Configuring OneSpan Authentication Server for ODBC deployments (advanced installation)

When the required components have been installed, use the Configuration Wizard to complete the initial configuration. To launch the Configuration Wizard, click Run Configuration Wizard in the Select Components page of the OneSpan Authentication Server Setup Utility.

On some versions of Windows, the Configuration Wizard requires an administrative logon to the OneSpan Authentication Server host. Therefore you may be prompted to do one of the following:

• Confirm that the application should be run as an administrator.
• Enter valid administrator credentials for the OneSpan Authentication Server host.

The purpose of either prompt is to elevate your privileges to those required by the application you are attempting to run. If you cannot elevate your privileges, the application will run in a non-elevated state, which will likely result in unexpected behavior.

Before you begin

• Ensure that you have successfully installed OneSpan Authentication Server (see Installing OneSpan Authentication Server for ODBC deployments (advanced installation)).
• If you want to license OneSpan Authentication Server during initial configuration, obtain and prepare an appropriate license file (see Finalizing pre-installation). Alternatively, you can apply a valid license file after installation via the Administration Web Interface.

Configuring OneSpan Authentication Server(ODBC deployment)

To configure an advanced ODBC deployment

1. In the Start page of the Configuration Wizard, click Next.

2. Select the IP address to use for OneSpan Authentication Server.

3. Configure OneSpan Authentication Server to use a valid license.

   If you need a new license, you must first download it from the OneSpan Customer Portal. If you have not already done that you can do it now by going to the specified website, or by clicking Request a License Key. You can click Copy URL to Clipboard to copy the URL to the clipboard; doing so allows you to download the license manually.

   Copy URL to Clipboard is useful for servers that do not have a web browser installed, or if you wish to register for a license after the installation instead.

   If you already have a license key file, load it by navigating to the file. You can continue without loading a license key file, but you must load one before you can start to use OneSpan Authentication Server.

4. Configure the server functionality.

   On the Server Functionality page, enable the server functionalities as needed. By default, all options permitted by any license loaded previously will be enabled.

5. Configure user ID and domain conversion.

   Select the case conversion format you require from the Case Conversion list. Select Use Windows Name Resolution to use Windows Name Resolution; it is recommended that you do so if Dynamic User Registration (DUR) is also enabled.

   For more information, see User ID and domain name conversion.

6. Configure the master domain.

   The default name is master.

7. Configure the data source settings.

   Specify the ODBC data source name (DSN) for the database that OneSpan Authentication Server will use, along with the required username and password.

   If you are using the embedded MariaDB database supplied with OneSpan Authentication Server, the default credentials are:

   User name: digipass

   Password: digipassword

   For more information about changing these settings later, refer to the OneSpan Authentication Server Administrator Guide.

   Upon clicking Next, the Configuration Wizard will test the connection settings and display an error message if the connection fails.

8. Configure the login details for the first administrator account.

   The first administrator account will have a full set of administrative privileges.

   Type a user ID and a password twice to prevent typing errors.

   The password for this account must comply with the default password rules:

   • At least 7 characters long
   • Contains at least 1 lowercase character
   • Contains at least 1 uppercase character
   • Contains at least 1 numeric character

   For more information, refer to the OneSpan Authentication Server Administrator Guide.

9. Select whether or not to use a hardware security module.

   The HSM-related wizard pages are available only if you have enabled the hardware security module server functionality.

   Select Use Thales ProtectServer (formerly SafeNet) HSM to use and configure a Thales ProtectServer HSM:

   1. Provide the location of the PKCS11 library file. This file is typically named cryptoki.dll. Click Next to continue.

   2. Provide the storage key details in the HSM Storage Key page:

      • Storage Key Label: the name of the key used
      • Storage Key KCV: the key check value checksum
      • Slot ID: name of the slot where tokens and keys are stored
      • Token label
      • Token PIN

   3. Use the HSM Sensitive Data Encryption Key page to provide the following:

      • Sensitive Data Key label
      • Sensitive Data Key KCV
      • Token Label
      • Token PIN

      For more information about hardware security module setup, refer to Thales ProtectServer hardware security modules (HSM).

10. If you did not configure a hardware security module, configure sensitive data encryption. If you configured an HSM, you will be directed to the Secure Auditing page.

