AS4 Webinar

Copyright (c) 2009, Drummond Group

AS4: Secure B2B Document Exchange Using Web Services

By Timothy Bennett, Drummond Group

[email protected]

615.337.6087

mailto:[email protected]


Introduction

Rik Drummond, CEO and CTODrummond Group, Inc.

Opening Remarks


Why AS4? AS4 does not replace AS2

AS4 is a Web services based protocol

The complexity of Web services has not been addressed nor has interoperability been achieved

AS4 brings AS2 simplicity to Web services

AS4 brings interoperability to Web services through comprehensive interop testing by DGI

Organizations that are heavily invested in AS2 will continue to use AS2

AS4 will help organizations that are heavily investing in Web Services but need simplicity and interoperability

Provides B2B vendors an on-ramp to Web services based B2B solutions that have otherwise resisted


Value of Drummond Certified™ Interoperability

Interoperability Certification drives standards adoption

Interoperability Certification offers assurances to end users that products will work with other products, a base of interoperable products are available, and that the standard is being implemented and is viable

Interoperability Certification drives software product sales


Overview What is AS4 and what are the benefits of this new B2B

messaging protocol

The birth of AS4 and its continuing evolutionary process towards a B2B messaging standard

Some technical highlights of the AS4 profile

The DGI Interoperability Certification Test

Where we are in the process and what you can do


What is AS4?

An open standard for the secure and payload-agnostic exchange of B2B documents using Web services

Maps the AS2 functional requirements onto the WS-* stack using ebMS 3.0 as a leverage point

Constrains the ebMS v3.0 specification (and its underlying specifications) for message packaging, transport, security, exchange patterns, and business non-repudiation


Purpose of AS4

Provides an entry-level on-ramp for Web services B2B messaging by embracing “elegant simplicity”

Promotes the adoption of Web services

Extends the use of SOA deployments for inter-business communication


Elegant Simplicity The success of AS2 rests in its “just enough” approach to secure

B2B messaging

AS4 eliminates WSDL complexity by avoiding the pitfalls of mapping document types and business process to SOAP operations and actions

Out-of-the-box support for only the most common message exchange patterns and security options

Payload-agnostic and just enough reliable messaging


Benefits Summary Web services landscape lacks a B2B messaging specification

that has the simplicity and elegance of AS2

Simplification of Web services for B2B breeds an environment whereby the likelihood for interoperability become achievable

As SOA and Web services deployments becomes more pervasive, the opportunity for B2B communication on these platforms will increase

New markets that are Web services centric can benefit from the AS2 success story


Origins of AS4 DGI facilitated a series of technical discussions with a group of interested

vendors in 2007

The group arrived at a high level consensus of the functional requirements for the WS-* stack

The consensus was characterized by a simple approach to Web services messaging that focused on secure, payload-agnostic document exchange – in fact, similar to the AS2 functional requirements

It was important to the group that the requirements be captured in an open standard instead of a proprietary and closed document


Looking for a Home EDIINT at IETF was first considered because of the history with

AS1, AS2, and AS3

OASIS seemed like a more natural fit because of its focus on the WS-* stack

At OASIS, the recently published ebMS 3.0 specification already contained a good portion of what AS4 needed

A subcommittee of the OASIS ebXML MS TC was formed to develop a profile of the ebMS 3.0 specification


AS4 Profile Highlights

Message security governed by WS-Security specification along with support for payload compression

Support for both document push and pull message exchange choreographies

Support for an AS2-like business Non-Repudiation Receipt

Reception Awareness – Just enough reliable messaging


AS4 Message Security

Support for payload compression and must occur prior to attaching the document(s) and prior to any message-level security

Support for message-level security including various combinations of XML Digital Signature and/or XML Encryption as governed by WS-Security

X.509 security tokens for signing/encryption; additional support for username/password tokens for access to message pull channels


AS4 Document Push/Pull Support for AS2's synchronous and asynchronous document push

choreographies

Support for the ebMS v3 document pull choreography which is not available with AS2

Important for markets where 24x7 Internet connectivity and IP addressability is not available

Clients can access multiple document pull channels (priority, document types, etc)

AS4 defines a “Light Client” for deployment to IT and cost challenged endpoints


AS4 Non-Repudiation of Receipt (NRR)

Support for business non-repudiation receipts similar to AS2's RFC3798 (MDN)

The MDN is specified by the ebXML BPSS in the form of an XML schema and returned as special signal message

AS4 defaults to requiring message recipients to return a signed receipt and contain digests necessary for NRR

Receipt may contain error information if the Recipient could not process the Sender's message


AS4 Reception Awareness

Makes use of the message receipt as the signal to the message sender that the recipient received the business payload – similar to AS2 Reliability

Support for Duplicate Detection at the message Recipient

Support for Message Retry if the Sender does not receive a receipt.


Future Profile Development

Certificate Exchange and Identity-related concerns

Advanced Quality of Service (Reliable Messaging) concerns

Very Large Message exchange

More complex message exchange choreographies


Where Are We?

ebMS TC has approved a draft profile document that has been submitted to OASIS for public review

AS4 Profile expected to be released as a Committee Specification in April 2009

DGI interoperability certification event to follow starting September 2009


What Can You Do? Review the draft AS4 Profile during the OASIS public review

process and provide feedback as appropriate

Commit to implementing the AS4 profile as an early adopter

Participate in DGI's interoperability certification program

Consider AS4 as a Web services based communication platform for your business domain

Consider having your user group endorse AS4 as its Web services B2B messaging choice


Q&A

Comments? Questions?Feedback?

Technology

AS4 Webinar