Configure FDA AS2 Connection

Learn how to set up a Vault Safety FDA AS2 Connection to support submissions through the FDA ESG.

About AS2 Connection Support for the FDA Gateway

Vault Safety supports the FDA Electronic Submissions Gateway (ESG) through AS2 (system-to-system) communication. Vault Safety supports CDER, CBER, and CBER VAERS electronic submissions to the FDA.

Vault’s integration with the FDA ESG allows you to set up an AS2 Connection for users to submit directly from Vault Safety and receive gateway responses.

Note: If your Vault currently uses the FDA Gateway Profile to communicate with the FDA, we recommend that you create an AS2 Connection to the FDA as described in this article and then follow the instructions in Replace a Gateway Profile with an AS2 Connection

Types of FDA Electronic Submission Endpoints

The following table outlines the different FDA ESG endpoints that Vault Safety supports and the details for each:

Endpoint	Setup	Document Format
CDER (Drugs)	Register your account with the FDA Configure Sender User Create an AS2 Connection for the FDA^[1] Set up the CDER Transmission Profile	FDA E2B(R2)
CBER (Biologics)	Register your account with the FDA Configure Sender User Create an AS2 Connection for the FDA^[1] Set up the CBER Transmission Profile	FDA E2B(R2)
CBER VAERS (Vaccines)	Register your account with the FDA You can use the same account registered with the FDA ESG for CBER submissions Configure Sender User Create an AS2 Connection for the FDA^[1] Set up the CBER VAERS Transmission Profile	FDA VAERS E2B(R3)
^[1] Each of these endpoints can use the same AS2 Connection to the FDA.

Configure an FDA ESG AS2 Account

Before you can configure the Vault Safety AS2 Connection, you must have an active FDA ESG AS2 account. The FDA Website provides instructions for setting up an AS2 account.

As part of the registration process, you must send a public and private certificate pair to the FDA. If you need help generating these certificates, contact Veeva Managed Services.

When you configure your FDA ESG account, ensure that the AS2 URL exactly matches the AS2 Vault URL of your AS2 Connection.

Configure a Vault Safety AS2 Connection

Go to Admin > Connections, then select Create.
For the Connection Type, select AS2, then select Continue.
Complete the AS2 Connection Fields.
Select Save.

AS2 Connection Fields

Fields marked with a (*) are required.

Field	Description
Name*	Enter a name for the AS2 Connection. This name must be unique in your Vault.
API Name*	Enter an API Name for the AS2 Connection. This name must be unique in your Vault.
Contact Email*	Enter the Sender's Email
Description	Enter a description for the AS2 Connection.
AS2 Vault Gateway State	The system populates this field with the current state of the AS2 Vault Gateway, which consists of one of the following options: Registered: The AS2 Connection is synchronized with the Gateway. Out of Sync: Changes have been made to the AS2 Connection or its Connection Allowed List since the last time the Sync to Gateway action was run. From the All Actions menu, select Sync To Gateway to resync the AS2 Connection with the Gateway.
AS2 Encryption	The algorithm the system uses to encrypt outbound AS2 messages and decrypt inbound messages. The system supports the following algorithms: Triple DES (3DES) AES-256-GCM AES-256-CBC For the FDA, select Triple DES (3DES).
AS2 MDN Setting	Whether the Message Delivery Notification (MDN) can be exchanged synchronously (Sync) or asynchronously (Async). For the FDA, select Sync.
AS2 Signature	The method the system uses to sign outbound AS2 messages. The system supports the following signing methods: SHA-1 SHA-256 For the FDA, select SHA-1.
AS2 Compress Before Sign	If this option is selected, the system compresses messages before applying the Signing Algorithm. If this option is not selected, the system compresses messages after applying the Signing Algorithm. Note: We recommend leaving this option unselected.
AS2 Additional ACK Stages	If required, select one or more of the following options: HTTP Handshake: Used primarily for asynchronous requests. PRE-ACK: Used mainly for FDA VAERS, but can be used with synchronous or asynchronous requests. Note: We do not recommend using any additional ACK stages.
AS2 Partner ID	Enter one of the following FDA identification codes: For a production account, enter `ZZFDA`. For a test account, enter `ZZFDATST`.
AS2 Partner URL	Enter one of the following destination FDA Gateway URLs: For a production account, enter `https://esg.fda.gov:4080/exchange/ZZFDA`. For a test account, enter `https://esgtest.fda.gov:4080/exchange/ZZFDAAS2TST`.
AS2 Partner Certificate Expiry	The system automatically populates this field when an Admin uploads the Partner Certificate.
AS2 Vault ID	Enter the ID registered with FDA Gateway, typically your FDA D-U-N-S number.
AS2 Vault URL	Enter the AS2 URL of your Vault in the following format, replacing `<SponsorName><Partner><Environment>` with the corresponding values of your Vault: `https://<SponsorName><Partner><Environment>.gateway.veevavaultsafety.com:4080/api/v1/inbound/transmission/` The following example demonstrates how to form the AS2 Vault URL for a Vault with the following values: `<SponsorName>` = vern `<Partner>` = fda `<Environment>` = validation AS2 Vault URL = `https://vernfdavalidation.gateway.veevavaultsafety.com:4080/api/v1/inbound/transmission/`
AS2 Vault Certificate Expiry	The system automatically populates this field when an Admin uploads the Sponsor Certificate.

