Installing OneSpan Authentication Server Web Administration Service

After configuring OneSpan Authentication Server using the Configuration Wizard, IAS Web Administration Service can be installed.

Web Administration Service can be installed with the following options:

  • Local. Web Administration Service and OneSpan Authentication Server will be installed on the same server.
  • Remote. Web Administration Service will be installed and deployed standalone, allowing for OneSpan Authentication Server and Web Administration Service to be installed on separate servers.

Before you begin

  • Web Administration Service includes an embedded Apache Tomcat web server. If you want to use an existing web server, you need to deploy Administration Web Interface manually (see Deploying and configuring Administration Web Interface manually (optional)).
  • Ensure that you have successfully installed OneSpan Authentication Server and that you specified the correct location of Web Administration Service when configuring OneSpan Authentication Server using the Configuration Wizard during initial installation.
  • Ensure that you do not have a version of Apache Tomcat installed that was previously bundled with OneSpan Authentication Server.
  • Ensure that at least one of the default ports used by Apache Tomcat is not used by another program, i.e. port 8443 or 9443. The setup package tests whether the ports are in use and automatically binds Apache Tomcat to the first unused port.

Installing Web Administration Service

Although this section outlines installation via the command line, you can also install Web Administration Service using your distribution's graphical package management system.

To install Web Administration Service

  1. On the local or remote server, open a terminal window.
  2. Log in as root using the hyphen option (su -).

    This ensures that you load the root profile, not the default profile.

  3. Navigate to the mounted disk or ISO image containing the OneSpan Authentication Server setup files and locate the Web Administration Service installation package for your Linux distribution:

    • Red Hat Enterprise Linux: cd_drive/Software/Linux/IAS_version/redhat/vasco-ias-web-administration-version.disttag.arch.rpm
    • Ubuntu Server: cd_drive/Software/Linux/IAS_version/ubuntu/vasco-ias-web-administration_version_arch.deb
  4. Install the appropriate installation package.

  5. If you are installing Web Administration Service on the local server, the connection to OneSpan Authentication Server is configured automatically and no further configuration steps are necessary.

    If you are installing Web Administration Service on a remote server, configure the OneSpan Authentication Server details using the OneSpan Web Configuration Tool (see Additional tasks).

Additional considerations

  • If you want to install Web Administration Service on the local server, we recommend that you install it along with OneSpan Authentication Server during initial installation using the server's install script.
  • If you skip installing Web Administration Service during the initial installation of OneSpan Authentication Server, or if you want to install Web Administration Service on a remote server, you can do so at any time by using the Web Administration Service installation package for your distribution.

Additional tasks

Configuring Administration Web Interface manually

If the Web Administration Service setup does not detect OneSpan Authentication Server, Administration Web Interface is not configured. If you later install OneSpan Authentication Server on the same computer, you need to configure Administration Web Interface manually after that installation.

To configure Administration Web Interface

  1. Open a terminal window.
  2. Change to the Web Administration Service installation folder, by default /opt/vasco/iaswas, and run the following command:

    ./admintool autoadd name url

    where:

    • name is the display name for OneSpan Authentication Server.
    • url is the web address of the OneSpan Authentication Server instance in URL format. This includes the protocol string, the host component (IP address, host name, or FQDN), and the SOAP port, e.g. https://192.0.2.15:8888. If you are using a host name or FQDN, it must be correctly resolved by a DNS server. If the host name or FQDN resolves to more than one IP address, the first IP address returned by the DNS server will be used.

    This creates a server record for OneSpan Authentication Server and adds any available SSL certificates to the Administration Web Interface trust store.

    The URL host component that is used to connect to the OneSpan Authentication Server instance (IP address, host name, or FQDN) must match the common name (CN) or the subject alternative name (SAN) in the TLS/SSL server certificate for SOAP connections. Otherwise, when Administration Web Interface attempts to connect to OneSpan Authentication Server, you will receive an error that the certificate does not match the common name of the certificate subject. This happens, for example, if you are trying to connect via the FQDN, but the certificate is issued for the IP address.

    The self-signed TLS/SSL certificates created by the OneSpan Authentication Server Configuration Wizard contain only the IP address in the subject alternative name (SAN). If you need to use the FQDN when establishing the connection, you have to create a certificate that contains the FQDN in the SAN.

  3. Restart the Web Administration Service daemon:

    /etc/init.d/vasco-was restart
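
The host name requirement from step 2, as an added example that is not part of the OneSpan documentation or tooling: it generates two throwaway self-signed certificates (constructed values: one with only an IP address in the SAN, one that also lists an FQDN) and uses OpenSSL's -checkhost and -checkip options to test whether a given url value would match. The host ias.example.test and all function names are assumptions; OpenSSL 1.1.1 or later is required.

```shell
#!/bin/sh
# Added example: constructed hosts and throwaway certificates, not OneSpan tooling.
# Needs OpenSSL 1.1.1 or later (for "req -addext"). IPv4 and host names only.

# make_cert <out.pem> <subjectAltName value>: self-signed test certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ias-test-cert" -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# url_host <url>: host component of a URL such as https://192.0.2.15:8888
url_host() {
    h=${1#*://}    # drop the protocol string
    h=${h%%/*}     # drop any path
    h=${h%:*}      # drop the port
    printf '%s\n' "$h"
}

# cert_matches_url <cert.pem> <url>: exit status 0 if OpenSSL's host or IP
# check accepts the URL host for this certificate.
cert_matches_url() {
    host=$(url_host "$2")
    case $host in
        *[!0-9.]*) check=-checkhost ;;   # anything but digits and dots: a name
        *)         check=-checkip ;;     # dotted IPv4 literal
    esac
    openssl x509 -in "$1" -noout "$check" "$host" | grep -q 'does match'
}

# Demo with constructed values: an IP-only SAN (as described for the
# Configuration Wizard certificates) versus a SAN that also lists the FQDN.
demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/ip-only.pem" "IP:192.0.2.15"
    make_cert "$dir/with-fqdn.pem" "DNS:ias.example.test,IP:192.0.2.15"
    for cert in ip-only with-fqdn; do
        for url in https://192.0.2.15:8888 https://ias.example.test:8888; do
            if cert_matches_url "$dir/$cert.pem" "$url"; then r=match; else r=MISMATCH; fi
            echo "$cert  $url  $r"
        done
    done
    rm -rf "$dir"
}
demo
```

For a real deployment, pass cert_matches_url the PEM file of the server certificate used for SOAP connections together with the url value you intend to give to admintool.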

Configuring X-Frame-Options

You can configure the X-Frame-Options HTTP response header sent by Web Administration Service to effectively allow or prevent it from being embedded inside other websites. To configure the HTTP response header, edit the deployment descriptor file (WEB-INF/web.xml) and set the frameOption parameter of the com.vasco.webadmin.CacheHeaderResponseFilter filter class accordingly:

<filter>
    <filter-name>Cache Header Response Filter</filter-name>
    <filter-class>com.vasco.webadmin.CacheHeaderResponseFilter</filter-class>
    <init-param>
        <param-name>frameOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>

By default, embedding is only allowed into other websites on the same origin as Web Administration Service itself.

Next steps