
Submitted URL: https://cornerstoneondemand.my.site.com/s/articles/Saba-FAQ-2024-SFTP-WeakCipherDisablement
Effective URL: https://cornerstoneondemand.my.site.com/s/articles/Saba-FAQ-2024-SFTP-WeakCipherDisablement?language=en_US
Submission: On June 06 via api from JP — Scanned from JP

SABA SCHEDULED MAINTENANCE: 2024 SFTP SERVICE UPGRADE & WEAK CIPHER DISABLEMENT
(SN-04252024-2)

2024/06/04•KNOWLEDGE


INFORMATION

Title: Saba Scheduled Maintenance: 2024 SFTP Service Upgrade & Weak Cipher Disablement (SN-04252024-2)
URL Name: Saba-FAQ-2024-SFTP-WeakCipherDisablement
Product Suite: General Information and Advisories
Article Number: 000027879
Product Category: General Information and Advisories



ARTICLE CONTENTS

Description


ACTION IS REQUIRED: REVIEW THIS FAQ WITH YOUR CORPORATE IT DEPARTMENT

As announced in a recent Product Advisory (reference SN-04252024-2), Cornerstone
is pleased to roll out a significant upgrade to our Secure File Transfer
Protocol (SFTP) service for Saba customers. This upgrade aligns with the most
current industry standards and focuses on reinforcing the security of your data
transfers.

This activity involves the disablement of outdated ciphers, key exchange (KEX)
algorithms, and message authentication codes (MACs) that are no longer
considered secure. After the upgrade, any connection attempts using unsupported
ciphers will be blocked. Although many customers will not be required to take
any action due to these changes, please review this article with your corporate
IT department and all relevant parties responsible for managing your SFTP
connections to confirm.

Quick Links
 * Schedule
 * Potential Impact & Tips to Prepare
 * FAQs

Schedule

Note: Each region has a single maintenance window for non-production,
production, and VEMS environments. 



SCHEDULED MAINTENANCE NOTIFICATIONS: 
We have sent Scheduled Maintenance emails to registered Service Alert contacts
for customers in each region. These alerts are identified by the SN reference
numbers specified in the subject line. 
 
 * APAC (reference SN-05152024-9):
   Fri, Jun 14th from 9 PM - 11 PM AEST
    
 * Canada (reference SN-05152024-10):
   Fri, Jun 14th from 9 PM - 11 PM PDT
    
 * EMEA - UK & Frankfurt (reference SN-05152024-11):
   Sat, Jun 15th from 5 AM - 7 AM BST
    
 * EMEA - Amsterdam (reference SN-05152024-12):
   Sat, Jun 22nd from 5 AM - 7 AM BST
    
 * North America (reference SN-05152024-13):
   Fri, Jun 28th from 9 PM - 11 PM PDT

Potential Impact and Tips to Prepare

Customers may experience the impact of this change in the following areas:

 1. USE SECURE CIPHERS, KEX, & MACs.
    Potential Impact: This activity involves disabling outdated ciphers, key
    exchange (KEX) algorithms, and message authentication codes (MACs) that are
    no longer considered secure. After the upgrade, any connection attempts
    using ciphers not included in the list in FAQ #8 below will be denied. 
    
    How to Prepare: Work with your corporate IT department and all relevant
    parties responsible for managing your SFTP connections to audit all client
    configurations involved in file transfers to the SFTP. Confirm that all
    systems are upgraded and utilizing supported ciphers prior to the scheduled
    upgrade.
     
 2. ACCEPT THE UPDATED HOST KEY.
    Potential Impact: When making the initial connection to the test device and
    after the scheduled upgrade, you may be prompted to verify the identity of
    the SFTP server with a message stating, "The server's host key is unknown.
    Trust this host and carry on connecting?" 
    
    How to Prepare: Establish a manual connection with the new SFTP server to
    select the option "Always trust this host, add this key to cache" and
    acknowledge by clicking OK. This step is vital for maintaining seamless and
    prompt-free future connections.
     
 3. SCHEDULE FILE TRANSFERS AROUND THE MAINTENANCE WINDOW.
    Potential Impact: The SFTP device will be offline during the scheduled
    maintenance window. Any file transfer attempts, such as placing files on or
    retrieving files from the SFTP device, will not be successful while we
    perform this critical upgrade.
    
    How to Prepare: Adjust the timings for any scheduled file jobs or make
    alternative arrangements to process the file transfers to prevent any
    disruptions to your operations. 


FAQS


Q1. IS THERE ANY DOWNTIME FOR THE APPLICATION DURING THIS WINDOW? 

No, the application will be available for the duration of the maintenance
window.
 


Q2. IS IT POSSIBLE TO SCHEDULE THE UPGRADE FOR NON-PRODUCTION ENVIRONMENTS IN
ADVANCE OF PRODUCTION?

Upgrades for non-production environments cannot be individually scheduled in
advance of production due to infrastructure arrangements. Each region operates
with a single SFTP device for all non-production, production, and VEMS
environments. Because of this shared infrastructure, any scheduled upgrades must
occur simultaneously across all environments within the same data center within
a coordinated maintenance window. This ensures consistency and minimizes the
risk of discrepancies between environments.



Q3. WILL THE IP ADDRESS OR URL FOR THE SFTP SERVICE CHANGE AS PART OF THIS
UPGRADE?

No, there will be no changes to the IP address or URL.
 


Q4. WILL THE ACCOUNT NAME OR PASSWORD CHANGE?

No, all account credentials will remain the same.
 


Q5. HOW CAN WE PERFORM TESTING TO ENSURE THAT WE ARE USING SUPPORTED CIPHERS?

We have created replicas of the existing SFTP devices in each region for
customers to perform connectivity testing in advance of this change. Access
details for the testing device for your region have been sent in the
Scheduled Maintenance alerts for each region (see detail above for the
corresponding SN reference numbers for the alert sent to each region). To test
connectivity, work with your IT department and all relevant parties responsible
for managing your SFTP connections to send or extract test files simulating your
standard process.

Additional testing notes: 

 * Tests for SFTP connections can only be conducted using SFTP clients that are
   currently utilizing our existing SFTP infrastructure for their file
   transfers. This is to ensure that the tests accurately reflect the conditions
   under which your file transfers are normally performed and to maintain the
   integrity of the testing process. 
 * All customer IP addresses previously added to the safelist for use with our
   existing SFTP servers in each region have been added to the test devices. 
 * Customers may need to add the IP address of the Cornerstone temporary testing
   device to the safelist for the SFTP clients used to perform connectivity
   testing.
 * Customers can connect to test devices using the same account details and
   credentials.
 * Any test files sent to the SFTP will be deleted after the upgrade.



Q6. WE USE SSH KEYS TO CONNECT TO THE SFTP. WILL THERE BE ANY UPDATES REQUIRED
FOR THE SSH KEYS? 

Your existing SSH keys will continue to work seamlessly, so there's no need to
update SSH keys on your part. However, during the initial SSH connection
to the test or upgraded SFTP server, some connections may encounter a prompt to
confirm the server's identity (see detail above for more info about this
prompt).

 
 
 

CRUCIAL NOTES FOR CUSTOMERS USING AUTOMATED JOBS:

 * Automated jobs may fail without accepting the new host key due to the trust
   prompt. Please perform a manual connection to accept the new host key to
   avoid disruptions.
 * If you encounter the prompt on the test device, you may need to follow the
   same steps again after the upgrade. 

 
 

 


Q7. WHAT SHOULD I DO IF I HAVE MORE QUESTIONS OR CONCERNS?

If you have any general questions or concerns, please submit a case via Support
Central.

 


Q8. WHICH CIPHERS WILL BE SUPPORTED BY THE SFTP SERVICE AFTER THE UPGRADE? 

In alignment with industry best practices, after the upgrade, our SFTP service
will only support the following cipher suite:
 

CIPHERS

 * 3des-cbc
 * aes128-cbc
 * aes192-cbc
 * aes256-cbc
 * aes128-ctr
 * aes192-ctr
 * aes256-ctr
 * aes128-gcm@openssh.com
 * aes256-gcm@openssh.com
 * chacha20-poly1305@openssh.com

MAC

 * hmac-sha1
 * hmac-sha1-96
 * hmac-sha2-256
 * hmac-sha2-512
 * hmac-md5
 * hmac-md5-96
 * umac-64@openssh.com
 * umac-128@openssh.com
 * hmac-sha1-etm@openssh.com
 * hmac-sha1-96-etm@openssh.com
 * hmac-sha2-256-etm@openssh.com
 * hmac-sha2-512-etm@openssh.com
 * hmac-md5-etm@openssh.com
 * hmac-md5-96-etm@openssh.com
 * umac-64-etm@openssh.com
 * umac-128-etm@openssh.com

KEX

 * diffie-hellman-group1-sha1
 * diffie-hellman-group14-sha1
 * diffie-hellman-group14-sha256
 * diffie-hellman-group16-sha512
 * diffie-hellman-group18-sha512
 * diffie-hellman-group-exchange-sha1
 * diffie-hellman-group-exchange-sha256
 * ecdh-sha2-nistp256
 * ecdh-sha2-nistp384
 * ecdh-sha2-nistp521
 * curve25519-sha256
 * curve25519-sha256@libssh.org
 * sntrup761x25519-sha512@openssh.com
 * ssh-ed25519
 * ssh-ed25519-cert-v01@openssh.com
 * sk-ssh-ed25519@openssh.com
 * sk-ssh-ed25519-cert-v01@openssh.com
 * ssh-rsa
 * ssh-dss
 * ecdsa-sha2-nistp256
 * ecdsa-sha2-nistp384
 * ecdsa-sha2-nistp521
 * sk-ecdsa-sha2-nistp256@openssh.com
 * ssh-rsa-cert-v01@openssh.com
 * ssh-dss-cert-v01@openssh.com
 * ecdsa-sha2-nistp256-cert-v01@openssh.com
 * ecdsa-sha2-nistp384-cert-v01@openssh.com
 * ecdsa-sha2-nistp521-cert-v01@openssh.com
 * sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
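
The client audit recommended under "How to Prepare" can be scripted. The following is an added example, not part of the Cornerstone article: it reads the effective settings an OpenSSH client prints with `ssh -G <host>` and, for each category in FAQ #8, picks the first client algorithm the server also lists (the basic SSH negotiation rule, simplified here). The function names and sample inputs are constructed for illustration, and only the key-exchange names of the third column are checked.

```python
# Algorithm names transcribed from FAQ #8; "kex" holds only the key-exchange
# entries of the third column (its host-key names are not checked here).
SERVER = {
    "ciphers": "3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr "
               "aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com "
               "chacha20-poly1305@openssh.com",
    "macs": "hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 "
            "hmac-md5-96 umac-64@openssh.com umac-128@openssh.com "
            "hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com "
            "hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com "
            "hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com "
            "umac-64-etm@openssh.com umac-128-etm@openssh.com",
    "kex": "diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 "
           "diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 "
           "diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 "
           "diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 "
           "ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 "
           "curve25519-sha256@libssh.org sntrup761x25519-sha512@openssh.com",
}
AEAD = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"}
KEYS = {"ciphers": "ciphers", "macs": "macs", "kexalgorithms": "kex"}

def parse_ssh_g(text):
    """Map `ssh -G <host>` output to {category: [algorithms in client order]}."""
    offered = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() in KEYS:
            offered[KEYS[key.lower()]] = value.strip().split(",")
    return offered

def negotiate(offered):
    """Per category, pick the first client algorithm the server also lists."""
    result = {}
    for cat, names in SERVER.items():
        result[cat] = next((a for a in offered.get(cat, []) if a in names.split()), None)
    # AEAD ciphers authenticate the data themselves; OpenSSH skips the MAC choice.
    if result["ciphers"] in AEAD:
        result["macs"] = "implicit"
    return result

def blocked(result):
    """Categories with no common algorithm; any entry here means no connection."""
    return sorted(cat for cat, alg in result.items() if alg is None)

# Constructed `ssh -G` excerpts for illustration (not real client output).
LEGACY = "ciphers arcfour,blowfish-cbc\nmacs hmac-ripemd160,hmac-sha1\nkexalgorithms diffie-hellman-group14-sha1\n"
AEAD_ONLY = "ciphers aes256-gcm@openssh.com\nmacs hmac-ripemd160\nkexalgorithms curve25519-sha256\n"
print({n: blocked(negotiate(parse_ssh_g(s))) for n, s in (("legacy", LEGACY), ("aead", AEAD_ONLY))})
```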
