Setup with OneSpan Authentication Server on Linux

You can use Digipass Authentication for Windows Logon with OneSpan Authentication Server in a Linux environment.

Before you begin

You must have an Active Directory back end and adjust the Active Directory certificate settings as described below.

To adjust the Active Directory certificate settings

  1. If Active Directory has been installed with SSL enabled, a CA certificate must be installed with Active Directory. Copy this certificate to %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\certs, via one of the following methods:

    • Go to the certificate store on Windows and export the certificate(s). The certificates will be exported as .cer files and must be converted to .pem files.

      -OR-

    • Type the following command:

      openssl s_client -connect name_of_domain_controller:636

      Then copy each returned certificate into its own file, and save each as a .pem file.

  2. Rename the .pem file. This step is mandatory regardless of whether the certificate is downloaded or exported from Windows.

    1. Type the following command to acquire the hash:

      openssl x509 -noout -hash -in certname.pem

    2. Record the hash returned by this command, and rename the .pem file to hashvalue.0.

      For example, if the hash result is 54321, the certname.pem file created previously will be renamed to 54321.0.

    3. Save the renamed file to:

      Windows

      %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\certs

      Linux

      Depending on the Linux distribution used, this is, for example, /etc/ssl/ or /etc/pki/tls/certs/.
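The fetch, convert and rename steps above, worked through as an added shell example (not OneSpan's own tooling). The host name, the certs directory and the use of `-showcerts` are assumptions; the hash written into the file name is the same value the page's `openssl x509 -noout -hash` prints.

```shell
# Added example (not OneSpan's tooling): fetch a domain controller's LDAPS
# certificate chain, convert exported .cer files to PEM, and install each PEM
# under the OpenSSL subject-hash name (<hash>.0) the procedure above requires.
# The host name, the certs directory and the use of -showcerts are assumptions.
set -eu

# Target directory: the IDENTIKEY certs folder or the distribution's CA directory.
CERT_DIR="${CERT_DIR:-./certs}"

# Dump every certificate the domain controller presents on 636 into its own
# numbered PEM file. Without -showcerts, s_client prints only the leaf, not the CA chain.
fetch_ldaps_chain() {
    host="$1"; outdir="$2"
    mkdir -p "$outdir"
    openssl s_client -connect "$host:636" -showcerts </dev/null 2>/dev/null |
        awk -v dir="$outdir" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain-" n ".pem" }
            f { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'
}

# A .cer exported from the Windows certificate store may be DER or Base64;
# accept either and write a .pem next to it.
cer_to_pem() {
    out="${1%.cer}.pem"
    if openssl x509 -inform PEM -in "$1" -noout 2>/dev/null; then
        cp "$1" "$out"
    else
        openssl x509 -inform DER -in "$1" -out "$out"
    fi
    echo "$out"
}

# The directory-lookup hash; -subject_hash is what the page's -hash option prints.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Copy a PEM into CERT_DIR as <hash>.0, moving to .1, .2 ... only when a
# different certificate already occupies that name (as c_rehash does).
install_hashed() {
    pem="$1"; h=$(subject_hash "$pem"); i=0
    while [ -e "$CERT_DIR/$h.$i" ] && ! cmp -s "$pem" "$CERT_DIR/$h.$i"; do
        i=$((i + 1))
    done
    mkdir -p "$CERT_DIR"
    cp "$pem" "$CERT_DIR/$h.$i"
    echo "$CERT_DIR/$h.$i"
}
```

Run `fetch_ldaps_chain dc01.example.test ./dc-certs`, then `install_hashed` on each resulting file (or on the output of `cer_to_pem` for a Windows export), with `CERT_DIR` pointing at the directory the procedure names.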

Checklist for a system setup in Linux

To set up a live Digipass Authentication for Windows Logon system on Linux, convert the Active Directory SSL certificates to X.509 (.pem) format, rename them, and save them to the appropriate location. In addition, complete the tasks described in the checklist in Checklist - system setup with OneSpan Authentication Server.

Checklist - system setup with OneSpan Authentication Server
Task / Description
Import (more) Digipass records

Import all required Digipass records. See Import Digipass records for instructions to import the records.

Create Digipass user accounts

If required, create Digipass user accounts manually. Alternatively, enable Dynamic User Registration (DUR) in Digipass Authentication for Windows Logon. For more information about Dynamic User Registration, refer to the Digipass Authentication for Windows Logon Product Guide.

Assign Digipass records to a Digipass user account

Decide on the type of Digipass assignment to deploy, and begin the deployment process. For more information about Digipass deployment options, refer to the Digipass Authentication for Windows Logon Product Guide.

SSL server certificate

Acquire and install a commercial SSL certificate for each instance of OneSpan Authentication Server.

Register OneSpan Authentication Server with DNS server

If Digipass Authentication for Windows Logon will use server discovery, use the Administration Web Interface to register each instance of OneSpan Authentication Server with its local DNS server.

Configure Digipass Authentication for Windows Logon client records

Ensure that the Digipass Authentication for Windows Logon records use the correct settings for a live environment. In particular, ensure that the default client record links to the correct policy for your setup. See Create a client record for instructions.

Valid Digipass Authentication for Windows Logon license - client-side

A valid Digipass Authentication for Windows Logon client-side license is required for the product to work with OneSpan Authentication Server.

See Licensing requirements for more information.

Install Password Synchronization Manager (PSM)

Install Password Synchronization Manager on a domain controller. This will allow OneSpan Authentication Server to receive updates on any Windows static password changes for Digipass users.

Install and configure a Digipass Authentication for Windows Logon client

The Digipass Authentication for Windows Logon client should be installed on all machines which will be used for one-time password logons. The configuration should include:

  • Server discovery, if required.
  • Location of a specific instance of OneSpan Authentication Server, if server discovery is not enabled.