Setup with OneSpan Authentication Server on Linux
You can use Digipass Authentication for Windows Logon with OneSpan Authentication Server in a Linux environment.
Before you begin
You must have an Active Directory back end, and adjust the certificate settings for Active Directory.
To adjust the Active Directory certificate settings
- If Active Directory has been installed with SSL enabled, a CA certificate must be installed with Active Directory. Copy this certificate to %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\certs, via one of the following methods:
  - Go to the certificate store on Windows and export the certificate(s). The certificates will be exported as .cer files and must be converted to .pem files.
  -OR-
  - Type the following command:
    openssl s_client -connect name_of_domain_controller:636
    Then copy each returned certificate into its own file, and save each as a .pem file.
- Rename the .pem file. This step is mandatory regardless of whether the certificate is downloaded or exported from Windows.
  - Type the following command to acquire the hash:
    openssl x509 -noout -hash -in certname.pem
  - Record the hash that this command returns, and rename the .pem file to hashvalue.0.
    For example, if the hash result is 54321, the certname.pem file created previously will be renamed to 54321.0.
- Save the renamed file to:
  - Windows: %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\certs
  - Linux: Depending on the Linux distribution used, this could be e.g. /etc/ssl/ or /etc/pki/tls/certs/
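The split, hash, rename, and save steps above can be scripted. The following is an added example, not part of the OneSpan documentation or product; the function name install_ad_certs and its two arguments are assumptions. It goes beyond the single hashvalue.0 case by using .1, .2 and so on when a different certificate with the same hash is already present, and it prints each SHA-256 fingerprint so it can be compared with the certificate exported from the Windows certificate store.

```shell
#!/bin/sh
# Added example (not OneSpan tooling). install_ad_certs is a hypothetical helper:
#   $1 = file holding one or more PEM certificates, e.g. saved s_client output
#   $2 = certificate directory, e.g. /etc/ssl/ or /etc/pki/tls/certs/
install_ad_certs() (
    bundle=$1
    certdir=$2
    tmp=$(mktemp -d) || exit 1
    # Copy each BEGIN..END block into its own numbered file, dropping the
    # handshake text that s_client prints around the certificates.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", d, n); on = 1 }
        on                            { print > f }
        /-----END CERTIFICATE-----/   { on = 0; close(f) }
    ' "$bundle"
    count=0
    for pem in "$tmp"/cert*.pem; do
        [ -e "$pem" ] || break          # the bundle contained no certificate
        # Skip blocks that do not parse as X.509 (e.g. a truncated copy/paste).
        h=$(openssl x509 -noout -hash -in "$pem" 2>/dev/null) || continue
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$pem")
        # hashvalue.0 is the usual name. If that name is taken by a different
        # certificate with the same subject hash, move on to .1, .2, ...
        # If the same certificate is already installed, reuse its name.
        i=0
        while [ -e "$certdir/$h.$i" ]; do
            old=$(openssl x509 -noout -fingerprint -sha256 \
                  -in "$certdir/$h.$i" 2>/dev/null) || old=
            [ "$old" = "$fp" ] && break
            i=$((i + 1))
        done
        [ -e "$certdir/$h.$i" ] ||
            openssl x509 -in "$pem" -out "$certdir/$h.$i" || continue
        # Installed file name and fingerprint, for out-of-band comparison.
        echo "$h.$i $fp"
        count=$((count + 1))
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ]                  # non-zero status if nothing was installed
)
```

Run it as a user with write access to the certificate directory, for example `install_ad_certs s_client_output.txt /etc/pki/tls/certs/`, where s_client_output.txt is a placeholder for the saved command output.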
Checklist for a system setup in Linux
To set up a live Digipass Authentication for Windows Logon system on Linux, convert the Active Directory SSL certificates to X509 format, rename them, and save them to the appropriate location. In addition, complete the tasks described in the checklist in Checklist - system setup with OneSpan Authentication Server.
Task | Description |
---|---|
Import (more) Digipass records | Import all required Digipass records. See Import Digipass records for instructions to import the records. |
Create Digipass user accounts | If required, create Digipass user accounts manually. Alternatively, enable Dynamic User Registration (DUR) in Digipass Authentication for Windows Logon. For more information about Dynamic User Registration, refer to the Digipass Authentication for Windows Logon Product Guide. |
Assign Digipass records to a Digipass user account | Decide on the type of Digipass assignment to deploy, and begin the deployment process. For more information about Digipass deployment options, refer to the Digipass Authentication for Windows Logon Product Guide. |
SSL server certificate | Acquire and install a commercial SSL certificate for each instance of OneSpan Authentication Server. |
Register OneSpan Authentication Server with DNS server | If Digipass Authentication for Windows Logon will use server discovery, use the Administration Web Interface to register each instance of OneSpan Authentication Server with its local DNS server. |
Configure Digipass Authentication for Windows Logon client records | Ensure that the Digipass Authentication for Windows Logon records use the correct settings for a live environment. In particular, ensure that the default client record links to the correct policy for your setup. See Create a client record for instructions. |
Valid Digipass Authentication for Windows Logon license - client-side | A valid Digipass Authentication for Windows Logon client-side license is required for the product to work with OneSpan Authentication Server. See Licensing requirements for more information. |
Install Password Synchronization Manager (PSM) | Install Password Synchronization Manager on a domain controller. This will allow OneSpan Authentication Server to receive updates on any Windows static password changes for Digipass users. |
Install and configure a Digipass Authentication for Windows Logon client | The Digipass Authentication for Windows Logon client should be installed on all machines which will be used for one-time password logons. The configuration should include: |