Migrating Your SFTP Security Policy

by C.W. Holeman III

Overview: Your datafeed vendors, or whoever manages your datafeed files, need to follow the steps below to prevent any interruption in the datafeed files sent to your Wisetail site.

Wisetail is currently undergoing a security policy upgrade. We will be updating our SFTP requirements to follow Amazon's current standard, which we use for incoming SFTP connections. This covers the ciphers, key exchange algorithms (KEXs), and message authentication codes (MACs) the server will accept. The specific algorithm lists are published by Amazon:

Additional information from Amazon: https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html

Your existing datafeeds may be impacted as a result, and action is required: test your SFTP connection now to ensure a smooth transition.

To assist in this transition, we have created a temporary SFTP server that enforces the new security policy. Your account credentials remain the same. Point your SFTP client at the temporary host and test the connection to confirm that the client works with Wisetail's updated policy.

Steps for Testing your updated security policy

  1. Have your vendor, or whoever manages your datafeed file, go to where the SFTP connection to Wisetail is configured on their end.
  2. Change the host to sftp-incoming-new.wisetail.com (the credentials stay the same).
  3. They should be prompted for your credentials as usual.
  4. If the credentials are accepted and the connection to sftp-incoming-new.wisetail.com succeeds, their client software is compatible with the new policy. They can switch back to the original host and configuration; that client version will continue to work after the upcoming change.
  5. Note: if you have multiple datafeeds that use SFTP, test each one, since feeds from different third-party vendors are sent by different client software.
  6. While testing, keep the existing datafeed running against the current host so production delivery is not interrupted.

In the event your credentials do not work

  1. The vendor's SFTP client (for example, FileZilla) will report a connection failure. With SSH this happens when the client and the server share no cipher, key exchange algorithm, or MAC, which means the client has not been updated to the current encryption standards.
  2. As a temporary measure to avoid disruption, have the vendor change the host to sftp-incoming-deprecated.wisetail.com so that your Wisetail site keeps receiving files as expected until the next step is complete.
  3. As soon as possible, have the third-party vendor update the SFTP client software that sends your files so that it supports AWS's latest security policy, TransferSecurityPolicy-2024-01. Once that is done, have the vendor switch the host back to bridger.wisetail.com (or sftp-incoming.wisetail.com, if that is the host your site uses).
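Before the cutover, a practitioner will want to know two things the steps above leave to trial and error: whether a given client can negotiate with the new server at all, and, when a test connection fails, which of the three algorithm categories (cipher, key exchange, MAC) was the problem. The following Python script is an added example, not Wisetail's or AWS's code. It intersects the algorithm lists an OpenSSH client reports via `ssh -Q` with a policy set, and it parses the `debug1: kex:` and `Unable to negotiate` lines that `ssh -vv` or `sftp -vv` print. The POLICY sets are a placeholder assumption, not copied from AWS; replace them with the exact lists for TransferSecurityPolicy-2024-01 from the AWS page linked above. The sample client lists and log lines are constructed for the example.

```python
"""Pre-flight check for the SFTP cutover: does the local OpenSSH client share
at least one cipher, KEX and MAC with the new policy, and what did a real
attempt negotiate (or why did it fail)?"""
import re
import shutil
import subprocess

# ASSUMPTION: placeholder algorithm lists for illustration only. Replace each
# set with the exact lists for TransferSecurityPolicy-2024-01 from the AWS
# security-policies page before relying on the result.
POLICY = {
    "cipher": {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
               "aes256-ctr", "aes128-ctr"},
    "kex": {"curve25519-sha256", "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512", "ecdh-sha2-nistp256"},
    "mac": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256", "hmac-sha2-512"},
}


def parse_query_output(text):
    """Parse the one-algorithm-per-line output of `ssh -Q cipher|kex|mac`."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def common_algorithms(client, policy=POLICY):
    """Per category, the algorithms both the client and the policy allow."""
    return {cat: sorted(client.get(cat, set()) & policy[cat]) for cat in policy}


def client_is_compatible(client, policy=POLICY):
    """SSH negotiation needs at least one shared algorithm in every category;
    an empty intersection in any one of them means the connection fails."""
    return all(common_algorithms(client, policy).values())


def query_local_openssh():
    """Ask the installed OpenSSH client what it supports (None if no ssh)."""
    if shutil.which("ssh") is None:
        return None
    client = {}
    for cat in ("cipher", "kex", "mac"):
        out = subprocess.run(["ssh", "-Q", cat], capture_output=True,
                             text=True, check=True).stdout
        client[cat] = parse_query_output(out)
    return client


# Line formats OpenSSH prints with `ssh -vv` (or `sftp -vv`).
KEX_LINE = re.compile(r"debug1: kex: algorithm: (\S+)")
CIPHER_LINE = re.compile(
    r"debug1: kex: (server->client|client->server) cipher: (\S+) MAC: (\S+)")
FAIL_LINE = re.compile(r"Unable to negotiate .*?: no matching "
                       r"(cipher|key exchange method|MAC) found\. "
                       r"Their offer: (\S+)")


def parse_debug_log(log):
    """Summarise a verbose transcript: what was negotiated, or why it failed.
    A MAC of '<implicit>' means an AEAD cipher such as AES-GCM supplies it."""
    result = {"ok": False, "kex": None, "cipher": {}, "mac": {}, "failure": None}
    for line in log.splitlines():
        if m := KEX_LINE.search(line):
            result["kex"] = m.group(1)
        elif m := CIPHER_LINE.search(line):
            result["cipher"][m.group(1)] = m.group(2)
            result["mac"][m.group(1)] = m.group(3)
        elif m := FAIL_LINE.search(line):
            result["failure"] = {"category": m.group(1),
                                 "server_offer": m.group(2).split(",")}
    result["ok"] = (result["failure"] is None and result["kex"] is not None
                    and bool(result["cipher"]))
    return result


# Constructed sample data (not captured from Wisetail's servers).
LEGACY_CLIENT = {"cipher": {"aes128-cbc", "3des-cbc"},
                 "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
                 "mac": {"hmac-sha1", "hmac-md5"}}
MODERN_CLIENT = {"cipher": {"aes256-gcm@openssh.com", "aes256-ctr"},
                 "kex": {"curve25519-sha256", "ecdh-sha2-nistp256"},
                 "mac": {"hmac-sha2-256-etm@openssh.com"}}
GOOD_LOG = """\
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
"""
BAD_LOG = ("Unable to negotiate with 203.0.113.10 port 22: no matching key "
           "exchange method found. Their offer: curve25519-sha256,ecdh-sha2-nistp256")

if __name__ == "__main__":
    local = query_local_openssh() or MODERN_CLIENT
    print("local client compatible:", client_is_compatible(local))
    print("shared algorithms:", common_algorithms(local))
    print("good attempt:", parse_debug_log(GOOD_LOG))
    print("failed attempt:", parse_debug_log(BAD_LOG))
```

To capture a real transcript against the test host, run `sftp -vv <user>@sftp-incoming-new.wisetail.com 2> attempt.log` and feed the file to parse_debug_log; the regexes match OpenSSH's output only, so a graphical client such as FileZilla needs its own message log read by hand, but the check that matters is the same: one shared cipher, one shared key exchange, and one shared MAC.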

Please be aware that if your SFTP client is not upgraded, it will not be able to connect to Wisetail after February 28, 2025.

Servers

  • bridger.wisetail.com - Current host, still on the old security policy. It will move to the new policy at the cutover date above.
  • sftp-incoming.wisetail.com - Some sites use this rather than bridger.wisetail.com. If so, everything said about bridger applies to sftp-incoming.
  • sftp-incoming-new.wisetail.com - New server, for testing the upgraded policy only.
  • sftp-incoming-deprecated.wisetail.com - Temporary fallback on the old policy for vendors whose client fails against the new server, to be used only until their client is upgraded.

Third-Party Messaging, if needed

Does a third party manage your datafeed SFTP? They may be required to update their security policy and encryption standards in order to continue sending files to Wisetail on your behalf. Send your vendor representative the below message to advise them of their part in ensuring your data’s security.

 

[Your company's name]'s Wisetail site currently receives files from [Vendor name] via SFTP. In order to maintain this connection, Wisetail requests that [Vendor name] update the SFTP client it uses to send those files so that it supports AWS's latest security policy, TransferSecurityPolicy-2024-01, by February 28, 2025.

 

Steps for Testing your updated security policy

  1. Have your vendor, or whoever manages your datafeed file, go to where the SFTP connection to Wisetail is configured on their end.
  2. Change the host to sftp-incoming-new.wisetail.com (the credentials stay the same).
  3. They should be prompted for your credentials as usual.
  4. If the credentials are accepted and the connection to sftp-incoming-new.wisetail.com succeeds, their client software is compatible with the new policy. They can switch back to the original host and configuration; that client version will continue to work after the upcoming change.
  5. Note: if you have multiple datafeeds that use SFTP, test each one, since feeds from different third-party vendors are sent by different client software.
  6. While testing, keep the existing datafeed running against the current host so production delivery is not interrupted.

In the event your credentials do not work

  1. The vendor's SFTP client (for example, FileZilla) will report a connection failure. With SSH this happens when the client and the server share no cipher, key exchange algorithm, or MAC, which means the client has not been updated to the current encryption standards.
  2. As a temporary measure to avoid disruption, have the vendor change the host to sftp-incoming-deprecated.wisetail.com so that your Wisetail site keeps receiving files as expected until the next step is complete.
  3. As soon as possible, have the third-party vendor update the SFTP client software that sends your files so that it supports AWS's latest security policy, TransferSecurityPolicy-2024-01. Once that is done, have the vendor switch the host back to bridger.wisetail.com (or sftp-incoming.wisetail.com, if that is the host your site uses).

 

Additional Information

  1. Which file should I use to see if I can connect to the new sftp-incoming-new.wisetail.com?
    1. Both SFTP servers write to the same S3 bucket: multiple servers point at one storage endpoint.
    2. Any file uploaded to the new server will therefore be picked up by your production datafeed at its next scheduled run, so send only valid and complete files, never a test-only file.
  2. What happens if I do nothing?
    1. If your client is still on the old policy, your datafeed file will no longer be delivered to Wisetail once the old policy is turned off.
  3. My third-party vendor won't update to the new encryption standards. Do I risk losing my datafeed?
    1. Yes, that is a risk if it is not handled properly. Please reach out to our Technical Support team so we can help with this situation.
  4. Can I use the same credentials I use for my current SFTP?
    1. Yes.