Configure NMPA AS2 Connection

Set up an AS2 Connection and Transmission Profile to support submissions through the NMPA Gateway.

About AS2 Connection Support for the NMPA Gateway

Vault Safety supports electronic reporting to the National Medical Products Administration (NMPA) through AS2 (system-to-system) communication.

You must set up an AS2 Connection and a corresponding Transmission Profile for users to report cases to the NMPA and receive gateway responses.

Note: The NMPA AS2 Connection is an early adopter feature. If you create and configure an NMPA AS2 Connection in your Vault, you must test the Connection and ensure you receive an Acknowledge (ACK) signal from the NMPA Gateway to ensure the Connection is active.

Prerequisite: Activate NMPA as a Standard Organization

The NMPA is a standard Agency provided with Vault Safety. However, in certain Vaults, an Admin must activate the Agency record.

Complete the following steps if the NMPA is Inactive in your Vault:

Go to Business Admin > Objects > Organizations.
Open the NMPA (China) Agency record.
From the All Actions menu, select Change State to Active.

Note: The Change State to Active user action appears only if configured by your Admin. Add User Action to the Organization Lifecycle provides instructions for this configuration.

Configure an NMPA Account

Before you can configure the Vault Safety AS2 Connection, you must have an active NMPA AS2 account.

Public and Private Certificates

As part of the registration process, you must obtain a public and private certificate pair and upload the public certificate to your NMPA account. If you need help generating these certificates, contact Veeva Managed Services.

Create an NMPA Transmission Profile

You must create a Transmission Profile of the type AS2 Gateway for the NMPA. Manage Transmission Profiles provides instructions on setting up Transmission Profiles.

Note: For the NMPA, the Transmission Profile API Name is hard coded to ucr_china_gateway__c.

Add a Submission Rule Set

Vault Safety comes preconfigured with the NMPA as a standard Organization. To define Case criteria for Submissions to the NMPA Gateway, you need to add a Submission Rule Set to the Organization record by completing the following steps:

Go to Business Admin > Objects > Organizations.
On the Organizations page, select NMPA.
On the NMPA page, select Edit.
Under Details, in the Submission Rules field, select a standard Rule Set from the picklist.
Select Save.

Note: Reporting Rule Sets provides more information about the available Rule Sets. If these do not fulfill your requirements and you need a different Rule Set, contact your Veeva Managed Services representative.

Result

The system can now auto-generate Submission records for ICSR Submissions to the NMPA based on the Rule Set you selected.

Configure a Vault Safety AS2 Connection

Go to Admin > Connections, then select Create.
For the Connection Type, select AS2, then select Continue.
Complete the AS2 Connection Fields.
Select Save.

AS2 Connection Fields

Fields marked with a (*) are required.

Field	Description
Name*	Enter a name for the AS2 Connection. This name must be unique in your Vault.
API Name*	Enter an API Name for the AS2 Connection. This name must be unique in your Vault.
Contact Email*	Enter the Sender's Email
Description	Enter a description for the AS2 Connection.
AS2 Vault Gateway State	The system populates this field with the current state of the AS2 Vault Gateway, which consists of one of the following options: Registered: The AS2 Connection is synchronized with the Gateway. Out of Sync: Changes have been made to the AS2 Connection or its Connection Allowed List since the last time the Sync to Gateway action was run. From the All Actions menu, select Sync To Gateway to resync the AS2 Connection with the Gateway.
AS2 Encryption	The algorithm the system uses to encrypt outbound AS2 messages and decrypt inbound messages. The system supports the following algorithms: Triple DES (3DES) AES-256-GCM AES-256-CBC For the NMPA, select Triple DES (3DES).
AS2 MDN Setting	Whether the Message Delivery Notification (MDN) can be exchanged synchronously (Sync) or asynchronously (Async). For the NMPA, select Sync.
AS2 Signature	The method the system uses to sign outbound AS2 messages. The system supports the following signing methods: SHA-1 SHA-256 For the NMPA, select SHA-1.
AS2 Compress Before Sign	If this option is selected, the system compresses messages before applying the Signing Algorithm. If this option is not selected, the system compresses messages after applying the Signing Algorithm. Note: We recommend leaving this option unselected.
AS2 Additional ACK Stages	If required, select one or more of the following options: HTTP Handshake: Used primarily for asynchronous requests. PRE-ACK: Used mainly for FDA VAERS, but can be used with synchronous or asynchronous requests. Note: We do not recommend using any additional ACK stages.
AS2 Partner ID	Enter one of the following NMPA identification codes: For a production account, enter `nmpacdr`. For a test account, enter `nmpacdr_test`. Whether you will be submitting Study or postmarket Cases, enter one of these values. You can specify the destination gateway endpoint in the Transmission Profile.
AS2 Partner URL	Enter one of the following destination NMPA Gateway URLs: For a production account, contact the NMPA to obtain the production NMPA Gateway URL. For a test account, contact the NMPA to obtain the test NMPA Gateway URL.
AS2 Partner Certificate Expiry	The system automatically populates this field when an Admin uploads the Partner Certificate.
AS2 Vault ID	Enter the sponsor ID registered with the NMPA. This value is the same as the customer's Routing ID you provided when setting up your NMPA account.
AS2 Vault URL	Enter the AS2 URL of your Vault in the following format, replacing `<SponsorName><Partner><Environment>` with the corresponding values of your Vault: `https://<SponsorName><Partner><Environment>.gateway.veevavaultsafety.com:4080/api/v1/inbound/transmission/` The following example demonstrates how to form the AS2 Vault URL for a Vault with the following values: `<SponsorName>` = vern `<Partner>` = nmpa `<Environment>` = validation AS2 Vault URL = `https://vernnmpavalidation.gateway.veevavaultsafety.com:4080/api/v1/inbound/transmission/`
AS2 Vault Certificate Expiry	The system automatically populates this field when an Admin uploads the Sponsor Certificate.

