Version 3.22 (October 2021)

OneSpan Authentication Server 3.22 supports the following operating systems:

Microsoft Windows

• Windows Server 2019

  Windows Server 2019 is supported in deployments where OneSpan Authentication Server uses an ODBC data store (e.g. the embedded MariaDB database). Windows Server 2019 is currently not supported with Active Directory (AD) as data store.

• Windows Server 2016

• Windows Server 2012 R2 Essentials

• Windows Server 2012 Essentials

• Windows Server 2012 R2

• Windows Server 2012

Linux

• CentOS 7, 64-bit (version 7.8 and later)

• CentOS 6, 64-bit (version 6.10 and later)

• Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.8 and later)

• Red Hat Enterprise Linux (RHEL) 6, 64-bit (version 6.10 and later)

• Ubuntu Server 18.04 LTS, 64-bit

• Ubuntu Server 16.04 LTS, 64-bit

• MariaDB 10.2–10.4

  OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.

• Oracle Database 19c, 18c, and 12c

  OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).

• Microsoft SQL Server

  • Microsoft SQL Server 2019 [NEW]

  • Microsoft SQL Server 2017

  • Microsoft SQL Server 2016

  • Microsoft SQL Server 2014

  • Microsoft SQL Server 2012 Service Pack 4

  OneSpan Authentication Server supports the SQLServer AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2019, 2017, 2016, 2014, and 2012 Service Pack 4.

  OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.

  OneSpan Authentication Serversupports the following ODBC drivers:

  • Microsoft ODBC Driver 17 for SQL Server

  • Microsoft ODBC Driver 13.1 for SQL Server

  • Microsoft ODBC Driver 11 for SQL Server

The Administration Web Interface supports the following browsers:

• Google Chrome

• Mozilla Firefox

• Microsoft Edge

• Internet Explorer

The Administration Web Interface supports all browser versions currently supported by the respective vendors.

The Administration Web Interface can be run on these web application servers:

• Apache Tomcat 9.0–9.0.48 [NEW]

  • Oracle Server Java Runtime Environment 8

  • Azul Zulu 8

• IBM WebSphere Application Server 8.5.5

  • IBM WebSphere SDK Java Technology Edition 8.0

  The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for IBM WebSphere EE for manual deployment.

OneSpan Authentication Server supports direct upgrades from 3.18 or 3.21 to version 3.22 on the supported operating systems.

OneSpan Authentication Server now allows you to restrict the maximum number of assigned authenticators per user for specific authenticator types. The new authenticator limit is configured via a new policy setting (DIGIPASS Assignment > DIGIPASS Type Limit). By default, no limit is set. For single-device licensing, it is possible to limit the number of assigned authenticators; for multi-device activation/multi-device licensing the setting limits the number of assigned authenticator licenses and activated authenticator instances.

If you need to have more than one authenticator provided to your users, you should still limit the number to avoid having too many authenticators (and/or instances) assigned or activated for single users.

You can now delete authenticators via the Manage User page of the Administration Web Interface. A new DELETE button has been added to the Assigned DIGIPASS tab, which can be useful in situations where you need to delete a user's authenticator but you do not know the serial number, e.g. when a user loses their authenticator.

The administrator level of users is now included as a separate column in the User list and the Admin session list of the Administration Web Interface. In the Admin session list it indicates the administrator level of the user owning the respective administrator session. For regular users the respective value is left empty.

A new command has been added to remove old finished tasks. This allows you to clean up the task list and remove completed tasks regularly to maintain clarity and avoid performance issues with the task management.

The command is available in the Administration Web Interface via SERVERS > Delete Finished Tasks. It takes the age in days of the finished tasks to be deleted as parameter. All finished tasks with an end date (completion) older or equal than this value will be deleted. The command schedules a server task itself that processes the server task table. If required, the cleanup task can be configured to recur on a daily or monthly basis.

If you attempt to delete a user who owns any report, report file, or server task, or is the target of a pending operation, OneSpan Authentication Server refuses to delete it. The validation when deleting a user account has been improved. If you delete a user under the aforementioned conditions, you will receive an error message listing the number of connected objects. The respective SOAP operation now returns STAT_INUSE (–20) as status code. This information will also be shown by Web Administration Service.

If maker–checker authorization is enabled, the validation is performed twice, once before the respective pending operation is scheduled and again when it is executed after approval.

The embedded Java Runtime Environment (JRE) deployed by the Web Administration Service setup packages has been replaced. Instead of Oracle Java, Web Administration Service now uses Azul Zulu (OpenJDK).

