AS2OnboardingEDIPharmaWar Story

Onboarding One AS2 Trading Partner Took 3 Months. Both Sides Made Every Mistake.

10 min readBy Marwan Nakhaleh

How Long Does AS2 Partner Onboarding Actually Take?

In my experience, onboarding a single AS2 trading partner takes two to three months when neither side has a way to independently verify their own configuration. That's not a worst case. That's what happened on a well-funded engagement where both sides were motivated, responsive, and staffed with people who knew what they were doing.

A few years back, I took a consulting engagement for a pharmaceutical wholesaler. DSCSA compliance meant they had to exchange serialized transaction data with their trading partners over AS2, and they needed a new partner connection stood up. The engagement was worth over $50,000. The technical scope, on paper, was small: configure one AS2 connection between two servers that both already spoke the protocol.

It took nearly three months. The project stalled and restarted multiple times. Some issues were never cleanly resolved, they just stopped happening after enough config churn that nobody could say which change fixed what.

I want to walk through what actually consumed those three months, including the mistakes that were mine, because the lesson isn't "be more careful." The lesson is that AS2's validation model is structurally broken: you cannot prove your own setup works without burning a round-trip with the counterparty you're trying to onboard.

The Anatomy of Config Ping-Pong

Most of the calendar time went to an email pattern I now call config ping-pong: each side asserts their configuration is correct, a test message fails, and an email thread starts about whose side broke it. Each round of that thread costs two to five business days.

Here's why a single round-trip is so expensive:

  • You send a test message. It fails, or it disappears, or an MDN never comes back. Often the failure is silent, you learn nothing except "it didn't work."
  • You check your logs. Your logs show your side did its job: message signed, encrypted, POSTed, got a 200. Or they show a cryptic decryption error that could mean five different things.
  • You email the partner. Their EDI team is a shared queue. Response time: one to two days, and the first response is usually a question, not an answer.
  • They check their logs and reply "our side is fine." This is the load-bearing phrase of the entire industry. Everyone's side is always fine. Both sides are looking at logs that only show half the conversation.
  • Someone proposes a change. Now you schedule another test window, because their EDI team tests on Tuesdays and Thursdays, or the change needs a change-control ticket on a regulated system.

One failed test message: two to five days. And AS2 onboarding involves a lot of failed test messages, because there are a dozen independent settings that all have to match: AS2 IDs, certificates for signing, certificates for encryption, signing algorithm, encryption algorithm, MDN mode, MDN signing, MIC algorithm, URLs, ports, TLS versions.

The AS2 ID Round

We lost the better part of two weeks to AS2 identifiers alone. This is typical, not exceptional. AS2 IDs are free-text strings that must match exactly on both sides, and they're usually communicated by pasting them into emails, where case, whitespace, and "is that an O or a zero" ambiguities thrive. When the IDs don't match, most AS2 servers don't say "unknown AS2 ID." They reject the message with a generic error, or worse, silently drop it. Both sides then stare at their own config, see the ID they expect, and declare their side fine.

The Certificate Rounds (Plural)

Certificates generated multiple rounds. The typical patterns, all of which we hit in some form: one side loads the other's certificate into the wrong slot (encryption cert used for signature verification or vice versa), someone sends a stale certificate from a previous rotation, or a certificate chain is incomplete so TLS handshakes fail intermittently depending on which side initiates. Each of these produces a different opaque error, and none of the errors say "certificate mismatch." I've since written up the broader failure taxonomy in why AS2 connections fail, and certificates dominate it for a reason.

The Algorithm Round

Then came the algorithm negotiation that isn't a negotiation. AS2 has no handshake where both sides agree on signing and encryption algorithms; each side just configures what it expects and hopes. Our two servers disagreed on the requested MIC algorithm for MDNs, which meant messages were delivered and processed successfully but the receipts failed verification. From the sender's perspective, that's indistinguishable from delivery failure. If you've never dug into what an MDN actually asserts, this failure mode makes no sense at all: the message got through, but the system reports failure.

The Admission

Deep into the engagement, after weeks of "our side is fine," the partner's team went back through their configuration and found errors on their side. To their credit, they said so plainly. I don't share this to dunk on them, because of what comes next.

The Mistakes That Were Mine

Here's the part that consulting war stories usually leave out: I made setup mistakes on our server too. I was the expert being paid $50k+ to get this right, and some of the failed rounds were my fault.

