OneSpan Authentication Server setup checklist

This topic provides a checklist for the correct GDPR-compliant setup of OneSpan Authentication Server and its components.

OneSpan Authentication Server

  • If Basic installation with an embedded MariaDB is selected, ensure that Yes is clicked in the OneSpan Authentication Server Installation Wizard window when the wizard asks whether to enable encryption.
  • If Advanced installation is selected, the database to be installed must be adequately encrypted:

    • Transparent Data Encryption configured
    • Encrypted communication configured
  • SOAP communication interface configured with SSL.
  • SEAL communication interface configured with SSL only.

    If a component does not support SSL, the SEAL interface must be configured without SSL. However, to remain GDPR-compliant, an encrypted VPN tunnel must be set up to secure the communication flow.

  • RADIUS communication interface configured via an encrypted VPN tunnel.
  • When using auditing:

    • Encrypt the database.
    • Encrypt the folder or the disk containing the auditing data, or, if configured, audit to the database only.
    • The Windows Event Logs folder is encrypted (also on the remote machine, if remote logging is enabled).
    • The Linux syslog folder is encrypted (also on the remote machine, if remote logging is enabled).
  • If using tracing or diagnostic log files:

    • Configure log file rotation.
  • When replication is configured:

    • The temporary database folder or disk storing replication data is encrypted.
    • The SEAL protocol used for communication with OneSpan Authentication Server is SSL enabled.

Data Migration Tool

  • An encrypted VPN tunnel is established between the Data Migration Tool and OneSpan Authentication Server for SEAL communication.

    Migration is usually performed in migration mode, which is not a standard operational mode and takes place before OneSpan Authentication Server enters standard operation. This workaround allows the migration itself to run unencrypted.

  • If using tracing or diagnostic log files:

    • Configure log file rotation.

Digipass Authentication Module

  • SOAP protocol used for communication with OneSpan Authentication Server is SSL enabled.
  • Trace files are disabled, or tracing folder or disk is encrypted.

LDAP Synchronization Tool

  • Secure version of LDAP (LDAPS) is used.
  • The Verify SSL option is selected. With this option, the server's TLS/SSL certificate is checked for validity whenever a secure connection is established via TLS/SSL.
  • Trace files are disabled, or tracing folder or disk is encrypted.
  • If using tracing or diagnostic log files:

    • Configure log file rotation.

Message Delivery Component

  • SEAL protocol used for communication with OneSpan Authentication Server is SSL enabled in the MDC Configuration Utility.
  • Trace files are disabled, or tracing folder or disk is encrypted.
  • If using tracing or diagnostic log files:

    • Configure log file rotation.
  • If the Email Delivery option is selected:

    • The gateway server must be configured to use SSL/TLS encryption.

Password Synchronization Manager

  • SEAL protocol used for communication with OneSpan Authentication Server is SSL enabled.
  • If using tracing or diagnostic log files:

    • Configure log file rotation.

Digipass Authentication for Windows Logon

  • SOAP protocol used for communication with OneSpan Authentication Server is SSL enabled.
  • If using tracing or diagnostic log files:

    • Configure log file rotation.

DIGIPASS Gateway

  • DIGIPASS Gateway is run on an encrypted disk.

Tcl Command-Line Administration Tool

  • The dpadmincmd.xml configuration file has the SSL option configured.