OneSpan Web Configuration Tool examples

Configuring OneSpan Authentication Server instances and server certificates

To configure a OneSpan Authentication Server instance and automatically retrieve and add the respective server certificates to the trust store, use the following command:

admintool autoadd name url

where:

  • name is the display name of the OneSpan Authentication Server entry.
  • url is the web address of the OneSpan Authentication Server instance in URL format. This includes the protocol string, the host component (IP address, host name, or FQDN), and the SOAP port, e.g. https://10.2.2.15:8888. If you are using a host name or FQDN, it must be correctly resolved by a DNS server. If the host name or FQDN resolves to more than one IP address, the first IP address returned by the DNS server will be used.

The display name and URL must both be unique. Attempting to add another server with either an existing name or URL will fail.


admintool autoadd IKServer1 https://192.0.2.1:8888 (Windows)

./admintool autoadd IKServer1 https://192.0.2.1:8888 (Linux)

This example command creates a new OneSpan Authentication Server record that will:

  • Be displayed in the Administration Web Interface application with the name IKServer1.
  • Connect to the SOAP communicator using https at the IP address 192.0.2.1 and port 8888.

It also adds the OneSpan Authentication Server TLS/SSL server certificate to the default trust store.


admintool autoadd IKServer2 https://host.example.org:8888 (Windows)

./admintool autoadd IKServer2 https://host.example.org:8888 (Linux)

This example command creates a new OneSpan Authentication Server record that will:

  • Be displayed in the Administration Web Interface application with the name IKServer2.
  • Connect to the SOAP communicator using https at host.example.org and port 8888. The FQDN host.example.org must correctly resolve to a valid IP address.

It also adds the OneSpan Authentication Server TLS/SSL server certificate to the default trust store. The URL host component (host.example.org) must be set either as common name (CN) or the subject alternative name (SAN) in the certificate.

The URL host component that is used to connect to the OneSpan Authentication Server instance (either IP address, host name, or FQDN) must match the common name (CN) or the subject alternative name (SAN) in the TLS/SSL server certificate for SOAP connections. Otherwise, when the Administration Web Interface attempts to connect to OneSpan Authentication Server (for example via the FQDN while the certificate is issued for the IP address), you will receive an error that the certificate does not match the common name of the certificate subject.

The self-signed TLS/SSL certificates created by the OneSpan Authentication Server Configuration Wizard contain only the IP address in the subject alternative name (SAN). If you need to use the FQDN when establishing the connection, you have to create a certificate that contains the FQDN in the SAN.
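The following pre-flight check illustrates the host-matching rule described above. It is an added example, not part of the OneSpan admintool: it extracts the host component from a connection URL and tests it against the certificate's SAN entries (and, failing that, its CN). Certificate identities are passed in as plain lists rather than parsed from PEM files, so the two certificates below are constructed stand-ins, one shaped like a Configuration Wizard certificate (IP address only in the SAN) and one reissued with the FQDN. All function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit


def soap_url_host(url):
    """Return the host component of a server URL; reject non-https URLs and URLs without a port."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"SOAP connection URL must use https: {url}")
    if parts.port is None:
        raise ValueError(f"URL must include the SOAP port, e.g. https://host:8888: {url}")
    return parts.hostname  # lowercased by urlsplit


def _dns_name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, '*' allowed only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def host_matches_certificate(url, san_dns, san_ip, common_name):
    """True if the URL host component is covered by a SAN entry or, failing that, by the CN."""
    host = soap_url_host(url)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL needs an iPAddress SAN entry (or a CN holding the same literal).
        if any(ip == ipaddress.ip_address(s) for s in san_ip):
            return True
        return common_name is not None and common_name.strip() == str(ip)
    if any(_dns_name_matches(name, host) for name in san_dns):
        return True
    return common_name is not None and _dns_name_matches(common_name, host)


# Constructed certificate identities (not real certificates). The wizard-style one carries only
# the IP address in its SAN, as the text describes; its CN is left out because the page does not state it.
WIZARD_STYLE_CERT = {"san_dns": [], "san_ip": ["192.0.2.1"], "common_name": None}
FQDN_CERT = {"san_dns": ["host.example.org"], "san_ip": ["192.0.2.1"], "common_name": "host.example.org"}

if __name__ == "__main__":
    for url in ("https://192.0.2.1:8888", "https://host.example.org:8888"):
        for label, cert in (("wizard cert", WIZARD_STYLE_CERT), ("FQDN cert", FQDN_CERT)):
            verdict = "ok" if host_matches_certificate(url, **cert) else "MISMATCH"
            print(f"{url:32} {label:12} {verdict}")
```

Run the check before `admintool autoadd` or `admintool server add` with the host form you intend to use in the URL; a MISMATCH for the FQDN against the wizard certificate is exactly the case the paragraph above describes, and the fix is a certificate whose SAN contains the FQDN, not a different URL form.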

To add a OneSpan Authentication Server record without adding a certificate to the trust store, type:

admintool server add name url

where:

  • name is the display name of the OneSpan Authentication Server entry.
  • url is the IP address (or FQDN) and SOAP port of the OneSpan Authentication Server instance, including the protocol string.


admintool server add "Admin Server" https://192.0.2.1:8888 (Windows)

./admintool server add "Admin Server" https://192.0.2.1:8888 (Linux)

This creates a new OneSpan Authentication Server record that will be displayed in the Administration Web Interface application using the name Admin Server and will connect to the IDENTIKEY SOAP communicator using https at address 192.0.2.1 and port 8888.

To display the current list of OneSpan Authentication Server instances type:

admintool server list

Using a server certificate for a OneSpan Authentication Server instance

The certification authority (CA) for the certificate of the OneSpan Authentication Server instance must be added to the trust store of the Administration Web Interface. In the case of a self-signed certificate, this will be the self-signed certificate itself.

To add the SSL certificate for SOAP connections to the OneSpan Authentication Server instance to the trust store, use the following command:

admintool certificate add certificate_file

where:

  • certificate_file is the path to the OneSpan Authentication Server SSL certificate used by the SOAP communicator.

    By default, the self-signed certificates created when installing OneSpan Authentication Server are located in:

    /etc/vasco/ias (Linux)

    %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin (Windows)

    The CA certificate used for the Administration Web Interface trust store should be the SOAP communicator SSL certification authority (CA), i.e. ikey_soap_serverca.pem.


admintool certificate add "%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin\ikey_soap_serverca.pem" (Windows)

./admintool certificate add /etc/vasco/ias/ikey_soap_serverca.pem (Linux)

This adds the ikey_soap_serverca.pem certificate authority to the default trust store.

Ensure that the connection URL to the server is specified to use https if you add a certificate.

Using a client certificate for the Administration Web Interface

To install a SOAP SSL client certificate for the Administration Web Interface type:

admintool certificate add ca_file private_key_file keystore_password

where:

  • ca_file is the location and file name of the SOAP SSL certificate authority file.
  • private_key_file is the location and file name of the private key file for the client certificate file.

This certificate is used to authenticate the Administration Web Interface when it attempts to connect to the OneSpan Authentication Server.


admintool certificate add "%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin\ikey_soap_serverca.pem" "%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin\clientkey.der" password01 (Windows)

./admintool certificate add /etc/vasco/ias/ikey_soap_serverca.pem /etc/vasco/ias/clientkey.der password01 (Linux)

This configures Administration Web Interface to use the supplied certificate authority.

Configuring the OneSpan User Websites with the OneSpan Web Configuration Tool

To configure the OneSpan User Websites via the OneSpan Web Configuration Tool and select which product is being configured, type:

admintool type votp autoadd primary ip_address

To verify and display the current list of OneSpan Authentication Server instances type:

admintool type votp server list

The type command specifies which product or website is configured by the command that follows it. Using type is optional; the default value for this option is webadmin.

Use the type command

type=webadmin

Write the configuration to admintool.properties and use the webadmin namespace for the properties.

# webadmin servers, where the name is a base64 encoded name

com.vasco.webadmin.SOAP.Servers.MTAuMTAuMjAwLjc1.URL=https\://192.0.2.1\:8888

type=votp

Write the configuration to admintool.properties and use the votp namespace for the properties.

# votp primary and backup servers. Only the names "primary" and "backup" are allowed.

com.vasco.identikey.votp.SOAP.Servers.primary.URL=https\://192.0.2.1\:8888

com.vasco.identikey.votp.SOAP.Servers.backup.URL=https\://192.0.2.1\:8888

type=selfmgmt

Write the configuration to admintool.properties and use the selfmgmt namespace for the properties.

# selfmgmt primary and backup servers. Only the names "primary" and "backup" are allowed.

com.vasco.identikey.selfmgmt.SOAP.Servers.primary.URL=https\://192.0.2.1\:8888

com.vasco.identikey.selfmgmt.SOAP.Servers.backup.URL=https\://192.0.2.1\:8888
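To make the property layout concrete, the following script renders and parses admintool.properties server lines for the three namespaces above. It is an added example, not OneSpan code: the prefixes come from the page, webadmin entries carry the base64-encoded display name (the page's sample key MTAuMTAuMjAwLjc1 decodes to 10.10.200.75), votp and selfmgmt accept only "primary" and "backup", and values use standard Java .properties escaping of ':' and '='. Escaping '=' padding inside a base64 key is an assumption about how admintool writes such names, and the sample file content is constructed. Function names are hypothetical.

```python
import base64
import re

# Property-key prefixes used by each admintool "type" (taken from the page's examples).
PREFIXES = {
    "webadmin": "com.vasco.webadmin.SOAP.Servers",
    "votp": "com.vasco.identikey.votp.SOAP.Servers",
    "selfmgmt": "com.vasco.identikey.selfmgmt.SOAP.Servers",
}
PRODUCT_BY_PREFIX = {prefix: product for product, prefix in PREFIXES.items()}


def escape_property(text):
    """Escape text the way Java .properties syntax requires: backslash, ':' and '='."""
    return text.replace("\\", "\\\\").replace(":", "\\:").replace("=", "\\=")


def unescape_property(text):
    """Undo escape_property: any backslash-escaped character stands for itself."""
    return re.sub(r"\\(.)", r"\1", text)


def server_entry_name(product, display_name):
    """webadmin keys hold the base64-encoded display name; votp/selfmgmt allow only primary/backup."""
    if product == "webadmin":
        return base64.b64encode(display_name.encode("utf-8")).decode("ascii")
    if product in ("votp", "selfmgmt"):
        if display_name not in ("primary", "backup"):
            raise ValueError(f'{product}: only "primary" and "backup" are allowed, got {display_name!r}')
        return display_name
    raise ValueError(f"unknown type {product!r}")


def server_property_line(product, display_name, url):
    """Render one admintool.properties line for a server record."""
    # Base64 '=' padding would be escaped here as well (assumption about admintool's own writer).
    entry = escape_property(server_entry_name(product, display_name))
    return f"{PREFIXES[product]}.{entry}.URL={escape_property(url)}"


_SERVER_LINE = re.compile(
    r"^(?P<prefix>com\.vasco\.(?:webadmin|identikey\.votp|identikey\.selfmgmt)\.SOAP\.Servers)"
    r"\.(?P<entry>(?:\\.|[^.\\])+)\.URL=(?P<url>.*)$"
)


def list_servers(properties_text):
    """Parse admintool.properties text into (type, name, url) tuples, decoding base64 webadmin names."""
    servers = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _SERVER_LINE.match(line)
        if not match:
            continue
        product = PRODUCT_BY_PREFIX[match.group("prefix")]
        entry = unescape_property(match.group("entry"))
        name = base64.b64decode(entry).decode("utf-8") if product == "webadmin" else entry
        servers.append((product, name, unescape_property(match.group("url"))))
    return servers


# Constructed sample file content, modelled on the property lines shown on the page.
SAMPLE_PROPERTIES = """\
# webadmin servers, where the name is a base64 encoded name
com.vasco.webadmin.SOAP.Servers.MTAuMTAuMjAwLjc1.URL=https\\://192.0.2.1\\:8888
# votp primary and backup servers
com.vasco.identikey.votp.SOAP.Servers.primary.URL=https\\://192.0.2.1\\:8888
com.vasco.identikey.votp.SOAP.Servers.backup.URL=https\\://192.0.2.2\\:8888
"""

if __name__ == "__main__":
    print(server_property_line("webadmin", "IKServer1", "https://192.0.2.1:8888"))
    for product, name, url in list_servers(SAMPLE_PROPERTIES):
        print(f"{product:9} {name:15} {url}")
```

Because the webadmin name is only base64-encoded, not hashed, anyone reviewing admintool.properties can recover the display names; treat the file as configuration that documents which servers the web interface trusts, and keep its permissions as tight as those of the trust store it refers to.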