Description: SQLite performance issues affect the replication between multiple OneSpan Authentication Server instances and increase the replication backlog.

Affects: OneSpan Authentication Server 3.21

Status: This issue has been fixed.

Description: According to the OneSpan Authentication Server Administrator Reference and the Administration Web Interface Help, an administrator account expires by default after 90 days of inactivity. This information is misleading because the default setting of 90 days applies to all user accounts (not only administrator accounts).

Affects: OneSpan Authentication Server 3.17–3.21

Status: The documentation has been updated.

Description: A potential memory issue affecting administrative operations has been identified. In some environments this can lead to growing memory usage.

Especially in scenarios that involve LDAP user synchronization, OneSpan Authentication Server memory usage can grow rapidly. The consumed memory is not released after synchronization has completed.

Affects: OneSpan Authentication Server 3.17–3.21 (with LDAP Synchronization Tool)

Status: This issue has been fixed.

Description: When upgrading an existing deployment using Oracle Database, the ODBC Database Command-Line Utility (dpdbadmin) evaluates the value of NLS_CHARACTERSET. If this parameter is set to AL32UTF8, new text columns will be created as VARCHAR2 or CLOB (depending on the column size). This can lead to issues during upgrades if the existing text table columns were created as NVARCHAR2 or NCLOB. This issue is indicated by error messages such as "ORA-02267: column type incompatible with referenced column type" in the trace file.

Usually, this is only the case if the initial database has been created using the NVARCHAR2 type and NLS_CHARACTERSET was changed later to AL32UTF8.

Affects: OneSpan Authentication Server 3.10–3.21

Status: This issue has been fixed. The dpdbadmin command now verifies whether a value for string_type is set in the vdsControl table (cf. Issues OAS‑336, 95862 (Support case PS‑203002): Performance issues during Oracle Database queries). This value is set by the dpdbadmin command itself if it does not already exist based on NLS_CHARACTERSET. If it is already set, it will be used regardless of the value of NLS_CHARACTERSET.

If you want to upgrade an existing deployment that uses NVARCHAR2 columns, but NLS_CHARACTERSET is set to use VARCHAR2, you can manually set vdsControl.string_type to wchar to force NVARCHAR2 for new columns before you upgrade to OneSpan Authentication Server 3.22.

If string_type is set to wchar, the dpdbadmin addschema command automatically converts all existing columns from VARCHAR2 to NVARCHAR2 and from CLOB to NCLOB, respectively. This conversion cannot be reverted! Do not set string_type manually, unless you need to do so as described!

Description: When a user attempts an authentication via push notification (push and login) with a user account that is linked to another account, the push notification is correctly sent. Since the user and domain information in the notification is different, the request is rejected by the mobile app and the authentication process fails.

Affects: OneSpan Authentication Server 3.12–3.21 (Mobile app on Android devices)

Status: This issue has been fixed.

Description: When you attempt to assign an authenticator you can specify a range of serial numbers to automatically pick an authenticator from that range. However, the serial number range is incorrectly evaluated if any of the range parameters specifies either a serial number that contains alphabetic character prefixes, e.g. VDS0000001, or a number larger than 2147483648. In either case, the first authenticator found in the database is used for assignment, regardless of its serial number.

Affects: OneSpan Authentication Server 3.12–3.21

Status: This issue has been fixed.

Description: If Web Administration Service attempts to connect to OneSpan Authentication Server via the FQDN, but the TLS/SSL certificate for SOAP connections is issued for the IP address only (or vice versa), the connection cannot be established. You will receive an error that the certificate does not match the common name of the certificate subject.

Affects: OneSpan Authentication Server 3.21

Status: In version 3.21, the certificate handling has been improved, the host name specified in the TLS/SSL certificate is now correctly verified by Web Administration Service. The server address used to connect to the OneSpan Authentication Server instance (either IP address or FQDN) must match the common name or the subject alternative name (SAN) in the TLS/SSL certificate for SOAP connections.

The self-signed TLS/SSL certificates created by the OneSpan Authentication Server Configuration Wizard contain only the IP address in the subject alternative name (SAN). If you need to use the FQDN when establishing the connection, you have to create a certificate that contains the FQDN in the SAN.

The user documentation has been extended to explain this now correct behavior.

Description: When you create a task that should run with a daily recurrence on only one particular day of the week, the time of the next execution run is incorrectly calculated. This miscalculation causes the task to run every minute on the particular day of the week.

Status: This issue has been fixed.

