- 14 Oct 2024
- 22 Minutes à lire
- SombreLumière
Version 3.26 (August 2024)
- Mis à jour le 14 Oct 2024
- 22 Minutes à lire
- SombreLumière
Release information
Supported operating systems
OneSpan Authentication Server 3.26 supports the following operating systems:
Microsoft Windows
Windows Server 2022
Windows Server 2019
Windows Server 2016
Linux
Red Hat Enterprise Linux (RHEL) 9, 64-bit [NEW]
Red Hat Enterprise Linux (RHEL) 8, 64-bit
Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.9)
Rocky Linux 9, 64-bit [NEW]
Rocky Linux 8, 64-bit [NEW]
Ubuntu Server 22.04 LTS, 64-bit [NEW]
Ubuntu Server 20.04 LTS, 64-bit
Ubuntu Server 18.04 LTS, 64-bit
Supported ODBC databases
MariaDB 10.11.5 (included as embedded database)
If you install the embedded MariaDB database, the DBeaver 23.3.0 database tool is also installed.
OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.
Oracle Database 19c
OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).
Microsoft SQL Server
Microsoft SQL Server 2022 [NEW]
Microsoft SQL Server 2019
Microsoft SQL Server 2017
Microsoft SQL Server 2016
OneSpan Authentication Server supports the SQLServer AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2022, 2019, 2017, and 2016.
OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.
OneSpan Authentication Server supports the following ODBC drivers:
Microsoft ODBC Driver 18 for SQL Server
Microsoft ODBC Driver 17 for SQL Server
Microsoft ODBC Driver 13.1 for SQL Server
Supported browsers (Administration Web Interface)
The Administration Web Interface supports the following browsers:
Google Chrome
Mozilla Firefox
Microsoft Edge
The Administration Web Interface supports all browser versions currently supported by the respective vendors.
Supported web servers (Administration Web Interface)
The Administration Web Interface can be run on these web application servers (based on the respective JRE):
Apache Tomcat 9.0–9.0.90 (included) [NEW]
This version of Apache Tomcat fixes a couple of critical security vulnerabilities, including CVE-2024-34750.
Oracle Server Java Runtime Environment 11
Azul Zulu 11 (included)
Open Liberty (tested with 23.0.0.3-full-java11-openj9)
WebSphere Liberty (tested with 23.0.0.2-full-java11-openj9-ubi)
The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for Open Liberty and WebSphere Liberty for manual deployment.
Other new third-party products
Software libraries
The software library lists are not exhaustive, but include the most notable and critical updates only. For a complete overview, refer to the third-party dependency files included with the installed product.
OneSpan Authentication Server now includes the following (updated) third-party libraries:
Cyrus SASL 2.1.28
Administration Web Interface now includes the following (updated) third-party libraries:
Apache Commons Codec 1.15
Apache Commons IO 2.14
Apache Commons Lang 3.14
Apache Commons Text 1.11
Apache FreeMarker 2.3.32
Apache HttpComponents Core 4.4.13
Apache Log4j 2.23.1
Apache Struts 6.3.0.2
Java Servlet API 4.0.1
json.org/json 20240303
This version of json.org/json fixes a couple of critical security vulnerabilities, including CVE-2023-5072, CVE-2022-45690, CVE-2022-45689, and CVE-2022-45688.
Opensymphony Sitemesh 2.5
SLF4J API Module 2.0.12
Utilities
OneSpan Authentication Server now requires the following products to be installed:
On Windows: Net-SNMP 5.9.4 (included)
On supported Linux environments, install the Net-SNMP version that comes with your Linux distribution.
OneSpan authentication platform
OneSpan Authentication Server 3.25 integrates and uses OneSpan Authentication Server Framework 3.22.
Upgrade path
OneSpan Authentication Server supports direct upgrades from 3.24 or 3.25 to version 3.26 on the supported operating systems.
