Configuring OneSpan Authentication Server (basic installation)

When the required components have been installed, the Configuration Wizard is started to complete the initial configuration.

Before you begin

• Ensure that you have successfully installed OneSpan Authentication Server (see Installing OneSpan Authentication Server (basic installation)).
• If you want to license OneSpan Authentication Server during initial configuration, obtain and prepare an appropriate license file (see Finalizing pre-installation). Alternatively, you can apply a valid license file after installation via the Administration Web Interface.

Configuring OneSpan Authentication Server

To configure OneSpan Authentication Server (basic installation)

1. In the Welcome page, select Next.

2. If required, select or add an IP address to use for OneSpan Authentication Server.

3. Configure OneSpan Authentication Server to use a valid license:

   1. Open a new command window. From there, copy the license file to /opt/vasco/ias.
   2. Return to the Configuration Wizard and type the location and file name of the license file.

4. Configure the server functionality.

   On the Server Functionality page, enable the server functionalities as needed. By default, all options permitted by any license loaded previously will be enabled.

5. Configure partitioning for the audit database tables.

   This step is available only if you are using the embedded database (MariaDB).

   If you enable partitioning, audit data is split up into smaller subsets (partitions), instead of having all audit data in one big table. Each partition contains the data for one day. This can improve database performance for queries and delete operations.

6. Configure the login details for the first administrator account.

   Type a user ID and a password twice to prevent typing errors.

   The password for this account must comply with the default password rules:

   • At least 7 characters long
   • Contains at least 1 lowercase character
   • Contains at least 1 uppercase character
   • Contains at least 1 numeric character

   For more information about password rules, refer to the OneSpan Authentication Server Administrator Guide.

7. Configure the server SSL certificates.

   Type a private key password and the algorithm to be used for the server SSL certificate. This will create separate SSL certificates and certificate authority files for:

   • SOAP communicator
   • SEAL communicator
   • RADIUS communicator
   • MDC server
   • Live audit connection

   For more information about creating SSL certificates, refer to the OneSpan Authentication Server Administrator Guide.

   The password for the SSL certificates must comply with the default password rules:

   • At least 16 characters long
   • Contains at least 1 lowercase character
   • Contains at least 1 uppercase character
   • Contains at least 1 numeric character

   For more information about password rules, refer to the OneSpan Authentication Server Administrator Guide.

8. Configure the RADIUS topology.

   1. Specify the RADIUS topology.

      • Select No RADIUS configuration required if you do not need to integrate OneSpan Authentication Server with a RADIUS infrastructure.
      • Select IDENTIKEY Authentication Server as a standalone RADIUS server to use OneSpan Authentication Server as a stand-alone server and retrieve RADIUS attributes from the user accounts, if required. This requires configuration settings for the RADIUS client.
      • Select IDENTIKEY Authentication Server in front of RADIUS server to use OneSpan Authentication Server as an intermediary server and forward requests to a RADIUS server for back-end authentication. This requires configuration settings for the RADIUS client and the RADIUS server.

   2. If required, specify the connection details of the RADIUS client.

      This option is only available if you selected IDENTIKEY Authentication Server as a standalone RADIUS server or IDENTIKEY Authentication Server in front of RADIUS server.

      Enter connection details as required to create a client record for the RADIUS client:

      • Location. The IP address of the standalone RADIUS client.
      • Shared Secret. The password to authenticate the RADIUS client.
      • Confirm Shared Secret. The password confirmation to prevent typing errors.

   3. If required, specify the configuration settings of the RADIUS server.

      This option is only available if you selected IDENTIKEY Authentication Server in front of RADIUS server.

      Enter the RADIUS server settings as required to create a RADIUS back-end server record:

      • Authentication IP Address. The IP address on which the RADIUS server receives authentication requests.
      • Authentication Port. The UDP port on which the RADIUS server receives authentication requests.
      • Accounting IP Address. The IP address on which the RADIUS server receives accounting requests.
      • Accounting Port. The UDP port on which the RADIUS server receives accounting requests.
      • Shared Secret. The password to authenticate the RADIUS server.
      • Confirm Shared Secret. The password confirmation to prevent typing errors.

9. Review the configured settings and select Proceed to start the initial configuration.

   The Configuration Wizard applies the configuration settings to OneSpan Authentication Server. A summary of all operations will be displayed, including any errors.

10. Select Finish to close the Configuration Wizard.

    The rest of the default settings are being applied and the respective daemons will start.

11. (OPTIONAL) Import authenticator records from the corresponding record file.

    1. Type yes to do so, or no to skip this step.

    2. Specify the following information:

       • Administrator username
       • Administrator password
       • Domain to import the authenticator entries into
       • Location and file name of the authenticator import file
       • Transport key (for a demo authenticator, this is 11111111111111111111111111111111)

    3. If required, type yes to import authenticator records from another import file.

Additional considerations

• The Installation Wizard creates a trace file to log the configuration process in the following location:

  /var/log/vasco/identikey/ikconfigwizardconsole.trace

  If the Configuration Wizard is canceled during the installation or upgrade of OneSpan Authentication Server, the Web Administration Service will not be installed automatically. You can manually initiate the Web Administration Service installation at any time. For instructions, see Installing OneSpan Authentication Server Web Administration Service).

Next steps

• If you want to install another instance of OneSpan Authentication Server on the same host, configure it accordingly (see Running multiple OneSpan Authentication Server instances on a single Linux host machine).
• If required, verify and perform any post-installation tasks necessary to complete the installation (see Post-installation tasks and considerations).