Description: Dialog boxes in the Administration Web Interface are no longer opened in a separate browser window but are now displayed as an overlay on the same browser page (lightbox pop-up). Issues with pop-up blocker software will no longer occur.

Description: When you import authenticators from a DIGIPASS import file (.csv) the value of the description column is ignored and not written to the description of the authenticator record in the database.

Affects: OneSpan Authentication Server 3.21

Status: This issue has been fixed.

Description: The instructions to create an ODBC data source name for MariaDB in the OneSpan Authentication Server Installation Guide for Linux are incomplete. OPTIONS=2 is a mandatory option to be added to odbc.ini, but it is not documented.

Affects: OneSpan Authentication Server 3.12–3.21

Status: The documentation has been updated.

Description: When an organizational unit (OU) administrator attempts to move a user account from the same OU to a child OU, the command fails. An error message in the trace file incorrectly indicates that the administrator does not have access to the top-level domain, which is not required in this case anyway.

Status: This issue has been fixed.

Description: The Message Delivery Component (MDC) service cannot send one-time password (OTP) notifications via an SMTP host that requires SSL encryption. Attempts to do so will fail. This issue is indicated by messages like "A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision." in the trace file. This issue occurs on Windows only, the Linux version of MDC is not affected.

Affects: OneSpan Authentication Server 3.19–3.20 (on Windows)

Status: This issue has been fixed.

Description: In environments with user accounts and authenticators in different organizational units (OU), provisioning using auto-assignment can fail. OneSpan Authentication Server attempts to assign the first authenticator based on the alphabetically sorted serial number, independent of the authenticator's location. If that authenticator is in an organizational unit inaccessible to the user, the assignment process will fail, although a valid authenticator is present in an accessible OU.

Affects: OneSpan Authentication Server 3.16–3.21

Status: This issue has been fixed.

Description: The Set Authentication Policy Overrides administrative privilege is not correctly evaluated for global administrators in some circumstances. This allows global administrators without that specific administrative privilege to modify user-specific settings and override the effective client policy settings via the USERS > Policy Overrides tab.

Affects: OneSpan Authentication Server 3.12–3.21

Status: This issue has been fixed.

Description: As of OneSpan Authentication Server 3.21 it is possible to upload and process a DIGIPASS import file (CSV) via the Administration Web Interface directly. To help administrators to inspect the file structure and prepare such files themselves more easily, a couple of sample files are now included on the product CD.

Description: When OneSpan Authentication Server is upgraded to a newer product version, the server policy is changed to Identikey Administration Logon.

Affects: OneSpan Authentication Server 3.20–3.21.x

Status: This issue has been fixed.

Description: If upgrading OneSpan Authentication Server involves an upgrade of the embedded MariaDB database server, the database settings for the upgraded system may be different from the previous installation. This is due to multiple my.ini files after a MariaDB upgrade. OneSpan Authentication Server uses the settings from the old installation.

Affects: OneSpan Authentication Server 3.20–3.21.x

Status: This issue has been fixed. OneSpan Authentication Server now uses the my.ini file of the new product version. In addition, the OneSpan Authentication Server Installation Guide for Windows has been updated and now includes instructions to verify and adapt the MariaDB custom settings in my.ini after each upgrade.

Description: Log rotation that has been configured using the OneSpan Authentication Server Configuration Utility cannot be maintained in the Administration Web Interface. Opening the log rotation settings in the Administration Web Interface (SYSTEM > Server Configuration > Edit) results in an exception.

Affects: OneSpan Authentication Server 3.20–3.21

Status: This issue has been fixed.

Description: When creating a new date filter in Audit Viewer, an error message is displayed which indicates that the date format is not correct. The error message does not contain information about the supported date format.

Affects: OneSpan Authentication Server 3.20-3.21

Status: This issue has been fixed. Audit Viewer and OneSpan Authentication Server only accept dates in the format YYYY-MM-DD. The error message has been updated to provide information about the supported date format.

Description: When you attempt to assign an authenticator you can specify a range of serial numbers. If maker–checker authorization is enabled and the range of serial numbers contains non-existent authenticators, you get an error message that a foreign key constraint is violated. No pending operation is scheduled. A workaround is to specify a valid serial number range containing existent authenticators or to use the Search now to select DIGIPASS to assign option in the Assign DIGIPASS wizard.

Affects: OneSpan Authentication Server 3.12–3.21

Status: This issue has been fixed.