Supported systems | ||||||
OneSpan Authentication Server | ||||||
---|---|---|---|---|---|---|
3.26 | 3.25 | 3.24 | 3.23 | 3.22 | 3.21 | |
Operating systems | ||||||
Windows 2022 | ✓ | ✓ | ✓ | |||
Windows 2019 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Windows 2016 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Windows 2012 R2 | ✓ | ✓ | ✓ | ✓ | ||
Windows 2012 | ✓ | ✓ | ✓ | ✓ | ||
CentOS 7 | ✓ | ✓ | ✓ | ✓ | ✓ | |
CentOS 6 | ✓ | ✓ | ||||
RHEL 9 | ✓ | |||||
RHEL 8 | ✓ | ✓ | ✓ | ✓ | ||
RHEL 7 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
RHEL 6 | ✓ | ✓ | ||||
Rocky Linux 9 | ✓ | |||||
Rocky Linux 8 | ✓ | |||||
Ubuntu 22.04 | ✓ | |||||
Ubuntu 20.04 | ✓ | ✓ | ✓ | ✓ | ||
Ubuntu 18.04 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Ubuntu 16.04 | ✓ | ✓ | ||||
Database management systems | ||||||
MariaDB 10 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Oracle DB 19c | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Oracle DB 18c | ✓ | ✓ | ✓ | ✓ | ||
Oracle DB 12c | ✓ | ✓ | ✓ | ✓ | ||
SQL Server 2022[1] | ✓ | |||||
SQL Server 2019[1] | ✓ | ✓ | ✓ | ✓ | ✓ | |
SQL Server 2017[1] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
SQL Server 2016[1] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
SQL Server 2014[1] | ✓ | ✓ | ✓ | ✓ | ✓ | |
SQL Server 2012[1] | ✓ | ✓ | ✓ | ✓ |
Windows only
New features and enhancements
Audit database table partitioning on a monthly basis
Since version 3.23, you can use table partitioning to split up the audit data into smaller subsets (partitions) if you use MariaDB to host your audit database. Each partition contains the data for one day. This can improve database performance for queries and delete operations.
Beginning with 3.26, you can enable partitioning also on a monthly basis. This will create one partition per month. At the maximum 12 partitions in total will be kept at any time. If there are 12 partitions and a new one is needed, the partition with the oldest data will be re-used.
The ODBC Database Command-Line Utility now accepts a new ‑range parameter for the dpdbadmin checkauditpartitioning and the dpdbadmin partitionaudittables partitioning commands to specify the partition range.
Additionally, the database lock handling was improved and added to all partitioning commands to synchronize with other dpdbadmin instances (‑synctimeout) and to unlock existing database synchronization locks (‑unlockdb).
New policy setting to avoid initial authenticator time synchronization
When an authenticator is used for the first time, OneSpan Authentication Server calculates the initial deviation between the authenticator time and the server time. A new policy setting (Avoid Initial Time Synchronization) has been added to skip the initial time shift initialization on the server side. This can be useful, because the time shift is usually handled by the mobile app, so it can be omitted on the server side.
For fresh installations, the default value is Software DIGIPASS Only, which avoids the initialization for time-based software authenticators on the server side. If you upgrade an existing deployment, the default value is No, i.e. the initial time synchronization is never omitted, which is the same behavior as in previous versions.
Separate configuration settings for service users
Service users and interactive users now use separate session stores and configuration settings for session handling, such as the maximum number of concurrent sessions and maximum session length. By default, service users and interactive users have the same initial session configuration settings, except that services users are not stored in the persistent cache. You can configure and tweak the settings for both separately via the vdsConfiguration table in the database, depending on your environment and use cases.
Email messages now include message identifier
In previous versions, Message Delivery Component (MDC) did not include a message-id field in email messages as specified by RFC 5322.
Beginning with 3.26, all email messages sent by MDC include such a unique message identifier to comply with the specification. This can prevent some strict mail providers or clients, such as Gmail, to reject messages without such message identifier fields.
Configurable TCP listen backlog queue size
The TCP listen backlog queue determines the rate at which new incoming connections can be accepted. If a new connection should be established but the queue is full, the client connection request will be refused by the server. This can lead to performance and authentication issues during peak load, e.g. when a lot of Digipass Authentication for Windows Logon clients attempt to establish a connect at the same time.
In previous versions, the TCP listen backlog queue size was fixed and pre-defined as 10. Beginning with 3.26, you can now configure this value via the OneSpan Authentication Server configuration file (identikeyconfig.xml) by setting the Listen-Backlog value.
<VASCO> <Communicators> <SoapCommunicator> <Listen-Backlog type="unsigned" data="10"/> ... </SoapCommunicator> ...
