribute name="sign" value="SHA256"/>
            <attribute name="resend_max_retries" value="3"/>
        </partnership>
        <partnership name="PartnerA-to-MyCompany">
            <sender name="PartnerA"/>
            <receiver name="MyCompany-CURRENT"/>
            <attribute name="store_received_file_to" value="$properties.storageBaseDir$/inbox/$msg.receiver.as2_id$/inbox/$msg.sender.as2_id$-$rand.12345$-$msg.content-disposition.filename$"/>
        </partnership>
        <partnership name="MyCompany-to-PartnerB">
            <sender name="MyCompany-CURRENT"/>
            <receiver name="PartnerB"/>
            <pollerConfig enabled="true"/>
            <attribute name="protocol" value="as2"/>
            <attribute name="content_transfer_encoding" value="8bit"/>
            <attribute name="subject" value="File $attributes.filename$ sent from $sender.name$ to $receiver.name$"/>
            <attribute name="as2_url" value="https://as2.partnerb.com:8443"/>
            <attribute name="as2_mdn_to" value="edi@myCompany.org"/>
            <attribute name="as2_mdn_options"
                       value="signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, $attribute.sign$"/>
            <attribute name="encrypt" value="3DES"/>
            <attribute name="sign" value="SHA1"/>
        </partnership>
        <partnership name="PartnerB-to-MyCompany">
            <sender name="PartnerB"/>
            <receiver name="MyCompany-CURRENT"/>
        </partnership>
    </partnerships>
  • Christopher Broderick

    NOTE: New functionality in OpenAS2 allows for overlapping your old and new certificates and OpenAS2 automatically tries to use the correct one.
    Check out the latest OpenAS2 documentation.
