Configure Custom AS2 Connections

Veeva Safety supports AS2 (system-to-system) communication to exchange ICSRs with other organizations.

About Custom AS2 Connections

Note: Safety AS2 Connections replace Safety Gateways. AS2 Connections provide significant technical improvements including Admin management of Internet Protocol (IP) lists, more concise outbound IP lists, and improved Certificate Management. Though Gateways are still supported, we recommend replacing any Custom AS2 Gateways in your Vault with an equivalent Custom AS2 Connection. See Replace a Gateway Profile with an AS2 Connection for instructions on how to do this.

To configure Safety to communicate with another organization through an AS2 Connection, you must set up a Transmission Profile and an AS2 Connection. Create a Transmission Profile and AS2 Connection for each organization that you want to exchange information with. You need only one (1) profile and connection per trading partner, which includes both sending and receiving transmissions.

Safety supports both synchronous and asynchronous AS2 interchange. Set up your AS2 Connection to match the external gateway with which you want to communicate.

Note: If you are configuring a CRO Vault, which multiple sponsor organizations can access, consider setting up multiple AS2 Connections for sponsor Transmissions to a common destination. A unique AS2 Connection for each sponsor enforces organization-specific Transmission security.

Prerequisites

Your environment must meet the following requirements before you set up an AS2 Connection:

You must contact Veeva Support to enable configurable AS2 Gateways in your Vault.
You must have your own public and private certificate pair set up for communication with the destination gateway.
You must send your public certificate and URL to the destination gateway.
You must have the public certificate and URL for the destination gateway.

Create an AS2 Gateway Transmission Profile

You must first create a Transmission Profile of the type AS2 Gateway. Manage Transmission Profiles provides instructions on setting up Transmission Profiles.

Configure a Safety AS2 Connection

Navigate to Admin > Connections, then select Create.
For the Connection Type, select AS2, then select Continue.
Complete applicable fields.
Select Save.

AS2 Connection Fields

The following fields may be available:

Field	Description
Name	Enter a name for the AS2 Connection. This name must be unique in your Vault.
API Name	Enter an API Name for the AS2 Connection. This name must be unique in your Vault.
Contact Email	Enter the Sender's Email.
Description	Enter a description for the AS2 Connection.
AS2 Vault Gateway State	Vault populates this field with the current state of the AS2 Vault Gateway, which consists of one (1) of the following options: Unregistered: The Sync to Gateway action has not yet been run for this AS2 Connection. Registered: The AS2 Connection is synchronized with the Gateway. Out of Sync: Changes have been made to the AS2 Connection or its Connection Allowed List since the last time the Sync to Gateway action was run. From the All Actions menu, select Sync To Gateway to resync the AS2 Connection with the Gateway.
AS2 Additional ACK Stages	If required, select one (1) or more of the following options: HTTP Handshake: Used primarily for asynchronous requests. PRE-ACK: Used mainly for FDA VAERS, but can be used with synchronous or asynchronous requests. Note: We do not recommend using any additional ACK stages.
AS2 Encryption	The algorithm Vault uses to encrypt outbound AS2 messages and decrypt inbound messages. Vault supports the following algorithms: Triple DES (3DES) AES-256-GCM AES-256-CBC Select the AS2 Encryption algorithm used by the partner organization.
AS2 MDN Setting	Whether the Message Delivery Notification (MDN) can be exchanged synchronously (Sync) or asynchronously (Async). Select the AS2 MDN Setting used by the partner organization.
AS2 Signature	The method Vault uses to sign outbound AS2 messages. Vault supports the following signing methods: SHA-1 SHA-256 Select the AS2 Signature method used by the partner organization.
AS2 Partner Sends ACK on MDN URL	The default setting for this field is No, as Vault expects an AS2 partner to send the ACK using a different URL than that used to send the MDN. Unless the partner specifies otherwise, select No. For more information about AS2 Gateway communications, see Send a Gateway Transmission.
AS2 Compression Settings	Select how Vault compresses and signs AS2 messages before they are sent, as specified by the agency: Compress After Sign (Standard): Vault compresses messages after applying the Signing Algorithm. Compress Before Sign: Vault compresses messages before applying the Signing Algorithm. Uncompressed: Vault applies the Signing Algorithm to messages but does not compress them.
AS2 Partner ID	Enter the partner ID.
AS2 Partner URL	Enter the partner URL.
AS2 Partner Certificate Expiry	Vault automatically populates this field when your Admin uploads the partner certificate.
AS2 Vault ID	Enter the AS2 ID of your Vault.
AS2 Vault URL	Enter the AS2 URL of your Vault in the following format, replacing `<SponsorName><Partner><Environment>` with the corresponding values of your Vault: `https://<SponsorName><Partner><Environment>.gateway.veevavaultsafety.com:4080` The following example demonstrates how to form the AS2 Vault URL for a Vault with the following values: `<SponsorName>` = vern `<Partner>` = custom `<Environment>` = validation AS2 Vault URL = `https://verncustomvalidation.gateway.veevavaultsafety.com:4080` Informing the Partner of your AS2 Vault URL When informing the partner of the URL they need to use for this AS2 Connection, use the value you entered in this field appended with `/api/v1/inbound/transmission` In the example shown above, this is `https://verncustomvalidation.gateway.veevavaultsafety.com:4080/api/v1/inbound/transmission`
AS2 Vault Certificate Expiry	Vault automatically populates this field when your Admin uploads the sponsor certificate.
AS2 Vault Domain / IP Configuration	Select the method the partner uses to interface with the AS2 Connection. AS2 Vault URL: Domain Name (typical): A standard domain name that resolves to dynamic IP addresses. AS2 Vault URL: Domain Name bound to static IP addresses: A standard domain name that resolves to static IP addresses. AS2 Vault URL: IP URL (uncommon): A non-standard IP address domain name that resolves to an IP address.
AS2 Vault Certificate Serial Number	When you upload a new sponsor certificate for this connection, Vault sets this field to the Serial Number of the certificate.
AS2 Partner Certificate Serial Number	When you upload a new partner certificate for this connection, Vault sets this field to the Serial Number of the certificate.

