Configure FDA AS2 Connection

Learn how to set up a Vault Safety FDA AS2 Connection to support submissions through the FDA ESG.

About AS2 Connection Support for the FDA Gateway

Vault Safety supports the FDA Electronic Submissions Gateway (ESG) through AS2 (system-to-system) communication. Vault Safety supports CDER, CBER, and CBER VAERS electronic submissions to the FDA.

Vault’s integration with the FDA ESG allows you to set up an AS2 Connection for users to submit directly from Vault Safety and receive gateway responses.

Types of FDA Electronic Submission Endpoints

The following table outlines the different FDA ESG endpoints that Vault Safety supports and the details for each:

Endpoint Setup Document Format
CDER (Drugs)
  • Register your account with the FDA
  • Configure Sender User
  • Create an AS2 Connection for the FDA[1]
  • Set up the CDER Transmission Profile
 FDA E2B(R2) or FDA E2B(R3)
CBER (Biologics)
  • Register your account with the FDA
  • Configure Sender User
  • Create an AS2 Connection for the FDA[1]
  • Set up the CBER Transmission Profile
 FDA E2B(R2) or FDA E2B(R3)
CBER VAERS (Vaccines)
  • Register your account with the FDA
    You can use the same account registered with the FDA ESG for CBER submissions
  • Configure Sender User
  • Create an AS2 Connection for the FDA[1]
  • Set up the CBER VAERS Transmission Profile
 FDA VAERS E2B(R3)
CDER Study (Drugs)
  • Register your account with the FDA
  • Configure Sender User
  • Create an AS2 Connection for the FDA[1]
  • Set up the CDER Study Transmission Profile
 FDA E2B(R3)
CBER Study (Biologics)
  • Register your account with the FDA
  • Configure Sender User
  • Create an AS2 Connection for the FDA[1]
  • Set up the CBER Study Transmission Profile
 FDA E2B(R3)
CDER IND Exempt (Drugs)
  • Register your account with the FDA
  • Configure Sender User
  • Create an AS2 Connection for the FDA[1]
  • Set up the CDER IND Exempt Transmission Profile
 FDA E2B(R3)
[1] Each of these endpoints can use the same AS2 Connection to the FDA.

Configure an FDA ESG AS2 Account

Before you can configure the Vault Safety AS2 Connection, you must have an active FDA ESG AS2 account. The FDA Website provides instructions for setting up an AS2 account.

When you configure your FDA ESG account, ensure that the AS2 URL exactly matches the AS2 Vault URL of your AS2 Connection.

Public and Private Certificates

As part of the FDA registration process, you must obtain a public and private certificate pair and send the public certificate to the FDA. If you need help generating these certificates, contact Veeva Managed Services.

Configure a Vault Safety AS2 Connection

  1. Go to Admin > Connections, then select Create.
  2. For the Connection Type, select AS2, then select Continue.
  3. Complete the AS2 Connection Fields.
  4. Select Save.

AS2 Connection Fields

Field Description
Name Enter a name for the AS2 Connection.
This name must be unique in your Vault.
API Name Enter an API Name for the AS2 Connection.
This name must be unique in your Vault.
Contact Email Enter the Sender's Email.
Description Enter a description for the AS2 Connection.
AS2 Vault Gateway State Vault populates this field with the current state of the AS2 Vault Gateway, which consists of one (1) of the following options:
  • Unregistered: The Sync to Gateway action has not yet been run for this AS2 Connection.
  • Registered: The AS2 Connection is synchronized with the Gateway.
  • Out of Sync: Changes have been made to the AS2 Connection or its Connection Allowed List since the last time the Sync to Gateway action was run. From the All Actions menu, select Sync To Gateway to resync the AS2 Connection with the Gateway.
AS2 Additional ACK Stages If required, select one (1) or more of the following options:
  • HTTP Handshake: Used primarily for asynchronous requests.
  • PRE-ACK: Used mainly for FDA VAERS, but can be used with synchronous or asynchronous requests.
AS2 Encryption The algorithm Vault uses to encrypt outbound AS2 messages and decrypt inbound messages.
Vault supports the following algorithms:
  • Triple DES (3DES)
  • AES-256-GCM
  • AES-256-CBC
For the FDA, select Triple DES (3DES).
AS2 MDN Setting Whether the Message Delivery Notification (MDN) can be exchanged synchronously (Sync) or asynchronously (Async).
For the FDA, select Sync.
AS2 Signature The method Vault uses to sign outbound AS2 messages. Vault supports the following signing methods:
  • SHA-1
  • SHA-256
For the FDA, select SHA-1.
AS2 Compress Before Sign

If you select this option, Vault compresses messages before applying the Signing Algorithm.

If you do not select this option, Vault compresses messages after applying the Signing Algorithm.

AS2 Partner ID Enter one of the following FDA identification codes:
  • For a production account, enter ZZFDA.
  • For a test account, enter ZZFDATST.
AS2 Partner URL

Enter one (1) of the following destination FDA Gateway URLs:

  • For a production account, enter https://esg.fda.gov:4080/exchange/ZZFDA.
  • For a test account, enter https://esgtest.fda.gov:4080/exchange/ZZFDAAS2TST.
AS2 Partner Certificate Expiry Vault automatically populates this field when your Admin uploads the Partner Certificate.
AS2 Vault ID Enter the ID registered with FDA Gateway, typically your FDA D-U-N-S number.
AS2 Vault URL

Enter the AS2 URL of your Vault in the following format, replacing <SponsorName><Partner><Environment> with the corresponding values of your Vault:

https://<SponsorName><Partner><Environment>.gateway.veevavaultsafety.com:4080

The following example demonstrates how to form the AS2 Vault URL for a Vault with the following values:

  • <SponsorName> = vern
  • <Partner> = fda
  • <Environment> = validation
  • AS2 Vault URL = https://vernfdavalidation.gateway.veevavaultsafety.com:4080

Informing the Partner of your AS2 Vault URL

When informing the Partner of the URL they need to use for this AS2 connection, use the value you entered in this field appended with /api/v1/inbound/transmission/.