New system dashboard (Administration Web Interface)
The Administration Web Interface now provides a new system dashboard that aggregates and shows vital statistics and various metrics about the OneSpan Authentication Server environment.
To access the system dashboard, administrators need to have the View Usage Information privilege set.
The system dashboard is an experimental feature and subject to be vastly extended and enhanced in upcoming releases.
Administration Web Interface performance improvements
The Administration Web Interface now allows to tweak the behavior and look of the DIGIPASS list and the USERS list, so they do not show the total number of returned results, no links to individual pages, no Go to Last Page button, and no Select all from ALL pages link. This can be useful to improve the performance on some DBMS.
The database query for recent user activity was improved to increase database performance. As part of this change, the category is now excluded from the query which yields slightly different results in the recent user activity. For instance, actions performed by an administrator to manage a different user account are now included in the recent activity of that particular administrator. It may further include additional entries for administrative user accounts on OneSpan Authentication Server Appliance that were not previously shown.
Fixes and other updates
Issue OAS-23852 (Support case INC0013709): Failed registration of SSL certificates during installation on Japanese operating system
Description: When installing OneSpan Authentication Server on Japanese Windows operating systems, the registration of the DBeaver SSL certificates failed with the error message Unable to add the JAVA certificate.
Affects: OneSpan Authentication Server with MariaDB 3.25.
Status: This issue has been fixed.
Issue OAS-23002: Replication updates blocked indefinitely
Description: Under some circumstances the replication database can get locked and prevent the replication subsystem to start a new transaction. Because the timeout is handled incorrectly in that situation, subsequent operations that trigger replication commands can block indefinitely.
Status: This issue has been fixed.
Issue OAS-22657: Audit messages truncated in syslog
Description: In environments that use the Linux system logger (syslog) for auditing, some audit messages are truncated after the Reason field, and any following data (fields) of the same audit message are not written to the log.
Affects: OneSpan Authentication Server 3.25
Status: This issue has been fixed.
Issue OAS-22543: Default administration session parameters changed
Description: The default administration session parameters that are used by OneSpan Authentication Server may be too restrictive and cause issues in some environments.
For instance, the maximum number of concurrent administrative sessions is 20 by default. In a scenario that include a couple of automation components and/or help desk members working at the same time, this might not be enough and, in the worst case, prevent other administrative users from connecting via the Administration Web Interface.
Status: The following administration session parameters have been revised to use more reliable and more performant default values:
Maximum number of concurrent administrative sessions (200)
Minimum session read interval (30)
Minimum session update interval (60)
If you upgrade an existing deployment, the respective parameters will be updated by the data migration task, unless you have manually changed the previous default values. In that case, the existing parameter values will remain unchanged.
Issue OAS-22304: ODBC database command-line utility crashes when processing big tables
Description: The ODBC database command-line utility (dpdbadmin) can terminate unexpectedly when processing a database running on MariaDB if some database tables contain a lot of data. Due to its nature this is often the case for audit data. This issue affects the addschema command.
Affects: OneSpan Authentication Server 3.21–3.25 (with MariaDB)
Status: This issue has been fixed.
Issue OAS-22266: Confusing information about SSL cipher suite security levels (Documentation)
Description: In OneSpan Authentication Server 3.25, the OpenSSL library was updated to 3.0.9. This update influenced the resulting cipher lists.
While the cipher suite security levels define rules which protocols, protocol versions, and algorithms are allowed for a specific level, the resulting cipher lists depend on the OpenSSL library. This means that even if a higher cipher suite level defines stricter rules than a lower one, the applicable ciphers may be the same.
For instance, Very High is stricter than High, but effectively both levels allow the same ciphers. In that case, it does not make a difference, which cipher suite security level you select. The documentation does not explicitly explain that, which can cause confusion for readers.
Affects: OneSpan Authentication Server 3.25
Status: The documentation has been updated.
Issue OAS-21768: Incorrect service user API key accepted
Description: When a service user executes a SOAP operation with the correct API key once, subsequent SOAP calls within the same session will accept any API key, even a wrong one.
This issue occurs only if the API key is specified in the SOAP body. It does not occur if the API key is provided via the HTTP header.
Affects: OneSpan Authentication Server 3.19–3.25
Status: This issue has been fixed. The API key is now correctly cleared and verified for every SOAP call.
