Running multiple OneSpan Authentication Server instances on a single Linux host machine
You can run multiple OneSpan Authentication Server instances on a single Linux host machine.
Each instance must have its own:
- Configuration file
- Unique, unused port numbers to be used by the following communicators and services:
- RADIUS Authentication/Accounting
- SEAL
- SOAP
- DNS Update
- Live Audit Viewer
- Trace file
All OneSpan Authentication Server instances are launched via the same daemon startup script.
Deploying an additional OneSpan Authentication Server instance
The following procedure deploys a single additional OneSpan Authentication Server instance that uses an ODBC data store created within the embedded MariaDB server.
To deploy an additional OneSpan Authentication Server instance
-
Disable OneSpan Authentication Server system monitoring and performance monitoring.
-
Duplicate the original OneSpan Authentication Server configuration file, by default:
/etc/vasco/ias/identikeyconfig.xml
This duplicate configuration file (e.g. /etc/vasco/ias/identikeyconfig2.xml) will be used for the second OneSpan Authentication Server instance.
-
Configure the second OneSpan Authentication Server instance via its configuration file.
-
Configure the trace file.
Tracing is configured via the Trace-File tag:
<Trace-File type="string" data="/var/log/vasco/identikey/ias.trace"/>
Change the data attribute to a different trace file, e.g. /var/log/vasco/identikey/ias2.trace, to allow the second OneSpan Authentication Server instance to keep its own trace logs.
-
Configure the audit directory.
The audit directory is configured via the Log-File tag:
<Log-File type="string" data="/var/log/vasco/identikey/identikeyserver/ikeyserver{year}{month}.audit"/>
Change the data attribute to a different base file name, e.g. /var/log/vasco/identikey/identikeyserver/ikeyserver2-{year}{month}.audit.
-
Configure different ports for each service/communicator used by OneSpan Authentication Server.
The following lists these services/communicators, along with the related tags. Ensure that you replace the default ports.
RADIUS Authentication/Accounting<RadiusCommunicator>
[...]
<Authentication-Port type="string" data="1812"/>
<Accounting-Port type="string" data="1813"/>SEAL<SealCommunicator>
[...]
<IP-Address type="string" data="127.0.0.1"/>
<IP-Port type="unsigned" data="20004"/>
[...]
<SealCommunicator2>
[...]
<IP-Address type="string" data="127.0.0.1"/>
<IP-Port type="unsigned" data="20003"/>Message Delivery Component (MDC)<VDPClient>
[...]
<MDC-IP type="string" data="127.0.0.1"/>
<MDC-Port type="unsigned" data="20007"/>DNS Update<DNS-Update>
[...]
<Service-Target type="string" data="127.0.0.1"/>
<Service-Port type="unsigned" data="20004"/>Live Audit Viewer<Profile03>
[...]
<Plugincfg>
<IP-Address type="string" data="127.0.0.1"/>
<Server-Port type="unsigned" data="20006"/>
-
-
Change the user and group file attributes of the duplicate configuration file:
chown daemon_user:vasco duplicate_configuration_file
where daemon_user is the user account that the OneSpan Authentication Server daemon has been configured to run as during initial installation, by default vasco-ias.
-
Configure the OneSpan Authentication Server startup script (i.e. /etc/init.d/vasco-ias, depending on your Linux distribution) to include the second OneSpan Authentication Server instance in each startup, stop, and restart.
Add the configuration file path of the second OneSpan Authentication Server instance to the CONFIG_FILES parameter.
CONFIG_FILES=”/etc/vasco/ias/identikeyconfig.xml”
For example, if the configuration file of the second OneSpan Authentication Server instance is /etc/vasco/ias/identikeyconfig2.xml, then change this entry to:
CONFIG_FILES=”/etc/vasco/ias/identikeyconfig2.xml”
-
Add the new OneSpan Authentication Server instance to the list of available servers for the Administration Web Interface:
./admintool server add server2 https://host_ip_address:port
where port is the SOAP port used by the second OneSpan Authentication Server instance.
-
Restart the OneSpan Authentication Server daemon:
/etc/init.d/vasco-ias restart
Since the OneSpan Authentication Server startup script now also points to an additional configuration file, OneSpan Authentication Server will run another instance using that configuration file's settings.
- If required, re-enable system monitoring and performance monitoring.
Additional considerations
Only one OneSpan Authentication Server instance can be configured with System Monitoring enabled, even if multiple Net-SNMP instances are running on the same system.
Next steps
Repeat this procedure for each OneSpan Authentication Server instance you wish to deploy.