Data in Transit
  • 03 Jan 2025

Data in transit refers to data that is actively being moved from one place to another, e.g. across the Internet or through a private network. By itself, the data being moved is unencrypted, and it should be encrypted with Secure Sockets Layer (SSL), a cryptographic protocol used to secure communications over the Internet for email, web browsing, and other web protocols.

SSL is the method by which a client can obtain a secure connection to an SSL-enabled server. The SSL-enabled server can identify itself to the client in a trusted manner before any information is passed between the client and the SSL-enabled server.

For more information about SSL, refer to the OneSpan Authentication Server Appliance Administrator Guide.

SEAL/SOAP/RADIUS communicator modules

OneSpan Authentication Server Appliance provides a communicator module for each protocol for which it can receive and handle requests. Each communicator module can be enabled or disabled as required, subject to support in the server license.

You can use SSL to protect connections between the communicator modules and the communication end points. Enabling and configuring SSL for communicator module connections requires your server's certificate and its corresponding private key password (if you set one). Configuring the SEAL and SOAP communicator modules will also require a certification authority (CA) certificate file for (optional) client certificate verification.

SEAL protocol

The SEAL protocol is a proprietary OneSpan protocol used by some of the OneSpan authentication modules.

SOAP protocol

OneSpan Authentication Server Appliance provides support for web applications through an SDK based on the standard SOAP protocol. These applications may cover operational tasks such as authentication and signature validation, provisioning of software authenticators, or administration of DIGIPASS Authentication for Microsoft ADFS.

SOAP versions 1.1 and 1.2 over HTTPS are supported, using 'Document Literal' binding.

Some of the OneSpan Authentication Server client components also use the SOAP protocol for communication, such as the Digipass Authentication Module products and Digipass Authentication for Windows Logon.

RADIUS protocol

OneSpan Authentication Server Appliance supports the RADIUS protocol (according to RFC 2865) for remote network access authentication. Some applications use RADIUS as their authentication protocol; such applications are also supported.

Configuring SOAP and SEAL communication protocols

When configuring the SOAP or SEAL communication protocol in the Configuration Utility, you can specify whether the client certificate verification is any of the following:

  • Never
  • Required
  • Optional
  • Required - Signed Address Only. The client certificate must include the IP address of the client. The server will check the IP address from the client certificate against the client it is establishing a connection with, and the handshake will fail if the two IP addresses do not match.
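The four verification modes listed above, worked through as an added example (not OneSpan's code): a server-side TLS context is built with the matching client-certificate policy, and the "Required - Signed Address Only" rule is applied after the handshake by checking that the peer's IP address appears in the client certificate's subjectAltName. The mapping to Python's `ssl.CERT_*` constants and the sample certificate dictionary are assumptions made for the illustration.

```python
import ipaddress
import ssl

# Assumed mapping from the Configuration Utility mode names to ssl verify modes.
MODES = {
    "Never": ssl.CERT_NONE,
    "Optional": ssl.CERT_OPTIONAL,
    "Required": ssl.CERT_REQUIRED,
    "Required - Signed Address Only": ssl.CERT_REQUIRED,
}

# Constructed sample shaped like SSLSocket.getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "seal-client.example"),),),
    "subjectAltName": (("DNS", "seal-client.example"),
                       ("IP Address", "10.0.0.5"),
                       ("IP Address", "fd00::5")),
}

def server_context(mode, cafile=None):
    """Server TLS context whose client-certificate policy follows `mode`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = MODES[mode]
    if cafile and ctx.verify_mode != ssl.CERT_NONE:
        ctx.load_verify_locations(cafile)  # CA certificate file for client verification
    return ctx

def cert_ip_addresses(peercert):
    """IP addresses listed in the certificate's subjectAltName (label 'IP Address')."""
    ips = set()
    for kind, value in (peercert or {}).get("subjectAltName", ()):
        if kind == "IP Address":
            try:
                ips.add(ipaddress.ip_address(value))
            except ValueError:
                continue  # skip malformed entries rather than trusting them
    return ips

def address_matches(peercert, peer_ip):
    """'Signed Address Only': the connecting peer's IP must be in the certificate."""
    return ipaddress.ip_address(peer_ip) in cert_ip_addresses(peercert)

def accept_client(mode, peercert, peer_ip):
    """Post-handshake decision; `peercert` is None/{} if no certificate was presented."""
    if mode in ("Never", "Optional"):
        return True  # any certificate that was presented was already validated by TLS
    if mode == "Required":
        return bool(peercert)
    if mode == "Required - Signed Address Only":
        return bool(peercert) and address_matches(peercert, peer_ip)
    raise ValueError(f"unknown verification mode {mode!r}")
```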

OneSpan Authentication Server Appliance contains a built-in certification authority (CA) used to sign all automatically generated default certificates. This list contains the root CA certificate for the OneSpan Authentication Server Appliance CA. The certificates used by default for the communicator modules are signed by this CA. They are time-limited but can be renewed. It is also possible to upload your own certificates, whether signed by a commercial entity or not.

In the Configuration Tool, the SOAP and SEAL communication protocol page also contains a Re-Verify on Re-Negotiation checkbox. Select this box to force the connection between SOAP/SEAL and OneSpan Authentication Server Appliance to be re-verified each time a connection is established.

Enabling the Re-Verify on Re-Negotiation option may incur a performance penalty. As such, do not do so unless absolutely necessary.

Generating certificates

Certificates can either be uploaded to OneSpan Authentication Server Appliance, or generated via the OneSpan Authentication Server Appliance CA by navigating to Settings > Certificates. It is also possible to create a certificate signing request (CSR) that can then be signed by a third party such as a commercial entity. A passphrase is automatically created for generated certificates.

Configuring SSL certificates

Any certificate added to the OneSpan Authentication Server Appliance CA can be assigned to a communicator via the communicator settings. When using a certificate signed by the appliance root CA, its public key should be added to clients for certificate verification. For other certificates, the CA certificate of the signing party should be used. Alternatively, the public key of the certificate itself (also downloadable from the CA screen) can be used.

For more information about configuring SSL certificates, refer to the OneSpan Authentication Server Appliance Administrator Guide.

Whenever you are required to provide a private key password for an SSL certificate, note that such passwords must comply with the following requirements:

  • At least 16 characters long
  • Contain at least one of each of the following:

    • Lower case character
    • Upper case character
    • Numeric character

Using SSL with SOAP

OneSpan Authentication Server Appliance uses SSL to secure SOAP connections between itself and OneSpan Authentication Server Appliance applications and components. The SOAP client will verify the server with the help of SSL when connecting to OneSpan Authentication Server Appliance.

The SOAP communicator on port 8888 always uses SSL. A second SOAP communicator listens on port 8887, and is only used internally by OneSpan Authentication Server Appliance (e.g. for the OneSpan Authentication Server Administration Web Interface). External applications should not connect to it.

The following OneSpan Authentication Server Appliance products use SOAP:

Digipass Authentication for Windows Logon (DAWL)

Digipass Authentication for Windows Logon provides strong authentication when logging on to Microsoft Windows. With this type of authentication, a user logs on to Microsoft Windows using the following:

  • User ID
  • Password
  • A one-time password (OTP) generated by an authenticator
  • Server PIN

For more information about encrypting Digipass Authentication for Windows Logon with SSL over SOAP, refer to the OneSpan Authentication Server Appliance Administrator Guide.

The auditing log files for Digipass Authentication for Windows Logon are unencrypted. When these auditing log files are stored on a Windows machine, ensure that the folder or the disk storing the log files is encrypted.

For more information about Digipass Authentication for Windows Logon, refer to the Digipass Authentication for Windows Logon Getting Started Guide and the Digipass Authentication for Windows Logon Product Guide.

LDAP Synchronization Tool

LDAP Synchronization Tool is a product used to synchronize user information from any LDAP data store with any OneSpan Authentication Server Appliance data store.

Using SSL with SEAL

Some products that are communicating with OneSpan Authentication Server Appliance use the SEAL protocol. The protocol has to be configured to use SSL encryption to be regarded as safe.

SEAL over SSL is enabled by default in OneSpan Authentication Server Appliance.

The SEAL communicator on port 20004 always uses SSL. A second SEAL communicator that listens on port 20003 is used internally only, and SSL is disabled on it by default. External applications should not be allowed to connect to it.

For more information about enabling SSL encryption for SEAL, refer to the OneSpan Authentication Server Appliance Administrator Guide.

The following components of OneSpan Authentication Server Appliance need to be encrypted with SSL to ensure compliance:

Live Audit Viewer

The Live Audit Viewer can open, display, and filter audit messages from various sources.

To enable SSL, log on to the Configuration Tool and select Authentication Server > Audit Settings > Remote Audit Viewer. Once you have selected the Enable SSL Connections checkbox, any certificate from the OneSpan Authentication Server Appliance certification authority (CA) can be configured.

For more information about enabling SSL encryption for Live Audit Viewer, refer to the OneSpan Authentication Server Appliance Administrator Guide.

RADIUS

OneSpan Authentication Server Appliance can be used in a RADIUS environment in a number of ways, depending on your company's requirements.

In the RADIUS protocol, attributes are used for authorization and configuration of the remote access session in many cases. OneSpan Authentication Server Appliance can return authorization attributes from the user account. Alternatively, a separate RADIUS server can provide these attributes instead.

In many cases, a RADIUS client may be a dial-up network access server (NAS), firewall/VPN appliance, wireless access point (WAP), or another device that uses the RADIUS protocol for user authentication. Some software applications can also use RADIUS for authentication, and can therefore also act as RADIUS clients.

RADIUS provides connection encryption; however, its standards are no longer considered safe. If your organization uses the RADIUS communication protocol, we recommend setting the SSL security level for OneSpan Authentication Server Appliance to the highest value compatible with the client software in use.

Features that do not support encryption (data in transit)

Certain features in OneSpan Authentication Server Appliance do not support encryption, and must be encrypted manually with a workaround to be GDPR-compliant.

Data Migration Tool

The Data Migration Tool (DMT) is a general-purpose utility that allows you to migrate your data from one OneSpan authentication product to another. DMT accesses OneSpan Authentication Server Appliance via a SEAL connection and uses the SEAL port that is not SSL-encrypted to connect to OneSpan Authentication Server. To be GDPR-compliant, we recommend placing the machines running DMT in an isolated network.

RADIUS

The RADIUS communication protocol provides connection encryption; however, its standards are no longer considered safe. For more information, see RADIUS above.
