Version 3.24 (July 2023)
  • 03 Oct 2024
  • 9 Minutes à lire
  • Sombre
    Lumière

Version 3.24 (July 2023)

  • Sombre
    Lumière

The content is currently unavailable in French. You are viewing the default English version.
Résumé de l’article

Release information

Version numbering

Beginning with OneSpan Authentication Server 3.22, the product version numbering has been changed. Because OneSpan Authentication Server is a fundamental back-end part of the OneSpan cloud authentication services, i.e. OneSpan Cloud Authentication (OCA) and Intelligent Adaptive Authentication, the product versions of cloud and on-prem versions are now aligned.

The cloud authentication services and the OneSpan Authentication Server on-prem product share the same code base, but the cloud services naturally receive updates earlier and more frequently. Cloud releases use the third field of the product version (also called patch version) to indicate evolving product development. When a new on-prem version is released it usually consolidates and includes all enhancements and updates of the previous cloud releases. After an on-prem release, the second field of the product version (also called minor version) is increased and the patch version is reset to zero.

For you as on-prem customer this has no practical impact, except that the first release of a new product version may use a patch version higher than zero. For instance, unlike earlier releases the first on-prem release of 3.22 is 3.22.3 instead of 3.22.0.

Supported operating systems

OneSpan Authentication Server 3.24 supports the following operating systems:

Microsoft Windows

  • Windows Server 2022 [NEW]

  • Windows Server 2019

    Windows Server 2019 is supported in deployments where OneSpan Authentication Server uses an ODBC data store (e.g. the embedded MariaDB database). Windows Server 2019 is currently not supported with Active Directory (AD) as data store.

  • Windows Server 2016

  • Windows Server 2012 R2 Essentials

  • Windows Server 2012 Essentials

  • Windows Server 2012 R2

  • Windows Server 2012

Linux

  • CentOS 7, 64-bit (version 7.8 and later)

  • Red Hat Enterprise Linux (RHEL) 8, 64-bit [NEW]

  • Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.8 and later)

  • Ubuntu Server 20.04 LTS, 64-bit [NEW]

  • Ubuntu Server 18.04 LTS, 64-bit

Supported ODBC databases

  • MariaDB 10.6.12 (included) [NEW]

    OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.

  • Oracle Database 19c, 18c, and 12c

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).

  • Microsoft SQL Server

    • Microsoft SQL Server 2019

    • Microsoft SQL Server 2017

    • Microsoft SQL Server 2016

    • Microsoft SQL Server 2014

    • Microsoft SQL Server 2012 Service Pack 4

    OneSpan Authentication Server supports the SQLServer AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2019, 2017, 2016, 2014, and 2012 Service Pack 4.

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.

    OneSpan Authentication Server supports the following ODBC drivers:

    • Microsoft ODBC Driver 17 for SQL Server

    • Microsoft ODBC Driver 13.1 for SQL Server

    • Microsoft ODBC Driver 11 for SQL Server

Supported browsers (Administration Web Interface)

The Administration Web Interface supports the following browsers:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

  • Internet Explorer

The Administration Web Interface supports all browser versions currently supported by the respective vendors.

Supported web servers (Administration Web Interface)

The Administration Web Interface can be run on these web application servers (based on the respective JRE):

  • Apache Tomcat 9.0–9.0.73 (included) [NEW]

    • Oracle Server Java Runtime Environment 11 [NEW]

    • Azul Zulu 11 (included) [NEW]

  • Open Liberty (tested with 23.0.0.3-full-java11-openj9) [NEW]

  • WebSphere Liberty (tested with 23.0.0.2-full-java11-openj9-ubi) [NEW]

The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for Open Liberty and WebSphere Liberty for manual deployment.

Other new third-party products

Hardware security modules

  • Entrust nShield Connect XC (Red Hat Enterprise Linux 8, 64-bit only)

  • Entrust nShield Solo XC (Red Hat Enterprise Linux 8, 64-bit only)

  • Thales ProtectServer 3 HSM devices

Software libraries

OneSpan Authentication Server now includes the following (updated) third-party libraries:

  • cURL 8.1.2 [NEW]

    This version of cURL fixes a couple of security vulnerabilities, including CVE-2023-23916.

