- 17 Jan 2025
Version 3.27 (Upcoming 2025)
Release information
Supported operating systems
OneSpan Authentication Server 3.26 supports the following operating systems:
Microsoft Windows
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
Linux
- Red Hat Enterprise Linux (RHEL) 9, 64-bit
- Red Hat Enterprise Linux (RHEL) 8, 64-bit
- Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.9)
- Rocky Linux 9, 64-bit
- Rocky Linux 8, 64-bit
- Ubuntu Server 22.04 LTS, 64-bit
- Ubuntu Server 20.04 LTS, 64-bit
- Ubuntu Server 18.04 LTS, 64-bit
Supported ODBC databases
MariaDB 10.11.5 (included as embedded database)
If you install the embedded MariaDB database, the DBeaver 23.3.0 database tool is also installed.
OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.
Oracle Database 19c
OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).
Microsoft SQL Server
- Microsoft SQL Server 2022
- Microsoft SQL Server 2019
- Microsoft SQL Server 2017
- Microsoft SQL Server 2016
OneSpan Authentication Server supports the SQL Server AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2022, 2019, 2017, and 2016.
OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.
OneSpan Authentication Server supports the following ODBC drivers:
- Microsoft ODBC Driver 18 for SQL Server
- Microsoft ODBC Driver 17 for SQL Server
- Microsoft ODBC Driver 13.1 for SQL Server
Supported browsers (Administration Web Interface)
The Administration Web Interface supports the following browsers:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
The Administration Web Interface supports all browser versions currently supported by the respective vendors.
Supported web servers (Administration Web Interface)
The Administration Web Interface can be run on these web application servers (based on the respective JRE):
Apache Tomcat 9.0–9.0.90 (included)
- Oracle Server Java Runtime Environment 11
- Azul Zulu 11 (included)
- Open Liberty (tested with 23.0.0.3-full-java11-openj9)
- WebSphere Liberty (tested with 23.0.0.2-full-java11-openj9-ubi)
The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for Open Liberty and WebSphere Liberty for manual deployment.
Other new third-party products
Software libraries
The software library lists are not exhaustive, but include the most notable and critical updates only. For a complete overview, refer to the third-party dependency files included with the installed product.
OneSpan Authentication Server now includes the following (updated) third-party libraries:
- Boost C++ libraries 1.85
- curl 8.11
  Fixes: CVE-2023-46219, CVE-2023-46218
- libpng 1.6.44
  Fixes: CVE-2019-7317
- libxml2 2.13.5
  Fixes: CVE-2024-25062, CVE-2023-45322
- OpenLDAP 2.5.19 LTS
  Fixes: CVE-2022-29155
- OpenSSL 3.0.15
  Fixes: CVE-2024-0727, CVE-2023-6129, CVE-2023-5678, CVE-2023-5363, CVE-2023-4807, CVE-2023-3817, CVE-2023-2975
- POCO C++ libraries 1.13.3
  Fixes: CVE-2023-52389, CVE-2017-1000472
- zlib 1.3.1
  Fixes: CVE-2023-45853, CVE-2022-37434
OneSpan authentication platform
OneSpan Authentication Server 3.25 integrates and uses OneSpan Authentication Server Framework 3.22.
Upgrade path
OneSpan Authentication Server supports direct upgrades from 3.24 or 3.26 to version 3.27 on the supported operating systems.
OneSpan Authentication Server | ||||||
---|---|---|---|---|---|---|
3.27 | 3.26 | 3.25 | 3.24 | 3.23 | 3.22 | |
Operating systems | ||||||
Windows 2022 | ✓ | ✓ | ✓ | ✓ | ||
Windows 2019 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Windows 2016 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Windows 2012 R2 | ✓ | ✓ | ✓ | |||
Windows 2012 | ✓ | ✓ | ✓ | |||
CentOS 7 | ✓ | ✓ | ✓ | ✓ | ||
CentOS 6 | ✓ | |||||
RHEL 9 | ✓ | ✓ | ||||
RHEL 8 | ✓ | ✓ | ✓ | ✓ | ✓ | |
RHEL 7 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
RHEL 6 | ✓ | |||||
Rocky Linux 9 | ✓ | ✓ | ||||
Rocky Linux 8 | ✓ | ✓ | ||||
Ubuntu 22.04 | ✓ | ✓ | ||||
Ubuntu 20.04 | ✓ | ✓ | ✓ | ✓ | ✓ | |
Ubuntu 18.04 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Ubuntu 16.04 | ✓ | |||||
Database management systems | ||||||
MariaDB 10 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Oracle DB 19c | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Oracle DB 18c | ✓ | ✓ | ✓ | |||
Oracle DB 12c | ✓ | ✓ | ✓ | |||
SQL Server 2022[1] | ✓ | ✓ | ||||
SQL Server 2019[1] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
SQL Server 2017[1] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
SQL Server 2016[1] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
SQL Server 2014[1] | ✓ | ✓ | ✓ | ✓ | ||
SQL Server 2012[1] | ✓ | ✓ | ✓ |
[1] Windows only
New features and enhancements
Bulk cleanup of unused authenticator instances (Web Administration Service)
The Administration Web Interface now provides a new Bulk Cleanup DIGIPASS Instances wizard to delete all unused authenticator instances based on certain search criteria. This allows you to clean up and purge unused authenticator data regularly in bulk to maintain clarity and avoid performance degradation issues.
An authenticator instance is considered unused if another authenticator instance for the same authenticator license exists, which uses the same DIGIPASS Push Notification Identifier (PNID) but has a higher sequence number.
The command schedules a server task that processes the authenticator instances in the specified search range. Administrators need the new Bulk Cleanup DIGIPASS Data privilege to use the new command.
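The rule for "unused" can be previewed offline before scheduling a cleanup. The following is an added example, not OneSpan code: the record layout, field names and sample data are assumptions, and treating an instance without a PNID as never matching is also an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Instance:
    # Hypothetical record layout; field names are assumptions, not the product schema.
    license_serial: str      # authenticator license the instance belongs to
    sequence: int            # instance sequence number
    pnid: Optional[str]      # DIGIPASS Push Notification Identifier, if any


def unused_instances(instances):
    """Return the instances superseded by a higher-sequence instance that has
    the same license and the same PNID (the rule stated above)."""
    highest = defaultdict(lambda: -1)
    for inst in instances:
        if inst.pnid:  # assumption: an instance without a PNID never matches
            key = (inst.license_serial, inst.pnid)
            highest[key] = max(highest[key], inst.sequence)
    return [
        inst for inst in instances
        if inst.pnid and inst.sequence < highest[(inst.license_serial, inst.pnid)]
    ]


# Constructed sample data.
SAMPLE = [
    Instance("LIC-0001", 1, "pnid-A"),   # superseded by sequence 3: unused
    Instance("LIC-0001", 2, "pnid-B"),   # only instance with pnid-B: kept
    Instance("LIC-0001", 3, "pnid-A"),   # newest for pnid-A: kept
    Instance("LIC-0002", 1, "pnid-A"),   # same PNID, other license: kept
    Instance("LIC-0002", 2, None),       # no PNID: kept
]

if __name__ == "__main__":
    for inst in unused_instances(SAMPLE):
        print("unused:", inst)
```

Two instances with equal sequence numbers are both kept, because neither has a higher sequence number than the other.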
Improved HTTP parameter configuration for SMS gateways (Message Delivery Component)
The message parameter configuration and handling of HTTP gateways for SMS has been improved in Message Delivery Component (MDC):
- Custom HTTP header fields. MDC now allows you to add custom HTTP header fields to requests that are sent to SMS gateways.
- Improved request parameter configuration. The MDC Configuration Utility now allows you to configure the request parameters more conveniently. You can now specify HTTP header fields, query string parameters, and body request parameters in separate key–value pair lists.
- JSON structures. You can now set the content type encoding of the message data sent to the gateway. Depending on the requirements of the SMS gateway, you can set it either to use plain text (as before) or JSON. The response handling was improved to support response matching rules using valid JSON structures.
Limit concurrent administrative sessions per user
You can now limit the maximum number of interactive administrative sessions allowed to run at one time per user. This option supplements the existing global limit of concurrent interactive sessions. The limit applies to all interactive administrative sessions, e.g. Administration Web Interface and Tcl Command-Line Administration tool. It does not apply to non-interactive service user sessions.
Furthermore, you can also specify what should happen when a new session is initiated but the number of concurrent sessions of a user exceeds the limit (either invalidate the oldest session or deny the logon).
By default, the session limit per user is disabled.
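The two overflow actions have different effects on sessions that are already open. The following is an added model of the described policy, not OneSpan code: all class, constant and user names are hypothetical, and the global session limit is not modeled.

```python
import itertools
from dataclasses import dataclass, field

INVALIDATE_OLDEST = "invalidate-oldest"   # hypothetical setting names
DENY_LOGON = "deny-logon"


@dataclass
class SessionLimiter:
    per_user_limit: int = 0            # 0 = disabled, the default described above
    on_exceed: str = DENY_LOGON
    sessions: dict = field(default_factory=dict)   # user -> session ids, oldest first
    _ids: itertools.count = field(default_factory=lambda: itertools.count(1))

    def logon(self, user, interactive=True):
        """Return (new session id or None if denied, invalidated session ids)."""
        if not interactive:
            return next(self._ids), []   # service user sessions are not counted
        active = self.sessions.setdefault(user, [])
        evicted = []
        if self.per_user_limit and len(active) >= self.per_user_limit:
            if self.on_exceed == DENY_LOGON:
                return None, []          # existing sessions stay untouched
            while len(active) >= self.per_user_limit:
                evicted.append(active.pop(0))   # drop the oldest session first
        sid = next(self._ids)
        active.append(sid)
        return sid, evicted


def demo():
    """Third interactive logon for one user under a limit of 2, per policy."""
    deny = SessionLimiter(per_user_limit=2, on_exceed=DENY_LOGON)
    evict = SessionLimiter(per_user_limit=2, on_exceed=INVALIDATE_OLDEST)
    results = {}
    for name, limiter in (("deny", deny), ("evict", evict)):
        limiter.logon("admin")
        limiter.logon("admin")
        results[name] = limiter.logon("admin")
    # Constructed service account name; non-interactive sessions bypass the limit.
    results["service"] = deny.logon("svc-report", interactive=False)
    return results


if __name__ == "__main__":
    print(demo())
```

With "deny logon", whoever already holds the sessions keeps them and the newcomer is refused; with "invalidate oldest", the newcomer always gets in and the oldest session is ended, which is worth alerting on in audit logs.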
AES encryption of sensitive configuration data (Web Administration Service)
Sensitive configuration data used by the Administration Web Interface, such as the Java keystore password, is encrypted.
To improve security, the encryption algorithm has been changed: sensitive configuration data is now encrypted using AES-256 by default. If you upgrade an existing deployment, the sensitive configuration values, such as the Java keystore password, stored with the old encryption are retained and can still be read. If you change the values after the upgrade, the new values will automatically be encrypted using AES-256.
Known issues
Issue OAS-9159 (Support case CS0057804): Usability issues when two reports are started at the same time (Reporting)
Description: When two reports are started at the same time, e.g. with two different browsers, a (nonfunctional) download link for the second report will be available before the report task has even started. The corresponding report results cannot be accessed.
Affects: OneSpan Authentication Server 3.19 and later
Status: No fix available. To avoid this issue, do not run multiple reports at the same time.
Issue OAS‑7856: Unable to install an ODBC deployment after uninstalling an AD deployment (Setup)
Description: When you uninstall an AD deployment of OneSpan Authentication Server and attempt to reinstall an ODBC deployment afterward, the setup behaves like an AD deployment and will fail in the last step.
Affects: OneSpan Authentication Server 3.18 and later (on Microsoft Windows)
Status: No fix available. Delete any leftover folders and files from the previous OneSpan Authentication Server deployment before you reinstall.
Issue OAS‑7855 (Support cases CS0115168, CS0108075): Leftover registry subtree when uninstalling the embedded database (Setup)
Description: When you uninstall the embedded MariaDB database on Microsoft Windows 2016, the MariaDB setup leaves a registry subtree behind. Since the OneSpan Authentication Server Setup Utility uses that registry subtree to detect an existing MariaDB deployment, it will incorrectly indicate an external installation of MariaDB if you attempt to reinstall OneSpan Authentication Server afterward.
Affects: OneSpan Authentication Server 3.19 and later on Windows Server 2016
Status: No fix available. Delete the following registry subtree manually after you have uninstalled the embedded MariaDB database:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MariaDB 10.6 (x64)]
Issue OAS-5605 (Support cases CS0039109, CS0046614): Issues with Chinese characters in XML and PDF reports (Web Administration Service)
Description: Chinese characters are not correctly displayed in XML and PDF reports.
Affects: OneSpan Authentication Server 3.12 and later
Status: This issue has been fixed for XML reports in OneSpan Authentication Server 3.21. The issue can still occur in PDF reports if they contain characters that are not defined in the PDF font used. Workaround for PDF reports: Generate an HTML report and print it to PDF.
Issue OAS-4163 (Support case CS0030058): Cannot assign multiple authenticators to a single user in one step (Web Administration Service)
Description: The Assign DIGIPASS wizard allows you to assign authenticators to users. Although you can select multiple authenticators and multiple users, you can only assign exactly one authenticator to one user at a time. For instance, if you select two authenticators in the wizard, you need to specify two different user accounts, one user for each authenticator.
Affects: OneSpan Authentication Server 3.21 and later
Status: No fix available. To assign additional authenticators to a user, you need to run the Assign DIGIPASS wizard again.
Issue OAS-3761 (Support case CS0024326): Inaccessible authenticators proposed for manual assignment (Web Administration Service)
Description: The Assign DIGIPASS wizard allows you to explicitly select the authenticators to assign to multiple users (by selecting Search now to select DIGIPASS to assign in the Search DIGIPASS page). However, the Select DIGIPASS page may also show authenticators that are actually inaccessible to assign to the respective users, because they are in another domain than the users. If you select such an authenticator and continue, you will receive a "Failed to find available token for assignment." error.
This issue does not occur if you only select one user to assign an authenticator. In this case, the Select DIGIPASS page correctly shows only authenticators in the same domain as the user account.
Affects: OneSpan Authentication Server 3.21 and later
Status: No fix available. Make sure to explicitly select only authenticators that are in the same domain as the users you selected for assignment.
Issue OAS-3455 (Support case CS0021350): Audit Viewer shows incorrect error message when loading a text audit file
Description: When you open a text audit file in Audit Viewer, the application loads and processes the complete text audit file in batches that are continuously added to the audit message list. Each batch takes a while to process, but there is no indication whether loading the complete audit file has been finished yet.
If you deselect and select the Auto Scroll Down box while the file is still being processed, you may receive a "No more new messages to display" error message.
Affects: OneSpan Authentication Server 3.22 and later
Status: No fix or workaround available.
Issue 83511: HSM driver must be manually configured on Linux
Description: When integrating a hardware security module (HSM) with OneSpan Authentication Server, you will need to configure the HSM driver before you install OneSpan Authentication Server. On all Linux distributions using the UNIX System V operating system, the HSM driver must be configured for communication with OneSpan Authentication Server because the script created upon driver installation does not automatically start the system service.
Affects: OneSpan Authentication Server 3.6 and later
Status: No fix available. Workaround: replace the init.d file created during driver installation with the system.d file in the corresponding link. Refer to the OneSpan Authentication Server Installation Guide for Linux for detailed instructions.
Issue 58722: Mobile Authenticator Studio timeshift no longer supported
Description: When the Timeshift feature of Mobile Authenticator Studio is used, it causes the offline data to become invalid. The option to set a timeshift for Mobile Authenticator Studio authenticators is no longer supported. This feature is outdated and has become obsolete because mobile devices are now correctly synchronized with OneSpan Authentication Server at shorter intervals.
Affects: OneSpan Authentication Server 3.6 and later
Status: Do not use the Mobile Authenticator Studio Timeshift feature, to prevent the offline data from becoming invalid.
Issue 48452 (Support case PS-144964): Multiple authentication and accounting ports on OneSpan Authentication Server (RADIUS communicator)
Description: OneSpan Authentication Server allows for the configuration of two RADIUS authentication ports and two RADIUS accounting ports. By default, one authentication port and one accounting port are specified. The second ports can only be edited in the configuration file of OneSpan Authentication Server, not directly in the Administration Web Interface.
Affects: OneSpan Authentication Server 3.5 and later
Status: If a second authentication and/or a second accounting port for the RADIUS Communicator will be used, the port specifications need to be edited in the identikeyconfig.xml file.
Issue 46294 (Support case PS-141029): SafeNet HSM mode setup causes installation failure (OneSpan Authentication Server Setup)
Description: Deployments of OneSpan Authentication Server with Thales ProtectServer HSM only support HSMs that run in Normal mode. If the HSM is run in High Availability or Workload Distribution mode, the installation of OneSpan Authentication Server fails.
Affects: OneSpan Authentication Server 3.6 and later
Status: The Thales ProtectServer HSM must be run in Normal mode, i.e. ET_PTKC_GENERAL_LIBRARY_MODE must be set to NORMAL.
Issue 42477: OneSpan Authentication Server SNMP agent persistent data storage (OneSpan Authentication Server Linux installation script)
Description: The OneSpan Authentication Server SNMP agent cannot store its persistent data (e.g. EngineBoots, EngineID), as the default persistent directory is not created by the installation script. By default, the SNMP agent stores its persistent data in the /var/net-snmp directory.
Affects: OneSpan Authentication Server on Ubuntu Server with the vasco-netsnmp package installed.
Status: A /var/net-snmp directory must be created and the vasco-ias user must have write access to this directory. If this directory does not exist and/or the vasco-ias user does not have write access to it, the EngineID and related information used by the OneSpan Authentication Server SNMP agent will not be persistent. This may result in issues on the machine that receives SNMP TRAPv3 traps from OneSpan Authentication Server.
Issue 41616: Self-signed certificates created by Microsoft Internet Information Services (IIS) cannot be used (Message Delivery Component (MDC))
Description: When trying to configure email delivery with SSL/TLS using a self-signed certificate created using Microsoft Internet Information Services (IIS) and converted to PEM format using OpenSSL, MDC cannot recognize a valid self-signed certificate and displays an error message. This is caused by the OpenSSL library. In some circumstances, the OpenSSL application itself may display an "Unable to get local issuer certificate (20)" error message.
Affects: All platforms.
Status: No fix available. This is a compatibility issue between OpenSSL and Microsoft IIS. Do not use self-signed certificates generated using Microsoft IIS.
Issue 25333: Undefined TEMP path not supported
Description: A Windows installation will fail if the TEMP environment variable is undefined or empty.
Affects: All Windows platforms.
Status: No fix available.