Version 3.23 (July 2022)
  • 03 Oct 2024


Release information

Supported operating systems

OneSpan Authentication Server 3.23 supports the following operating systems:

Microsoft Windows

  • Windows Server 2019

    Windows Server 2019 is supported in deployments where OneSpan Authentication Server uses an ODBC data store (e.g. the embedded MariaDB database). Windows Server 2019 is currently not supported with Active Directory (AD) as data store.

  • Windows Server 2016

  • Windows Server 2012 R2 Essentials

  • Windows Server 2012 Essentials

  • Windows Server 2012 R2

  • Windows Server 2012

Linux

  • CentOS 7, 64-bit (version 7.8 and later)

  • Red Hat Enterprise Linux (RHEL) 8, 64-bit [NEW]

  • Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.8 and later)

  • Ubuntu Server 20.04 LTS, 64-bit [NEW]

  • Ubuntu Server 18.04 LTS, 64-bit

Supported ODBC databases

  • MariaDB 10.4.22 [NEW]

    OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.

  • Oracle Database 19c, 18c, and 12c

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).

  • Microsoft SQL Server

    • Microsoft SQL Server 2019

    • Microsoft SQL Server 2017

    • Microsoft SQL Server 2016

    • Microsoft SQL Server 2014

    • Microsoft SQL Server 2012 Service Pack 4

    OneSpan Authentication Server supports the SQL Server AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2019, 2017, 2016, 2014, and 2012 Service Pack 4.

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.

    OneSpan Authentication Server supports the following ODBC drivers:

    • Microsoft ODBC Driver 17 for SQL Server

    • Microsoft ODBC Driver 13.1 for SQL Server

    • Microsoft ODBC Driver 11 for SQL Server

Supported browsers (Administration Web Interface)

The Administration Web Interface supports the following browsers:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

  • Internet Explorer

The Administration Web Interface supports all browser versions currently supported by the respective vendors.

Supported web servers (Administration Web Interface)

The Administration Web Interface can be run on these web application servers:

  • Apache Tomcat 9.0–9.0.48

    • Oracle Server Java Runtime Environment 8

    • Azul Zulu 8

  • IBM WebSphere Application Server 8.5.5

    • IBM WebSphere SDK Java Technology Edition 8.0

    The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for IBM WebSphere EE for manual deployment.

Other new third-party products

Software libraries

OneSpan Authentication Server now includes the following (updated) third-party libraries:

  • OpenSSL 1.1.1h

Web Administration Service now includes the following updated software libraries:

Utilities

OneSpan Authentication Server (Windows only) requires the following updated product versions to be installed:

  • Net-SNMP 5.9.1 (included)

On supported Linux environments, install the Net-SNMP version that comes with your Linux distribution.

Upgrade path

OneSpan Authentication Server supports direct upgrades from 3.18 or 3.22 to version 3.23 on the supported operating systems.

New features and enhancements

Improved deletion of users with assigned items

In previous versions, attempting to delete a user account failed if the target user account had assigned items that could not be deleted and therefore blocked the deletion, e.g. reports, recurring tasks, or pending operations (maker or checker role).

To delete such user accounts anyway, you can now specify a successor user that will take ownership of those items. The successor must be an administrative user account in the same domain as the user to be deleted.

Automatic execution option for pending operations

As maker administrator, you can now specify an auto-execute option when scheduling a pending operation that requires maker–checker authorization. The pending operation is automatically executed on your behalf upon approval by the checker administrator. In that case, you do not need to execute it explicitly.

Improved verification before deleting authenticators with maker–checker authorization enabled

If maker–checker authorization is enabled when you attempt to delete an authenticator, the Administration Web Interface now verifies whether the authenticator is referenced in a pending operation:

  • If it is explicitly referenced as the only target authenticator in a pending operation, you cannot delete it and will receive a respective error message.

  • If the authenticator is referenced in a pending operation, either explicitly (as part of an authenticator list or as a range parameter) or implicitly (within a range), you will receive a warning message and need to confirm the deletion of the authenticator.

Improved server data migration

The server data migration process has been enhanced and optimized to improve the workflow and overall performance:

  • Table-based data schema version. Unlike in previous versions, where the data schema version applied to the whole database, OneSpan Authentication Server now tracks the data schema version for each database table individually. This means that the data schema version of a particular table is not changed unless there are effective changes in the table data schema. If the table data schema has not changed, the table is skipped during server data migration. This reduces the amount of processed data and speeds up the server data migration process.

  • Optimized migration sequence. The order of the tables processed by the data migration task has been optimized. Admin-related tables are migrated first to minimize overhead on administrative commands while server data migration is still in progress. Tables that usually contain large amounts of data, e.g. users, authenticators, and authenticator applications, are migrated last.

  • Meaningful data migration task description. The data migration task description now contains the target schema version to better distinguish multiple data migration tasks.

Audit database table partitioning for MariaDB

(Support cases CS0050084, CS0046368, CS0009073, CS0006744, CS0004310)

If you use MariaDB to host your ODBC audit message database, you can use table partitioning. Instead of having all audit data in one big table, it is split up into smaller subsets (partitions). Each partition contains the data for one day. This can improve database performance for queries and delete operations.

You can enable partitioning during initial configuration via the OneSpan Authentication Server Installation Wizard. Otherwise, you can use the ODBC Database Command-Line Utility to enable and disable partitioning at any time with the new partitioning commands:

  • dpdbadmin checkauditpartitioning

  • dpdbadmin partitionaudittables

  • dpdbadmin removeauditpartitioning

  • dpdbadmin scheduleauditpartitioning
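The daily partitioning scheme described above, as an added example that is not OneSpan code and not the logic of dpdbadmin: it generates the MariaDB DDL for an audit table RANGE-partitioned by day and plans the rolling add/drop of partitions, so that purging a day of audit data becomes a DROP PARTITION instead of a row-by-row DELETE. The table name, the timestamp column, the pYYYYMMDD partition naming and the retention parameter are assumptions.

```python
# Added example (not OneSpan code, not the dpdbadmin implementation): rollover
# planner for a MariaDB audit table partitioned per day.  Table/column names,
# the partition naming scheme and the retention parameter are assumptions.
from datetime import date, timedelta
from typing import Iterable, List, Tuple

TABLE = "audit_messages"     # assumed table name
TS_COLUMN = "audit_time"     # assumed DATETIME column used as the partition key


def to_days(d: date) -> int:
    """Same day number MariaDB's TO_DAYS() yields for a DATE (733321 for 2007-10-07)."""
    return d.toordinal() + 365


def partition_name(day: date) -> str:
    return day.strftime("p%Y%m%d")


def partition_clause(day: date) -> str:
    """One daily partition: rows with TO_DAYS(ts) < TO_DAYS(the following day)."""
    upper = to_days(day + timedelta(days=1))
    return f"PARTITION {partition_name(day)} VALUES LESS THAN ({upper})"


def create_table_sql(first_day: date, days: int) -> str:
    """DDL for a fresh daily-partitioned audit table covering `days` days from first_day."""
    clauses = ",\n  ".join(partition_clause(first_day + timedelta(days=i)) for i in range(days))
    return (
        f"CREATE TABLE {TABLE} (\n"
        f"  id BIGINT NOT NULL AUTO_INCREMENT,\n"
        f"  {TS_COLUMN} DATETIME NOT NULL,\n"
        f"  message TEXT,\n"
        # MariaDB requires the partitioning column in every unique key
        f"  PRIMARY KEY (id, {TS_COLUMN})\n"
        f") PARTITION BY RANGE (TO_DAYS({TS_COLUMN})) (\n  {clauses}\n);"
    )


def plan_rollover(existing: Iterable[str], today: date, days_ahead: int,
                  retention_days: int) -> Tuple[List[str], List[str]]:
    """Return (ALTER statements to add, ALTER statements to drop).

    Adds one partition per day from today through today + days_ahead that does
    not exist yet (RANGE partitions must be appended in ascending order, so the
    existing set is assumed to end before today + days_ahead), and drops
    partitions whose day is older than the retention window.
    """
    present = set(existing)
    adds, drops = [], []
    for i in range(days_ahead + 1):
        day = today + timedelta(days=i)
        if partition_name(day) not in present:
            adds.append(f"ALTER TABLE {TABLE} ADD PARTITION ({partition_clause(day)});")
    cutoff = today - timedelta(days=retention_days)
    for name in sorted(present):
        day = date(int(name[1:5]), int(name[5:7]), int(name[7:9]))
        if day < cutoff:
            drops.append(f"ALTER TABLE {TABLE} DROP PARTITION {name};")
    return adds, drops
```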

Generic authentication status codes (Support case CS0087535)

OneSpan Authentication Server provides a new policy setting (Use Generic Authentication Status Codes) that specifies whether certain status codes and messages should be mapped to generic status information in server responses, to prevent user account disclosure in authentication and provisioning scenarios. The real status code and message will still be visible in the audit and trace messages.

If enabled, the following status codes will be mapped to 1000 (STAT_INVCREDENTIALS), even if more specific status information is available:

  • 1007

  • 1009

  • 1010

  • 1011

  • 1012

  • 1023

  • 1025

  • 1033

  • 1045

By default, the new policy setting is disabled for parentless policies.
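A model of the Use Generic Authentication Status Codes setting, as an added example that is not OneSpan code: only the status code numbers and the STAT_INVCREDENTIALS name come from the release notes; the Policy and AuthResponse classes, build_response, and the rule that a child policy inherits the setting from its parent are assumptions. It shows that the client-facing response collapses the listed codes to 1000 while the audit side keeps the real code, and how many outcomes a caller can still tell apart under each configuration.

```python
# Added example (not OneSpan code): model of the "Use Generic Authentication
# Status Codes" policy setting.  Only the code numbers and STAT_INVCREDENTIALS
# are from the release notes; class/function names and the parent-inheritance
# rule are assumptions.
from dataclasses import dataclass
from typing import Iterable, Optional

STAT_INVCREDENTIALS = 1000

# Specific status codes that the setting collapses to STAT_INVCREDENTIALS in
# server responses (list taken from the release notes).
GENERIC_MAPPED_CODES = frozenset({1007, 1009, 1010, 1011, 1012, 1023, 1025, 1033, 1045})


@dataclass(frozen=True)
class Policy:
    name: str
    parent: Optional["Policy"] = None
    # None means "not set here": inherit from the parent policy.  A parentless
    # policy with no explicit value resolves to False (disabled), matching the
    # default stated in the release notes.
    use_generic_status_codes: Optional[bool] = None

    def generic_status_codes_enabled(self) -> bool:
        policy: Optional[Policy] = self
        while policy is not None:
            if policy.use_generic_status_codes is not None:
                return policy.use_generic_status_codes
            policy = policy.parent
        return False


@dataclass(frozen=True)
class AuthResponse:
    client_code: int        # what the calling application sees
    client_message: str
    audit_code: int         # what is written to audit/trace (never masked)
    audit_message: str


def build_response(policy: Policy, real_code: int, real_message: str) -> AuthResponse:
    """Apply the policy to one authentication outcome.

    The audit side always keeps the real code and message; only the
    client-facing side is replaced, and only for codes in GENERIC_MAPPED_CODES.
    """
    if policy.generic_status_codes_enabled() and real_code in GENERIC_MAPPED_CODES:
        return AuthResponse(STAT_INVCREDENTIALS, "STAT_INVCREDENTIALS", real_code, real_message)
    return AuthResponse(real_code, real_message, real_code, real_message)


def distinguishable_outcomes(policy: Policy, codes: Iterable[int]) -> int:
    """Number of distinct client-visible codes for a set of internal outcomes.

    A result of 1 means a caller cannot tell those outcomes apart, which is the
    account disclosure (user enumeration) the setting is meant to prevent.
    """
    return len({build_response(policy, c, f"status {c}").client_code for c in codes})
```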

Improvement for connections to Oracle Database

When establishing a connection to an Oracle database, OneSpan Authentication Server now sets the client info field in the session to its IP address. This enhancement facilitates identification of OneSpan Authentication Server instances in environments that use an Oracle database and simplifies maintenance and troubleshooting.

Push notification when Active Directory password has expired (Support case CS0080279)

OneSpan Authentication Server now includes a new workflow for push–notification-based authentication when the Active Directory password has expired. This workflow applies if back-end authentication is configured along with push–notification-based authentication.

With this setup, if a user's Active Directory password has expired, the user will first receive a push notification message for the first authentication step. After the user has authenticated via this message, they will be notified about the expiration of the Active Directory password and prompted to change the password. When the password has been changed, the authentication process is successfully completed.

Fixes and other updates

Issues OAS-14042, OAS-12065 (Support case CS0083610): Incorrect administrative privilege check for session management settings and misleading configuration privileges

Description: If an administrator without the View Admin Session privilege attempts to view the session management settings via the SERVERS > Session Management > Settings tab, a respective error message will be displayed and access to the page is denied. The same administrator can, however, circumvent the privilege check by accessing the page directly via the URL.

Status: This issue has been fixed. In addition, the following improvements have been implemented for the administrative privilege configuration:

  • In previous versions, the existing View Back-End Settings and Update Back-End Settings privileges misleadingly determined the access to the global configuration settings. These privileges have now been renamed to View Global Configuration Options and Set Global Configuration Options, respectively, to align with their actual meaning. In addition, they have been moved to the Configuration section on the USERS > Admin Privileges tab, together with the View Server Configuration Options and Set Server Configuration Options privileges.

  • The global configuration settings have been consolidated. The SERVERS > Session Management > Settings tab was moved to the SERVERS > Global Configuration > Session Management tab. The BACK-END > Global Settings tab was moved to the SERVERS > Global Configuration > Back-End Servers tab.

  • Since the session management settings are global settings, they are now correctly available only if the administrator has the View Global Configuration Options privilege.

Issue OAS-13499 (Support case CS0093629): Instructions to specify database credentials in odbc.ini (Documentation)

Description: The procedure to create an ODBC data source for Oracle Database in the OneSpan Authentication Server Installation Guide for Linux contains instructions to specify the database credentials in odbc.ini. This information should be removed from the guide because the credentials are stored in clear text in odbc.ini and should not be specified in this file.

Affects: OneSpan Authentication Server 3.12–3.22.3

Status: The documentation has been updated.

Issue OAS-13095 (Support cases CS0090562, CS0089587): Offline authentication data not sent for linked user in different domain

Description: If a user authenticates via Digipass Authentication for Windows Logon using an authenticator of a linked user account that is in a different domain, OneSpan Authentication Server does not send offline authentication data (OAD) to the client.

Status: This issue has been fixed.

Issue OAS-12757 (Support case CS0087166): Authentication fails if domain name is part of user ID

Description: Users who have the domain name in their user ID can experience authentication issues because OneSpan Authentication Server uses the corresponding part of the user ID as the domain name.

Status: To prevent this issue, users with the domain name in their user ID need to also provide the domain when logging in. This information has been added to the OneSpan Authentication Server Administrator Guide.

Issues OAS-12732, OAS-3485 (Support cases CS0086813, CS0084947, CS0021852): SOAP enabled by default (Licensing)

Description: As of OneSpan Authentication Server 3.23, SOAP is by default enabled in all licenses. If your license was created prior to this product version, you can contact OneSpan Support and request a free license upgrade.

Issues OAS‑12169, OAS-11872: Vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, and CVE-2021-44228 in Apache Log4j2 (Web Administration Service)

Description: Recently, the Apache Software Foundation announced a number of security vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the Log4j2 library for Java applications, affecting all versions from 2.0-beta-9 to 2.16.0. These vulnerabilities allow attackers who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

The fix provided in 2.17.0 included another security vulnerability (CVE-2021-44832) that allows remote code execution (RCE) attacks where attackers can construct malicious configurations using a JDBC Appender. This vulnerability is difficult to exploit and considered non-critical for Web Administration Service.

For more information, refer to:

Affects: OneSpan Authentication Server 3.15–3.22.3

Status: These issues have been fixed. The affected library files have been upgraded to Log4j Core library version 2.17.1. This version of the library mitigates the remote code execution and denial-of-service attacks that could result from the vulnerabilities.

Note that a hotfix (including Apache Log4j 2.17.0) for the affected versions of Web Administration Service to fix the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 vulnerabilities was released on December 21, 2021. For more information, refer to https://www.onespan.com/remote-code-execution-vulnerability-in-log4j2-cve-2021-44228.

Issue OAS-12163 (Support case CS0085364): Missing instructions to verify access rights to certificate file when configuring back-end authentication with Active Directory (Documentation)

Description: In the OneSpan Authentication Server Administrator Guide, the procedure to import the certificate file for back-end authentication with Active Directory does not contain instructions to verify access rights to the file on Linux. This information is important because in case the run-user of OneSpan Authentication Server cannot access the file, any connection attempts to the back end will fail.

Status: The documentation has been updated.

Issue OAS-12130 (Support case CS0084327): SNMP endpoints are not accessible

Description: SNMP endpoints are no longer accessible in environments where OneSpan Authentication Server is running on a Linux server.

Affects: OneSpan Authentication Server 3.19–3.22.3 (on Linux)

Status: This issue has been fixed.

Issue OAS-12090: Certificates are installed during upgrade also if the embedded database is not encrypted (Setup)

Description: During OneSpan Authentication Server upgrade from version 3.18 to version 3.22.3, certificates are installed even if encryption of the embedded database and of the database connections has not been enabled during product installation.

Affects: OneSpan Authentication Server 3.22.3

Status: This issue has been fixed.

Issue OAS-12013 (Support Case CS0084797): Incorrect instructions to start Apache Tomcat for the Administration Web Interface (Documentation)

Description: The OneSpan Authentication Server Installation Guide for Windows provides incorrect information about the Apache Tomcat for IAS Web Administration location in the start menu.

Status: The documentation has been updated.

Issue OAS-11733 (Support cases CS0081403, CS008250, CS0081700): OneSpan Authentication Server upgrade fails if the embedded database is not encrypted (Setup)

Description: OneSpan Authentication Server upgrade from version 3.18 to version 3.22.3 fails if encryption of the embedded database and of the database connections has not been enabled during product installation. This issue is caused by incorrect entries in the my.ini file that is created during the upgrade.

Affects: OneSpan Authentication Server 3.22.3 (on Windows)

Status: This issue has been fixed.

Issue OAS-11647 (Support case CS0082520): Authentication via push notification fails (Message Delivery Component)

Description: Authentication via push notification fails if OneSpan Notification Gateway and Digipass Authentication for Windows Logon are used. This is because OneSpan Notification Gateway does not support the uppercase Digipass Authentication for Windows Logon correlation IDs.

Affects: OneSpan Authentication Server 3.22.3

Status: This issue has been fixed. Message Delivery Component now forwards the lowercase correlation ID to OneSpan Notification Gateway.

Issue OAS‑11432 (Support case CS0080787): OneSpan Authentication Server does not create core dumps

Description: Due to a faulty signal handler implementation, OneSpan Authentication Server only creates core dumps if the main process is terminated by SIGSEGV. If a specific thread is terminated by SIGSEGV, all other threads incorrectly receive SIGKILL and no core dump is generated.

Affects: OneSpan Authentication Server 3.12–3.22.3 (on Linux)

Status: This issue has been fixed.

Issue OAS-11422 (Support case CS0076551): Selection issue with MDL register and auto-assignment

Description: Under some circumstances (particularly in slow environments), multiple multi-device licensing (MDL) registration requests that are processed almost at the same time can yield errors because auto-assignment attempts to use the same authenticator for more than one request. In that case, the user receives an error that the authenticator is already assigned and needs to retry the registration.

Affects: OneSpan Authentication Server 3.12–3.22

Status: This issue has been fixed. The MDL registration process has been refactored and now uses correct authenticator selection/assignment logic (randomly select an authenticator and lock the respective authenticator record).

Issue OAS‑11407 (Support case CS0079970): OneSpan Authentication Server service/daemon terminates on DNS query

Description: When performing a DNS query, the OneSpan Authentication Server service/daemon can terminate unexpectedly if the DNS response is too large.

Affects: OneSpan Authentication Server 3.12–3.22.3 (on Linux)

Status: This issue has been fixed.

Issue OAS-11218 (Support case CS0079957): Incomplete list of OneSpan Authentication Server Framework error codes (Documentation)

Description: The list of OneSpan Authentication Server Framework (formerly VACMAN Controller) error codes in the OneSpan Authentication Server Administrator Reference is incomplete. Error code 1119 (Unsupported Payload Key Blob) is missing.

Status: The documentation has been updated.

Issue OAS‑11057: Net-SNMP no longer shipped with OneSpan Authentication Server (Linux)

Description: OneSpan Authentication Server for Linux no longer includes the Net-SNMP packages for Red Hat Enterprise Linux/CentOS and Ubuntu Server. On Linux environments, if you want to use system or performance monitoring via SNMP, install and configure the Net-SNMP version that comes with your Linux distribution. For more information, refer to the OneSpan Authentication Server Installation Guide for Linux.

Issue OAS‑10888 (Support case CS0077906): Organizational unit lists do not include more than 1000 OUs (Web Administration Service)

Description: If you want to select an organizational unit (OU) from a list, e.g. when moving/renaming a user account via the Move Users wizard, only the first 1000 OUs are listed, even if there are more defined in the organizational structure.

Affects: OneSpan Authentication Server 3.21–3.22.3

Status: This issue has been fixed.

Issue OAS‑8234: Copy Admin Privileges wizard allows copying from non-administrative user accounts (Web Administration Service)

Description: The Copy Admin Privileges From wizard copies administrative privileges from one user account to another. If the target user account has privileges assigned that the source user account does not have, then the target user account will lose those privileges. If you select a non-administrative user account to copy the privileges from by mistake, the target user account will lose all privileges.

Status: The wizard behavior has been changed. You cannot select non-administrative user accounts to copy privileges from anymore.

Issue OAS-7351 (Support case CS0053506): Tasks prevent deletion of administrative user account (Web Administration Service)

Description: If an administrator has finished or scheduled tasks assigned, it is not possible to delete the administrator's user account.

Affects: OneSpan Authentication Server 3.12–3.22.3

Status: This issue has been fixed. It is now possible to specify a successor user who will take ownership of the items assigned to the user account to be deleted. For instructions to delete a user account, refer to the Administration Web Interface Help.

Issue OAS-6194 (Support case CS0041259): Replication queue exceeds maximum file size (Replication)

Description: If replication between multiple OneSpan Authentication Server instances is not possible, the specified maximum file size for Replication.DB is ignored, and the replication queue will exceed the limit and continue to grow.

Affects: OneSpan Authentication Server 3.18–3.22.3

Status: This issue has been fixed. When the maximum file size is reached, no new entries can be written to the replication queue. In addition, you can now configure OneSpan Authentication Server to send a warning message when the replication queue file size exceeds a specified size threshold before reaching the maximum size limit.

Issue OAS-6052: Unit selector removed from tracing options (Web Administration Service, Message Delivery Component, Configuration Utility)

Description: It is no longer possible to select the unit for the Rotate on size and Rotate When Size Reached options in the tracing settings. Instead, the size is always specified in MB. Any values specified in KB or GB in previous OneSpan Authentication Server versions will be rounded to the nearest integer MB value.

This change affects the Administration Web Interface, the Message Delivery Component, and the OneSpan Authentication Server Configuration Utility.

Issue OAS-4042 (Support cases CS0025552, CS0067175): Active Directory Users and Computers Extension (ADUCE) session times out

Description: The IDENTIKEY Extension to the Active Directory Users and Computers Extension times out after 15 minutes of inactivity. The connection to OneSpan Authentication Server is not re-established, and all authenticator-related operations fail.

Affects: OneSpan Authentication Server 3.19–3.22.3 (Active Directory deployments)

Status: This issue has been fixed. The extension handles elevated and restricted sessions more effectively now. In addition, it attempts to re-connect and renew expired sessions automatically.

Issue OAS-1650 (Support case CS0012609): Performance issues related to persistent cache data

Description: In environments where the persistent cache table is highly fragmented, e.g. due to inadequate database maintenance, system load can increase significantly, thus leading to reduced database performance or even service outage.

Status: This issue has been fixed. The database indexes for the persistent cache have been reviewed and optimized. The OneSpan Authentication Server Administrator Guide has been extended with information about table fragmentation and possible solutions.

Deprecated components and features

Supported platforms, data management systems, and other third-party products

OneSpan Authentication Server no longer supports the following products:

Operating systems

  • Ubuntu Server 16.04 LTS, 64-bit

  • Red Hat Enterprise Linux line 6

  • CentOS line 6

Hardware security modules

  • Thales nShield HSMs

Future platform support changes

This section summarizes planned and upcoming changes of supported platforms and other third-party products that will become effective in future versions. You are highly encouraged to plan and modify your deployments accordingly to allow future upgrades.

Version 3.24

OneSpan Authentication Server 3.24 will no longer support the following products:

Data stores

  • Active Directory
