- 15 Jan 2025
Hostname-based licenses
- Updated on 15 Jan 2025
Server and component licenses
Generally, OneSpan Authentication Server license keys for server and client components are tied to static IP addresses. This does not easily allow orchestrated container setups, where containers are created and deleted automatically (and IP addresses are assigned dynamically).
To allow orchestrated container setups, e.g. Kubernetes environments where guaranteeing a static IP address for a container is cumbersome, OneSpan Authentication Server supports hostname-based locations for server components, client components, and license keys.
You need to retrieve hostname-based license keys for container setups from the OneSpan Customer Portal at https://cp.onespan.com/.
However, the OneSpan Authentication Server license still requires a stable pod hostname. This is why the provided example Helm chart defines the OneSpan Authentication Server pod with a StatefulSet object, even though OneSpan Authentication Server is a stateless application.
Server/component (S/C) location | License location: IP address | License location: CIDR | License location: Hostname |
---|---|---|---|
IP address | Requires exact match | Requires license CIDR range to contain the S/C address | Requires exact match of resolved license location and S/C IP |
CIDR | Issues invalid license error unless CIDR range contains only the license IP address | Requires exact match | Issues invalid license error unless CIDR range contains only the resolved license address |
Hostname | Requires exact match of resolved S/C location and license IP | Requires license CIDR range to contain the resolved S/C address | Requires exact match |
Note that hostnames that resolve to multiple IP addresses in the OneSpan Authentication Server pod(s) are not accepted as valid server or component locations.
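
The matching rules in the table above, written out as an added Python example (not OneSpan code). The `DNS` dictionary is a constructed stand-in for name resolution inside the pod, the function names are hypothetical, and the invalid-license case is reported as `False` just like a plain mismatch; treating an unresolvable hostname like a multi-address one is an assumption.

```python
import ipaddress

# Constructed name-to-address table standing in for the pod's resolver.
DNS = {
    "ias-0": ["10.42.0.17"],
    "dpgateway": ["10.42.1.8"],
    "ias-lb": ["10.42.0.17", "10.42.0.18"],  # resolves to two addresses
}

def classify(loc):
    """Return ('ip', address), ('cidr', network) or ('host', name)."""
    try:
        return "ip", ipaddress.ip_address(loc)
    except ValueError:
        pass
    if "/" in loc:
        return "cidr", ipaddress.ip_network(loc, strict=False)
    return "host", loc

def resolve_single(name, dns):
    """Resolve a hostname that must map to exactly one address."""
    addrs = dns.get(name, [])
    if len(addrs) != 1:
        raise ValueError(f"{name!r} resolves to {len(addrs)} addresses, need exactly 1")
    return ipaddress.ip_address(addrs[0])

def location_matches(sc, lic, dns=DNS):
    """True if server/component location `sc` satisfies license location `lic`."""
    sk, sv = classify(sc)
    lk, lv = classify(lic)
    # An S/C hostname is always resolved, so multi-address names are rejected.
    sc_addr = resolve_single(sv, dns) if sk == "host" else sv
    if sk == lk:        # same kind on both sides: exact match
        return sv == lv
    lic_addr = resolve_single(lv, dns) if lk == "host" else lv
    if sk == "cidr":    # S/C range may hold only the license address
        return sv.num_addresses == 1 and sv.network_address == lic_addr
    if lk == "cidr":    # license range must contain the S/C address
        return sc_addr in lv
    return sc_addr == lic_addr  # IP on one side, resolved hostname on the other
```
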
Automatic Mounting of OAS Licenses
To enable the OneSpan Authentication Server pod to install a server license automatically when the pod is started, we recommend adding a ConfigMap definition to the example Helm chart:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: licenses
data:
{{ (.Files.Glob "licenses/*.dat").AsConfig | indent 2 }}
```
In this example, the license folder tree may take the following form:
```
licenses/
+--- ias-0.dat
+--- ias-1.dat
\--- ...
```
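The OneSpan Authentication Server pod can then select and mount the relevant subpath of the defined ConfigMap, e.g. by using the metadata.name field. For a StatefulSet named ias, the pod names are ias-0, ias-1, and so on, so each pod mounts the license file that carries its own name: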
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: ias
spec:
  ...
  template:
    ...
    spec:
      ...
      containers:
        - name: ias
          ...
          env:
            - ...
            - name: CARG_SERVER_LOCATION
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - ...
            - name: licenses
              mountPath: /tmp/vasco/license.dat
              subPathExpr: $(CARG_SERVER_LOCATION).dat
      volumes:
        - ...
        - name: licenses
          configMap:
            name: licenses
```
Hostname-based client component locations
OneSpan Authentication Server client components that require a license, e.g. DIGIPASS Gateway, need a stable network identity (location), given either as a hostname or in CIDR notation.
Note that the client component location, as stored in the vdsComponent table, must match or, in the case of a hostname-based location, resolve to the IP address of the request source. This may require additional helm chart configuration, e.g. using hostAliases or headless services (services with .spec.clusterIP="None" set) when using components registered with hostname-based locations.