Secure Transport Service (STS) US Certificate Update Information (SHA2) For External Client Facing Users

What is changing?

The Experian Secure Transport Service (STS), Experian's file transfer application, is having its server certificate replaced to comply with Experian Information Security policy regarding migration from SHA1 to SHA2 certificates.

Why the change?

A server certificate binds the server's name to its public key and carries a digital signature from the issuing certificate authority; SHA1 and SHA2 name the hash algorithm used in that signature. Many file transfer clients save the certificate (or, for SFTP/SSH, the server's host key) the first time they connect and compare it on every later connection, so a mismatch is reported as a possible compromise of the server. Unlike physical signatures, certificates expire and need to be replaced every few years. In this case industry standards are also changing rapidly, with Microsoft and Google migrating off SHA1 certificates to SHA2 certificates. Experian is therefore moving STS to the industry-standard SHA2 server certificate to ensure that data received and sent via our platform remains secure.

When is this change taking place?

This change will take place on 19th September 2015, between 21:00 and 23:00 (CST).

Who will be affected?

Users accessing Secure Transport (STS) using FTPS or SFTP/SSH connections to stm.experian.com (205.174.34.41).

This change does not affect users accessing Secure Transport (STS) via an internet browser (Internet Explorer, Mozilla Firefox etc.).

What will happen when the STS certificate is changed?

When the certificate is changed, your secure FTP application should display a message upon connecting to STS that the certificate (or, for SFTP/SSH, the host key) presented by STS does not match the one that was saved locally. This message may contain strongly worded warnings alerting you that the server may have been compromised. For this scheduled change the warning is expected; however, your client cannot tell a planned change from an interception, so before accepting, compare the fingerprint it shows with a value obtained directly from Experian (for example via the Global File Transfer contact listed below). Once the fingerprint matches, you may accept the new certificate or key this one time. The procedure for doing so varies from application to application. In general, Windows-based applications will simply ask for confirmation and then proceed normally after that.
Other applications, notably OpenSSH, may require you to delete the old stored entry first: for OpenSSH this means removing the stale host key line from the known_hosts file before the new host key can be accepted.
This is a routine procedure in the use of secure file transfer protocols, and it should be documented in your software's manual. The following pages provide example warning messages that users of the most popular applications may receive when connecting to Secure Transport (STS) following the certificate update.

Can STS users prepare for this change in advance?

Yes. Users connecting from mainframes using FTP w/SSL may request a copy of the new certificate prior to this change. Requests may be made:

By email to: globalfiletransfer@experian.com
By following the link here

All desktop FTP client software, UNIX and Linux users will receive warning messages indicating that the certificate has changed. After the change is made, users will have to accept the new certificate. Please review the next section for samples of the warning messages received once the certificate is changed and the actions to take (desktop, UNIX, Linux only).

Who do I contact if I have any issues connecting to Secure Transport following the change on 19th September 2015?

Please contact:
Global File Transfer at globalfiletransfer@experian.com
Experian's Technical Support Center at 1-800-854-7201
Experian Secure Transport Host Certificate Change Samples

Note: The below are examples only; wording may vary slightly between software versions. The examples show different fingerprints and server addresses from the production servers. This information is provided to assist you with this change on our server stm.experian.com. If for any reason you do not understand this document, please forward it to an IT professional within your organization or contact the software vendor.

1. System Application: WS_FTP Pro using SFTP/SSH
Action: Select Trust this key and select OK
2. System Application: UNIX/LINUX command line SFTP/SSH/SCP

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ed:07:a2:f9:47:6d:7b:f8:ac:ac:6e:2c:fc:2e:6d:87.
Please contact your system administrator.
Add correct host key in /export/home/user/.ssh/known_hosts to get rid of this message.
Offending key in /export/home/user/.ssh/known_hosts:1

Action: Make a copy of the known_hosts file, then remove the entry for 205.174.34.41 (the line reported as the offending key, line 1 in this example; if you connect by name, remove the entry for stm.experian.com as well). Upon your next connection you will be prompted to accept the new host key. Check that the fingerprint shown matches the one confirmed with Experian before answering yes.

Connecting to 205.174.34.41...
The authenticity of host '205.174.34.41 (205.174.34.41)' can't be established.
RSA key fingerprint is ed:07:a2:f9:47:6d:7b:f8:ac:ac:6e:2c:fc:2e:6d:87.
Are you sure you want to continue connecting (yes/no)?

Type yes
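The OpenSSH procedure above (copy known_hosts, delete the offending entry, accept the new key only once its fingerprint is confirmed) as an added worked example; this is not Experian's or OpenSSH's code, and it uses Python's standard library rather than the shell so that it also shows what the client is actually comparing. The host name and IP are the ones from this notice; every key, salt and known_hosts line is constructed for illustration (toy RSA moduli, not real host keys). It handles the comma-separated "name,IP" entries and the hashed entries written when HashKnownHosts is enabled, produces both the colon-separated MD5 fingerprint seen in the sample and the SHA256 form newer OpenSSH prints, and refuses to pin a key whose fingerprint does not match the out-of-band value.

```python
"""Replace a stale OpenSSH known_hosts entry and pin the new host key only after its
fingerprint matches a value obtained out of band (e.g. confirmed with Experian).

Added example, not Experian's or OpenSSH's own code. HOST and IP come from the notice;
all key material, the salt and the known_hosts text are constructed for illustration."""
import base64
import hashlib
import hmac

HOST = "stm.experian.com"
IP = "205.174.34.41"


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def _ssh_mpint(n):
    """RFC 4251 'mpint': big-endian magnitude, leading 0x00 byte if the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e, n):
    """Wire encoding of an ssh-rsa public key (string 'ssh-rsa', mpint e, mpint n).
    This is the base64 field of a known_hosts line and the input to the fingerprint."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 fingerprint, the form in the warning shown above."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob):
    """Form printed by OpenSSH 6.8 and later: 'SHA256:' + unpadded base64 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_hostname(host, salt):
    """Host field written when HashKnownHosts is on: |1|<b64 salt>|<b64 HMAC-SHA1>."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def entry_matches(line, host):
    """True if a known_hosts line names `host` (plain, comma-separated or hashed form).
    [host]:port entries for non-default ports are not handled here."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return False
    names = fields[0]
    if names.startswith("@"):          # @revoked / @cert-authority marker precedes the names
        if len(fields) < 2:
            return False
        names = fields[1]
    if names.startswith("|1|"):        # hashed: recompute with the stored salt and compare
        salt = base64.b64decode(names.split("|")[2])
        return hmac.compare_digest(hashed_hostname(host, salt), names)
    return host in names.split(",")


def remove_host(known_hosts, hosts):
    """Drop every line naming any of `hosts` (what `ssh-keygen -R` does). Returns (kept, removed)."""
    kept, removed = [], []
    for line in known_hosts.splitlines():
        (removed if any(entry_matches(line, h) for h in hosts) else kept).append(line)
    return "".join(l + "\n" for l in kept), removed


def verify_and_pin(known_hosts, host, presented_key_line, expected_fingerprint):
    """Append the presented key only if its fingerprint equals the out-of-band value.
    `presented_key_line` is '<keytype> <base64 blob>' as ssh-keyscan prints it."""
    keytype, b64 = presented_key_line.split()[:2]
    blob = base64.b64decode(b64)
    fp = fingerprint_sha256 if expected_fingerprint.startswith("SHA256:") else fingerprint_md5
    actual = fp(blob)
    if not hmac.compare_digest(actual, expected_fingerprint):
        raise ValueError("fingerprint %s != expected %s: not pinning (possible man-in-the-middle)"
                         % (actual, expected_fingerprint))
    return known_hosts + "%s %s %s\n" % (host, keytype, b64)


# Constructed sample material (toy moduli; real RSA host keys are 2048 bits or more).
OLD_BLOB = rsa_public_blob(65537, 0xC0FFEE00000001)
NEW_BLOB = rsa_public_blob(65537, 0xDEADBEEF00000001)
NEW_KEY_LINE = "ssh-rsa " + base64.b64encode(NEW_BLOB).decode()   # as ssh-keyscan would show it
SALT = bytes(range(20))
_OLD_B64 = base64.b64encode(OLD_BLOB).decode()
KNOWN_HOSTS = (
    "%s,%s ssh-rsa %s\n" % (HOST, IP, _OLD_B64)                     # combined name,IP entry
    + "%s ssh-rsa %s\n" % (hashed_hostname(IP, SALT), _OLD_B64)     # hashed entry for the IP
    + "other.example.net ssh-rsa %s\n" % _OLD_B64                   # unrelated host, must survive
)


def rotate(known_hosts, presented_key_line, expected_fingerprint):
    """The procedure from the notice: strip the stale entries, then pin the verified key."""
    cleaned, _removed = remove_host(known_hosts, [HOST, IP])
    return verify_and_pin(cleaned, "%s,%s" % (HOST, IP), presented_key_line, expected_fingerprint)


if __name__ == "__main__":
    confirmed = fingerprint_md5(NEW_BLOB)   # stands in for the value confirmed with Experian
    print(rotate(KNOWN_HOSTS, NEW_KEY_LINE, confirmed))
    try:
        rotate(KNOWN_HOSTS, NEW_KEY_LINE, "00:" * 15 + "00")
    except ValueError as err:
        print("refused:", err)
```

Against a real file, copy ~/.ssh/known_hosts to a backup first (as the Action above says), read it into `rotate`, and write the result back; `ssh-keygen -R <host>` performs the same removal step, hashed entries included, and `ssh-keyscan -t rsa <host>` prints the presented key line. The point of `verify_and_pin` is that the key is never accepted on the strength of the prompt alone: the fingerprint must equal one obtained from Experian by a channel other than the connection being warned about.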
3. System Application: WS_FTP Pro using FTPS (FTP w/ssl) Action: Select Trust this certificate and select OK
4. System Application: FileZilla using SFTP/SSH Action: Select Always trust this host, add this key to cache and select OK
5. System Application: FileZilla using FTPS (FTP w/ssl) Action: Select Always trust certificate in future sessions and select OK
6. System Application: WinSCP using SFTP/SSH
Server key did not previously exist on the client. Action: Select Yes
Server key already exists on the client. Action: Select Update
7. System Application: Core FTP using SFTP/SSH Action: Select Yes
8. System Application: Core FTP using FTPS (FTP w/ssl) Action: Select Always Accept