In the example shown above, this is https://vernfdavalidation.gateway.veevavaultsafety.com:4080/api/v1/inbound/transmission/.

AS2 Vault Certificate Expiry Vault automatically populates this field when your Admin uploads the Sponsor Certificate.
AS2 Vault Domain / IP Configuration

Select the method the Partner uses to interface with the AS2 Connection.

  • AS2 Vault URL: Domain Name (typical): A standard domain name that resolves to dynamic IP addresses.
  • AS2 Vault URL: Domain Name bound to static IP addresses: A standard domain name that resolves to static IP addresses.
  • AS2 Vault URL: IP URL (uncommon): A non-standard IP address domain name that resolves to an IP address.
For the FDA, select AS2 Vault URL: Domain Name (typical).
AS2 Ingress IPs If you set the AS2 Vault Domain / IP Configuration field to AS2 Vault URL: Domain Name bound to static IP addresses, Vault populates this field automatically.

Upload the Partner and Sponsor Certificates

Vault Safety uses the Partner and Sponsor certificates to communicate securely with the Partner.

You will have received the Partner certificate as part of creating your account with the Partner.

If you need help generating a Sponsor certificate, contact your Veeva Representative.

Upload Partner Certificate

  1. Go to Admin > Connections > [Connection].
  2. From the All Actions menu, select Upload Partner Certificate.
  3. Select Choose, then select the Partner’s Public Certificate.
    The following accepted formats are:
    • PKCS7 (.p7b or .p7c)
    • DER (.cer or .der)
    • PEM (.cer, .crt, or .pem)
      Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.
  4. Select Continue.

Upload Sponsor Certificate

  1. Go to Admin > Connections > [Connection].
  2. From the All Actions menu, select Upload Sponsor Certificate.
  3. Select Choose, then select the Sponsor’s Public Certificate.
    The accepted formats are PKCS12 (.pfx or .p12)
    Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.
  4. Select Continue.

Add Connection Allowed IPs

Specify one (1) or more Allowed Connections for the AS2 Connection. These are Internet Protocol (IP) addresses that Vault will allow to connect with this AS2 Connection.

Perform the following steps for each Allowed Connection you want to add to the AS2 Connection:

  1. Go to Admin > Connections > [Connection].
  2. Go to the Connection Allowed Lists section, then select Create.
  3. On the Create Connection Allowed List window, complete the following information:
    • Name: Enter a name for the Allowed Connection.
    • (Optional) Description: Enter a description for the Allowed Connection.
    • IP: Enter the address of the Allowed Connection.
      Ensure the format of the IP address is XX.XX.XX.XX or XX.XX.XX.XX/{subnet mask} where the {subnet mask} is a number between 24 and 32.
  4. Repeat the above steps for each Allowed Connection.
  5. When you have added all the Allowed Connections, select Save.

Synchronize the Connection

Once you have entered all the details of the AS2 Connection, the Connection must be synchronized with the Gateway.

From the All Actions menu, select Sync Connection to Gateway.

When Vault successfully completes this action, the Connection’s AS2 Vault Gateway State changes to Registered and Vault can send and receive messages using this Connection.

If you make any changes to the Connection object or its Connection Allowed List, the AS2 Vault Gateway State changes to Registered - Out of Sync. Vault cannot send or receive any messages using this Connection while it is in the Registered - Out of Sync state. You will need to repeat the All Actions > Sync to Gateway action to restore the Connection to the Registered state.

Result

The FDA AS2 Connection is active and available to use to submit case reports to the FDA.

Configure FDA Transmission Profiles

Vault Safety comes with standard, system-provided Transmission Profiles for FDA submissions. You must configure these Transmission Profiles as part of the FDA Gateway setup.

The following table lists the Vault-provided FDA Transmission Profiles:

Transmission Profile Description Routing ID
CBER ICSR transmissions to the Center for Biologics Evaluation and Research (CBER) FDA_AERS
CDER ICSR transmissions to the Center for Drug Evaluation and Research (CDER) FDA_AERS
GWTEST Test transmissions to the FDA GWTEST_CONNECTION
CBER VAERS VAERS ICSR transmissions to the Center for Biologics Evaluation and Research (CBER) CBER_VAERS
CBER Study Study data transmissions to the Center for Biologics Evaluation and Research (CBER) The Routing ID will be provided by the FDA at a future date.
CDER Study Study data transmissions to the Center for Drug Evaluation and Research (CDER) The Routing ID will be provided by the FDA at a future date.
CDER IND Exempt Study data transmissions for marketed products that are exempt from Investigational New Drugs (IND) requirements The Routing ID will be provided by the FDA at a future date.

Manage Transmission Profiles provides instructions on setting up Transmission Profiles.

When setting up the Transmission Profiles, see the following guidance on setting the Origin and Destination IDs:

  • Origin ID: Enter the ID registered with FDA ESG, typically your FDA D-U-N-S number.
  • Destination ID: Enter one (1) of the following destination IDs:
    • For a production account, enter ZZFDA.
    • For a test account, enter ZZFDATST.

Once you set up the FDA Transmission Profiles, Vault uses the appropriate Transmission Profile to generate Submissions based on your Vault’s FDA reporting rules.

Configure FDA Study Manual Transmissions

For manual Study Case report Submissions to the FDA, which are coordinated outside of Vault Safety, configure the FDA Study Transmission Profile.

Manage Transmission Profiles provides instructions on setting up Transmission Profiles.