Collect AS4 Transport Details

You must configure AS4 Adapter connections to exchange inbound and outbound messages with a trading partner. You can create the connection either before or during configuration of the AS4 transport. You must collect AS4 transport details before you can define the AS4 transport in Oracle Integration.

Collect AS4 Transport Details

AS4 is an HTTP-based, point-to-point protocol typically used for real-time transactions. A bidirectional AS4 message exchange involves two AS4 endpoints.

While creating this transport, you must collect information from your trading partner about their AS4 endpoint. You also may need to provide information about your AS4 endpoint to your trading partner. The following describes, for each area, what you need from your trading partner and what you need to provide to your trading partner:

Basic connectivity
  • The partner's AS4 URL.
  • An SSL certificate with a public key, if a self-signed certificate was used.
  • User name/password credentials for HTTP basic authentication, if enabled.

Two-way SSL for outbound connections (an optional feature)
  • If you select the Invoke or Trigger and invoke role, you can create a certificate alias to use for establishing client identity during two-way SSL communication. See Prerequisites for Creating a Connection in Using the AS4 Adapter with Oracle Integration 3.

Signed or encrypted AS4 messages (an optional feature)
  • The partner's public certificate for signing and encryption. (Typically the same certificate is used for both signing and encryption, but if the partner prefers to use different ones, you should get two separate public certificates from them.)
  • Your public certificate for signing and encryption (see Certificates).

Signing and encryption are optional features in AS4. You can start with only the basic connectivity first and add signing/encryption later. Signing/encryption provide nonrepudiation, message integrity, and security features and are recommended for production environments. However, there is a bit more complexity in setting those up.

The following shows which PKI key is used in each scenario:

Signed AS4 message
  • Inbound message: the partner's public key for signing is used to verify a signed message.
  • Outbound message: your company's private key for signing is used to digitally sign the message.

Encrypted AS4 message
  • Inbound message: your company's private key for encryption is used to decrypt the message.
  • Outbound message: the partner's public key for encryption is used to encrypt the message.
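The key roles above are easy to get backwards when filling in certificate aliases, so here is an added illustration (not Oracle's code, and not the AS4 Adapter's implementation) that runs the four operations with two in-memory RSA key pairs standing in for your identity certificate and the partner's. Real AS4 applies WS-Security XML signature and encryption to the SOAP envelope; the RSA-OAEP and PKCS#1 v1.5 calls here are a simplified stand-in chosen only to make visible which side's key does what. The Endpoint type, the Pair helper and the sample payload are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Endpoint models one AS4 party. It holds its own private key and the
// public key taken from the partner's certificate; the partner's private
// key is never available to it.
type Endpoint struct {
	Name    string
	priv    *rsa.PrivateKey
	peerPub *rsa.PublicKey
}

// NewEndpoint generates a fresh 2048-bit RSA key pair in memory. In Oracle
// Integration this corresponds to the identity certificate uploaded under
// Settings > Certificates (assumption: one key pair serves both signing and
// encryption, as with the AS4 Basic policy).
func NewEndpoint(name string) (*Endpoint, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Endpoint{Name: name, priv: key}, nil
}

// Pair exchanges public keys only, which is all that crosses the trust
// boundary between two trading partners.
func Pair(a, b *Endpoint) {
	a.peerPub = &b.priv.PublicKey
	b.peerPub = &a.priv.PublicKey
}

// Outbound prepares a message for sending: the sender's own private key
// signs it and the partner's public key encrypts it.
func (e *Endpoint) Outbound(payload []byte) (ciphertext, signature []byte, err error) {
	digest := sha256.Sum256(payload)
	signature, err = rsa.SignPKCS1v15(rand.Reader, e.priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, nil, fmt.Errorf("sign: %w", err)
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, e.peerPub, payload, nil)
	if err != nil {
		return nil, nil, fmt.Errorf("encrypt: %w", err)
	}
	return ciphertext, signature, nil
}

// Inbound processes a received message: the receiver's own private key
// decrypts it and the partner's public key verifies the signature. A
// message whose signature does not verify is rejected before any use.
func (e *Endpoint) Inbound(ciphertext, signature []byte) ([]byte, error) {
	payload, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt with %s's private key failed: %w", e.Name, err)
	}
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(e.peerPub, crypto.SHA256, digest[:], signature); err != nil {
		return nil, fmt.Errorf("signature verification with partner's public key failed: %w", err)
	}
	return payload, nil
}

// Exchange sends one signed and encrypted message and returns what the
// receiver recovered.
func Exchange(sender, receiver *Endpoint, msg []byte) ([]byte, error) {
	ct, sig, err := sender.Outbound(msg)
	if err != nil {
		return nil, err
	}
	return receiver.Inbound(ct, sig)
}

func main() {
	us, err := NewEndpoint("your company")
	if err != nil {
		log.Fatal(err)
	}
	partner, err := NewEndpoint("partner")
	if err != nil {
		log.Fatal(err)
	}
	Pair(us, partner)
	// Constructed sample payload; real AS4 carries a SOAP envelope.
	got, err := Exchange(us, partner, []byte("ORDERS 4711"))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("partner received: %s\n", got)
}
```

Two consequences worth checking in your own setup follow directly from the code: the sender cannot decrypt its own outbound message (it holds only the partner's public key), and a message whose signature fails to verify against the partner's public key is discarded before the payload is used. If an alias is entered in the wrong field of the connection, one of these two operations fails, which is what the connection test in the steps below surfaces.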
If you already have the AS4 endpoint information from your trading partner, follow these steps:

Step 1: Upload each of the partner's certificates. Upload SSL certificates as X.509 Trust; upload signing and encryption certificates as X.509 Identity. For identity certificates, you decide and enter a unique alias. Note the aliases.

In the navigation pane, click Settings, then Certificates. See Certificates.

Step 2: If signing/encryption is a requirement, acquire or generate a key pair for signing and encryption (or two separate key pairs, if you want to use separate keys for signing and encryption).

Upload the private key as X.509 Identity and note the alias and password you enter. Share the public key with your trading partner. Never share the private key.

In the navigation pane, click Settings, then Certificates. See Certificates.

Step 3: Create an AS4 connection with the Trigger and invoke role. In the Connections page, enter:
  • The partner's AS4 URL in the AS4 service URL field
  • The user name/password in the corresponding fields

If signing/encryption is a requirement, configure the AS4 connection further.

If both your partner and your company use one certificate for signing and encryption, select AS4 Basic Username Password Token Policy. If either of you uses different certificates, select AS4 Advanced Username Password Token Policy.

  • For AS4 Basic Policy, enter the partner's certificate alias, corresponding to the identity certificate from step 1, and the private key alias and key password, corresponding to the identity certificate from step 2.
  • For AS4 Advanced Policy, enter each of the certificate aliases into the fields. See Configure Connection Security in Using the AS4 Adapter with Oracle Integration 3.

Step 4: Test the AS4 Adapter connection to make sure it succeeds. If it fails, review the errors, verify that the AS4 URL entered is correct, and verify that the certificate aliases are correct. Save the AS4 Adapter connection.

Step 5: Create an AS4 transport, selecting the AS4 connection created in step 3. Complete the configuration. See Define an AS4 Transport.

Step 6: Deploy the AS4 transport. After the state changes to deployed, the transport is ready for use.
If you do not yet have the AS4 endpoint information from your trading partner, but want to get your side ready for receiving AS4 messages, follow these steps:

Step 1: Same as Step 1 in the previous list. Skip this step for now; you can perform it when the information becomes available from the trading partner.

Step 2: Same as Step 2 in the previous list.

Step 3: Same as Step 3 in the previous list, but given that the partner's AS4 URL is not yet available, enter a temporary placeholder URL in the AS4 service URL field. This can be the URL of your Oracle Integration instance, copied and pasted from the browser address bar, or any other valid URL. This placeholder is only needed to pass the connection test (which fails if the URL is invalid). Outbound AS4 messages do not work with this placeholder, but inbound messages can be received (since the AS4 service URL is not used when receiving inbound messages).

Step 4: Same as Step 4 in the previous list.

Step 5: Same as Step 5 in the previous list.

Step 6: Same as Step 6 in the previous list.

Credentials

To receive messages over AS4 from an external trading partner, HTTP basic authentication is enforced. Your trading partner is required to send the Authorization HTTP header, carrying the user name/password credentials you provide to them, with each AS4 message.

For internal testing you may use the same credentials that you use to log in to Oracle Integration to send test AS4 messages. However, it is not safe to share these credentials with an external trading partner because they can also log in to Oracle Integration with these credentials.

Instead, create a new user account in the Oracle Integration Identity Management application. Grant the Service Invoker role to this user account. This account is enough to send messages, but does not grant permissions to access any user interface pages in Oracle Integration. Share the user name and password of this new user with the trading partner.
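To make concrete what the partner's client has to send and what the receiving side checks, here is an added example (not Oracle Integration's code; the check Oracle Integration enforces is internal to the service) of building the Authorization header for the dedicated service-invoker account and validating it on the receiving side. The ServiceAccount type, the constructed user name and password, and the choice to keep only SHA-256 digests of the credentials on the receiver are assumptions made for this illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// ServiceAccount is the dedicated, low-privilege account whose credentials
// you hand to the trading partner. Only SHA-256 digests are kept on the
// receiving side (an assumption for this example, not how Oracle stores
// them); the fixed digest length also makes the comparisons below
// independent of credential length.
type ServiceAccount struct {
	userHash [32]byte
	passHash [32]byte
}

func NewServiceAccount(user, password string) ServiceAccount {
	return ServiceAccount{
		userHash: sha256.Sum256([]byte(user)),
		passHash: sha256.Sum256([]byte(password)),
	}
}

// BasicAuthHeader builds the Authorization header value the partner must
// attach to every AS4 message: "Basic " + base64("user:password").
func BasicAuthHeader(user, password string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+password))
}

// Authorize validates an Authorization header value against the account.
// Both digests are compared in constant time and both comparisons always
// run, so response timing reveals nothing about which part was wrong.
func Authorize(acct ServiceAccount, header string) bool {
	const scheme = "Basic "
	if len(header) < len(scheme) || !strings.EqualFold(header[:len(scheme)], scheme) {
		return false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header[len(scheme):]))
	if err != nil {
		return false
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok {
		return false
	}
	uh := sha256.Sum256([]byte(user))
	ph := sha256.Sum256([]byte(pass))
	userOK := subtle.ConstantTimeCompare(uh[:], acct.userHash[:])
	passOK := subtle.ConstantTimeCompare(ph[:], acct.passHash[:])
	return userOK&passOK == 1
}

// ReceiveHandler guards an AS4 receive endpoint: a request without valid
// credentials is answered with 401 and never reaches the message processor.
func ReceiveHandler(acct ServiceAccount, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !Authorize(acct, r.Header.Get("Authorization")) {
			w.Header().Set("WWW-Authenticate", `Basic realm="as4"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed credentials for the dedicated service-invoker account.
	acct := NewServiceAccount("as4-partner-acme", "correct horse battery staple")
	good := BasicAuthHeader("as4-partner-acme", "correct horse battery staple")
	bad := BasicAuthHeader("as4-partner-acme", "guess")
	fmt.Println("partner sends:", good)
	fmt.Println("valid credentials accepted:", Authorize(acct, good))
	fmt.Println("wrong password accepted:   ", Authorize(acct, bad))
}
```

Because base64 is an encoding and not encryption, the header carries the password in the clear; this is why the AS4 URL is HTTPS and why the account behind it should hold only the Service Invoker role, as described above, so that a credential leaked from the partner's side cannot be used to sign in to Oracle Integration.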

Certificates

If you want to enable encryption or signing for the AS4 communication, you must create a key pair and certificate following your company's process and generate a CA-signed certificate that you use for AS4 decryption and signing.

For testing with a self-signed certificate, here are simple steps to generate a key pair using the Java keytool:
  1. Generate a public/private key pair using keytool.
    1. Specify any alias and a keystore file name, replacing b2b-private-key-alias and b2b.jks with your values.
    2. Enter a keystore password when prompted and note it.
    3. Enter your organization's information when prompted.
    This generates a key pair (a public key and its associated private key) and a self-signed digital certificate in a keystore. If the keystore does not exist, it is created.
    keytool -genkey -keyalg RSA -alias b2b-private-key-alias -validity 1095 -keystore b2b.jks
  2. Upload the JKS into Oracle Integration as the X.509 type (SSL transport) and Identity category, using the same alias and password as entered above (this is part of Step 3 from the table of steps above).
  3. Export the public key certificate from this keystore as follows.
    1. Replace b2b.jks, b2b-private-key-alias, and public.cer with your keystore file name, the alias that was used previously, and a file name to store the public certificate.
      keytool -export -keystore b2b.jks -alias b2b-private-key-alias -file public.cer
  4. Convert it to any other industry-standard format using keytool, if necessary, as per your preference. Share only the public certificate public.cer with your trading partner (never share the private key with anyone). Your trading partner uses the public key certificate for signature verification and encryption.
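Before public.cer leaves your organization it is worth confirming that the file really is a bare certificate (not the keystore), that it carries an RSA key of adequate size, and that its validity window matches what you asked keytool for. The following is an added check (not part of the Oracle documentation or of keytool) that parses the DER file keytool -export writes and reports those properties; SelfSignedTestCert reproduces in memory what the keytool -genkey command above creates, so the check can be exercised without Java installed. The 2048-bit minimum, the "Example Corp" subject and the file name argument handling are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertSummary is what you want to confirm about public.cer before it goes
// to a trading partner.
type CertSummary struct {
	Subject    string
	RSABits    int
	SelfSigned bool
	DaysValid  int
}

// InspectCertificate parses a DER certificate such as the public.cer that
// "keytool -export" writes, and rejects anything that is not an RSA key of
// at least 2048 bits or that is outside its validity period at "now".
func InspectCertificate(der []byte, now time.Time) (CertSummary, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, fmt.Errorf("not a DER certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return CertSummary{}, errors.New("public key is not RSA")
	}
	if bits := pub.N.BitLen(); bits < 2048 {
		return CertSummary{}, fmt.Errorf("RSA key too short: %d bits", bits)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return CertSummary{}, fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	// Self-signed: issuer equals subject and the certificate's own key
	// verifies its signature, which is what keytool -genkey produces.
	selfSigned := bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return CertSummary{
		Subject:    cert.Subject.String(),
		RSABits:    pub.N.BitLen(),
		SelfSigned: selfSigned,
		DaysValid:  int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24),
	}, nil
}

// SelfSignedTestCert produces, in memory, the equivalent of
// "keytool -genkey -keyalg RSA -validity <days>" followed by
// "keytool -export": a 2048-bit RSA key pair and its self-signed DER
// certificate. The private key is discarded; only the certificate is returned.
func SelfSignedTestCert(cn string, validDays int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Usage: go run . [path-to-public.cer]
	path := "public.cer"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	der, err := os.ReadFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	s, err := InspectCertificate(der, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, "do not share this file:", err)
		os.Exit(1)
	}
	fmt.Printf("%s: RSA-%d, self-signed=%v, valid for %d days\n", s.Subject, s.RSABits, s.SelfSigned, s.DaysValid)
}
```

If you point this at b2b.jks instead of public.cer, parsing fails, which is the intended safeguard: a keystore contains the private key and must not be the file you send. A certificate with DaysValid of 1095 matches the -validity 1095 used above; a CA-signed production certificate will report SelfSigned as false.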

AS4 URL for Receiving

You need the AS4 URL for your AS4 endpoint to share with your trading partner. Once the transport is deployed (indicating it is ready to receive and/or send messages), your AS4 endpoint URL is displayed in the AS4 endpoint URL for receiving transport field. Copy this AS4 URL to share with your trading partner. This AS4 URL is not common across all trading partners; it is specific to the current trading partner that you are viewing or editing. Only that specific trading partner may send AS4 messages to this URL.

The AS4 URL is the URL that invokes the AS4 integration for receiving messages for this transport. While you can also get the same URL from the Integrations page, this field provides an easier way to access it.