Description of changes:
Eighteen months ago, the Sequoia Project announced a change to a new Certificate Authority and certificate issuance process. As this project draws closer to completion, we wanted to inform you of a few critical next steps in that process for the eHealth Exchange.
On Tuesday November 16, 2021, the eHealth Exchange Hub will transition its outward facing certificates in the LIVE PRODUCTION environment from Entrust to EMR Direct-issued certificates. One outcome of this change will be that the SAML attributes and signatures will reflect this new EMR Direct certificate for messages that are re-signed. If your organization has not updated your trust bundles to accept the new Certificate Authorities, this will be a BREAKING CHANGE and you will not be able to receive traffic from the eHealth Exchange Hub.
DETAILS:
Tuesday 11/16 – noon ET
The eHealth Exchange team will deploy their new certificate to 2 of the 7 Hub’s scale-out router instances. We will monitor traffic on those two routers for Participant issues and will perform outreach if we identify any issues.
Tuesday 11/16 – 12:30p to 5:00p (or later, as needed) ET
The eHealth Exchange team will open a conference bridge for Participants to join if they are experiencing any issues with the Hub’s certificate change. Multiple eHealth Exchange staff will be on the conference bridge to assist.
Tuesday 11/16 – 2:00p ET
The eHealth Exchange team will deploy their new certificate to the remaining Hub’s scale-out router instances. Upon completion of this activity the Hub will be completely migrated over to their new EMR Direct (non-Entrust) certificate.
Conference Bridge Details:
Microsoft Teams meeting
Join on your computer or mobile app
Click here to join the meeting
Learn More | Meeting options
As a previous part of this transition process, you were informed that the internal structure of the certificates has changed, but we wanted to provide this reminder. Previously, all certificates carried an Organization (O) value of HHS-ONC for all certificates. With the new Certificate Authorities, the Organization value will properly reflect the Organization to whom the certificate has been issued. This may be a breaking change for some organizations who do SAML filtering on this value. As an FYI, the Organizational Unit (OU) value will remain unchanged.
Finally, the Entrust certificates will still be trusted on the eHealth Exchange Hub until December 13, 2021, at which time they will be fully decommissioned.
Scope:
These changes will be applied to the eHealth Exchange Hub PRODUCTION environment as outlined above.
Impact:
We do not anticipate any other service interruptions during the maintenance event; Real-time routing of messages through the Hub will be unaffected.
Support:
eHealth Exchange staff have an open Conference Bridge starting 12:30p on Tuesday 11/16 for Participants to join if they are experiencing any issues with the certificate change. eHealth Exchange staff will also monitor administrator@ehealthexchange.org during the upgrade window to address any questions or concerns.
Microsoft Teams meeting
Join on your computer or mobile app
Click here to join the meeting
Learn More | Meeting options
ADDITIONAL INFORMATION AND REMINDERS:
The eHealth Exchange Hub team has implemented a recurring weekly scheduled maintenance window each Thursday evening at 5:00pm ET for all non-urgent events. The duration of each maintenance event will be determined by the respective changes for each event, and details will be communicated out to all Participants at least 48 hours prior to the event. If there are no changes for any given week then the maintenance event will not occur, and no notice will be sent. Also please note that Operating System and similar updates that do not require a service outage, and do not require changes to the application layer, will be performed during this scheduled maintenance window without specific notice due to their frequent and routine nature.