You must provide the URL of a OneSpan Sign server.
If you are exploring the system or performing tests, you can connect to our Sandbox environment. Alternatively, if you have completed your integration with our system and want to launch your product, you can connect to our Production environment.
Sandbox Accounts are not equivalent to Production Accounts. To connect to the OneSpan Sign Production Environment, you must purchase a Production Account.
Your configuration settings depend on the URL into which you log. If you aren't sure which URL to use, in the email you received when you signed up, click Log into your account. In the Login screen that appears, your login URL will appear in your browser's address bar.
To ensure continuous service, you must whitelist certain IP addresses. To see which IP addresses need to be whitelisted, consult the tab for your environment.
New Incoming IP Whitelists for OneSpan Sign
Please review this section to ensure your OneSpan Sign service continues to function normally.
In order to further optimize the security posture of OneSpan Sign, we made the following changes:
-
We introduced a Web Application Firewall (WAF) and additional protection against Denial-of-Service attacks. This protection is provided through Cloudflare and we switched the inbound IP addresses used by OneSpan Sign to CloudFlareIP addresses.
-
We enhanced the TLS cipher suites supported by OneSpan Sign. Transport Layer Security (TLS) is a protocol that protects the confidentiality and integrity of data exchanged between OneSpan Sign and customers. For more information, see TLS Support.
Please read below for more details about these changes:
What do I need to do?
If you are not whitelisting IPs in your integration, there is no action required on your part.
If you are whitelisting our public IPs, please add the respective FQDN (fully qualified domain name) to your inbound whitelist to continue accessing our services:
| Environment | FQDN |
|---|---|
| Canada Sandbox | sandbox.e-signlive.ca |
| US2 Sandbox | sandbox.esignlive.com |
| US1 Sandbox | sandbox.e-signlive.com |
| Europe Production | apps.esignlive.eu |
| Canada Production | apps.e-signlive.ca |
| US2 Production | apps.esignlive.com |
| US1 Production | apps.e-signlive.com |
| Australia Production | apps.esignlive.com.au |
If your Security policy does not permit FQDN whitelisting, see Cloudflare's IP ranges. These IPs are subject to change at Cloudflare's discretion.
IP whitelisting for outgoing IP addresses is not impacted by this change and is still required.
Support for IPv6 on the AU Production environment was dropped on October 3, 2021.
Below is the list of New Incoming IP addresses (IPv4) applicable to all environments:
-
173.245.48.0/20
-
103.21.244.0/22
-
103.22.200.0/22
-
103.31.4.0/22
-
141.101.64.0/18
-
108.162.192.0/18
-
190.93.240.0/20
-
188.114.96.0/20
-
197.234.240.0/22
-
198.41.128.0/17
-
162.158.0.0/15
-
104.16.0.0/13
-
104.24.0.0/14
-
172.64.0.0/13
-
131.0.72.0/22
Changes to TLS cipher suites
At the same time as the above-mentioned IP switch, we updated the TLS configuration used by OneSpan Sign. OneSpan Sign now uses the following TLS versions and cipher suites:
TLS 1.2 cipher suites
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- AES128-GCM-SHA256
- AES128-SHA256
- AES256-GCM-SHA384
- AES256-SHA256
TLS 1.3 cipher suites
-
TLS13-CHACHA20-POLY1305-SHA256
-
TLS13- AES-256-GCM-SHA384
-
TLS13- AES-128-GCM-SHA256
What do I need to do?
We recommend that you start working with your IT team immediately to upgrade your integration framework to the latest security library supporting the above-mentioned TLS versions and cipher suites. Once completed, please test your OneSpan Sign Sandbox environment to ensure that all TLS communications are working properly. This is an important step that ensures that your organization does not encounter service disruptions:
URL Update for OneSpan Sign Sign API Calls
What do I need to do?
If you have not integrated OneSpan Sign via our API/SDKs and are not using mutual TLS protocols in your integration, there is no action required on your part.
If you HAVE integrated OneSpan Sign via our API/SDKs and are using mutual TLS protocols, in addition to the requirement of switching the IP addresses used by OneSpan Sign to IP addresses of Cloudflare as described above, please change your integration from using port 8443 to using a path.
For example:
| Old | New |
|---|---|
| https://apps.esignlive.com:8443/api | https://apps.esignlive.com/mtls/api |
We also recommend that you start working with your IT team immediately to upgrade your integration framework to the latest security library using strong ciphers. Once completed, please test your OneSpan Sign Sandbox environment to ensure that all TLS communications work properly. This is an important step that ensures that your organization does not encounter service disruptions:
Your configuration settings depend on the URL into which you log. If you aren't sure which URL to use, in the email you received when you signed up, click Log into your account. In the Login screen that appears, your login URL will appear in your browser's address bar.
To ensure continuous service, you must whitelist certain IP addresses. To see which IP addresses need to be whitelisted, consult the tab for your environment:
Before continuing, verify the domain that you are using for your OneSpan Sign instance. The following domains are available:
US 2 (esignlive.com)
US instances that use US 2 (esignlive.com) as their domain must whitelist the following IP addresses:
| Environment | URL | Incoming IP Address | Outgoing IP Address |
|---|---|---|---|
| US 2 OneSpan Sign Production | apps.esignlive.com |
52.4.146.88 23.22.76.174 52.38.114.149 54.213.153.138 IPv4 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 |
52.200.120.227 52.38.93.133 3.223.61.148 |
| US 2 Sandbox | sandbox.esignlive.com |
54.85.59.26 54.164.84.186 IPv4 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 |
18.204.61.4 3.227.220.132 |
US 1 (e-signlive.com)
US instances that use US 1 (e-signlive.com) must whitelist the following IP addresses:
| Environment | URL | Incoming IP Address | Outgoing IP Address |
|---|---|---|---|
| US 1 OneSpan Sign Production | apps.e-signlive.com |
54.85.79.26 54.85.78.62 54.201.3.64 54.200.10.69 IPv4 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 |
54.85.128.97 54.201.188.127 52.25.125.58 18.235.196.149 |
| US 1 Sandbox | sandbox.e-signlive.com |
54.84.132.241 54.85.54.201 IPv4 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 |
54.84.89.182 |
US Government instances must whitelist the following IP addresses:
| Environment | URL | Incoming IP Address | Outgoing IP Address |
|---|---|---|---|
| OneSpan Sign Sandbox for Government | signer-sandbox-gov.esignlive.com | 23.97.15.51 |
Old: 20.141.73.10 New: 20.141.141.113 |
| OneSpan Sign Production for Government | signer-gov.esignlive.com | 23.97.15.51 |
Old: 52.227.164.112 New: 20.141.143.170 |
Updated IP Addresses
Our FedRAMP Sandbox and Production servers have been migrated to new Operating Systems. Because of this migration the Outgoing IP Addresses for these servers changed. You will need to update your list of whitelisted IP addresses to use the new IP addresses listed above. You can add these IP addresses to your whitelist at any time.
There is no change to the list of Incoming IP Addresses.
These updates were performed on the following dates:
| Environment | URL | Date |
|---|---|---|
| OneSpan Sign Sandbox for Government | signer-sandbox-gov.esignlive.com | Friday, April 14th, 2023 at 8:00 PM (ET) |
| OneSpan Sign Production for Government | signer-gov.esignlive.com | Friday, April 21st , 2023 at 8:00 PM (ET) |
While you can keep the old IP addresses in your whitelisted IP addresses, we do recommend that you remove the old outgoing IP addresses.
Canadian instances on esignlive.ca must whitelist the following IP addresses:
| Environment | URL | Incoming IP Address | Outgoing IP Address |
|---|---|---|---|
| PRDC Canada Production | apps.e-signlive.ca |
52.60.92.229 52.60.122.173 169.54.69.11 169.54.69.14 IPv4 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 |
52.60.142.251 52.60.143.116 169.54.69.6 169.54.69.10 |
| SBXC Canada Sandbox | sandbox.e-signlive.ca |
52.60.105.234 52.60.155.238 158.85.81.52 IPv4 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 |
52.60.135.61 52.60.146.3 158.85.82.181 158.85.82.182 |
Australian instances on esignlive.com.au must whitelist the following IP address:
| Environment | URL | Incoming IP Address | Outgoing IP Address |
|---|---|---|---|
| Australia Production | apps.esignlive.com.au |
52.62.209.65 13.55.131.135 168.1.38.249 168.1.38.253 168.1.69.165 168.1.69.174 13.236.244.18 13.237.181.70 |
168.1.38.251 13.55.54.140 52.62.192.176 168.1.69.163 168.1.69.169 13.237.234.180 3.105.3.153 |
|
Cloudflare IP ranges (new) IPv4 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 |
European instances on esignlive.eu must whitelist the following IP address:
| Environment | URL | Incoming IP Address | Outgoing IP Address |
|---|---|---|---|
| Europe Production | apps.esignlive.eu |
18.196.249.213 34.243.5.41 34.243.143.168 35.157.85.150 IPv4 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 |
18.197.87.157 18.197.87.175 52.215.67.32 52.209.144.54 |