AS2 Testing & Certification for Proven Secure EDI Solutions
With over 25 years of B2B Interoperability testing expertise, you can trust the team at Drummond for comprehensive automated multi-party AS2 testing.
AS2 Is Still the Gold Standard for Secure EDI Messaging
Applicability Statement 2 (AS2) remains a widely adopted protocol for secure Electronic Data Interchange (EDI) messaging across industries, especially retail, logistics, and manufacturing. AS2 conformance testing and certification from an experienced, well-known, and trusted third party like Drummond validates your implementation meets rigorous interoperability standards.
AS2 Interoperability Certification
AS2 Transport Certification tests an AS2 product’s mechanism for transporting data through the layers of the protocol stack using HTTP, ensuring that data can be transported correctly and can be understood. SSL (or TLS) may also be applied to secure the channel and protect the data from being read or intercepted by a “man-in-the-middle.”
AS2 Interoperability Pre-Certification
Pre-certification testing is required prior to participating in an AS2 Interoperability Certification test event. During pre-certification, you must integrate Drummond’s proprietary InSitu™ framework with your application to allow for automated testing against two AS2 reference servers hosted by Drummond. The AS2 uses S/MIME for packaging and HTTP or HTTPS for transport. Pre-certification testing is offered upon request.
Resources
- Blog
AS2 CEM Market Research Survey
- News & Announcements
Drummond Certifies 15 AS2 B2B Solutions in Fourth Quarter 2024
- Blog
Why AS2 Certification is Important for Retail-Focused Vendors
- News & Announcements
Drummond AS4 2024 Test Event Certifies Five AS4 Software Products
- Events
Transforming Healthcare Interoperability Testing with FHIRplace
- News & Announcements
Drummond Certifies 15 AS2 B2B Solutions in the Second Quarter of 2024
- Blog
The History of Drummond’s Full-Matrix Interoperability Testing
- Blog
Third-Party Validation—Your Strategic Advantage
Why AS2 Certification
Drummond was chosen by GS1 as the exclusive compliance certification agent for the Global Data Synchronisation Network (GDSN) Data Pool AS2 Interoperability requirement. GDSN Data Pools are now required to use a Drummond Certified AS2 solution. Any data pool developing its own AS2 solution must maintain certification through Drummond by participating in a formal AS2 test event every two years. You can view certified products and their final reports on our AS2 Certified Products page.
Real-World Interoperability Testing: Certification with Drummond provides a cost-effective extension of your quality assurance program. Instead of building complex in-house labs, vendors can validate interoperability against a broad set of AS2 implementations in a simulated production environment—saving time, resources, and cost.
Version Support & Product Lifecycle Confidence: With lifecycle interoperability management, you can certify multiple versions of your product and validate backward compatibility. Your first backward-compatible version is certified at no additional cost.
Proven & Trusted Certification: Our program has been driving interoperability in global supply chains for more than two decades. Leading enterprises and trading communities continue to require certification from Drummond as a prerequisite for trusted EDI communication.
Competitive Sales Edge: Certification helps eliminate roadblocks during procurement by showing your product meets technical, operational, and industry expectations. It also reassures prospective partners that your solution is interoperable with other trusted systems.
Ongoing Participation & Improvements: Drummond certification events regularly include the most widely used AS2 products on the market. Our proprietary automated test platform ensures consistency and efficiency, allowing you to participate in ongoing tests with minimal disruption.
Market Advantage: Products that pass certification are granted the Drummond Certified seal and are added to recommended vendor lists. This visibility helps software vendors demonstrate standards conformance and attract new customers.
What Is Tested?
AS2 Transport Certification tests an AS2 product’s mechanism for transporting data through the layers of the protocol stack using HTTP, ensuring that data can be transported correctly and can be understood. SSL (or TLS) may also be applied to secure the channel and protect the data from being read or intercepted by a “man-in-the-middle.”
Participants must select at least one transport profile they want tested.
Legacy Transport Profile
This is the AS2 program that our clients have been certifying against for over 20 years. Tests include Non-SSL, SSL, and CTE (optional) transport as well as SHA-1 and 3DES payloads.
