Post-installation tasks and considerations

Create a client component in OneSpan Authentication Server

After installing DIGIPASS Gateway, you need to create a respective client component on your OneSpan Authentication Server instance(s) specified during the initial DIGIPASS Gateway configuration.

OneSpan Authentication Server uses client component records to determine which requests from which clients can be processed. Component records also specify which policy should be used when processing requests. For more information about component records, refer to the OneSpan Authentication Server Product Guide.

To create a client component for Mobile Authenticator Studio Starter Edition

  1. Log in to the OneSpan Authentication Server Administration Web Interface.

  2. Select CLIENTS > Register and configure the new client component using the following values:

    • Client Type: DIGIPASS Gateway Provisioning DP4MOB Starter
    • Location: The IP address of the host running DIGIPASS Gateway.
    • Protocol ID: SOAP
    • Policy ID: Identikey DP4Mobile 4 Provisioning 2
  3. If required, repeat this procedure on the backup OneSpan Authentication Server instance.

To create a client component for Digipass 760 or Mobile Authenticator Studio Classic or Premium Edition offline or online provisioning

  1. Log in to the OneSpan Authentication Server Administration Web Interface.

  2. Select CLIENTS > Register and configure the new client component using the following values:

    • Client Type: DIGIPASS Gateway Provisioning DP760
    • Location: The IP address of the host running DIGIPASS Gateway.
    • Protocol ID: SOAP
    • Policy ID: IDENTIKEY Provisioning for Multi-Device Licensing
  3. If required, repeat this procedure on the backup OneSpan Authentication Server instance.

To create a client component for OneSpan Mobile Authenticator or OneSpan Mobile Security Suite with online activation and push notification (in the cloud)

  1. Log in to the OneSpan Authentication Server Administration Web Interface.

  2. Select CLIENTS > Register and configure the new client component using the following values:

    • Client Type: Gateway Provisioning
    • Location: The IP address of the host running DIGIPASS Gateway.
    • Protocol ID: SOAP

    • Policy ID: IDENTIKEY Provisioning for Multi-Device Licensing (or a custom policy that inherits from it, e.g. Push Notification – Provisioning)

  3. Select CLIENTS > Register and configure the new client component using the following values:

    • Client Type: DIGIPASS Gateway
    • Location: The IP address of the host running DIGIPASS Gateway.
    • Protocol ID: SOAP

    • Policy ID: Depending on whether you want to set up push and login or push and sign, select one of the following:

      • IDENTIKEY Authentication with Secure Channel (or a custom policy that inherits from it, e.g. Push Notification – Authentication)
      • IDENTIKEY Signature Validation with Secure Channel (or a custom policy that inherits from it, e.g. Push Notification – Signature Validation)
  4. If required, repeat this procedure on the backup OneSpan Authentication Server instance.

To create a client component for OneSpan Mobile Security Suite with online activation and push notification (on-premises)

  1. Log in to the OneSpan Authentication Server Administration Web Interface.

  2. Select CLIENTS > Register and configure the new client component using the following values:

    • Client Type: Gateway Provisioning
    • Location: The IP address of the host running DIGIPASS Gateway.
    • Protocol ID: SOAP

    • Policy ID: IDENTIKEY Provisioning for Multi-Device Licensing (or a custom policy that inherits from it, e.g. Push Notification – Provisioning)

  3. Select CLIENTS > Register and configure the new client component using the following values:

    • Client Type: DIGIPASS Gateway
    • Location: The IP address of the host running DIGIPASS Gateway.
    • Protocol ID: SOAP

    • Policy ID: Depending on whether you want to set up push and login or push and sign, select one of the following:

      • IDENTIKEY Authentication with Secure Channel (or a custom policy that inherits from it, e.g. Push Notification – Authentication)
      • IDENTIKEY Signature Validation with Secure Channel (or a custom policy that inherits from it, e.g. Push Notification – Signature Validation)
  4. If required, repeat this procedure on the backup OneSpan Authentication Server instance.

Configure your firewall

DIGIPASS Gateway uses several different network ports to communicate (see Ports used by DIGIPASS Gateway). If these are blocked by a firewall, some features will not work correctly. Before using DIGIPASS Gateway or if you are experiencing issues, verify that the respective ports are not blocked by a firewall and not in use by other services.

Ports used by DIGIPASS Gateway
Port description Default Protocol Configuration Source
Incoming ports
Apache Tomcat

11080

TCP Apache Tomcat configuration files (automatically during initial setup)

Mobile authenticator apps
Outgoing ports

SOAP

8888

TCP

OneSpan Web Configuration Tool

OneSpan Authentication Server

Some mobile client applications, such as the OneSpan Mobile Authenticator app, send requests back to the on-prem DIGIPASS Gateway via the OneSpan cloud services.