Issue OAS-21765 (Support case CS0154115): Wrong static password policy rules used
Description: In version 3.17, the mechanism for static password policy rules was changed: now always the password rules that are configured via the policy associated with the server component are evaluated in order that they apply to all users independent of the used client. Different password strength rules can be applied for administrators and regular users via the policy inheritance.
In some cases when the password of an administrative user is changed, the effective policy of the client component is used (instead of the server component).
Affects: OneSpan Authentication Server 3.17–3.25
Status: This issue has been fixed.
Issue OAS-20559: Parsing issue with encoded URL in message template (Message Delivery Component (MDC))
Description: Including a URL with %20-encoded whitespaces in custom email message templates, e.g. for offline activation data, can cause an issue when sending a message. The issue causes the MDC service to stop unexpectedly and OneSpan Authentication Server audits an F‑001003 error message ("A communications error occurred (Error executing the MDC server command)").
Affects: OneSpan Authentication Server 3.24–3.25
Status: This issue has been fixed.
Issue OAS-20400: Deleting audit data does not release disk space (Documentation)
Description: Depending on the used DBMS, deleting audit data does not automatically or immediately release the consumed disk space. Usually, unused disk space must be optimized and reclaimed after running the Delete Audit Data wizard.
Affects: OneSpan Authentication Server 3.21–3.25
Status: The documentation has been updated. It explicitly points out now that deleting audit data does not necessarily release the used disk space. The OneSpan Authentication Server Administrator Guide was extended to include basic optimization instructions for MariaDB.
Issues OAS-20204, OAS-15666 (Support case CS0110371): Unassigning authenticator instances from multiple users fail (Web Administration Service)
Description: When an administrator selects multiple users who have each at least one authenticator instance assigned, and clicks UNASSIGN DIGIPASS in the USERS >List tab, the Administration Web Interface displays an error after processing the first user account that it cannot unassign the user. The error message is incorrect and misleading, because the authenticator and the authenticator instance have been unassigned from the first user account before the operation was canceled.
This issue only occurs in the USERS > List tab, unassigning multiple authenticator (licenses) in the DIGIPASS > List tab succeeds.
Affects: OneSpan Authentication Server 3.21–3.25
Status: This issue has been fixed.
Issue OAS-19669: Confusing prompt when upgrading MariaDB
Description: When you upgrade an existing OneSpan Authentication Server deployment that includes an upgrade of the embedded MariaDB, e.g. from 10.4 to 10.6, the setup prompts if it should keep the old MariaDB configuration file (my.ini). Manual changes to the old configuration file are not automatically transfer to the new one by the setup, you need to restore them manually after the upgrade.
The confirmation is intended to preserve manual changes to the configuration file, so the changes can be verified more easily, but actually causes more confusion.
Affects: OneSpan Authentication Server 3.22–3.25
Status: This issue has been fixed. The confirmation prompt was removed, the old configuration file is automatically deleted.
Issue OAS-15619 (Support case CS0107839): Back-end authentication issue with '@' in user ID
Description: When OneSpan Authentication Server attempts back-end authentication for a user with an at sign ('@') character in the user ID, the operation behaves incorrectly if (a) the domain after the '@' does not exist and (b) a valid default domain is specified in the policy.
Consider the following example: user@invalid_domain. During user name translation, OneSpan Authentication Server correctly detects that invalid_domain is not a valid domain. In that case, it considers user@invalid_domain as the user ID and falls back to the specified default domain defined in the policy. Later, during back-end authentication, OneSpan Authentication Server splits the user ID again and uses user only as the user ID.
Affects: OneSpan Authentication Server 3.21–3.25
Status: This issue has been fixed.
Issue OAS-15127 (Support case CS0105648): Full replication queue does not prevent further authentication requests
Description: To prevent data loss, OneSpan Authentication Server should stop processing incoming authentication and administration requests if the replication queue exceeds the maximum size.
An issue in the error handling of the authentication operation can prevent this, further authentication requests are processed and even return success or an Access-Accept reply (in case of RADIUS).
Affects: OneSpan Authentication Server 3.21–3.25
Status: This issue has been fixed. The error handling for replication was improved for SOAP and RADIUS authentication requests.
