Veeva Safety uses partner and sponsor certificates to securely send (encrypt) and receive (decrypt) messages through an AS2 Connection. This ensures that only the intended recipients (the sponsor and the partner) can read the messages. Once created, a certificate remains valid for a certain period of time, after which it expires and must be replaced with a new certificate, or communications between the partner and sponsor will fail.
You can use Vault to perform the following actions to keep the certificates for an AS2 Connection updated:
- Create a new sponsor certificate for a connection. Alternatively, you can upload a sponsor certificate created by a third party. Once you have created or uploaded a sponsor certificate, you can download the public sponsor certificate and send it to the partner so they can also update their connection.
- Upload a new certificate received from a partner to replace the existing partner certificate for a connection.
Resyncing a Connection
After uploading a partner or sponsor certificate for an AS2 Connection, the connection’s AS2 Vault Gateway State moves to the Unregistered state. You must synchronize the connection again so the connection can continue to send and receive messages through the gateway.
AS2 Certificate Considerations
Consider the following when creating or uploading AS2 certificates:
- AS2 certificate files must be 50KB or less.
- Upload only certificates intended for AS2 message encryption/decryption. Do not upload certificates intended for any other purpose (TLS/SSL certificates for example).
Upload a Partner Certificate for an AS2 Connection
To upload a partner certificate for an AS2 Connection:
- Navigate to Admin > Connections > [AS2 Connection].
- From the All Actions menu, select Manage Partner Certificate.
- In the Manage Partner Certificate dialog, select Upload, then select the partner’s public certificate. The accepted formats are:
- PKCS7 (*.p7b or *.p7c)
- DER (*.cer or *.der)
- PEM (*.cer, *.crt, or *.pem)
Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.
- Select Continue.
- Synchronize the connection.
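The limits listed under AS2 Certificate Considerations and in the upload steps above (50KB size, accepted formats, expiry, not a TLS/SSL certificate) can be checked locally before uploading a partner certificate. This script is an added example, not Veeva code: it assumes `openssl` is on PATH, reads 50KB as 50 * 1024 bytes, and treats a `serverAuth` Extended Key Usage as the sign of a TLS certificate. The function names and the optional margin argument are hypothetical.

```sh
#!/bin/sh
# Added example (not Veeva code): pre-upload checks for a partner certificate.
# Assumptions: openssl is on PATH; "50KB" is read as 50 * 1024 bytes.
MAX_BYTES=$((50 * 1024))

# to_pem FILE: print the first certificate in FILE as PEM.
# Tries X.509 PEM, X.509 DER, then PKCS7 in PEM and DER encodings.
to_pem() {
  openssl x509 -in "$1" -inform PEM 2>/dev/null && return 0
  openssl x509 -in "$1" -inform DER 2>/dev/null && return 0
  openssl pkcs7 -in "$1" -inform PEM -print_certs 2>/dev/null |
    openssl x509 2>/dev/null && return 0
  openssl pkcs7 -in "$1" -inform DER -print_certs 2>/dev/null |
    openssl x509 2>/dev/null
}

# check_as2_cert FILE [MARGIN_SECONDS]
# Prints one FAIL line per finding; returns 0 only when there are none.
# MARGIN_SECONDS (hypothetical parameter, default 0) also rejects
# certificates that expire within that many seconds.
check_as2_cert() {
  c_file=$1; c_margin=${2:-0}; c_rc=0
  c_size=$(wc -c < "$c_file") || return 2
  if [ "$c_size" -gt "$MAX_BYTES" ]; then
    echo "FAIL size: $c_size bytes exceeds $MAX_BYTES"; c_rc=1
  fi
  c_pem=$(to_pem "$c_file") || { echo "FAIL format: not PEM, DER or PKCS7"; return 1; }
  # -checkend N exits non-zero if notAfter falls within the next N seconds
  if ! printf '%s\n' "$c_pem" | openssl x509 -noout -checkend "$c_margin" >/dev/null; then
    echo "FAIL expiry: $(printf '%s\n' "$c_pem" | openssl x509 -noout -enddate)"; c_rc=1
  fi
  # Heuristic (assumption): serverAuth in Extended Key Usage marks a TLS certificate
  if printf '%s\n' "$c_pem" | openssl x509 -noout -text |
      grep -q 'TLS Web Server Authentication'; then
    echo "FAIL purpose: TLS server certificate, not an AS2 certificate"; c_rc=1
  fi
  return "$c_rc"
}

# Usage: check_as2_cert partner.cer 2592000   # also reject if under 30 days remain
```

A certificate without the `serverAuth` usage can still have been issued for TLS, so a clean result on the purpose check does not replace confirming the certificate's intended use with the partner.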
Create a Sponsor Certificate for an AS2 Connection
To create a new sponsor certificate for an AS2 Connection:
- Navigate to Admin > Connections > [AS2 Connection].
- From the All Actions menu, select Manage Sponsor Certificate.
- In the Manage Sponsor Certificate dialog, select Create.
- In the Create a Sponsor Certificate dialog, complete the applicable fields.
- Select Save.
Result
Vault:
- Creates and attaches a new sponsor certificate for the AS2 Connection.
- Creates a User Task (of the type AS2 Connection Task) to synchronize the connection and assigns it to the person who created the certificate.
Download a copy of the public sponsor certificate for sending to the partner.
Note:
- If you receive an error when saving the record, check that the User Task is not missing any field values (Due Date for example) that are required by your Vault's Validation Rules for the User Task object.
- If you are creating a new sponsor certificate to replace one that is about to expire, we recommend that you wait until the partner has confirmed they have uploaded the new sponsor certificate into their system and are ready to send and receive requests using the new certificate before you synchronize the connection. Until then, communications can continue using the existing certificate until it expires.
Sponsor Certificate Fields
The following fields may be available:
| Field | Description |
|---|---|
| Sponsor | Enter the details of the sponsor. |
| Sponsor Person Email | |
| Street Address | |
| City | |
| State / Province | |
| Zip Code / Postal Code | |
| Country Code | |
| Password | Enter a password for the certificate. The password must be between 6 and 32 characters. |
| Confirm Password | Re-enter the password from the Password field above. |
| Expiration Date | Select when the sponsor certificate will expire from your Vault's current date and time. |
Upload the Sponsor Certificate for an AS2 Connection
If you use a third party to supply the sponsor certificates for your connections, follow these steps to upload a sponsor certificate for a connection:
- Navigate to Admin > Connections > [AS2 Connection].
- From the All Actions menu, select Manage Sponsor Certificate.
- In the Manage Sponsor Certificate dialog, select Upload, then select the sponsor’s public certificate. The accepted formats are PKCS12 (*.pfx or *.p12).
Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.
- Select Continue.
Result
Vault:
- Uploads and attaches the new sponsor certificate to the AS2 Connection.
- Creates a User Task (of the type AS2 Connection Task) to synchronize the connection and assigns it to the person who uploaded the certificate.
Download a copy of the public sponsor certificate for sending to the partner.
Note:
- If you receive an error when saving the record, check that the User Task is not missing any field values (Due Date for example) that are required by your Vault's Validation Rules for the User Task object.
- If you are uploading a new sponsor certificate to replace one that is about to expire, we recommend that you wait until the partner has confirmed they have uploaded the new sponsor certificate into their system and are ready to send and receive requests using the new certificate before you synchronize the connection. Until then, communications can continue using the existing certificate until it expires.
Download the Public Sponsor Certificate for an AS2 Connection
Follow these steps to download the public sponsor certificate for an AS2 Connection to send to the partner:
- Navigate to Admin > Connections > [AS2 Connection].
- From the All Actions menu, select Manage Sponsor Certificate.
- In the Manage Sponsor Certificate dialog, select Download Public Sponsor Certificate.
Result
Vault downloads the public sponsor certificate to your computer. You can then send this file to the partner to update their corresponding AS2 connection.
AS2 Connections and TLS/SSL Certificates
Veeva Safety does not use or hard code Partner or Health Authority TLS/SSL certificates. If you receive such certificates from a Partner or Health Authority, do not upload these certificates into your Safety Vault.
Likewise, we recommend that Partners and Health Authorities do not use or hard code Veeva Safety TLS/SSL certificates in their system. TLS/SSL certificates are often updated within shorter time periods, which then breaks the connection between the Partner or Health Authority and Veeva Safety. Partners and Health Authorities that still require TLS/SSL certificates can refer to the Veeva Certificate Expiry Date Ranges.