Advanced Transport Profile
This is the basic level updated AS2 program testing SSL and CTE (optional) transport and updated SHA-2 and AES payloads. This program does not test for authentication.
Authenticate Transport Profile
This program has the same testing requirements as Advanced and also requires Basic Authentication testing.
Optional Profiles
Chunked Transfer Encoding (CTE)
Participants may elect to test Chunked Transfer Encoding (CTE). Chunked Transfer Encoding (CTE) is a mechanism that allows HTTP messages to be split into several parts. The Chunked-Transfer-Encoding tests verify a product’s ability to send messages without initially knowing how much data will be sent. In the case where the size of the data is known, a “Content-Length” header is usually included. When the data length is unknown, a “Transfer-Encoding: chunked” header is included instead, and the data is streamed in “chunks” with a data length indicator included at the beginning of each chunk and a ‘0’ character added at the end to indicate the end of the chunked data stream.
AES Encryption
The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for
the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits. AES has been adopted by the U.S. government. It supersedes the Data Encryption Standard (DES), which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.
SHA-2 Signature Hashing
In cryptography, SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256, SHA-384, SHA-512) designed by the National Security Agency (NSA) and published in 2001 by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. SHA-2 includes a significant number of changes from its predecessor, SHA-1. SHA-2 consists of a set of four hash functions with digests that are 224, 256, 384, or 512 bits. The Drummond AS2 Certification process tests a myriad of different test cases in terms of security transport and MDN configuration using the SHA-256, SHA-384 and SHA-512 hash algorithms. SHA-224 is not tested.
MA - Multiple Attachments
Multiple attachment testing adds multiple payload attachments to AS2 messages. Although it was originally conceived for meeting the needs of the PIDX profile used by the Oil, Gas & Electric supply chains, multiple attachments can be used within any industry or supply chain. Through the use of the multipart/related MIME type, an unbounded number of payload attachments may be included with the AS2 message.
FN - File Name Preservation
The EDIINT RFC does not mandate any provisions for maintaining the file name of transmitted data from one trading partner to another. However, certain trading communities require that specific file names are
preserved within the message format to trigger backend processing. To that end, a mechanism for including the original file name within the payload by adding a “Content-Disposition” header to the payload’s innermost MIME headers was developed. The full specification may be found at: https://datatracker.ietf.org/doc/draft-harding-ediint-filename-preservation/
FN-MA – File Name Preservation for Multiple Attachment
As in the Filename Preservation (FN) profile, the FN for MA profile further enhances the Filename Preservation specification to include preservation of the filename when multiple attachments are being sent. The same IETF Filename Preservation specification applies, as it documents that for the AS2 FN-MA message, a “Content-Disposition” header be included for each individual attachment’s MIME body part describing the filename of that attachment.
FN-MDN – Duplicate File Name with MDN Responses (time based)
AS2 Filename Preservation addresses the need to communicate a payload filename provided by the sender to the recipient. This requirement has been documented in the IETF Filename Preservation draft. The need for this requirement originated with the Financial Services Technical Consortium (fstc.org) but is useful by all industries.
This profile addresses the business context whereby Trading Partners that provide a filename with AS2 payloads desire to be notified if that filename is already in existence. This notification provides content-based MDN responses that serve as alerts or notifications to the sending Trading Partner. The receiving AS2 system should therefore not overwrite the existing duplicate filename, nor submit this duplicate payload for backend processing.
Basic Authentication
Basic Authentication is a method used by products hosted on Cloud-based platforms to restrict access to authorized users. In the context of an HTTP transaction, Basic Authentication is a means for an AS2/HTTP user to provide a username and password when making a request to the server. In basic authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where <credentials> is the Base64 encoding of the username and password joined by a single colon (:) — the specification is described in RFC 7617.
