Version 3.24 (July 2023)
New features and enhancements
Grace period ends with MDL activation
In previous versions, the grace period of an authenticator instance ended automatically only if a successful OTP authentication happened.
Beginning with 3.24, the grace period also expires automatically after a successful multi-device licensing (MDL) activation, either using an OTP or a signature validation, since this indicates a properly working and activated authenticator as well.
Score-based responses with warnings are now rejected
In previous versions, OneSpan Authentication Server ignored scoring information in authenticator responses. That means that OTP values with a score warning were accepted.
Beginning with 3.24, OneSpan Authentication Server evaluates scoring information in authenticator responses. If OneSpan Authentication Server detects a score warning, it will reject the OTP (even an otherwise valid one). You can detect such cases in the error stack information included in the respective audit message, e.g. "{Error Code: '(-140)' ; Error Message: 'Serial VDS1010000-1 Application APP 1 RO OTP Incorrect - Operation Successful with Platform & User Warning'}".
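The audit message quoted above is the only way to tell a score-warning rejection from an ordinary incorrect OTP, so an operator reviewing audit data needs to parse the error stack. The following is an added example (not OneSpan's code) of doing that: it extracts every "{Error Code: '(n)' ; Error Message: '...'}" entry from an error-stack string and labels the record. The "Operation Successful with ... Warning" marker is an assumption derived from the one example string the release note gives; the second and third sample strings are constructed variants for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample error-stack strings as they appear in the audit message.
# The first follows the shape quoted in the release note (score warning);
# the other two are assumed variants for contrast.
SAMPLE_ERROR_STACKS = [
    "{Error Code: '(-140)' ; Error Message: 'Serial VDS1010000-1 Application "
    "APP 1 RO OTP Incorrect - Operation Successful with Platform & User Warning'}",
    "{Error Code: '(-140)' ; Error Message: 'Serial VDS1010000-1 Application "
    "APP 1 RO OTP Incorrect'}",
    "{Error Code: '(0)' ; Error Message: 'Operation Successful'}",
]

# One match per "{Error Code: '(n)' ; Error Message: '...'}" group; an error
# stack may concatenate several such entries, so finditer() is used below.
ENTRY_RE = re.compile(
    r"\{Error Code: '\((?P<code>-?\d+)\)' ; Error Message: '(?P<message>[^']*)'\}"
)

# Assumed marker (taken from the release note example): the framework validated
# the OTP, but the response carried a score warning, which 3.24 now rejects.
SCORE_WARNING_MARKER = re.compile(r"Operation Successful with .*Warning")


@dataclass(frozen=True)
class ErrorStackEntry:
    code: int
    message: str

    @property
    def is_score_warning_rejection(self) -> bool:
        return self.code != 0 and bool(SCORE_WARNING_MARKER.search(self.message))


def parse_error_stack(text: str) -> list[ErrorStackEntry]:
    """Extract every (code, message) pair from an audit error-stack string."""
    return [
        ErrorStackEntry(int(m.group("code")), m.group("message"))
        for m in ENTRY_RE.finditer(text)
    ]


def classify(text: str) -> str:
    """Triage label for one audit record, based solely on its error stack.

    'score_warning' - OTP otherwise valid but rejected because of a score warning
    'rejected'      - any other non-zero error code
    'success'       - only zero error codes present
    'unparsed'      - the error stack did not match the expected format
    """
    entries = parse_error_stack(text)
    if not entries:
        return "unparsed"
    if any(e.is_score_warning_rejection for e in entries):
        return "score_warning"
    if any(e.code != 0 for e in entries):
        return "rejected"
    return "success"


def summarize(stacks: list[str]) -> dict[str, int]:
    """Count records per label, e.g. to spot a burst of score warnings after an upgrade."""
    counts: dict[str, int] = {}
    for s in stacks:
        label = classify(s)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for s in SAMPLE_ERROR_STACKS:
        print(classify(s), "<-", s)
    print(summarize(SAMPLE_ERROR_STACKS))
```

A spike in the score_warning bucket right after upgrading to 3.24 points at authenticators that previously passed with warnings and are now rejected, which is the population to investigate rather than individual failed logins.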
Multiple connections between OneSpan Authentication Server and MDC
In previous versions, OneSpan Authentication Server used only one connection to the Message Delivery Component (MDC) service to submit message delivery requests. Each request was queued and processed one after another. This means that later requests could take a long time to be processed if the single connection was blocked by a previous request.
OneSpan Authentication Server now uses a connection pool, i.e. a number of concurrent connections to the Message Delivery Component (MDC) server. Each connection is used to handle one message delivery and will be closed when completed. If a message is taking longer to deliver, e.g. because the respective gateway is unresponsive, another connection is opened to process the next message, until all connections are in use.
You can configure the size of the connection pool in the general settings of the authentication scenario, either via the OneSpan Authentication Server Configuration Utility or the Administration Web Interface. The default value is 10 connections.
Elapsed time information in audit messages
To make performance investigations easier and to help tracking issues, OneSpan Authentication Server captures the elapsed time of specific (SOAP) operations. The elapsed time is added to the audit message record of the respective operation. The Elapsed time audit message field is only visible in the Audit Viewer application.
Note that you do not need to enable performance monitoring to capture the elapsed time, but only the following audit messages will include it:
Fixes and other updates
Issue OAS-18325: Incorrect operating system version logged (Tracing)
Description: When you enable full tracing on servers that run a Windows Server version later than 2016, the trace file incorrectly indicates Windows Server 2016 as the operating system.
Affects: OneSpan Authentication Server Appliance on Windows
Status: This issue has been fixed. OneSpan Authentication Server now correctly detects and writes the operating system information to the trace file.
Issues OAS-17565, OAS-350 (Support cases CS0105478, CS0009172, CS0002902): Outdated DNS/IP addresses used for SMS and push delivery
Description: The Message Delivery Component (MDC) default settings for the OneSpan gateways to relay SMS and push notifications are outdated. The respective DNS names will become unavailable in the future. Moreover, the documentation lists outdated or incorrect values in different sections.
Affects: OneSpan Authentication Server Appliance 3.17–3.23
Status: This issue has been fixed. The default values are now set correctly during initial setup and, where required, corrected during upgrades. The occurrences in the documentation have been updated.
Issue OAS-16908: SMTP line ending rules violated (Message Delivery Component)
Description: In some cases, the Message Delivery Component (MDC) attempts to send emails that violate SMTP line ending rules by using a bare line feed (LF). This behavior can cause SMTP gateways to reject such messages.
Status: This issue has been fixed. MDC now always uses CR/LF line ending for SMTP messages.
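As an added illustration of the defect described in this issue (example code, not MDC's own implementation): RFC 5321 allows only CRLF as the line terminator in the SMTP data stream, so a bare LF or bare CR is what some gateways reject. The functions below locate bare line endings in a message and normalize every line ending to CRLF in a way that is idempotent. The sample message is constructed.

```python
import re

# Constructed sample message: a bare LF after the Subject header and after
# "line one", with compliant CRLF line endings elsewhere.
SAMPLE_MESSAGE = (
    b"Subject: test\n"
    b"From: a@example.com\r\n"
    b"\r\n"
    b"line one\n"
    b"line two\r\n"
)

# A LF not preceded by CR, or a CR not followed by LF; RFC 5321 requires CRLF
# as the only line terminator on the wire.
BARE_LF_RE = re.compile(rb"(?<!\r)\n")
BARE_CR_RE = re.compile(rb"\r(?!\n)")


def find_bare_line_endings(data: bytes) -> list[int]:
    """Return sorted byte offsets of every bare LF or bare CR in the message."""
    offsets = [m.start() for m in BARE_LF_RE.finditer(data)]
    offsets += [m.start() for m in BARE_CR_RE.finditer(data)]
    return sorted(offsets)


def is_smtp_line_ending_compliant(data: bytes) -> bool:
    """True when every line ending in the message is CRLF."""
    return not find_bare_line_endings(data)


def normalize_crlf(data: bytes) -> bytes:
    """Rewrite every line ending (CRLF, bare LF, bare CR) as CRLF.

    Collapsing all variants to LF first and then expanding to CRLF makes the
    function idempotent: an already compliant message is left unchanged, and
    no existing CRLF is turned into CR CR LF.
    """
    unified = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return unified.replace(b"\n", b"\r\n")


if __name__ == "__main__":
    print("bare line endings at offsets:", find_bare_line_endings(SAMPLE_MESSAGE))
    print(normalize_crlf(SAMPLE_MESSAGE))
```

Running the compliance check on outgoing mail before handing it to a gateway, rather than after a rejection, is the cheaper place to catch this class of defect.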
Issues OAS-16389, OAS-282 (Support cases CS0116388, 182290, 179691): SSL required for Active Directory connections (Documentation)
Description: The documentation contains a warning note, which recommends that you set up SSL for connections between OneSpan Authentication Server Appliance and Active Directory back-end servers.
This recommendation is obsolete, since SSL is in fact required for connections between OneSpan Authentication Server Appliance and the Active Directory back-end server. Unencrypted connections to an Active Directory back-end server do not work reliably (if at all), unless you have a very old and specially configured version of Windows Server.
OneSpan Authentication Server Appliance does not officially support unencrypted connections to Active Directory via LDAP!
Status: The documentation has been updated. The note text has been rephrased to explicitly require SSL for Active Directory connections. The option to disable SSL for Active Directory back-end connections is deprecated and will be removed in a future version of OneSpan Authentication Server Appliance.
Issue OAS-16342 (Support case CS0115832): High processor load with enabled replication
Description: In environments where offline authentications are handled and OneSpan Authentication Server Appliance replication is enabled, the memory and CPU load can increase tremendously under certain circumstances. Authentication requests are properly processed and the replication connections remain active, but replication is not processed fast enough and the replication queue keeps increasing.
Status: This issue has been fixed.
Issue OAS-15457 (Support case CS0107435): Provisioning fails with correct password and OTP
Description: In environments where Stored Password Proxy is set to No and Back-End Authentication is set to Always in the effective policy, provisioning fails even with correct credentials. In such scenarios, the static password and a valid one-time password (OTP) are required as a combined input for the password field. Although the OTP is verified successfully, the static password is not correctly extracted from the combined input. The subsequent back-end authentication fails.
Affects: OneSpan Authentication Server Appliance 3.23
Status: This issue has been fixed.
Issue OAS-15824 (Support case CS0110765): Database connection issue when sending push notifications
Description: Sometimes, when the Message Delivery Component (MDC) service attempts to send a message via a push notification gateway, that external gateway can take a long time to respond (up to several minutes). During this period, OneSpan Authentication Server keeps the related connection to the database alive, thus blocking valuable resources. Under some circumstances, this behavior can cause issues when the database connections are released later.
Affects: OneSpan Authentication Server Appliance 3.18–3.23
Status: This issue has been fixed. The storage subsystem handling has been improved to allow more efficient resource usage. The request-related database connections are released and become available for other threads, while push notifications are being sent.
Issue OAS-13240 (Support case CS0089370): Performance loss due to LDAP connection issue
Description: In some circumstances, the performance can decrease drastically when OneSpan Authentication Server has connection issues with a slow LDAP back-end server and the number of transactions is still increasing. Because resource sharing between threads is handled incorrectly in this case, all threads used for LDAP back-end communication get blocked. In the worst case, this can lead to authentication failures.
Affects: OneSpan Authentication Server Appliance 3.18–3.23
Status: This issue has been fixed.
Deprecated components and features
Active Directory data stores (Deprecated)
Using Active Directory as the data store is deprecated. Beginning with version 3.24, you can only upgrade existing deployments with Active Directory as data store, but you can no longer select this option for new installations.
There are no plans to further enhance this feature or fix any related issues. The possibility to use AD as data store will be completely removed in a future release of OneSpan Authentication Server (currently planned for 3.25).
You will still be able to use Active Directory for other supported purposes, such as back-end authentication or password and data synchronization.
If you are using AD as data store, we strongly recommend migrating to an ODBC-based data store to allow future upgrades. For more information, refer to the OneSpan Authentication Server Data Migration Guide.
Supported platforms, data management systems, and other third-party products
OneSpan Authentication Server Appliance no longer supports the following products:
Web servers (Web Administration Service)
- IBM WebSphere 8.5.5
Known issues
Issue OAS-9159 (Support case CS0057804): Usability issues when two reports are started at the same time (Reporting)
Description: When two reports are started at the same time, e.g. with two different browsers, a (nonfunctional) download link for the second report will be available before the report task has even started. The corresponding report results cannot be accessed.
Affects: OneSpan Authentication Server Appliance 3.19 and later
Status: No fix available. To avoid this issue, do not run multiple reports at the same time.
Issue OAS-5605 (Support cases CS0039109, CS0046614): Issues with Chinese characters in XML and PDF reports (Web Administration Service)
Description: Chinese characters are not correctly displayed in XML and PDF reports.
Affects: OneSpan Authentication Server Appliance 3.12 and later
Status: This issue has been fixed for XML reports in OneSpan Authentication Server Appliance 3.21. The issue can still occur in PDF reports if they contain characters that are not defined in the PDF font used. Workaround for PDF reports: Generate an HTML report and print it to PDF.
Issue 58722: Mobile Authenticator Studio timeshift no longer supported
Description: When the Timeshift feature of Mobile Authenticator Studio is used, it causes the offline data to become invalid. The option to set a timeshift for Mobile Authenticator Studio authenticators is no longer supported. This feature is outdated and has become obsolete because mobile devices are now correctly synchronized with OneSpan Authentication Server Appliance at shorter intervals.
Affects: OneSpan Authentication Server Appliance 3.6 and later
Status: Do not use the Mobile Authenticator Studio Timeshift feature, to prevent the offline data from becoming invalid.
Issue 46294 (Support case PS-141029): SafeNet HSM mode setup causes installation failure (OneSpan Authentication Server Setup)
Description: Deployments of OneSpan Authentication Server Appliance with SafeNet ProtectServer HSM only support HSMs that run in Normal mode. If the HSM is run in High Availability or Workload Distribution mode, the installation of OneSpan Authentication Server Appliance fails.
Affects: OneSpan Authentication Server Appliance 3.6 and later
Status: The SafeNet ProtectServer HSM must be run in Normal mode, i.e. ET_PTKC_GENERAL_LIBRARY_MODE must be set to NORMAL.
Issue 41616: Self-signed certificates created by Microsoft Internet Information Services (IIS) cannot be used (Message Delivery Component (MDC))
Description: When trying to configure email delivery with SSL/TLS using a self-signed certificate that was created with Microsoft Internet Information Services (IIS) and converted to PEM format with OpenSSL, MDC cannot recognize the certificate as a valid self-signed certificate and displays an error message. This is caused by the OpenSSL library. In some circumstances, the OpenSSL application itself may display an "Unable to get local issuer certificate (20)" error message.
Affects: All platforms.
Status: No fix available. This is a compatibility issue between OpenSSL and Microsoft IIS. Do not use self-signed certificates generated using Microsoft IIS.
Version 3.23 (July 2022)
Release information
Software versions
This release includes:
- OneSpan Authentication Server 3.23.1 with OneSpan Authentication Server Framework 3.18
- OneSpan Authentication Server Administration Web Interface 3.23.1
Upgrade path
When upgrading to this version, replication between OneSpan Authentication Server Appliance instances will be disabled to avoid compatibility issues that may result from different product versions. You can enable replication after all OneSpan Authentication Server Appliance instances have been upgraded.
You can upgrade to OneSpan Authentication Server Appliance 3.23 from the following product versions:
- OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance 3.22.2
- OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance 3.22.1
- OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance 3.22.0
New features and enhancements
Improved deletion of users with assigned items
In previous versions, when you attempted to delete a user account, the operation failed if the target user account had items assigned that cannot be deleted, e.g. reports, recurring tasks, or pending operations (maker or checker role); such items prevented the deletion.
To delete such user accounts anyway, you can now specify a successor user that will take ownership of those items. The successor must be an administrative user account in the same domain as the user to be deleted.
Automatic execution option for pending operations
As maker administrator, you can now specify an auto-execute option when scheduling a pending operation that requires maker–checker authorization. The pending operation is automatically executed on your behalf upon approval by the checker administrator. In that case, you do not need to execute it explicitly.
Improved verification before deleting authenticators with maker–checker authorization enabled
If maker–checker authorization is enabled when you attempt to delete an authenticator, the Administration Web Interface now verifies whether the authenticator is referenced in a pending operation:
- If it is explicitly referenced as the only target authenticator in a pending operation, you cannot delete it and will receive a respective error message.
- If the authenticator is referenced in a pending operation, either explicitly as part of an authenticator list or as a range parameter, or implicitly within a range, you will receive a warning message and need to confirm the deletion of the authenticator.
Improved server data migration
The server data migration process has been enhanced and optimized to improve the workflow and overall performance:
- Table-based data schema version. Unlike in previous versions, where the data schema version applied to the whole database, OneSpan Authentication Server Appliance now tracks the data schema version for each database table individually. This means that the data schema version of a particular table is not changed unless there are effective changes in the table data schema. If the table data schema has not changed, the table is skipped during server data migration. This reduces the amount of processed data and speeds up the server data migration process.
- Optimized migration sequence. The order of the tables processed by the data migration task has been optimized. Admin-related tables are migrated first to minimize overhead on administrative commands while server data migration is still in progress. On the other hand, tables that usually contain large amounts of data are migrated last, e.g. users, authenticators, and authenticator applications.
- Meaningful data migration task description. The data migration task description now contains the target schema version to better distinguish multiple data migration tasks.
Generic authentication status codes (Support case CS0087535)
OneSpan Authentication Server Appliance provides a new policy setting (Use Generic Authentication Status Codes) that specifies whether certain status codes and messages should be mapped to generic status information in server responses, to prevent user account disclosure in authentication and provisioning scenarios. The real status code and message will still be visible in the audit and trace messages.
If enabled, the following status codes will be mapped to 1000 (STAT_INVCREDENTIALS), even if more specific status information is available:
- 1007
- 1009
- 1010
- 1011
- 1012
- 1023
- 1025
- 1033
- 1045
By default, the new policy setting is disabled for parentless policies.
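The security point of this setting is that distinct failure codes act as an oracle: a client that can tell "user does not exist" apart from "wrong password" can enumerate accounts. The added example below (not OneSpan's code) models the policy: the client-facing status is collapsed to 1000 for exactly the listed codes, while the audit side keeps the real code and message. The generic message text, the two placeholder failure messages and the out-of-list code 2000 are constructed assumptions; only the code list and 1000 (STAT_INVCREDENTIALS) come from the release note.

```python
from dataclasses import dataclass

STAT_INVCREDENTIALS = 1000  # generic status from the release note

# Status codes listed in the release note that the policy collapses to 1000.
GENERIC_MAPPED_CODES = frozenset({1007, 1009, 1010, 1011, 1012, 1023, 1025, 1033, 1045})

# Assumed generic message text; the real wording is not given in the release note.
GENERIC_MESSAGE = "Invalid credentials"


@dataclass(frozen=True)
class AuthResult:
    """What the client sees versus what the audit/trace record keeps."""
    client_status: int
    client_message: str
    audit_status: int
    audit_message: str


def build_result(real_status: int, real_message: str, use_generic_codes: bool) -> AuthResult:
    """Apply the Use Generic Authentication Status Codes policy to one response.

    The audit side always carries the real status; only the client-facing side
    is collapsed, and only for the listed codes, so an unlisted code passes
    through unchanged even when the policy is enabled.
    """
    if use_generic_codes and real_status in GENERIC_MAPPED_CODES:
        return AuthResult(STAT_INVCREDENTIALS, GENERIC_MESSAGE, real_status, real_message)
    return AuthResult(real_status, real_message, real_status, real_message)


def client_can_distinguish(a: AuthResult, b: AuthResult) -> bool:
    """True if two failures differ in what the client receives (an enumeration oracle)."""
    return (a.client_status, a.client_message) != (b.client_status, b.client_message)


# Constructed pair of failing requests with placeholder messages (not the product's own).
FAILURE_A = (1007, "constructed message for status 1007")
FAILURE_B = (1033, "constructed message for status 1033")


def enumeration_oracle_present(use_generic_codes: bool) -> bool:
    """Whether the two constructed failures remain distinguishable under the policy setting."""
    result_a = build_result(*FAILURE_A, use_generic_codes)
    result_b = build_result(*FAILURE_B, use_generic_codes)
    return client_can_distinguish(result_a, result_b)


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"policy enabled={enabled}: oracle present={enumeration_oracle_present(enabled)}")
        print("  audit keeps real code:", build_result(*FAILURE_A, enabled).audit_status)
```

Because the audit record is unaffected, enabling the policy costs nothing on the investigation side; what changes is only what an unauthenticated caller can learn from the response.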
Push notification when Active Directory password has expired (Support case CS0080279)
OneSpan Authentication Server Appliance now includes a new workflow for push–notification-based authentication when the Active Directory password has expired. This workflow applies if back-end authentication is configured along with push–notification-based authentication.
With this setup, if a user's Active Directory password has expired, the user will first receive a push notification message for the first authentication step. After the user has authenticated via this message, they will be notified about the expiration of the Active Directory password and prompted to change the password. When the password has been changed, the authentication process is successfully completed.
Fixes and other updates
Issues OAS-14042, OAS-12065 (Support case CS0083610): Incorrect administrative privilege check for session management settings and misleading configuration privileges
Description: If an administrator without the View Admin Session privilege attempts to view the session management settings via the SERVERS > Session Management > Settings tab, a respective error message will be displayed and access to the page is denied. The same administrator can, however, circumvent the privilege check by accessing the page directly via the URL.
Status: This issue has been fixed. In addition, the following improvements have been implemented for the administrative privilege configuration:
- In previous versions, the existing View Back-End Settings and Update Back-End Settings privileges misleadingly determined the access to the global configuration settings. These privileges have now been renamed to View Global Configuration Options and Set Global Configuration Options, respectively, to align with their actual meaning. In addition, they have been moved to the Configuration section on the USERS > Admin Privileges tab, together with the View Server Configuration Options and Set Server Configuration Options privileges.
- The global configuration settings have been consolidated. The SERVERS > Session Management > Settings tab was moved to the SERVERS > Global Configuration > Session Management tab. The BACK-END > Global Settings tab was moved to the SERVERS > Global Configuration > Back-End Servers tab.
- Since the session management settings are global settings, they are now correctly available only if the administrator has the View Global Configuration Options privilege.
Issue OAS-13095 (Support cases CS0090562, CS0089587): Offline authentication data not sent for linked user in different domain
Description: If a user authenticates via Digipass Authentication for Windows Logon using an authenticator of a linked user account that is in a different domain, OneSpan Authentication Server Appliance does not send offline authentication data (OAD) to the client.
Status: This issue has been fixed.
Issue OAS-12757 (Support case CS0087166): Authentication fails if domain name is part of user ID
Description: Users who have the domain name in their user ID can experience authentication issues because OneSpan Authentication Server Appliance uses the corresponding part of the user ID as the domain name.
Status: To prevent this issue, users with the domain name in their user ID need to also provide the domain when logging in. This information has been added to the OneSpan Authentication Server Appliance Administrator Guide.
Issues OAS-12732, OAS-3485 (Support cases CS0086813, CS0084947, CS0021852): SOAP enabled by default (Licensing)
Description: As of OneSpan Authentication Server Appliance 3.23, SOAP is by default enabled in all licenses. If your license was created prior to this product version, you can contact OneSpan Support and request a free license upgrade.
Issues OAS-12169, OAS-11872: Vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, and CVE-2021-44228 in Apache Log4j2 (Web Administration Service)
Description: Recently, the Apache foundation announced a number of security vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the Log4j2 library for Java applications, affecting all versions from 2.0-beta-9 to 2.16.0. These vulnerabilities allow attackers who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The fix provided in 2.17.0 included another security vulnerability (CVE-2021-44832) that allows remote code execution (RCE) attacks where attackers can construct malicious configurations using a JDBC Appender. This vulnerability is difficult to exploit and considered non-critical for Web Administration Service.
For more information, refer to:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- https://nvd.nist.gov/vuln/detail/CVE-2021-44832
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Affects: OneSpan Authentication Server Appliance
Status: These issues have been fixed. The affected library files have been upgraded to Log4j Core library version 2.17.1. This version of the library mitigates the remote code execution and denial-of-service attacks that could result from the vulnerabilities.
Note that a hotfix (including Apache Log4j 2.17.0) for the affected versions of Web Administration Service to fix the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 vulnerabilities was released on December 21, 2021. For more information, refer to https://www.onespan.com/remote-code-execution-vulnerability-in-log4j2-cve-2021-44228.
Issue OAS-12130 (Support case CS0084327): SNMP endpoints are not accessible
Description:
Affects: OneSpan Authentication Server Appliance
Status: This issue has been fixed.
Issue OAS-11647 (Support case CS0082520): Authentication via push notification fails (Message Delivery Component)
Description: Authentication via push notification fails if OneSpan Notification Gateway and Digipass Authentication for Windows Logon are used. This is because OneSpan Notification Gateway does not support the uppercase Digipass Authentication for Windows Logon correlation IDs.
Affects: OneSpan Authentication Server Appliance 3.22
Status: This issue has been fixed. Message Delivery Component now forwards the lowercase correlation ID to OneSpan Notification Gateway.
Issue OAS-11432 (Support case CS0080787): OneSpan Authentication Server Appliance does not create core dumps
Description: Due to a faulty signal handler implementation, OneSpan Authentication Server Appliance only creates core dumps if the main process is terminated by SIGSEGV. If a specific thread is terminated by SIGSEGV, all other threads incorrectly receive SIGKILL and no core dump is generated.
Affects: OneSpan Authentication Server Appliance
Status: This issue has been fixed.
Issue OAS-11422 (Support case CS0076551): Selection issue with MDL register and auto-assignment
Description: Under some circumstances (particularly in slow environments), multiple multi-device licensing (MDL) registration requests that are processed almost at the same time can yield errors because auto-assignment attempts to use the same authenticator for more than one request. In that case, the user receives an error that the authenticator is already assigned and needs to retry the registration.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed. The MDL registration process has been refactored and now uses correct authenticator selection/assignment logic (randomly select an authenticator and lock the respective authenticator record).
Issue OAS-11407 (Support case CS0079970): OneSpan Authentication Server service/daemon terminates on DNS query
Description: When performing a DNS query, the OneSpan Authentication Server service/daemon can terminate unexpectedly if the DNS response is too large.
Affects: OneSpan Authentication Server Appliance
Status: This issue has been fixed.
Issue OAS-11218 (Support case CS0079957): Incomplete list of OneSpan Authentication Server Framework error codes (Documentation)
Description: The list of OneSpan Authentication Server Framework (formerly VACMAN Controller) error codes in the OneSpan Authentication Server Appliance Administrator Reference is incomplete. Error code 1119 (Unsupported Payload Key Blob) is missing.
Status: The documentation has been updated.
Issue OAS-10888 (Support case CS0077906): Organizational unit lists do not include more than 1000 OUs (Web Administration Service)
Description: If you want to select an organizational unit (OU) from a list, e.g. when moving/renaming a user account via the Move Users wizard, only the first 1000 OUs are listed, even if there are more defined in the organizational structure.
Affects: OneSpan Authentication Server Appliance 3.21–3.22
Status: This issue has been fixed.
Issue OAS-8234: Copy Admin Privileges wizard allows copying from non-administrative user accounts (Web Administration Service)
Description: The Copy Admin Privileges From wizard copies administrative privileges from one user account to another. If the target user account has privileges assigned that the source user account does not have, then the target user account will lose those privileges. If you select a non-administrative user account to copy the privileges from by mistake, the target user account will lose all privileges.
Status: The wizard behavior has been changed. You cannot select non-administrative user accounts to copy privileges from anymore.
Issue OAS-7351 (Support case CS0053506): Tasks prevent deletion of administrative user account (Web Administration Service)
Description: If an administrator has finished or scheduled tasks assigned, it is not possible to delete the administrator's user account.
Affects: OneSpan Authentication Server Appliance
Status: This issue has been fixed. It is now possible to specify a successor user who will take ownership of the items assigned to the user account to be deleted. For instructions to delete a user account, refer to the Administration Web Interface Help.
Issue OAS-6194 (Support case CS0041259): Replication queue exceeds maximum file size (Replication)
Description: If replication between multiple OneSpan Authentication Server Appliance instances is not possible, the specified maximum file size for Replication.DB is ignored, and the replication queue will exceed the limit and continue to grow.
Affects: OneSpan Authentication Server Appliance 3.18–3.22
Status: This issue has been fixed.
Issue OAS-1650 (Support case CS0012609): Performance issues related to persistent cache data
Description: In environments where the persistent cache table is highly fragmented, e.g. due to inadequate database maintenance, system load can increase significantly, thus leading to reduced database performance or even service outage.
Status: This issue has been fixed. The database indexes for the persistent cache have been reviewed and optimized.
Issue 136846: SFTP backup fingerprint update
Description: If SFTP backup is configured, it stores a fingerprint from the server to which backups are written. OneSpan Authentication Server Appliance has been updated to use a more secure fingerprint.
The SFTP fingerprint will be automatically updated. Verify the change by checking your automatic SFTP backups.
Affects: OneSpan Authentication Server Appliance 3.22 and earlier
Issue 134407: Audit Copy Warnings on 31st of the Month
Description: On the 31st of the month, errors related to audit copy appear in the logs. These errors self-correct on the 1st of the following month and can be ignored.
Affects: OneSpan Authentication Server Appliance 3.22
Status: This issue has been fixed.
Version 3.22 (October 2021)
Release information
Software versions
This release includes:
- OneSpan Authentication Server 3.22.4 with OneSpan Authentication Server Framework 3.18
- OneSpan Authentication Server Administration Web Interface 3.22.4
Upgrade path
When upgrading to this version, replication between OneSpan Authentication Server Appliance instances will be disabled to avoid compatibility issues that may result from different product versions. You can enable replication after all OneSpan Authentication Server Appliance instances have been upgraded.
New features and enhancements
Authenticator type limit policy
OneSpan Authentication Server Appliance now allows you to restrict the maximum number of assigned authenticators per user for specific authenticator types. The new authenticator limit is configured via a new policy setting (DIGIPASS Assignment > DIGIPASS Type Limit). By default, no limit is set. For single-device licensing, it is possible to limit the number of assigned authenticators; for multi-device activation/multi-device licensing the setting limits the number of assigned authenticator licenses and activated authenticator instances.
If you need to have more than one authenticator provided to your users, you should still limit the number to avoid having too many authenticators (and/or instances) assigned or activated for single users.
Delete authenticators via Manage User page
You can now delete authenticators via the Manage User page of the Administration Web Interface. A new DELETE button has been added to the Assigned DIGIPASS tab, which can be useful in situations where you need to delete a user's authenticator but you do not know the serial number, e.g. when a user loses their authenticator.
Administrator levels shown in user lists (Administration Web Interface)
The administrator level of users is now included as a separate column in the User list and the Admin session list of the Administration Web Interface. In the Admin session list it indicates the administrator level of the user owning the respective administrator session. For regular users the respective value is left empty.
Schedulable task to remove finished tasks
A new command has been added to remove old finished tasks. This allows you to clean up the task list and remove completed tasks regularly to maintain clarity and avoid performance issues with the task management.
The command is available in the Administration Web Interface via SERVERS > Delete Finished Tasks. It takes the age in days of the finished tasks to be deleted as parameter. All finished tasks with an end date (completion) equal to or older than this value will be deleted. The command itself schedules a server task that processes the server task table. If required, the cleanup task can be configured to recur on a daily or monthly basis.
Improved validation when deleting users
If you attempt to delete a user who owns any report, report file, or server task, or is the target of a pending operation, OneSpan Authentication Server Appliance refuses to delete it. The validation when deleting a user account has been improved. If you delete a user under the aforementioned conditions, you will receive an error message listing the number of connected objects. The respective SOAP operation now returns STAT_INUSE (–20) as status code. This information will also be shown by Web Administration Service.
If maker–checker authorization is enabled, the validation is performed twice, once before the respective pending operation is scheduled and again when it is executed after approval.
Embedded JRE changed to OpenJDK (Web Administration Service)
The embedded Java Runtime Environment (JRE) deployed by the Web Administration Service setup packages has been replaced. Instead of Oracle Java, Web Administration Service now uses Azul Zulu (OpenJDK).
Supported platforms, data management systems, and other third-party products
Software libraries
OneSpan Authentication Server Appliance now includes the following (updated) third-party libraries:
- OpenSSL 1.1.1h
Fixes and other updates
Issue OAS‑11872: Vulnerabilities CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228 in Apache Log4j2
Description: Recently, the Apache foundation announced a number of security vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the Log4j2 library for Java applications, affecting all versions from 2.0-beta-9 to 2.16.0. These vulnerabilities allow attackers who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
For more information, refer to:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Affects: OneSpan Authentication Server Appliance 3.15.16–3.21
Status: This issue has been fixed. The affected library files have been upgraded to Log4j Core library version 2.17.0. This version of the library mitigates the remote code execution and denial-of-service attacks that could result from the vulnerabilities.
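The following is an added example, not part of the release note or of the product. It shows how a defender can check a JAR for the affected log4j-core version range stated above (2.0-beta-9 through 2.16.0, fixed in 2.17.0) by reading the Maven pom.properties metadata and looking for the JndiLookup class. The sample JARs are constructed in memory as stand-ins; the file paths inside them follow the standard Maven and Log4j layout.

```python
"""Check a JAR for a log4j-core version in the affected range named in the release note."""
import io
import re
import zipfile
from typing import Optional, Tuple

# Range as stated in the note: 2.0-beta-9 through 2.16.0; 2.17.0 carries the fix.
AFFECTED_MIN = "2.0-beta-9"
AFFECTED_MAX = "2.16.0"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn a Log4j version string into a sortable tuple.
    '2.0-beta-9' -> (2, 0, 0, 0, 9); '2.16.0' -> (2, 16, 0, 1, 0).
    The fourth element orders pre-releases (0) before final releases (1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:alpha|beta|rc)-?(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    if pre is None:
        return (int(major), int(minor), int(patch or 0), 1, 0)
    return (int(major), int(minor), int(patch or 0), 0, int(pre))


def assess_jar(jar) -> dict:
    """Report the log4j-core version, whether JndiLookup is shipped, and whether the
    affected range applies. `jar` may be a path or a file-like object."""
    version: Optional[str] = None
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        jndi_present = JNDI_CLASS in names
        for name in names:
            if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    if version is None:
        in_range = None  # no metadata: cannot decide from the version alone
    else:
        try:
            in_range = parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)
        except ValueError:
            in_range = None
    # Unknown version but JndiLookup shipped: flag for review rather than assume it is safe.
    needs_review = in_range is True or (in_range is None and jndi_present)
    return {"version": version, "jndi_lookup_present": jndi_present,
            "in_affected_range": in_range, "needs_review": needs_review}


def build_sample_jar(version: str, include_jndi: bool = True, include_pom: bool = True) -> io.BytesIO:
    """Construct a minimal stand-in JAR (not a real Log4j artifact) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_pom:
            zf.writestr(POM_PREFIX + "pom.properties",
                        f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for v in ("2.14.1", "2.16.0", "2.17.0"):
        print(v, assess_jar(build_sample_jar(v)))
```

Point the same `assess_jar` at the real JAR files of a deployment (for example with `pathlib.Path.rglob("*.jar")`) to get the same verdict per file; the version comparison is what decides, the class check only guards the case where the metadata is missing.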
Issue OAS-11647 (Support case CS0082520): Authentication via push notification fails (Message Delivery Component)
Description: Authentication via push notification fails if OneSpan Notification Gateway and Digipass Authentication for Windows Logon are used. This is because OneSpan Notification Gateway does not support the uppercase Digipass Authentication for Windows Logon correlation IDs.
Affects: OneSpan Authentication Server Appliance 3.22
Status: This issue has been fixed. Message Delivery Component now forwards the lowercase correlation ID to OneSpan Notification Gateway.
Issue OAS‑11432 (Support case CS0080787): OneSpan Authentication Server Appliance does not create core dumps
Description: Due to a faulty signal handler implementation, OneSpan Authentication Server Appliance only creates core dumps if the main process is terminated by SIGSEGV. If a specific thread is terminated by SIGSEGV, all other threads incorrectly receive SIGKILL and no core dump is generated.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.22
Status: This issue has been fixed.
Issue OAS‑11407 (Support case CS0079970): OneSpan Authentication Server service/daemon terminates on DNS query
Description: When performing a DNS query, the OneSpan Authentication Server service/daemon can terminate unexpectedly if the DNS response is too large.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.21
Status: This issue has been fixed.
Issue OAS-10513 (Support case CS0075857): SQLite performance issues (Replication)
Description: SQLite performance issues affect the replication between multiple OneSpan Authentication Server Appliance instances and increase the replication backlog.
Affects: OneSpan Authentication Server Appliance 3.21
Status: This issue has been fixed.
Issue OAS-10464 (Support case CS0075857): Replication issues after upgrade to OneSpan Authentication Server Appliance 3.21.1
Description: After a product upgrade to version 3.21.1, the replication backlog can significantly increase in environments with multiple OneSpan Authentication Server Appliance instances. This can cause replication between multiple product instances to fail.
Affects: OneSpan Authentication Server Appliance 3.21.1
Status: This issue was caused by and has been fixed along with issue OAS-10513.
Issue OAS-10200 (Support case CS0073104): Inaccurate description of Max Days Between Authentications (Documentation)
Description: According to the OneSpan Authentication Server Appliance Administrator Reference and the Administration Web Interface Help, an administrator account expires by default after 90 days of inactivity. This information is misleading because the default setting of 90 days applies to all user accounts (not only administrator accounts).
Affects: OneSpan Authentication Server Appliance 3.17–3.21
Status: The documentation has been updated.
Issue OAS-9928 (Support case CS0070255): High memory usage when using LDAP Synchronization Tool
Description: A potential memory issue affecting administrative operations has been identified. In some environments this can lead to growing memory usage.
Especially in scenarios that involve LDAP user synchronization, OneSpan Authentication Server Appliance memory usage can grow rapidly. The consumed memory is not released after synchronization has completed.
Affects: OneSpan Authentication Server Appliance 3.17–3.21
Status: This issue has been fixed.
Issue OAS-9476 (Support case CS0063329): Push notifications are rejected for linked users
Description: When a user attempts an authentication via push notification (push and login) with a user account that is linked to another account, the push notification is sent correctly. However, because the user and domain information in the notification is different, the mobile app rejects the request and the authentication process fails.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed.
Issue OAS-9297 (Support case CS0064510): Assign authenticator fails with certain serial number range parameters (Administration)
Description: When you attempt to assign an authenticator you can specify a range of serial numbers to automatically pick an authenticator from that range. However, the serial number range is incorrectly evaluated if any of the range parameters specifies either a serial number that contains alphabetic character prefixes, e.g. VDS0000001, or a number larger than 2147483648. In either case, the first authenticator found in the database is used for assignment, regardless of its serial number.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed.
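As an added example (not the product's code), the two functions below contrast the pattern behind the bug described above with a fail-closed version. The first parses the range bounds as 32-bit integers and, when that fails, silently falls back to the first record found; the second validates both bounds, requires a common alphabetic prefix, compares the numeric part with arbitrary precision, and raises instead of guessing. The inventory of serial numbers is constructed for the example.

```python
"""Serial-number range selection: a fail-open implementation beside a fail-closed one."""
import re
from typing import List, Optional, Tuple

# Constructed inventory; the prefix/number layout mirrors the VDS0000001 form quoted in the note.
INVENTORY = ["VDS0000003", "VDS0000001", "VDS0000002", "VDS0000010", "FIS4000000005"]

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def pick_fail_open(start: str, end: str, inventory: List[str]) -> Optional[str]:
    """The defect pattern: bounds that do not parse as int32 make the range silently
    ignored, so any record at all can be handed out for assignment."""
    try:
        lo, hi = int(start), int(end)
        if not (INT32_MIN <= lo <= INT32_MAX and INT32_MIN <= hi <= INT32_MAX):
            raise ValueError("out of int32 range")
    except ValueError:
        return inventory[0] if inventory else None  # range dropped: "first found" wins
    for serial in inventory:
        try:
            if lo <= int(serial) <= hi:
                return serial
        except ValueError:
            continue
    return None


SERIAL_RE = re.compile(r"([A-Z]*)(\d+)")


def split_serial(serial: str) -> Tuple[str, int]:
    """Split 'VDS0000001' into ('VDS', 1); Python ints have no 2^31 ceiling."""
    m = SERIAL_RE.fullmatch(serial.strip().upper())
    if not m:
        raise ValueError(f"malformed serial number: {serial!r}")
    return m.group(1), int(m.group(2))


def pick_fail_closed(start: str, end: str, inventory: List[str]) -> Optional[str]:
    """Validate the bounds up front and never fall back to an unfiltered record.
    Returns the lowest serial inside the range, or None if nothing matches."""
    prefix_lo, lo = split_serial(start)
    prefix_hi, hi = split_serial(end)
    if prefix_lo != prefix_hi or lo > hi:
        raise ValueError("range bounds must share a prefix and be ordered")
    candidates = []
    for serial in inventory:
        try:
            prefix, num = split_serial(serial)
        except ValueError:
            continue  # a malformed record can never satisfy a validated range
        if prefix == prefix_lo and lo <= num <= hi:
            candidates.append((num, serial))
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    print(pick_fail_open("VDS0000001", "VDS0000002", INVENTORY))    # wrong record
    print(pick_fail_closed("VDS0000001", "VDS0000002", INVENTORY))  # VDS0000001
```

The general lesson is the one the note illustrates: when input validation fails, the safe outcome is an error, not a silently widened query.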
Issue OAS-9102 (Support cases CS0058750, CS0058489): Connection issue due to certificate error (Web Administration Service)
Description: If Web Administration Service attempts to connect to OneSpan Authentication Server Appliance via the FQDN, but the TLS/SSL certificate for SOAP connections is issued for the IP address only (or vice versa), the connection cannot be established. You will receive an error that the certificate does not match the common name of the certificate subject.
Affects: OneSpan Authentication Server Appliance 3.21
Status: In version 3.21, the certificate handling has been improved: the host name specified in the TLS/SSL certificate is now correctly verified by Web Administration Service. The server address used to connect to the OneSpan Authentication Server Appliance instance (either IP address or FQDN) must match the common name or the subject alternative name (SAN) in the TLS/SSL certificate for SOAP connections.
The self-signed TLS/SSL certificates created by the OneSpan Authentication Server Configuration Wizard contain only the IP address in the subject alternative name (SAN). If you need to use the FQDN when establishing the connection, you have to create a certificate that contains the FQDN in the SAN.
The user documentation has been extended to explain this now correct behavior.
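To make the matching rule described above concrete, here is an added example (not Web Administration Service code) that decides whether a connect address is covered by a certificate's common name and SAN entries. It follows the behaviour of modern TLS stacks, which is an assumption beyond the note's wording: an IP literal only matches an iPAddress SAN, a host name matches dNSName SANs (one leftmost wildcard label allowed), and the common name is consulted only when the certificate carries no dNSName SAN. The certificates and names are constructed.

```python
"""Does the address a client dials match the server certificate's CN/SAN?"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentity:
    """The identity-bearing parts of a certificate (constructed, not parsed from a file)."""
    common_name: str
    dns_names: List[str] = field(default_factory=list)     # dNSName SAN entries
    ip_addresses: List[str] = field(default_factory=list)  # iPAddress SAN entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*.example.internal' covers exactly one extra label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def address_matches(address: str, cert: CertIdentity) -> bool:
    """True if `address` (IP literal or host name) is covered by `cert`."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only satisfied by an iPAddress SAN, never by a DNS name or the CN.
        return any(ip == ipaddress.ip_address(entry) for entry in cert.ip_addresses)
    if cert.dns_names:
        return any(_dns_match(entry, address) for entry in cert.dns_names)
    # Legacy fallback: CN is consulted only when no dNSName SAN is present.
    return _dns_match(cert.common_name, address)


if __name__ == "__main__":
    # Shape of the wizard-style certificate described in the note: IP address only in the SAN.
    ip_only = CertIdentity(common_name="192.0.2.10", ip_addresses=["192.0.2.10"])
    print(address_matches("192.0.2.10", ip_only))            # True
    print(address_matches("oas.example.internal", ip_only))  # False: FQDN missing from SAN
```

The second call in the demonstration is the situation the note describes: connecting by FQDN to a certificate whose SAN holds only the IP address fails, and the remedy is a certificate that lists the FQDN as a dNSName SAN (keeping the IP entry if clients also connect by address).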
Issue OAS-8967 (Support case CS0062858): Incorrect scheduling of tasks with daily recurrence (Task scheduling)
Description: When you create a task that should run with a daily recurrence on only one particular day of the week, the time of the next execution run is incorrectly calculated. This miscalculation causes the task to run every minute on the particular day of the week.
Status: This issue has been fixed.
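As an added example (not the product's scheduler), the function below computes the next execution of a task with daily recurrence restricted to one weekday. The detail that prevents the every-minute re-run described above is that the next run is always strictly after the reference time and that rescheduling starts from the previous run time. A minute-by-minute simulation over a constructed July 2023 window shows the task firing exactly once per configured weekday.

```python
"""Next-run computation for a task that recurs daily but only on one weekday."""
from datetime import datetime, time, timedelta
from typing import List


def next_run(now: datetime, run_at: time, weekday: int) -> datetime:
    """First datetime strictly after `now` on `weekday` (0 = Monday ... 6 = Sunday) at `run_at`.

    'Strictly after' is the guard: once the run on the configured day has started, the
    next candidate is seven days later, never the same minute again."""
    if not 0 <= weekday <= 6:
        raise ValueError("weekday must be in 0..6")
    days_ahead = (weekday - now.weekday()) % 7
    candidate = datetime.combine(now.date() + timedelta(days=days_ahead), run_at)
    if candidate <= now:
        candidate += timedelta(days=7)
    return candidate


def simulate(start: datetime, end: datetime, run_at: time, weekday: int,
             tick: timedelta = timedelta(minutes=1)) -> List[datetime]:
    """Advance a clock minute by minute and record every firing."""
    fired: List[datetime] = []
    scheduled = next_run(start, run_at, weekday)
    now = start
    while now <= end:
        if now >= scheduled:
            fired.append(scheduled)
            # Reschedule from the run time, not from the wall clock, so a late tick cannot
            # produce a second run in the same slot.
            scheduled = next_run(scheduled, run_at, weekday)
        now += tick
    return fired


# String wrappers so the logic can be exercised without building datetime objects by hand.
def next_run_iso(now_iso: str, hhmm: str, weekday: int) -> str:
    return next_run(datetime.fromisoformat(now_iso), time.fromisoformat(hhmm), weekday).isoformat()


def simulate_iso(start_iso: str, end_iso: str, hhmm: str, weekday: int) -> List[str]:
    runs = simulate(datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso),
                    time.fromisoformat(hhmm), weekday)
    return [r.isoformat() for r in runs]


if __name__ == "__main__":
    # Constructed window: 3 July 2023 (Monday) to 31 July 2023; task every Wednesday at 09:00.
    for run in simulate_iso("2023-07-03T00:00:00", "2023-07-31T23:59:00", "09:00", 2):
        print(run)
```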
Issues OAS-8877, OAS-8180: New dialog boxes in the Administration Web Interface
Description: Dialog boxes in the Administration Web Interface are no longer opened in a separate browser window but are now displayed as an overlay on the same browser page (lightbox pop-up). Issues with pop-up blocker software will no longer occur.
Issue OAS-8812 (Support case CS0058873): Authenticator description not populated from DIGIPASS import file
Description: When you import authenticators from a DIGIPASS import file (.csv) the value of the description column is ignored and not written to the description of the authenticator record in the database.
Affects: OneSpan Authentication Server Appliance 3.21
Status: This issue has been fixed.
Issue OAS-8397 (Support case CS0058121): OU administrator cannot move user account to child OU
Description: When an organizational unit (OU) administrator attempts to move a user account from the same OU to a child OU, the command fails. An error message in the trace file incorrectly indicates that the administrator does not have access to the top-level domain, which is not required in this case anyway.
Status: This issue has been fixed.
Issue OAS-8249 (Support case CS0056576): Incorrect authenticators selected for auto-assignment
Description: In environments with user accounts and authenticators in different organizational units (OU), provisioning using auto-assignment can fail. OneSpan Authentication Server Appliance attempts to assign the first authenticator based on the alphabetically sorted serial number, independent of the authenticator's location. If that authenticator is in an organizational unit inaccessible to the user, the assignment process will fail, although a valid authenticator is present in an accessible OU.
Affects: OneSpan Authentication Server Appliance 3.16
Status: This issue has been fixed.
Issue OAS-8248 (Support case CS0057547): Set Authentication Policy Overrides privilege not always effective
Description: The Set Authentication Policy Overrides administrative privilege is not correctly evaluated for global administrators in some circumstances. This allows global administrators without that specific administrative privilege to modify user-specific settings and override the effective client policy settings via the USERS > Policy Overrides tab.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed.
Issue OAS-8184: New DIGIPASS import file examples
Description: As of OneSpan Authentication Server Appliance 3.21 it is possible to upload and process a DIGIPASS import file (CSV) via the Administration Web Interface directly. To help administrators to inspect the file structure and prepare such files themselves more easily, a couple of sample files are now included on the product CD.
Issue OAS-8068 (Support case CS0053630): Server policy is changed to default policy during upgrade
Description: When OneSpan Authentication Server Appliance is upgraded to a newer product version, the server policy is changed to Identikey Administration Logon.
Affects: OneSpan Authentication Server Appliance 3.20–3.21.x
Status: This issue has been fixed.
Issue OAS-6848 (Support cases CS0053447, CS0049052): Assign authenticator fails with invalid serial number range (Administration)
Description: When you attempt to assign an authenticator you can specify a range of serial numbers. If maker–checker authorization is enabled and the range of serial numbers contains non-existent authenticators, you get an error message that a foreign key constraint is violated. No pending operation is scheduled. A workaround is to specify a valid serial number range containing existent authenticators or to use the Search now to select DIGIPASS to assign option in the Assign DIGIPASS wizard.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed.
Issue OAS-6598 (Support case CS0044946): Service does not recover from ODBC connection failure
Description: In some circumstances, the OneSpan Authentication Server Appliance service cannot properly recover if the connection to the ODBC database is lost and the service attempts to reconnect bad nodes. This issue is indicated by an info message in the trace file: "Not attempting a reconnect, next try allowed earliest at 1969-12-31 23:59:59"
Affects: OneSpan Authentication Server Appliance 3.18–3.21
Status: This issue has been fixed.
Issue OAS‑6446 (Support case CS0046669): Unclear information regarding OneSpan Mobile Authenticator setups (Documentation)
Description: The Push Notification Getting Started Guide contains unclear information about the steps which are required to set up deployments that target the OneSpan Mobile Authenticator app. This also includes misleading information about the DIGIPASS Gateway API keys, how to configure your firewall, and which OneSpan Authentication Server client components to use.
Status: The documentation has been updated.
Issue OAS-5264: Incorrect report sorting results (Web Administration Service)
Description: Sorting in the Reports list does not work correctly. If you select to sort by report name, the report list is actually sorted by the internal report ID instead of the displayed report name. Sorting by any column does not take letter casing into consideration. Both can lead to incorrect and unexpected sorting results.
Status: This issue has been fixed. The Reports list is now correctly sorted by the report name and casing is handled correctly.
Issue OAS-4354 (Support case PS‑CS0028491): Log rotation not working with log size greater than 1 GB
Description: If the log size is set to a value greater than 1 GB, log rotation will not work properly.
Affects: OneSpan Authentication Server Appliance 3.17–3.21
Status: This issue has been fixed.
Issue OAS‑3897 (Support cases CS0045397, CS0024776, CS0024325, CS0022985): Finished scheduled tasks result in performance issues (Task management)
Description: Scheduled tasks are not removed from the database when they are completed. This can lead to a large number of finished tasks if tasks are scheduled regularly but never removed. OneSpan Authentication Server Appliance queries all tasks once a minute to update their progress and state information, so in some environments this can yield higher resource consumption over time and lead to delayed response times, in the worst case to replication failures.
Affects: OneSpan Authentication Server Appliance 3.15
Status: This area of issues has been improved in several steps:
- In OneSpan Authentication Server Appliance 3.22, a new command has been added to remove old finished tasks. This allows you to clean up the task list and remove completed tasks regularly to maintain clarity and avoid performance issues with the task management.
- In OneSpan Authentication Server Appliance 3.21, the Task Management page of the Administration Web Interface has been improved to filter the task list based on search criteria for most columns and sort it by different columns.
- In OneSpan Authentication Server Appliance 3.20, the affected queries have been optimized.
Issue OAS-345 (Support case CS0001464): Missing information about deleting administrators who are report owners (Documentation)
Description: Deleting an administrative user account is not possible if the user is a report owner. The ownership of any affected reports needs to be changed before an administrator can be deleted. This information is missing in the OneSpan Authentication Server Appliance Administrator Guide.
Affects: OneSpan Authentication Server Appliance 3.12
Status: The documentation has been updated.
Issue OAS-265 (Support case PS‑176974): Service stops when importing invalid user import file
Description: When attempting to import user accounts via a user import file that contains lines longer than 1023 characters, the OneSpan Authentication Server service/daemon terminates ungracefully.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed.
Issue 133197: Various security improvements
Description: Various security improvements have been made. MariaDB no longer listens on external interfaces. The SSL cipher suite was upgraded for the replication daemon.
Affects: OneSpan Authentication Server Appliance 3.21 and earlier
Status: Security has been improved.
Issue 130713: Update of minimum requirements in documentation
Description: The minimum disk requirements mentioned in the OneSpan Authentication Server Virtual Appliance installation manuals are incorrect.
Affects: OneSpan Authentication Server Appliance 3.18–3.21
Status: The documentation has been updated.
Issue 127392 (Support Case CS0064700): LDAP synchronization test run fails with special characters
Description: Test runs of LDAP synchronization fail if there are user names that contain special characters.
Affects: OneSpan Authentication Server Appliance 3.21
Status: This issue has been fixed.
Deprecated components and features
Digipass Authentication for Windows Logon 1.x
OneSpan Authentication Server Appliance no longer supports Digipass Authentication for Windows Logon 1.x. The related features, e.g. Dynamic Component Registration (DCR) and the Identikey Windows Logon Client client component, have been removed.
OneSpan Authentication Server Appliance continues to support Digipass Authentication for Windows Logon 2.0 and later.
Future platform support changes
This section summarizes planned and upcoming changes of supported platforms and other third-party products that will become effective in future versions. You are highly encouraged to plan and modify your deployments accordingly to allow future upgrades.
Version 3.23
OneSpan Authentication Server Appliance 3.23 will no longer support the following products:
Web browsers
- Internet Explorer
Version 3.21 (January 2021)
Release information
Software versions
This release includes:
- OneSpan Authentication Server 3.21.0 with OneSpan Authentication Server Framework 3.18
- OneSpan Authentication Server Administration Web Interface 3.21.0
Upgrade path
When upgrading to this version, replication between OneSpan Authentication Server Appliance instances will be disabled to avoid compatibility issues that may result from different product versions. You can enable replication after all OneSpan Authentication Server Appliance instances have been upgraded.
OneSpan Authentication Server Appliance supports direct upgrades from 3.20 and 3.20.1 to version 3.21.
New features and enhancements
Administrator levels
OneSpan Authentication Server Appliance 3.21 introduces administrator levels. These are optional values that can be used to create an administrative account hierarchy that controls which other administrator accounts a particular administrator account can view, edit, and update (as long as they are within the administrative scope). Administrators cannot modify, delete, or even view administrator accounts that have an administrator level higher than their own.
You can view and manage the administrator level of administrator accounts via the Administration Web Interface.
DIGIPASS import file upload (Web Administration Service)
You can now upload and process import files via the Administration Web Interface directly without using Data Migration Tool (DMT). A DIGIPASS import file is a comma-separated text file (.csv) that contains authenticator records. They are used, for instance, to import authenticator data from an existing OneSpan Authentication Server Framework environment to OneSpan Authentication Server.
To upload authenticator records in bulk, use DIGIPASS > Import DPX (for DPX files) or DIGIPASS > Import CSV (for CSV import files) in the Administration Web Interface.
Improved task management page (Web Administration Service)
The Task Management page of the Administration Web Interface has been improved to handle large numbers of tasks. You can now refine the task list and filter it based on search criteria for most columns. Furthermore, you can also sort the task list by different columns.
Information about assigned user on DIGIPASS Properties page (Web Administration Service)
The DIGIPASS Properties page of the Administration Web Interface now provides information about the user account to which the authenticator is assigned. You can click the user ID to open the corresponding User Properties page.
Search for user accounts by email address (Web Administration Service)
In addition to user ID and user name, you can now also search for user accounts by the email address. A respective option has been added to the quick search on the Administration Web Interface home page, the Find/Manage User page, and the respective pages of all wizards where you need to search for user accounts. The use of wildcard characters is supported.
Search for administrative user accounts (Web Administration Service)
You can now filter search results to include or exclude user accounts with administrative privileges when searching for users. Note that you cannot filter for a particular administrative privilege, but only limit the search results to user accounts that have either any administrative privilege assigned or none. This option is only available if you have the View Administrative Privileges permission assigned.
Improved report ownership handling (OAS-343, OAS-339, OAS-222, support cases CS0008821, CS0001464, PS-145045, PS-203998)
To improve the handling of report ownership, the following new features and changes have been implemented:
- Extended reports list: The list of available reports in OneSpan Authentication Server Administration Web Interface has been extended to include an additional column for the report owner. In addition, if you want to search for a particular report in the list, you can now filter and sort the list by report name, report type, description, or owner.
- Administrative privileges: The Take Report Ownership administrative privilege has been removed and replaced with the new Access Private Reports privilege. Domain administrators with this new privilege can view reports that have the usage and change permissions set to Private. If they have adequate administrative privileges, they can also change or run private reports. Administrators can only perform reporting actions in OneSpan Authentication Server Administration Web Interface for which they have sufficient administrative privileges. Actions that require additional or other privileges will not be available, i.e. the respective action buttons will not be displayed.
- Changing report ownership: The CHANGE OWNER button has been added to the reports list page in OneSpan Authentication Server Administration Web Interface to facilitate changing report ownership for multiple reports. Instead of changing one report owner at a time, you can now select the relevant reports in the list and change their owner in bulk.
Upgrade path
OneSpan Authentication Server Appliance supports direct upgrades from 3.20 and 3.20.1 to version 3.21.
Supported platforms, data management systems, and other third-party products
OneSpan authentication platform
OneSpan Authentication Server 3.21 has been integrated in OneSpan Authentication Server Appliance 3.21.
Software libraries
Web Administration Service now includes the following updated software libraries:
- Jackson Databind 2.11.2
- Apache Log4j Core 2.13.3
- Apache Commons Codec 1.14
- Apache Axis2 Transport HTTP 1.7.9
- Apache Standard Taglib Implementation 1.2.5
- Apache Struts 2.5.26
- Apache HttpClient 4.5.13
- Apache Axis2 JAXWS 1.7.9
Web servers (Web Administration Service)
- Apache Tomcat 8.5.60 (included)
Fixes and other updates
Issue OAS‑7341 (Support case CS0052220): Scheduled recurring reports multiplied on replication (Task management)
Description: An issue exists when you schedule recurring reports to run on any instance in replicated environments where reporting is enabled on more than one OneSpan Authentication Server Appliance instance. Under some circumstances, e.g. in case of high network latency, this setup can result in the reporting task multiplied by the number of instances. If this happens regularly, you end up with a lot of scheduled reports that all try to run at the same time.
Affects: OneSpan Authentication Server Appliance 3.19–3.20 (with replication)
Status: This issue has been fixed. In replicated environments, tasks with the task mode set to ANY are handled as if they were set to SPECIFIC on replication instances. New tasks that are created in a replicated environment are set to SPECIFIC by default.
Issue OAS-7190 (Support case PS‑CS0052267): Vulnerability in Apache Struts (Web Administration Service)
Description: Vulnerability CVE-2020-17530 in the Apache Struts framework can lead to remote code execution.
For more information refer to:
- https://cwiki.apache.org/confluence/display/WW/S2-061
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17530
Affects: OneSpan Authentication Server 3.12
Status: This issue has been fixed. Apache Struts has been upgraded to version 2.5.26.
Issue OAS‑7177 (Support case CS0049343): Offline authentication data not always created upon push notification authentication
Description: OneSpan Authentication Server Appliance does not create new offline authentication data (OAD) after a successful push notification authentication using Digipass Authentication for Windows Logon. This issue does not occur if the push notification request method is set to KeywordOnly.
Affects: OneSpan Authentication Server Appliance 3.14
Status: This issue has been fixed.
Issue OAS‑6741 (Support case CS0048259): File on product ISO image refers to VASCO website
Description: The product ISO image contains a zero-byte file that refers to the VASCO website instead of the OneSpan website.
Affects: OneSpan Authentication Server Appliance 3.6–3.20
Status: This issue has been fixed.
Issue OAS-6599, OAS-3967 (Support cases CS0046162, CS0026991): Updating OneSpan Authentication Server Appliance license invalidates replication setup
Description: Whenever you change or update the OneSpan Authentication Server Appliance license key, the replication configuration is invalidated and you need to reconfigure OneSpan Authentication Server Appliance replication.
Affects: OneSpan Authentication Server Appliance 3.6–3.20
Status: No fix available yet! The OneSpan Authentication Server Appliance Product Guide and the OneSpan Authentication Server Appliance Administrator Guide have been updated to include a note in the respective sections to remind administrators to reconfigure replication accordingly.
Issue OAS‑6540 (Support cases CS0051496, CS0049955, CS0046025): Encrypted values from global configuration are not correctly decrypted
Description: When the service starts and reads encrypted values from the global configuration for the first time, it does not correctly decrypt them, which can lead to issues afterward. For example, if AD security principal credentials are configured, reading the encrypted values fails and causes ALL configuration values to be initialized incorrectly.
Affects: OneSpan Authentication Server Appliance 3.17–3.20 (ODBC deployments)
Status: This issue has been fixed.
Issues OAS‑6153, OAS‑4043 (Support case CS0022514): Re-assigning authenticator licenses preserves payload keys (Provisioning)
Description: When assigning a previously assigned authenticator license used for multi-device licensing (MDL) to another user, the payload key is preserved and reused. This potentially allows the successful decryption of Secure Channel messages with the new user name on the old device.
Affects: OneSpan Authentication Server Appliance 3.7–3.20
Status: This issue has been fixed. Whenever an authenticator license used for multi-device licensing (MDL) is assigned, the payload key is automatically regenerated on assignment or re-assignment to another user (manual or via auto-assignment).
Issue OAS-5605 (Support cases CS0039109, CS0046614): Chinese characters in XML and PDF reports are broken (Web Administration Service)
Description: Chinese characters are not correctly displayed in XML and PDF reports.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed for XML reports.
XML reports now support UTF-8 encoding. The issue can still occur in PDF reports in case of characters that are not defined in the used PDF font.
Issue OAS‑5000: Administration Activity Summary report is incomplete (Web Administration Service)
Description: When generated and opened on Firefox, the Administration Activity Summary PDF report does not contain all relevant data. This issue does not occur with other supported web browsers.
Affects: OneSpan Authentication Server Appliance 3.20
Status: This issue has been fixed.
Issue OAS-4990 (Support case CS0033390): Incomplete instructions to edit HTML reports (Documentation)
Description: The OneSpan Authentication Server Appliance Administrator Guide provides incomplete information about editing existing HTML reports. Instructions to adapt the corresponding report templates are missing.
Affects: OneSpan Authentication Server Appliance 3.7–3.20
Status: The documentation has been updated.
Issue OAS-4613 (Support case CS0023004): Vulnerability when uploading files (Web Administration Service)
Description: There is a potential security issue when files are uploaded in OneSpan Authentication Server Appliance.
Affects: OneSpan Authentication Server Appliance 3.7–3.20
Status: This issue has been fixed. Security measures have been enhanced to improve the overall security of file uploads.
Issue OAS-4602 (Support case CS0046453): Information about administrator accounts incomplete (Documentation)
Description: The OneSpan Authentication Server Appliance Administrator Guide provides an overview of the different OneSpan Authentication Server administrator accounts used in ODBC deployments. The respective section is not sufficiently detailed in some cases and does not explain organizational unit administrators.
Affects: OneSpan Authentication Server Appliance 3.6–3.20
Status: The documentation has been updated.
Issue OAS-4281 (Support case CS0031375): Wrong format of audit message codes (Documentation)
Description: In the OneSpan Authentication Server Appliance Administrator Reference, audit message codes do not contain a hyphen between the message type indicator and the number.
Affects: OneSpan Authentication Server Appliance 3.7–3.20
Status: The documentation has been updated.
Issue OAS-4008: Security-related HTTP response headers missing (Web Administration Service)
Description: By default, Web Administration Service does not use HTTP response headers that can help to prevent malicious attacks.
Affects: OneSpan Authentication Server Appliance 3.9
Status: This issue has been fixed. Web Administration Service now uses recommended security-related HTTP response headers, such as the header that enables the XSS filter in the web browser and Content Security Policy (CSP) settings.
Issue OAS-3982 (Support case CS0027704): Digipass product name abbreviations are not described (Documentation)
Description: The OneSpan Authentication Server Appliance product documentation does not contain a list of authenticators and their product name abbreviations used in the DIGIPASS export file (DPX).
Affects: OneSpan Authentication Server Appliance 3.7–3.20
Status: The documentation has been updated. A list of authenticators has been added to the OneSpan Authentication Server Appliance Administrator Reference.
Issue OAS-3732 (Support case CS0024329): Issue with delayed activation without configured user contact information (Provisioning)
Description: An issue occurs when delayed activation is enabled and configured to send delayed activation messages via SMS, and a user without a configured mobile number attempts to activate an authenticator.
Affects: OneSpan Authentication Server Appliance 3.9
Status: This issue has been fixed. The activation is completed successfully. The warning audit message W-009002 has been extended to include the information that a mobile number is missing.
Issue OAS-2505: Missing date input validation for reports (Reporting)
Description: In reports and runtime query definitions, you can type any date format or string value for the date fields. The provided value is not validated, and OneSpan Authentication Server Appliance cannot process the request.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed. A datepicker has been added to the Administration Web Interface. The Administration Web Interface and OneSpan Authentication Server Appliance accept dates in ISO format (e.g. YYYY-MM-DD) and in the format YYYY/MM/DD.
Issue OAS-1700 (Support case CS0002641): Misleading information about IP port range (Documentation)
Description: The Push Notification Getting Started Guide states that DIGIPASS Gateway requires an open network port within the IP range 11000–11100. This information is misleading. DIGIPASS Gateway requires a known public IP address. The chosen port has to be open and accessible. The default port used by DIGIPASS Gateway is 11080 and has to be used if you are using the OneSpan Mobile Authenticator app.
Affects: OneSpan Authentication Server Appliance 3.12
Status: The documentation has been updated.
Issue OAS-1199: Report retrieval is not user friendly (Web Administration Service)
Description: In the Administration Web Interface, if you want to retrieve a report, you need to switch to the SYSTEM menu. Instead, the corresponding menu item should be part of the REPORTS menu.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed. The Report Retrieval menu item was renamed to Retrieve report and moved to the REPORTS menu.
Issue OAS-352 (Support case CS0002789): Incorrect OneSpan User Websites client type in Push Notification Getting Started Guide (Documentation)
Description: The Push Notification Getting Started Guide contains incorrect information about the OneSpan User Websites client type in OneSpan Authentication Server Appliance. The OneSpan User Websites license requires the client type to be IDENTIKEY User Websites (instead of OneSpan User Websites).
Affects: OneSpan Authentication Server Appliance 3.17–3.20
Status: The documentation has been updated.
Issue OAS-351 (Support case CS0002617): Incomplete curl command in Push Notification Getting Started Guide (Documentation)
Description: The Push Notification Getting Started Guide provides information about how to test if DIGIPASS Gateway has been correctly installed and is reachable. The -v option is missing from the curl command that is used for this test.
Affects: OneSpan Authentication Server Appliance 3.12
Status: The documentation has been updated.
Issue OAS-349 (Support case CS0002614): Missing information about used network protocol (Documentation)
Description: The Push Notification Getting Started Guide states that DIGIPASS Gateway requires an open network port for incoming requests, by default 11080. However, the documentation does not specify which network protocol is required (that is, TCP).
Affects: OneSpan Authentication Server Appliance 3.12
Status: The documentation has been updated.
Issue OAS-346 (Support case CS0001701): Administrator privileges not correctly reflected on User Dashboard (Web Administration Service)
Description: The User Dashboard in the Administration Web Interface does not correctly show whether a user account has administrative privileges assigned or not.
Affects: OneSpan Authentication Server Appliance 3.17–3.20
Status: This issue has been fixed.
Issue 122911 (Support case CS0048784): Stale PostgreSQL files removed
Description: In OneSpan Authentication Server Appliance 3.17, PostgreSQL was replaced with MariaDB. Systems that have been upgraded from OneSpan Authentication Server Appliance 3.16 may still have some PostgreSQL files on their file system.
Affects: OneSpan Authentication Server Appliance 3.17–3.20
Status: This issue has been fixed. The stale files have been removed in OneSpan Authentication Server Appliance 3.21.
Issue 123015 (Support case CS0048470): Restoring a backup can introduce upgrade errors
Description: When restoring a backup on OneSpan Authentication Server Appliance 3.20, spurious tables are sometimes created in the database. These tables can lead to errors during later upgrades or backup restores.
Affects: OneSpan Authentication Server Appliance 3.17–3.20
Status: This issue has been fixed. On OneSpan Authentication Server Appliance 3.21, no more spurious tables will be created when restoring a backup, and unexpected tables will be removed.
Issue 123067 (Support case CS0048394): Backups from OneSpan Authentication Server Appliance 3.20.0 cannot be restored on version 3.20.1
Description: Backups from OneSpan Authentication Server Appliance 3.20.0 cannot be restored on version 3.20.1. However, backups from OneSpan Authentication Server Appliance 3.20.0 are correctly restored on version 3.20.0, and backups from OneSpan Authentication Server Appliance 3.20.1 are correctly restored on version 3.20.1.
Affects: OneSpan Authentication Server Appliance 3.20.1
Status: This issue has been fixed. Backups from OneSpan Authentication Server Appliance 3.20.0 can be restored on version 3.21. A patch is available for OneSpan Authentication Server Appliance 3.20.1.
Issue 124092 (Support case CS0052889): Add missing performance monitoring filters
Description: Some valid performance filters are missing from the UI.
Affects: OneSpan Authentication Server Appliance 3.20 and earlier
Status: This issue has been fixed. The missing performance filters have been added to the UI.
Issue 122523 (Support case CS0036568): Certificate revocation list has been added to all new appliance certificates
Description: Windows will find the default OneSpan Authentication Server Appliance SEAL and SOAP certificates invalid because they have no valid certificate revocation list.
Affects: Windows operating system with certificates created on OneSpan Authentication Server Appliance 3.20.x or earlier
Status: This issue has been fixed. A certificate revocation list has been added to all new certificates (generated on version 3.21 or later). Existing certificates have not been amended so as not to impact any production services.
Issue 121875 (Support case CS0043403): Audit copier network error handling
Description: The audit copier component starts consuming 100% CPU when certain network exceptions occur.
Affects: OneSpan Authentication Server Appliance 3.17–3.20
Status: This issue has been fixed. A patch is available for versions 3.17–3.20.
Issue 122018 (Support case CS0043185): Replication setup can break LDAP Synchronization Tool
Description: When setting up replication, the initial database synchronization causes one host to receive all settings from its replication partner. This can invalidate the ikldapsync settings, so that ldapsync no longer works.
Affects: OneSpan Authentication Server Appliance 3.20
Status: This issue has been fixed. ldapsync is reconfigured after setting up replication.
Issue 121732 (Support case CS0043701): Report scenario cannot be enabled/disabled
Description: It is not possible to enable/disable the report scenario from the UI.
Affects: OneSpan Authentication Server Appliance 3.20 and earlier
Status: This issue has been fixed.
Issue 121278 (Support case CS0038015): Unclear error message
Description: For some operations, when the UI loses connection to the server, an unclear error message is displayed.
Affects: OneSpan Authentication Server Appliance 3.20 and earlier
Status: This issue has been fixed. The error message now provides more useful information.
Issue 120972 (Support case CS0038590): "Invalid page counter" error in Audit Viewer
Description: Certain database errors are badly handled, causing an invalid page counter to be returned to the UI. This invalid page counter error is not useful for reporting the underlying problem.
Affects: OneSpan Authentication Server Appliance 3.17–3.20
Status: This issue has been fixed. Database errors are now correctly handled and displayed.
Issue 122123 (Support case CS0045570): Missing database indexes causing performance issues
Description: When (re-)creating the audit database and the OneSpan Authentication Server database already exists, no indexes are created. This results in poor performance of OneSpan Authentication Server Appliance. This situation does not normally occur and has only been observed after support interventions.
Affects: OneSpan Authentication Server Appliance 3.20 and earlier
Status: This issue has been fixed.
Deprecated components and features
Digipass Authentication for Steel-Belted RADIUS Server
Digipass Authentication for Steel-Belted RADIUS Server has reached end of life and is no longer shipped with OneSpan Authentication Server Appliance.
OneSpan Authentication Server Appliance continues to support previous versions of Digipass Authentication for Steel-Belted RADIUS Server.
Digipass Authentication for Epic Hyperspace
Digipass Authentication for Epic Hyperspace has reached end of life and is no longer shipped with OneSpan Authentication Server Appliance.
OneSpan Authentication Server Appliance continues to support previous versions of Digipass Authentication for Epic Hyperspace.
Version 3.20 (July 2020)
Release information
Software versions
This release includes:
- OneSpan Authentication Server 3.20.0 with OneSpan Authentication Server Framework 3.18
- OneSpan Authentication Server Administration Web Interface 3.20.0
Upgrade path
When upgrading to this version, replication between OneSpan Authentication Server Appliance instances will be disabled to avoid compatibility issues that may result from different product versions. You can enable replication after all OneSpan Authentication Server Appliance instances have been upgraded.
OneSpan Authentication Server Appliance supports direct upgrades from 3.19.0 and 3.19.1 to version 3.20.
New features and enhancements
Enhanced user move
The user move command has been enhanced. Besides its current capability to move a user account to another organizational unit within the same domain, it can now also be used to:
- Change the user ID of a user account.
- Move a user account to another domain.
- Move user accounts with administrative privileges.
Both the Tcl Command-Line Administration tool and Web Administration Service have been extended to support the new user move capabilities.
Renaming user accounts or moving them between domains is not supported in Active Directory deployments!
Automatic correlation ID
OneSpan Authentication Server SDK 3.18 introduced a parameter in the HTTPHeaderParameters class to specify an optional correlation ID. Beginning with this release, OneSpan Authentication Server Appliance verifies whether a correlation ID value exists in the request header of a SOAP command. If not, it automatically generates a unique correlation ID.
The correlation ID links audit messages to the SOAP commands that caused them, which makes it easier to trace and diagnose errors, performance problems, and other issues. It is now included in audit messages, relevant tracing output, and performance monitoring output.
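The check-then-generate behaviour described above, and the reason it matters for diagnostics, as an added Python example (not OneSpan code). The header name X-Correlation-ID, the audit message texts and the audit sink are assumptions; the page only states that the ID is read from the SOAP request header or generated when absent. The second half shows why the ID is useful: it lets one request's audit messages be pulled out of a stream in which several concurrent requests interleave.

```python
"""Correlation-ID handling for incoming commands, plus audit-trail lookup.

Added example, not OneSpan code. Header name and message texts are assumed."""
import uuid

CORRELATION_HEADER = "X-Correlation-ID"  # assumed header name


def ensure_correlation_id(headers):
    """Return (correlation_id, generated).

    Header names are matched case-insensitively and a blank value counts as
    absent, so every request leaves this function with a non-empty ID."""
    for name, value in headers.items():
        if name.lower() == CORRELATION_HEADER.lower() and value and value.strip():
            return value.strip(), False
    return str(uuid.uuid4()), True


def handle_soap_command(headers, command, audit_sink):
    """Process one command and tag every audit message with its correlation ID.

    audit_sink is a list of (correlation_id, text) tuples shared by all
    requests, which is what makes the ID necessary. Returns the ID used."""
    cid, generated = ensure_correlation_id(headers)
    if generated:
        audit_sink.append((cid, f"no correlation ID in request, generated one for {command}"))
    audit_sink.append((cid, f"{command} started"))
    audit_sink.append((cid, f"{command} completed"))
    return cid


def audit_trail(audit_sink, cid):
    """Extract one request's messages, in order, from the interleaved stream."""
    return [text for c, text in audit_sink if c == cid]


if __name__ == "__main__":
    sink = []
    # Constructed requests: one client sends an ID, the other does not.
    a = handle_soap_command({"x-correlation-id": "client-req-42"}, "authUser", sink)
    b = handle_soap_command({}, "adminLogon", sink)
    print(a, audit_trail(sink, a))
    print(b, audit_trail(sink, b))
```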
Scope context in tracing output
The tracing output has been extended to include scope context at the beginning and the end of major execution blocks to facilitate issue investigations. The scope context is based on performance monitoring transaction names. However, performance monitoring does not need to be enabled to have the context information included in the tracing output.
Asymmetrical audit copying
OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance supports asymmetrical/one-way audit copying.
When setting up replication, the new Continuously Download Audit Logs option replaces the Copy Remote Audit Log setting from previous product versions. The server where this setting is enabled will download logs from its replication partner. You can enable the downloading of audit logs on either replication instance. If the setting is enabled on both instances, audit copying will work bi-directionally as in previous product versions.
Chaining asymmetrical replication is also possible. For example, if server A downloads audit logs from server B, and server B downloads audit logs from server C, then server A will store the logs from servers A, B and C. Cycles in replication setup are also supported.
Asymmetrical audit copying enables server administrators to remove unnecessary audit traffic and can thus significantly improve performance, especially on larger/multi-node deployments.
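The chaining and cycle behaviour described above can be worked through on a small model. The following Python code is an added example, not OneSpan code: it takes a map of which replication partners each server downloads audit logs from and computes which servers' logs each server ends up storing, using a visited set so that cycles terminate. The topologies are constructed; the chain reproduces the A, B, C example in the text.

```python
"""Which servers' audit logs end up where under asymmetrical audit copying.

Added example, not OneSpan code. The topologies are constructed:
downloads_from[X] is the set of replication partners for which X has the
Continuously Download Audit Logs option enabled."""
from collections import deque


def stored_logs(downloads_from):
    """Map every server to the set of servers whose audit logs it ends up storing.

    A server always keeps its own logs and stores everything its download
    partners store, so the relation is transitive (chaining). A breadth-first
    walk with a visited set also terminates when the setup contains cycles."""
    result = {}
    for server in downloads_from:
        seen = {server}
        queue = deque(downloads_from[server])
        while queue:
            partner = queue.popleft()
            if partner in seen:
                continue
            seen.add(partner)
            queue.extend(downloads_from.get(partner, ()))
        result[server] = seen
    return result


def copy_links(downloads_from):
    """Number of directed download links: a rough measure of audit traffic."""
    return sum(len(partners) for partners in downloads_from.values())


# Constructed topologies (the page's own example is the chain A <- B <- C).
CHAIN = {"A": {"B"}, "B": {"C"}, "C": set()}
MUTUAL = {"A": {"B"}, "B": {"A"}}            # option enabled on both: bi-directional
CYCLE = {"A": {"B"}, "B": {"C"}, "C": {"A"}}
ONE_WAY_STAR = {"HQ": {"N1", "N2", "N3"}, "N1": set(), "N2": set(), "N3": set()}

if __name__ == "__main__":
    for name, topology in (("chain", CHAIN), ("mutual", MUTUAL),
                           ("cycle", CYCLE), ("star", ONE_WAY_STAR)):
        print(name, stored_logs(topology), "links:", copy_links(topology))
```

In the one-way star, only the central node downloads, so three links carry all audit traffic; enabling the option on every node as well would double that, which is the traffic saving the text refers to.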
Supported platforms, data management systems, and other third-party products
Software libraries
Web Administration Service now includes the following updated software libraries:
- Prototype.js 1.7.3
- flatpickr v4 (replaces Tigra Calendar)
- Sortable 1.10.2
Data management systems
- MariaDB 10.4.12 (embedded database)
- ODBC 3.1.7 (installed with embedded database)
Web servers (Web Administration Service)
- Apache Tomcat 8.5.54 (included)
Fixes and other updates
Issue OAS-3991 (Support cases CS0024776, CS0024325, CS0022985): Finished scheduled tasks result in performance issues (Task management)
Description: Scheduled tasks are not removed from the database when they are completed. This can lead to a large number of finished tasks if they are scheduled but not removed regularly. Because OneSpan Authentication Server Appliance queries the tasks once a minute to update their progress and state information, this can, in some environments, yield higher resource consumption over time and lead to delayed response times, in the worst case to replication failures.
Affects: OneSpan Authentication Server Appliance 3.15
Status: The affected queries have been optimized.
Issue OAS-3967 (Support case CS0026991): Updating server license invalidates replication setup
Description: Whenever you change or update the server license key, the replication configuration is invalidated and you need to reconfigure OneSpan Authentication Server Appliance replication.
Affects: OneSpan Authentication Server Appliance 3.6–3.19
Status: No fix available yet! The documentation has been updated to include a note in the respective sections to remind administrators to reconfigure replication accordingly.
Issue OAS-3642 (Support case CS0022992): Apache Tomcat information exposure (Web Administration Service)
Description: The embedded web server reveals that it is Apache Tomcat in HTTP error responses. This discloses information that is valuable to attackers.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed.
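Both OAS-4008 (missing security-related response headers, above under version 3.21) and OAS-3642 (Apache Tomcat identified in error responses) are things an administrator can verify from captured responses. The following Python script is an added example, not OneSpan code: it audits an HTTP response offline and reports missing security headers, version numbers in the Server header, and server-software banners in error pages. The header list is a common hardening recommendation rather than a list taken from the page, and the two sample responses are constructed (one resembling a default Tomcat 8.5 error page, one hardened).

```python
"""Offline audit of HTTP responses for missing security headers (OAS-4008)
and server software disclosure in error pages (OAS-3642).

Added example, not OneSpan code. The sample responses are constructed."""
import re

# Response headers a hardened web administration interface is expected to send.
RECOMMENDED_HEADERS = {
    "content-security-policy": "restricts where scripts and other resources may load from",
    "x-content-type-options": "should be 'nosniff' to stop MIME type sniffing",
    "x-frame-options": "prevents framing by other sites (clickjacking)",
    "x-xss-protection": "enables the browser's legacy XSS filter",
    "strict-transport-security": "keeps the browser on HTTPS",
}

# Text fragments that reveal the embedded servlet container in error pages.
BANNER_PATTERNS = [
    re.compile(r"Apache Tomcat(?:/[\d.]+)?"),
    re.compile(r"<title>HTTP Status \d{3}"),  # default Tomcat error page title
]


def audit_response(status, headers, body):
    """Return a list of findings for one HTTP response (empty list = clean)."""
    findings = []
    lower = {name.lower(): value for name, value in headers.items()}
    for name, why in RECOMMENDED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing header {name} ({why})")
    if lower.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options is present but not 'nosniff'")
    server = lower.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses a version: {server!r}")
    if status >= 400:  # banners matter most on error pages, which any client can trigger
        for pattern in BANNER_PATTERNS:
            match = pattern.search(body)
            if match:
                findings.append(f"error page discloses server software: {match.group(0)!r}")
                break
    return findings


# Constructed sample: a 404 roughly as a default Tomcat 8.5 installation renders it.
BEFORE_FIX = (
    404,
    {"Content-Type": "text/html;charset=utf-8", "Server": "Apache-Coyote/1.1"},
    "<html><head><title>HTTP Status 404 – Not Found</title></head>"
    "<body><h1>HTTP Status 404 – Not Found</h1><hr class=\"line\" />"
    "<h3>Apache Tomcat/8.5.54</h3></body></html>",
)

# Constructed sample: the same 404 after hardening, generic body and headers set.
AFTER_FIX = (
    404,
    {
        "Content-Type": "text/html;charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "X-XSS-Protection": "1; mode=block",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "<html><body><h1>Not Found</h1></body></html>",
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit_response(*sample) or ["no findings"])
```

To use it against a real deployment, capture a response with your usual HTTP client and pass the status code, header dictionary and body to audit_response; the script itself makes no network connections.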
Issue OAS-3622 (Support case CS0022729): Inaccurate provisioning scenario reference (Documentation)
Description: The option reference for the provisioning scenario settings is inaccurate about the effects on multi-device licensing (MDL), in particular regarding the Max Attempts and Min Intervals option.
Affects: OneSpan Authentication Server Appliance 3.12
Status: The documentation has been updated.
Issue OAS-3601 (Support case CS0022819): Data migration matrix incomplete about OneSpan Authentication Server Appliance (Documentation)
Description: The data migration matrix in the OneSpan Authentication Server Data Migration Guide contains incomplete information about migrating from OneSpan Authentication Server Appliance.
Affects: OneSpan Authentication Server Appliance 3.10
Status: The documentation has been updated.
Issue OAS-3562 (Support case CS0022123): Missing button labels (Web Administration Service)
Description: When an administrator with specific administrative privileges inspects an authenticator of a user via the DIGIPASS > DIGIPASS tab in the Administration Web Interface, the Generate Activation Data and Send Activation Data buttons are visible, but do not contain text labels.
Affects: OneSpan Authentication Server Appliance 3.19
Status: This issue has been fixed.
Issue OAS-3521 (Support cases CS0022832, CS0022830): Authenticator instance can incorrectly be selected to be unassigned (Web Administration Service)
Description: Authenticator instances are not allowed to be unassigned. When attempting to unassign one via the USERS list, Web Administration Service does not complete the operation, but neither does it yield any warning or error message. The selected item count shows 1 selected item afterward, although no user account is selected.
Affects: OneSpan Authentication Server Appliance 3.7–3.19
Status: This issue has been fixed.
Issue OAS-3415: Incorrect secure channel transaction title set in message (Transaction data signing)
Description: The secure channel transaction title in the Secure Channel message is incorrectly set to the message title configured in the effective push notification policy settings instead of the message title specified by the respective application initiating the data signing transaction.
Affects: OneSpan Authentication Server Appliance 3.17–3.19
Status: This issue has been fixed.
Issue OAS-3309 (Support case CS0021347): DPX re-import is incomplete in case of existing authenticator records (Administration)
Description: Re-importing a DIGIPASS export file (DPX) does not import all authenticators if there are already authenticator records in the database.
Affects: OneSpan Authentication Server Appliance 3.19
Status: This issue has been fixed.
Issue OAS-3257 (Support case CS0020675): Typo in Web Administration Service Help (Documentation)
Description: The Web Administration Service Help contains several topics with the same typo ("acccount").
Affects: OneSpan Authentication Server Appliance 3.19
Status: The documentation has been updated.
Issue OAS-3098 (Support case CS0012856): Moving authenticators across organizational units not replicated (Replication)
Description: When attempting to move authenticators in a replicated environment from one organizational unit to another one that is higher up in the hierarchy, the operation is completed successfully on the first instance but not properly replicated to the replication target instances.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed.
Issue OAS-3092 (Support case CS0016873): Foreign key error during authenticator assignment if serial number range is in reverse order (Web Administration Service)
Description: If the authenticator serial number range to be assigned is specified in reverse order or if the specified serial number does not exist, a foreign key error occurs and the assignment process fails.
Affects: OneSpan Authentication Server Appliance 3.10
Status: This issue has been fixed.
Issue OAS-3090 (Support case CS0019639): Static password authentication not mentioned in documentation (Documentation)
Description: The Static Password Authentication field found in the License tab of the server configuration in Web Administration Service is not described in the documentation.
Affects: OneSpan Authentication Server Appliance 3.11
Status: The documentation has been updated.
Issue OAS-2989 (Support case CS0019010): Validation of Class RADIUS attribute is incorrect (Web Administration Service)
Description: Validation rules for the Class RADIUS attribute have changed, which may lead to issues with data migration and when creating RADIUS user attributes.
Affects: OneSpan Authentication Server Appliance 3.10
Status: This issue has been fixed.
Issue OAS-2330 (Support case CS0014263): Description of multi-device activation workflow is incorrect (Documentation)
Description: The multi-device activation workflow described in the OneSpan Authentication Server Administrator Guide includes the test signature as a mandatory step to finalize the authenticator instance activation process. The test signature is an optional step that can be added after the scanning of Activation Message 2.
Affects: OneSpan Authentication Server Appliance 3.7–3.19
Status: The documentation has been updated.
Issue OAS-2297 (Support case CS0015024): User IDs are not displayed in correct OU in reports (Reporting)
Description: User IDs are not grouped by their organizational units in reports although the grouping level is set to Organizational Unit.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed.
Issue OAS-2296 (Support case CS0015220): Recent activity omits authentications for uppercase SAM account names (Active Directory user name resolution)
Description: In some (case-sensitive) environments using an LDAP back-end server with Active Directory user name resolution enabled, recent user activity data will exclude authentication audit messages if the sAMAccountName attribute in the back-end system is uppercase.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed.
Issue OAS-2010 (Support case CS0014079): Issues with Chinese characters (Web Administration Service)
Description: Creating a user account with a user ID that contains Chinese characters results in a memory allocation error.
Affects: OneSpan Authentication Server Appliance 3.16
Status: This issue has been fixed.
Issue OAS-1689 (Support case CS0011390): User list does not show all users (Web Administration Service)
Description: When an administrator in an organizational unit attempts to view the users in the User list spanning multiple pages, users from organizational units further down the organizational hierarchy are not shown in the list, although they are included in the result count.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed.
Issue OAS-1555 (Support case CS0012507): Updating authenticator properties corrupts BLOB data (Web Administration Service)
Description: When updating certain authenticator properties after the initial assignment, e.g. setting a grace period, the authenticator BLOB data is incorrectly updated by Web Administration Service. The respective authenticator can no longer be used.
Affects: OneSpan Authentication Server Appliance 3.17–3.19
Status: This issue has been fixed.
Issue OAS-1410 (Support case CS0011420): Failure when approving pending operations that target users in subordinate organizational units (Administration)
Description: An issue has been reported with maker–checker authorization in the case when a maker administrator schedules to assign an authenticator to a user in an organizational unit, but specifies a checker administrator in an organizational unit higher up in the organizational hierarchy than the target user (with the target user being within the administrative scope of the checker administrator). In that case, approving the pending operation by the checker administrator fails, because OneSpan Authentication Server Appliance incorrectly reports that the target user cannot be found. If both the target user and the checker administrator are in the same organizational unit, the command can be approved.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed.
Issue OAS-1100 (Support case CS0008989): Inconsistent error handling for maker–checker authorization (Administration)
Description: In the context of maker–checker authorization, if an administrator modifies user account or authenticator settings while an associated operation is pending, the operation will fail and disappear from the list of pending operations.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed. Information about the implications of changing user account or authenticator settings while an associated operation is pending has been added to the OneSpan Authentication Server Administrator Guide.
Issue OAS-832: XSLT transformation to CSV includes XML declaration (Reporting)
Description: When creating a CSV report based on an XSLT report template, the created CSV file incorrectly includes an XML declaration.
Affects: OneSpan Authentication Server Appliance 3.6–3.19
Status: This issue has been fixed. Furthermore, the documentation has been updated to provide more precise information about creating CSV reports using XSLT report templates.
Issue OAS-831: Server discloses back-end password expiration state on failed authentication (Active Directory back-end authentication)
Description: When attempting to authenticate using an invalid password while the back-end password has expired, the authentication fails, but the error returned states that the password has expired rather than that it is invalid. This incorrectly discloses the password expiration state.
Affects: OneSpan Authentication Server Appliance 3.17–3.19 with Active Directory back-end system
Status: This issue has been fixed.
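The defect in OAS-831 is an ordering problem in the result handling, and the same pattern appears in any back-end authentication code. The following Python code is an added example, not OneSpan code: it shows a leaky version that checks expiration before the password beside a fixed version that reports the expiration state only to a caller who supplied the correct password. The user store is constructed and holds plaintext passwords purely to keep the sample short.

```python
"""Back-end authentication result handling before and after the fix for
OAS-831. Added example, not OneSpan code; the user store is constructed and
holds plaintext passwords only to keep the sample short."""
from dataclasses import dataclass
import hmac


@dataclass
class BackendUser:
    password: str
    password_expired: bool


# Constructed back-end user store.
USERS = {
    "alice": BackendUser("correct horse", password_expired=True),
    "bob": BackendUser("battery staple", password_expired=False),
}


def _password_matches(user, password):
    # Constant-time comparison so the result does not also leak through timing.
    return hmac.compare_digest(user.password.encode(), password.encode())


def authenticate_leaky(user_id, password):
    """Before the fix: expiration is checked before the password, so anyone who
    knows a user ID learns whether that account's password has expired."""
    user = USERS.get(user_id)
    if user is None:
        return "INVALID_CREDENTIALS"
    if user.password_expired:
        return "PASSWORD_EXPIRED"
    if not _password_matches(user, password):
        return "INVALID_CREDENTIALS"
    return "OK"


def authenticate_fixed(user_id, password):
    """After the fix: a wrong password always yields the same generic result;
    the expiration state is reported only after the password has been verified."""
    user = USERS.get(user_id)
    if user is None or not _password_matches(user, password):
        return "INVALID_CREDENTIALS"
    if user.password_expired:
        return "PASSWORD_EXPIRED"
    return "OK"


if __name__ == "__main__":
    for fn in (authenticate_leaky, authenticate_fixed):
        print(fn.__name__, "alice/wrong ->", fn("alice", "wrong-password"))
```

Reporting PASSWORD_EXPIRED after a correct password is still appropriate, since that is what lets a legitimate user be sent to a password change; the fix only moves that answer behind the password check.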
Issue OAS-376 (Support cases CS0015086, CS0020720, CS0025169): Various issues and vulnerabilities with embedded MariaDB (Embedded database)
Description: The current version of the embedded MariaDB contains vulnerabilities and various issues.
Affects: OneSpan Authentication Server Appliance 3.19 with embedded MariaDB
Status: This issue has been fixed by upgrading the embedded MariaDB to version 10.4.12.
Issue OAS-357 (Support case CS0002886): Incorrect/incomplete instructions to configure SSL for Active Directory back-end authentication (Documentation)
Description: The OneSpan Authentication Server Appliance Administrator Guide contains inaccurate information about configuring SSL for back-end authentication with Active Directory. When registering the back end, users need to provide the fully qualified domain name (FQDN) or host name rather than the IP address of the back-end server. In addition, instructions to import the back-end CA certificate in OneSpan Authentication Server Appliance are incomplete.
Affects: OneSpan Authentication Server Appliance 3.15.16–3.19
Status: The documentation has been updated.
Issue OAS-329 (Support case PS-202332): Assignment using license with no activations left (Provisioning)
Description: When performing offline activations with auto-assignment enabled, OneSpan Authentication Server Appliance always uses the first authenticator license available to create instances without verifying whether any activations are left.
Affects: OneSpan Authentication Server Appliance 3.17–3.19
Status: This issue has been fixed.
Issue OAS-315 (Support cases CS0024500, PS-195362): Inaccessible authenticators selected for auto-assignment
Description: In environments with user accounts and authenticators in different organizational units, provisioning using auto-assignment can fail, because an authenticator from a different organizational unit on the same level is incorrectly selected. If the authenticator is in an organizational unit on the same level, it is effectively inaccessible and cannot be assigned.
Affects: OneSpan Authentication Server Appliance 3.16
Status: This issue has been fixed.
Issue OAS-312 (Support case PS-193345): First administrative logon times out after upgrade (Upgrade)
Description: In environments with a large number of organizational units, the first administrative logon after an upgrade can take a long time and eventually time out if the server data migration has not been completed yet.
Affects: OneSpan Authentication Server Appliance 3.10
Status: This issue has been fixed.
Issue OAS-292 (Support cases PS-187332, PS-146003): Disk space issues of replication database (Replication)
Description: The replication database (Replication.DB) is not cleaned up after completed replication and continues to grow, which may cause replication between multiple OneSpan Authentication Server Appliance instances to fail once disk space is full.
Affects: OneSpan Authentication Server Appliance 3.10
Status: This issue has been fixed. Auto-vacuum of Replication.DB has been enabled.
Issue OAS-277 (Support cases CS0012107, PS-182936): User policy initially not verified when creating new user accounts with maker–checker authorization (Administration)
Description: In environments with maker–checker authorization enabled, the specified user parameters are not validated against the effective user policy when a pending operation to create a new user account is submitted. When the maker administrator later attempts to execute the approved pending operation, the command parameters are verified and the command will fail if the user account to create violates the effective policy, e.g. the static password given does not meet the password complexity rules.
Affects: OneSpan Authentication Server Appliance 3.12
Status: This issue has been fixed. The parameters of the user account to be created are now verified twice, once when creating the pending operation and once when executing the approved pending operation.
However, if the effective policy is modified in between, executing an approved pending operation can still fail!
Issue 120972: Empty lines in Syslog viewer
Description: Sometimes empty lines appear in the System Logs viewer. They are caused by multi-line syslog entries: only the first line of a multi-line message is shown correctly, and the remaining lines are displayed as blank.
Affects: OneSpan Authentication Server Appliance 3.8.9–3.19
Status: This issue has been fixed. Multi-line syslog entries are now correctly displayed.
Issue 120299: Apache Tomcat log cleanup
Description: Apache Tomcat logs are cleaned up upon every reboot. On OneSpan Authentication Server Appliance instances with a lot of traffic and very high uptime, this may lead to disk space issues.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed. Apache Tomcat log rotation has been added to prevent OneSpan Authentication Server Appliance from running out of disk space.
Issue 119021: Provisioning scenario disabled after uploading a license or restoring a backup
Description: In the license, there is a property called provisioning: yes/no. When first uploading a license, the provisioning scenario obtains its default value from the license. You can then change this value at any time. When uploading a new license, or when restoring a backup, the license defaults override any existing custom settings, causing the provisioning scenario to be unexpectedly disabled.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed. License changes will no longer modify existing settings.
Issue 118320: Issues with Delete audit data menu item in the Administration Web Interface
Description: On OneSpan Authentication Server Appliance, you can delete old audit logs via the Delete audit data menu item in the OneSpan Authentication Server Administration Web Interface, or via Delete Audit Logs in the OneSpan Authentication Server Appliance Configuration Tool. Using the Administration Web Interface menu item sometimes causes OneSpan Authentication Server Appliance to stop working properly, resulting in authentication failures due to timeouts and resource issues.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed. The menu item has been removed for OneSpan Authentication Server Appliance.
Issue 117664: Restoring a backup without the default MDC or LDAP synchronization profiles fails
Description: When creating a backup after deleting the default Message Delivery Component (MDC) or LDAP synchronization profiles, this backup cannot be restored without intervention from customer support.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed. Backups without default profiles will be correctly restored.
Issue 117173: MDC time-out issues
Description: In OneSpan Authentication Server, the Message Delivery Component (MDC) gateway timeout was increased to 10 seconds. This change has not been applied to OneSpan Authentication Server Appliance, which may lead to timeout issues.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed. The timeout has been increased.
Issue 117024: Downloaded CSV files are not opened automatically
Description: Due to an incorrect file extension, exported CSV files are not recognized and are therefore not opened automatically. This issue does not occur if the files are imported manually.
Affects: OneSpan Authentication Server Appliance 3.18–3.19
Status: This issue has been fixed.
Issue 116576: OneSpan Authentication Server Appliance Configuration Tool events logged to syslog
Description: OneSpan Authentication Server Appliance will log OneSpan Authentication Server Appliance Configuration Tool events, e.g. login, configuration changes, to the audit database. OneSpan Authentication Server has a feature to send audit messages to syslog. However, this feature did not apply to OneSpan Authentication Server Appliance Configuration Tool events.
Affects: OneSpan Authentication Server Appliance 3.11.12–3.19
Status: This issue has been fixed. OneSpan Authentication Server Appliance Configuration Tool events are now logged to syslog when configured.
Issue 116525: Issues with audit copying and database maintenance performance and stability
Description: When a machine is under high load, OneSpan Authentication Server performance may be affected due to resource issues, possibly causing authentication processes to time out.
Affects: OneSpan Authentication Server Appliance 3.17–3.19
Status: This issue has been fixed. Various improvements have been made to audit copying performance and stability. Database maintenance tasks such as audit log deletion have also been optimized.
Deprecated components and features
Supported platforms, data management systems, and other third-party products
OneSpan Authentication Server Appliance no longer supports the following products:
Software libraries
- Tigra Calendar
- Scriptaculous
- Lightbox
LDAP servers
- Microsoft Active Directory on Windows Server 2008 R2
Version 3.19 (December 2019)
Release information
Software versions
This release includes:
- OneSpan Authentication Server 3.19.0 with OneSpan Authentication Server Framework 3.18
- OneSpan Authentication Server Administration Web Interface 3.19.0
Upgrade path
When upgrading to this version, replication between OneSpan Authentication Server Appliance instances will be disabled to avoid compatibility issues that may result from different product versions. You can enable replication after all OneSpan Authentication Server Appliance instances have been upgraded.
New features and enhancements
Software authenticator commands extended
The software authenticator commands PROVISIONCMD_ACTIVATE, PROVISIONCMD_DSAPPACTIVATE, PROVISIONCMD_MDL_ACTIVATE, and dsappSRPActivate have been extended to return the user ID and domain of the user associated with the activation, and the serial number of the activated authenticator.
In addition, the organizational unit attribute is returned for the PROVISIONCMD_ACTIVATE command.
List of supported characters for Web Administration Service and CSV import files
The Web Administration Service and CSV import files have been updated to support the special characters (') (&) (#) in the User ID field, as well as the (') (,) (&) (#) characters in the User Name field.
Load balancing of reports and improved report handling
To optimize CPU and memory usage, multiple report tasks are now processed in serial order, with each OneSpan Authentication Server instance allowed to run one report task at a time. By default, multiple report tasks are distributed across all server instances and are thus automatically load balanced.
In a multi-server environment with a dedicated reporting server, this implies that if you want to run (scheduled) reports solely on the reporting server, you now need to disable the Reporting Scenario in the OneSpan Authentication Server Configuration Utility for all other OneSpan Authentication Server instances. In this case, the reporting server will be the only instance for report handling, and it will process and run one report task at a time. If the Reporting Scenario remains enabled on the other OneSpan Authentication Server instances, the load balancing applies and reports are run on any server instance.
New user type: service user
OneSpan Authentication Server now offers a new user type, the service user – a set of specific users for administrative operations within OneSpan Authentication Server services. Service users require administrative privileges like human or interactive users, and service user accounts also expire. In contrast to human or interactive users, certain limitations apply; for instance, a service user cannot log on interactively to components such as the Administration Web Interface. Furthermore, password policies do not apply and service user passwords do not expire. Service users authorize each administrative operation individually via the API key OneSpan Authentication Server generates. This key is displayed when the user account of the relevant user is edited; once the changes are saved, the API key is set as the user password.
In the Administration Web Interface, the Service User field is available on the User Account property page of each user and can be set when editing the relevant user.
Service user authorization
Service users can be authorized by providing credentials within the sessionID SOAP field or the HTTP header:
- As sessionID in the corresponding SOAP field with the key word as part of the API key: Apikey serviceUserId:1234567890abcdef
- As HTTP key in the HTTP authorization header: Authorization: Apikey serviceUserId:1234567890abcdef
Authorization via HTTP header takes precedence over authorization via session ID!
The logon operation via API key authorization is not audited. If a wrong API key is detected, the user lock count is increased. Administrative users who can log on to OneSpan Authentication Server interactively cannot authorize via API key.
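The authorization rules above (credential format, header precedence over sessionID, lock count on a wrong key, and no API key use for interactive administrators), modelled as an added illustration that is not OneSpan's code. User IDs, keys and the in-memory user store are constructed sample values.

```python
"""Model of service-user API key authorization as described in the notes
(added illustration, not OneSpan code). Credentials arrive either in the
SOAP sessionID field or in the HTTP Authorization header, both formatted
as "Apikey <serviceUserId>:<apiKey>"; the header wins when both are set."""
import hmac
from dataclasses import dataclass

APIKEY_SCHEME = "Apikey"


@dataclass
class UserRecord:
    api_key: str            # generated key, stored as the account password
    service_user: bool      # Service User flag on the User Account page
    lock_count: int = 0     # incremented whenever a wrong API key is seen


# Constructed sample user store (hypothetical user IDs and keys).
USERS = {
    "serviceUserId": UserRecord(api_key="1234567890abcdef", service_user=True),
    "admin-alice": UserRecord(api_key="fedcba0987654321", service_user=False),
}


def parse_apikey_credential(value):
    """Return (user_id, key) from 'Apikey user:key', or None if malformed."""
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0] != APIKEY_SCHEME or ":" not in parts[1]:
        return None
    user_id, _, key = parts[1].partition(":")
    if not user_id or not key:
        return None
    return user_id, key


def select_credential(headers, session_id):
    """The HTTP Authorization header takes precedence over the sessionID field."""
    header = {k.lower(): v for k, v in headers.items()}.get("authorization")
    cred = parse_apikey_credential(header)
    if cred is not None:
        return cred, "header"
    cred = parse_apikey_credential(session_id)
    if cred is not None:
        return cred, "session_id"
    return None, None


def authorize(headers, session_id, users=USERS):
    """Return (ok, reason). A wrong key raises the lock count; administrators
    who can log on interactively are never allowed to authorize via API key."""
    cred, source = select_credential(headers, session_id)
    if cred is None:
        return False, "no Apikey credential"
    user_id, key = cred
    rec = users.get(user_id)
    if rec is None:
        return False, "unknown user"
    if not rec.service_user:
        return False, "interactive user may not use Apikey"
    # Constant-time comparison so key checking does not leak timing information.
    if not hmac.compare_digest(rec.api_key.encode(), key.encode()):
        rec.lock_count += 1
        return False, "wrong API key (lock count %d)" % rec.lock_count
    return True, "authorized via %s" % source
```

Because the header is evaluated first, a stale or wrong Authorization header causes a rejection and a lock count increment even when the sessionID field carries a valid key.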
Improved look and feel (Web Administration Service)
The style sheets used by the Administration Web Interface have been reworked completely to provide a smoother user experience, use fewer resources, and support responsive design. Furthermore, the look and feel of the Administration Web Interface has been adapted to match the new OneSpan branding.
Remote syslog protocol
The remote syslog output has been enhanced to conform to the syslog protocol described in RFC 5424. With this enhancement, the year is included in the timestamp when a message is sent across the network.
Supported platforms, data management systems, and other third-party products
Web browsers
- Google Chrome 76
- Microsoft Edge 44
- Mozilla Firefox ESR 68
Fixes and other updates
Issue 115865: Restoring OneSpan Authentication Server Appliance 3.18 backup fails
Description: A backup of an OneSpan Authentication Server Appliance 3.18 system cannot be restored on a 3.18 version of OneSpan Authentication Server Appliance. The backup is recognized, and the system attempts to reboot but fails in the middle of the restore process.
Affects: OneSpan Authentication Server Appliance 3.18.0
Status: This issue has been fixed. Backups from OneSpan Authentication Server Appliance 3.18 and OneSpan Authentication Server Appliance 3.19 can be successfully restored on OneSpan Authentication Server Appliance 3.19. A separate patch will be made available for OneSpan Authentication Server Appliance 3.18.
Issue 115722: OneSpan Authentication Server Appliance inaccessible after start/upgrade sequence
Description: OneSpan Authentication Server Appliance is not accessible until the entire boot/upgrade sequence has been completed. This sometimes causes a boot or upgrade process to become unresponsive, making OneSpan Authentication Server Appliance inaccessible.
Affects: OneSpan Authentication Server Appliance 3.18.0
Status: This issue has been fixed. A hidden rescue console has been added on console 4, so that customers can now open a rescue console should the boot/upgrade hang.
Note that this console will not be available for the revert process until OneSpan Authentication Server Appliance 3.20.
Issue 115651: FTP/SFTP backup time-out
Description: When testing the connection of an automatic backup to an FTP or SFTP server via the button in the OneSpan Authentication Server Appliance user interface, the test connection attempt may time out for backups with large databases.
Affects: OneSpan Authentication Server Appliance 3.18.0
Status: The time-out period has been increased.
Deprecated components and features
Supported platforms, data management systems, and other third-party products
OneSpan Authentication Server Appliance no longer supports the following products:
Web browsers
- Microsoft Internet Explorer 10
Version 3.18 (July 2019)
Release information
Software versions
This release includes:
- OneSpan Authentication Server 3.18.0 with OneSpan Authentication Server Framework 3.18
- OneSpan Authentication Server Administration Web Interface 3.18.0
Upgrade path
When upgrading to this version, replication between OneSpan Authentication Server Appliance instances will be disabled to avoid compatibility issues that may result from different product versions. You can enable replication after all OneSpan Authentication Server Appliance instances have been upgraded.
New features and enhancements
Improved OneSpan Authentication Server tracing (PS-191225, 191228, 187086, 201665, 201189, 201001, 192458)
OneSpan Authentication Server tracing has been improved and no longer affects the performance of OneSpan Authentication Server services. Instead of flushing log entries one at a time, log records are now stored in cache and released when the cache is full. Configuring log rotation is recommended to appropriately handle the resulting amount of log information.
For easier investigation of server and application failures, you can configure OneSpan Authentication Server to disable log caching, by selecting the corresponding option in the Administration Web Interface. Permanently disabling log caching is, however, not recommended as the constant writing of log information again impacts OneSpan Authentication Server performance.
Case-insensitivity support for user name search (Web Administration Service)
The Administration Web Interface now supports case-insensitive user name searches.
Platform-independent user name resolution: Active Directory user name resolution
If enabled, the Active Directory User Name Resolution allows the user to authenticate with their User Principal Name (UPN) or Security Account Manager (SAM) account name. This feature is a platform-independent alternative to Windows User Name Resolution for Active Directory users. You can enable or disable this feature via the back-end settings in the Administration Web Interface.
To provide additional logon security and simplify user names, you can provide alternative UPN suffixes in the UPN Suffixes tab. Alternative UPN suffixes allow users to authenticate with their User Principal Name (UPN), even if it contains an alternative domain suffix. In addition, you can provide an NT4-style domain as an alternative suffix, which is required for the name resolution of NT4-style user names with Active Directory User Name Resolution.
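The name resolution behaviour described above (UPN with primary or alternative suffix, NT4-style domain as an alternative suffix, bare SAM account name), modelled as an added illustration that is not OneSpan's implementation. The domain name, suffix list and NT4 domain are constructed sample values, and the rule that a bare SAM account name resolves only when exactly one domain is configured is an assumption of this model.

```python
"""Illustrative model of Active Directory User Name Resolution with
alternative UPN suffixes (added example, not OneSpan code). Accepted inputs:
UPN 'user@suffix', NT4-style 'DOMAIN\\user', or a bare SAM account name.
Each resolves to (account_name, domain) or None when it cannot be resolved."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainConfig:
    domain: str                 # domain the users belong to (sample value)
    upn_suffixes: frozenset     # primary plus alternative UPN suffixes, lower-case
    nt4_domain: str             # NT4-style name configured as alternative suffix


# Constructed sample configuration: one domain with one alternative UPN suffix.
DOMAINS = [
    DomainConfig("corp.example.com",
                 frozenset({"corp.example.com", "example.com"}),
                 "CORP"),
]


def resolve_user_name(name, domains=DOMAINS):
    """Resolve a logon name to (account_name, domain); unknown suffixes and
    unknown NT4 domains are rejected rather than guessed."""
    name = name.strip()
    if not name:
        return None
    if "@" in name:
        user, _, suffix = name.rpartition("@")
        suffix = suffix.lower()
        if not user or not suffix:
            return None
        for d in domains:
            if suffix in d.upn_suffixes:
                return user, d.domain
        return None                     # suffix not configured: no resolution
    if "\\" in name:
        nt4, _, user = name.partition("\\")
        if not user:
            return None
        for d in domains:
            if nt4.upper() == d.nt4_domain.upper():
                return user, d.domain
        return None                     # NT4 domain not configured: no resolution
    # Bare SAM account name: assumption of this model, only unambiguous with one domain.
    if len(domains) == 1:
        return name, domains[0].domain
    return None
```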
Conveniently control user name resolution
The OneSpan Authentication Server Administration Web Interface now allows you to enable the required type of user name resolution conveniently in one place. To enable or disable both Windows User Name Resolution and Active Directory User Name Resolution, navigate to BACK-END > Settings and click Edit.
As a result, it is no longer possible to enable and configure Windows User Name Resolution in the OneSpan Authentication Server Configuration Utility.
Authenticator or password authentication mode license-free in provisioning scenario
Use of the DIGIPASS or Password local authentication mode is no longer subject to licensing in the context of provisioning operations.
For the authentication scenario, use of this authentication mode continues to require a license.
Health check endpoint
A dedicated health check endpoint has been introduced to monitor the OneSpan Authentication Server service and check whether the service is available and working properly. The health check endpoint is enabled by default on port 8889 with /health as the URL path. If you send an HTTP GET request to this endpoint, one of the following HTTP status codes is returned, according to the service status:
- Succeeding health check request: HTTP 200
- Failed health check request: HTTP 503
- Non-supported URL: HTTP 404
Changing expired back-end passwords from the Administration Web Interface login page (ESC-2015004192)
When users attempt to log on to the Administration Web Interface and their back-end password has expired or has been set to be changed at the next logon, they are now automatically redirected to a change password page. That page allows users to set a new back-end password using either their current back-end password or a one-time password (OTP) generated by their authenticator.
Description of authenticator instance during multi-device activation (PS-200074)
The multi-device activation (MDA) workflow now supports adding a description of the authenticator instance that is being activated. This description is optional and can have up to 255 characters. It is displayed on the respective Manage DIGIPASS page in the Administration Web Interface.
Notifying when the static password is about to expire (Web Administration Service) (PS‑196094)
When using DIGIPASS or Password as the local authentication mode, you can specify via policy the maximum age of static passwords and a time period during which users are notified that their passwords are about to expire (since OneSpan Authentication Server 3.11). Beginning with this release, if the static password of a user is about to expire, a corresponding warning message is also displayed on the Administration Web Interface home page.
Creating reports from user and authenticator data (Reporting) (PS‑195036, PS‑194648)
You can now create reports based on user and authenticator data by selecting the new data source option Users + Digipass. The new data source option can be used for list reports and detailed analysis reports. A new standard report – DP per User – has been included to get a detailed list of all users and their assigned authenticators, grouped by the user.
Replication Setup wizard enhanced (PS-196580)
The Replication Setup wizard has been enhanced to provide a clearer distinction between the different replication scenarios available for OneSpan Authentication Server Appliance. For more information about replication, refer to the OneSpan Authentication Server Appliance Administrator Guide.
Increase disk volume size (ESC-190162, ESC-190257, CS0007514)
To cope with different installation and usage scenarios, to avoid disk space shortage, and to minimize the need for constant cleanups, some of the disk volumes have been increased in size. Additionally, temporary files are now stored on a real disk volume instead of in runtime memory, which avoids memory shortage. The updated sizes depend on the size of the disk OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance is installed on. See the following table for the changes to the various volumes:
Volume name | 50 GB disk | 100 GB disk | 200 GB disk | 500 GB disk | 1 TB disk
---|---|---|---|---|---
Memory swap | 1 GB → 2.5 GB | 1 GB → 4 GB | 1 GB → 4 GB | 1 GB → 4 GB | 1 GB → 4 GB
OneSpan Authentication Server data | 768 MB → 2.5 GB | 1 GB → 5 GB | 2 GB → 10 GB | 5 GB → 10 GB | 10 GB (no change)
Logging | 512 MB → 1 GB | 1 GB → 2 GB | 2 GB → 4 GB | 4 GB (no change) | 4 GB (no change)
Temporary files | 128 MB → 1 GB | 128 MB → 2 GB | 128 MB → 4 GB | 128 MB → 8 GB | 128 MB → 8 GB
Client certificate verification for replication peers
To improve security, the OneSpan Authentication Server communicator for handling replication exchanges is now configured to check the remote system's certificate both ways.
Fixes and other updates
Issue 96967: Audit Viewer search filter fails on some field combinations
Description: When filtering on certain combinations of fields in the Audit Viewer, an error occurs in the back-end system and the filter does not return any results.
Affects: OneSpan Authentication Server Appliance 3.17
Status: This issue has been fixed.
Issue 96844 (Support case CS0004391): Linked authenticator user not supported for authentication signature applications
Description: OneSpan Authentication Server does not support linked authenticator user accounts for authentication signature applications.
Affects: Versions up to OneSpan Authentication Server Appliance 3.17
Status: This issue has been fixed.
Issue 96889 (Support case CS0004556): Failed scheduled task causes OneSpan Authentication Server to stop working properly (Administration)
Description: When a scheduled task fails, OneSpan Authentication Server becomes unresponsive. The task continues to run and cannot be canceled or deleted; any administrative action, e.g. logging on to the Administration Web Interface, will fail. The task can only be stopped by restarting the database service.
This issue does not occur with tasks that are run immediately.
Affects: OneSpan Authentication Server Appliance 3.6
Status: This issue has been fixed.
Issue 96330: User attributes not shown in PDF reports (Reporting)
Description: In PDF reports that contain user attributes, the report shows a label (User Attributes) for each attribute but omits the value. The user attribute values are included when generating an XML report, though.
Affects: OneSpan Authentication Server Appliance 3.15
Status: This issue has been fixed.
Issue 95998 (Support cases PS‑203907, PS‑203810, PS‑134292): Missing RADIUS attributes in Access-Reject packets (Back-end authentication)
Description: When an authentication request is rejected by a RADIUS back-end server, the Access-Reject packet returned by OneSpan Authentication Server does not include the respective Reply-Message and Proxy-State attributes.
Affects: OneSpan Authentication Server Appliance 3.6
Status: This issue has been fixed.
Issue 95713 (Support case PS‑203232): Incorrect information about DIGIPASS Gateway setup (Documentation)
Description: The custom database setup is incorrectly documented in the Push Notification Getting Started Guide.
Affects: OneSpan Authentication Server Appliance 3.17
Status: The documentation has been updated.
Issue 95263 (Support case PS‑200214): Attempted multi-device activation fails with authenticators imported as inactive and then set to active (Provisioning)
Description: A multi-device activation attempt fails if new authenticator applications were imported as inactive, and then set to active after the DIGIPASS export file (DPX) import.
Affects: OneSpan Authentication Server Appliance 3.16
Status: This issue has been fixed.
Issue 95248 (Support cases PS‑201738, PS‑201737, PS‑201734, PS‑201728): Missing or incorrect information regarding configuring push notifications (Documentation)
Description: Some issues were discovered in the Push Notification Getting Started Guide. It is missing information about authenticator control parameters when configuring policies. It specifies an incorrect client type to use for OneSpan User Websites. The example commands to get the API keys currently set contain an incorrect command parameter.
Affects: OneSpan Authentication Server Appliance 3.17
Status: The documentation has been updated.
Issue 94784 (Support case PS‑200399): List of audit administrative privileges incomplete (Documentation)
Description: The list of administrative privileges for auditing is incomplete for both the Active Directory and ODBC data stores in the OneSpan Authentication Server Administrator Reference and the Web Administration Service Help.
Affects: OneSpan Authentication Server Appliance 3.16
Status: The documentation has been updated.
Issue 94641 (Support case PS‑200298): Empty page opens when clicking link of linked user's authenticator (Web Administration Service)
Description: A blank DIGIPASS page opens when the authenticator link of the linked user is clicked on the Users page in the Administration Web Interface.
Affects: OneSpan Authentication Server Appliance 3.16
Status: This issue has been fixed.
Issue 93292 (Support case PS-196580): Description of replication chapter unclear in OneSpan Authentication Server Appliance Administrator Guide (Documentation)
Description: The chapter describing how to set up replication between two instances of OneSpan Authentication Server Appliance contains unclear information in the OneSpan Authentication Server Appliance Administrator Guide.
Affects: OneSpan Authentication Server Appliance 3.17 and earlier
Status: The documentation has been updated.
Issue 93012 (Support case PS‑195667): Missing connection details for push notification services (Documentation)
Description: The documentation, in particular the Push Notification Getting Started Guide and the OneSpan Authentication Server Administrator Guide, does not contain information about the default connection details for push notification delivery via the cloud-based OneSpan services.
Affects: OneSpan Authentication Server Appliance 3.16
Status: The documentation has been updated.
Issue 91784 (Support case PS‑195221): Password policy description incomplete (Documentation)
Description: The note box in the "Password Strength" section of the OneSpan Authentication Server Administrator Guide does not mention that password policies only apply to static passwords when they need to be created or updated.
Affects: OneSpan Authentication Server Appliance 3.16–3.17
Status: The documentation has been updated.
Issue 90396 (Support case PS‑194648): Cannot generate reports including user attributes (Reporting)
Description: When attempting to generate a report that includes a user attribute as a field, OneSpan Authentication Server returns an unspecified error and the report is not generated.
Affects: OneSpan Authentication Server Appliance 3.8–3.17
Status: This issue has been fixed.
Issue 79710 (Support case PS‑187182): Linked user account restrictions (Documentation)
Description: The description in the linked user account section in the OneSpan Authentication Server Product Guide is incomplete.
Affects: OneSpan Authentication Server Appliance 3.14
Status: The documentation has been updated.
Issue 75708: Audit Viewer search not working for IP address field
Description: Since the introduction of the IP Address audit field in OneSpan Authentication Server 3.14, it is possible to use it as a search term in the Audit Viewer. However, due to the way the field is stored in the database, these search operations do not yield correct results.
Affects: OneSpan Authentication Server Appliance 3.14.15–3.17
Status: This issue has been fixed. Note that it is only possible to exactly match an IP address and not to look for a range or a partial IP address.