Issue OAS-14423 (Support case CS0096425): Disclosing HTTP header
Description: OneSpan Authentication Server includes an HTTP header in each SOAP response that identifies the service as IAS, i.e. "Server: IAS". Although this header is not a security concern by itself, it may disclose unwanted information to potential attackers.
Affects: OneSpan Authentication Server 3.21–3.25
Status: This issue has been fixed. The HTTP header was completely removed and is no longer returned in server responses.
Issue OAS-11826 (Support cases CS0041100, CS0029614): Concurrent authenticator updates can corrupt authenticator BLOB data
Description: Unassigning an authenticator or moving a user account with assigned authenticators while certain other operations are in progress can corrupt the authenticator BLOB data. This issue can happen rarely, it requires another operation that changes the BLOB data, e.g. generating a virtual signature, almost concurrently as the unassign or move operation..
Affects: OneSpan Authentication Server 3.21–3.25
Status: This issue has been fixed. The update query was improved, the unassign or move operation will fail with a "Database update failed attempting to update a digipass application record" error message, but the BLOB data will remain correct.
Issue OAS-10373 (Support case CS0074321): Audit data is not replicated (Documentation)
Description: The documentation about OneSpan Authentication Server replication does not explicitly explain that audit data from the replication source is not replicated to the replication target. Both replication instances keep and maintain their own audit data. This means that the audit data differ between the source and the target instance, although the configuration and user data are synchronized.
Affects: OneSpan Authentication Server 3.21–3.25
Status: The documentation has been updated.
Issue OAS-10067 (Support case CS0070114): User lock count increases because of technical/configuration issue
Description: The user lock count tracks the number of consecutive unsuccessful authentication attempts. However, there are some cases where OneSpan Authentication Server incorrectly increases the user lock count due to wrong configuration or technical issues. For example, if a user attempts a push notification–based authentication, but the PNID is missing or invalid.
Affects: OneSpan Authentication Server 3.21–3.25
Status: This issue has been fixed. The user lock count only increases if a wrong OTP or password was used for an authentication or signature validation request.
Issue OAS-9099 (Support case CS0061534): Signature validation uses incorrect authenticator application and succeeds
Description: In some environments where more than one signature authenticator application is used, the signature validation operation may use an incorrect authenticator application to process the request and still create a valid signature.
Consider a scenario where two signature authenticator applications exist on an authenticator, SG1 that accepts exactly one data field and SG2 that accepts two data fields. Now assume that a user attempts a transaction signature validation for a business application that requires two data fields, but mistakenly selects the authenticator application that is accepting only one data field. The signature validation can still be successful, because it uses SG1 to successfully process the request (ignoring the second data field).
Affects: OneSpan Authentication Server 3.21–3.25
Status: This issue has been fixed. The data field handling when performing a signature validation was improved, any authenticator application that cannot process as many data fields as required by the request will be ignored.
Issue OAS-5698 (Support case CS0033287): Upgrade creates invalid configuration file (Configuration Wizard)
Description: When upgrading a deployment where SSL is enabled for MDC client connections in the Authentication scenario, the Configuration Wizard modifies the configuration file in an incorrect way. Afterward the OneSpan Authentication Server service does not start anymore.
Affects: OneSpan Authentication Server 3.21–3.25
Status: This issue has been fixed.
Issue OAS-266 (Support case PS‑177042): Delegated administrator cannot reset authenticator activation
Description: In environments with multiple domains, a delegated administrator with an administrative scope across multiple domains can receive an error message when attempting to reset the activation of a Mobile Authenticator Studio authenticator that is assigned to a user. A global administrator can reset the respective activation without any problems.
Affects: OneSpan Authentication Server 3.21–3.25
Status: This issue has been fixed.
Deprecated components and features
PDF documentation (Deprecated)
You can view the user documentation of most OneSpan products online already at https://docs.onespan.com/docs/, and we plan to shift exclusively to online documentation.
This means that PDF documentation will be completely removed in future major releases of OneSpan Authentication Server (currently planned for 3.27).
Supported platforms, data management systems, and other third-party products
OneSpan Authentication Server no longer supports the following products:
Operating systems
CentOS 7
Data management systems
Microsoft SQL Server 2014
Known issues
Issue OAS-9159 (Support case CS0057804): Usability issues when two reports are started at the same time (Reporting)
Description: When two reports are started at the same time, e.g. with two different browsers, a (nonfunctional) download link for the second report will be available before the report task has even started. The corresponding report results cannot be accessed.
