Configuring OneSpan Authentication Server (upgrade)

When the required components have been upgraded, the Configuration Wizard is started to complete the upgrade configuration.

Before you begin

  • Ensure that you have successfully upgraded OneSpan Authentication Server (see Upgrading OneSpan Authentication Server).
  • If you want to license OneSpan Authentication Server during initial configuration, obtain and prepare an appropriate license file (see Finalizing pre-installation). Alternatively, you can apply a valid license file after installation via the Administration Web Interface.

Configuring OneSpan Authentication Server

To configure OneSpan Authentication Server (upgrade)

  1. In the Welcome page, select Next.
  2. If required, confirm that you want to update the database schema.

    This step is only required if the schema has changed in the current version.

    The database schema update cannot be reverted. After updating the database schema, you cannot use an older version of OneSpan Authentication Server.

    For more information about schema updates, see ODBC database manual setup.

  3. If required, select Migrate to migrate the data from an existing embedded PostgreSQL to a new MariaDB database.

    This step is only required if you are upgrading from a version using an embedded PostgreSQL database.

    The embedded database and existing data are automatically migrated from the PostgreSQL database to a new MariaDB database.

    This migration can take quite some time depending on the size of the database. To minimize migration time, you can first reduce the amount of data to migrate by exporting and deleting audit data from the database.

  4. If required, configure OneSpan Authentication Server to use a valid license.

    1. Open a new command window. From there, copy the license file to /opt/vasco/ias.
    2. Return to the Configuration Wizard and type the location and file name of the license file.
  5. (OPTIONAL) Specify an administrative user ID to assign any new administrative privileges.

    The user ID must exist in the master domain and already have the Administrative Logon privilege assigned.

    All administrative privileges introduced in any upgrade since the version of OneSpan Authentication Server that you are upgrading from will be assigned to the specified user.

    If you do not want to assign any new administrative privileges to a specific user now, leave User ID blank and click Next to skip this step. To assign the new administrative privileges later, you need to use Rescue Administrator in the Maintenance Wizard.

  6. If required, migrate to HSM.

    If SSM is configured for this instance of OneSpan Authentication Server, the Configuration Wizard will display the HSM Migration page.

    • Select Migrate to Thales ProtectServer (formerly SafeNet) HSM to use and configure a Thales ProtectServer HSM.

      1. Specify the location of the PKCS#11 library file. The file is typically named libcryptoki.so.
      2. Specify the HSM storage data key details: storage key label, storage key KCV (key check value checksum), slot ID, token label, and token PIN.
      3. Specify the HSM sensitive data key details: sensitive data key, sensitive data key KCV, token label, and token PIN.

      For more information about setting up a Thales ProtectServer HSM, see Thales ProtectServer hardware security modules (HSM).

    • Select Migrate to Entrust nShield (formerly nCipher) HSM to use and configure an Entrust nShield HSM.

      Note that you need to install and configure the Entrust nShield Hardserver to successfully connect to the HSM.

      Provide all the required information:

      1. Specify the HSM storage key label.
      2. Specify the file name of the sensitive data key BLOB file (see Creating a sensitive data key (Entrust nShield)).
      3. Specify the key hash (see Creating a sensitive data key (Entrust nShield)).

      For more information about setting up an Entrust nShield HSM, see Entrust nShield hardware security modules (HSM).

    Passwords used for hardware security module setup must comply with the default password rules:

    • At least 7 characters long
    • Contains at least 1 lowercase character
    • Contains at least 1 uppercase character
    • Contains at least 1 numeric character

    For more information, refer to the OneSpan Authentication Server Administrator Guide.

    For the migration to HSM to take effect, start the rotation from SSM to HSM keys in the OneSpan Authentication Server Administration Web Interface. The migration from SSM to HSM is complete only when the rotation has finished. The HSM keys need to be visible in the Administration Web Interface.

    The migration from an SSM to an HSM deployment cannot be reverted. Migrating back to an SSM deployment is not possible.

  7. (OPTIONAL) Configure the Secure Auditing settings for the HSM, when migrating from SSM to HSM.

    The OneSpan Authentication Server Configuration Wizard allows this configuration only if Secure Auditing was configured before migrating to an HSM. It is not possible to change configuration settings, e.g. epoch settings.

    Existing audit data will not be migrated to the HSM.

  8. Configure partitioning for the audit database tables.

    This step is available only if you are using the embedded MariaDB database.

    If you enable partitioning, audit data is split up into smaller subsets (partitions), instead of having all audit data in one big table. Each partition contains the data for one day. This can improve database performance for queries and delete operations.

    If you select this option during upgrade, all historical audit data is split into respective partitions. If you already have a lot of audit data, this can take some time to complete. You can, however, enable audit partitioning at any time after the upgrade.

  9. Select Proceed.

    The configured settings are applied. OneSpan Authentication Server is configured and all respective daemons are started.

  10. Select Finish to close the Configuration Wizard.

The Configuration Wizard applies the configuration to the upgraded OneSpan Authentication Server.
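
A pre-flight check for the values entered in step 6, as an added example that is not part of the OneSpan documentation or tooling: it validates an HSM password against the default password rules listed in that step and checks the PKCS#11 library path before you type it into the wizard. The function names and the group/other-writable test are assumptions added here.

```shell
#!/bin/sh
# Added example: pre-flight checks for the HSM values entered in step 6.
# Function names are illustrative; they are not part of any OneSpan tooling.

# Check a token PIN / HSM password against the default rules in step 6.
# Prints every failed rule to stderr (never the password); returns 0 or 1.
check_hsm_password() {
    pw=$1
    rc=0
    if [ "${#pw}" -lt 7 ]; then
        echo "password: shorter than 7 characters" >&2; rc=1
    fi
    case "$pw" in *[[:lower:]]*) ;; *)
        echo "password: no lowercase character" >&2; rc=1 ;;
    esac
    case "$pw" in *[[:upper:]]*) ;; *)
        echo "password: no uppercase character" >&2; rc=1 ;;
    esac
    case "$pw" in *[[:digit:]]*) ;; *)
        echo "password: no numeric character" >&2; rc=1 ;;
    esac
    unset pw
    return "$rc"
}

# Check the PKCS#11 library path (typically .../libcryptoki.so).
# The group/other-writable test is an added hardening check, not a wizard
# requirement: the server loads this library and hands it the token PIN.
check_pkcs11_lib() {
    lib=$1
    if [ ! -f "$lib" ] || [ ! -r "$lib" ]; then
        echo "pkcs11: $lib is not a readable regular file" >&2
        return 1
    fi
    # -L resolves symlinks so the mode shown is that of the real file.
    mode=$(ls -ldL -- "$lib" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*)
            echo "pkcs11: $lib is writable by group or others ($mode)" >&2
            return 1 ;;
    esac
    return 0
}
```

Source the file and call the functions from the command window you opened for the wizard; read the PIN into a variable with terminal echo disabled rather than typing it as a literal argument, where it would be saved in shell history.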

Additional considerations

The Installation Wizard creates a trace file to log the configuration process in the following location:

/var/log/vasco/identikey/ikconfigwizardconsole.trace

If the Configuration Wizard is canceled during the installation or upgrade of OneSpan Authentication Server, the Web Administration Service will not be installed automatically. You can manually initiate the Web Administration Service installation at any time. For instructions, see Installing OneSpan Authentication Server Web Administration Service.

Next steps

  • (OPTIONAL) Install OneSpan Authentication Server Administration Web Interface.
  • If required, verify and perform any post-upgrade tasks necessary to complete the upgrade.