05-14-2019, 05:23 AM
Manage business documents with OpenAS2 on Fedora
<div><p>Business documents often require special handling. Enter Electronic Document Interchange, or <strong>EDI</strong>. EDI is more than simply transferring files using email or http (or ftp), because these are documents like orders and invoices. When you send an invoice, you want to be sure that:</p>
<p>1. It goes to the right destination, and is not intercepted by competitors.<br />2. Your invoice cannot be forged by a 3rd party.<br />3. Your customer can’t claim in court that they never got the invoice.</p>
<p>The first two goals can be accomplished by HTTPS or email with S/MIME, and in some situations, a simple HTTPS POST to a web API is sufficient. What EDI adds is the last part. </p>
<p>This article does not cover the messy topic of formats for the files exchanged. Even when using a standardized format like ANSI or EDIFACT, it is ultimately up to the business partners. It is not uncommon for business partners to use an ad-hoc CSV file format. This article shows you how to configure Fedora to send and receive in an EDI setup.</p>
<p> <span id="more-27795"></span> </p>
<h2>Centralized EDI</h2>
<p>The traditional solution is to use a Value Added Network, or <strong>VAN</strong>. The VAN is a central hub that transfers documents between their customers. Most importantly, it keeps a secure record of the documents exchanged that can be used as evidence in disputes. The VAN can use different transfer protocols for each of its customers</p>
<h2>AS Protocols and MDN</h2>
<p>The AS protocols are a specification for adding a digital signature with optional encryption to an electronic document. What it adds over HTTPS or S/MIME is the Message Disposition Notification, or <strong>MDN</strong>. The MDN is a signed and dated response that says, in essence, “We got your invoice.” It uses a secure hash to identify the specific document received. This addresses point #3 without involving a third party.</p>
<p>The <a href="https://en.wikipedia.org/wiki/AS2">AS2 protocol</a> uses HTTP or HTTPS for transport. Other AS protocols target <a href="https://en.wikipedia.org/wiki/AS3_(networking)">FTP</a> and <a href="https://en.wikipedia.org/wiki/AS1_(networking)">SMTP</a>. AS2 is used by companies big and small to avoid depending on (and paying) a VAN.</p>
<h2>OpenAS2</h2>
<p>OpenAS2 is an open source Java implemention of the AS2 protocol. It is available in Fedora since 28, and installed with:</p>
<pre class="wp-block-preformatted">$ sudo dnf install openas2<br />$ cd /etc/openas2</pre>
<p>Configuration is done with a text editor, and the config files are in XML. The first order of business before starting OpenAS2 is to change the factory passwords.</p>
<p>Edit <em>/etc/openas2/config.xml</em> and search for <em>ChangeMe</em>. Change those passwords. The default password on the certificate store is <em>testas2</em>, but that doesn’t matter much as anyone who can read the certificate store can read <em>config.xml</em> and get the password.</p>
<h2>What to share with AS2 partners</h2>
<p>There are 3 things you will exchange with an AS2 peer.</p>
<h3>AS2 ID</h3>
<p>Don’t bother looking up the official AS2 standard for legal AS2 IDs. While OpenAS2 implements the standard, your partners will likely be using a proprietary product which doesn’t. While AS2 allows much longer IDs, many implementations break with more than 16 characters. Using otherwise legal AS2 ID chars like ‘:’ that can appear as path separators on a proprietary OS is also a problem. Restrict your AS2 ID to upper and lower case alpha, digits, and ‘_’ with no more than 16 characters. </p>
<h3>SSL certificate</h3>
<p>For real use, you will want to generate a certificate with SHA256 and RSA. OpenAS2 ships with two factory certs to play with. Don’t use these for anything real, obviously. The certificate file is in PKCS12 format. Java ships with <em>keytool</em> which can maintain your PKCS12 “keystore,” as Java calls it. This article skips using <em>openssl</em> to generate keys and certificates. Simply note that <em>sudo keytool -list -keystore as2_certs.p12</em> will list the two factory practice certs.</p>
<h3>AS2 URL</h3>
<p>This is an HTTP URL that will access your OpenAS2 instance. HTTPS is also supported, but is redundant. To use it you have to uncomment the https module configuration in <em>config.xml</em>, and supply a certificate signed by a public CA. This requires another article and is entirely unnecessary here.</p>