Upload the Partner and Sponsor Certificates

Safety uses partner and sponsor certificates to communicate securely with the partner. You will have received the partner certificate as part of creating your account with the partner.

Complete the following steps to create and upload these certificates:

Add Connection Allowed IPs

Specify one (1) or more Allowed Connections for the AS2 Connection. These are Internet Protocol (IP) addresses that Vault will allow to connect with this AS2 Connection.

Note: Contact the partner organization to obtain their list of allowed connections.

Perform the following steps for each Allowed Connection you want to add to the AS2 Connection:

Navigate to Admin > Connections > [Connection] > Connection Allowed Lists, then select Create.
On the Create Connection Allowed List window, complete the following information:
- Name: Enter a name for the Allowed Connection.
- (Optional) Description: Enter a description for the Allowed Connection.
- IP: Enter the address of the Allowed Connection.
  Ensure the format of the IP address is XX.XX.XX.XX or XX.XX.XX.XX/{subnet mask} where the {subnet mask} is a number between 24 and 32.
Repeat the above steps for each Allowed Connection.
When you have added all the Allowed Connections, select Save.

Note: By default, Vaults are limited to 512 Allowed Connections. If your organization requires more, contact your Veeva Representative.

Synchronize the Connection

Once you have entered all the details of the AS2 Connection, the Connection must be synchronized with the Gateway.

From the All Actions menu, select Sync Connection to Gateway.

When Vault successfully completes this action, the Connection’s AS2 Vault Gateway State changes to Registered and Vault can send and receive messages using this Connection.

Note: If the Sync Connection to Gateway action is not successful, ensure each field value on the AS2 Connection is correct before retrying the action again. If the issue persists, contact your Veeva Representative.

If you make any changes to the Connection object or its Connection Allowed List, the AS2 Vault Gateway State changes to Registered - Out of Sync. Vault cannot send or receive any messages using this Connection while it is in the Registered - Out of Sync state. You will need to repeat the All Actions > Sync to Gateway action to restore the Connection to the Registered state.

Result

The AS2 Connection is active and available to use to exchange data with external organizations.

Note: For partner gateways that transmit MDNs asynchronously, the partner gateway should send the MDN to the URL included in the header of the Safety Transmission.

Configure Transmission Lifecycles and Workflows

We recommend that you configure Transmission lifecycles and workflows to align with your organization’s standard operating procedures. The following items are best practices and recommendations:

Configure a Case Transmission Error workflow to handle transmission errors.
Configure a workflow to prevent a Transmission record from entering a Ready for Submission state until a Transmission Profile is specified.

About Object Lifecycles and About Object Workflows provide more information about configuring lifecycles and workflows.