Data in transit

Data in transit refers to data that is actively being moved from one place to another, e.g. across the Internet or through a private network. The data being moved is unencrypted and should be encrypted with Secure Sockets Layer (SSL), a cryptographic protocol used to secure communications over the Internet for email, web browsing, and other web protocols.

SSL is the method by which a client can obtain a secure connection to an SSL-enabled server. The SSL-enabled server can identify itself to the client in a trusted manner before any information is passed between the client and the SSL-enabled server.

For more information about SSL, refer to the OneSpan Authentication Server Administrator Guide.

Setup of database connections between OneSpan Authentication Server and database server

The data communicated between the client and the database server is sensitive and can be intercepted by anyone monitoring the network. Without the assurance of an SSL-encrypted protocol, your organization is not compliant with the GDPR and is at risk of security breaches and fines.

After the database installation, user accounts can be created that connect to the database but do not require an SSL connection. In this case, all communication with the database is unencrypted. To be GDPR-compliant, we recommend configuring the database user account to require SSL.

When selecting the embedded MariaDB during installation, you will be prompted to choose whether or not to use encryption. If you select Yes, OneSpan Authentication Server will be configured by default to use SSL.

When selecting the Advanced installation option and not opting for a MariaDB database, you have to explicitly encrypt the database connection to comply with GDPR.
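The check a practitioner would run to find accounts that can still connect without SSL, as an added example that is not OneSpan code: it classifies rows of the MariaDB/MySQL mysql.user table by the ssl_type column (an empty value means no encryption is enforced; ANY, X509 or SPECIFIED force it) and builds the ALTER USER statements that add REQUIRE SSL. The sample rows are constructed.

```python
"""Audit which database accounts may connect without SSL.

Added example, not OneSpan code. Reads the ssl_type column of the
mysql.user table (MariaDB/MySQL): an empty value means the account may log in
over an unencrypted connection, while ANY, X509 or SPECIFIED force TLS.
"""
from collections import namedtuple

Account = namedtuple("Account", "user host ssl_type")

# ssl_type values that force an encrypted connection (MariaDB/MySQL semantics).
SSL_ENFORCING = {"ANY", "X509", "SPECIFIED"}


def accounts_without_ssl(rows):
    """Return accounts whose ssl_type does not force TLS.

    `rows` are (user, host, ssl_type) tuples, e.g. the result of
    SELECT user, host, ssl_type FROM mysql.user;
    A NULL ssl_type is treated like an empty string (no enforcement).
    """
    return [Account(*row) for row in rows
            if (row[2] or "").upper() not in SSL_ENFORCING]


def _quote(part):
    """Quote a user or host part as a MariaDB single-quoted string literal."""
    return "'" + part.replace("\\", "\\\\").replace("'", "''") + "'"


def remediation_sql(rows):
    """Build one ALTER USER ... REQUIRE SSL statement per weak account."""
    return [
        f"ALTER USER {_quote(a.user)}@{_quote(a.host)} REQUIRE SSL;"
        for a in accounts_without_ssl(rows)
    ]


# Constructed sample rows, as if returned by the SELECT above; not real data.
SAMPLE_ROWS = [
    ("ias", "10.0.0.5", ""),          # server account, no TLS required: weak
    ("ias_ssl", "10.0.0.5", "ANY"),   # already requires an encrypted connection
    ("backup", "localhost", "X509"),  # requires a valid client certificate
    ("report", "%", ""),              # reachable from anywhere, unencrypted: weak
]

if __name__ == "__main__":
    for a in accounts_without_ssl(SAMPLE_ROWS):
        print(f"{a.user}@{a.host} accepts unencrypted connections")
    print("\n".join(remediation_sql(SAMPLE_ROWS)))
```

Run the SELECT against the server, feed the rows to accounts_without_ssl, and review the generated statements before applying them.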

Transparent Data Encryption protects data at rest, where the data on the hard disk are encrypted. However, it does not protect the data in transit.

The communication flow will need to be encrypted to safeguard the sensitive data when in transit.

For more information about encrypting database connections, refer to the OneSpan Authentication Server Administrator Guide.

SEAL/SOAP/RADIUS communicator modules

OneSpan Authentication Server provides a communicator module for each protocol for which it can receive and handle requests. Each communicator module can be enabled or disabled as required, subject to support in the server license.

You can use SSL to protect connections between the communicator modules and the communication end points. Enabling and configuring SSL for communicator module connections requires your server's certificate and its corresponding private key password (if you set one). Configuring the SEAL and SOAP communicator modules will also require a certification authority (CA) certificate file for (optional) client certificate verification.

SEAL protocol

The SEAL protocol is a proprietary OneSpan protocol used by some of the OneSpan authentication modules.

SOAP protocol

OneSpan Authentication Server provides support for web applications through an SDK based on the standard SOAP protocol. These applications may cover operational tasks such as authentication and signature validation, provisioning of software authenticators, or administration of DIGIPASS Authentication for Microsoft ADFS.

SOAP versions 1.1 and 1.2 over HTTPS are supported; the 'Document Literal' binding is used.

Some of the OneSpan Authentication Server client components also use the SOAP protocol for communication, such as the Digipass Authentication Module products and Digipass Authentication for Windows Logon.

RADIUS protocol

OneSpan Authentication Server supports the RADIUS protocol (according to RFC 2865) for remote network access authentication. Applications that use RADIUS as their authentication protocol are therefore also supported.

Configuring SOAP and SEAL communication protocols

When configuring the SOAP or SEAL communication protocol in the Configuration Utility, you can specify whether the client certificate verification is any of the following:

  • Never
  • Required
  • Optional
  • Required - Signed Address Only. The client certificate must include the IP address of the client. The server will check the IP address from the client certificate against the client it is establishing a connection with, and the handshake will fail if the two IP addresses do not match.
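The four verification modes and the address comparison of 'Required - Signed Address Only', modelled as an added example that is not OneSpan code: the check runs over the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, and the sample certificate dictionary is constructed.

```python
"""Illustrative client-certificate policy for the SOAP/SEAL communicator.

Added example, not OneSpan code. Models the four verification modes and
implements the IP-address comparison of 'Required - Signed Address Only'
on the dict that ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress
from enum import Enum


class ClientCertMode(Enum):
    NEVER = "Never"
    REQUIRED = "Required"
    OPTIONAL = "Optional"
    REQUIRED_SIGNED_ADDRESS = "Required - Signed Address Only"


def cert_ip_addresses(cert):
    """Return the IP addresses listed in the certificate's subjectAltName.

    `cert` has the shape returned by getpeercert(): its 'subjectAltName'
    entry is a tuple of (type, value) pairs. Malformed entries are skipped.
    """
    ips = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address":
            try:
                ips.add(ipaddress.ip_address(value))
            except ValueError:
                continue
    return ips


def evaluate_client_cert(mode, cert, peer_ip):
    """Decide whether the handshake may proceed; returns (accepted, reason).

    `cert` is None when the client presented no certificate.
    """
    if mode is ClientCertMode.NEVER:
        return True, "client certificate not checked"
    if cert is None:
        if mode is ClientCertMode.OPTIONAL:
            return True, "no client certificate, accepted (Optional)"
        return False, "client certificate required but none presented"
    if mode is not ClientCertMode.REQUIRED_SIGNED_ADDRESS:
        return True, "client certificate presented"
    # Signed Address Only: the peer address must be one of the cert's IPs.
    # ipaddress objects compare canonically, so '2001:DB8::1' == '2001:db8::1'.
    peer = ipaddress.ip_address(peer_ip)
    ips = cert_ip_addresses(cert)
    if not ips:
        return False, "certificate carries no IP address"
    if peer in ips:
        return True, f"peer address {peer} matches certificate"
    return False, f"peer address {peer} not in {sorted(map(str, ips))}"


# Constructed sample in getpeercert() shape (not a real OneSpan certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "seal-client.example.test"),),),
    "subjectAltName": (("DNS", "seal-client.example.test"),
                       ("IP Address", "192.0.2.10"),
                       ("IP Address", "2001:DB8::1")),
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::1", "198.51.100.7"):
        print(ip, evaluate_client_cert(ClientCertMode.REQUIRED_SIGNED_ADDRESS, SAMPLE_CERT, ip))
```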

The Configuration Wizard can provide a self-signed SSL certificate. This SSL certificate is time-limited, so it will expire after a period of time. When the SSL certificate expires, you can recreate it from the Configuration Wizard. Alternatively, you can also purchase an SSL certificate with a longer expiry period.

The Configuration Wizard runs in two modes: Installation Wizard and Maintenance Wizard. For more information, refer to the OneSpan Authentication Server Product Guide.

In the Configuration Utility, the SOAP and SEAL communication protocol page also contains a Re-Verify on Re-Negotiation checkbox. Select this box to force the connection between SOAP/SEAL and OneSpan Authentication Server to be re-verified each time a connection is established.

Enabling the Re-Verify on Re-Negotiation option may incur a performance penalty. Enable it only if absolutely necessary.

Generating certificates

You can configure how OneSpan Authentication Server performs encrypted communication via the Configuration Wizard, either during or after the initial installation.

The Install SSL Server Certificate wizard (via the Configuration Wizard) allows you to generate an SSL certificate for the SOAP/SEAL communicator. For more information about generating SSL certificates, refer to the OneSpan Authentication Server Administrator Guide.

When generating an SSL certificate for SOAP/SEAL, the default file names of the generated certificate and certificate authority are ikey_component_cert.pem and ikey_component_serverca.pem, respectively.

By default, these files are located in the following folder:

  • /etc/vasco/ias (on Linux)
  • %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin (on Windows)

Configuring SSL certificates

When installing OneSpan Authentication Server, the OneSpan Authentication Server Setup Utility will automatically launch the Configuration Wizard. This wizard can be used to configure SSL certificates for the SOAP communicator module.

During a basic installation, an SSL certificate will be generated automatically for each component.

During an advanced installation, you can specify whether to create an SSL certificate for each component or use an existing SSL certificate.

For more information about configuring SSL certificates, refer to the OneSpan Authentication Server Administrator Guide.

Whenever you are required to provide a private key password for an SSL certificate, note that such passwords must comply with the following requirements:

  • At least 16 characters long
  • Contain at least one of each of the following:

    • Lower case character
    • Upper case character
    • Numeric character

Using SSL with SOAP

OneSpan Authentication Server uses SSL to secure SOAP connections between itself and OneSpan Authentication Server applications and components. The SOAP client will verify the server with the help of SSL when connecting to OneSpan Authentication Server.

For more information about enabling SSL encryption for SOAP, refer to the OneSpan Authentication Server Administrator Guide.

The following OneSpan Authentication Server products use SOAP:

Administration Web Interface

The Administration Web Interface uses the SOAP communicator module to connect to OneSpan Authentication Server. If you manually configured the SOAP SSL configuration after installation, you also need to configure the Administration Web Interface accordingly.

For more information, refer to the OneSpan Authentication Server Administrator Guide.

Digipass Authentication Module

Digipass Authentication Module is a family of OneSpan Authentication Server-side products that intercept authentication requests, e.g. to websites, remote desktop sessions, etc.

The following Digipass Authentication Module products are available:

  • Digipass Authentication for Microsoft ADFS. This is an add-on authentication module for Microsoft Active Directory Federation Services and provides strong authentication using an authenticator. Digipass Authentication for Microsoft ADFS contains an ADFS authentication provider that can be used as an additional authentication method. This allows for authentication against AD as the primary authentication, and authentication using an authenticator as the additional authentication.
  • Digipass Authentication for IIS Basic. This is an add-on for Internet Information Services (IIS) and can be configured to intercept authentication requests to websites using the HTTP basic authentication mechanism. Digipass Authentication for IIS Basic intercepts authentication requests, validates the OTP, and replaces it with the static password expected by the back-end system. The OTP values are validated by OneSpan Authentication Server or OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance.
  • Digipass Authentication for Citrix StoreFront. This is an add-on Digipass Authentication Module for Citrix Authentication Service for Citrix StoreFront and can be configured to intercept authentication requests to consumer app stores. Digipass Authentication for Citrix StoreFront intercepts authentication requests, validates the OTP, and replaces it with the static password expected by the back-end system. The OTP values are validated by OneSpan Authentication Server or OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance.
  • Digipass Authentication for OWA Basic/Digipass Authentication for OWA Forms. This is an add-on for Internet Information Services (IIS) and can be configured to intercept authentication requests to Outlook Web Access websites using the HTTP basic or forms authentication mechanism. These modules intercept authentication requests, validate the OTP, and replace it with the static password expected by the back-end system. The OTP values are validated by OneSpan Authentication Server or OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance.
  • Digipass Authentication for Steel-Belted RADIUS Server. This module adds authenticator ability to Steel-Belted RADIUS Server via a plug-in that communicates with an authentication server. Digipass Authentication for Steel-Belted RADIUS Server receives authentication requests from Steel-Belted RADIUS Server and passes them to an authentication server. The authentication server processes the authentication request and returns an Access-Accept, Access-Reject, or Pass response. It may also return RADIUS attributes associated with the user account or the Digipass Authentication Module that sent the request.
  • Digipass Authentication for Remote Desktop Web Access. This is an add-on for Internet Information Services (IIS) and can be configured to intercept authentication requests to websites using the HTTP basic or forms authentication mechanism. Remote Desktop Web Access is a web application providing access to remote applications through Remote Desktop Protocol (RDP) files, which contain the necessary information to successfully establish a remote connection (e.g. the remote IP address). When Digipass Authentication for Remote Desktop Web Access is installed, authentication to Remote Desktop Web Access can take place only with a one-time password (OTP).

For more information about enabling SSL encryption for each Digipass Authentication Module, refer to the OneSpan Authentication Server Administrator Guide.

All flavors of Digipass Authentication Module have the same configuration for a GDPR-compliant setup.

This presumes that OneSpan Authentication Server has the SOAP protocol enabled with the SSL option. SSL can be configured only after the installation of the product. By default, the installation is not set to use SSL.

Digipass Authentication for Windows Logon (DAWL)

Digipass Authentication for Windows Logon provides strong authentication when logging on to Microsoft Windows. With this type of authentication, a user logs on to Microsoft Windows using the following:

  • User ID
  • Password
  • A one-time password (OTP) generated by an authenticator
  • Server PIN

For more information about encrypting Digipass Authentication for Windows Logon with SSL over SOAP, refer to the OneSpan Authentication Server Administrator Guide.

The auditing log files for Digipass Authentication for Windows Logon are unencrypted. Ensure that the folder or the disk storing the log files is encrypted.

For more information about Digipass Authentication for Windows Logon, refer to the Digipass Authentication for Windows Logon Getting Started Guide and the Digipass Authentication for Windows Logon Product Guide.

OneSpan User Websites

OneSpan User Websites allow users to perform functions that are unavailable during a usual logon request—either because the functionality is disabled during logon via the policies set for your client application, or because CHAP or another protocol that does not allow the functionality is used:

  • User registration and auto-assignment
  • Authenticator activation
  • Authenticator assignment
  • Authenticator management (logon test, PIN change, etc.)
  • Virtual Mobile Authenticator one-time password (OTP) requests

The websites can also be used to help users get started with their authenticators while they are still in the office and help is available.

OneSpan User Websites do not need additional configuration to be GDPR-compliant, as the SOAP protocol has already been configured during installation in the Configuration Utility with the Enable SSL box checked.

For more information about OneSpan User Websites, refer to the OneSpan User Websites Administrator Guide.

LDAP Synchronization Tool

LDAP Synchronization Tool is a product used to synchronize user information from any LDAP data store with any OneSpan Authentication Server data store.

For more information about encrypting LDAP Synchronization Tool, refer to the OneSpan Authentication Server Administrator Guide.

Using SSL with SEAL

Some products that communicate with OneSpan Authentication Server use the SEAL protocol. The protocol has to be configured to use SSL encryption to be regarded as safe.

SEAL over SSL is enabled by default in OneSpan Authentication Server.

SEAL without SSL is also enabled by default in OneSpan Authentication Server. For additional security, consider disabling SEAL without SSL.

For more information about enabling SSL encryption for SEAL, refer to the OneSpan Authentication Server Administrator Guide.

The following components of OneSpan Authentication Server need to be encrypted with SSL to assure compliance:

Live Audit Viewer

The Live Audit Viewer can open, display, and filter audit messages from various sources.

For more information about enabling SSL encryption for Live Audit Viewer, refer to the OneSpan Authentication Server Administrator Guide.

Replication

Replication can be configured to allow multiple OneSpan Authentication Server instances to keep their data synchronized and ensure consistency. OneSpan Authentication Server replicates entire records, rather than individual record attributes. When multiple OneSpan Authentication Server instances use different ODBC databases as their data stores, replication ensures that each database is up to date with the latest data changes.

For more information about setting up replication to be SSL-encrypted, refer to the OneSpan Authentication Server Administrator Guide.

Message Delivery Component (MDC)

The Message Delivery Component (MDC) service accepts one-time password (OTP) notifications and other messages from OneSpan Authentication Server. It interfaces with SMS, email, voice, or push notification gateways to relay those messages to a user’s phone or email address. Push notifications can be forwarded via an on-prem DIGIPASS Gateway or OneSpan Notification Gateway.

You can use SSL to protect connections between OneSpan Authentication Server and MDC. This requires your server's certificate and its corresponding private key password (if you set one) and a certification authority (CA) certificate file for (optional) client certificate verification.

For more information about enabling SSL for MDC, refer to the OneSpan Authentication Server Administrator Guide.

Password Synchronization Manager (PSM)

Password Synchronization Manager is used to convey password changes of Windows domain users with enabled (and not locked) authenticator support to the OneSpan Authentication Server environment. OneSpan Authentication Server uses static passwords for back-end authentication and for user authentication using Digipass Authentication for Windows Logon.

To be GDPR-compliant, you need to secure the communication between Password Synchronization Manager and OneSpan Authentication Server via SSL. Each OneSpan Authentication Server configuration can be updated to use encrypted communication (via the Use SSL option in the password filter configuration of the PSM Remote Configuration Manager). The certification authority (CA) certificate will need to be imported into the Windows certificate store of the server where Password Synchronization Manager is installed. This has to be done for each OneSpan Authentication Server instance configured to use SSL over SEAL.

Tcl Command-Line Administration tool

The Tcl Command-Line Administration tool allows interactive command-line and scripted administration of authenticator-related data. It uses a configuration file to store necessary configuration settings. This file can be found in the following location:

  • /etc/vasco/ias/dpadmincmd.xml (Linux)
  • %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\Bin\dpadmincmd.xml (Windows)

For more information about enabling SSL for the Tcl Command-Line Administration tool, refer to the OneSpan Authentication Server Administrator Guide.

RADIUS

OneSpan Authentication Server can be used in a RADIUS environment in a number of ways, depending on your company's requirements.

In the RADIUS protocol, attributes are used for authorization and configuration of the remote access session in many cases. OneSpan Authentication Server can return authorization attributes from the user account. Alternatively, a separate RADIUS server can provide these attributes instead.

In many cases, a RADIUS client may be a dial-up network access server (NAS), firewall/VPN appliance, wireless access point (WAP), or another device that uses the RADIUS protocol for user authentication. Some software applications can also use RADIUS for authentication, and can therefore also act as RADIUS clients.

If your organization uses the RADIUS communication protocol, be advised that there is no Enable SSL option in the Configuration Utility. We recommend creating an encrypted VPN tunnel between RADIUS clients and OneSpan Authentication Server.

RADIUS provides connection encryption; however, its standards are no longer considered safe.

Features that do not support encryption (data in transit)

When selecting an Advanced installation in the Installation Wizard, certain features in OneSpan Authentication Server do not support encryption, and must be encrypted manually with a workaround to be GDPR-compliant.

Data Migration Tool

The Data Migration Tool (DMT) is a general-purpose utility that allows you to migrate your data from one OneSpan authentication product to another. DMT accesses OneSpan Authentication Server via a SEAL connection and uses the SEAL port that is not SSL-encrypted. For data migration to be successful, the SEAL communicator must be enabled in the OneSpan Authentication Server configuration. To be GDPR-compliant, we recommend setting up a VPN tunnel between DMT and OneSpan Authentication Server to secure the connection.

RADIUS

The RADIUS communication protocol provides connection encryption; however, its standards are no longer considered safe. We recommend creating an encrypted VPN tunnel to be GDPR-compliant. For more information, see RADIUS.