EMSWe RIM Sender Integration – Access Point Setup Guide
Reference document
This document is a concise technical overview for senders.
For authoritative requirements, detailed field definitions, validation rules, certificate policies, and legal references, always refer to:
Finland EMSWe Domibus Sender Integration Guide.pdf
Purpose
This document provides quick, practical guidance for senders integrating with a Member State backend through the Reporting Interface Module (RIM) using AS4 (Domibus) within the European Maritime Single Window environment (EMSWe).
It focuses on:
- Sender-side architecture and responsibilities
- AS4 Access Point (C2) setup and ownership
- Message preparation and metadata expectations
- Security, certificates, and authentication prerequisites
This guidance applies to both:
- Declarants (DECL)
- Data Service Providers (DSP)
as defined by EMSWe and the RIM architecture.
Architecture Overview (Four-Corner Model)
```mermaid
flowchart LR
    C1["Sender Backend (C1)"]
    C2["Sender AS4 Access Point – Domibus (C2)"]
    C3["Member State RIM – Domibus (C3)"]
    C4["Member State MNSW Backend (C4)"]
    C1 -->|ASiC-E payload| C2
    C2 -->|AS4 UserMessage| C3
    C3 -->|Validated payload| C4
```
| Corner | Role | Responsibility |
|---|---|---|
| C1 | Sender backend | Generates EMSWe formalities and signs ASiC-E |
| C2 | Sender Access Point | AS4 messaging, WS-Security, TLS |
| C3 | Member State RIM | Authentication, validation, routing |
| C4 | Member State backend | Business processing |
The sender fully controls C1 and C2 only. All communication beyond C2 takes place via secure AS4 exchange.
AS4 Access Point Requirement (Key Rule)
There is NO shared or Member State–provided AS4 Access Point.
- The Member State does not provide an AS4 Access Point for senders
- All AS4 Access Points (C2) are self-hosted
- Responsibility for setting up, configuring, and operating C2 lies entirely with the sender side
The Domibus AS4 Access Point software is publicly available and can be downloaded from the EU DIGIT eDelivery website. Each sender must install and operate its own Domibus instance and configure communication between:
- its backend system (C1), and
- its AS4 Access Point (C2)
This applies regardless of whether the sender submits messages directly or via a service provider.
Role of Data Service Providers (DSP)
A Data Service Provider (DSP) can be characterized as a technical service that:
- Operates an AS4 Access Point (C2) on behalf of one or more Declarants (DECL)
- Provides connectivity, AS4 messaging, and security configuration as a service
- Integrates multiple Declarant backends (C1) with its own Access Point (C2)
Important clarifications:
- DSPs are not provided by the Member State
- DSPs are not central or national shared services
- Use of a DSP is a commercial or contractual arrangement between senders and the DSP
From the RIM and Member State perspective:
- Both DECL and DSP are treated as senders
- Both must be registered in URAM
- Both are responsible (directly or indirectly) for operating a compliant C2 (AS4 Access Point)
Message Preparation (Sender Backend – C1)
Before transmission, the sender backend must create an ASiC-E container that includes:
- EMSWe formality XML
- META-INF/signatures.p7b (CAdES signature)
- manifest.xml
- mimetype = application/vnd.etsi.asic-e+zip
- Optional signed attachments (PDF, XML, jpg or png)
Signature requirements:
- eIDAS Qualified or Advanced Electronic Signature (QES / AdES)
- Hash algorithm: SHA-256
The ASiC-E container is handed over to the Access Point unchanged.
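The container layout listed above can be checked on the C1 side before hand-over to the Access Point. The following Python code is an added example, not taken from the referenced guide or from Domibus, and it checks structure only, not the CAdES signature. Assumptions: the entry names are those given above, manifest.xml may sit at the root or under META-INF/, the mimetype entry follows the ASiC convention of being the first, uncompressed ZIP entry, and `check_asic_e` and `build_sample` are hypothetical names.

```python
import io
import zipfile

ASIC_E_MIMETYPE = b"application/vnd.etsi.asic-e+zip"
SIGNATURE_ENTRY = "META-INF/signatures.p7b"  # entry name as given in this guide


def check_asic_e(container: bytes) -> list[str]:
    """Return structural problems found in the container; an empty list means none."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(container))
    except zipfile.BadZipFile:
        return ["not a ZIP archive"]
    with zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        # Assumption: mimetype must be the first entry and stored without compression.
        if not infos or infos[0].filename != "mimetype":
            problems.append("mimetype is not the first entry")
        elif infos[0].compress_type != zipfile.ZIP_STORED:
            problems.append("mimetype entry is compressed")
        if "mimetype" in names and zf.read("mimetype") != ASIC_E_MIMETYPE:
            problems.append("mimetype content is not the ASiC-E media type")
        if SIGNATURE_ENTRY not in names:
            problems.append("missing " + SIGNATURE_ENTRY)
        if not any(n.rsplit("/", 1)[-1] == "manifest.xml" for n in names):
            problems.append("missing manifest.xml")
        # The EMSWe formality: at least one XML payload outside META-INF.
        payload = [n for n in names if n.lower().endswith(".xml")]
        if not any(not n.startswith("META-INF/") and n != "manifest.xml" for n in payload):
            problems.append("no formality XML found")
    return problems


def build_sample(mimetype=ASIC_E_MIMETYPE, with_signature=True) -> bytes:
    """Constructed sample container with placeholder contents (not a real signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), mimetype)  # ZipInfo defaults to ZIP_STORED
        zf.writestr("formality.xml", "<Formality/>")
        zf.writestr("manifest.xml", "<manifest/>")
        if with_signature:
            zf.writestr(SIGNATURE_ENTRY, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_asic_e(build_sample()))
    print(check_asic_e(build_sample(with_signature=False)))
```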
AS4 Message Mapping (Access Point – C2)
The Access Point (Domibus) wraps the ASiC-E container into an AS4 UserMessage.
Mandatory header metadata includes:
| Field | Description |
|---|---|
| Sender | Sender Access Point identifier |
| Receiver | Member State RIM identifier |
| Authorization.Identifier | Sender EORI |
| Authorization.Type | DECL or DSP |
| Authorization.SubDomain | Country code |
| originalSender | Business identifier of C1 |
| finalRecipient | Member State MNSW |
| Service | rim-messaging-service |
| Action | emswe-formality-request |
| MessageId | UUID |
| Timestamp | ISO 8601 |
Critical requirement: The EORI value must exactly match the value registered in URAM, otherwise the message is rejected.
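A sender can run the same comparison locally before submitting, so that an EORI that differs only in case or whitespace is caught at C1/C2 rather than rejected by the RIM. The following Python code is an added example, not part of Domibus or the referenced guide. Assumptions: the metadata is held as a flat dictionary keyed by the field names in the table, Authorization.Type and Authorization.SubDomain are compared with the registration in the same exact way as the EORI, and all sample identifiers are constructed placeholders.

```python
import uuid
from datetime import datetime

MANDATORY = ("Sender", "Receiver", "Authorization.Identifier", "Authorization.Type",
             "Authorization.SubDomain", "originalSender", "finalRecipient",
             "Service", "Action", "MessageId", "Timestamp")
FIXED = {"Service": "rim-messaging-service", "Action": "emswe-formality-request"}
URAM_KEYS = ("Authorization.Identifier", "Authorization.Type", "Authorization.SubDomain")

# Constructed sample values; identifiers are placeholders, not real parties.
REGISTERED = {"Authorization.Identifier": "FI0000000-0",
              "Authorization.Type": "DECL", "Authorization.SubDomain": "FI"}
SAMPLE = {**REGISTERED, "Sender": "sender-ap-placeholder", "Receiver": "rim-placeholder",
          "originalSender": "c1-backend-placeholder", "finalRecipient": "mnsw-placeholder",
          **FIXED, "MessageId": "3f2b8c1e-5d47-4a9b-8e21-0c6f7a1d9b34",
          "Timestamp": "2025-01-15T09:30:00Z"}


def check_header(meta: dict, registered: dict) -> list[str]:
    """Return the reasons this metadata would fail a pre-send check (empty = pass)."""
    errors = [f"missing {k}" for k in MANDATORY if not meta.get(k)]
    if errors:
        return errors
    errors += [f"{k} must be {v}" for k, v in FIXED.items() if meta[k] != v]
    if meta["Authorization.Type"] not in ("DECL", "DSP"):
        errors.append("Authorization.Type must be DECL or DSP")
    # Exact comparison on purpose: no strip(), no case folding, no normalisation.
    errors += [f"{k} differs from URAM registration"
               for k in URAM_KEYS if meta[k] != registered[k]]
    try:
        uuid.UUID(meta["MessageId"])
    except ValueError:
        errors.append("MessageId is not a UUID")
    try:
        # fromisoformat() covers the common ISO 8601 profiles; "Z" is mapped for older Pythons.
        datetime.fromisoformat(meta["Timestamp"].replace("Z", "+00:00"))
    except ValueError:
        errors.append("Timestamp is not ISO 8601")
    return errors


if __name__ == "__main__":
    print(check_header(SAMPLE, REGISTERED))
    print(check_header({**SAMPLE, "Authorization.Identifier": "fi0000000-0 "}, REGISTERED))
```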
Certificates and Security
| Purpose | Used by | Certificate |
|---|---|---|
| ASiC-E signing | C1 | eIDAS QES / AdES |
| AS4 signing & encryption | C2 | X.509 (Domibus keystore) |
| TLS transport | C2 ↔ C3 | X.509 TLS |
| Trust validation | All | CA certificates |
Minimum cryptographic requirements:
- RSA ≥ 2048 bits or ECDSA ≥ 256 bits
- SHA-256
Registration and Authentication (URAM)
Before sending any messages:
- The sender must be registered in URAM by the Member State
- Registration includes:
  - EORI
  - Sender type (DECL or DSP)
  - Country subdomain
  - Certificate fingerprint
The RIM validates every incoming AS4 message against URAM.
Access Point Configuration and Changes
A bilateral AS4 agreement between the sender and the Member State defines:
- AS4 endpoints
- Party identifiers
- Certificates
- PMode configuration
- Security policy
Any change (certificate, endpoint, key) requires:
- Advance notification
- Certificate exchange
- PMode update
- Staging tests
- Production activation
- Versioned documentation