Installing OneSpan Authentication Server (advanced installation)

Before you begin

  • Ensure that you have successfully completed and verified the required pre-installation tasks and settings (see Pre-installation tasks and considerations), in particular that:
    • You are logged on using a user account with sufficient administrative privileges on the machine to run the installation.

Installing OneSpan Authentication Server

To install OneSpan Authentication Server (advanced installation)

  1. Open a terminal window.

    Ensure that the terminal window resolution is at least 80x24. Otherwise the Configuration Wizard cannot start automatically after the installation or upgrade.

  2. Log on as root using the hyphen option (su -).

    This ensures you load the root profile, not the default profile.

  3. Navigate to the mounted disk or ISO image containing the OneSpan Authentication Server setup files and locate the OneSpan Authentication Server install script install.sh.
  4. Run ./install.sh.

    The install script will guide you through the installation.

  5. Type the installation mode to run, in this case advanced.
  6. Use Space to scroll through the OneSpan license agreement and type yes to accept it.
  7. Enter yes to install the OneSpan Authentication Server component.
  8. If required, specify the user account that the OneSpan Authentication Server daemon should run as, by default vasco-ias.

    If you specify a user that does not exist, the installation script will automatically create that user.

  9. If you want to use the embedded MariaDB database as data store, type yes.

    If MariaDB is already installed, you need to configure it manually (see Additional tasks).

    If you wish to use another database, type no.

  10. If required, specify whether to encrypt the embedded MariaDB database and database connections.

    If you want to use encryption for the data store and all connections to the embedded database, type yes. Type no to leave it unencrypted.

    Once you decide to use (or not use) encryption for the embedded database and all database connections, encryption will remain permanently enabled (or disabled). You cannot change this setting at a later time!

  11. Enter yes to install the Message Delivery Component (used with Virtual Mobile Authenticator).
  12. If required, specify the user account that the Message Delivery Component daemon should run as, by default vasco-mdc.

    If you specify a user that does not exist, the installation script will automatically create that user.

  13. You will be prompted to choose whether to install the following components:

    • Web Administration Service
    • Command-Line Administration
    • Audit Viewer
    • Audit Verification Tool

    At each prompt, type yes and press Enter to install the component, or type no if you do not wish to install it.

  14. If required, install missing dependencies.

    The script is designed to install as many dependencies as possible. However, due to license and other restrictions, not all required standard packages are shipped with the OneSpan Authentication Server setup. Any required dependency that is not already installed and cannot be installed automatically by the script is listed, and you are prompted to install it now.

    1. Open a separate terminal window.
    2. Install the required packages according to your Linux distribution.
    3. Return to the terminal window where the OneSpan Authentication Server script is running and press Enter.

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, and Rocky Linux 8:

    • chkconfig
    • coreutils
    • initscripts
    • gtk2
    • ncurses-libs
    • redhat-lsb-core
    • unixODBC

    Example: yum install chkconfig coreutils initscripts gtk2 ncurses-libs redhat-lsb-core unixODBC

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 7 if you want to install the embedded MariaDB:

    • boost-program-options
    • iproute
    • libcom_err
    • libnsl
    • libpmem
    • openssl
    • openssl-libs
    • pam
    • pcre2
    • perl (including perl-DBI, perl-File-Copy, perl-Sys-Hostname)
    • pv (EPEL package)
    • socat
    • zlib

    Example: yum install perl-DBI boost-program-options socat libpmem

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 8 and Rocky Linux 8 if you want to install the embedded MariaDB:

    • boost-program-options
    • compat-openssl10
    • iproute
    • libpmem
    • libnsl
    • openssl
    • openssl-libs
    • pam
    • pcre2
    • perl (including perl-DBI, perl-File-Copy, perl-Sys-Hostname)
    • socat
    • zlib

    Example: yum install openssl-libs openssl compat-openssl10 libnsl libpmem

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 9 and Rocky Linux 9:

    • chkconfig
    • coreutils
    • initscripts
    • gtk2
    • ncurses-compat-libs (EPEL package)
    • unixODBC

    Example: dnf install chkconfig coreutils initscripts gtk2 ncurses-compat-libs unixODBC

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 9 and Rocky Linux 9 if you want to install the embedded MariaDB:

    • boost-program-options
    • iproute
    • libedit
    • libpmem
    • ncurses-libs
    • openssl
    • openssl-libs
    • pam
    • pcre2
    • perl (including perl-DBI, perl-File-Copy, perl-Sys-Hostname)
    • socat
    • zlib

    Example: dnf install openssl-libs openssl libpmem socat zlib

    Some packages are part of the Extra Packages for Enterprise Linux (EPEL) repository. If you haven't done so already, you need to include the EPEL repository before you can install any packages from it:

    • RHEL 7: sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    • RHEL 9: sudo dnf install epel-release

    The following default packages need to be additionally installed on Ubuntu Server 22.04 LTS:

    • libgtk2.0-0
    • libncurses5
    • init-system-helpers
    • unixodbc

    Example: apt install libgtk2.0-0 libncurses5 init-system-helpers unixodbc

    The following default packages need to be additionally installed on Ubuntu Server 22.04 LTS if you want to install the embedded MariaDB:

    • iproute2
    • libpmem1
    • libcrypt1
    • libedit2
    • libgcc-s1
    • libncurses6
    • libpam0g
    • libpcre2-8-0
    • libssl3
    • libtinfo6
    • liburing2
    • perl
    • procps
    • psmisc
    • socat
    • zlib1g

    Example: apt install iproute2 libpmem1 libcrypt1 libedit2

    On Red Hat Enterprise Linux 7, you need to update OpenSSL if the following error message occurs during installation:

    error: Failed dependencies:

    libcrypto.so.10(OPENSSL_1.0.2)(64bit) is needed by MariaDB-client-10.6.12-1.el7.centos.x86_64

    Error: Cannot install package(s).

    • With internet access, you can update OpenSSL with yum install openssl-libs openssl
    • In environments without internet access, you can update OpenSSL from the OneSpan Authentication Server ISO image using sudo rpm -U libsepol-2.5-10.el7.x86_64.rpm openssl-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm. The RPM files are located in Software/Linux/IAS_3.20/redhat/rhel7.

    When you install the embedded MariaDB database on Red Hat Enterprise Linux, you might get a conflict with older MariaDB or MySQL packages, such as:

    file /etc/my.cnf from install of MariaDB-common-10.11.5-1.el7.centos.x86_64 conflicts with file from package mysql-libs-5.1.73-3.el6_5.x86_64

    or

    error: Failed dependencies:

    mariadb-libs < 1:10.1.0 conflicts with MariaDB-compat-10.11.5-1.el7.centos.x86_64

    mariadb-libs is obsoleted by MariaDB-compat-10.11.5-1.el7.centos.x86_64

    To resolve this issue, the conflicting package needs to be removed. This can be done using rpm --erase --nodeps <package-name> for mariadb-libs.

    This command normally needs to be executed with root permissions (e.g. using sudo).

    When you install the embedded MariaDB database on Red Hat Enterprise Linux 9 or Rocky Linux 9, you might get a package conflict, such as:

    Package rhel9/MariaDB-shared obsoletes following packages: mariadb-connector-c, mariadb-connector-c-config

    To resolve this issue, the conflicting package needs to be removed. This can be done using the following command:

    dnf remove mariadb-connector-c*

    Note that removing the mariadb-connector-c and mariadb-connector-c-config packages might also implicitly remove other applications installed.

    The installation script installs all selected packages.
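
The dependency lists in step 14 can be checked before install.sh is started, so that the installer does not stop at the missing-dependency prompt. The following script is an added example, not part of the OneSpan documentation or installer: it compares the package names listed on this page with a list of installed package names. The function names (required_packages, missing_packages) and the sample data are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for step 14. Package names are copied from
# this page's lists; function and variable names are hypothetical.
PERL_PKGS="perl perl-DBI perl-File-Copy perl-Sys-Hostname"

# required_packages PLATFORM [yes|no] -> listed packages, one per line.
# PLATFORM: rhel7, rhel8 (or Rocky 8), rhel9 (or Rocky 9), ubuntu22.
# The second argument "yes" adds the embedded-MariaDB list.
required_packages() {
  _base="" _db=""
  case $1 in
    rhel7|rhel8) _base="chkconfig coreutils initscripts gtk2 ncurses-libs redhat-lsb-core unixODBC" ;;
    rhel9)       _base="chkconfig coreutils initscripts gtk2 ncurses-compat-libs unixODBC" ;;
    ubuntu22)    _base="libgtk2.0-0 libncurses5 init-system-helpers unixodbc" ;;
    *) echo "unsupported platform: $1" >&2; return 2 ;;
  esac
  if [ "${2:-no}" = yes ]; then
    case $1 in
      rhel7)    _db="boost-program-options iproute libcom_err libnsl libpmem openssl openssl-libs pam pcre2 $PERL_PKGS pv socat zlib" ;;
      rhel8)    _db="boost-program-options compat-openssl10 iproute libpmem libnsl openssl openssl-libs pam pcre2 $PERL_PKGS socat zlib" ;;
      rhel9)    _db="boost-program-options iproute libedit libpmem ncurses-libs openssl openssl-libs pam pcre2 $PERL_PKGS socat zlib" ;;
      ubuntu22) _db="iproute2 libpmem1 libcrypt1 libedit2 libgcc-s1 libncurses6 libpam0g libpcre2-8-0 libssl3 libtinfo6 liburing2 perl procps psmisc socat zlib1g" ;;
    esac
  fi
  printf '%s\n' $_base $_db   # unquoted on purpose: one name per line
}

# missing_packages PLATFORM [yes|no]: read installed package names on stdin
# (one per line) and print every required package that is not among them.
missing_packages() {
  _installed=$(cat)
  _req=$(required_packages "$@") || return
  for _p in $_req; do
    printf '%s\n' "$_installed" | grep -qxF -- "$_p" || printf '%s\n' "$_p"
  done
}

# Constructed sample of installed package names (not taken from a real host).
SAMPLE_INSTALLED="coreutils
openssl
openssl-libs
pam
zlib
unixODBC"

# On a real host, feed the package database instead of the sample:
#   rpm -qa --qf '%{NAME}\n' | missing_packages rhel9 yes
#   dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' | awk '$1=="ii"{print $2}' | missing_packages ubuntu22 yes
printf '%s\n' "$SAMPLE_INSTALLED" | missing_packages rhel9 yes
```

The comparison is by exact package name only; a dependency that is satisfied by a differently named package is still reported as missing.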

Additional tasks

In some cases, you need to configure the database or set the necessary permissions before configuring OneSpan Authentication Server.

If required, perform the following tasks:

  • Configure and test the database.
  • Modify the database schema.
  • Verify the database permissions.

Configuring the database

If you use the embedded MariaDB database, the installation script automatically installs and configures the database. In this case, you can skip this task.

If you have not already configured the database for your OneSpan Authentication Server environment, you should do so now, including setting up UnixODBC (see Setting up UnixODBC).

Testing the database

If you use the embedded MariaDB database, the installation script automatically installs and configures the database. In this case, you can skip this task.

Open a terminal window and type the following command to test the database connection:

isql -v DSN db_username db_password

where:

  • DSN is the data source name set up earlier in the database setup stage (these instructions used a DSN of Identikey-DataSrc).
  • db_username and db_password are the credentials for a database administrator account.

If the database connection attempt fails, an error message is displayed. Re-check your database configuration and correct any incorrect settings.

Modifying the database schema

If you use the embedded MariaDB database, the installation script automatically installs and configures the database. In this case, you can skip this task.

dpdbadmin only retrieves tables that are owned by the calling user. For this reason, you need to either call dpdbadmin as the table owner, or consistently use the same user for database schema creation, update, and/or validation.

To set up the required schema in the database, open a terminal and type the following command:

/usr/sbin/dpdbadmin addschema -u dbusername -p dbpassword -d DSN

where:

  • DSN is the Data Source Name set up earlier in the Database Setup stage (these instructions used a DSN of Identikey-DataSrc).
  • dbusername and dbpassword are the credentials for a database administrator account with schema modification privileges.

If you want to specify your own master domain name and/or lowercase conversion for user IDs and domain names, specify the -domain and/or -case options.

After performing an ODBC data store extension, wait several minutes for the schema extensions to replicate across the system.

To check whether ODBC schema updates have been completed

  • Use the following command:

    dpdbadmin checkschema -u db_username -p db_password -d dsn

    where:

    • db_username is the user name of the database user account.
    • db_password is the corresponding password of db_username.
    • dsn is the ODBC data source name.

Do not continue with the installation until checkschema returns a successful result!

For more information on dpdbadmin, see ODBC database manual setup.

By default, OneSpan Authentication Server runs with the username vasco-ias, and the Message Delivery Component runs with the username vasco-mdc. You can change these settings at the respective prompts during the installation.

Verifying database permissions

If the database user account used by OneSpan Authentication Server is not the owner of the tables and is not a database administrator account, you must either: 

  • Provide the database user account with permissions for the tables.
  • Transfer ownership of the tables to the database user account.

For instructions, refer to your database documentation. As an added precaution, perform the permission or ownership modifications in a separate terminal window.

Ensure that it is possible for the account(s) mentioned to reference the tables by name without a schema prefix. If this cannot be done, refer to the OneSpan Authentication Server Administrator Guide, Section "Database User Accounts".

Next steps

When the required components have been installed, the Configuration Wizard is started to complete the initial configuration (see Configuring OneSpan Authentication Server (advanced installation)).