Vault Safety uses the Partner and Sponsor certificates to communicate securely with the Partner.

Partner certificate: You will have received the Partner certificate as part of creating your account with the Partner.
If you need help generating a Sponsor certificate, contact Veeva Managed Services.

Upload Partner Certificate

From the All Actions menu, select Upload Partner Certificate.
Select Choose, then select the Partner’s Public Certificate.
Accepted formats: PKCS7 (.p7b or .p7c), DER (.cer or .der) and PEM (.cer, .crt, or .pem)
Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.”
Select Continue.

From the All Actions menu, select Upload Sponsor Certificate.
Select Choose, then select the Sponsor’s Public Certificate.
Accepted formats: PKCS12 (.pfx or .p12)
Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.
Select Continue.

Add Connection Allowed IPs

Specify one (1) or more Allowed Connections for the AS2 Connection. These are Internet Protocol (IP) addresses that the system will allow to connect with this AS2 Connection.

Note: To obtain the latest list of allowed connections for the NMPA, contact Veeva Managed Services.

Perform the following steps for each Allowed Connection you want to add to the AS2 Connection:

Go to the Connection Allowed Lists section, then select Create.
Enter the Name, (optional) Description, and IP address of the Allowed Connection.
Ensure the format of the IP address is XX.XX.XX.XX or XX.XX.XX.XX/{subnet mask} where the {subnet mask} is a number between 24 and 32.
Repeat steps 1 and 2 for each Allowed Connection.
When you have added all the Allowed Connections, select Save.

Note: By default, Vaults are limited to 512 Allowed Connections. If your organization requires more, contact Veeva Managed Services.

Synchronize the Connection

Once you have entered all the details of the AS2 Connection, the Connection must be synchronized with the Gateway.

From the All Actions menu, select Sync Connection to Gateway.

When the system successfully completes this action, the Connection’s AS2 Vault Gateway State changes to Registered and the system can send and receive messages using this Connection.

Note: If the Sync Connection to Gateway action is not successful, ensure the value of each of the AS2 Connection fields is correct before retrying the action again. If the issue perists, contact Veeva Managed Services.

If you make any changes to the Connection object or its Connection Allowed List, the AS2 Vault Gateway State changes to Registered - Out of Sync. The system cannot send or receive any messages using this Connection while it is in the Out of Sync state. You will need to repeat the All Actions > Sync to Gateway action to restore the Connection to the Registered state.

Configure Transmission Lifecycles and Workflows

We recommend that you configure Transmission lifecycles and workflows to align with your organization’s standard operating procedures. The following items are best practices and recommendations:

Configure a Case Transmission Error workflow to handle Transmission errors.
Configure a workflow to prevent a Transmission record from entering a Ready for Submission state until a Transmission Profile is specified.

About Object Lifecycles and About Object Workflows provide more information about configuring lifecycles and workflows.