Vault Safety uses the Partner and Sponsor certificates to communicate securely with the Partner.

Partner certificate: You will have received the Partner certificate as part of creating your account with the Partner.
If you need help generating a Sponsor certificate, contact Veeva Managed Services.

Upload Partner Certificate

From the All Actions menu, select Upload Partner Certificate.
Select Choose, then select the Partner’s Public Certificate.
Accepted formats: PKCS7 (.p7b or .p7c), DER (.cer or .der) and PEM (.cer, .crt, or .pem)
Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.”
Select Continue.

From the All Actions menu, select Upload Sponsor Certificate.
Select Choose, then select the Sponsor’s Public Certificate.
Accepted formats: PKCS12 (.pfx or .p12)
Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.
Select Continue.

Add Connection Allowed IPs

Specify one (1) or more Allowed Connections for the AS2 Connection. These are Internet Protocol (IP) addresses that the system will allow to connect with this AS2 Connection.

Note: To obtain the latest list of allowed connections for the FDA, contact Veeva Managed Services.

Perform the following steps for each Allowed Connection you want to add to the AS2 Connection:

Go to the Connection Allowed Lists section, then select Create.
Enter the Name, (optional) Description, and IP address of the Allowed Connection.
Ensure the format of the IP address is XX.XX.XX.XX or XX.XX.XX.XX/{subnet mask} where the {subnet mask} is a number between 24 and 32.
Repeat steps 1 and 2 for each Allowed Connection.
When you have added all the Allowed Connections, select Save.

Note: By default, Vaults are limited to 512 Allowed Connections. If your organization requires more, contact Veeva Managed Services.

Synchronize the Connection

Once you have entered all the details of the AS2 Connection, the Connection must be synchronized with the Gateway.

From the All Actions menu, select Sync Connection to Gateway.

When the system successfully completes this action, the Connection’s AS2 Vault Gateway State changes to Registered and the system can send and receive messages using this Connection.

Note: If the Sync Connection to Gateway action is not successful, ensure the value of each of the AS2 Connection fields is correct before retrying the action again. If the issue perists, contact Veeva Managed Services.

If you make any changes to the Connection object or its Connection Allowed List, the AS2 Vault Gateway State changes to Registered - Out of Sync. The system cannot send or receive any messages using this Connection while it is in the Out of Sync state. You will need to repeat the All Actions > Sync to Gateway action to restore the Connection to the Registered state.

Result

The FDA AS2 Connection is active and available to use to submit case reports to the FDA.

Configure FDA Transmission Profiles

Vault Safety comes with standard, system-provided Transmission Profiles for FDA Submissions. You must configure these Transmission Profiles as part of the FDA Gateway setup.

The following table lists the system-provided FDA Transmission Profiles:

Transmission Profile	Description	Routing ID
CBER	ICSR Transmissions to the Center for Biologics Evaluation and Research (CBER)	FDA_AERS
CDER	ICSR Transmissions to the Center for Drug Evaluation and Research (CDER)	FDA_AERS
GWTEST	Test Transmissions to the FDA	GWTEST_CONNECTION
CBER VAERS	VAERS ICSR Transmissions to the Center for Biologics Evaluation and Research (CBER)	CBER_VAERS

Note: The above-listed Transmission Profiles can use the same AS2 Connection for communicating with the FDA.

Manage Transmission Profiles provides instructions on setting up Transmission Profiles.

When setting up the Transmission Profiles, see the following guidance on setting the Origin and Destination IDs:

Origin ID: Enter the ID registered with FDA ESG, typically your FDA D-U-N-S number.
Destination ID: Enter one (1) of the following destination IDs:
- For a production account, enter ZZFDA.
- For a test account, enter ZZFDATST.

Note: When editing the FDA Transmission Profiles, do not edit the Routing ID.

Once you set up the FDA Transmission Profiles, the system uses the appropriate Transmission Profile to generate Submissions based on your Vault’s FDA reporting rules.

Configure FDA Study Manual Transmissions

For manual Study Case report Submissions to the FDA, which are coordinated outside of Vault Safety, configure the FDA Study Transmission Profile.