3DES Encryption and SHA-1 Signature Hashing
Although current security requirements necessitate stronger encryption algorithms, it may be important to your customers to remain backward-compatible with the legacy payload algorithms (SHA-1 and 3DES) for signing and encryption. Although the focus moving forward will be to test stronger encryption algorithms, Drummond Group will continue to offer test cases that use legacy payload security for the foreseeable future.
CEM - Certificate Exchange Messaging
The demand for updating active certificates that may have expired, been compromised and/or revoked is a critical concern in most, if not all, industries that utilize AS2. Certificate Exchange Messaging (CEM) addresses this concern through the use of proper exchanging and loading of new digital certificates within a working trading partner profile, without interfering with the active trading relationship. The Certificate Exchange Messaging for EDIINT draft describes the implementation details and usage of certificate exchange messages and the process that must be done for seamlessly moving the newly received certificate(s) into the trading environment.
AS2 Reliability
AS2 reliability is a draft IETF specification (https://datatracker.ietf.org/doc/draft-duker-as2-reliability/) for guaranteed message delivery, duplicate message elimination and reporting, which will enable “reliable” communication between AS2 servers. It extends the AS2 RFC 4130 standard and in essence recognizes error scenarios that may occur during message transfers. Recovery from these error scenarios is described as retrying a message on failure and resending that message until a configured number of retry attempts has been exceeded.
AS2 Restart
The AS2 restart feature was designed to allow prematurely terminated message transfers (due to network or firewall timeout errors) to be able to resume the message transfer from the point where the previous transfer had been broken. The benefits of this feature are that the message does not have to repackaged, that is, there is no need to reapply signing, encryption and/or compression after the failure, and previously sent bytes of data do not have to be resent again. When a message transfer ends prematurely, AS2 Restart allows the sender to query the receiver for the number of bytes it has already received, allowing the sender to resume the message transfer from that particular point.
AS2 Restart with VLM
With typical message transfers potentially in the gigabyte range, the AS2 Restart with VLM profile extends the AS2 Restart profile to include very large message (VLM) transfers. Implementation of the AS2 Restart with VLM feature enhances Quality of Service and expedites message transfers of very large messages, especially on “glitchy” networks. Message files that are tested are 200-megabyte, 500-megabyte and 1-gigabyte.
Why Drummond?
Drummond was founded on and with B2B interoperability testing and certification. It’s where we began, and we’ve spent over 25 years building and refining our approach to help companies demonstrate conformance, ensure interoperability, and earn industry recognition.
TRUST
There is a lot at stake. Our staff has deep experience in certification; we’re not cutting our teeth on your project. When you work with Drummond, you experience a team of highly skilled professionals who bring a code of honesty, empathy, and advocacy to each engagement.
QUALITY
We focus on quality from every angle. In many cases, our staff are the people who created the frameworks that everyone else tests against. We bring an exclusive and proven methodology to each engagement and look for ways to improve and be more efficient at every step of the project.
INTEGRITY
Ask any of our clients—they’ll tell you the Drummond difference is its people. The people of Drummond listen carefully and tailor solutions to your unique business and situation. Experience our team of highly skilled experts, proven methodologies, and unique approach as we help you test critical applications for standards conformance and interoperability and gain certifications for your long-term success. Increase trust, gain expertise, and experience our attention to detail as we partner with you for your long-term success.
Frequently Asked Questions
Is Drummond’s AS2 certification required by major retailers?
Yes, many major retailers—including Walmart, Target, and Amazon require their trading partners to use Drummond-certified AS2 solutions. Certification ensures interoperability, security, and compliance with industry standards, which helps reduce the risk and cost of onboarding new partners.
Why is Drummond certification important for AS2 solutions?
Drummond certification is the industry-recognized standard for verifying AS2 interoperability, security, and compliance. It ensures that an AS2 solution can reliably exchange data with other certified systems, reducing integration issues. Many major retailers, healthcare networks, and government agencies require Drummond-certified solutions for EDI communications, making certification essential for trust, compatibility, and market access.
Do I need to pre-certify my AS2 product? How long does this process take?
