...

We plan to disable CBC ciphers and enable TLSv1.3 encryption according to the following schedule:

What is SFTP?

SSH File Transfer Protocol (SFTP) is a secure file transfer protocol. Connections made using SFTP use SSH to provide secure transport for your files with Westpac.

Why is Westpac Changing Its SFTP Server Cryptography Standards?

The Payment Card Industry Security Standard Council has deemed that the above cryptography standards (SHA1 and CBC) are no longer secure for SFTP servers and hence Westpac is changing its offered cryptography in line with these standards.

When will this change take place?

The change is scheduled for the following dates:

We encourage you to perform UAT testing in the Test/Support environment as soon as possible to ensure your SFTP client is compatible with the cryptography options available in this environment.

What must I do?

  1. Read this detailed change advice, and escalate to your technical team for review.

  2. Identify all SFTP client instances that interact with the SFTP server and take action to prepare for this change in advance. Note that older SFTP client software may not support SHA2(256) for MACing (as an example). You will need to check with your provider.

  3. Consult your SFTP client vendor documentation and/or technical support to ensure that no SFTP client relies exclusively on either of the following:

    1. All SHA1 hashing for Key Exchange

    2. All CBC Ciphers

  4. Are any keys changing? No keys are changing. Your SFTP client needs to support the above cryptography.

  5. Use the iLink SFTP (Qvalent) Test/Support Environment to perform UAT testing to confirm no compatibility issues between your SFTP client and our hardened service offering.

  6. Resolve any issues by upgrading any required SFTP clients to support the latest industry-grade cryptography standards and perform UAT testing against our Test/Support environment.

  7. Promote all changes to your Production environment before the Production change deadline.

  8. Understand and be prepared to instigate your iLink BCP solution in the event of any issues post-change. This includes how to manually transfer files from your finance applications into/from iLink in the event of an SFTP client connection failure.
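
One way to carry out the check in step 3 for an OpenSSH-based client, as an added example that is not part of Westpac's or Qvalent's advice: it reads the output of `ssh -G <host>` and reports whether any key exchange algorithm and cipher remain once SHA1 key exchange and CBC ciphers are removed. The two sample dumps are constructed, the function names are hypothetical, and matching on "sha1" and "-cbc" in the algorithm name is an assumption based on OpenSSH naming.

```python
import subprocess
import sys

# Constructed `ssh -G` style dumps (not captured from any real client).
LEGACY = """kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
ciphers aes128-cbc,3des-cbc"""
MODERN = """kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
ciphers aes256-ctr,aes128-cbc"""

def parse_dump(text):
    """Extract the KEX and cipher lists from `ssh -G <host>` output."""
    algs = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() in ("kexalgorithms", "ciphers"):
            algs[key.lower()] = [a for a in value.strip().split(",") if a]
    return algs

def is_being_disabled(keyword, name):
    """SHA1-based key exchange and CBC-mode ciphers, matched by algorithm name."""
    if keyword == "kexalgorithms":
        return "sha1" in name
    return "-cbc" in name

def audit(text):
    """Return {keyword: (remaining, dropped)} once SHA1 KEX and CBC are removed."""
    report = {}
    for keyword, names in parse_dump(text).items():
        dropped = [n for n in names if is_being_disabled(keyword, n)]
        remaining = [n for n in names if not is_being_disabled(keyword, n)]
        report[keyword] = (remaining, dropped)
    return report

def has_surviving_algorithms(text):
    """False when the client relies exclusively on SHA1 KEX or CBC ciphers."""
    report = audit(text)
    return all(report.get(k, ([], []))[0] for k in ("kexalgorithms", "ciphers"))

if __name__ == "__main__":
    # With a host argument, audit the local OpenSSH client's effective settings.
    dumps = {"legacy sample": LEGACY, "modern sample": MODERN}
    if len(sys.argv) > 1:
        out = subprocess.run(["ssh", "-G", sys.argv[1]], capture_output=True, text=True, check=True)
        dumps = {sys.argv[1]: out.stdout}
    for label, dump in dumps.items():
        print(label, "OK" if has_surviving_algorithms(dump) else "AT RISK", audit(dump))
```

A passing result only shows that the client is not limited to the algorithms being removed; UAT testing against the Test/Support environment is still what confirms compatibility.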

Common Issues 

If the change preparation has not been successfully applied, an SFTP connection to the WIBS SFTP server will not be successful without manual administrative user intervention. This may appear as any of the following errors, depending on your SFTP client software/application:

...

Frequently Asked Questions

Do I need to send through a new Connectivity Change Request?

There is no requirement to send through a Connectivity Change Request in iLink for customers to take action on this change. This change should only affect the SFTP client software and not the network path.

Do I need to change my SSH or PGP keypairs for this change?

This change does not affect your SSH or PGP keypairs and there is no requirement for them to change as a part of this change.

Qvalent pushes files to our SFTP server. Do I need to change my SFTP server? 

...

How do I evaluate whether my SFTP client software contains cryptography which is compatible with the changes Westpac is making?

...

Yes, this change will apply to all SFTP HTTP customers that connect to the Westpac (Qvalent) SFTP serversweb services.

Contact Us

Email wibs_support@qvalent mailto:quickstream@qvalent.com or phone the Helpdesk team on 1300 726 370 between 7:00am and 7:00pm (AEST), Monday to Friday.

...