The FDA has decided that it will update the ciphers for their Electronic Submissions Gateway (ESG), but what does this mean for you?
Here is the message that was received:
FDA Electronic Submissions Gateway (ESG) will update ciphers and SSL protocols in Production on Saturday, January 20, 2018 at 9:00 PM EST. Please make sure your AS2 system can connect to ESG with compatible secure ciphers and SSL protocols listed below. To make sure your AS2 system can connect to ESG, you may test in the ESG Pre-Production environment. The ESG Pre-Production environment already has the following updated SSL protocols and Cipher suites:
* SSL Protocols
* TLS 1.2
* Cipher Suites (suites in server-preferred order)
* TLS 1.2
* TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
* TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
* TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
* TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
***Warning: if your AS2 system CANNOT connect to ESG with compatible secure ciphers and SSL protocols, you will not be able to send submissions to the FDA.***
A couple of things come to mind, as far as what steps you should take, based on the information the FDA has provided.
The first thing to do is to check which version of Axway you are using to see if the above cipher changes impact you.
Some companies do not have a version of Axway that will be able to deal with the new security settings, so one option is to upgrade to the newest version of Axway (5.12).
Some considerations need to be taken with this approach, depending on the partnerships you may have in place. For example, you may wish to test with other agencies/partners when an upgrade is being evaluated.
Also, there is the potential for downtime when upgrading. So, do you keep your current Axway running while installing the new version?
Something else to consider. If you have a version of Oracle Argus in 7.x, you will need to install the patch 8.9.9.97. This patch contains an updated JAR file, which will allow you to upgrade from 5.10.1 to 5.12 SP8 in product v7.x line. Upgrading Axway to 5.12 SP8 will be possible, but it requires Argus patch 8.9.9.97. This patch is not applicable if you are in the Argus 8.x range.
If you are interested in learning more about how we can help you upgrade Argus and Axway, feel free to reach out.