FDA AS2 Electronic Submission Gateway Next Gen

Product Usage Instructions

• This guide is intended for industry participants who want to utilize AS2 to submit regulatory information to the FDA.
• The audience includes current AS2 submitters and user technical support resources.
• All legacy pre-production and production ESG AS2 accounts have -been migrated to ESG NextGen.
• Review the entire AS2 Guide to understand how to integrate with ESG NextGen.
• If you have never used AS2 with legacy ESG, contact support at: ESGNGSupport@fda.hhs.gov.
• Prepare Submission: Follow Center guidelines. Multifile submissions must be compressed into a zip or gzip archive.
• Sign and Encrypt: Sign the submission using your private key. Optionally encrypt the submission using the FDA’s public certificate.
• Upload Submission: Use the AS2 gateway to transmit the submission. The AS2 software assigns a unique MessageId.
• Antivirus Scan: ESG NextGen scans for viruses. If a virus is detected, an exception ACK1a message is sent.
• Decryption and Validation: ESG NextGen decrypts (if necessary) and validates the submission signature. A Message Delivery Notification (MDN) is sent back.
• Submission Processing: ESG NextGen unpacks the submission and assigns a unique CoreID.
• Acknowledgment Generation: ACK2 is sent upon successful unpacking and delivery to the center. ACK3 is generated by some Centers for validation results.
• Acknowledgment Delivery: ACK2 and ACK3 are sent to the industry AS2 gateway.

Introduction

Purpose of the Guide

• This document provides guidelines for submitting files and folders through Applicability States 2 (AS2) with the FDA’s ESG NextGen system.
• AS2 is a point-to-point protocol for securely exchanging data. AS2 allows businesses to transmit data, such as electronic data interchange (EDI) messages, securely and reliably.
• AS2 is considered a legacy technology. The modernization of AS2 submissions is to submit via API.
• If you are looking to create a new point-to-point submission to connect to ESG NextGen, API is the recommended method.
• For more information on API submissions, refer to the ESG NextGen
• API Guide, which can be found here under User Guides.

Target Audience

• This guide is intended for industry participants who want to utilize AS2 to submit regulatory information to the FDA.
• The audience includes current AS2 submitters and user technical support resources.

Getting Started with AS2

• All legacy pre-production and production ESG AS2 accounts have been migrated to ESG NextGen.
• Please review the entire AS2 Guide to understand how to integrate with ESG NextGen.
• If you have never used AS2 with legacy ESG, please contact support at ESGNGSupport@fda.hhs.gov.

AS2 Submission Process

• Below is the high-level AS2 submission process in ESG NextGen

Steps to Update AS2 Configuration

1. Access AS2 Configuration:
   • Navigate to your AS2 gateway configuration settings.
2. Update AS2 Endpoint:
   • If your company limits its AS2 communications via a firewall IP whitelist they will need to add new ranges for ESG Next Gen. These are different than the addresses and/or ranges used for legacy ESG. Retain all legacy ESG firewall rules.
   • Inbound ranges (Industry to FDA) – 15.205.247.22 and 3.31.183.245
   • Outbound ranges (FDA to Industry) – 150.148.0.0/16
   • If your company does not need to make changes to its whitelist in legacy ESG, then it should not be required for ESG NextGen.
   • Modify the AS2 endpoint to deliver submissions based on production or test submission context.
   • For production submissions, update the AS2 endpoint to: https://upload-api-esgng.fda.gov:4080/as2/receive
   • For test submissions, update the AS2 endpoint to: https://upload-api-esgng.fda.gov:4080/as2/receive/test
   • Advanced Encryption Standard (AES) encryption is recommended for submissions in ESG NextGen
   • The following encryption methods are supported, but AES is preferred:
   • AES-128
   • AES-192
   • AES-256
   • AES-256-GCM is currently unsupported.
   • RC2
   • Triple DES (DESede)
   • Cast5
   • Idea
3. Save and Confirm Changes
   • Save the updated configuration and ensure all changes are correctly applied.

Additional Steps for Password Protected AS2 Endpoints

This step is only required if the industry ACK AS2 endpoint is secured with a username and password. If it is not secured in this fashion, please skip to section 2.4.

1. Prepare JSON Payload:
   • Construct a JSON document with the following structure:
2. Sign the JSON Document:
   • Sign the JSON payload using the private key associated with the certificate you use for ESG.
3. Send the Signed JSON:
   • Submit the signed JSON via AS2 to ESG NextGen’s system using the Routing ID: ESGNG_ACKGATEWAY.
4. Receive Confirmation:
   • ESG NextGen will validate the signature and update its configuration. A confirmation message will be sent to you.
   • If the confirmation message is not received, please email ESGNGSupport@fda.hhs.gov with a copy of the JSON from step 1 and the associated routing ID so it can be reviewed or configured manually.

Send a Submission

1. Prepare either a Production or Test Submission:
   • Follow the standard procedure to prepare a submission. This will be specific to your organization.
2. Send Submission:

Transmit the submission to ESG NextGen using the updated AS2 configuration. Use either a routing ID (https://www.fda.gov/industry/about-esg/esg-appendix-j-as2-routing-ids) or headers (https://www.fda.gov/industry/about-esg/esg-appendix-f-as2-header-attributes) to indicate the receiving center and submission type.
An industry partner submitting via AS2 must indicate to ESG NextGen on how to route the submission via one of 3 methods:

Option 1: Center / submission type specific AS2 routing ID in the AS2-To header.

