Installing IAS Web Administration Service
After configuring OneSpan Authentication Server using the Configuration Wizard, IAS Web Administration Service can be installed.
Web Administration Service can be installed with the following options:
- Local. Web Administration Service and OneSpan Authentication Server will be installed on the same server.
- Remote. Web Administration Service will be installed and deployed standalone, allowing for OneSpan Authentication Server and Web Administration Service to be installed on separate servers.
Before you begin
- Web Administration Service includes an embedded Apache Tomcat web server. If you want to use an existing web server, you need to deploy Administration Web Interface manually (see Deploying and configuring Administration Web Interface manually (optional)).
- Ensure that you have successfully installed OneSpan Authentication Server and that you specified the correct location of Web Administration Service when configuring OneSpan Authentication Server using the Configuration Wizard during initial installation.
- Ensure that you do not have a version of Apache Tomcat installed that was previously bundled with OneSpan Authentication Server.
- Ensure that at least one of the default ports used by Apache Tomcat is not used by another program, i.e. port 8443 or 9443. The setup package tests whether the ports are in use and automatically binds Apache Tomcat to the first unused port.
Installing Web Administration Service
To install Web Administration Service (local installation)
-
Click Install IAS Web Administration in the Select Components page in the setup program to launch the Web Administration Service Setup.
If you are upgrading an existing installation of OneSpan Authentication Server, the Web Administration Service Setup is performed automatically without user interaction.
-
Click Next to begin.
-
If required, read the OneSpan license agreement, select I agree to the terms of the license agreement, and click Next.
-
Click Install to start the installation.
Web Administration Service is being installed. If OneSpan Authentication Server has already been installed, Web Administration Service is configured to use the local OneSpan Authentication Server instance automatically. If OneSpan Authentication Server has not yet been installed, Web Administration Service remains unconfigured and you need to configure it later manually (see Additional tasks).
-
Click Finish to close the Web Administration Service Setup and return to the Select Components page.
-
To install Web Administration Service (remote installation)
-
On the remote server, open a Command Prompt window.
-
Change to the folder on the product CD where the Web Administration Service Setup is located, i.e. cd_drive\Software\Windows\IAS 3.26.
-
Type the following command:
msiexec /i ias-web-administration_version_arch.msi SERVER_LOCATION=server_location SERVER_PORT=server_port
where:
- server_location is the server name or IP address of the OneSpan Authentication Server instance.
- server_port is the server port of the OneSpan Authentication Server instance, usually 8888.
This installs Web Administration Service using the specified server parameters to configure the connection to the OneSpan Authentication Server instance.
If a connection to the OneSpan Authentication Server instance cannot be established, Web Administration Service will be installed but remains unconfigured.
Additional considerations
If you skip installing Web Administration Service during the initial installation of OneSpan Authentication Server, you can install it at a later time by using the steps for a remote (standalone) installation (see To install Web Administration Service (remote installation)).
Additional tasks
Configuring Administration Web Interface manually
If the Web Administration Service Setup does not detect OneSpan Authentication Server, Administration Web Interface will not be configured. If you install OneSpan Authentication Server on the same computer later, you need to manually configure Administration Web Interface after the installation.
To configure Administration Web Interface
-
Open a Command Prompt window.
-
Change to the Web Administration Service installation folder, by default %PROGRAMFILES%\VASCO\IAS Web Administration, and run the following command:
admintool autoadd name url
where:
- name is the display name for OneSpan Authentication Server.
- url is the web address of the OneSpan Authentication Server instance in URL format. This includes the protocol string, the host component (IP address, host name, or FQDN), and the SOAP port, e.g. https://192.0.2.15:8888. If you are using a host name or FQDN, it must be correctly resolved by a DNS server. If the host name or FQDN resolves to more than one IP address, the first IP address returned by the DNS server will be used.
This creates a server record for OneSpan Authentication Server and adds any available TLS/SSL certificates to the Administration Web Interface trust store.
The URL host component that is used to connect to the OneSpan Authentication Server instance (either IP address, host name, or FQDN) must match the common name (CN) or the subject alternative name (SAN) in the TLS/SSL server certificate for SOAP connections. Otherwise, you will receive an error that the certificate does not match the common name of the certificate subject when Administration Web Interface attempts to connect to OneSpan Authentication Server, e.g. if you are trying to connect via the FQDN, but the certificate is issued for the IP address.
The self-signed TLS/SSL certificates created by the OneSpan Authentication Server Configuration Wizard contain only the IP address in the subject alternative name (SAN). If you need to use the FQDN when establishing the connection, you have to create a certificate that contains the FQDN in the SAN.
-
Restart the VASCO IAS Web Administration service.
Configuring X-Frame-Options
You can configure the X‑Frame‑Options HTTP response header sent by Web Administration Service to effectively allow or prevent it from being embedded inside other websites. To configure the HTTP response header, edit the deployment descriptor file (WEB‑INF/web.xml) and set the frameOption parameter of the com.vasco.webadmin.CacheHeaderResponseFilter filter class accordingly:
<filter>
<filter-name>Cache Header Response Filter</filter-name>
<filter-class>com.vasco.webadmin.CacheHeaderResponseFilter</filter-class>
<init-param>
<param-name>frameOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>
By default, embedding is only allowed into other websites on the same origin as Web Administration Service itself.
Next steps
- If required, verify and perform any post-installation tasks necessary to complete the installation (see Post-installation tasks and considerations).