SEEBURGER: What is AS4 (Applicability Statement 4)?

AS4 (Applicability Statement 4) is a message protocol based on web services to securely exchange B2B messages between trading partners. The protocol was developed by the technical committee of OASIS (Organization for the Advancement of Structured Information Standards) for ebXML Messaging Services. AS4's web services capability gives it the opportunity to develop into a cloud-based communication standard.

AS4 and AS2 are very similar by design. During the development of AS4, all advantages of AS2 were analyzed, worked out and inspired by them. In contrast to AS2, AS4 works within a web service context and also has better interaction patterns and delivery notifications. In addition, compared to AS2, AS4 has the option of actively pulling messages by the recipient, since the AS4 server is permanently active.

Interoperability: The AS4 messaging standard is defined based on the OASIS standard
Security: A subset of web services security features is used to ensure the non-repudiation of the message and data confidentiality.
Reliability: by exchanging confirmations, AS4 ensures a one-time delivery
Independence from use: any type of payload (EDI, XML, ...) can be exchanged

The Messaging Service Handler (MSH) is responsible for setting up the AS4 message exchange with the remote station on the sending or receiving side. Communication with the remote station must comply with AS4 specifications and be able to communicate with an internal business application.

User Message

contains the business payload that is exchanged between the business applications of two parties

Signal Message

have the function of establishing non-repudiation and reliability. There are three different types:

Receipt: Confirmed that the received MSH could analyze the incoming message
Error: Confirms that the received MSH encountered a problem while parsing the incoming message.
Pull request: Supports the pull message exchange pattern.

AS4 is increasingly being used in markets that use a service-oriented architecture for B2B messaging. These include the retail trade, the health sector and the utilities sector.

For example, the European gas network operators (ENTSOG) have already defined their own usage profile in 2015. Other uses that rely on AS4 include:

Learn more about how SEEBURGER AG offers its customers an AS4 gateway for various purposes.

The source is clearly defined by digital signatures

Data security through encryption is secured

Proof of timely delivery by delivery notification receipt

Support for large file compressions and file transfers

Which changes apply with MaKo 2023?

AS4 communication replaces AS2 and email communication in the electricity sector.
All market participants need to set up a new connection to each of their communication partners.
AS4 communication to be encrypted with ECC Brainpool (elliptic curve cryptography).
Certificates are used within the smart meter public key infrastructure (PKI). • Participants will need to obtain new certificates.
MaKo to become part of the smart meter public key infrastructure (SM-PKI). • Private keys must be secured in the hardware security module (HSM).
Take a look at this SEEBURGER AS4 blog article to discover more.

Will the migration period be extended to April 1, 2024?

The AS4 migration period will not be extended.

What happens if I’m not able to communicate via AS4 as of October 1, 2023? Can I refer to the "transition period" until March 31, 2024?

There is no “transition period.” There is a migration period from October 1, 2023 to March 31, 2024.

All market participants are required to be able to communicate via AS4 starting October 1, 2023. SEEBURGER does not know how the BNetzA will deal with market participants who do not meet the deadline.

What do I need to switch to AS4?

• You need an AS4 adapter that supports ECC Brainpool. The SEEBURGER adapter already supports this type of encryption.

• You need a hardware security module (HSM) to generate and store private keys.
• You need new certificates from the Federal Office for Information Security’s smart meter public key infrastructure.

Where can I find details of the AS4 profile? Is this available to view anywhere?

You can find information on the AS4 profile for MaKo on the edi@energy page.

Does AS4 use the push or pull method?

MaKo only uses the push method.

Is the URL in the certificate the AS4 address or web address where I can get the AS4 parameters?

The URL is the same as the AS4 address used for communication.

When can I consider a file “delivered“ through AS4? Is there a time stamp I can refer to?

Your file has been successfully transferred via AS4 if you receive a synchronous, non-repudiation receipt (NRR).

As with smart meters, do I have to provide a separate host name for each connection?

Each endpoint, i.e. each individual partner ID, requires a hostname.

What is HSM?

HSM is an acronym for Hardware Security Module. This is used to generate and store private keys.

Can my company only use one HSM?

A company can use multiple HSMs. There are no restrictions to the number you can use.

Can I use the same HSM for smart meter communication and MaKo?

Yes, you can use the same HSM. You can find more details in the BSI Certificate Policy (CP) for Smart Metering PKI version 1.1.2.

What HSMs can I use?

From what we know so far, you can use any HSMs that have already been approved for SM-GW communication by the BSI.

Can I implement and use one HSM for multiple organizations and customers or are there scenarios that require two or more HSMs?

You can use one HSM for several organizations and customers.

From now on, will every MaKo process via AS4 access my HSM in order to retrieve the certificate information?

All cryptographic operations that need a private key take place within the HSM.

The CP was published by the BSI in March 2023. It describes that no HSM and no process can be streamlined for "smaller scenarios." How exactly is that to be interpreted, since some passages of the CP also contradict each other?

Contradictory passages from the CP related to storing the keys for communication with the sub CA, and not for market communication, will be corrected.

Why did SEEBURGER opt for an HSM instead of an alternative cryptographic module (smart card or server)?

According to the definition, passive external market participants (EMT) do not fall under security level 2 but only under security level 1, which means that using a certified HSM is not mandatory.

For the MaKo AS4 service, SEEBURGER opted for an HSM certified for the smart meter PKI because we want to provide our customers with proof of compliance with the requirements for the cryptography module at any time. An HSM certified according to the PKI specifications fulfills the requirements and can be proven by the certification and the manufacturer's declaration.

Which sub CAs can I use for MaKo and from when?

Find more information on all sub CAs in this list from the Federal Office for Information Security (BSI): SubCA-Liste.

Is there a specification or a process on how to apply for the certificates?