<p>By default, OpenAS2 listens on 10080 for HTTP and 10443 for HTTPS. OpenAS2 can talk to itself, so it ships with two partnerships using <em>http://localhost:10080</em> as the AS2 URL. If you don’t find this a convincing demo, and can install a second instance (on a VM, for instance), you can use private IPs for the AS2 URLs. Or install <a href="https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/">Cjdns</a> to get IPv6 mesh addresses that can be used anywhere, resulting in AS2 URLs like <em>http://[fcbf:fc54:e597:7354:8250:2b2e:95e6:d6ba]:10080</em>.</p>
<p>Most businesses will also want a list of IPs to add to their firewall. This is actually <a href="https://www.ld.com/as2-part-2-best-practices/">bad practice</a>. An AS2 server has the same security risk as a web server, meaning you should isolate it in a VM or container. Also, the difficulty of keeping mutual lists of IPs up to date grows with the list of partners. The AS2 server rejects requests not signed by a configured partner.</p>
<h2>OpenAS2 Partners</h2>
<p>With that in mind, open <em>partnerships.xml</em> in your editor. At the top is a list of “partners.” Each partner has a name (referenced by the partnerships below as “sender” or “receiver”
, AS2 ID, certificate, and email. You need a partner definition for yourself and those you exchange documents with. You can define multiple partners for yourself. OpenAS2 ships with two partners, OpenAS2A and OpenAS2B, which you’ll use to send a test document.</p>
<h2>OpenAS2 Partnerships</h2>
<p>Next is a list of “partnerships,” one for each direction. Each partnership configuration includes the sender, receiver, and the AS2 URL used to send the documents. By default, partnerships use synchronous MDN. The MDN is returned on the same HTTP transaction. You could uncomment the <em>as2_receipt_option</em> for asynchronous MDN, which is sent some time later. Use synchronous MDN whenever possible, as tracking pending MDNs adds complexity to your application.</p>
<p>The other partnership options select encryption, signature hash, and other protocol options. A fully implemented AS2 receiver can handle any combination of options, but AS2 partners may have incomplete implementations or policy requirements. For example, DES3 is a comparatively weak encryption algorithm, and may not be acceptable. It is the default because it is almost universally implemented.</p>
<p>If you went to the trouble to set up a second physical or virtual machine for this test, designate one as OpenAS2A and the other as OpenAS2B. Modify the <em>as2_url</em> on the OpenAS2A-to-OpenAS2B partnership to use the IP (or hostname) of OpenAS2B, and vice versa for the OpenAS2B-to-OpenAS2A partnership. Unless they are using the FedoraWorkstation firewall profile, on both machines you’ll need:</p>
<pre class="wp-block-preformatted"># sudo firewall-cmd --zone=public --add-port=10080/tcp</pre>
<p>Now start the <em>openas2</em> service (on both machines if needed):</p>
<pre class="wp-block-preformatted"># sudo systemctl start openas2</pre>
<h2>Resetting the MDN password</h2>
<p>This initializes the MDN log database with the factory password, not the one you changed it to. This is a packaging bug to be fixed in the next release. To avoid frustration, here’s how to change the h2 database password:</p>
<pre class="wp-block-preformatted">$ sudo systemctl stop openas2<br />$ cat >h2passwd <<'DONE'<br />#!/bin/bash<br />AS2DIR="/var/lib/openas2"<br />java -cp "$AS2DIR"/lib/h2* org.h2.tools.Shell \<br /> -url jdbc:h2:"$AS2DIR"/db/openas2 \<br /> -user sa -password "$1" <<EOF<br />alter user sa set password '$2';<br />exit<br />EOF<br />DONE<br />$ sudo sh h2passwd ChangeMe yournewpasswordsetabove<br />$ sudo systemctl start openas2</pre>
<h2>Testing the setup</h2>
<p>With that out of the way, let’s send a document. Assuming you are on OpenAS2A machine:</p>
<pre class="wp-block-preformatted">$ cat >testdoc <<'DONE'<br />This is not a real EDI format, but is nevertheless a document.<br />DONE<br />$ sudo chown openas2 testdoc<br />$ sudo mv testdoc /var/spool/openas2/toOpenAS2B<br />$ sudo journalctl -f -u openas2<br />... log output of sending file, Control-C to stop following log<br />^C</pre>
<p>OpenAS2 does not send a document until it is writable by the <em>openas2</em> user or group. As a consequence, your actual business application will copy, or generate in place, the document. Then it changes the group or permissions to send it on its way, to avoid sending a partial document.</p>
<p>Now, on the OpenAS2B machine, <em>/var/spool/openas2/OpenAS2A_OID-OpenAS2B_OID/inbox</em> shows the message received. That should get you started!</p>
<hr class="wp-block-separator" />
<p><em>Photo by </em><a href="https://unsplash.com/photos/XN4T2PVUUgk?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Beatriz Pérez Moya</em></a><em> on </em><a href="https://unsplash.com/search/photos/documents?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Unsplash</em></a><em>.</em></p>
