Authentication Suite Server SDK for HSM Version 4.0.1 (December 2024)
  • 28 Mar 2025


As of version 4.0, OneSpan Authentication Server Framework has been renamed to Authentication Suite Server SDK for HSM. If not explicitly stated otherwise, any information and references to OneSpan Authentication Server Framework or VACMAN Controller also apply to Authentication Suite Server SDK for HSM.

New features and enhancements

Security enhancement

This version provides full support of DPX files with AES-256 encryption.

.NET support for Linux

The .NET wrapper now supports Linux .NET Core applications. It loads the proper native library depending on the running environment. The .NET wrapper is now included in the Linux package.

Entrust Connect XC Security World v3 support

This version provides support of Security World v3 for Entrust nShield Connect XC HSM. Security World v3 requires that the storage keys are created with the updated Key Management Tool provided with Authentication Suite Server SDK 4.0.1. BLOB data from Security World v1 or Security World v2 is automatically migrated on the fly by Authentication Suite Server SDK.

Deprecated components and features

End-of-life of OneSpan Authentication Server Framework

Authentication Suite Server SDK supersedes all previous versions of OneSpan Authentication Server Framework and VACMAN Controller. All versions of OneSpan Authentication Server Framework/VACMAN Controller up to 3.22 will reach end-of-life in March 2025. For more information, refer to the OneSpan product life cycle reference, available at https://www.onespan.com/support/security/product-life-cycle.

We strongly recommend migrating to Authentication Suite Server SDK 4.0 at your earliest convenience to allow future upgrades and receive further product enhancements.

PDF documentation (Deprecated)

You can already view the user documentation of most OneSpan products online at https://docs.onespan.com/, and we plan to shift exclusively to online documentation.

This means that PDF documentation will be completely removed in future releases of Authentication Suite Server SDK for HSM.

Known issues

Authentication Suite Server SDK for Thales ProtectServer HSM

  • Usage restriction with the Thales ProtectServer2 HSMs when FIPS security mode is enabled:

    If the FIPS Algorithm Only flag is enabled on ProtectServer2 HSMs, the following restrictions will apply with the Authentication Suite Server SDK for Thales ProtectServer HSM:

    • Usage of HSM transport keys being double-length 3DES keys (DES2) is not possible.

    • Usage of HSM storage keys being double-length 3DES keys (DES2) is not possible.

    • Usage of HSM transport keys and HSM storage keys being triple-length 3DES keys (DES3) is not recommended when FIPS security mode is enabled. For PSE2, as of the release PTK 5.6 / FW 5.03.00 in FIPS mode, DES3 keys can only be used a limited number of times before becoming inactive. It is strongly recommended to use AES HSM transport keys and AES HSM storage keys when the FIPS security mode is enabled.

    • Usage of DIGIPASS using a DES or 3DES algorithm is not possible.

  • Usage restriction with the Thales ProtectServer HSMs when FIPS security mode is enabled:

    If the FIPS Algorithm Only flag is enabled on ProtectServer HSMs, the following restriction will apply with the Authentication Suite Server SDK for Thales ProtectServer HSM:

    • Usage of DIGIPASS using a DES or 3DES algorithm is not possible.

Authentication Suite Server SDK for Entrust nShield HSM

  • Communication issue of the key management tool with a hardserver 11.70 or later (nCipher netHSM and Entrust nShield):

    On Unix platforms (Linux, AIX, Solaris SPARC…), the location of the TCP communication socket used by the hardserver has changed in hardserver 11.70 and later. This applies to the hardserver installed with the Entrust nShield support software, Entrust CipherTools, or Entrust CodeSafe toolkit.

    The Unix versions of the manager tool 3.x provided with Authentication Suite Server SDK for Entrust nShield HSM use the TCP communication socket location of previous versions of the hardserver (prior to 11.70).

    On Unix platforms where hardserver 11.70 or later is running, the manager tool 3.x may fail due to a communication issue with the hardserver: “Open session error : 603 -> Error NFastApp Connect”.

    In this situation, to allow the manager tool 3.x to communicate with hardserver 11.70 or later, the hardserver must be configured to maintain backward compatibility with the legacy socket location. To do this:

    1. Create the file /etc/nfast.conf with the entry: NFAST_CREATEDEVNFAST=1

    2. Run /opt/nfast/sbin/init.d-ncipher restart to apply the socket backward compatibility.

    See the Entrust nShield software package v11.70 release notes for more information (rnotes.pdf).

    The manager-xc tool 4.x provided with the Linux 64-bit version of the Authentication Suite Server SDK for Entrust nShield HSM is not affected and does not need this backward compatibility with the legacy socket location.

  • Usage restriction with the Entrust nShield XC HSMs when using a FIPS 140-2 Level 3 Security World:

    With a FIPS 140-2 Level 3 Security World, the following restrictions apply when generating keys with the manager-xc tool and with the nShield XC HSMs:

    • Generation of HSM storage keys being double-length 3DES keys (DES2) is not possible.

    • Generation of key encrypting keys being double-length 3DES keys (DES2) is not possible.

    • Generation of HSM transport keys being double-length 3DES keys (DES2) is not possible.

  • Usage restriction with FIPS 140-2 Level 3 Security World created as of nCipher security world software 12.50:

    Since version 12.50 of the nCipher Software and Firmware, new security worlds created with this version or later in strict FIPS 140-2 level 3 mode no longer allow the usage of 3DES operations with the nShield HSM.

    To use 3DES HSM transport keys or 3DES HSM storage keys with the Authentication Suite Server SDK for Entrust nShield HSM, customers must either:

    • Use a security world (either FIPS 140-2 level 2 or FIPS 140-2 level 3) that was created prior to the nCipher security world software 12.50

    • Use a FIPS 140-2 level 2 security world if it is created with the nCipher security world software 12.50 or later

  • Limited performance with the Entrust nShield XC Base HSM:

    The symmetric cryptography performance of the nShield XC Base when executed from a SEE machine is very low compared to the former nShield HSM devices based on the former PowerPCSXF architecture (nShield Connect/Connect+/Solo/Solo+). As a result, the performance of the Authentication Suite Server SDK for Entrust nShield HSM when using an nShield XC Base HSM is significantly lower than when using a former nShield HSM.

    Compared to usage with a former nShield HSM (nShield Connect/Connect+/Solo/Solo+), the performance of Authentication Suite Server SDK for Entrust nShield HSM is:

    • Around 5 to 6 times slower when using a nShield XC Base performance level

    • Almost similar when using a nShield XC Mid performance level

    • Around 2 to 3 times faster when using a nShield XC High performance level
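
The legacy-socket workaround for hardserver 11.70 or later (steps 1 and 2 above) can be applied idempotently, so that an existing /etc/nfast.conf keeps its other entries and a conflicting value is replaced rather than duplicated. This is an added example, not OneSpan or Entrust code; it assumes the file holds plain KEY=value lines and that the script is run as root with the `apply` argument.

```shell
#!/bin/sh
# Added example: apply the NFAST_CREATEDEVNFAST=1 entry from the release
# notes without clobbering other settings already present in the file.
KEY=NFAST_CREATEDEVNFAST

# ensure_legacy_socket_entry FILE
# Returns 0 once FILE contains exactly one active "KEY=1" line.
ensure_legacy_socket_entry() {
    conf=$1
    # Step 1: create the file if it does not exist yet.
    [ -e "$conf" ] || : > "$conf" || return 1

    # Nothing to do if a single, correct assignment is already there.
    if [ "$(grep -c "^${KEY}=" "$conf")" = "1" ] && grep -qx "${KEY}=1" "$conf"; then
        return 0
    fi

    # Build the new content next to the target so the final mv is atomic.
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Keep every other entry, drop stale or duplicate assignments of KEY.
    grep -v "^${KEY}=" "$conf" > "$tmp" || true
    printf '%s=1\n' "$KEY" >> "$tmp"
    # mktemp creates the file 0600; 0644 is an assumption about how the
    # hardserver reads this file, adjust to local policy.
    chmod 644 "$tmp" && mv "$tmp" "$conf"
}

# Step 2: restart the hardserver so the legacy socket location is created.
# Guarded so that sourcing or testing this file never touches /etc.
if [ "${1:-}" = "apply" ]; then
    ensure_legacy_socket_entry /etc/nfast.conf &&
        /opt/nfast/sbin/init.d-ncipher restart
fi
```

After the restart, the manager tool 3.x should no longer report “Open session error : 603 -> Error NFastApp Connect”.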