• Valid AS2 center / submission type routing ID’s for industry can be found at https://www.fda.gov/industry/about-esg/esg-appendix-j-as2-routing-ids
• Messages sent using this option should be encrypted using the ZZFDA certificate or left unencrypted. They cannot be encrypted using the ZZFDATST certificate.

Option 2: Custom X-Cyclone-Metadata-FdaSubmissionType and X-Cyclone-Metadata-FdaCenter headers paired with ZZFDA for production submissions or ZZFDATST for test submissions in the AS2-To header.

• Valid custom header options can be found at https://www.fda.gov/industry/about-esg/esg-appendix-f-as2-header-attributes
• Production submissions addressed to ZZFDA should be encrypted using the ZZFDA certificate or left unencrypted.
• Test submissions addressed to ZZFDATST should be encrypted using the ZZFDATST certificate or left unencrypted.

Option 3: Center / submission type specific AS2 routing ID in the X-Cyclone-True-Receiver header paired with ZZFDA for production submissions or ZZFDATST for test submissions in the AS2-To header.

• Valid AS2 center / submission type routing ID’s for industry can be found at https://www.fda.gov/industry/about-esg/esg-appendix-j-as2-routing-ids
• Production submissions addressed to ZZFDA should be encrypted using the ZZFDA certificate or left unencrypted.
• Test submissions addressed to ZZFDATST should be encrypted using the ZZFDATST certificate or left unencrypted.

ESG NextGen utilizes the same encryption certificate as legacy ESG.

Confirm Receipt of MDN and ACKs

1. Monitor Acknowledgements:
   • Verify the receipt of the following acknowledgements via AS2:
   • MDN (Message Disposition Notification) (optional)
   • ACK2 (if applicable to your submission type)
   • ACK3/4 (if applicable to your submission type)

Unchanged from Legacy ESG

The following aspects of the ESG NextGen system remain unchanged from the previous ESG system:

• FDA and Industry Certificates: All certificates loaded in legacy ESG Preprod and Prod will be migrated to ESG NextGen Production.
• FDA Routing IDs
• FDA Custom Routing Headers
• Industry AS2 Contact Information
• Industry Routing IDs
• ACK2 Format
• ACK3 Format

Changes from Legacy ESG

• Core ID Format: ci<timestamp>.<GUID> (47 characters).
• ESG NextGen AS2 Message ID follows RFC 4130 guidelines.
• IP Ranges:
  • Inbound range (industry to FDA) used for synchronous MDN’s and submissions: Prod: 15.205.247.22 and 3.31.183.245
  • Outbound range (FDA to industry) used for asynchronous MDN’s, ACK2’s, and ACK3’s: 150.148.0.0/16
• AS2 URL
• For production submissions: https://upload-api-esgng.fda.gov:4080/as2/receive
• For test submissions: https://upload-api-esgng.fda.gov:4080/as2/receive/test
• Industry Credentials must be resubmitted via JSON payload or encrypted email. For more information on the JSON file, refer to Section 2.3 Additional Steps for Password Protected AS2 Endpoints.
• ESG NextGen only accepts one signing/encryption certificate per industry routing ID regardless of which environment the routing ID is utilized. If multiple signing certificates are required by your organization, then multiple industry routing IDs are required.
  • Ex: Same routing ID is used in the industry pre-prod/test environment as their production environment and a different certificate is used in each environment, this is not allowed. A new routing ID would need to be generated for one of the environments.
  • Please contact ESGNGSupport@fda.hhs.gov for further assistance, if needed.

Common Issues and Trouble Shooting

• The following table describes behaviors and possible causes:

Symptom	Potential Cause	Potential Action Items
Not receiving MDN	Security blocks	Verify industry firewalls are allowing FDA IP’s to connect
		Verify certificates in place on both sides
	Bad request	Ensure header being used is a supported header

Symptom	Potential Cause	Potential Action Items
	Sender has requested not to receive MDN in header	Reconfigure sending software to request an MDN
	AS2 gateway issues	MDN’s are being delivered to industry AS2 gateway but rejected with a 400 or 500 error. Contact ESG NextGen Support for help troubleshooting.
Not receiving ACKs	Credentials	Verify if credentials are in use and if ESG NextGen has them
	Firewall	Verify industry firewalls are allowing FDA IP’s to connect
	AS2 gateway issues	ACK’s are being delivered to industry AS2 gateway but rejected with a 400 or 500 error. Contact ESG NextGen Support for help troubleshooting.

References

• FDA ESG NextGen Support: ESGNGSupport@fda.hhs.gov
• For ESG NextGen encryption and signing certificates, email ESGNGSupport@fda.hhs.gov

FAQ

• Q: What is the purpose of this guide?
  • A: The guide is intended for industry participants wanting to utilize AS2 to submit regulatory information to the FDA.
• Q: How can I update my AS2 configuration?
  • A: Access the AS2 configuration settings, make changes, and save them to confirm.

Documents / Resources

FDA AS2 Electronic Submission Gateway Next Gen [pdf] User Guide AS2 Electronic Submission Gateway Next Gen, AS2, Electronic Submission Gateway Next Gen, Submission Gateway Next Gen, Gateway Next Gen, Next Gen

References

• User Manual