</div>
<div><p>Business documents often require special handling. Enter Electronic Document Interchange, or <strong>EDI</strong>. EDI is more than simply transferring files using email or http (or ftp), because these are documents like orders and invoices. When you send an invoice, you want to be sure that:</p>
<p>1. It goes to the right destination, and is not intercepted by competitors.<br />2. Your invoice cannot be forged by a 3rd party.<br />3. Your customer can’t claim in court that they never got the invoice.</p>
<p>The first two goals can be accomplished by HTTPS or email with S/MIME, and in some situations, a simple HTTPS POST to a web API is sufficient. What EDI adds is the last part. </p>
<p>This article does not cover the messy topic of formats for the files exchanged. Even when using a standardized format like ANSI or EDIFACT, it is ultimately up to the business partners. It is not uncommon for business partners to use an ad-hoc CSV file format. This article shows you how to configure Fedora to send and receive in an EDI setup.</p>
<p> <span id="more-27795"></span> </p>
<h2>Centralized EDI</h2>
<p>The traditional solution is to use a Value Added Network, or <strong>VAN</strong>. The VAN is a central hub that transfers documents between their customers. Most importantly, it keeps a secure record of the documents exchanged that can be used as evidence in disputes. The VAN can use different transfer protocols for each of its customers</p>
<h2>AS Protocols and MDN</h2>
<p>The AS protocols are a specification for adding a digital signature with optional encryption to an electronic document. What it adds over HTTPS or S/MIME is the Message Disposition Notification, or <strong>MDN</strong>. The MDN is a signed and dated response that says, in essence, “We got your invoice.” It uses a secure hash to identify the specific document received. This addresses point #3 without involving a third party.</p>
<p>The <a href="https://en.wikipedia.org/wiki/AS2">AS2 protocol</a> uses HTTP or HTTPS for transport. Other AS protocols target <a href="https://en.wikipedia.org/wiki/AS3_(networking)">FTP</a> and <a href="https://en.wikipedia.org/wiki/AS1_(networking)">SMTP</a>. AS2 is used by companies big and small to avoid depending on (and paying) a VAN.</p>
<h2>OpenAS2</h2>
<p>OpenAS2 is an open source Java implemention of the AS2 protocol. It is available in Fedora since 28, and installed with:</p>
<pre class="wp-block-preformatted">$ sudo dnf install openas2<br />$ cd /etc/openas2</pre>
<p>Configuration is done with a text editor, and the config files are in XML. The first order of business before starting OpenAS2 is to change the factory passwords.</p>
<p>Edit <em>/etc/openas2/config.xml</em> and search for <em>ChangeMe</em>. Change those passwords. The default password on the certificate store is <em>testas2</em>, but that doesn’t matter much as anyone who can read the certificate store can read <em>config.xml</em> and get the password.</p>
<h2>What to share with AS2 partners</h2>
<p>There are 3 things you will exchange with an AS2 peer.</p>
<h3>AS2 ID</h3>
<p>Don’t bother looking up the official AS2 standard for legal AS2 IDs. While OpenAS2 implements the standard, your partners will likely be using a proprietary product which doesn’t. While AS2 allows much longer IDs, many implementations break with more than 16 characters. Using otherwise legal AS2 ID chars like ‘:’ that can appear as path separators on a proprietary OS is also a problem. Restrict your AS2 ID to upper and lower case alpha, digits, and ‘_’ with no more than 16 characters. </p>
<h3>SSL certificate</h3>
<p>For real use, you will want to generate a certificate with SHA256 and RSA. OpenAS2 ships with two factory certs to play with. Don’t use these for anything real, obviously. The certificate file is in PKCS12 format. Java ships with <em>keytool</em> which can maintain your PKCS12 “keystore,” as Java calls it. This article skips using <em>openssl</em> to generate keys and certificates. Simply note that <em>sudo keytool -list -keystore as2_certs.p12</em> will list the two factory practice certs.</p>
<h3>AS2 URL</h3>
<p>This is an HTTP URL that will access your OpenAS2 instance. HTTPS is also supported, but is redundant. To use it you have to uncomment the https module configuration in <em>config.xml</em>, and supply a certificate signed by a public CA. This requires another article and is entirely unnecessary here.</p>