  • OpenSSL 1.1.1u [NEW]

  • zlib 1.2.12-r2 [NEW]

    This version of zlib fixes a couple of security vulnerabilities, including CVE-2022-37434.

Utilities

OneSpan Authentication Server now requires the following products to be installed:

  • On Windows: Net-SNMP 5.9.3 (included) [NEW]

  • On supported Linux environments, install the Net-SNMP version that comes with your Linux distribution.

OneSpan authentication platform

OneSpan Authentication Server 3.24 integrates and uses OneSpan Authentication Server Framework 3.22.

Upgrade path

OneSpan Authentication Server supports direct upgrades from 3.18, 3.22, or 3.23 to version 3.24 on the supported operating systems.

New features and enhancements

Grace period ends with MDL activation

In previous versions, the grace period of an authenticator instance ended automatically only if a successful OTP authentication happened.

Beginning with 3.24, the grace period also expires automatically after a successful multi-device licensing (MDL) activation, either using an OTP or a signature validation, since this indicates a properly working and activated authenticator as well.

Score-based responses with warnings are now rejected

In previous versions, OneSpan Authentication Server ignored scoring information in authenticator responses. That means that OTP values with score warning were gracefully accepted.

Beginning with 3.24, OneSpan Authentication Server evaluates scoring information in authenticator responses. If OneSpan Authentication Server detects a score warning, it will reject the OTP (even an otherwise valid one). You can detect such cases in the error stack information included in the respective audit message, e.g. "{Error Code: '(-140)' ; Error Message: 'Serial VDS1010000-1 Application APP 1 RO OTP Incorrect - Operation Successful with Platform & User Warning'}".

Multiple connections between OneSpan Authentication Server and MDC

In previous versions, OneSpan Authentication Server uses only one connection to the Message Delivery Component (MDC) service to submit message delivery requests. Each request is queued and processed one after another. This means that later requests can take quite long to be processed if the single connection is blocked by a previous request.

OneSpan Authentication Server now uses a connection pool, i.e. a number of concurrent connections to the Message Delivery Component (MDC) server. Each connection is used to handle one message delivery and will be closed when completed. If a message is taking longer to deliver, e.g. because the respective gateway is unresponsive, another connection is opened to process the next message, until all connections are in use.

You can configure the size of the connection pool in the general settings of the authentication scenario, either via the OneSpan Authentication Server Configuration Utility or the Administration Web Interface. The default value is 10 connections.

Elapsed time information in audit messages

To make performance investigations easier and to help tracking issues, OneSpan Authentication Server captures the elapsed time of specific (SOAP) operations. The elapsed time is added to the audit message record of the respective operation. The Elapsed time audit message field is only visible in the Audit Viewer application.

Note that you do not need to enable performance monitoring to capture the elapsed time, but only the following audit messages will include it:

  • I-009001

  • S-001001

  • S-001002

  • S-001003

  • S-002001

  • S-002002

  • S-002007

  • S-002008

  • S-004001

  • S-005009

  • S-005010

  • S-005011

  • S-005012

  • S-005013

  • S-005015

  • S-006001

Fixes and other updates

Issue OAS-18325: Incorrect operating system version logged (Tracing)

Description: When you enable full tracing on servers that run on Windows Server later than version 2016, the trace file incorrectly indicates Windows 2016 as the operating system in the trace file.

Affects: OneSpan Authentication Server on Windows

Status: This issue has been fixed. OneSpan Authentication Server now correctly detects and writes the operating system information to the trace file.

Issues OAS-17565, OAS-350 (Support cases CS0105478, CS0009172, CS0002902): Outdated DNS/IP addresses used for SMS and push delivery

Description: The Message Delivery Component (MDC) default settings for the OneSpan gateways to relay SMS and push notifications are outdated. The respective DNS names will become unavailable in the future. Moreover, the documentation lists outdated or incorrect values in different sections.

Affects: OneSpan Authentication Server 3.17–3.23

Status: This issue has been fixed. The default values are now set correctly during initial setups and corrected during upgrades if required, respectively. The occurrences in the documentation have been updated.

