In the previous 2 posts, we covered an Outgoing EDI Flow and an Incoming EDI Flow over SFTP. We will now continue on our EDI journey by looking at EDI over AS2.

In this post, we will define a new Trading Partner “Customer2”, who will push EDI files over AS2 into Integration Suite / CPI. As in Part 2, we will receive an EDIFACT ORDERS D96B file from a Trading Partner and process it as an IDoc into ERP, using the same mapping as in Part 2. While there is plenty of content on both the SAP Community and the SAP help documentation (see the Further Reading section at the end), I would like to start from scratch here: we install Mendelson AS2 to simulate our CUSTOMER2 and set up security rules for this CUSTOMER2. In other words, what we are doing is:

  • Install and set up Mendelson AS2 as the AS2 Sender.
  • Leverage the same MIG and Mapping from the previous post.
  • Leverage the same Agreement Template from the previous post.
  • Create a new Trading Partner called CUSTOMER2 and define AS2 parameters for it.
  • Create a new Agreement for CUSTOMER2 to process the EDIFACT D96B ORDERS message.

Scenario in Scope

Scenario at a Glance - AS2 to IDoc Flow

You will build an AS2 (EDI) –> CPI –> IDoc flow and leverage TPM to handle the Trading Partner Details.

Pre-requisites from Previous Post

If you are starting directly with this post, make sure the prerequisites from the previous post (Part 2) highlighted below are already in place.

High Level Steps in Scope

  • IntegrationSuite: Deploy the Standard Iflow: Step 1 – Sender AS2 Communication Flow V2 from Package Cloud Integration – Trading Partner Management V2
  • IntegrationSuite: Export Public TLS Certificate of your AS2 endpoint
  • IntegrationSuite: Export public certificate from Keystore for sap_cloudintegrationcertificate
  • IntegrationSuite: Create a Service Instance and Service Key for our new Customer: CUSTOMER2
  • MendelsonAS2: Download and Install
  • MendelsonAS2: Configure Certificates
  • MendelsonAS2: Configure Partners
  • IntegrationSuite: Define a new Trading Partner
  • IntegrationSuite: Define a new Agreement
  • Test Your Flow

IntegrationSuite: Deploy the Standard Iflow: Step 1 – Sender AS2 Communication Flow V2

Just go to the Standard Package Cloud Integration – Trading Partner Management V2 and Deploy the Iflow: Step 1 – Sender AS2 Communication Flow V2.

Note down the Endpoint of your Integration Flow you just deployed. You will use this in the next step and in Mendelson AS2.

Deploy Standard Iflow Step 1 - Sender AS2 Communication Flow V2
AS2 Endpoint of Standard IFlow Step 1 - Sender AS2 Communication Flow V2

IntegrationSuite: Export Public TLS Certificate of your AS2 endpoint

The AS2 Endpoint of your Integration Flow is the it-rt runtime of your Integration Suite tenant. The TLS Certificate of this endpoint has to be loaded into Mendelson AS2 in a later section, so you need to download it. There are multiple ways to do this, but I used the Connectivity Tests of Integration Suite.

You will get a .zip file with 3 certificates. Unzip it and have them handy!

AS2 TLS Connectivity Test
TLS Certificates of CPI IT RT Runtime

IntegrationSuite: Export public certificate from Keystore for sap_cloudintegrationcertificate

To enable Decryption of payload on Integration Suite, our AS2 Partner will require our “Public Certificate“. In our scenario I assume that we will use the standard sap_cloudintegrationcertificate to decrypt the message and hence we need to export the Public Certificate of this Key from Integration Suite KeyStore.

In the real world, you will of course create your own “Signed” Key Pair, but for the purpose of this post let's use sap_cloudintegrationcertificate.

  • Login to Integration Suite -> Monitor -> Integrations -> Keystore
  • Click on sap_cloudintegrationcertificate
  • Download -> Certificate
  • Save this file for use in Mendelson AS2
Select Keystore entry: sap_cloudintegrationcertificate
Download Certificate for Keystore entry: sap_cloudintegrationcertificate

IntegrationSuite: Create a Service Instance and Service Key for our new Customer

At the time of writing this post, AS2 in Integration Suite only works with User Authentication. Unlike on Process Orchestration, where you could turn off User Authentication for AS2 endpoints, on Integration Suite the endpoint has to be protected via Basic Authentication. There are workarounds that expose an AS2 Sender channel without Authentication (using SAP API Management), but for the sake of this post we will stick to Basic Authentication for the AS2 Sender Channel.

Create Service Instance

We will now create a new Service Instance and Service Key on the BTP Subaccount of your Integration Suite. These are standard steps, so I won't go into the details beyond a few screenshots.

  • Service: Process Integration Runtime
  • Plan: integration-flow
  • Name: CUSTOMER2
Create Service Instance for AS2 Sender

Create Service Key

Create a Service Key and note down the client_id and client_secret. We will use them subsequently.

You can choose to use an external certificate here as well, but I am sticking to Basic Authentication (client_id / client_secret). Check the blog in the Further Reading section if you are an expert user of the Partner Directory and want to avoid Basic Authentication.

Create Service Key

Mendelson AS2 – Download and Install

Download Mendelson AS2 Community Edition

We will use Mendelson AS2 Community Edition as our testing tool to push AS2 messages. This tool has been around for a long time and has been covered in multiple posts on the SAP Community, but to make things easy I also show how to set it up. I do not go into each setting of the tool, nor do I explain the basics of AS2, but I try to make sure you can set it up and run your flow.

Download the community edition of Mendelson AS2 from this link .

Install Mendelson AS2 Community Edition

Once you have downloaded the executable file, go ahead and install it. I have changed the Installation Directory ( as I have a previous installation) but you can choose to use the default Installation directory as well. Just make sure you know where the tool is Installed!

Mendelson AS2 Installer Starts
Note the Installation directory
Installation is completed

Start Mendelson AS2 Community Edition

Navigate to the Installation Directory of Mendelson AS2 and run the file AS2.exe. Allow the required Network Access if Windows Defender blocks it!

Starts Mendelson AS2
Mendelson AS2 is up and running

MendelsonAS2: Configure Certificates

Load the TLS Certificates of Integration Suite

In the previous section you downloaded the 3 TLS Certificates of the Integration Suite IT RT runtime. You now need to load them into Mendelson AS2. Select TLS –> Import Certificate and import the 3 certificates (the certificate chain) into Mendelson AS2. If you get an error that a Certificate already exists, you can skip that certificate: it means it is already in your Keystore in the TrustedCAs.

Import TLS Certificate into Mendelson AS2
Import the Certificates
List of Certificates in Mendelson AS2

Load Sign/Crypt Certificates into Mendelson AS2

As we saw in the previous section, we will use sap_cloudintegrationcertificate as our Decryption Certificate for Integration Suite. We will import this as our Sign/Crypt Cert.

Note: Change the alias to sap_cloudintegrationcertificate when you import, to make it easy to identify this certificate.

Import Sign / Crypt Certificate into Mendelson AS2

Select sap_cloudintegrationcertificate
Change Alias to sap_cloudintegrationcertificate
sap_cloudintegrationcertificate imported.

MendelsonAS2: Configure Partners

Define a Partner for CPI ( Reactor)

Define a partner for CPI by changing the existing mendelsontest partner with the details below.

  3. Email Address: Change to any Email Address
  4. Partner Certificate (Outbound..) : sap_cloudintegrationcertificate
  5. Partner Certificate (Inbound..) : sap_cloudintegrationcertificate
  6. Receipt URL : AS2 Endpoint of Iflow: Step 1 – Sender AS2 Communication Flow V2
  7. HTTP Authentication User : client_id of Service Key created in previous steps
  8. HTTP Authentication Password: client_secret of Service Key created in previous steps
  9. Click Ok
Change Partner mendelsontest
Change Partner mendelsontest
Change Security Settings of Partner
Change Receipt URL of Partner
Change Authentication Of Partner

Define a Partner for CUSTOMER2 ( Initiator)

Define a partner for CUSTOMER2 by changing the existing mycompany partner with the details below.

  1. Select Partner
  2. Select mycompany ( the name will change the moment you change the Name in Step 3)
  3. Name: CUSTOMER2
  5. EmailAddress: Any email
  6. Click Ok!
Configure mycompany

MendelsonAS2: Download Public Certificate

Download Mendelson AS2 Sign Certificate key3. Save the file locally. We will use this when we define our Trading Partner in Integration Suite.

Download Mendelson AS2 Sign Certificate key3

Integration Suite: Define a new Trading Partner

Create Trading Partner

  • Navigate to B2B Scenarios –> Trading Partners –> Create
  • Provide Name and Short Name as : CUSTOMER2, CUSTOMER2 and Save.
Create Trading Partner Management Overview

Create Identifiers for EDIFACT

  • Go to Identifiers and Define EDI Identifiers ( like in Part 2)
    • Identification: CUSTOMER2
    • Type System: UN/EDIFACT
    • Scheme: 30
Create Identifiers for EDIFACT

Create Identifiers for IDoc

  • Go to Identifiers and Define EDI Identifiers ( like in Part 2)
    • Identification: CUSTOMER2
    • Alias: CUSTOMER2_IDOC
    • Type System: SAP S/4HANA On Premise IDoc
    • Scheme: N/A
Create Identifiers for IDoc

Create System And Type System

  • Go to Systems and Create a System
  • Purpose: DEV
  • Type System: Create New
    • Description: CUSTOMER2_MENDELSON
Create System And Type System
Create System And Type System

Create Type System

  • Name: UN/EDIFACT
  • Version: D.96B.S3 ( We will receive ORDERS EDI Of version D96 B )
Create Type System

Create Certificates

Before we configure Communication Systems, we need to load our Certificates. This will be the KEY3 certificate we downloaded from Mendelson AS2 in the step MendelsonAS2: Download Public Certificate.

Create Certificate
Customer 2 Certificate is loaded

Create Security

We will create the Security Profile of our Trading Partner here.

Create Communications ( Sender )

In this step you will need the client_id of the Service Key we created for Customer2 in the previous section, so have that handy. Go to Systems -> Communications and Create a Communication.

  • Direction: Sender
  • Adapter : AS2
  • Security Configuration Model: Channel
  • User Account: <<client_id>> of the ServiceKey
  • Security Settings
    • Decrypt Message : Selected
    • Private Key Alias: sap_cloudintegrationcertificate
    • Verify Signature: Trusted Certificate
    • Public Key Alias: CUSTOMER2_CERT
Create TPM Communications
Security Settings of Customer2 AS2 Sender Channel

Create Communications (Receiver)

After you have created your Communications (Sender), technically you are good to go. But if you look closely you see that your Communication System Status is Incomplete. For some reason Integration Suite expects you to provide both a Sender and Receiver Communication before you can mark a System as Complete.

Systems is Incomplete

Hence we will create a Communications ( AS2 Receiver). We will use this in the next blog but for now I will fill this with dummy details.

Create Communications
  • Direction: RECEIVER
  • Adapter: AS2

Connection Details of AS2 Receiver

  • Recipient URL: https://hostname_where_mendelson_runs:8443
Recipient Details of AS2 Connection

Processing Details of AS2 Receiver

  • Partner AS2 ID: CUSTOMER2
  • Message Subject: AS2 from COMPANY_SELF_CPI to CUSTOMER2
  • Own E-mail address:
  • Content-Type: application/edi
  • Content Transfer Encoding: binary
Processing Details of AS2 Receiver

Security Details of AS2 Receiver

  • Sign Message : Selected
  • Algorithm: SHA1
  • Private Key Alias : sap_cloudintegrationcertificate
  • Encrypt Message: Selected
  • Algorithm : 3DES
  • Public Key Alias: CUSTOMER2_CERT
Security Details of AS2 Receiver

Make System Complete

Go back to your System, click on Edit, and then Save. Your status will change from Incomplete to Complete.

Edit System to make complete
System Status is Complete

IntegrationSuite: Define a new Agreement

Go to your Trading Partner Management –>Agreements –> Create

Create TPM Agreement

Select the Agreement Template from Part 2 – Customer 1 Initiates EDIFACT ORDERS D6B . Ideally I should have named the Agreement Template without any Specific Customer in the previous post but we can still select this and continue.

Select Agreement Template

Note: Change the name to Customer2 Initiates EDIFACT ORDERS D96B and select the required details in the same order as below.

Provide Agreement Overview details

Select the B2B Scenarios and Transaction details as below.

Select B2B Scenarios -> Transactions -> Communication
Select B2B Scenarios -> Transactions -> Interchange

Provide Custom Mapping Processing Details. Ideally this should have been named without Customer details in Part 2, when we created the Mapping Iflow with Process Direct, but for now let's leave it as is and provide the value: /tpm/Customer1/EDIFACT_ORDERSD86B/IDOC_ORDERS_ORDERS05

Provide Custom Mapping Processing Details

That's it, click on Save! Now Activate your Agreement!

Activate Agreement

Test Your Flow

You are now ready to test your flow. We will now send a message from Mendelson AS2 that will be encrypted and signed. The message will be an EDI file in ORDERS D96B format. Remember to change the Sender Interchange ID in the raw EDI file to the Identifier we have defined for Customer 2 (CUSTOMER2).

  • Select Option: File -> Send File to Partner
  • Select the file you want to send (Note – make sure it is an EDI ORDERS D96B file, or an equivalent EDI file matching the MIG and Mapping you have configured).
Send file to Partner in AS2
Select and Send file to Integration Suite over AS2
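The Sender Interchange ID change described above can be scripted instead of edited by hand. The following Python sketch is an added example, not part of the original post or of any SAP or Mendelson tooling: it rewrites the sender in the UNB segment while honouring an optional UNA service string and release-character escapes. The sample interchange is constructed, `MYCOMPANY` is a placeholder recipient, the function names are hypothetical, and the qualifier `30` is assumed to correspond to the Scheme 30 identifier defined for CUSTOMER2.

```python
DEFAULT_UNA = ":+.? '"  # component sep, element sep, decimal mark, release, reserved, terminator

# Constructed sample interchange (not a real partner file); MYCOMPANY is a placeholder.
SAMPLE = ("UNA:+.? '"
          "UNB+UNOA:2+CUSTOMER1:30+MYCOMPANY:30+960412:1015+000000001'"
          "UNH+1+ORDERS:D:96B:UN'BGM+220+PO4711+9'UNT+3+1'"
          "UNZ+1+000000001'")


def split_unescaped(text, sep, release):
    """Split text on sep, leaving separators escaped by the release character alone."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == release and i + 1 < len(text):
            buf += text[i:i + 2]  # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i]
        i += 1
    parts.append(buf)
    return parts


def set_unb_sender(edi, sender_id, qualifier):
    """Return edi with the UNB sender identification and its code qualifier replaced."""
    has_una = edi.startswith("UNA")
    comp, elem, _, release, _, term = edi[3:9] if has_una else DEFAULT_UNA
    offset = 9 if has_una else 0
    start = edi.find("UNB" + elem, offset)
    if start < 0 or edi[offset:start].strip():
        raise ValueError("UNB must be the first segment after the optional UNA")
    unb = split_unescaped(edi[start:], term, release)[0]
    elements = split_unescaped(unb, elem, release)
    if len(elements) < 4:
        raise ValueError("UNB is missing the sender or recipient element")
    sender = split_unescaped(elements[2], comp, release)
    # Escape any service characters in the new ID so it cannot break the segment.
    safe_id = "".join(release + c if c in (comp, elem, release, term) else c
                      for c in sender_id)
    elements[2] = comp.join([safe_id, qualifier] + sender[2:])
    return edi[:start] + elem.join(elements) + edi[start + len(unb):]


if __name__ == "__main__":
    print(set_unb_sender(SAMPLE, "CUSTOMER2", "30"))
```

Only the sender composite of UNB is touched; the recipient, control reference and message body are returned byte for byte, so the test file still matches the MIG.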

Logs in Mendelson AS2

The message was successfully sent to Integration Suite (Encrypted and Signed). The MDN was received back (Signed and validated).

Message successful in Mendelson AS2
AS2 Message Logs
Detailed logs on Mendelson AS2

Logs in Integration Suite

Go to B2B Monitoring and check your message.

B2B Monitoring Successful
B2B Monitoring Detailed logs Integration Suite
B2B Monitoring Interchange Logs
Integration Flow Logs

Final Thoughts

What we have done is take an existing MIG and Mapping in Integration Suite and configure them for another Trading Partner over another protocol, AS2. The standard flows in Integration Suite in Trading Partner Management need no change at all.

Imagine a scenario where you have a landscape with a common mapping for all Trading Partners: using Trading Partner Management, you can just configure your Trading Partners and avoid any changes to your Integration Flow. The security keys and certificates are all processed dynamically using the Partner Directory (from Trading Partner Management), and all you as an EDI Technician do is perform certain repetitive steps. In the real world, I would say you can even imagine a situation where super users onboard new EDI Partners without doing any development. Of course there is a steep learning curve, but if done right, this can be a copy-paste of the same steps for different partners.

In the next steps we will extend Mendelson AS2 to receive EDI over AS2 messages from Integration Suite. We will also look at what happens under the hood and some pitfalls to avoid in an EDI implementation. But that's for another day!

Additional Blogs from this Series

Further Reading