AS4 user authentication
To authenticate the AS4 message pushes and AS4 pull requests, Activator supports the use of:
- UserName tokens
- X.509 security tokens
It is recommended to use at least one of these authentication methods. The two methods may be combined to authenticate a remote partner's pull request.
Whatever user authentication scheme you agree upon with your AS4 trading partner, it must be implemented identically for both the sender and receiver partner, or the message exchange will fail.
UserName tokens
UserName tokens are supported for user authentication in AS4 message exchanges, as described in the WSS: SOAP Message Security specification. The following paragraphs describe their use.
Push authentication
On a sender-initiated AS4 User message push, the UserName token can optionally be included in the header of the AS4 User message and checked by the receiver to confirm that the message comes from a known partner. The token comprises a specific user name and password.
If the user name and password are confirmed, the message is accepted. Otherwise the message is rejected.
Pull authentication
On a client-initiated AS4 pull request, the UserName token can optionally be included in the header of the AS4 Signal message (pullRequest) sent by the client, and is used by the server to validate the requester.
Because a pull request and its response are synchronous, the response is returned on the same connection, and the authentication setting on the server (user message sender) side is ignored.
How to activate UserName tokens
For outbound pushes and for outbound client pull requests:
Activate UserName tokens in the AS4 Collaboration Settings:
- Open the community that represents you for your AS4 exchanges.
- On the community graphic, click on the Collaboration settings icon to open the Configure community-specific collaboration settings page.
- In the "Choose the settings to specialize:" section, select Set sending rules for the AS4 message protocol to display the AS4 enveloping options at the bottom of the page.
- Select the option, Use username token when sending. You can optionally choose to include this in the SOAP header as a digest in place of plain text.
- Enter the user name and password that are required by your receiving partner.
- Click Save changes.
For additional AS4 validation rules information, see AS4 default settings.
For inbound reception:
Step 1: Create a user account on the AS4 pickup:
- Open the community that represents you for your AS4 exchanges.
- On the community graphic, click on the Trading pickup icon to open the Trading pickups page.
- From the list of pickups, click on the name of an AS4 pickup to open the maintenance page for that pickup.
- Click the Accounts tab.
- Under the Partner table, click Add.
- Click choose a party and from the popup page, select the partner from whom you want to receive pushed AS4 files. Click OK.
- Create a user for the selected partner by entering a username and password. Click Save.
Step 2: Set the Validation Rule for inbound AS4 messages:
- Open the community that represents you for your AS4 exchanges.
- On the community graphic, click on the Message validation icon to open the Configure message validation rules page.
- Select the Web services tab.
- Select the option: Reject messages without user name and password within UsernameToken in SOAP header.
- Optionally select the related option: Reject messages when password is plain text (not digest).
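To show what the sending option and the two inbound validation rules above operate on, here is an added example (not Activator code) that builds a WSS UsernameToken, in plain text or as the digest form Base64(SHA-1(nonce + created + password)) defined by the WSS UsernameToken Profile, and a receiver-side check that rejects a token with no user name and password, rejects plain-text passwords when the digest rule is on, and verifies the credentials against a partner account table. The account table and partner names are constructed for the example.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST, TEXT = PROFILE + "#PasswordDigest", PROFILE + "#PasswordText"

def build_username_token(user, password, digest=True, nonce=None, created=None):
    """Sender side: build the wsse:UsernameToken placed in the SOAP header.
    With digest=True the password is sent as Base64(SHA-1(nonce + created + password))
    as in the WSS UsernameToken Profile, instead of plain text."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if digest:
        raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
        pw, ptype = base64.b64encode(raw).decode(), DIGEST
    else:
        pw, ptype = password, TEXT
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{ptype}">{pw}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

def validate_username_token(token_xml, accounts, require_digest=True):
    """Receiver side, mirroring the two validation rules: reject when user name or
    password is missing, reject plain-text passwords when require_digest is set,
    then check the credentials against the partner accounts (user -> password)."""
    root = ET.fromstring(token_xml)
    user = root.findtext(f"{{{WSSE}}}Username")
    pw_el = root.find(f"{{{WSSE}}}Password")
    if not user or pw_el is None or not pw_el.text:
        return False, "no user name and password within UsernameToken"
    expected = accounts.get(user)
    if expected is None:
        return False, "unknown partner user"
    if pw_el.get("Type") == DIGEST:
        # Recompute the digest from the message's own nonce and timestamp.
        nonce = base64.b64decode(root.findtext(f"{{{WSSE}}}Nonce") or "")
        created = root.findtext(f"{{{WSU}}}Created") or ""
        raw = hashlib.sha1(nonce + created.encode() + expected.encode()).digest()
        ok = hmac.compare_digest(base64.b64encode(raw).decode(), pw_el.text)
    elif require_digest:  # Type missing means PasswordText per the profile
        return False, "password is plain text (not digest)"
    else:
        ok = hmac.compare_digest(expected.encode(), pw_el.text.encode())
    return (ok, "accepted" if ok else "wrong password")
```

A production receiver would additionally bound the age of wsu:Created and track nonces, since the digest alone does not prevent replay of a captured token.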
X.509 security tokens
X.509 security tokens are supported for user authentication in AS4 message exchanges, as described in the WSS: SOAP Message Security specification.
An X.509 certificate specifies a binding between a public key and a set of attributes that includes (at least) a subject name, issuer name, serial number and validity interval.
Note that an X.509 certificate can serve two purposes in WSS: it can validate the public key used to authenticate (verify the signature on) a SOAP message, or it can identify the public key used to encrypt a SOAP message. For user authentication, only the authentication (signature) function must be activated.
How to activate X.509 tokens
For outbound pushes and for outbound client pull requests:
Activate X.509 tokens in the AS4 Collaboration Settings:
- Open the community that represents you for your AS4 exchanges.
- On the community graphic, click on the Collaboration settings icon to open the Configure community-specific collaboration settings page.
- In the "Choose the settings to specialize:" section, select Set sending rules for the AS4 message protocol to display the AS4 enveloping options at the bottom of the page.
- Select the option, Sign messages. Partners use your certificate to verify you as the sender. Select a message signing algorithm (SHA1 or SHA256) from the drop-down box.
- Click Save changes.
For additional AS4 Collaboration settings information, see AS4 default settings.
For inbound reception:
Set the Validation Rule for inbound AS4 messages:
- Open the community that represents you for your AS4 exchanges.
- On the community graphic, click on the Message validation icon to open the Configure message validation rules page.
- Select the Web services tab.
- Select the option: Reject messages that are not authorized using X509 digital signature defined within SOAP header.
- Click Save changes.