Version 3.21 (January 2021)
  • 03 Oct 2024

New features and enhancements

Administrator levels

OneSpan Authentication Server 3.21 introduces administrator levels. These are optional values that can be used to create an administrative account hierarchy that controls which other administrator accounts a particular administrator account can view, edit, and update (as long as they are within the administrative scope). Administrators cannot modify, delete, or even view administrator accounts that have an administrator level higher than their own.

The administrator level is an integer value in the range of 0–255. If you upgrade from an earlier version that does not support administrator levels, all existing administrator accounts are set to the highest administrator level of 255. Newly created administrator accounts receive the same administrator level as the administrator account that is used to create them.

You can view and manage the administrator level of administrator accounts via the Administration Web Interface.
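The level rule described above can be modeled in a few lines to see its consequences. This is an added example, not OneSpan code: the account names, the level values in `TIERED`, and all function names are constructed, and administrative scope is deliberately left out.

```python
from dataclasses import dataclass

LEVEL_MIN, LEVEL_MAX = 0, 255   # range stated in the release notes
UPGRADE_DEFAULT = 255           # level assigned to existing administrators on upgrade


@dataclass(frozen=True)
class AdminAccount:
    user_id: str
    level: int

    def __post_init__(self):
        if not (isinstance(self.level, int) and LEVEL_MIN <= self.level <= LEVEL_MAX):
            raise ValueError(f"administrator level out of range: {self.level!r}")


def can_see(actor, target):
    """Level rule only: an account with a higher level is hidden from the actor.
    Administrative scope is a separate check and is not modeled here."""
    return target.level <= actor.level


def create_admin(creator, user_id):
    """A newly created administrator account inherits the creator's level."""
    return AdminAccount(user_id, creator.level)


def migrate(legacy_user_ids):
    """Upgrade from a version without levels: every account becomes level 255."""
    return [AdminAccount(uid, UPGRADE_DEFAULT) for uid in legacy_user_ids]


def hidden_from(actor, accounts):
    """User IDs of the administrator accounts the actor cannot view."""
    return sorted(a.user_id for a in accounts if not can_see(actor, a))


def review(accounts):
    """Post-upgrade review: who is at the top level, and is there any hierarchy?"""
    top = sorted(a.user_id for a in accounts if a.level == LEVEL_MAX)
    flat = len({a.level for a in accounts}) <= 1
    return {"at_top_level": top, "flat": flat}


# Constructed hierarchy: the levels were chosen for illustration only.
TIERED = [
    AdminAccount("root-admin", 255),
    AdminAccount("helpdesk-lead", 100),
    AdminAccount("helpdesk-01", 50),
]

if __name__ == "__main__":
    upgraded = migrate(["root-admin", "helpdesk-lead", "helpdesk-01"])
    print("after upgrade:", review(upgraded))
    for admin in TIERED:
        print(admin.user_id, "cannot view", hidden_from(admin, TIERED))
```

Directly after an upgrade the model reports a flat hierarchy in which every administrator can view every other one, so the levels only take effect once they have been lowered for the accounts that should be restricted.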

DIGIPASS import file upload (Web Administration Service)

You can now upload and process import files directly via the Administration Web Interface without using Data Migration Tool (DMT). A DIGIPASS import file is a comma-separated text file (.csv) that contains authenticator records. Such files are used, for instance, to import authenticator data from an existing OneSpan Authentication Server Framework environment to OneSpan Authentication Server.

To upload authenticator records in bulk, you can now use DIGIPASS > Import DPX or DIGIPASS > Import CSV in the Administration Web Interface.

Improved task management page (Web Administration Service)

The Task Management page of the Administration Web Interface has been improved to handle large numbers of tasks. You can now refine the task list and filter it based on search criteria for most columns. Furthermore, you can also sort the task list by different columns.

Information about assigned user on DIGIPASS Properties page (Web Administration Service)

The DIGIPASS Properties page of the Administration Web Interface now provides information about the user account to which the authenticator is assigned. You can click the user ID to open the corresponding User Properties page.

Search for user accounts by email address (Web Administration Service)

In addition to user ID and user name, you can now also search for user accounts by email address. A corresponding option has been added to the quick search on the Administration Web Interface home page, the Find/Manage User page, and the pages of all wizards where you need to search for user accounts. The use of wildcard characters is supported.

Search for administrative user accounts (Web Administration Service)

You can now filter search results to include or exclude user accounts with administrative privileges when searching for users. Note that you cannot filter for a particular administrative privilege, but only limit the search results to user accounts that have either any administrative privilege assigned or none. This option is only available if you have the View Administrative Privileges permission assigned.

Improved report ownership handling (OAS-343, OAS-339, OAS-222, support cases CS0008821, CS0001464, PS-145045, PS-203998)

To improve the handling of report ownership, the following new features and changes have been implemented:

  • Extended reports list

    The list of available reports in OneSpan Authentication Server Administration Web Interface has been extended to include an additional column for the report owner. In addition, if you want to search for a particular report in the list, you can now filter and sort the list by report name, report type, description, or owner.

  • Administrative privileges

    The Take Report Ownership administrative privilege has been removed and replaced with the new Access Private Reports privilege. Domain administrators with this new privilege can view reports that have the usage and change permissions set to Private. If they have adequate administrative privileges, they can also change or run private reports.

    Administrators can only perform reporting actions in OneSpan Authentication Server Administration Web Interface for which they have sufficient administrative privileges. Actions that require additional/other privileges will not be available, i.e. the respective action buttons will not be displayed.

  • Changing report ownership

    The CHANGE OWNER button has been added to the reports list page in OneSpan Authentication Server Administration Web Interface, to facilitate changing of report ownership for multiple reports. Instead of changing one report owner at a time, you can now select the relevant reports in the list and change their owner in bulk.

Upgrade path

OneSpan Authentication Server supports direct upgrades from 3.18, 3.19, or 3.20 to version 3.21 on the supported operating systems.

Supported platforms, data management systems, and other third-party products

Operating systems

OneSpan Authentication Server now supports the following new operating systems:

  • Red Hat Enterprise Linux 7.8

  • Red Hat Enterprise Linux 6.10

  • CentOS 7.8

  • CentOS 6.10

Software libraries

Web Administration Service now includes the following updated software libraries:

  • Jackson Databind 2.11.2

  • Apache Log4j Core 2.13.3

  • Apache Commons Codec 1.14

  • Apache Axis2 Transport HTTP 1.7.9

  • Apache Standard Taglib Implementation 1.2.5

  • Apache Struts 2.5.26

  • Apache HttpClient 4.5.13

  • Apache Axis2 JAXWS 1.7.9

Data management systems

  • Microsoft SQL Server 2012 Service Pack 4

  • Oracle Database 19c

    OneSpan Authentication Server only supports Oracle Database Client 12.1.0.2. Using other Oracle ODBC driver versions will significantly reduce OneSpan Authentication Server performance.

Web servers (Web Administration Service)

  • Apache Tomcat 8.5.60 (included)

Fixes and other updates

Issue OAS‑7341 (Support case CS0052220): Scheduled recurring reports multiplied on replication (Task management)

Description: An issue exists when you schedule recurring reports to run on any instance in replicated environments where reporting is enabled on more than one OneSpan Authentication Server instance. Under some circumstances, e.g. in case of high network latency, this setup can result in the reporting task being multiplied by the number of instances. If this happens regularly, you end up with a lot of scheduled reports that all try to run at the same time.

Affects: OneSpan Authentication Server 3.19–3.20 (with replication)

Status: This issue has been fixed. In replicated environments, tasks with the task mode set to ANY are handled as if they were set to run in SPECIFIC mode on replication instances. New tasks that are created in a replicated environment are set to SPECIFIC by default.

Issue OAS-7190 (Support case PS‑CS0052267): Vulnerability in Apache Struts (Web Administration Service)

Description: Vulnerability CVE-2020-17530 in the Apache Struts framework can lead to remote code execution.

For more information refer to:

Affects: OneSpan Authentication Server 3.12–3.20

Status: This issue has been fixed. Apache Struts has been upgraded to version 2.5.26.
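To confirm that a deployment actually carries the library versions listed under Software libraries, including the Struts upgrade, the jar files of the web application can be compared against that list. This is an added example, not OneSpan code: the jar file names follow the usual Maven artifact naming, which is an assumption about how the product packages these libraries, and the directory listing is constructed.

```python
import re

# Versions listed under "Software libraries" in these release notes, keyed by
# the usual Maven artifact name (jar naming is an assumption, not from the page).
BASELINE_3_21 = {
    "jackson-databind": "2.11.2",
    "log4j-core": "2.13.3",
    "commons-codec": "1.14",
    "axis2-transport-http": "1.7.9",
    "taglibs-standard-impl": "1.2.5",
    "struts2-core": "2.5.26",  # the upgrade named in the OAS-7190 status
    "httpclient": "4.5.13",
    "axis2-jaxws": "1.7.9",
}
# Listed as no longer supported in 3.21: Apache Commons HttpClient 3.1.
REMOVED = {"commons-httpclient"}

# <artifact>-<numeric version>[qualifier].jar, e.g. struts2-core-2.5.26.jar
JAR_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[.\-][A-Za-z0-9.\-]+)?\.jar$"
)


def version_key(text):
    """Compare versions numerically, so that 1.9 sorts before 1.14."""
    return tuple(int(part) for part in text.split("."))


def audit_jars(jar_names):
    """Return sorted (artifact, found_version, expected) findings."""
    findings = []
    for jar in jar_names:
        match = JAR_RE.match(jar)
        if not match:
            continue  # not a versioned jar file name
        name, found = match.group("name"), match.group("version")
        if name in REMOVED:
            findings.append((name, found, "no longer supported"))
        elif name in BASELINE_3_21:
            expected = BASELINE_3_21[name]
            if version_key(found) < version_key(expected):
                findings.append((name, found, expected))
    return sorted(findings)


# Constructed listing, e.g. what os.listdir() might return for a lib directory.
SAMPLE_LISTING = [
    "struts2-core-2.5.22.jar",
    "log4j-core-2.13.3.jar",
    "commons-codec-1.9.jar",
    "commons-httpclient-3.1.jar",
    "httpclient-4.5.13.jar",
    "jackson-databind-2.11.2.jar",
    "notes.txt",
]

if __name__ == "__main__":
    for name, found, expected in audit_jars(SAMPLE_LISTING):
        print(f"{name}: found {found}, expected {expected}")
```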

Issue OAS‑7177 (Support case CS0049343): Offline authentication data not always created upon push notification authentication

Description: OneSpan Authentication Server does not create new offline authentication data (OAD) after a successful push notification authentication using Digipass Authentication for Windows Logon. This issue does not occur if the push notification request method is set to KeywordOnly.

Affects: OneSpan Authentication Server 3.14–3.20

Status: This issue has been fixed.

Issue OAS-6851 (Support case CS0049181): User account deletion fails after approval by checker administrator (Administration)

Description: In the context of maker–checker authorization, deleting a user account fails after approval by the checker administrator if the user account is the owner of a report. In addition, the deletion task is removed from the list of pending operations.

Affects: OneSpan Authentication Server 3.12–3.20

Status: This issue has been fixed. A corresponding warning note has been added to the OneSpan Authentication Server Administrator Guide.

Issue OAS‑6540 (Support cases CS0051496, CS0049955, CS0046025): Encrypted values from global configuration are not correctly decrypted

Description: When the service starts and reads encrypted values from the global configuration for the first time, it does not correctly decrypt them, which can lead to issues afterward. For example, if AD security principal credentials are configured, reading the encrypted values fails and causes ALL configuration values to be initialized incorrectly.

Affects: OneSpan Authentication Server 3.17–3.20 (ODBC deployments)

Status: This issue has been fixed.

Issues OAS‑6153, OAS‑4043 (Support case CS0022514): Re-assigning authenticator licenses preserves payload keys (Provisioning)

Description: When assigning a previously assigned authenticator license used for multi-device licensing (MDL) to another user, the payload key is preserved and reused. This potentially allows the successful decryption of Secure Channel messages with the new user name on the old device.

Affects: OneSpan Authentication Server 3.7–3.20

Status: This issue has been fixed. Whenever an authenticator license used for multi-device licensing (MDL) is assigned, the payload key is automatically regenerated on assignment or re-assignment to another user (manual or via auto-assignment).

Issue OAS-5605 (Support cases CS0039109, CS0046614): Chinese characters in XML and PDF reports are broken (Web Administration Service)

Description: Chinese characters are not correctly displayed in XML and PDF reports.

Affects: OneSpan Authentication Server 3.12–3.20

Status: This issue has been fixed for XML reports.

XML reports now support UTF-8 encoding. The issue can still occur in PDF reports in case of characters that are not defined in the used PDF font.

Issue OAS-5502 (Support case CS0037555): addschema command does not create indexes or fails

Description: The addschema command of dpdbadmin does not work properly if there are two separate databases on one database server, where the first database was configured by dpdbadmin, and with a user who has access to both databases. In such an environment, on the second database, the addschema command does not create indexes on the vdsauditmsg table (OneSpan Authentication Server 3.19 and earlier) or fails (OneSpan Authentication Server 3.20).

Affects: OneSpan Authentication Server 3.18–3.20

Status: This issue has been fixed.

Issue OAS‑5000: Administration Activity Summary report is incomplete (Web Administration Service)

Description: When generated and opened on Firefox, the Administration Activity Summary PDF report does not contain all relevant data. This issue does not occur with other supported web browsers.

Affects: OneSpan Authentication Server 3.20

Status: This issue has been fixed.

Issue OAS-4990 (Support case CS0033390): Incomplete instructions to edit HTML reports (Documentation)

Description: The OneSpan Authentication Server Administrator Guide provides incomplete information about editing existing HTML reports. Instructions to adapt the corresponding report templates are missing.

Affects: OneSpan Authentication Server 3.7–3.20

Status: The documentation has been updated.

Issue OAS-4613 (Support case CS0023004): Vulnerability when uploading files (Web Administration Service)

Description: There is a potential security issue when files are uploaded in OneSpan Authentication Server.

Affects: OneSpan Authentication Server 3.7–3.20

Status: This issue has been fixed. Security measures have been enhanced to improve the overall security of file uploads.

Issue OAS-4602 (Support case CS0046453): Information about administrator accounts incomplete (Documentation)

Description: The OneSpan Authentication Server Administrator Guide provides an overview of the different OneSpan Authentication Server administrator accounts used in ODBC deployments. The respective section is not extensive enough in some cases and does not explain organizational unit administrators.

Affects: OneSpan Authentication Server 3.6–3.20

Status: The documentation has been updated.

Issue OAS-4574 (Support case CS0032491): OneSpan Authentication Server becomes unresponsive

Description: In some environments with two or more OneSpan Authentication Server instances that share one Oracle Database, OneSpan Authentication Server can become unresponsive due to a database lock. This issue is caused by multiple administrative calls issued with the same session ID virtually at the same time (within 3 milliseconds), e.g. when working locally in the Administration Web Interface via a slow VPN connection.

Affects: OneSpan Authentication Server (with Oracle Database)

Status: The persistent cache handling has been refactored to eliminate possible root causes for this or similar issues.

Issue OAS-4281 (Support case CS0031375): Wrong format of audit message codes (Documentation)

Description: In the OneSpan Authentication Server Administrator Reference, audit message codes do not contain a hyphen between the message type indicator and the number.

Affects: OneSpan Authentication Server 3.7–3.20

Status: The documentation has been updated.

Issue OAS-4008: Security-related HTTP response headers missing (Web Administration Service)

Description: By default, Web Administration Service does not use HTTP response headers that can help to prevent malicious attacks.

Affects: OneSpan Authentication Server 3.9–3.20

Status: This issue has been fixed. Web Administration Service now uses recommended security-related HTTP response headers, for example to enable the XSS filter in the web browser and to apply Content Security Policy (CSP) settings.

Issue OAS-3982 (Support case CS0027704): Digipass product name abbreviations are not described (Documentation)

Description: The OneSpan Authentication Server product documentation does not contain a list of authenticators and their product name abbreviations used in the DIGIPASS export file (DPX).

Affects: OneSpan Authentication Server 3.7–3.20

Status: The documentation has been updated. A list of authenticators has been added to the OneSpan Authentication Server Administrator Reference.

Issue OAS‑3732 (Support case CS0024329): Issue with delayed activation without configured user contact information (Provisioning)

Description: An issue has been reported when delayed activation is enabled and configured to send delayed activation messages via SMS and a user without a configured mobile number is attempting to activate an authenticator.

Affects: OneSpan Authentication Server 3.9–3.20

Status: This issue has been fixed. The activation is completed successfully. The warning audit message W‑009002 has been extended to include the information that a mobile number is missing.

Issue OAS-2505: Missing date input validation for reports (Reporting)

Description: In reports and runtime query definitions, you can type any date format or string value for the date fields. The provided value is not validated, and OneSpan Authentication Server cannot process the request.

Affects: OneSpan Authentication Server 3.12–3.20

Status: This issue has been fixed. A datepicker has been added to the Administration Web Interface. The Administration Web Interface and OneSpan Authentication Server accept dates in ISO format (e.g. YYYY-MM-DD) and in the format YYYY/MM/DD.

Issue OAS-1700 (Support case CS0002641): Misleading information about IP port range (Documentation)

Description: The Push Notification Getting Started Guide states that DIGIPASS Gateway requires an open network port within the IP range 11000–11100. This information is misleading. DIGIPASS Gateway requires a known public IP address. The chosen port has to be open and accessible. The default port used by DIGIPASS Gateway is 11080 and has to be used if you are using the OneSpan Mobile Authenticator app.

Affects: OneSpan Authentication Server 3.12–3.20

Status: The documentation has been updated.

Issue OAS-1199: Report retrieval is not user friendly (Web Administration Service)

Description: In the Administration Web Interface, if you want to retrieve a report, you need to switch to the SYSTEM menu. Instead, the corresponding menu item should be part of the REPORTS menu.

Affects: OneSpan Authentication Server 3.12–3.20

Status: This issue has been fixed. The Report Retrieval menu item was renamed to Retrieve report and moved to the REPORTS menu.

Issue OAS-352 (Support case CS0002789): Incorrect OneSpan User Websites client type in Push Notification Getting Started Guide (Documentation)

Description: The Push Notification Getting Started Guide contains incorrect information about the OneSpan User Websites client type in OneSpan Authentication Server. The OneSpan User Websites license requires the client type to be IDENTIKEY User Websites (instead of OneSpan User Websites).

Affects: OneSpan Authentication Server 3.17–3.20

Status: The documentation has been updated.

Issue OAS-351 (Support case CS0002617): Incomplete curl command in Push Notification Getting Started Guide (Documentation)

Description: The Push Notification Getting Started Guide provides information about how to test if DIGIPASS Gateway has been correctly installed and is reachable. The -v option is missing from the curl command that is used for this test.

Affects: OneSpan Authentication Server 3.12–3.20

Status: The documentation has been updated.

Issue OAS-349 (Support case CS0002614): Missing information about used network protocol (Documentation)

Description: The Push Notification Getting Started Guide states that DIGIPASS Gateway requires an open network port for incoming requests, by default 11080. However, the documentation does not specify which network protocol is required (that is, TCP).

Affects: OneSpan Authentication Server 3.12–3.20

Status: The documentation has been updated.

Issue OAS-346 (Support case CS0001701): Administrator privileges not correctly reflected on User Dashboard (Web Administration Service)

Description: The User Dashboard in the Administration Web Interface does not correctly show whether a user account has administrative privileges assigned or not.

Affects: OneSpan Authentication Server 3.17–3.20

Status: This issue has been fixed.

Issue OAS‑300 (Support cases PS‑196640, PS‑190067): Specifying custom service account names during setup creates invalid installation (Setup)

Description: Specifying custom service account names for the OneSpan Authentication Server or the Message Delivery Component (MDC) daemon during setup does not work. Instead of the specified service account names, the default ones are used, which later causes an error during configuration with the OneSpan Authentication Server Maintenance Wizard ("Could not change ownership of identikeyconfig.xml.").

Affects: OneSpan Authentication Server 3.14–3.20 (on Red Hat Enterprise Linux)

Status: This issue has been fixed.

Deprecated components and features

Digipass Authentication for Steel-Belted RADIUS Server

Digipass Authentication for Steel-Belted RADIUS Server has reached end of life and is no longer shipped with OneSpan Authentication Server.

OneSpan Authentication Server continues to support previous versions of Digipass Authentication for Steel-Belted RADIUS Server.

Digipass Authentication for Epic Hyperspace

Digipass Authentication for Epic Hyperspace has reached end of life and is no longer shipped with OneSpan Authentication Server.

OneSpan Authentication Server continues to support previous versions of Digipass Authentication for Epic Hyperspace.

Supported platforms, data management systems, and other third-party products

OneSpan Authentication Server no longer supports the following products:

Software libraries

  • Apache Commons HttpClient 3.1

Data management systems

  • Microsoft SQL Server 2012 Service Pack 2