    In the Encryption Mode list select:

    • Standard with embedded key. No further details are required.
    • Custom with embedded and custom key combination. Specify your storage data cryptographic key and select its cipher in the next screen (Custom Data Encryption). The required storage depends on your selected cipher; for AES-128-CBC ciphers, the storage key is a 32-digit HEX number. Storage data cryptographic keys are used for securing authenticator BLOBs. Each cryptographic application for each authenticator has its own BLOB. This BLOB contains authenticator configuration and other important information about the device.
    • Load from file. If you have created your own data encryption file, specify the encryption file path and the password in the next screen (Load Data Encryption).

    If you want to use a custom encryption key for sensitive data, this should be set before any authenticator is imported to the live version of OneSpan Authentication Server. For more information, refer to the OneSpan Authentication Server Administrator Guide.

11. Configure Secure Auditing.

    Specify whether to use Secure Auditing from the list.

    • If you chose to use a hardware security module (HSM):

      1. Specify the epoch details.

         Epochs can be measured in elapsed time or lines in the audit file; you can configure either or both.

      2. Specify the HSM key settings.

         A self-signed certificate will be generated based on the master audit public key. The name of the certificate is IDENTIKEY Master Audit Certificate.

    • If you chose to use a software security module:

      1. Specify the epoch details.

         Epochs can be measured in elapsed time or lines in the audit file; you can configure either or both.

      2. Specify the SSM master keypair settings.

         • Generate and install new keypair and certificate (self-signed). Provide the passwords to the master audit key store. The keys in the master audit keypair will generate an ECDSA keypair for use as master audit keypair. This keypair will be NIST P-256 compliant and will be stored in PKCS #12 format. The name of the certificate is IDENTIKEY Master Audit Certificate.

         • Install my own keypair. Provide the certificate file and its corresponding private key password.

           Certification authority (CA) files should be located on the same host as OneSpan Authentication Server. If your CA file is located on a network share, you need to copy the file locally before you browse to it and select it.

    The password for the master audit key store must comply with the following requirements:

    • At least 16 characters long
    • Contains at least 1 lowercase character
    • Contains at least 1 uppercase character
    • Contains at least 1 numeric character

    Manually created Secure Auditing certificate files must be generated from supported elliptic curve keys. Secure Auditing for OneSpan Authentication Server only supports elliptic curve keys that are:

    • ECDSA
    • NIST P-256 compliant
    • Stored in PKCS #12 format
    • Password-protected (i.e. empty password is not valid)

    Additionally, the certificate file must meet the following requirements:

    • It must be in the correct file format:

      • If you are installing the certificate file via the Configuration Wizard during installation, it should be in .pem file format
      • If you are installing the certificate file via the Configuration Utility, it should be in .p12 file format.
    • The elliptic curve must be password-protected (i.e. an empty password is not valid).
    • The certificate must be generated from the elliptic curve key.
    • The elliptic curve key must be placed in the certificate file.

    For more information about Secure Auditing, refer to the OneSpan Authentication Server Administrator Guide.

12. Configure partitioning for the audit database tables.

    This step is available only if you are using the embedded database (MariaDB).

    If you enable partitioning, audit data is split up into smaller subsets (partitions), instead of having all audit data in one big table. Each partition contains the data for one day. This can improve database performance for queries and delete operations.

13. Configure the SSL certificate for the SOAP communicator.

    • To install your own SSL certificate:

      1. Select Install my own SSL certificate.

      2. Specify the required private SSL certificate details in the SSL Server Certificate Selection page.

         • Private key file
         • Private key password
         • Certificate file
         • (OPTIONAL) Intermediate certificate bundle
         • Certificate authority (CA) file

    • To generate and install a new test SSL certificate:

      1. Select Generate and Install a self-signed certificate.

      2. Type a password for the private key twice to prevent typing errors.

      3. Select a signature algorithm.

    Private key passwords used for SSL certificates must comply with the following requirements:

    • At least 16 characters long
    • Contains at least 1 lowercase character
    • Contains at least 1 uppercase character
    • Contains at least 1 numeric character

14. Repeat the previous step to configure the SSL certificates for:

    • SEAL communicator
    • RADIUS communicator
    • MDC server
    • Live Audit connection

    When you configure the SSL certificates for these components, you can also choose to use an existing certificate by selecting Use an existing certificate from another component.