Issue OAS-16908: SMTP line ending rules violated (Message Delivery Component)

Description: In some cases, the Message Delivery Component (MDC) attempts to send emails that violate SMTP line ending rules by using a bare line feed (LF). This behavior can cause SMTP gateways to reject such messages.

Status: This issue has been fixed. MDC now always uses CR/LF line ending for SMTP messages.

Issue OAS-16389, OAS-282 (Support case CS0116388, 182290, 179691): SSL required for Active Directory connections (Documentation)

Description: The documentation contains a warning note, which recommends that you set up SSL for connections between OneSpan Authentication Server and Active Directory back-end servers.

This recommendation is obsolete, since you need to set up and use SSL for connections between OneSpan Authentication Server and the Active Directory back-end server. Unencrypted connections to an Active Directory back-end server do not work reliably (if at all), unless you have a very old and specially configured version of Windows Server.

OneSpan Authentication Server does not officially support unencrypted connections to Active Directory via LDAP!

Status: The documentation has been updated. The note text has been rephrased to explicitly require SSL for Active Directory connections. The option to disable SSL for Active Directory back-end connections is deprecated and will be removed in a future version of OneSpan Authentication Server.

Issue OAS-16342 (Support case CS0115832): High processor load with enabled replication

Description: In environments where offline authentications are handled and OneSpan Authentication Server replication is enabled, the memory and CPU load can increase tremendously under certain circumstances. Authentication requests are properly processed and the replication connections remain active, but replication is not processed fast enough and the replication queue keeps increasing.

Status: This issue has been fixed.

Issue OAS-15457 (Support case CS0107435): Provisioning fails with correct password and OTP

Description: In environments where Stored Password Proxy is set to No and Back-End Authentication is set to Always in the effective policy, provisioning fails even with correct credentials. In such scenarios, the static password and a valid one-time password (OTP) are required as a combined input for the password field. Although the OTP is verified successfully, the static password is not correctly extracted from the combined input. The subsequent back-end authentication fails.

Affects: OneSpan Authentication Server 3.23

Status: This issue has been fixed.

Issue OAS-15824 (Support case CS0110765): Database connection issue when sending push notifications

Description: Sometimes, when the Message Delivery Component (MDC) service attempts to send a message via a push notification gateway, that external gateway can take long to respond (up to several minutes). During this period, OneSpan Authentication Server keeps the related connection to the database alive, thus blocking valuable resources. Under some circumstances, this behavior can yield issues when the database connections are released later.

Affects: OneSpan Authentication Server 3.18–3.23

Status: This issue has been fixed. The storage subsystem handling has been improved to allow more efficient resource usage. The request-related database connections are released and become available for other threads, while push notifications are being sent.

Issues OAS-13240 (Support case CS0089370): Performance loss due to LDAP connection issue

Description: In some circumstances, the performance can decrease drastically when OneSpan Authentication Server has connection issues with a slow LDAP back-end server and the number of transactions is still increasing. Because resource sharing between threads is handled incorrectly in this case, all threads used for LDAP back-end communication get blocked. In the worst case, this can lead to authentication failures.

Affects: OneSpan Authentication Server 3.18–3.23

Status: This issue has been fixed.

Deprecated components and features

Active Directory data stores (Deprecated)

Using Active Directory as the data store is deprecated. Beginning with version 3.24, you can only upgrade existing deployments with Active Directory as data store, but you can no longer select this option for new installations.

There are no plans to further enhance this feature or fix any related issues. The possibility to use AD as data store will be completely removed in a future release of OneSpan Authentication Server (currently planned for 3.25).

You will still be able to use Active Directory for other supported purposes, such as back-end authentication or password and data synchronization.

If you are using AD as data store, we strongly recommend to migrate to an ODBC-based data store to allow future upgrades. For more information, refer to the OneSpan Authentication Server Data Migration Guide.

Supported platforms, data management systems, and other third-party products

OneSpan Authentication Server no longer supports the following products:

Web servers (Web Administration Service)

  • IBM WebSphere 8.5.5


Cet article vous a-t-il été utile ?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle