Configuring OneSpan Authentication Server (advanced installation)

When the required components have been installed, the Configuration Wizard is started to complete the initial configuration.

Before you begin

  • Ensure that you have successfully installed OneSpan Authentication Server (see Installing OneSpan Authentication Server (advanced installation)).
  • If you want to license OneSpan Authentication Server during initial configuration, obtain and prepare an appropriate license file (see Finalizing pre-installation). Alternatively, you can apply a valid license file after installation via the Administration Web Interface.
  • If required, ensure that your ODBC database is correctly set up and running, including the required data source names (see Setting up UnixODBC).
  • If required, prepare the necessary storage and sensitive data key details and files to configure your hardware security module (HSM).
  • If you want to use sensitive data encryption with an existing key pair, prepare your data encryption file.
  • If you want to use a software security module with an existing key pair, prepare the certificate file for Secure Auditing.
  • Prepare any commercial SSL certificates you want to use for encrypted communication.
  • If you want to integrate OneSpan Authentication Server with a domain name system (DNS) server, verify that the configuration file for the DNS resolver library is up to date, i.e. /etc/resolv.conf.

Configuring OneSpan Authentication Server

To configure OneSpan Authentication Server (advanced installation)

  1. In the Welcome page, select Next.

  2. If required, select or add an IP address to use for OneSpan Authentication Server.

  3. Configure OneSpan Authentication Server to use a valid license:

    1. Open a new command window. From there, copy the license file to /opt/vasco/ias.
    2. Return to the Configuration Wizard and type the location and file name of the license file.
  4. Configure the server functionality.

    On the Server Functionality page, enable the server functionalities you need. By default, all functionality permitted by the license loaded in the previous step is enabled.

  1. Specify user ID and domain name case conversion.

    You can specify that OneSpan Authentication Server converts user IDs and domain names to lowercase before accessing the data store. If the data store is case-sensitive, this prevents several user accounts from being created for a single user whose ID was entered with different capitalization.

  2. Configure the master domain. The default name is master.

  3. Configure the data source settings.

    Specify the ODBC data source name (DSN) for the database that OneSpan Authentication Server will use, along with the required username and password.

    If you are using the embedded MariaDB database supplied with OneSpan Authentication Server, the default credentials are:

    User name: digipass

    Password: digipassword

    For more information about changing these settings later, refer to the OneSpan Authentication Server Administrator Guide.

    When you select Next, the Configuration Wizard will test the connection settings and display an error message if the connection fails.

  4. Configure partitioning for the audit database tables.

    This step is available only if you are using the embedded database (MariaDB).

    If you enable partitioning, audit data is split up into smaller subsets (partitions), instead of having all audit data in one big table. Each partition contains the data for one day. This can improve database performance for queries and delete operations.

  5. Configure the login details for the first administrator account.

    The first administrator account will have a full set of administrative privileges.

    Type a user ID and a password twice to prevent typing errors.

    The password for this account must comply with the default password rules:

    • At least 7 characters long
    • Contains at least 1 lowercase character
    • Contains at least 1 uppercase character
    • Contains at least 1 numeric character

    For more information, refer to the OneSpan Authentication Server Administrator Guide.

  6. Specify which hardware security module (HSM) to use and configure it.

    • Select Do not use a Hardware Security Module if you do not want to use an HSM.

      In this case, OneSpan Authentication Server uses a software security module.

    • Select Use Thales ProtectServer (formerly SafeNet) HSM to use and configure a Thales ProtectServer HSM.

      1. Specify the location of the PKCS#11 library file. The file is typically named libcryptoki.so.
      2. Specify the HSM storage data key details: storage key label, storage key KCV (key check value checksum), slot ID, token label, and token PIN.
      3. Specify the HSM sensitive data key details: sensitive data key, sensitive data key KCV, token label, and token PIN.

      For more information about setting up a Thales ProtectServer HSM, see Thales ProtectServer hardware security modules (HSM).

    • Select Use Entrust nShield (formerly nCipher) HSM to use and configure an Entrust nShield HSM.

      Note that you need to install and configure the Entrust nShield Hardserver to successfully connect to the HSM.

      Provide all the required information:

      1. Specify the HSM storage key label.
      2. Specify the file name of the sensitive data key BLOB file (see Creating a sensitive data key (Entrust nShield)).
      3. Specify the key hash (see Creating a sensitive data key (Entrust nShield)).

      For more information about setting up an Entrust nShield HSM, see Entrust nShield hardware security modules (HSM).

    Passwords used for hardware security module setup must comply with the default password rules:

    • At least 7 characters long
    • Contains at least 1 lowercase character
    • Contains at least 1 uppercase character
    • Contains at least 1 numeric character

    For more information, refer to the OneSpan Authentication Server Administrator Guide.

  7. If required, specify the encryption mode for sensitive data.

    This option is only available if OneSpan Authentication Server.

    In the Encryption Mode list select:

    • Standard with embedded key. No further details are required.
    • Custom with embedded and custom key combination. Specify your storage data cryptographic key and select its cipher in the next screen (Custom Data Encryption). The required key length depends on the selected cipher; for the AES-128-CBC cipher, the storage key is a 32-digit hexadecimal number (16 bytes). Storage data cryptographic keys are used for securing authenticator BLOBs. Each cryptographic application of each authenticator has its own BLOB, which contains the authenticator configuration and other important information about the device.
    • Load from file. If you have created your own data encryption file, specify the encryption file path and the password in the next screen (Load Data Encryption).

    If you want to use a custom encryption key for sensitive data, this should be set before any authenticator is imported to the live version of OneSpan Authentication Server. For more information, refer to the OneSpan Authentication Server Administrator Guide.

  8. Configure Secure Auditing.

    Specify whether to use Secure Auditing from the list.

    • If you chose to use a hardware security module (HSM):

      1. Specify the epoch details.

        Epochs can be measured in elapsed time or lines in the audit file; you can configure either or both.

      2. Specify the HSM key settings.

        A self-signed certificate will be generated based on the master audit public key. The name of the certificate is IDENTIKEY Master Audit Certificate.

    • If you chose to use a software security module:

      1. Specify the epoch details.

        Epochs can be measured in elapsed time or lines in the audit file; you can configure either or both.

      2. Specify the SSM master keypair settings.

        • Generate and install new keypair and certificate (self-signed). Provide the passwords to the master audit key store. The Configuration Wizard generates an ECDSA key pair for use as the master audit key pair; this key pair is NIST P-256 compliant and is stored in PKCS #12 format. The name of the certificate is IDENTIKEY Master Audit Certificate.
        • Install my own keypair. Provide the certificate file and its corresponding private key password.

          Certification authority (CA) files should be located on the same host as OneSpan Authentication Server. If your CA file is located on a network share, you need to copy the file locally before you browse to it and select it.

    The password for the master audit key store must comply with the following requirements:

    • At least 16 characters long
    • Contains at least 1 lowercase character
    • Contains at least 1 uppercase character
    • Contains at least 1 numeric character

    Manually created Secure Auditing certificate files must be generated from supported elliptic curve keys. Secure Auditing for OneSpan Authentication Server only supports elliptic curve keys that are:

    • ECDSA
    • NIST P-256 compliant
    • Stored in PKCS #12 format
    • Password-protected (i.e. empty password is not valid)

    Additionally, the certificate file must meet the following requirements:

    • It must be in the correct file format:

      • If you are installing the certificate file via the Configuration Wizard during installation, it should be in .pem file format.
      • If you are installing the certificate file via the Configuration Utility, it should be in .p12 file format.
    • The elliptic curve key must be password-protected (i.e. an empty password is not valid).
    • The certificate must be generated from the elliptic curve key.
    • The elliptic curve key must be placed in the certificate file.

    For more information about Secure Auditing, refer to the OneSpan Authentication Server Administrator Guide.
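The curve and key-type requirements above can be checked before a manually created key or certificate is handed to the Configuration Wizard. The following is an added example, not OneSpan code: it decodes a PEM block, walks the DER structure, collects the object identifiers it contains, and reports whether the key is an ECDSA key on NIST P-256 (prime256v1, OID 1.2.840.10045.3.1.7). The sample SubjectPublicKeyInfo structures are constructed inside the block with a dummy public point; the P-384 sample is included only as a negative case. The PKCS #12 password requirement is not checked here.

```python
"""Pre-check that a Secure Auditing key or certificate uses ECDSA on NIST P-256.

Added example, not OneSpan code. Works on any DER blob (certificate,
SubjectPublicKeyInfo) by collecting the OIDs it contains; the samples
below are constructed for this example and carry a dummy public point.
"""
import base64
import re

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey
OID_PRIME256V1 = "1.2.840.10045.3.1.7"    # NIST P-256 / secp256r1 (the supported curve)
OID_SECP384R1 = "1.3.132.0.34"            # P-384, negative case only

# DER encodings of the curve OIDs, used to build the constructed samples.
DER_OID_PRIME256V1 = b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"
DER_OID_SECP384R1 = b"\x06\x05\x2b\x81\x04\x00\x22"


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first PEM block found in pem_text."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def _decode_oid(content: bytes) -> str:
    """Decode the content octets of an ASN.1 OBJECT IDENTIFIER into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:           # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_oids(data: bytes) -> list:
    """Collect every OID in a DER blob, recursing into constructed types (SEQUENCE, SET, [n])."""
    oids = []
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]
        i += 2
        if length & 0x80:          # long-form length: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if tag == 0x06:            # OBJECT IDENTIFIER
            oids.append(_decode_oid(value))
        elif tag & 0x20:           # constructed type: descend into it
            oids.extend(der_oids(value))
        i += length
    return oids


def check_secure_audit_key(der: bytes) -> dict:
    """Report key type and curve; 'ok' is True only for an EC key on P-256."""
    oids = der_oids(der)
    is_ec = OID_EC_PUBLIC_KEY in oids
    curves = [o for o in oids if o.startswith("1.2.840.10045.3.1.") or o.startswith("1.3.132.0.")]
    curve = curves[0] if curves else None
    return {"is_ec": is_ec, "curve": curve, "ok": is_ec and curve == OID_PRIME256V1}


def sample_spki(curve_oid_der: bytes) -> bytes:
    """Constructed SubjectPublicKeyInfo with the given curve and a dummy 65-byte point."""
    alg = b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + curve_oid_der
    alg_seq = b"\x30" + bytes([len(alg)]) + alg
    point = b"\x03\x42\x00\x04" + b"\x00" * 64     # BIT STRING, uncompressed point (dummy)
    body = alg_seq + point
    return b"\x30" + bytes([len(body)]) + body


# Constructed PEM sample for the positive case.
SAMPLE_P256_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(sample_spki(DER_OID_PRIME256V1)).decode()
    + "\n-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    print("P-256 sample:", check_secure_audit_key(pem_to_der(SAMPLE_P256_PEM)))
    print("P-384 sample:", check_secure_audit_key(sample_spki(DER_OID_SECP384R1)))
```

To check a real file, read it with `pem_to_der(open(path).read())` for a .pem certificate or public key, or pass the raw bytes of a DER file directly to `check_secure_audit_key`; an RSA key reports `is_ec` as False, and any curve other than prime256v1 reports `ok` as False.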

  1. Configure the SSL certificate for the SOAP communicator.

    • To install your own SSL certificate:

      1. Select Install my own SSL certificate from the Certificate Option list.

      2. Specify the required private SSL certificate details in the SSL Server Certificate Selection page.

        • Private key file
        • Private key password
        • Certificate file
        • (OPTIONAL) Intermediate certificate bundle
        • Certificate authority (CA) file
    • To generate and install a new test SSL certificate:

      1. Select Generate and Install a self-signed certificate from the Certificate Option list.

      2. Type a password for the private key twice to prevent typing errors.

      3. Select a signature algorithm.

    Private key passwords used for SSL certificates must comply with the following requirements:

    • At least 16 characters long
    • Contains at least 1 lowercase character
    • Contains at least 1 uppercase character
    • Contains at least 1 numeric character
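
The page states two password policies: a minimum of 7 characters for the first administrator account and for HSM setup passwords, and a minimum of 16 characters for the master audit key store and for SSL private key passwords, each also requiring at least one lowercase, one uppercase and one numeric character. The following added example, not OneSpan code, implements both tiers so that a password can be checked before it is typed into the wizard; the policy names are this example's own labels.

```python
"""Pre-check passwords against the two Configuration Wizard password policies.

Added example, not OneSpan code. The policy labels are this example's own;
the minimum lengths and character classes are the ones the page states.
"""
import string

# Policy label -> minimum length. All policies share the three character-class rules.
POLICIES = {
    "admin_or_hsm": 7,           # first administrator account, HSM setup passwords
    "keystore_or_ssl_key": 16,   # master audit key store, SSL private key passwords
}


def password_violations(password: str, policy: str) -> list:
    """Return the rules the password breaks under the given policy (empty list = passes)."""
    min_len = POLICIES[policy]
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase character")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase character")
    if not any(c in string.digits for c in password):
        problems.append("no numeric character")
    return problems


def password_ok(password: str, policy: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not password_violations(password, policy)


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    for pw, pol in [("Abc1234", "admin_or_hsm"), ("Abc1234", "keystore_or_ssl_key")]:
        print(pol, repr(pw), password_violations(pw, pol) or "ok")
```

Note that a password that passes the 7-character policy does not automatically pass the 16-character one, so check the key store and SSL private key passwords against `keystore_or_ssl_key` rather than reusing an administrator password.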
  2. Repeat the previous step to configure the SSL certificates for:

    • SEAL communicator
    • RADIUS communicator
    • MDC server
    • Live Audit connection

    When you configure the SSL certificates for these components, you can also choose to use an existing certificate by selecting Use an existing certificate from another component from the Certificate Option list.

    For more information, refer to the OneSpan Authentication Server Administrator Guide.

    If you re-run the Installation Wizard via the Maintenance Wizard and you have multiple Live Audit connections configured, you need to manually configure all Live Audit connections (see SSL re-configuration of multiple live audit connections).

  3. Configure automatic server discovery support.

    • Select No DNS service registration to skip integrating OneSpan Authentication Server with a DNS server now.

    • Select DNS registration supporting Dynamic DNS to integrate OneSpan Authentication Server with a DNS server via dynamic DNS (DDNS).

      1. Type the DNS domain name.
      2. Type the host name or IP address of the DNS server in the Host Name field.
      3. Set the priority for OneSpan Authentication Server, i.e. primary server or backup server.
    • Select DNS registration supporting Dynamic DNS with TSIG authentication to integrate OneSpan Authentication Server with a DNS server via DDNS using Transaction SIGnature (TSIG) authentication.

      1. Type the full path and file name for the shared key file.
      2. Type the DNS domain name.
      3. Type the host name or IP address of the DNS server in Host Name.
      4. Set the priority for OneSpan Authentication Server, i.e. primary server or backup server.

      The shared key file must be in regular TSIG format; GSS-TSIG is currently not supported.

  4. Specify the location of Web Administration Service.

    This information is required to create a client record of type Administration Program for Web Administration Service. The option to select depends on whether you plan to install Web Administration Service locally, on the same computer as OneSpan Authentication Server, or remotely, on another computer.

    • Local. Select this option to create a client record for a Web Administration Service instance installed on the local computer.

    • Remote. Select this option and type a remote IP address to create a client record for a Web Administration Service instance installed on a remote computer.

      If you want to install more than one standalone instance of Web Administration Service, you need to create the additional client records manually after the initial installation.

  5. (OPTIONAL) Specify the IP address of the SDK client host.

    Type the IP address if the OneSpan Authentication Server SDK Sample Web Client has been installed. A client component record will be created for the machine.

  6. Select Proceed.

    The configured settings are applied: OneSpan Authentication Server is configured and all related daemons are started.

  7. (OPTIONAL) Import authenticator records from an authenticator record file.

    1. Type yes to do so, or no to skip this step.
    2. Specify the following information:

      • Administrator username
      • Administrator password
      • Domain to import the authenticator entries into
      • Location and file name of the authenticator import file
      • Transport key (for a demo authenticator, this is 11111111111111111111111111111111)
    3. If required, type yes to import authenticator records from another import file.

Additional considerations

The Installation Wizard creates a trace file to log the configuration process in the following location:

/var/log/vasco/identikey/ikconfigwizardconsole.trace

If the Configuration Wizard is canceled during the installation or upgrade of OneSpan Authentication Server, the Web Administration Service will not be installed automatically. You can manually initiate the Web Administration Service installation at any time. For instructions, see Installing OneSpan Authentication Server Web Administration Service.

Next steps