Configuration of SSL/TLS

You can configure DIGIPASS Gateway to use encrypted communication, either during or after the initial setup.

There are two communication channels you must protect yourself; a third, between DIGIPASS Gateway and third-party notification services, is encrypted by default and is described at the end of this topic:

  • Between the DIGIPASS Gateway service and the mobile client applications.
  • Between the DIGIPASS Gateway service and OneSpan Authentication Server.

Securing communication between DIGIPASS Gateway and the mobile client application

If you use the DIGIPASS Gateway installation packages, an Apache Tomcat web server is automatically installed to deploy the DIGIPASS Gateway web service.

This embedded Apache Tomcat web server is automatically configured to secure connections to the DIGIPASS Gateway web service with TLS 1.2. The setup generates a TLS server certificate and a random password for that purpose.

If you manually deploy the DIGIPASS Gateway web application to an existing web or Java application server, the installation packages do not configure that server for you: you must configure it to use TLS yourself so that the communication with the mobile client applications is encrypted.
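The following is an added example, not OneSpan's own tooling or documentation, of what the manual Tomcat configuration looks like for the mobile-client channel on Tomcat 8.5/9: it bundles an existing PEM certificate and key into a PKCS12 keystore, writes an HTTPS connector that offers TLS 1.2 only (matching what the installer-provided Tomcat does), and probes the running connector to confirm older protocol versions are refused. The file names, the alias, the port and the cipher list are assumptions; adapt them to your deployment.

```shell
#!/bin/sh
# Added example (not OneSpan's code): TLS 1.2-only Tomcat connector for a
# manually deployed DIGIPASS Gateway. Paths, port and cipher list are assumed.
set -eu

# Bundle a PEM certificate chain and private key into a PKCS12 keystore that
# Tomcat can load. Inputs are checked before openssl is invoked. Needs openssl.
make_tomcat_keystore() {
  cert="$1"; key="$2"; out="$3"; pass="$4"
  [ -r "$cert" ] && [ -r "$key" ] || { echo "certificate or key not readable" >&2; return 2; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -name digipass-gateway \
      -out "$out" -passout "pass:$pass"
}

# Write the connector fragment to paste into conf/server.xml (Tomcat 8.5/9
# SSLHostConfig syntax). Only TLS 1.2 and AEAD ECDHE suites are offered.
write_tls_connector() {
  keystore="$1"; pass="$2"; out="$3"; port="${4:-8443}"
  cat > "$out" <<EOF
<Connector port="${port}" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true"
                 ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
    <Certificate certificateKeystoreFile="${keystore}"
                 certificateKeystorePassword="${pass}"
                 certificateKeystoreType="PKCS12" />
  </SSLHostConfig>
</Connector>
EOF
}

# Static check on a written fragment: TLS 1.2 is listed and no older version is.
connector_is_tls12_only() {
  grep -q 'protocols="TLSv1.2"' "$1" && ! grep -Eq 'TLSv1(\.0|\.1)?"' "$1"
}

# Live check after restarting Tomcat: TLS 1.1 must be refused, TLS 1.2 accepted.
# openssl s_client exits non-zero on a failed handshake (or if the build has
# TLS 1.1 disabled, which counts as refused too). Needs a running server.
probe_tls_versions() {
  host="$1"; port="$2"
  if openssl s_client -connect "$host:$port" -tls1_1 </dev/null >/dev/null 2>&1; then
    echo "TLS 1.1 accepted: connector is not restricted to TLS 1.2" >&2; return 1
  fi
  openssl s_client -connect "$host:$port" -tls1_2 </dev/null >/dev/null 2>&1
}
```

Typical use: `make_tomcat_keystore gateway.pem gateway.key conf/digipass-gateway.p12 "$PASS"`, then `write_tls_connector conf/digipass-gateway.p12 "$PASS" connector.xml` and paste the fragment into `conf/server.xml`, replacing (not keeping) the plain HTTP connector so the web service is not reachable without TLS. The keystore password ends up in clear text in `server.xml`, so restrict that file's permissions as described in the security best practices guide referenced below.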

Securing communication between DIGIPASS Gateway and OneSpan Authentication Server

If you use the DIGIPASS Gateway installation packages to install DIGIPASS Gateway on a machine where OneSpan Authentication Server is already installed, the DIGIPASS Gateway setup automatically configures the server connection settings, including the SSL certificate, to use the local OneSpan Authentication Server deployment.

If you manually deploy the DIGIPASS Gateway web application to an existing web or Java application server, you must configure the connection to the OneSpan Authentication Server instances to use TLS yourself. You do this with the OneSpan Web Configuration Tool.

The certificate of the certification authority (CA) that issued the certificate of the OneSpan Authentication Server instance must be added to the DIGIPASS Gateway trust store. Without it, DIGIPASS Gateway cannot validate the server certificate and the TLS connection fails.
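As an added example (not OneSpan's own tooling), the trust-store step for a manually deployed Gateway, done with the JDK's keytool: the CA certificate is imported into a PKCS12 trust store, its presence is confirmed, and the chain the Authentication Server presents is verified against that CA alone, which is the check the Gateway will effectively perform. The store path, password, alias, host and port are assumptions.

```shell
#!/bin/sh
# Added example (not OneSpan's code): import the issuing CA of the OneSpan
# Authentication Server certificate into the Gateway trust store and verify.
# Store path, password, alias, host and port are assumed values.
set -eu

# Import a PEM CA certificate into a PKCS12 trust store, creating the store if
# it does not exist. Inputs are validated before keytool runs. Needs keytool
# from the same JDK that runs the application server.
add_ca_to_truststore() {
  ca="$1"; store="$2"; pass="$3"; alias="${4:-onespan-auth-ca}"
  [ -r "$ca" ] || { echo "CA certificate not readable: $ca" >&2; return 2; }
  grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "not a PEM certificate: $ca" >&2; return 3; }
  keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$ca" \
      -keystore "$store" -storetype PKCS12 -storepass "$pass"
}

# Confirm the alias is present (keytool -list exits non-zero for a missing alias).
truststore_has_alias() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" -alias "$3" \
      >/dev/null 2>&1
}

# Verify the certificate chain an Authentication Server instance presents using
# only this CA, not the system bundle; -verify_return_error makes a failed
# verification a failed handshake. Needs a reachable server.
check_server_chain() {
  host="$1"; port="$2"; ca="$3"
  openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$ca" \
      -verify_return_error </dev/null >/dev/null 2>&1
}
```

Typical use: `add_ca_to_truststore onespan-ca.pem conf/gateway-truststore.p12 "$PASS"`, then point the Gateway at that store with the Web Configuration Tool and run `check_server_chain auth.example.internal 8888 onespan-ca.pem` (host and port assumed) before restarting the service. Import only the CA certificate, not the server's leaf certificate, so a routine certificate renewal does not break the connection.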

For more information about protecting SSL certificates and private keys, refer to the IDENTIKEY Authentication Server Security Best Practices Guide.

Securing communication between DIGIPASS Gateway and third-party notification services

By default, communication between OneSpan Notification Gateway or DIGIPASS Gateway and the third-party notification services is encrypted. In addition, the content of each push notification message is encapsulated in a Secure Channel message, so the notification service only relays protected content. Both happen automatically; no special configuration is needed.

For more information about the connection security implemented by Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM), see https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1 and https://firebase.google.com/docs/cloud-messaging/server#choose, respectively.