Configuring SSL for back-end authentication (via IBM Security Directory Server)
  • 07 Jan 2025

Configuring OneSpan Authentication Server to authenticate via LDAP SSL requires binding an SSL certificate with the Bind with SSL option and importing the certificate into OneSpan Authentication Server. You can use an SSL certificate from a trusted certification authority (CA), or generate a self-signed certificate using the Global Security Kit.

When using a self-signed certificate that was generated by IBM Security Directory Server, it must be created as a binary DER-encoded file (.der). This file needs to be converted to PEM format, and then imported into OneSpan Authentication Server.

To convert a DER-encoded certificate and import it to OneSpan Authentication Server

  1. Convert the binary DER-encoded certificate file (.cer) to an ASCII-armored certificate file (.pem) using the following command:

    openssl x509 -inform DER -outform PEM -in certname.cer -out certname.pem

    where certname is the name of the self-signed CA certificate.

    OneSpan Authentication Server ships with a specific version of the OpenSSL utility. We recommend that you use this version for any procedures involving the openssl command.

    By default, this specific version of OpenSSL is located in %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin on Windows and in /opt/vasco/ias/bin on Linux, respectively.

  2. Depending on your platform, do one of the following:

    • If you are using Ubuntu Server:

      1. Change the extension of the certificate file to .crt and copy it to the CA certificate store:

        mv certname.pem certname.crt

        cp certname.crt /usr/local/share/ca-certificates

      2. Update the CA certificate store:

        update-ca-certificates

    • If you are using another Linux distribution or Microsoft Windows:

      1. Obtain the hash of the .pem file:

        openssl x509 -noout -hash -in certname.pem

      2. Rename certname.pem to hashvalue.0, where hashvalue is the hash value calculated by the openssl command.

        For example, if the hash result is 54321, the file name would be 54321.0.

      3. Copy the renamed certificate file (hashvalue.0) to the following location, depending on the platform:

        • /etc/ssl/certs (Linux)
        • %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\certs (Windows, default).
      4. On Linux, ensure that the run user of OneSpan Authentication Server can access the certificate file. If required, change access rights and/or file ownership with the chmod and chown commands.
  3. Restart the OneSpan Authentication Server service or daemon, respectively.

    The new certificate files are read only when the service/daemon starts.

After importing the certificate file into OneSpan Authentication Server, enable SSL on the IBM Security Directory Server instance (via the Security Properties page).
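
The conversion, hash-naming and copy steps for Linux distributions other than Ubuntu, combined into one shell function. This is an added example, not OneSpan's own code; the function name install_ca_cert, its arguments and the OPENSSL variable are assumptions. Beyond the steps above, it rejects unparsable or expired input, refuses to overwrite a different certificate and checks that the hashed lookup works.

```shell
#!/bin/sh
# Added example (not vendor code). install_ca_cert and its arguments are
# hypothetical names. OPENSSL may point at the OpenSSL copy shipped with the
# product, so the hash is computed by the same build that later reads it.
OPENSSL=${OPENSSL:-openssl}

# install_ca_cert DER_FILE CERT_DIR
# Writes the path of the installed file to stdout; returns non-zero on error.
install_ca_cert() {
    der=$1
    cert_dir=$2
    tmp=$(mktemp) || return 1

    # Step 1: convert DER to PEM. Fails if the input is not a certificate.
    if ! "$OPENSSL" x509 -inform DER -outform PEM -in "$der" -out "$tmp" 2>/dev/null; then
        echo "cannot parse certificate: $der" >&2
        rm -f "$tmp"; return 1
    fi
    # Refuse a certificate that has already expired.
    if ! "$OPENSSL" x509 -noout -checkend 0 -in "$tmp" >/dev/null 2>&1; then
        echo "certificate has expired: $der" >&2
        rm -f "$tmp"; return 1
    fi

    # Step 2: the lookup name is <subject hash>.0
    hash=$("$OPENSSL" x509 -noout -hash -in "$tmp") || { rm -f "$tmp"; return 1; }
    dest="$cert_dir/$hash.0"
    new_fp=$("$OPENSSL" x509 -noout -fingerprint -sha256 -in "$tmp")

    # Never silently replace a different certificate that has the same name.
    if [ -e "$dest" ]; then
        old_fp=$("$OPENSSL" x509 -noout -fingerprint -sha256 -in "$dest" 2>/dev/null)
        if [ "$old_fp" != "$new_fp" ]; then
            echo "refusing to overwrite $dest (different certificate)" >&2
            rm -f "$tmp"; return 1
        fi
    fi

    # Step 3: install; a CA certificate is public, so world-readable is fine.
    cp "$tmp" "$dest" && chmod 644 "$dest" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    # Confirm OpenSSL finds the certificate through the hashed directory.
    if ! "$OPENSSL" verify -CApath "$cert_dir" "$dest" >/dev/null 2>&1; then
        echo "installed, but lookup via $cert_dir failed" >&2
        return 1
    fi
    echo "$new_fp" >&2   # for out-of-band comparison with the server's certificate
    echo "$dest"
}
```

Call it as install_ca_cert certname.cer /etc/ssl/certs, then restart the service or daemon as described in step 3.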

