In our continuous effort to enhance transparency and collaboration with the solution providers community, we are presenting below a list of user needs for the AS4 software.
These needs represent the current additional feature requests and suggestions from Access Point users.
We aim to increase awareness of these needs. While some of them may not be implemented in Domibus, the eDelivery sample software, they represent areas that AS4 solution providers might want to explore. For each user need described below, we indicate whether or not it is planned to be included in the eDelivery sample software.
AS4 software providers are encouraged to consider implementing some of these enhancements in their solutions.
Next, we plan to shift our approach, encouraging Access Point users to express their needs for more functionalities improving AS4 software. We believe this will help solution providers better understand user requirements and focus their efforts accordingly. We are committed to sharing this information openly and transparently to foster a rich market offering.
Allow hybrid static-dynamic configuration for incoming messages
THIS FUNCTIONALITY IS ALREADY IN SCOPE OF ONE OF THE UPCOMING RELEASES OF THE EDELIVERY SAMPLE SOFTWARE
Description
This feature request is for an Access Point implementation to be configurable for validating incoming messages from parties in a hybrid/mixed way. Some parties would be configured statically, while others would be validated using SML/SMP as a trust store and a whitelist.
Request source
Feature request submitted on by the European Commission team preparing the use of eDelivery in the European Maritime Single Window environment.
Allow message-based update of AS4 certificates (implement support for the "ebCore Agreement Update" Profile Enhancement in eDelivery AS4 Profile 2.0)
THIS FUNCTIONALITY IS ALREADY IN SCOPE OF ONE OF THE UPCOMING RELEASES OF THE EDELIVERY SAMPLE SOFTWARE
Description
This feature request is for an Access Point implementation to allow the update of AS4 certificates through a message exchange. While not directly requested by the user, this is a part of the functionality defined in the "ebCore Agreement Update" profile enhancement added in the eDelivery AS4 Profile 2.0. In the original user request, if the AS4 certificate expires or has expired, a request should be sent to the associated party. The response contains a replacement for the existing certificate, if available. The Access Point implementation then replaces the old certificate with the new one.
Request source
Feature request submitted on by a stakeholder involved in the e-CODEX project.
Allow message-based update of TLS certificates and/or download of configuration and certificate store updates from a specific external tool (CMT)
THIS FUNCTIONALITY IS NOT CURRENTLY PLANNED FOR EDELIVERY SAMPLE SOFTWARE
Description
This feature request is for an Access Point implementation to allow the update of TLS certificates through a message exchange. If the TLS certificate expires or has expired, a request should be sent to the associated party. The response contains a replacement for the existing certificate, if available. The Access Point implementation then replaces the old certificate with the new one.
An alternative feature request is for an Access Point implementation to support a mechanism to download the latest (AS4, Server TLS, or Client TLS) certificates from a specific external tool called the Configuration Management Tool (CMT). The CMT is an online tool designed to manage the collection of participant data and the distribution of e-CODEX configuration files. Acting as a central provider of certificates for various projects, the CMT streamlines certificate management across different implementations.
Request source
Feature request submitted on by a stakeholder involved in the e-CODEX project.
JSON logging
THIS FUNCTIONALITY IS ALREADY IN SCOPE OF ONE OF THE UPCOMING RELEASES OF THE EDELIVERY SAMPLE SOFTWARE
Description
This feature requests the implementation of JSON logging capabilities to allow logs to be output in a structured JSON format, which is more easily processed by modern log management tools like Elasticsearch. This would improve log parsing, enhance search and filtering capabilities, as well as increase observability, likely providing better insights into Access Point operations for several EU Member States.
Request source
Feature request submitted on by a representative of a Swedish public agency.
Attachment size limits
THIS FUNCTIONALITY IS ALREADY IN SCOPE OF ONE OF THE UPCOMING RELEASES OF THE EDELIVERY SAMPLE SOFTWARE
Description
This feature would allow limiting the size of incoming message attachments by configuring payload profiles in PMode. This would apply to all payloads in a message, excluding metadata, and would consider the size of the uncompressed payloads. This enhancement would provide better control over large attachments and improve Access Point performance.
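An added example (not code from this page or from Domibus) of the check described above: the uncompressed sizes of all payload parts are summed against one PMode-style limit while each part is inflated under a byte budget, so an oversized attachment is refused as soon as the limit is passed rather than after being fully decompressed in memory. The function names and the assumption that every part is gzip-compressed, as with AS4 payload compression, are the example's own.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"io"
)

var ErrPayloadTooLarge = errors.New("message rejected: uncompressed payloads exceed limit")

// inflatedSize inflates one gzip-compressed payload part through a reader capped at
// budget+1 bytes, so a small part that inflates to gigabytes is refused as soon as the
// cap is passed, without ever buffering the whole inflated content.
func inflatedSize(part []byte, budget int64) (int64, error) {
	gz, err := gzip.NewReader(bytes.NewReader(part))
	if err != nil {
		return 0, err
	}
	n, err := io.Copy(io.Discard, io.LimitReader(gz, budget+1))
	if err == nil && n > budget {
		err = ErrPayloadTooLarge
	}
	return n, err
}

// CheckMessagePayloads applies one limit to the sum of the uncompressed sizes of all
// payload parts of a message (metadata parts excluded by the caller), as a PMode payload
// profile limit would; it returns the bytes counted before the verdict.
func CheckMessagePayloads(parts [][]byte, maxTotal int64) (int64, error) {
	var total int64
	for _, p := range parts {
		n, err := inflatedSize(p, maxTotal-total)
		total += n
		if err != nil {
			return total, err
		}
	}
	return total, nil
}

// GzipBytes builds a constructed compressed payload part, as AS4 payload compression would.
func GzipBytes(b []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(b)
	w.Close()
	return buf.Bytes()
}
```

A naive check on the compressed size on the wire would let a ~1 KiB part that inflates to 1 MiB through; this check stops reading once the remaining budget is exhausted.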
Request source
Feature request submitted on by a representative of a private company.
REST API for back end
THIS FUNCTIONALITY MAY BE IMPLEMENTED IN THE EDELIVERY SAMPLE SOFTWARE IN THE FUTURE
Description
The feature request relates to providing a REST API as an integration option between the backend and the Access Point.
The request emphasises that the addition of this feature would greatly improve usability and adoption, particularly among government bodies.
Request source
Feature request submitted on by the Irish Government in the context of Once-Only Technical System.
Support digital signing of PMode configuration
THIS FUNCTIONALITY MAY BE IMPLEMENTED IN THE EDELIVERY SAMPLE SOFTWARE IN THE FUTURE
Description
In digital ecosystems, administrators often prepare the PMode configuration in advance and distribute it through various channels, such as websites. To ensure the security and integrity of these configurations, users need a way to confirm that the PMode has not been altered, either intentionally or by mistake, before it is imported into the Access Point implementation. This requirement leads to the necessity of digitally signing the PMode configurations. Digital signatures can automatically verify the authenticity and integrity of the PMode files during import, whether done manually by an administrator or through an API. This feature ensures that any tampering with the configuration is detected, enhancing the overall security of the Access Point.
The proposal involves adding options for administrators to enforce the digital signing of PMode files within the Access Point implementation. This includes rejecting updates without valid signatures and specifying which certificates or keys should be used for signing. The feature aims to prevent unauthorised changes and supports automated workflows, thus improving the security and reliability of the Access Point's system management.
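One way an Access Point could enforce such a policy at import time, as an added example that is not part of this page or of Domibus: a detached Ed25519 signature over the PMode bytes, an administrator-managed allow-list of signer keys, and rejection of unsigned, untrusted or altered files before anything is loaded. The SignedPMode envelope, ImportPolicy and the sample PMode content are assumptions for illustration, not an existing format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrUnsigned     = errors.New("pmode rejected: no signature attached")
	ErrUntrustedKey = errors.New("pmode rejected: signer not in allowed set")
	ErrBadSignature = errors.New("pmode rejected: signature does not match content")
)

// SignedPMode is a hypothetical import envelope (not Domibus' format): the raw
// PMode XML, the signer's public key and a detached Ed25519 signature over it.
type SignedPMode struct {
	XML       []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

// ImportPolicy holds the hex-encoded public keys an administrator allows to sign PModes.
type ImportPolicy struct{ AllowedSigners map[string]bool }

// VerifyForImport runs before a PMode is loaded: unsigned, untrusted and tampered
// files are all refused, so a file altered after download cannot be imported.
func (p ImportPolicy) VerifyForImport(s SignedPMode) error {
	if len(s.Signature) == 0 || len(s.SignerKey) == 0 {
		return ErrUnsigned
	}
	if !p.AllowedSigners[hex.EncodeToString(s.SignerKey)] {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(s.SignerKey, s.XML, s.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // administrator's signing key
	policy := ImportPolicy{AllowedSigners: map[string]bool{hex.EncodeToString(pub): true}}
	pmode := []byte("<configuration/>") // constructed stand-in for a real PMode file
	signed := SignedPMode{XML: pmode, SignerKey: pub, Signature: ed25519.Sign(priv, pmode)}
	fmt.Println("valid:", policy.VerifyForImport(signed))
	signed.XML = append(signed.XML, '!') // simulate tampering after signing
	fmt.Println("tampered:", policy.VerifyForImport(signed))
}
```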
Request source
Feature request submitted on by a member of the EC team of the Once-Only Technical System.
Keystore Management: Support for PKCS11 (HSM)
THIS FUNCTIONALITY IS ALREADY IN SCOPE OF ONE OF THE UPCOMING RELEASES OF THE EDELIVERY SAMPLE SOFTWARE
Description
This functionality's aim is to enhance the security of the Access Point implementation by supporting PKCS11 for Hardware Security Modules (HSM). Currently, many Access Points store private keys in software keystores on file systems, which are vulnerable to theft. By integrating HSM support, the Access Point implementation would ensure that private keys remain secured within the hardware device itself, never leaving it. This change would bolster the digital signature and authentication processes, as they would be managed directly by the secure HSM.
The original request was to add support for the PKCS11 keystore protocol, allowing users to sign messages using HSM services, which is currently not possible with the existing PKCS12 and JKS keystore formats supported by the eDelivery sample software. The request was made to simplify and secure the process of signing messages.
Request source
Feature request submitted on by a representative of a Polish private company and separately requested by two public administrations participating in the CESOP ecosystem.
Support Prometheus-compatible metrics
THIS FUNCTIONALITY IS NOT CURRENTLY PLANNED FOR EDELIVERY SAMPLE SOFTWARE
Description
The user need is for AS4 software to support exporting metrics in a Prometheus-compatible format. Metrics would include data such as the number of messages exchanged over a period, the time taken to process, send or receive a message, among other technical metrics. This feature would enable more efficient monitoring and management of the Access Point's performance, making it easier for users to obtain and analyse key operational data.
The original request was to include support for Prometheus-compatible metrics, allowing for a broader integration with monitoring tools. This change aims to facilitate detailed tracking and visibility of the Access Point's performance metrics in a widely-used format. The requestor provided a link for reference.
Request source
Feature request submitted on by a representative of a SaaS provider for the pharmaceutical and biopharmaceutical industry.
Scripts for scheduled automated updates of PModes or Trust Stores
THIS FUNCTIONALITY IS NOT CURRENTLY PLANNED FOR EDELIVERY SAMPLE SOFTWARE
Description
The need is for scripts that can manage scheduled automatic updates of PModes and Trust Stores in an Access Point implementation. In a digital ecosystem where multiple Access Points interact, it is crucial to regularly update the PModes and public certificates to maintain secure and smooth operations. Scheduled updates through scripts allow these changes to occur at specific times, thus minimising disruption to communication between Access Points. These scripts could potentially use APIs provided by the Access Point implementation to manage updates effectively.
The original request highlighted the need for tools to automate and schedule the deployment of PModes and Trust Stores in Access Point implementations to facilitate changes with minimal downtime. This would support networks in implementing updates efficiently and with reduced manual effort. The feature would allow central provision of update files, with Access Point operators downloading and deploying these at a coordinated time, thus ensuring a streamlined update process across the network.
Request source
Feature request submitted on by a member of the EC team of the Once-Only Technical System.
PostgreSQL support
THIS FUNCTIONALITY IS NOT CURRENTLY PLANNED FOR EDELIVERY SAMPLE SOFTWARE
Description
The user need is to incorporate support for PostgreSQL in the Access Point implementation.
Request source
Feature request submitted on by a representative of a private company operating in several EU and non-EU countries.
Capability of storing the payloads in cloud native storage services
THIS FUNCTIONALITY MAY BE IMPLEMENTED IN THE EDELIVERY SAMPLE SOFTWARE IN THE FUTURE
Description
Users need the Access Point to integrate with cloud services for storing data (e.g., message payloads) in addition to the database or file system. Users would benefit from better integration with cloud services like Amazon S3, which could offer more efficient and scalable storage solutions.
Request source
Internal request from an EC service.
Capability to use cloud native password vaults
THIS FUNCTIONALITY IS NOT CURRENTLY PLANNED FOR EDELIVERY SAMPLE SOFTWARE
Description
Users need a more secure way to store secrets, such as passwords. Traditionally, these secrets might be stored in a database (encrypted, of course) or on the file system. But these methods are not always the most secure. By integrating with a cloud-native vault, the security of the secrets used in the Access Point could be significantly improved.
Request source
Internal request from an EC service.
Mixed static & dynamic discovery usage in Access Point
THIS FUNCTIONALITY MAY BE IMPLEMENTED IN THE EDELIVERY SAMPLE SOFTWARE IN THE FUTURE
Description
This request is for Access Points to support (1) simultaneous use of static and dynamic receivers when sending and (2) simultaneous validation of static and dynamic senders when receiving. The feature request is for a single Access Point instance to act in mixed (static and dynamic) mode both when sending (Dynamic Sender) and when receiving (Dynamic Receiver).
Request source
Feature requests submitted on and by the European Commission team preparing the use of eDelivery in the European Maritime Single Window environment.
SUT controller availability
THIS FUNCTIONALITY IS NOT CURRENTLY PLANNED FOR EDELIVERY SAMPLE SOFTWARE
Description
When using the eDelivery conformance testing service to certify the services they offer as conformant, service providers using a third party product need to use a System Under Test (SUT) controller as prescribed in the eDelivery Conformance Testing Service user guide. Developing a SUT controller can be complex. Software vendors can consider offering their SUT controllers to interested parties who would like to create services using the vendors' Access Point implementations. This could simplify the conformance testing process for service providers.
Request source
Feature request submitted by a service provider.