Instructions for the athena-hosted SFTP migration
At athenahealth, we’re continually working to ensure our technology is as reliable and secure as possible, and for this project, we need your help. In the coming weeks, we’ll be migrating our athenahealth-hosted SFTP service (aSFTP) to Amazon Web Services (AWS) to improve the stability and security of your aSFTP traffic. This update will impact all aSFTP connections that currently point to sftp.athenahealth.com, as we’ll be updating the hostname to a new DNS address.
Please note that this update will not affect your user credentials or any integrations hosted by your organization, other vendors, or third-party IT services. The only integrations that will be impacted are those hosted by athenahealth, specifically those hosted on sftp.athenahealth.com. This is a large project, and your timely participation is essential to its success.
What do you need to do?
We ask that you perform the following actions in anticipation of the migration:
- Confirm you are currently compliant with the prerequisites listed below.
- Please email us at sftpmigration@athenahealth.com with a date and time that is convenient for you to test your server to validate its functionality using the information below. We will coordinate with our development team for this validation to be seamless on your chosen date.
- Change your server’s hostname to enable migration to the new production server. See below for more information.
Once your validation is completed successfully, we will reach out to coordinate with you on the production migration.
Essential Prerequisites
Our upgraded server has some new security policies, and you need to validate that your SFTP client complies with them. The upgraded server will support only the following algorithms and ciphers as per the TransferSecurityPolicy-FIPS-2020-06 security policies listed here.
KEXs
- diffie-hellman-group14-sha256
- diffie-hellman-group16-sha512
- diffie-hellman-group18-sha512
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
- diffie-hellman-group-exchange-sha256
- ecdh-sha2-nistp256
MACs
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-256
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-512
TLS Ciphers
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSH Ciphers
- aes128-ctr
- aes128-gcm@openssh.com
- aes192-ctr
- aes256-ctr
- aes256-gcm@openssh.com
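As an added example (not athenahealth's own tooling), the following shell script checks a client against the KEX, MAC and SSH cipher lists above. It assumes the client is OpenSSH, whose ssh -Q option lists the algorithms it supports; the function names overlap, report and check_client are illustrative.

```shell
#!/bin/sh
# Added example: compare an OpenSSH client's algorithms with the policy lists on this page.

# Allowed values copied from the KEXs, MACs and SSH Ciphers lists above.
ALLOWED_KEX="diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256"
ALLOWED_MAC="hmac-sha2-256-etm@openssh.com hmac-sha2-256 hmac-sha2-512-etm@openssh.com hmac-sha2-512"
ALLOWED_CIPHER="aes128-ctr aes128-gcm@openssh.com aes192-ctr aes256-ctr aes256-gcm@openssh.com"

# overlap CLIENT_LIST ALLOWED_LIST
# Prints, one per line, each client algorithm that the server policy accepts.
# Returns 1 if there is no common algorithm (negotiation would fail).
overlap() {
    found=1
    for alg in $1; do
        for ok in $2; do
            if [ "$alg" = "$ok" ]; then
                printf '%s\n' "$alg"
                found=0
            fi
        done
    done
    return $found
}

# report LABEL CLIENT_LIST ALLOWED_LIST: readable result for one category.
report() {
    if common=$(overlap "$2" "$3"); then
        printf '%s: OK (%s)\n' "$1" "$(printf '%s' "$common" | tr '\n' ' ')"
    else
        printf '%s: NO COMMON ALGORITHM\n' "$1"
        return 1
    fi
}

# check_client: query the local client; returns non-zero if any category has a gap.
# ssh -Q lists what the binary supports; a local ssh_config may enable fewer.
check_client() {
    rc=0
    report "KEX"    "$(ssh -Q kex)"    "$ALLOWED_KEX"    || rc=1
    report "MAC"    "$(ssh -Q mac)"    "$ALLOWED_MAC"    || rc=1
    report "Cipher" "$(ssh -Q cipher)" "$ALLOWED_CIPHER" || rc=1
    return $rc
}

# Run against the local client only when OpenSSH is installed.
if command -v ssh >/dev/null 2>&1; then
    check_client || true
fi
```

A category reported as NO COMMON ALGORITHM means the client cannot negotiate a connection under the new policy and needs to be upgraded or reconfigured before the test date.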
Validating Functionality in a Test Environment
Please connect to the following host from your SFTP client and transmit test files (no actual data, please) to validate your connection to our test environment.
Host: external.sftp.fuzzy.athena.io
Username: (Same as for current connection with sftp.athenahealth.com)
Password: (Same as for current connection with sftp.athenahealth.com)
Migrating to the Production Server
On the day scheduled for your service migration, please change the hostname in your SFTP client from sftp.athenahealth.com to external.sftp.athena.io.
Troubleshooting
If you have any issues with SFTP connectivity:
- Start by confirming that the credentials and the hostname match the options provided above.
- You could be experiencing an issue with the SFTP client. Validate that you are on the correct version and confirm it is using one of the algorithms (listed above) for establishing the connection.
- Check to see where the connection is aborting by enabling the debugger.
- If you continue to have connection problems, or if you have any questions, please email us at sftpmigration@athenahealth.com and include the following information:
a. Your username
b. Your interface vendor ID
c. Any technical details that you or your IT team feel are relevant for troubleshooting (e.g., error messages or snapshots of errors).
d. Technical contact(s) from your team and the best method to reach them.
Thank you for your patience and partnership with this transition. We appreciate you helping us ensure that athenaOne’s data exchange continues to be protected and secure.