AS2, defined in RFC 4130, enables organizations to exchange EDI documents securely over HTTP or HTTPS without relying on a third-party network provider. Developed by the IETF's EDIINT (EDI over the Internet) working group and published in 2005, AS2 has become the dominant protocol for direct EDI connectivity, particularly in the retail industry where Walmart's early mandate drove widespread adoption. Today, AS2 is used across retail, manufacturing, logistics, and other sectors by organizations ranging from small suppliers to Fortune 500 corporations.
How AS2 Works
AS2 transmits EDI documents as the payload of HTTP or HTTPS POST requests. The protocol wraps each message in S/MIME (Secure/Multipurpose Internet Mail Extensions) encoding, which provides three critical security features: encryption, digital signing, and message integrity verification.
Message Encryption
AS2 messages are encrypted using the recipient's public key certificate, ensuring that only the intended recipient can decrypt and read the payload. Common encryption algorithms include AES-128, AES-256, and 3DES. The sender obtains the recipient's public certificate during the partner setup process and uses it to encrypt every outbound message. Even if the HTTP transmission is intercepted, the encrypted payload remains unreadable without the recipient's private key.
Digital Signatures
The sender digitally signs each AS2 message using their private key, which allows the recipient to verify the sender's identity and confirm that the message has not been altered in transit. SHA-256 is the current standard hashing algorithm for AS2 signatures, replacing the older SHA-1 and MD5 algorithms that are no longer considered secure. Digital signatures provide non-repudiation: the sender cannot deny having sent a message that carries their valid signature.
Message Disposition Notifications (MDN)
The MDN is what distinguishes AS2 from simple HTTPS file transfer. After receiving and processing an AS2 message, the recipient returns an MDN to the sender confirming successful receipt. The MDN itself is digitally signed, creating an auditable chain of evidence that the message was delivered and accepted. MDNs can be returned synchronously (in the HTTP response) or asynchronously (via a separate HTTP POST to the sender's MDN URL). The signed MDN provides legally defensible proof of delivery, which is valuable in dispute resolution.
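The sender-side check that turns a returned MDN into proof of delivery, as an added example (not code from the original page or from any AS2 product): it parses the MDN, confirms it refers to the message that was sent, and compares the Received-Content-MIC digest reported by the partner with a digest computed locally. It assumes the MDN's S/MIME signature has already been verified and that `sent_content` holds the exact bytes that were signed; the function names, Message-ID and sample MDN are constructed for illustration.

```python
import base64
import email
import hashlib
import hmac

STRONG_ALGS = {"sha256", "sha384", "sha512"}  # SHA-1 and MD5 MICs are rejected
MSG_ID = "<po-0001@sender.example>"  # constructed sample Message-ID
CONTENT = b"Content-Type: application/edi-x12\r\n\r\nISA*00*CONSTRUCTED-SAMPLE~\r\n"

def check_mdn(mdn_bytes, sent_content, expected_msg_id):
    """Return (ok, reason). Assumes the MDN's S/MIME signature was verified first."""
    msg = email.message_from_bytes(mdn_bytes)
    report = next((p for p in msg.walk()
                   if p.get_content_type() == "message/disposition-notification"), None)
    if report is None:
        return False, "no disposition-notification part"
    body = report.get_payload()  # the MDN fields, parsed as a nested header block
    fields = body[0] if isinstance(body, list) else email.message_from_string(body)
    if fields.get("Original-Message-ID", "").strip() != expected_msg_id:
        return False, "MDN refers to a different message"
    # Disposition is "<mode>; <type>[/<modifier>]"; only a bare "processed" is success.
    disposition = fields.get("Disposition", "").split(";")[-1].strip().lower()
    if disposition != "processed":
        return False, "partner reported: " + disposition
    # Received-Content-MIC is "<base64 digest>, <algorithm>".
    mic_b64, _, alg = fields.get("Received-Content-MIC", "").partition(",")
    alg = alg.strip().lower().replace("-", "")
    if alg not in STRONG_ALGS:
        return False, "weak or missing MIC algorithm: " + repr(alg)
    ours = base64.b64encode(hashlib.new(alg, sent_content).digest())
    if not hmac.compare_digest(ours, mic_b64.strip().encode()):
        return False, "MIC mismatch"
    return True, "delivered intact"

def build_sample_mdn(content, alg="sha256", disposition="processed"):
    """Constructed MDN for the demo; a real one arrives from the partner, signed."""
    mic = base64.b64encode(hashlib.new(alg, content).digest()).decode()
    return (
        'Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"\r\n'
        "\r\n--b1\r\nContent-Type: text/plain\r\n\r\nMessage received.\r\n"
        "--b1\r\nContent-Type: message/disposition-notification\r\n\r\n"
        f"Original-Message-ID: {MSG_ID}\r\n"
        f"Disposition: automatic-action/MDN-sent-automatically; {disposition}\r\n"
        f"Received-Content-MIC: {mic}, {alg}\r\n"
        "\r\n--b1--\r\n"
    ).encode()

if __name__ == "__main__":
    print(check_mdn(build_sample_mdn(CONTENT), CONTENT, MSG_ID))
```

A transfer should be recorded as delivered only when this check passes; any other result belongs in the audit log alongside the stored MDN.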
AS2 Configuration Requirements
Setting up an AS2 connection between two trading partners requires exchanging several pieces of configuration information:
- AS2 Identifiers: Each partner has a unique AS2 ID string (often a DUNS number or company name) that identifies them in message headers.
- Endpoint URLs: The receiving partner's AS2 URL where messages should be POSTed, and optionally an asynchronous MDN URL for the sender.
- Digital Certificates: Public key certificates for encryption and signature verification must be exchanged. Most AS2 implementations use X.509 certificates, either self-signed or issued by a Certificate Authority.
- Security Settings: Partners agree on encryption algorithm, signature algorithm, and whether MDNs should be synchronous or asynchronous.
AS2 Software Options
AS2 is implemented through dedicated software that handles the protocol's security and delivery mechanics. Options include commercial solutions like IBM Sterling B2B Integrator, OpenText Trading Grid, and Axway SecureTransport, as well as open-source alternatives like OpenAS2 and Mendelson AS2. Many cloud-based EDI platforms also include built-in AS2 connectivity, eliminating the need to manage on-premise AS2 infrastructure.
AS2 vs Other Protocols
Compared to SFTP, AS2 provides built-in non-repudiation through signed MDNs, which SFTP lacks. However, AS2 is more complex to configure and requires certificate management. Compared to VANs, AS2 eliminates per-transaction fees by enabling direct partner connectivity, but it requires each partner to operate or subscribe to AS2 infrastructure. Many organizations use AS2 for high-volume trading partners where the direct connection justifies the setup effort, while maintaining VAN connectivity for lower-volume partners.