I won't pretend to remember every one precisely, but the categories were the classics: settings I believed were correct because I had set them and therefore trusted them; a mismatch between what I had documented for the partner and what was actually running; and configuration I had verified by reading it rather than by exercising it. Reading your own config to validate it is like proofreading your own writing. You see what you meant, not what's there.

The uncomfortable symmetry: while the partner was telling me their side was fine, I was telling them my side was fine, and we were both wrong at various points. Neither of us was lying. Neither of us was incompetent. We both simply had no way to check our claims against anything except each other.

Some issues from that engagement never got a clean root cause. They stopped reproducing after enough parallel changes that the honest answer to "what fixed it?" is "we don't know." On a regulated pharma data exchange, "we don't know" is not a comfortable line in a closeout report, but it's the true one.

What Finally Worked: Systematic Elimination

The turning point wasn't a clever fix. It was abandoning the assumption that either side's configuration was correct and testing one layer at a time, in order, with both teams looking at the same evidence.

The sequence that works, and that I'd start with on day one if I could do it again:

  1. Transport first. Can each side reach the other's URL at all? Firewalls, allowlists, and proxies kill more first messages than any AS2 setting.
  2. TLS next. Does the handshake complete, with the full certificate chain, at a protocol version both sides accept? Test this in isolation, not as a side effect of a full AS2 message.
  3. Identity. Confirm AS2 IDs by having each side read back what they have configured, character by character, from the running system, not from the onboarding spreadsheet.
  4. Certificates. Confirm fingerprints of the certificates actually loaded, in each slot (signing vs. encryption), on each side. Not filenames. Fingerprints.
  5. One security feature at a time. Send unsigned and unencrypted first if both systems allow it in a test lane. Then add signing. Then encryption. Then require a signed MDN. When something breaks, you know which layer broke it.
  6. Only then, the full production-shape message.

Systematic elimination works. It's also an indictment: every one of those steps is a check either side could have run alone, in an afternoon, if there had been anything on the other end to test against. There wasn't. So each layer's verification consumed a multi-day round-trip with a busy counterparty. I've written the tactical version of this process as a standalone guide: how to test an AS2 connection.

The Real Lesson: The Validation Model Is Broken

Strip away the specific mistakes, mine and theirs, and one structural fact explains the entire three months: I didn't have a way to test my setup without verifying it with someone else.

Think about how strange that is compared to everything else we build. You don't validate a REST API by asking your customer to call it and email you their impressions. You curl it. You run a test suite. You point a validator at it. AS2 offers no equivalent. The protocol's core operation, encrypt for a specific counterparty, sign, transmit, receive a signed receipt, only exists between two configured parties. There is no loopback. Your own server can't meaningfully test itself, because the failure modes that matter live in the interaction between two independently configured systems.

So the industry's de facto validation tool is the trading partner's production onboarding process. Every mistake, on either side, is discovered at the cost of a two-to-five-day round-trip with a counterparty who has their own queue, their own change control, and their own certainty that their side is fine. Multiply a dozen settings by a handful of mistakes by days per round-trip, and "three months for one partner" stops being surprising and starts being arithmetic.

And this cost recurs. Certificates rotate. Servers migrate. Algorithms get deprecated. Every change reopens the same question, is my side actually right?, with the same broken answer: ask the partner to find out.

What I'd Want Instead (And Why I Built It)

What that engagement needed was a known-good counterparty: an AS2 endpoint that is definitely configured correctly, that I could fire test messages at, and that would tell me precisely what my message got wrong. TLS chain, certificate usage, signing algorithm, encryption algorithm, MDN exchange, all validated against a system whose configuration is not in question, with a report in plain language instead of a stack trace.

With that, my own mistakes would have surfaced in minutes, alone, before the partner ever saw a message. The partner's mistakes would have been the only thing left to debug together, and we'd have entered that debugging knowing one side was already proven. I estimate that collapses two to three months into two to three weeks, and most of the remaining time is just the partner's queue.

Nothing like that existed when I needed it. So after the engagement, I built it: AS2 Certify is the known-good counterparty I wish I'd had, it runs the full round-trip against your endpoint and grades every layer of your setup.

If you're in the middle of your own onboarding slog, you can test your AS2 connection right now, no signup, and see what your side looks like from the other end of the wire. If you're onboarding partners regularly, create an account and make "our side is verified" a fact you can attach to an email instead of a claim your partner has to take on faith.

Three months, one partner, both sides wrong at various points, and no way for either of us to know. Don't run your onboarding the way we ran ours.