MEC Setup Questions

beckenrod

Hi. My company has an EDI translation service and we are looking at MEC AS2 to provide some AS2 connections for one customer. We are looking at MEC as a way to begin doing AS2 without the large investment in software, since we are not sure how much we will need AS2 as part of our service. I am trying to plan out exactly how we would use MEC AS2 in our environment. I am also new to AS2 in general as far as the setup is concerned, so some of my questions may be a bit basic. Here goes:

1. For certificates, if we have 2 of our clients on AS2, would they each need a separate certificate or would the partners on the other end get the same certificate from us (a certificate for my company)? Since my company would be the entity on the other end of the communications, would the certificate represent us or would we need one for each client so it looks to the partner on the other end like they are trading with that particular company? I am thinking we would need separate certificates for each of our clients which leads me to a problem...

2. If I need to set up separate certificates for each of our clients, doesn't that mean I need multiple "Local stations"? One for each of our clients? I do not think MEC AS2 supports this from what I can see.

To make sure I am being clear, I'll try to draw it :-)

MYCOMPANY

-Client 1
---Partner A
---Partner B
---Partner C

-Client 2
---Partner A (same Partner A as Client 1)
---Partner D
---Partner E

I think I would need separate certificates for Client 1 and for Client 2, right? And I would need to be able to separate out the incoming and outgoing EDI data for each of my clients too.

I do not think the separate folders by partner would work for me because it would not allow for separate certificates for my clients, right? I could create separate partners and get the data separated that way without a problem, but I am still left with just one certificate to represent 'me' but I am really representing multiple entities (or I will be eventually).

Sorry for the really long and probably rambling post, but I am hoping others here do similar data processing for multiple companies and could shed some light.

Thank you.



heller

beckenrod,

I am sure that I misunderstand a lot of details of your questions, but I will try to answer as well as I understand these points. Please do not hesitate to ask questions again with more details if you see that I do not help you with an answer.

beckenrod wrote:

For certificates, if we have 2 of our clients on AS2, would they each need a separate certificate or would the partners on the other end get the same certificate from us (a certificate for my company)?

Every party in the communication needs a public key (certificate) for each of the other parties and a secret, private key for itself.
That means if there are the parties YOU, CUST1 and CUST2 there are the following certificates/keys needed:

YOU: key (YOU), cert (CUST1), cert (CUST2)
CUST1: key (CUST1), cert (YOU)
CUST2: key (CUST2), cert (YOU)

beckenrod wrote:

Since my company would be the entity on the other end of the communications, would the certificate represent us or would we need one for each client so it looks to the partner on the other end like they are trading with that particular company? I am thinking we would need separate certificates for each of our clients which leads me to a problem...

Your certificate (your public key) represents you. With 3 partners there are 6 key parts available. Every party keeps its own private key and gives away its public key.
Please have a look at the article Public key, it gives a good overview on public key infrastructure.

beckenrod wrote:

If I need to set up separate certificates for each of our clients, doesn't that mean I need multiple 'Local stations"? One for each of our clients? I do not think MEC AS2 supports this from what I can see.

I see no configuration beneath commercial ASP where multiple local stations may be necessary. Being the local station means that you are the sender. Whenever you send the data in your name (even for other parties; if it is mutually defined between partners, even ASP is possible with this configuration), you are the local station.
In m-e-c as2 you could define as many partners as you wish and exchange data with them. Having one local station does not mean to send data to only one partner!

I hope this helps
Regards
Heller
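The key-holding rule heller lays out above (every party keeps its own private key and holds a certificate for each partner it trades with), as an added example that is not part of the thread and not m-e-c as2 code. It builds three stations, YOU, CUST1 and CUST2, with RSA keys, prints the same inventory as heller's table, and then shows that sending YOU -> CUST1 needs key(YOU) and cert(CUST1), that CUST1 needs key(CUST1) and cert(YOU) to read it, and that CUST2 can do neither. Party names and the payload are constructed; the direct RSA-OAEP encryption of the payload is a simplification of what an AS2 agent does with a symmetric content key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Party models one AS2 station: its own private key plus the certificates
// (public keys) of the partners it trades with. Constructed illustration of
// the key-holding rule, not m-e-c as2 code.
type Party struct {
	Name  string
	key   *rsa.PrivateKey           // secret; never leaves this station
	certs map[string]*rsa.PublicKey // partner name -> that partner's certificate
}

// NewParty generates the station's own key pair.
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, key: k, certs: map[string]*rsa.PublicKey{}}, nil
}

// Exchange is the one-time certificate swap: each side hands over only its public key.
func Exchange(a, b *Party) {
	a.certs[b.Name] = &b.key.PublicKey
	b.certs[a.Name] = &a.key.PublicKey
}

// Inventory lists the key material a party holds: "key (self)", then "cert (partner)" sorted by name.
func (p *Party) Inventory() []string {
	names := make([]string, 0, len(p.certs))
	for n := range p.certs {
		names = append(names, n)
	}
	sort.Strings(names)
	inv := []string{fmt.Sprintf("key (%s)", p.Name)}
	for _, n := range names {
		inv = append(inv, fmt.Sprintf("cert (%s)", n))
	}
	return inv
}

// Message is the signed and encrypted payload as it crosses the wire.
type Message struct {
	From, To   string
	Ciphertext []byte // payload encrypted to the receiver's certificate
	Signature  []byte // over the plaintext, made with the sender's private key
}

// Send needs key(self) to sign and cert(receiver) to encrypt. Direct OAEP with a
// 2048-bit key caps the payload at 190 bytes, enough for this demonstration.
func (p *Party) Send(to string, payload []byte) (*Message, error) {
	cert, ok := p.certs[to]
	if !ok {
		return nil, fmt.Errorf("%s holds no certificate for %s", p.Name, to)
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cert, payload, nil)
	if err != nil {
		return nil, err
	}
	return &Message{From: p.Name, To: to, Ciphertext: ct, Signature: sig}, nil
}

// Receive needs key(self) to decrypt and cert(sender) to verify; a station
// missing either piece of key material cannot process the message.
func (p *Party) Receive(m *Message) ([]byte, error) {
	cert, ok := p.certs[m.From]
	if !ok {
		return nil, fmt.Errorf("%s holds no certificate for %s", p.Name, m.From)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, m.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("%s cannot decrypt a message addressed to %s", p.Name, m.To)
	}
	digest := sha256.Sum256(pt)
	if err := rsa.VerifyPKCS1v15(cert, crypto.SHA256, digest[:], m.Signature); err != nil {
		return nil, fmt.Errorf("signature does not verify against cert (%s)", m.From)
	}
	return pt, nil
}

func main() {
	you, _ := NewParty("YOU")
	c1, _ := NewParty("CUST1")
	c2, _ := NewParty("CUST2")
	Exchange(you, c1)
	Exchange(you, c2)
	fmt.Println(you.Inventory(), c1.Inventory(), c2.Inventory())
	m, _ := you.Send("CUST1", []byte("constructed sample interchange")) // YOU -> CUST1
	pt, err := c1.Receive(m)
	fmt.Printf("CUST1 read %q, err=%v\n", pt, err)
	_, err = c2.Receive(m) // CUST2 has cert(YOU) but not key(CUST1)
	fmt.Println("CUST2:", err)
}
```

Note that CUST1 and CUST2 never exchange certificates, exactly as in heller's table: a message between them has to pass through YOU, which is the routing question the rest of the thread turns on.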



beckenrod

Hi Heller. Thank you for your reply. I think you did misunderstand my question a little.

My company processes EDI for other companies (EDI Outsourcing). We act as their EDI department and translate files inbound and outbound for them. We take data files and create EDI for them and take EDI and turn it in to data files for them to load in to their ERP systems.

In this scenario, let's say we are connecting 2 of our customers to the same trading partner (Target Dept Stores, for example).

Do we (my company) need to have separate certificates for our customers that we would give to Target? I will try to explain with some fake names to explain better:

My Company has 2 customers

Joe's Supply
Sally's Supply

we (my company) process all of their EDI for them (we are their virtual EDI dept).

Now Joe and Sally both need to connect to Target using AS2.

We contact Target on behalf of Joe and Target is going to ask for Joe's certificate, correct? If so, what do we give them? MEC looks to only support one Certificate for the "Local Station". Would that mean we (my company) have a certificate that represents us and we give that out to everyone that we exchange AS2 with on behalf of our clients (Joe and Sally)?

When we contact Target on behalf of Sally, will Target want a certificate that represents Sally and only Sally?

As our AS2 use grows, I could see this happening quite a bit where many of our customers need to connect to the same AS2 endpoint(s) for EDI.

If we need to have separate certificates for each of our clients (I hope we do not) then would we not need multiple PCs with MEC on them with certificates for each of our customers?

I might be TOTALLY off base here so I apologize if what I am asking about is way off base and not standard. I just do not want to get caught off guard by a request that I am not sure how to handle.

Thank you again.



heller

beckenrod,

I hope I understand your scenario. You are right, you cannot turn into Joe and Sally in one instance to communicate with Target.

m-e-c as2 has no routing capability, which is needed for your scenario. But I am sure you have an integration system that handles the receipt and sending of data behind the as2 adapter. This could be capable of doing the routing (using its message identification). Then Sally, Joe and Target would always connect to you and you would connect in a second step to the other TP.

Does this work for you?

Regards
Heller



beckenrod

We do have integration that will separate the data for Joe and Sally and anyone they trade with. This is how I was thinking of doing it in MEC.

We would set up a partnership that would be called something like:

Sally_Target
Joe_Target

Even though the endpoint for both is Target, we would separate out their sending and receiving data in MEC AS2 so it would all be in separate subdirectories. I think I have a good handle on how to do that in MEC. My main concern is whether Target (or any outside TP) will require different certificates for Joe and Sally since they are different companies, or whether they will accept that my company handles their EDI and take the same certificate from my company for Joe AND Sally. I am pretty new to AS2 and am not sure what is considered to be 'acceptable' when you do EDI Outsourcing for someone and use AS2 as well.

Thank you again for helping me to work through this.
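The routing step heller suggests and the Sally_Target / Joe_Target partnership naming beckenrod describes, as an added example that is not from the thread and not m-e-c as2 code. It assumes the EDI is ANSI X12 (the thread only says "EDI") and reads the sender and receiver identifiers from the ISA envelope, then decides which client and which partnership folder an interchange belongs to, in both directions. The interchange IDs, partner names and sample ISA segments are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Interchange holds the envelope identifiers of one X12 interchange, read from
// its ISA segment. X12 is an assumption here; the thread only says "EDI".
type Interchange struct {
	SenderQual, SenderID     string
	ReceiverQual, ReceiverID string
	Control                  string
}

// ParseISA reads the ISA header. The element separator is whatever character
// follows "ISA", so '*' is not hard-coded; only the routing elements are kept.
func ParseISA(raw string) (Interchange, error) {
	if len(raw) < 4 || !strings.HasPrefix(raw, "ISA") {
		return Interchange{}, fmt.Errorf("input does not start with an ISA segment")
	}
	f := strings.SplitN(raw, raw[3:4], 17) // 16 elements plus the rest of the stream
	if len(f) < 17 {
		return Interchange{}, fmt.Errorf("ISA has %d elements, want 16", len(f)-1)
	}
	return Interchange{
		SenderQual:   f[5],
		SenderID:     strings.TrimSpace(f[6]),
		ReceiverQual: f[7],
		ReceiverID:   strings.TrimSpace(f[8]),
		Control:      f[13],
	}, nil
}

// Route is what the integration layer decides before m-e-c as2 sees the file:
// which client the interchange belongs to and which partnership folder
// (Joe_Target, Sally_Target, ...) it travels through.
type Route struct {
	Direction   string // "inbound" = partner -> client, "outbound" = client -> partner
	Client      string
	Partner     string
	Partnership string
}

// Router keys both tables by "qualifier:id" so that a DUNS number and a
// mutually defined ("ZZ") identifier with the same text cannot collide.
type Router struct {
	Clients  map[string]string // "01:123456789" -> "Joe"
	Partners map[string]string // "ZZ:TARGETDS"  -> "Target"
}

func idKey(qual, id string) string { return qual + ":" + id }

// Route picks the partnership from the (sender, receiver) pair and refuses
// anything that is not a known client talking to a known partner.
func (r Router) Route(ic Interchange) (Route, error) {
	snd, rcv := idKey(ic.SenderQual, ic.SenderID), idKey(ic.ReceiverQual, ic.ReceiverID)
	if c, ok := r.Clients[rcv]; ok {
		if p, ok := r.Partners[snd]; ok {
			return Route{"inbound", c, p, c + "_" + p}, nil
		}
	}
	if c, ok := r.Clients[snd]; ok {
		if p, ok := r.Partners[rcv]; ok {
			return Route{"outbound", c, p, c + "_" + p}, nil
		}
	}
	return Route{}, fmt.Errorf("no client/partner pair for %s -> %s (control %s)", snd, rcv, ic.Control)
}

// ThreadRouter is the constructed routing table for the thread's scenario;
// every identifier in it is made up.
func ThreadRouter() Router {
	return Router{
		Clients:  map[string]string{"01:123456789": "Joe", "01:987654321": "Sally"},
		Partners: map[string]string{"ZZ:TARGETDS": "Target"},
	}
}

// Constructed sample interchanges (only the ISA segment matters here).
const (
	TargetToJoe   = "ISA*00*          *00*          *ZZ*TARGETDS       *01*123456789      *080115*1200*U*00401*000000123*0*P*>~"
	SallyToTarget = "ISA*00*          *00*          *01*987654321      *ZZ*TARGETDS       *080115*1205*U*00401*000000456*0*P*>~"
)

func main() {
	r := ThreadRouter()
	for _, raw := range []string{TargetToJoe, SallyToTarget} {
		ic, err := ParseISA(raw)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		rt, err := r.Route(ic)
		fmt.Printf("control %s: %+v err=%v\n", ic.Control, rt, err)
	}
}
```

An interchange whose sender/receiver pair is not in the table is rejected rather than dropped into a default folder, so a partner that was never configured, or a client ID that was mistyped, surfaces as an error instead of ending up in the wrong customer's directory.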



beckenrod

Heller,

Any thoughts on this?

Thank you again for your help.



heller

beckenrod,

My idea on this point is really to act as ASP with your own private key and certificates to establish a three point connection for each transaction, e.g.

Sally-You-Target

All you need is the routing in the integration system but this should be no problem. And then you could configure m-e-c as2 as normal.

Hope this helps
Heller



beckenrod
Add a feature?

heller wrote:
beckenrod,

My idea on this point is really to act as ASP with your own private key and certificates to establish a three point connection for each transaction, e.g.

Sally-You-Target

All you need is the routing in the integration system but this should be no problem. And then you could configure m-e-c as2 as normal.

Hope this helps
Heller

I agree with you Heller that we should be seen as the ASP for the EDI services for the client. But, it looks like the partners expect to have different certificates for their 'partners' (Sally/Joe/etc). They do not really see my company as the partner and they want to have separate certificates with different expiration dates for each partner.

How it works now works perfectly for anyone who is only their own endpoint. But since we are the endpoint for multiple people, I do not think it will work for us.

Is this something you would consider adding in a future release to accommodate an EDI service provider like we are?

Thanks again.
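Why the partners insist on separate certificates with their own expiration dates, seen from the receiving side, as an added example that is not from the thread and not m-e-c as2 code. A partner like Target keeps exactly one certificate per AS2 identifier and checks three things on every message: that the AS2-From value is registered, that its certificate is within its validity period, and that the signature verifies under that certificate. A provider with one key can therefore fill only one row of such a table. The station names, expiry dates and payload are constructed; Ed25519 self-signed certificates stand in for whatever the partners would actually issue.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Station is one AS2 identity as a partner such as Target sees it: an AS2-From
// value bound to one certificate with its own validity period. Constructed
// illustration with made-up names; not m-e-c as2 code.
type Station struct {
	AS2From string
	Cert    *x509.Certificate
	priv    ed25519.PrivateKey
}

// NewStation creates a self-signed Ed25519 certificate that expires at notAfter.
func NewStation(as2from string, notAfter time.Time) (*Station, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: as2from},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Station{AS2From: as2from, Cert: cert, priv: priv}, nil
}

// Sign is the signature the station puts on an outgoing AS2 message.
func (s *Station) Sign(payload []byte) []byte { return ed25519.Sign(s.priv, payload) }

// PartnerTrust is what the receiving partner configures: exactly one
// certificate per AS2-From identifier. A service provider's single certificate
// can fill only one row, which is the limitation the thread runs into.
type PartnerTrust map[string]*x509.Certificate

// Verify accepts a message only if the AS2-From identifier has a registered
// certificate, that certificate is valid at now, and the signature verifies
// under its public key.
func (t PartnerTrust) Verify(as2from string, payload, sig []byte, now time.Time) error {
	cert, ok := t[as2from]
	if !ok {
		return fmt.Errorf("no certificate registered for AS2-From %q", as2from)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate for %q not valid at %s (expires %s)",
			as2from, now.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("registered certificate does not carry an Ed25519 key")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("signature from %q does not match its registered certificate", as2from)
	}
	return nil
}

func main() {
	now := time.Now()
	joe, _ := NewStation("Joe", now.Add(365*24*time.Hour))
	sally, _ := NewStation("Sally", now.Add(24*time.Hour)) // a different expiry per partner
	target := PartnerTrust{"Joe": joe.Cert, "Sally": sally.Cert}
	edi := []byte("constructed sample interchange")
	fmt.Println("Joe as Joe:        ", target.Verify("Joe", edi, joe.Sign(edi), now))
	fmt.Println("Sally's key as Joe:", target.Verify("Joe", edi, sally.Sign(edi), now))
	fmt.Println("Sally after expiry:", target.Verify("Sally", edi, sally.Sign(edi), now.Add(48*time.Hour)))
}
```

The second and third calls are the cases a partner cares about: a message claiming to be from Joe but signed with some other key is refused, and Sally's certificate can expire and be renewed without touching Joe's row. With a single provider certificate behind both identifiers, the partner loses both of those properties.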



heller
heller's picture
beckenrod,

beckenrod,

We discussed this issue about a year ago in our team. Another user requested this feature. It is surely a nice feature but comes with a major disadvantage: once implemented it will make the whole configuration of m-e-c as2 much more complicated. And setting up AS2 connections is already complicated enough, just think about the security know-how you need to set up a working connection. There is mainly no need to make the configuration more complicated than it already is at this time.

A major design goal of our software products is always creating a powerful software which is easy to configure and to use, best is out of the box. The hardest point is always finding the balance to make the software useful for normal users and power users.

That is why we are still unsure on how to go forward at this point.

I hope there is a way for you to use m-e-c as2 in your case (perhaps install different instances on different computers with different local stations?).

Thank you for your thoughts, we will keep on the discussion about this point in our team.

Regards
Heller



beckenrod
Thanks for considering it

Thank you heller and team for considering my request. I do agree with you it makes the setup more complicated. Perhaps there would be an option during install to indicate how you want to use the software so for the average user they would get the 'normal' version and interface with those other features hidden/deactivated and for a more advanced user we could choose the other route with those options enabled?

I know that makes more work for your team to create the features and then hide/unhide them, but perhaps that is an option if you think my needs are worthy of implementing later.

I was thinking of the multiple install route too; the main issue I see there is that I would need to have the individual installs of MEC listening on separate ports or separate IPs, neither of which may be easy to do. If on the same IP, the only way to listen on the same port would be firewall rules to NAT the connection to the proper internal IP when the connection comes from a certain outside IP. That may work, but would add many rules to the firewall for sure. I do not think multiple ports would be a good idea since I know most partners like to settle on one or two ports for AS2, and if my company does AS2 for our clients with many partners, that would likely be an issue.

If we would go the multiple install route, perhaps a high power PC/Server running Virtual PC would work where we could have one machine running all the instances of MEC? Have you had any luck running MEC within a Windows Virtual PC or Linux one?

Thank you again.



heller

beckenrod,

we haven't tried it so far but it should work fine.

Regards
Heller



guycrets
Multiple AS2 parties for testing

I would like to use mec as2 for a test setup in our development environment. Mec AS2 would simulate the many business partners we communicate with. But in order to do so, multiple "Local Stations" are needed.
So that is another reason to have a somewhat more complex setup.

By the way, any suggestions for a (commercial) light-weight AS2 server that supports multiple "Local Stations"?

Kind regards, Guy Crets




© 1999-2008 mendelson-e-commerce GmbH. All right reserved.