You must follow a specific process to apply for certificates as defined by the BSI.

You can find the relevant BSI documents in the list below:

• Certificate Policy (CP) for Smart Metering PKI

• BSI TR-03109-4

• BSI TR-03116-3

Can the TLS-SSL certificate for an incoming AS4 https endpoint come from a free CA, or does it need to come from the BSI PKI?

You must use a TLS certificate from the smart metering public key infrastructure (SM-PKI).

Do I actually need a separate AS4 certificate for each role or division? This field has always been optional for AS2?

The certificate policy for the smart meter PKI stipulates an individual AS4 certificate for each MP-ID - i.e. also for each division- as the MP-ID must be maintained in the certificate.

Will there be permanent AS4 certificates? Or will they also expire after a certain period and need to be re-obtained?

From what we know so far, the AS4 certificates will expire after two years.

What can I do if market participants are still not able to use AS4 after October 1, 2023, or if my own company has not migrated to the new messaging protocol yet?

There are no clearly defined rules or consequences for this scenario. However, it is obligatory to have fully migrated by March 31, 2024 at the latest.

How is the migration phase organized? Who reports to whom, and when?

The BDEW has issued recommendations for dealing with migration.

However, essentially “the market has to organize itself”. You are therefore expected, to plan time for queries and delays into your project plan.

Where can I find the BDEW recommendations for the migration period?

You can find the BDEW application help “introductory scenario for migrating to AS4” on the Edi@Energy website.

What is the process for automated migration to AS4 after the test period, or after a request for migration has been issued?

The conversion service sends a conversion request to the partner. Your partner confirms the request, after which you can use AS4 to communicate in both directions.

Can I completely delete email communication data during the migration period?

Please ensure a fallback option to email in the unlikely case that an error occurs during the migration period of October 2023 to March 2024.

Can I still maintain email communication after migrating to AS4? If so, would you recommend doing so?

Incoming email communication should be kept open during the migration period.

However, we recommend monitoring these emails so that market participants who have supposedly switched to AS4 do not send them to the mailbox. As of April 1, 2024, according to BNetzA specifications, you must not communicate via email anymore and hence the mailbox shall be closed down.

What if a market participant can’t be contacted via AS4, i.e. retry continues to fail?

If the connection fails even after repeated attempts, the sender receives an error notification. However, if only a single transmission fails, this does not mean that the whole market communication has been disrupted.

When will there be a switch back to email?

A temporary switch back to email communication can only be done if one of the two partners has identified a disruption in the market communication and has also declared it as such.

This temporary email communication will be carried out in mutual agreement and as soon as the fault has been rectified, the system will be switched back to AS4 in a likewise mutual agreement. This regulation applies to the changeover phase.

Have there beeninteroperability tests with other manufacturers?

SEEBURGER is in contact with other manufacturers and service providers as well as via various working groups, such as BDEW, EDNA. The tests are ongoing.

Are there exemptions for certain market participants or limitations for SMEs?

No, there are no exemptions.

Where is the data decrypted?

In the HSM.

Why are there two versions of the regulations for the transmission paths? Which one is valid?

Both will be valid.
RzÜ from version 2.x regulates the AS4 communication for MaKo in the electricity sector.
RzÜ from version 1.x regulates the communication for MaKo in the gas industry which has not yet changed, Redispatch 2.0.

What are the e rules for the gas industry?

RzÜ 1.x continues to apply to the gas industry.We currently have no information when they are implementing AS4.

I found this in the latest BDEW documents: “Deadlines for the market migration: Within six weeks after the start of the migration period or parallel operation, all market partners should have migrated their communication to AS4 by migrating communication with all market partners to AS4 one after the other using the “Change of transmission path” service.” Is the migration period just six weeks long rather than half a year? Or is this statement no longer applicable?

The application help is to be seen as a recommendation. The migration period runs until March 31, 2024. However, you may consider migrating as many partners as soon as possible.

Will there be a central address service?

The German BNetzA is not planning to have a central address service for retrieving AS4 communication data.

Therefore, you must separately store and continuously update all data per MP-ED for each of your market partners.

The TSOs have already announced that the exchange of schedule data must also be exchanged via AS4 as of 2024. Is this also part of the MaKo Cloud Service for AS4 delivery?

At the technical level of AS4 communication, the SEEBURGER AS4 Service also supports the requirements for AS4 communication in schedule management.

However, since the AS4 service is designed on the basis of the specification for MaKo in the electricity sector and the requirements for schedule management were not known at this time, this use case is not yet in scope.

The 24-hour supplier change process is currently in consultation. What impact does this have on market communication?

The effects on MaKo are not yet known, as the individual process steps have not yet been defined. However, this has no effect on today's MaKo.

How do I connect to the AS4 cloud service?

Connect via AS2 or a REST service.

Why should I connect via AS2 or REST only, excluding email and any other protocol?

The connection specifications are based on the specifications of the BSI CP 1.3.3.4 external market participants:

"With such a system structure, care MUST be taken to ensure that the data exchange between the service provider and the client has a security level comparable to the security mechanisms defined in [TR-03116-3].” TR-03116-3 refers to TR-02102, which states what is “secure” and for how long from the BSI’s viewpoint.

What Is AS4?

Comparison AS2 and AS4

Main features of the AS4 messaging standard

AS4 Messaging Service Handler

Message types of AS4

The ebMS 3.0 specification defines the following message types defined within the AS4 usage profile:

The areas of use of AS4

What are the general advantages of AS4?

FAQ MaKo AS4

General

Dates

AS4 profile

HSM

Certificates

Migration scenarios

Other

Connection to the SEEBURGER AS4 Cloud Service

Do you work in a sector with its own specific needs?

Take a look at the SEEBURGER range of industry-specific solutions