    For more information, refer to the OneSpan Authentication Server Administrator Guide.

    If you re-run the Installation Wizard via the Maintenance Wizard and you have multiple Live Audit connections configured, you need to manually configure all Live Audit connections (see SSL re-configuration of multiple live audit connections).

15. Configure the initial SNMPv3 user.

    This page is available only if the Net-SNMP package has been installed via the OneSpan Authentication Serverinstallation package.

    1. Type the IP address and the port to use for SNMPv3 requests.

       By default, the SNMP agent will run on the local host and listen on port 161.

    2. Type a security name.

    3. Configure either authentication only or both of the following:

       • Authentication type. Specifies whether messages sent will be signed and which protocol to use for signing: None, MD5, or SHA.
       • Privacy type. Specifies whether messages sent will be encrypted and which protocol to use for encryption: None, AES, or DES.

       These two configurations set which authentication (MD5 or SHA) and privacy (AES or DES) protocols to use for SNMPv3 requests. When enabling and configuring authentication and privacy type, include a passphrase (authentication/privacy secret) for it.

       When you configure SNMP targets, make sure to set either the authentication type only or both authentication and privacy type for a complete trap configuration in the OneSpan Authentication Server Configuration Utility, i.e. you cannot set a privacy type without setting an authentication type.

       Only the following combinations for SNMP communication are valid:

       • Without authentication and privacy (both set to None).
       • With authentication, but without privacy.
       • With authentication and privacy.

    For more information about configuring the initial SNMPv3 user, refer to the OneSpan Authentication Server Administrator Guide.

16. Configure automatic server discovery support.

    • Select No DNS service registration to skip integrating OneSpan Authentication Server with a DNS server now.

    • Select DNS registration supporting Dynamic DNS to integrate OneSpan Authentication Server with a DNS server via dynamic DNS (DDNS).

      1. Type the DNS domain name.
      2. Type the host name or IP address of the DNS server in the Host Name field.
      3. Set the priority for OneSpan Authentication Server, i.e. primary server or backup server.

    • Select DNS registration supporting Dynamic DNS with TSIG authentication to integrate OneSpan Authentication Server with a DNS server via DDNS using Transaction SIGnature (TSIG) authentication.

      1. Type the full path and file name for the shared key file.
      2. Type the DNS domain name.
      3. Type the host name or IP address of the DNS server in Host Name.
      4. Set the priority for OneSpan Authentication Server, i.e. primary server or backup server.

      The shared key file must be in regular TSIG format, GSS-TSIG is currently not supported.

    • Select DNS registration supporting Secure Dynamic Update (Microsoft AD) to implement DNS registration with secure dynamic update support.

      1. Type the DNS domain name.
      2. Type the host name or IP address of the DNS server in Host Name.
      3. Set the priority for OneSpan Authentication Server, i.e. primary server or backup server.

    Click Test Settings to verify that the DNS server settings are correct. The Configuration Wizard will test the connection and list the result on-screen.

17. Specify the location of Web Administration Service.

    This information is required to create a client record of type Administration Program for Web Administration Service. It depends on whether you are planning to install Web Administration Service locally on the same computer as OneSpan Authentication Server or remotely on another computer.

    • Local. Select this option to create a client record for a Web Administration Service instance installed on the local computer.

    • Remote. Select this option and type a remote IP address to create a client record for a Web Administration Service instance installed on a remote computer.

      If you want to install more than one stand-alone instances of Web Administration Service, you need to create additional client records manually after initial installation.

18. (OPTIONAL) Specify the IP address of the SDK client host.

    Type the IP address if the OneSpan Authentication Server SDK Sample Web Client has been installed. A client component record will be created for the machine.

19. Review the configured settings and click Next to start the initial configuration.

    In most cases, a warning will appear, informing you that some ports will need to be enabled in order for OneSpan Authentication Server to function.

    Click Yes to automatically enable the required ports. For more information about incoming and outgoing ports used by OneSpan Authentication Server, see Open port numbers on firewall.

    A summary of all operations will be displayed, including any errors occurred.

20. Click Finish to close the Configuration Wizard.

    You are now returned to the OneSpan Authentication Server Setup Utility.

Next steps

• (OPTIONAL) Install IAS Web Administration Service.
• If required, verify and perform any post-installation tasks necessary to complete the installation (see Post-installation tasks and considerations).