DIGIPASS Gateway 5.9 (August 2024)
New features and enhancements
Notification priority can now be set
You can now set a notification priority when sending a notification. High priority notifications can be received without delay and wake up the screen, even if the target device is in Do Not Disturb or a sleep mode.
The sendNotification [v2] service now accepts an optional isHighPriority parameter to set the notification priority. If omitted, isHighPriority is set to true by default.
Upgrade path
DIGIPASS Gateway supports direct upgrades from version 5.7 or 5.8 to version 5.9 on the supported operating systems.
Supported platforms, data management systems, and other third-party products
Software libraries
The software library lists are not exhaustive, but include the most notable and critical updates only. For a complete overview, refer to the third-party dependency files included with the installed product.
DIGIPASS Gateway now includes the following (updated) third-party libraries:
- Apache Commons Lang 3.14
- Apache Commons Text 1.11
- Spring Security Web 5.8.12
  This version of Spring Security Web fixes a critical security vulnerability (CVE-2023-34034).
Web servers
DIGIPASS Gateway can now be run on these web application servers (based on the respective JRE):
- Apache Tomcat 9.0–9.0.90 (included)
  This version of Apache Tomcat fixes a couple of critical security vulnerabilities, including CVE-2024-34750.
- Oracle Server Java Runtime Environment 11
- Azul Zulu 11 (included)
Deprecated components and features, architectural changes
GCM/FCM server key string authorization (Deprecated)
Sending push notifications via Google Cloud Messaging (GCM) or legacy Firebase Cloud Messaging (FCM) APIs was deprecated by Google on June 20, 2023, and will be removed from the Google services in June 2024!
Do not use DIGIPASS Gateway with server key string authorization to Google messaging services for new deployments and migrate to use the current Firebase service account key file authorization at your earliest convenience! For more information, refer to the DIGIPASS Gateway Getting Started Guide, Section "Configure push notification web services".
The possibility to configure DIGIPASS Gateway to use a server key string to authorize to GCM/FCM (via the admintool push-notification android-legacy command) will be completely removed in a future release of DIGIPASS Gateway.
PDF documentation (Deprecated)
You can view the user documentation of most OneSpan products online already at https://community.onespan.com/documentation, and we plan to shift exclusively to online documentation.
This means that PDF documentation will be completely removed in future major releases of DIGIPASS Gateway (currently planned for 5.10).
Known issues
Issue OAS-7063 (Support case CS0049841): FQDN cannot start with number
Description: DIGIPASS Gateway cannot be installed if the fully qualified domain name (FQDN) of the server starts with a number, e.g. 001234-MYHOST. In that case, the setup will issue an error when it attempts to generate a self-signed certificate for the Apache Tomcat web server.
Status: No fix available. To circumvent this issue, ensure that the FQDN meets the naming requirements before you install DIGIPASS Gateway.
Issue OAS-4908 (Support case CS0024103): Certificate must contain IP address when using FQDN
Description: If you use the FQDN to connect to the OneSpan Authentication Server instance, the respective server certificate for SOAP connections must specify the IP address of the OneSpan Authentication Server instance either as common name (CN) or the subject alternative name (SAN).
Otherwise, this can cause a "No subject alternative name matching IP address" error message during the setup, indicating that DIGIPASS Gateway verifies the SAN in the OneSpan Authentication Server certificate but does not find any matching IP address.
Status: No fix available. The OneSpan Authentication Server IP address must be set either as common name (CN) or the subject alternative name (SAN) in the certificate.
For more information, see KB0014260.
SSL certificate selection from network repository
Description: With the current version of the DIGIPASS Gateway installer, it is not possible to select the OneSpan Authentication Server SOAP certificate if it is located on a network drive.
Status: No fix available. To circumvent this issue, the certificate must first be copied locally before being selected when installing DIGIPASS Gateway.
DIGIPASS Gateway 5.8 (January 2024)
New features and enhancements
Upgrade path
DIGIPASS Gateway supports direct upgrades from version 5.1 or 5.7 to version 5.8 on the supported operating systems.
Supported platforms, data management systems, and other third-party products
Software libraries
DIGIPASS Gateway now includes the following (updated) third-party libraries:
- FasterXML/jackson-databind 2.15.2
  This version of FasterXML/jackson-databind fixes a couple of security vulnerabilities, including CVE-2023-35116 and CVE-2021-46877.
Web servers
DIGIPASS Gateway can now be run on these web application servers (based on the respective JRE):
- Apache Tomcat 9.0–9.0.82 (included)
  The included version of Apache Tomcat was updated to fix a critical security vulnerability (CVE-2023-28709).
- Oracle Server Java Runtime Environment 11
- Azul Zulu 11 (included)
DIGIPASS Gateway 5.7 (July 2023)
New features and enhancements
Upgrade path
DIGIPASS Gateway supports direct upgrades from version 5.1 or 5.6 to version 5.7 on the supported operating systems.
Supported platforms, data management systems, and other third-party products
Web servers
- Apache Tomcat 9.0.73 (included)
- Azul Zulu 11 (included)
Fixes and other updates
Issue OAS-14148 (Support case CS0095435): Correlation ID not included in trace messages
Description: Beginning with version 3.21, OneSpan Authentication Server forwards the correlation ID to the Message Delivery Component (MDC) service when a push notification is requested. MDC forwards the correlation ID to the OneSpan Notification Gateway.
In an on-prem-only deployment, where MDC forwards the request to the on-premises DIGIPASS Gateway instance, the correlation ID is received by DIGIPASS Gateway, but not processed or included in the trace file. This makes it difficult to troubleshoot issues in the push notification workflow.
Affects: DIGIPASS Gateway 5.4–5.6
Status: This issue has been fixed. DIGIPASS Gateway now provides a servlet filter (LogCorrelationIdFilter) to retrieve the correlation ID from a request and write it to the trace log file. By default, the filter is disabled and must be enabled via the deployment descriptor file (web.xml).
Issue OAS-9592 (Support case CS0067508): Sensitive data in the property file is stored in plain text
Description: DIGIPASS Gateway uses a Java property file to store configuration settings, including sensitive data, such as passwords to access proxy servers and API keys used for HTTP authentication. The values in the property file are stored in plain text.
Furthermore, the password and user name for proxy servers are incorrectly stored using the inverted property names, i.e. the user name is stored in the password property and vice versa.
Affects: DIGIPASS Gateway 5.0–5.6
Status: This issue has been fixed. The values of sensitive properties are now encrypted using a static software-level key by default. The property names are now used correctly. The OneSpan Web Configuration Tool that is used to maintain these property files only indicates whether those properties are set without displaying the actual values.
Since the default value encryption provides only basic protection, we recommend that you additionally restrict file access to the property file.
Deprecated components and features, architectural changes
Supported platforms and other third-party products
DIGIPASS Gateway no longer supports the following products:
Web servers
- IBM WebSphere 9.0
- IBM WebSphere 8.5.5
DIGIPASS Gateway 5.6 (July 2022)
New features and enhancements
Upgrade path
DIGIPASS Gateway supports direct upgrades from version 5.1 or 5.5 to version 5.7 on the supported operating systems.
Supported platforms, data management systems, and other third-party products
DIGIPASS Gateway now supports the following products:
Operating systems
- Red Hat Enterprise Linux (RHEL) 8, 64-bit
- Ubuntu Server 20.04 LTS, 64-bit
Software libraries
DIGIPASS Gateway now includes the following (updated) third-party libraries:
- Apache Log4j Core 2.17.1
  This version of Apache Log4j fixes a couple of security vulnerabilities that were recently discovered (see Issues OAS‑12169, OAS‑11872: Vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, and CVE-2021-44228 in Apache Log4j2).
Fixes and other updates
Issues OAS‑12169, OAS‑11872: Vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, and CVE-2021-44228 in Apache Log4j2
Description: Recently, the Apache foundation announced a number of security vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the Log4j2 library for Java applications, affecting all versions from 2.0-beta-9 to 2.16.0. These vulnerabilities allow attackers who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The fix provided in 2.17.0 includes another security vulnerability (CVE-2021-44832) that allows remote code execution (RCE) attacks where attackers can construct malicious configurations with a JDBC Appender. This vulnerability is difficult to exploit and considered non-critical for DIGIPASS Gateway.
For more information, refer to:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- https://nvd.nist.gov/vuln/detail/CVE-2021-44832
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Affects: DIGIPASS Gateway 5.0–5.5
Status: These issues have been fixed. The affected library files have been upgraded to Log4j Core library version 2.17.1. This version of the library mitigates the remote code execution and denial-of-service attacks that could result from the vulnerabilities.
A hotfix (including Apache Log4j 2.17.0) for the affected versions of DIGIPASS Gateway to fix the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 vulnerabilities was released on December 21, 2021. For more information, refer to https://www.onespan.com/remote-code-execution-vulnerability-in-log4j2-cve-2021-44228.
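To confirm which Log4j Core level an installation actually carries, the following added example (not part of the OneSpan release notes or product) scans a directory tree for log4j-core JARs, including JARs packed inside .war archives, and labels them against the version boundaries stated in this issue. The function names and status labels are this example's own, and matching is by file name only.

```python
import re
import zipfile
from pathlib import Path

# Version boundaries as stated in the release note above.
FIXED = (2, 17, 1)        # Log4j Core level shipped with DIGIPASS Gateway 5.6
HOTFIX = (2, 17, 0)       # hotfix level, still affected by CVE-2021-44832
FIRST_AFFECTED_BETA = 9   # stated range starts at 2.0-beta-9

JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?\.jar$")


def classify(jar_name):
    """Map a log4j-core JAR file name to a status label (None if no match)."""
    m = JAR_RE.search(jar_name)
    if m is None:
        return None
    version = (int(m[1]), int(m[2]), int(m[3] or 0))
    if version >= FIXED:
        return "fixed"
    if version == HOTFIX:
        return "hotfix-level"
    early = m[4] == "alpha" or (m[4] == "beta" and int(m[5]) < FIRST_AFFECTED_BETA)
    if version[0] != 2 or (version == (2, 0, 0) and early):
        return "outside-stated-range"
    return "affected"


def scan(root):
    """Return {location: status} for log4j-core JARs under root, including
    JARs inside .war archives. File names only; renamed JARs are missed."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix == ".war" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as war:
                for entry in war.namelist():
                    if classify(entry):
                        findings[f"{path.name}!/{entry}"] = classify(entry)
        elif classify(path.name):
            rel = path.relative_to(root).as_posix()
            findings[rel] = classify(path.name)
    return findings
```

Call scan() with the web application server's installation directory; any entry not labelled "fixed" warrants a look at the installed DIGIPASS Gateway version.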
Issue OAS‑11847 (Support case CS0082448): Insufficient failover behavior
Description: If DIGIPASS Gateway cannot connect to the primary OneSpan Authentication Server instance, it uses the backup server if configured. However, when DIGIPASS Gateway establishes another connection, it again attempts to connect to the primary server first. The connection attempt uses a default timeout of 50 seconds. If the primary server is offline for some time, requests to DIGIPASS Gateway are permanently delayed.
Affects: DIGIPASS Gateway 5.0–5.5
Status: This issue has been fixed. The failover behavior has been improved. If no connection to the primary server can be established and a backup server instance is configured, DIGIPASS Gateway uses the backup server, and vice versa. If DIGIPASS Gateway falls back to the backup server, DIGIPASS Gateway keeps using the backup server until it becomes unreachable.
You can configure the connection timeout for each server with the OneSpan Web Configuration Tool.
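The difference between the two failover behaviors described in this issue can be seen in a small model. This is an added example, not DIGIPASS Gateway code: the function names and the request timeline are constructed, a successful connection is assumed to cost no delay, and both servers are assumed to use the 50-second default timeout.

```python
TIMEOUT_S = 50  # default connection timeout from the issue description


def legacy_policy(timeline):
    """Pre-fix behavior: every new connection tries the primary first."""
    results = []
    for up in timeline:
        if "primary" in up:
            results.append(("primary", 0))
        elif "backup" in up:
            results.append(("backup", TIMEOUT_S))   # waited out the primary
        else:
            results.append((None, 2 * TIMEOUT_S))   # both attempts timed out
    return results


def sticky_policy(timeline):
    """Post-fix behavior: stay on the server in use until it is unreachable."""
    current, results = "primary", []
    for up in timeline:
        other = "backup" if current == "primary" else "primary"
        if current in up:
            results.append((current, 0))
        elif other in up:
            current = other                          # fail over and stick
            results.append((current, TIMEOUT_S))
        else:
            results.append((None, 2 * TIMEOUT_S))
    return results


def total_delay(results):
    """Sum of the connection delays (seconds) over all requests."""
    return sum(delay for _, delay in results)


# Constructed timeline: the set of reachable servers at each request.
TIMELINE = (
    [{"primary", "backup"}]          # normal operation
    + [{"backup"}] * 4               # primary offline for four requests
    + [{"primary", "backup"}] * 2    # primary back; sticky policy stays on backup
    + [{"primary"}]                  # backup down; sticky policy returns to primary
)
```

With this timeline, the legacy policy pays the timeout on every request during the outage, while the sticky policy pays it once per switch.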
Deprecated components and features, architectural changes
Supported platforms and other third-party products
DIGIPASS Gateway no longer supports the following products:
Operating systems
- Ubuntu Server 16.04 LTS, 64-bit
DIGIPASS Gateway 5.5 (October 2021)
New features and enhancements
Embedded JRE changed to OpenJDK
The embedded Java Runtime Environment (JRE) deployed by the DIGIPASS Gateway setup packages has been replaced. Instead of Oracle Java, DIGIPASS Gateway now uses Azul Zulu (OpenJDK).
Upgrade path
DIGIPASS Gateway supports direct upgrades from version 5.1, 5.2, 5.3, or 5.4 to version 5.5 on the supported operating systems.
Supported platforms, data management systems, and other third-party products
DIGIPASS Gateway now supports the following products:
Web servers
- Apache Tomcat 9.0–9.0.48 (included)
Fixes and other updates
Issue OAS‑6446 (Support case CS0046669): Unclear information regarding OneSpan Mobile Authenticator setup (Documentation)
Description: The DIGIPASS Gateway Getting Started Guide contains unclear information about the steps which are required to set up deployments that target the OneSpan Mobile Authenticator app. This also includes misleading information about the DIGIPASS Gateway API keys, how to configure source IP address ranges, and which OneSpan Authentication Server policies to use.
Status: The documentation has been updated.
Deprecated components and features, architectural changes
Supported platforms, data management systems, and other third-party products
DIGIPASS Gateway no longer supports the following products:
Web servers
- Apache Tomcat 8.x
DIGIPASS Gateway 5.4.1 (April 2021)
New features and enhancements
Support for HTTP/2-based APNs provider API
DIGIPASS Gateway now fully supports and uses the current HTTP/2-based Apple Push Notification service (APNs) provider API to send messages and notifications to iOS devices. The legacy binary protocol is no longer used.
APNs will no longer support the legacy binary protocol as of March 31, 2021!
For more information, refer to https://developer.apple.com/news/?id=c88acm2b.
Upgrade path
DIGIPASS Gateway supports direct upgrades from version 5.1, 5.2, 5.3, or 5.4 to version 5.4.1 on the supported operating systems.
DIGIPASS Gateway 5.4 (January 2021)
New features and enhancements
Upgrade path
DIGIPASS Gateway supports direct upgrades from version 5.1, 5.2, or 5.3 to version 5.4 on the supported operating systems.
Supported platforms, data management systems, and other third-party products
DIGIPASS Gateway now supports the following products:
Software libraries
DIGIPASS Gateway now includes the following updated software libraries:
- Jackson Databind 2.11.2
- Jackson Core 2.11.2
- Jackson Annotations 2.11.2
- Jackson JAXRS Base 2.11.2
- Jackson JAXRS JSON 2.11.2
- Jackson Module: JAXB Annotations 2.11.2
- Apache Log4j Core 2.13.3
- Apache Log4j API 2.13.3
Web servers
- Apache Tomcat 8.5.60 (included)
Fixes and other updates
Issue OAS-6236 (Support Case CS0044622): Reference to unsupported mask for Mobile Authenticator Studio customization (Documentation)
Description: The DIGIPASS Gateway Getting Started Guide, Section "Configure Mobile Authenticator Studio Classic or Premium Edition", includes an example XML customization snippet for push notification workflows. This snippet contains a reference to a %_ServiceName_% mask, which is actually not supported.
Status: The documentation has been updated. The reference to %_ServiceName_% has been removed.
Issue OAS-349 (Support Case CS0002614): Missing information about used network protocol (Documentation)
Description: The DIGIPASS Gateway Getting Started Guide states that DIGIPASS Gateway requires an open network port for incoming requests, by default 11080. However, the documentation does not specify which network protocol is required (that is, TCP).
Status: The documentation has been updated.