<p>By default, OpenAS2 listens on 10080 for HTTP and 10443 for HTTPS. OpenAS2 can talk to itself, so it ships with two partnerships using <em>http://localhost:10080</em> as the AS2 URL. If you don’t find this a convincing demo, and can install a second instance (on a VM, for instance), you can use private IPs for the AS2 URLs. Or install <a href="https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/">Cjdns</a> to get IPv6 mesh addresses that can be used anywhere, resulting in AS2 URLs like <em>http://[fcbf:fc54:e597:7354:8250:2b2e:95e6:d6ba]:10080</em>.</p>
<p>Most businesses will also want a list of IPs to add to their firewall. This is actually <a href="https://www.ld.com/as2-part-2-best-practices/">bad practice</a>. An AS2 server has the same security risk as a web server, meaning you should isolate it in a VM or container. Also, the difficulty of keeping mutual lists of IPs up to date grows with the list of partners. The AS2 server rejects requests not signed by a configured partner.</p>
<h2>OpenAS2 Partners</h2>
<p>With that in mind, open <em>partnerships.xml</em> in your editor. At the top is a list of “partners.” Each partner has a name (referenced by the partnerships below as “sender” or “receiver”
, AS2 ID, certificate, and email. You need a partner definition for yourself and those you exchange documents with. You can define multiple partners for yourself. OpenAS2 ships with two partners, OpenAS2A and OpenAS2B, which you’ll use to send a test document.</p><h2>OpenAS2 Partnerships</h2>
<p>Next is a list of “partnerships,” one for each direction. Each partnership configuration includes the sender, receiver, and the AS2 URL used to send the documents. By default, partnerships use synchronous MDN. The MDN is returned on the same HTTP transaction. You could uncomment the <em>as2_receipt_option</em> for asynchronous MDN, which is sent some time later. Use synchronous MDN whenever possible, as tracking pending MDNs adds complexity to your application.</p>
<p>The other partnership options select encryption, signature hash, and other protocol options. A fully implemented AS2 receiver can handle any combination of options, but AS2 partners may have incomplete implementations or policy requirements. For example, DES3 is a comparatively weak encryption algorithm, and may not be acceptable. It is the default because it is almost universally implemented.</p>
<p>If you went to the trouble to set up a second physical or virtual machine for this test, designate one as OpenAS2A and the other as OpenAS2B. Modify the <em>as2_url</em> on the OpenAS2A-to-OpenAS2B partnership to use the IP (or hostname) of OpenAS2B, and vice versa for the OpenAS2B-to-OpenAS2A partnership. Unless they are using the FedoraWorkstation firewall profile, on both machines you’ll need:</p>
<pre class="wp-block-preformatted"># sudo firewall-cmd --zone=public --add-port=10080/tcp</pre>
<p>Now start the <em>openas2</em> service (on both machines if needed):</p>
<pre class="wp-block-preformatted"># sudo systemctl start openas2</pre>
<h2>Resetting the MDN password</h2>
<p>This initializes the MDN log database with the factory password, not the one you changed it to. This is a packaging bug to be fixed in the next release. To avoid frustration, here’s how to change the h2 database password:</p>
<pre class="wp-block-preformatted">$ sudo systemctl stop openas2<br />$ cat >h2passwd <<'DONE'<br />#!/bin/bash<br />AS2DIR="/var/lib/openas2"<br />java -cp "$AS2DIR"/lib/h2* org.h2.tools.Shell \<br /> -url jdbc:h2:"$AS2DIR"/db/openas2 \<br /> -user sa -password "$1" <<EOF<br />alter user sa set password '$2';<br />exit<br />EOF<br />DONE<br />$ sudo sh h2passwd ChangeMe yournewpasswordsetabove<br />$ sudo systemctl start openas2</pre>
<h2>Testing the setup</h2>
<p>With that out of the way, let’s send a document. Assuming you are on OpenAS2A machine:</p>
<pre class="wp-block-preformatted">$ cat >testdoc <<'DONE'<br />This is not a real EDI format, but is nevertheless a document.<br />DONE<br />$ sudo chown openas2 testdoc<br />$ sudo mv testdoc /var/spool/openas2/toOpenAS2B<br />$ sudo journalctl -f -u openas2<br />... log output of sending file, Control-C to stop following log<br />^C</pre>
<p>OpenAS2 does not send a document until it is writable by the <em>openas2</em> user or group. As a consequence, your actual business application will copy, or generate in place, the document. Then it changes the group or permissions to send it on its way, to avoid sending a partial document.</p>
<p>Now, on the OpenAS2B machine, <em>/var/spool/openas2/OpenAS2A_OID-OpenAS2B_OID/inbox</em> shows the message received. That should get you started!</p>
<hr class="wp-block-separator" />
<p><em>Photo by </em><a href="https://unsplash.com/photos/XN4T2PVUUgk?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Beatriz Pérez Moya</em></a><em> on </em><a href="https://unsplash.com/search/photos/documents?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Unsplash</em></a><em>.</em></p>
</div>