Version 3.27 (Upcoming 2025)
  • 03 Mar 2025

Release information

Supported operating systems

OneSpan Authentication Server 3.27 supports the following operating systems:

Microsoft Windows

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016

Linux

  • Red Hat Enterprise Linux (RHEL) 9, 64-bit
  • Red Hat Enterprise Linux (RHEL) 8, 64-bit
  • Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.9)
  • Rocky Linux 9, 64-bit
  • Rocky Linux 8, 64-bit
  • Ubuntu Server 22.04 LTS, 64-bit
  • Ubuntu Server 20.04 LTS, 64-bit
  • Ubuntu Server 18.04 LTS, 64-bit

Supported ODBC databases

  • MariaDB 10.11.5 (included as embedded database)

    If you install the embedded MariaDB database, the DBeaver 23.3.0 database tool is also installed.

    OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.

  • Oracle Database 19c

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).

  • Microsoft SQL Server

    • Microsoft SQL Server 2022
    • Microsoft SQL Server 2019
    • Microsoft SQL Server 2017
    • Microsoft SQL Server 2016

    OneSpan Authentication Server supports the SQL Server AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2022, 2019, 2017, and 2016.

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.

    OneSpan Authentication Server supports the following ODBC drivers:

    • Microsoft ODBC Driver 18 for SQL Server
    • Microsoft ODBC Driver 17 for SQL Server
    • Microsoft ODBC Driver 13.1 for SQL Server

Supported browsers (Administration Web Interface)

The Administration Web Interface supports the following browsers:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge

The Administration Web Interface supports all browser versions currently supported by the respective vendors.

Supported web servers (Administration Web Interface)

The Administration Web Interface can be run on these web application servers (based on the respective JRE):

  • Apache Tomcat 10.1–10.1.34 (included)

    • Oracle Server Java Runtime Environment 17
    • Azul Zulu 17 (included)
  • Open Liberty (tested with 25.0.0.1-full-java17-openj9)
  • WebSphere Liberty (tested with 25.0.0.1-full-java17-openj9-ubi)

The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for Open Liberty and WebSphere Liberty for manual deployment.

Other new third-party products

Software libraries

The software library lists are not exhaustive, but include the most notable and critical updates only. For a complete overview, refer to the third-party dependency files included with the installed product.

OneSpan Authentication Server now includes the following (updated) third-party libraries:

Administration Web Interface now includes the following (updated) third-party libraries:

OneSpan authentication platform

OneSpan Authentication Server 3.27 integrates and uses Authentication Suite Server SDK 4.0.1 (formerly OneSpan Authentication Server Framework).

This version is a major upgrade and introduces breaking changes. Once BLOB data is processed by this version, it can no longer be processed by any earlier version.


Upgrade path

OneSpan Authentication Server supports direct upgrades from 3.24 or 3.26 to version 3.27 on the supported operating systems.

Figure:  OneSpan Authentication Server – Supported upgrade paths

Table:  Supported systems
 OneSpan Authentication Server
 3.27 | 3.26 | 3.25 | 3.24 | 3.23 | 3.22
Operating systems
Windows 2022  
Windows 2019
Windows 2016
Windows 2012 R2   
Windows 2012   
CentOS 7  
CentOS 6     
RHEL 9    
RHEL 8 
RHEL 7
RHEL 6     
Rocky Linux 9    
Rocky Linux 8    
Ubuntu 22.04    
Ubuntu 20.04 
Ubuntu 18.04
Ubuntu 16.04     
Database management systems
MariaDB 10
Oracle DB 19c
Oracle DB 18c   
Oracle DB 12c   
SQL Server 2022[1]    
SQL Server 2019[1]
SQL Server 2017[1]
SQL Server 2016[1]
SQL Server 2014[1]  
SQL Server 2012[1]   
  1. Windows only

New features and enhancements

Bulk cleanup of unused authenticator instances (Web Administration Service)

The Administration Web Interface now provides a new Bulk Cleanup DIGIPASS Instances wizard to delete all unused authenticator instances based on certain search criteria. This allows you to clean up and purge unused authenticator data regularly in bulk to maintain clarity and avoid performance degradation issues.

An authenticator instance is considered unused if another authenticator instance for the same authenticator license exists, which uses the same DIGIPASS Push Notification Identifier (PNID) but has a higher sequence number.

The command schedules a server task that processes the authenticator instances in the specified search range. Administrators need the new Bulk Cleanup DIGIPASS Data privilege to use the new command.
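The definition of an unused authenticator instance given above can be applied to an exported instance list to preview what a cleanup would select. The following is an added example, not OneSpan code; the record fields, the sample values, and the choice to never match instances without a PNID are assumptions.

```python
"""Preview which authenticator instances count as unused (added example).

Rule from the release note: an instance is unused if another instance of the
same license uses the same PNID and has a higher sequence number.
Assumption: instances without a PNID are never matched against each other.
"""
from typing import NamedTuple, Optional


class Instance(NamedTuple):
    license_serial: str      # license the instance belongs to (hypothetical field)
    sequence: int            # instance sequence number
    pnid: Optional[str]      # DIGIPASS Push Notification Identifier, if any


def find_unused(instances):
    """Return the instances superseded by a newer one with the same license and PNID."""
    newest = {}  # (license, pnid) -> highest sequence number seen
    for inst in instances:
        if inst.pnid:
            key = (inst.license_serial, inst.pnid)
            newest[key] = max(newest.get(key, inst.sequence), inst.sequence)
    unused = [
        inst for inst in instances
        if inst.pnid and inst.sequence < newest[(inst.license_serial, inst.pnid)]
    ]
    return sorted(unused, key=lambda i: (i.license_serial, i.sequence))


# Constructed sample data.
SAMPLE = [
    Instance("LIC-A", 1, "pn-1"),   # superseded by sequence 4
    Instance("LIC-A", 2, "pn-1"),   # superseded by sequence 4
    Instance("LIC-A", 3, "pn-2"),   # only instance with this PNID: kept
    Instance("LIC-A", 4, "pn-1"),   # newest for pn-1: kept
    Instance("LIC-B", 1, "pn-1"),   # same PNID but different license: kept
    Instance("LIC-B", 2, None),     # no PNID: never matched (assumption)
    Instance("LIC-B", 3, None),
]

if __name__ == "__main__":
    for inst in find_unused(SAMPLE):
        print("unused:", inst.license_serial, inst.sequence, inst.pnid)
```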

Improved HTTP parameter configuration for SMS gateways (Message Delivery Component)

The message parameter configuration and handling of HTTP gateways for SMS have been improved in Message Delivery Component (MDC):

  • Custom HTTP header fields. MDC now allows you to add custom HTTP header fields to requests that are sent to SMS gateways.
  • Improved request parameter configuration. The MDC Configuration Utility now allows you to configure the request parameters more conveniently. You can now specify HTTP header fields, query string parameters, and body request parameters in separate key–value pair lists.
  • JSON structures. You can now set the content type encoding of the message data sent to the gateway. Depending on the requirements of the SMS gateway, you can set it either to use plain text (as before) or JSON. The response handling was improved to support response matching rules using valid JSON structures.

Limit concurrent administrative sessions per user

You can now limit the maximum number of interactive administrative sessions allowed to run at one time per user. This option supplements the existing global limit of concurrent interactive sessions. The limit applies to all interactive administrative sessions, e.g. Administration Web Interface and Tcl Command-Line Administration tool; it does not apply to non-interactive service user sessions.

Furthermore, you can also specify what should happen when a new session is initiated but the number of concurrent sessions of a user exceeds the limit (either invalidate the oldest session or deny the logon).

By default, the session limit per user is disabled.
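The two behaviours at the limit (invalidate the oldest session or deny the logon) differ in who is affected when the limit is hit. The following model is an added example, not OneSpan code; the class and option names are hypothetical, and the global session limit is not modelled.

```python
"""Per-user limit on interactive sessions with two overflow behaviours (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from itertools import count
from typing import Optional


class OnLimit(Enum):
    INVALIDATE_OLDEST = "invalidate-oldest"
    DENY_LOGON = "deny-logon"


@dataclass
class SessionRegistry:
    per_user_limit: Optional[int] = None        # None = disabled, the stated default
    on_limit: OnLimit = OnLimit.DENY_LOGON
    sessions: dict = field(default_factory=dict)  # id -> (user, interactive), oldest first
    ids: count = field(default_factory=lambda: count(1))

    def __post_init__(self):
        if self.per_user_limit is not None and self.per_user_limit < 1:
            raise ValueError("per_user_limit must be at least 1 or None")

    def active_interactive(self, user):
        """Interactive session ids of one user, oldest first."""
        return [sid for sid, (u, inter) in self.sessions.items() if u == user and inter]

    def logon(self, user, interactive=True):
        """Return (new session id or None if denied, ids invalidated to make room)."""
        invalidated = []
        # Non-interactive service sessions are exempt from the per-user limit.
        if interactive and self.per_user_limit is not None:
            active = self.active_interactive(user)
            if len(active) >= self.per_user_limit:
                if self.on_limit is OnLimit.DENY_LOGON:
                    return None, invalidated
                while len(active) >= self.per_user_limit:
                    oldest = active.pop(0)
                    del self.sessions[oldest]
                    invalidated.append(oldest)
        sid = next(self.ids)
        self.sessions[sid] = (user, interactive)
        return sid, invalidated


def demo():
    """Constructed scenario: limit of 2, oldest session is invalidated."""
    reg = SessionRegistry(per_user_limit=2, on_limit=OnLimit.INVALIDATE_OLDEST)
    first, _ = reg.logon("alice")
    second, _ = reg.logon("alice")
    reg.logon("alice", interactive=False)       # service session, not counted
    third, invalidated = reg.logon("alice")
    return first, second, third, invalidated, reg.active_interactive("alice")


if __name__ == "__main__":
    print(demo())
```

With `INVALIDATE_OLDEST`, anyone who obtains valid credentials can displace the legitimate administrator's session, while `DENY_LOGON` lets stale sessions lock the administrator out until they expire; which trade-off is acceptable depends on the deployment.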

AES encryption of sensitive configuration data (Web Administration Service)

Sensitive configuration data used by the Administration Web Interface, such as the Java keystore password, is encrypted.

To improve security, the encryption algorithm has been changed: sensitive configuration data is now encrypted using AES-256 by default. If you upgrade an existing deployment, the sensitive configuration values, such as the Java keystore password, stored with the old encryption are retained and can still be read. If you change the values after the upgrade, the new values will automatically be encrypted using AES-256.

Last authentication time shown (Web Administration Service)

The date and time when an authenticator was last used for a successful authentication is now displayed in the relevant pages of the Administration Web Interface. Note that it is only set and updated if the authenticator is assigned and used by the respective user.

Generate new certificates for secure auditing after installation

You can now generate a new secure auditing certificate after installation with the Maintenance Wizard.

Note that the secure auditing certificate is used to verify the authenticity of audit messages. If you change the certificate or generate a new one, all existing secure audit entries will be reported as invalid/modified.

To prevent this, we recommend that you purge the audit table before renewing the secure auditing certificate.

Fixes and other updates

Issue OAS-25550: Signature request encoding failure with special characters

Description: An encoding issue with special characters, such as Eastern European characters, used in the message title and data fields was detected, caused by the policy's font table index being ignored. When the client attempts to decrypt the request, it fails with an error.

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed.

Issue OAS-25359: Windows group check list size limit too small

Description: If you enable Windows group check, you need to specify a list of the Windows groups to be considered in the policy. This list has a size limit of 1024 characters, which can be too small if you have a lot of Windows groups defined.

Affects: OneSpan Authentication Server 3.22–3.26

Status: The size of the Windows group list has been increased to 4000 characters.

Issue OAS-25060: Restricting allowed authenticators via policy does not work correctly

Description: Some potential issues related to restricting authenticators via policy were detected:

  • The verification against the list of applicable authenticator applications was inaccurate in the sense that authenticator application names could incorrectly be accepted if they evaluate to partial names allowed by the policy. For instance, if the policy allowed VOTP64, an authenticator application named OTP6 would incorrectly be accepted.

    This issue applies to restrictions on authenticator application names and on authenticator types.

  • The tracing message when a policy disallows an authenticator application based on the application name was incorrect.
  • If a response was verified to synchronize the offline authentication data state, the restriction by the policy was not correctly evaluated.

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed.
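The partial-name acceptance described for OAS-25060 is the behaviour of a substring test where whole-entry equality is required. The following comparison is an added example, not OneSpan code; the comma-separated list format and all function names are assumptions.

```python
"""Partial-name acceptance as described for OAS-25060 (added example).

Not OneSpan code: the comma-separated list format and all function names
are assumptions made for illustration.
"""


def accepts_by_substring(policy_list, app_name):
    """Flawed check: true whenever the name occurs anywhere in the list text."""
    return app_name in policy_list


def parse_entries(policy_list):
    """Split the list text into whole entries, dropping blanks."""
    return frozenset(e.strip() for e in policy_list.split(",") if e.strip())


def accepts_exact(policy_list, app_name):
    """Corrected check: the complete name must equal one complete entry."""
    name = app_name.strip()
    return bool(name) and name in parse_entries(policy_list)


def accepted_only_by_flaw(policy_list, app_names):
    """Names the flawed check lets through but exact matching rejects."""
    return [
        n for n in app_names
        if accepts_by_substring(policy_list, n) and not accepts_exact(policy_list, n)
    ]


# Constructed sample data: VOTP64 and OTP6 come from the release note,
# the remaining names are made up to exercise edge cases.
POLICY = "VOTP64,SIGN01"
CANDIDATES = ["VOTP64", "OTP6", "SIGN01", "64,S", "", "RESP"]

if __name__ == "__main__":
    for name in CANDIDATES:
        print(repr(name), accepts_by_substring(POLICY, name), accepts_exact(POLICY, name))
    print("accepted only by the flawed check:", accepted_only_by_flaw(POLICY, CANDIDATES))
```

Besides the `OTP6` case from the release note, the substring test also accepts an empty name and a string that spans the separator between two entries, which is why the corrected check parses entries first and compares whole values.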

Issue OAS-24996: Configuration file values get overridden with template values (Upgrade Wizard)

Description: When you perform an upgrade of OneSpan Authentication Server, several elements of the configuration file (identikeyconfig.xml) are reset to their default values, including:

  • /VASCO/Replication/Queue
  • /VASCO/Communicators/SealCommunicator/DPX-Upload-Location
  • /VASCO/Scenarios/ScenarioModule04/Report-Location

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed.

Issue OAS-24864 (Support case CS0170831): High memory usage when running Tcl scripts

Description: When running Tcl scripts with the Tcl Command-Line Administration Tool (dpadmincmd), memory usage grows excessively. This can lead to an application crash in the worst case, depending on the Tcl script. Affected commands include digipass query, digipass get_info, and sub-commands of user, policy, and component.

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed.

Issues OAS-24701, OAS-12229 (Support cases CS0130603, CS0085259): Cannot import PNID or direct assignment flag values via DIGIPASS import file

Description: When you import MDL authenticator instances from a DIGIPASS import file (*.csv), you cannot specify Push Notification Identifier (PNID) values.

Furthermore, the DirectAssignOnly column is not correctly evaluated and incorrectly set in the database. The respective authenticators cannot be used for auto-assignment, and future data migration from that server instance via DMT can fail.

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed. You can now specify PNID values when you import from a DIGIPASS import file (via DevicePNId). The DirectAssignOnly column is handled correctly.

Issue OAS-24613: Recent activity does not show authenticator instance deletion (Web Administration Service)

Description: When you delete an authenticator license or authenticator instance, the operation is not shown in the recent activity of the user to whom the authenticator is assigned (User Dashboard).

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed.

Issue OAS-24587: Login page SSRF vulnerability (Web Administration Service)

Description: A server-side request forgery (SSRF) vulnerability has been identified in the login page of the Administration Web Interface, which allows login requests to be redirected to a malicious SOAP server that returns forged responses.

Although this vulnerability does not allow an attacker to bypass authentication or gain access to a OneSpan Authentication Server instance, it may facilitate other attacks such as cross-site scripting (XSS) or other injection exploits.

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed.

Issue OAS-24430: Invalid DIGIPASS import file creates incorrect entries in database

Description: When you import MDL authenticator licenses from a DIGIPASS import file (*.csv) that contains specific invalid message vector data, the import process may complete but create invalid authenticator parameters in the database (vdsDPSoftParams). As a result, the authenticator license cannot be used to activate authenticator instances afterward.

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed. The data and parameter verification has been improved to prevent invalid authenticator license records.

Issue OAS-23693: Inefficient client connection closing

Description: If a SOAP client component requests to gracefully close an active connection by sending a TCP FIN packet, OneSpan Authentication Server unnecessarily initiates a thread (which effectively doesn't do anything), before actually closing the connection.

Affects: OneSpan Authentication Server 3.22–3.26

Status: The respective SOAP connection handling was improved.

Issue OAS-14640 (Support case CS0099949): MDC Configuration Utility shows incorrect rule sort order (Message Delivery Component)

Description: You can define custom result matching rules in HTTP gateway definitions used for SMS and order them to match more specific gateway response messages first.

In some cases, the sort order shown in the MDC Configuration Utility is different from the order that is stored in the MDC configuration file. This can be confusing, since the result matching rules are effectively evaluated in the order actually stored in the MDC configuration file.

Status: This issue has been fixed.

Issue OAS-9396 (Support case CS0064817): Incorrect authenticator instance number audited

Description: When using multi-device licensing (MDL) authenticators for signature validation and multiple MDL instances exist, in some circumstances, an incorrect authenticator instance number is written to the audit.

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed. For authentication and signature validation using secure channel, the authentication application handling when preparing the respective requests was improved. The data written to the audit log has been unified:

  • If a single authenticator instance exists, the instance number is written to the audit.
  • If multiple authenticator instances exist, the license number is written to the audit.
  • If multiple authenticator licenses exist and either scan and login or scan and sign is used, a comma-separated list of licenses or instance numbers is written to the audit.

Issue OAS-6088 (Support case CS0043684): Error message when importing users with maker–checker authorization

Description: For practical reasons, you cannot import user records from a user import file if maker–checker authorization is enabled (because each imported user would need to be verified by a checker administrator). This is clearly described in the user documentation, but administrators can still attempt to import a user import file and then receive an error message.

Affects: OneSpan Authentication Server 3.22–3.26

Status: This issue has been fixed. You can no longer select USERS > Import if maker–checker authorization (for creating new user accounts) is enabled.

Issue OAS-3456 (Support case CS0020470): Offline activation decodes ineligible authenticators during auto-assignment

Description: When a user performs an authenticator activation and auto-assignment is activated, OneSpan Authentication Server randomly selects an available authenticator to prevent collisions during parallel assignment of authenticators.

During this process, it decodes the authenticator data to find an authenticator that can be assigned. In case of offline activation, OneSpan Authentication Server unnecessarily processes authenticators that are not applicable for offline activation at all, such as hardware authenticators.

In environments where a lot of hardware authenticators exist in the database, the hardware authenticators are processed before applicable authenticators (MDL) are. This can lead to high server load and higher response times in general.

Status: This issue has been fixed.

Deprecated components and features

EMV-CAP support (Disabled)

EMV-CAP is no longer supported, and its functionality has been removed. If you attempt to use EMV-CAP smart card readers or other EMV-CAP functionality, you will receive an EMV not supported error.

Any remaining references to EMV-CAP in the code base, UI, and documentation will be removed in a future release of OneSpan Authentication Server (currently planned for 3.28).

PDF documentation (Deprecated)

You can view the user documentation of most OneSpan products online already at https://docs.onespan.com/, and we plan to shift exclusively to online documentation.

This means that PDF documentation will be completely removed in future major releases of OneSpan Authentication Server (currently planned for 3.28).

Future platform support changes

This section summarizes planned and upcoming changes of supported platforms and other third-party products that will become effective in future versions. You are highly encouraged to plan and modify your deployments accordingly to allow future upgrades.

Version 3.28 (currently planned)

OneSpan Authentication Server 3.28 will no longer support the following products:

Operating systems

  • Red Hat Enterprise Linux (RHEL) 7, 64-bit
  • Ubuntu Server 18.04 LTS, 64-bit
  • Windows Server 2016

Known issues

Issue OAS-9159 (Support case CS0057804): Usability issues when two reports are started at the same time (Reporting)

Description: When two reports are started at the same time, e.g. with two different browsers, a (nonfunctional) download link for the second report will be available before the report task has even started. The corresponding report results cannot be accessed.

Affects: OneSpan Authentication Server 3.19 and later

Status: No fix available. To avoid this issue, do not run multiple reports at the same time.

Issue OAS-7856: Unable to install an ODBC deployment after uninstalling an AD deployment (Setup)

Description: When you uninstall an AD deployment of OneSpan Authentication Server and attempt to reinstall an ODBC deployment afterward, the setup behaves like an AD deployment and will fail in the last step.

Affects: OneSpan Authentication Server 3.18 and later (on Microsoft Windows)

Status: No fix available. Delete any leftover folders and files from the previous OneSpan Authentication Server deployment before you reinstall.

Issue OAS-7855 (Support cases CS0115168, CS0108075): Leftover registry subtree when uninstalling the embedded database (Setup)

Description: When you uninstall the embedded MariaDB database on Microsoft Windows 2016, the MariaDB setup leaves a registry subtree behind. Since the OneSpan Authentication Server Setup Utility uses that registry subtree to detect an existing MariaDB deployment, it will incorrectly indicate an external installation of MariaDB if you attempt to reinstall OneSpan Authentication Server afterward.

Affects: OneSpan Authentication Server 3.19 and later on Windows Server 2016

Status: No fix available. Delete the following registry subtree manually after you uninstalled the embedded MariaDB database:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MariaDB 10.6 (x64)]

Issue OAS-5605 (Support cases CS0039109, CS0046614): Issues with Chinese characters in XML and PDF reports (Web Administration Service)

Description: Chinese characters are not correctly displayed in XML and PDF reports.

Affects: OneSpan Authentication Server 3.12 and later

Status: This issue has been fixed for XML reports in OneSpan Authentication Server 3.21. The issue can still occur in PDF reports in case they contain characters that are not defined in the used PDF font. Workaround for PDF reports: Generate an HTML report and print it to PDF.

Issue OAS-4163 (Support case CS0030058): Cannot assign multiple authenticators to a single user in one step (Web Administration Service)

Description: The Assign DIGIPASS wizard allows you to assign authenticators to users. Although you can select multiple authenticators and multiple users, you can only assign exactly one authenticator to one user at a time. For instance, if you select two authenticators in the wizard, you need to specify two different user accounts, one user for each authenticator.

Affects: OneSpan Authentication Server 3.21 and later

Status: No fix available. To assign additional authenticators to a user, you need to run the Assign DIGIPASS wizard again.

Issue OAS-3761 (Support case CS0024326): Inaccessible authenticators proposed for manual assignment (Web Administration Service)

Description: The Assign DIGIPASS wizard allows you to explicitly select the authenticators to assign to multiple users (by selecting Search now to select DIGIPASS to assign in the Search DIGIPASS page). However, the Select DIGIPASS page may also show authenticators that are actually inaccessible to assign to the respective users, because they are in another domain than the users. If you select such an authenticator and continue, you will receive a "Failed to find available token for assignment." error.

This issue does not occur if you only select one user to assign an authenticator. In this case, the Select DIGIPASS page correctly shows only authenticators in the same domain as the user account.

Affects: OneSpan Authentication Server 3.21 and later

Status: No fix available. Ensure that you explicitly select only authenticators that are in the same domain as the users you selected to assign an authenticator.

Issue OAS-3455 (Support case CS0021350): Audit Viewer shows incorrect error message when loading a text audit file

Description: When you open a text audit file in Audit Viewer, the application loads and processes the complete text audit file in batches that are continuously added to the audit message list. Each batch takes a while to process, but there is no indication whether loading the complete audit file has been finished yet.

If you deselect and select the Auto Scroll Down box while the file is still being processed, you may receive a "No more new messages to display" error message.

Affects: OneSpan Authentication Server 3.22 and later

Status: No fix or workaround available.

Issue 83511: HSM driver must be manually configured on Linux

Description: When integrating a hardware security module (HSM) with OneSpan Authentication Server, you will need to configure the HSM driver before you install OneSpan Authentication Server. On all Linux distributions using the UNIX System V operating system, the HSM driver must be configured for communication with OneSpan Authentication Server because the script created upon driver installation does not automatically start the system service.

Affects: OneSpan Authentication Server 3.6 and later

Status: No fix available. Workaround: replace the init.d file created during driver installation with the system.d file in the corresponding link. Refer to the OneSpan Authentication Server Installation Guide for Linux for detailed instructions.

Issue 58722: Mobile Authenticator Studio timeshift no longer supported

Description: When the Timeshift feature of Mobile Authenticator Studio is used, it causes the offline data to become invalid. The option to set a timeshift for Mobile Authenticator Studio authenticators is no longer supported. This feature is outdated and has become obsolete because mobile devices are now correctly synchronized with OneSpan Authentication Server at shorter intervals.

Affects: OneSpan Authentication Server 3.6 and later

Status: Do not use the Mobile Authenticator Studio Timeshift feature, to prevent the offline data from becoming invalid.

Issue 48452 (Support case PS-144964): Multiple authentication and accounting ports on OneSpan Authentication Server (RADIUS communicator)

Description: OneSpan Authentication Server allows for the configuration of two RADIUS authentication ports and two RADIUS accounting ports. By default, one authentication port and one accounting port are specified. The second ports can only be edited in the configuration file of OneSpan Authentication Server, not directly in the Administration Web Interface.

Affects: OneSpan Authentication Server 3.5 and later

Status: If a second authentication and/or a second accounting port for the RADIUS Communicator will be used, the port specifications need to be edited in the identikeyconfig.xml file.

Issue 46294 (Support case PS-141029): SafeNet HSM mode setup causes installation failure (OneSpan Authentication Server Setup)

Description: Deployments of OneSpan Authentication Server with Thales ProtectServer HSM only support HSMs that run in Normal mode. If the HSM is run in High Availability or Workload Distribution mode, the installation of OneSpan Authentication Server fails.

Affects: OneSpan Authentication Server 3.6 and later

Status: The Thales ProtectServer HSM must be run in Normal mode, i.e. ET_PTKC_GENERAL_LIBRARY_MODE must be set to NORMAL.

Issue 42477: OneSpan Authentication Server SNMP agent persistent data storage (OneSpan Authentication Server Linux installation script)

Description: The OneSpan Authentication Server SNMP agent cannot store its persistent data (e.g. EngineBoots, EngineID), as the default persistent directory is not created by the installation script. By default, the SNMP agent stores its persistent data in the /var/net-snmp directory.

Affects: OneSpan Authentication Server on Ubuntu Server with the vasco-netsnmp package installed.

Status: A /var/net-snmp directory must be created and the vasco-ias user must have write access to this directory. If this directory does not exist and/or the vasco-ias user does not have write access to it, the EngineID and related information used by the OneSpan Authentication Server SNMP agent will not be persistent. This may result in issues on the machine that receives SNMP TRAPv3 traps from OneSpan Authentication Server.

Issue 41616: Self-signed certificates created by Microsoft Internet Information Services (IIS) cannot be used (Message Delivery Component (MDC))

Description: When trying to configure email delivery with SSL/TLS using a self-signed certificate created using Microsoft Internet Information Services (IIS) and converted to PEM format using OpenSSL, MDC cannot recognize a valid self-signed certificate and displays an error message. This is caused by the OpenSSL library. In some circumstances, the OpenSSL application itself may display an "Unable to get local issuer certificate (20)" error message.

Affects: All platforms.

Status: No fix available. This is a compatibility issue between OpenSSL and Microsoft IIS. Do not use self-signed certificates generated using Microsoft IIS.

Issue 25333: Undefined TEMP path not supported

Description: A Windows installation will fail if the TEMP environmental variable is undefined or empty.

Affects: All Windows platforms.

Status: No fix available.