To be able to do so, you need to allow incoming traffic from the following DNS name and IP addresses:

from.push.onespan.cloud

52.212.65.44, 54.195.122.202, 52.18.53.166

Furthermore, you need to allow outgoing traffic to the following DNS name and IP address:

to.push.onespan.cloud

34.247.152.60

Set up Message Delivery Component (MDC) and DIGIPASS Gateway for on-premises notification sending

Message Delivery Component (MDC) is a service included with OneSpan Authentication Server that interfaces with SMS, email, voice, and push notification gateways to send messages to users' mobile phones or email addresses.

By default, MDC is configured to relay push notification messages to the respective cloud-based notification services (Apple APNs, Google FCM) via VASCO Notification Gateway (OneSpan cloud services).

You can configure MDC to use an on-premises deployment of DIGIPASS Gateway that sends push notifications directly to the respective third-party notification services without using OneSpan cloud infrastructure. That way you can use the Mobile Authenticator Studio app and customized apps that integrate OneSpan Mobile Security Suite with an on-premises-only deployment.

You cannot use an on-prem DIGIPASS Gateway to send push notifications if you want to use the OneSpan Mobile Authenticator app. That app works solely with the cloud-only solution.

You need to use an on-prem DIGIPASS Gateway if you want to implement push notifications for transaction data signing (see Push and sign).

Configure your firewall

The firewall configuration of the server hosting DIGIPASS Gateway must allow access to the following endpoints:

  • Android:

    • https://oauth2.googleapis.com
    • https://fcm.googleapis.com/fcm/send

  • iOS:

    • Development mode (Sandbox): api.sandbox.push.apple.com
    • Production mode: api.push.apple.com

    Both servers use TCP port 443. You can also use port 2197 instead to allow APNs traffic but block other HTTPS communication.

The connection details here are provided for your convenience only. Since it refers to third-party services the information is subject to change without prior notice. In case of doubt refer to the documentation of the respective service provider.

Configure Message Delivery Component (MDC) for on-prem notification sending

To use an on-premises deployment of DIGIPASS Gateway for sending push notifications, modify the Message Delivery Component (MDC) settings of all OneSpan Authentication Server instances.

To configure Message Delivery Component (MDC) for on-prem notification sending

  1. Configure MDC to relay push notifications to the on-premises DIGIPASS Gateway instance:

    1. Launch the MDC Configuration Utility.
    2. Switch to the Push Delivery tab.

    3. Set the URL and port of the push notification gateway accordingly.

      • URL: protocol://dpgateway_host/rest/v2/notification/push/sendNotification
      • Port: dpgateway_port

      where:

      • protocol is the protcol used by the DIGIPASS Gateway service, by default https.
      • dpgateway_host is the host running DIGIPASS Gateway.
      • dpgateway_port is the port of the DIGIPASS Gateway service, by default 11080.
    4. Click OK to save the changes and exit the MDC Configuration Utility.

  2. If required, add the certification authority (CA) certificate used by the DIGIPASS Gateway service to the CA bundle file used by MDC, as specified by Certificate File in the Push Delivery tab of the MDC Configuration Utility:

    1. <SSL>
    2.   <CertFile data="curl_ca_bundle_crt" type="string" />
    3. </SSL>

    This is only required, if you are using a custom CA.

  3. Use the front-end API key (see Configure DIGIPASS Gateway API keys) to register DIGIPASS Gateway in OneSpan Authentication Server via the Administration Web Interface (SERVERS > Global Configuration > Push Notification > API Key).

    For more information, refer to the Push Notification Solution Guide in the OneSpan Authentication Server documentation package.

Configure the DIGIPASS Gateway log level

DIGIPASS Gateway can be installed using the provided installation packages that already include an Apache Tomcat web server. In this case, DIGIPASS Gateway logs to the following file:

dpgateway_install_folder/tomcat/logs

By default, dpgateway_install_folder is %PROGRAMFILES%\OneSpan\DIGIPASS Gateway for Windows and /opt/onespan/dpgateway for Linux.

Only errors are logged by default. You can change logging to a more verbose level to include also positive results.

To set the log level to include all information possible

  1. Open the following file in a text editor:

    dpgateway_install_folder/tomcat/webapps/ROOT/WEB‑INF/classes/log4j2.xml

  2. Locate the following line inside the Loggers element:

    <Root level="info">

    Change it to the following:

    <Root level="all">