Yes, if you’re new to Drummond AS2 interoperability certification, you must first complete the pre-certification process. This involves demonstrating that your AS2 product can successfully send and receive AS2 messages with two Drummond-hosted reference products that have passed the most recent certification event. You must also integrate with Drummond’s proprietary InSitu™ framework to enable automated testing.
Pre-certification is a self-paced process, allowing you to work according to your own schedule and resources. Most participants complete it in two to six months, depending on their readiness. Once all pre-certification steps are complete, your product will be considered “pre-certified,” and you’ll be eligible to join the next AS2 interoperability test event.
What is InSitu™ and why do I need to integrate it into my AS2 solution?
InSitu™ is Drummond’s proprietary interoperability testing tool designed to enable automated, full-matrix interoperability testing. It allows AS2 products to automatically coordinate the sending, receiving, and validation of test cases with other products—without manual intervention.
By integrating InSitu with your AS2 solution, your product can independently execute and record test cases during the certification process. Once implemented across a Product Test Group, it significantly reduces the manpower needed for coordination, streamlining the testing process and improving efficiency.
How often does Drummond conduct AS2 interoperability test events?
Drummond conducts AS2 interoperability test events twice a year, typically in the second and fourth quarters. For exact dates and registration deadlines, please refer to the Drummond Test Calendar.
How long does the AS2 certification process take?
The AS2 certification process typically takes 10 to 12 weeks. During this time, participants go through a series of structured test phases designed to validate interoperability with other products. Each phase builds toward achieving full certification and ensures your product meets industry standards for secure and reliable data exchange.
Do I need to participate in a group test event, or can I test individually?
During the Pre-Certification phase, you can test individually against two Drummond-hosted reference products. However, to earn the Drummond Certified™ Seal, you must participate in a group test event and successfully complete all test cases in a full-matrix exchange against all other participants in your test group.
What does the multi-party test event involve?
To earn the Drummond Certified™ Seal for AS2, your product must successfully complete at least one of the three core AS2 Transport Certification test profiles—Legacy, Advanced, or Authenticate—using Drummond’s proprietary InSitu™ test tool.
During the Certification Run Phase of the Interoperability Test Event, you’ll participate in a full-matrix, peer-to-peer exchange of test data with all other products in the event, ensuring your solution meets the required test criteria for interoperability.
You may also choose to participate in additional optional test profiles, depending on the capabilities your product supports.
What happens if my product fails a test case?
The AS2 certification process includes multiple Debug and Dry Run test phases, giving you the opportunity to identify and fix any interoperability issues before the final Certification phase. By the time you reach Certification, your product is expected to be free of known errors.
Only products that successfully complete all certification test cases will receive the Drummond Certified™ Seal and be listed in the AS2 Interoperability Product Directory. If your product does not pass the Certification phase, you can make improvements and try again during the next test event.
What happens if my product does not meet all test requirements?
Waivers or exceptions are not typically granted for unmet test requirements unless there is unanimous agreement from both the entire Product Test Group and the Drummond Test Administrators.
If a waiver is approved, it will be clearly documented in your product’s listing under Product Capabilities in the AS2 Interoperability Product Directory on our website.
Can I preview the testing criteria or requirements before registering?
Yes. We encourage prospective participants to schedule a call with us to review the full set of test criteria and requirements needed to successfully complete an AS2 interoperability test event. This ensures you understand what’s involved before committing to the process.
Are Drummond-certified products listed publicly?
Yes. All Drummond-certified products are publicly listed in the AS2 Interoperability Product Directory on our website, providing visibility and assurance to prospective partners and customers.
Note: If you prefer not to have your product listed publicly, you may request to opt out of the directory during the certification process.
Can AS2 certification help with business development or procurement requirements?
Yes. AS2 certification demonstrates that your system meets industry standards for secure and reliable data exchange. Many large enterprises and government agencies require it for onboarding trading partners. Being AS2 certified can accelerate procurement processes, improve credibility, and open new business opportunities by meeting technical compliance requirements in RFPs and vendor assessments.
Get Started
Speak with a Drummond representative to learn more about our B2B Interoperability (including AS2, AS4 and ebMS) testing and certification services.