Configuring OneSpan Authentication Server (upgrade)

When the required components have been installed, use the Configuration Wizard to complete the initial configuration. To launch the Configuration Wizard, click Run Configuration Wizard in the Select Components page of the OneSpan Authentication Server Setup Utility.

On some versions of Windows, the Configuration Wizard requires an administrative logon to the OneSpan Authentication Server host. Therefore you may be prompted to do one of the following:

• Confirm that the application should be run as an administrator.
• Enter valid administrator credentials for the OneSpan Authentication Server host.

The purpose of either prompt is to elevate your privileges to those required by the application you are attempting to run. If you cannot elevate your privileges, the application will run in a non-elevated state, which will likely result in unexpected behavior.

Before you begin

• Ensure that you have successfully upgraded OneSpan Authentication Server (see Upgrading OneSpan Authentication Server).

ConfiguringOneSpan Authentication Server after upgrade

To configure OneSpan Authentication Server after a product upgrade

1. In the Start page of the Configuration Wizard, click Next to begin.

2. On the Update Schema page, click Next to update the database schema.

   This page is displayed only if the schema has changed in the current version.

   The database schema update cannot be reverted. After upgrading the database schema, you cannot use an older version of OneSpan Authentication Server.

   For more information about schema updates, see ODBC database manual setup.

3. If required, click Migrate to migrate the data from an existing embedded PostgreSQL to a new MariaDB database.

   This page is displayed only if you are upgrading from a version that uses an embedded PostgreSQL database.

   The embedded database and existing data are automatically migrated from the PostgreSQL database to a new MariaDB database.

   This migration can take some time depending on the size of the database. To minimize migration time, you can first reduce the amount of data to migrate by exporting and deleting audit data from the database.

4. If required, configure OneSpan Authentication Serverto use a valid license.

   This step is optional and required only if your existing installation of OneSpan Authentication Server does not have a valid license.

   If you need a new license, you must first download it from the OneSpan Customer Portal. If you have not already done that you can do it now by going to the specified website, or by clicking Request a License Key. You can click Copy URL to Clipboard to copy the URL to the clipboard; doing so allows you to download the license manually.

   Copy URL to Clipboard is useful for servers that do not have a web browser installed, or if you wish to register for a license after the installation instead.

   If you already have a license key file, click Browse and select the license key file. You can continue without loading a license key file, but you must load one before you can start to use OneSpan Authentication Server.

5. (OPTIONAL) Specify an administrative user ID to assign any new administrative privileges.

   The user ID must exist in the master domain and already have the Administrative Logon privilege assigned.

   All new administrative privileges introduced in all upgrades since the version of OneSpan Authentication Server that is currently upgraded will be assigned to the specified user.

   If you do not want to assign any new administrative privileges to a specific user now, leave User ID blank and click Next to skip this step. To assign the new administrative privileges later, you need to use Rescue Administrator in the Maintenance Wizard.

6. If required, migrate to HSM.

   If SSM is configured for this instance of OneSpan Authentication Server, and if an ODBC storage is used, the Configuration Wizard will display the HSM Migration page.

   If you choose Migrate to Thales ProtectServer (formerly SafeNet) HSM:

   1. Provide the location of the PKCS11 library file. This file is typically named cryptoki.dll. Click Next to continue.

   2. Provide the storage key details in the HSM Storage Key page:

      • Storage Key Label: the name of the key used
      • Storage Key KCV: the key check value checksum
      • Slot ID: name of the slot where tokens and keys are stored
      • Token label
      • Token PIN

   3. Use the HSM Sensitive Data Encryption Key page to provide the following:

      • Sensitive Data Key label
      • Sensitive Data Key KCV
      • Token Label
      • Token PIN

      For more information about hardware security module setup, refer to Thales ProtectServer hardware security modules (HSM).

   To effectively migrate to the HSM, start the rotation from SSM to HSM keys in the OneSpan Authentication Server Administration Web Interface. Only when the rotation is finished, will the migration from SSM to HSM be completed. The HSM keys need to be visible in the Administration Web Interface.

   The migration from an SSM to an HSM deployment cannot be reverted. Migrating back to an SSM deployment is not possible.

7. (OPTIONAL) Configure the Secure Auditing settings for the HSM, when migrating from SSM to HSM.

   The OneSpan Authentication Server Configuration Wizard allows this configuration only if Secure Auditing was configured before migrating to an HSM. It is not possible to change configuration settings, e.g. epoch settings.

   Existing audit data will not be migrated to the HSM.

8. Configure partitioning for the audit database tables.

   This step is available only if you are using the embedded MariaDB database.

   If you enable partitioning, audit data is split up into smaller subsets (partitions), instead of having all audit data in one big table. Each partition contains the data for one day. This can improve database performance for queries and delete operations.

   If you select this option during upgrade, all historical audit data is split into respective partitions. If you already have a lot of audit data, this can take some time to complete. You can, however, enable audit partitioning at any time after the upgrade.

9. On the Confirmation page, review the configured settings and click Next to update the configuration.

10. On the Summary page, review the summary of all operations and errors that may have occurred, and click Next to continue.

11. Click Finish to close the Configuration Wizard.

    You are now returned to the OneSpan Authentication Server Setup Utility.

Next steps

• (OPTIONAL) Install IAS Web Administration Service.
• If required, verify and perform any post-upgrade tasks necessary to complete the installation.