Description: In some circumstances, the OneSpan Authentication Server service cannot properly recover if the connection to the ODBC database is lost and the service attempts to reconnect bad nodes. This issue is indicated by an info message in the trace file: "Not attempting a reconnect, next try allowed earliest at 1969-12-31 23:59:59"

Affects: OneSpan Authentication Server 3.18–3.21

Status: This issue has been fixed.

Description: The Push Notification Getting Started Guide contains unclear information about the steps which are required to set up deployments that target the OneSpan Mobile Authenticator app. This also includes misleading information about the DIGIPASS Gateway API keys, how to configure your firewall, and which OneSpan Authentication Server client components to use.

Status: The documentation has been updated.

Description: Sorting in the Reports list does not work correctly. If you select to sort by report name, the report list is actually sorted by the internal report ID instead of the displayed report name. Sorting by any column does not take letter casing into consideration. Both can lead to incorrect and unexpected sorting results.

Status: This issue has been fixed. The Reports list is now correctly sorted by the report name and casing is handled correctly.

Description: If the log size is set to a value greater than 1 GB, log rotation will not work properly.

Affects: OneSpan Authentication Server 3.17–3.21

Status: This issue has been fixed.

Description: Scheduled tasks are not removed from the database when they are completed. This can lead to a large number of finished tasks if they are scheduled but not removed regularly. However, OneSpan Authentication Server queries the tasks once a minute to update their progress and state information. In some environments this can yield higher resource consumption after some time and lead to delayed response times, in the worst case to replication failures.

Affects: OneSpan Authentication Server 3.15–3.21

Status: This area of issues has been improved in several steps:

• In OneSpan Authentication Server 3.22, a new command has been added to remove old finished tasks. This allows you to clean up the task list and remove completed tasks regularly to maintain clarity and avoid performance issues with the task management.

• In OneSpan Authentication Server 3.21, the Task Management page of the Administration Web Interface has been improved to filter the task list based on search criteria for most columns and sort it by different columns.

• In OneSpan Authentication Server 3.20, the affected queries have been optimized.

Description: Deleting an administrative user account is not possible if the user is a report owner. The ownership of any affected reports needs to be changed before an administrator can be deleted. This information is missing in the OneSpan Authentication Server Administrator Guide.

Affects: OneSpan Authentication Server 3.12–3.21

Status: The documentation has been updated.

Description: In deployments where OneSpan Authentication Server uses Oracle Database as data store together with Oracle Database Client version 12.2.0.1 and later, the Administration Web Interface performance is significantly reduced during database queries. This issue is caused by a change in how the Oracle ODBC driver handles string conversion  when binding strings to SQL queries. As a result, database indexes become unusable, which leads to full table scans during SQL queries.

Affects: OneSpan Authentication Server 3.12–3.21

Status: This issue has been fixed. The dpdbadmin command now verifies the SQL string types of the existing database columns to determine the data type used for SQL string binding. If it detects mixed column types it issues an appropriate warning. Instructions how to correct mismatching SQL string types and prevent performance issues were added to the user documentation.

Description: When permission issues occur during an OneSpan Authentication Server upgrade on Linux installations, the upgrade process is canceled and an incorrect error message is displayed ("Installation cancelled - data migration from previous upgrade is incomplete.").

Affects: OneSpan Authentication Server 3.10–3.21 (Linux only)

Status: This issue has been fixed. A new error message for permission issues has been introduced.

Description: When attempting to import user accounts via a user import file that contains lines longer than 1023 characters, the OneSpan Authentication Server service/daemon terminates ungracefully.

Affects: OneSpan Authentication Server 3.12–3.21

Status: This issue has been fixed.

Description: The User Dashboard of the Administration Web Interface does not display audit data for a user. OneSpan Authentication Server cannot connect to the audit database.

Affects: OneSpan Authentication Server with PostgreSQL

Status: This issue has been fixed. Support for PostgreSQL was dropped in OneSpan Authentication Server 3.15.

OneSpan Authentication Server no longer supports Digipass Authentication for Windows Logon 1.x. The related features, e.g. Dynamic Component Registration (DCR) and the Identikey Windows Logon Client client component, have been removed.

OneSpan Authentication Server continues to support Digipass Authentication for Windows Logon 2.0 and later.

OneSpan Authentication Server no longer supports the following products:

Web servers (Web Administration Service)

• Apache Tomcat 8.x

This section summarizes planned and upcoming changes of supported platforms and other third-party products that will become effective in future versions. You are highly encouraged to plan and modify your deployments accordingly to allow future upgrades.

Version 3.23

Version 3.24