Affects: OneSpan Authentication Server 3.19 and later
Status: No fix available. To avoid this issue, do not run multiple reports at the same time.
Issue OAS‑7856: Unable to install an ODBC deployment after uninstalling an AD deployment (Setup)
Description: When you uninstall an AD deployment of OneSpan Authentication Server and attempt to reinstall an ODBC deployment afterward, the setup behaves like an AD deployment and will fail in the last step.
Affects: OneSpan Authentication Server 3.18 and later (on Microsoft Windows)
Status: No fix available. Delete any leftover folders and files from the previous OneSpan Authentication Server deployment before you reinstall.
Issue OAS‑7855 (Support cases CS0115168, CS0108075): Leftover registry subtree when uninstalling the embedded database (Setup)
Description: When you uninstall the embedded MariaDB database on Microsoft Windows 2016, the MariaDB setup leaves a registry subtree behind. Since the OneSpan Authentication Server Setup Utility uses that registry subtree to detect an existing MariaDB deployment, it will incorrectly indicate an external installation of MariaDB if you attempt to reinstall OneSpan Authentication Server afterward.
Affects: OneSpan Authentication Server 3.19 and later on Windows Server 2016
Status: No fix available. Delete the following registry subtree manually after you uninstalled the embedded MariaDB database:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MariaDB 10.6 (x64)]
Issue OAS-5605 (Support cases CS0039109, CS0046614): Issues with Chinese characters in XML and PDF reports (Web Administration Service)
Description: Chinese characters are not correctly displayed in XML and PDF reports.
Affects: OneSpan Authentication Server 3.12 and later
Status: This issue has been fixed for XML reports in OneSpan Authentication Server 3.21. The issue can still occur in PDF reports in case they contain characters that are not defined in the used PDF font. Workaround for PDF reports: Generate an HTML report and print it to PDF.
Issue OAS-4163 (Support case CS0030058): Cannot assign multiple authenticators to a single user in one step (Web Administration Service)
Description: The Assign DIGIPASS wizard allows you to assign authenticators to users. Although you can select multiple authenticators and multiple users, you can only assign exactly one authenticator to one user at a time. For instance, if you select two authenticators in the wizard, you need to specify two different user accounts, one user to assign each one authenticator.
Affects: OneSpan Authentication Server 3.21 and later
Status: No fix available. To assign additional authenticators to a user, you need to run the Assign DIGIPASS wizard again.
Issue OAS-3761 (Support case CS0024326): Inaccessible authenticators proposed for manual assignment (Web Administration Service)
Description: The Assign DIGIPASS wizard allows you to explicitly select the authenticators to assign to multiple users (by selecting Search now to select DIGIPASS to assign in the Search DIGIPASS page). However, the Select DIGIPASS page may also show authenticators that are actually inaccessible to assign to the respective users, because they are in another domain than the users. If you select such an authenticator and continue, you will receive a "Failed to find available token for assignment." error.
This issue does not occur if you only select one user to assign an authenticator. In this case, the Select DIGIPASS page correctly shows only authenticators in the same domain as the user account.
Affects: OneSpan Authentication Server 3.21 and later
Status: No fix available. Ensure to explicitly select only authenticators that are in the same domain as the users you selected to assign an authenticator.
Issue 83511: HSM driver must be manually configured on Linux
Description: When integrating a hardware security module (HSM) with OneSpan Authentication Server, you will need to configure the HSM driver before you install OneSpan Authentication Server. On all Linux distributions using the UNIX System V operating system, the HSM driver must be configured for communication with OneSpan Authentication Server because the script created upon driver installation does not automatically start the system service.
Affects: OneSpan Authentication Server 3.6 and later
Status: No fix available. Workaround: replace the init.d file created during driver installation with the system.d file in the corresponding link. Refer to the OneSpan Authentication Server Installation Guide for Linux for detailed instructions.
Issue 58722: Mobile Authenticator Studio timeshift no longer supported
Description: When the Timeshift feature of Mobile Authenticator Studio is used, it causes the offline data to become invalid. The option to set a timeshift for Mobile Authenticator Studio authenticators is no longer supported. This feature is outdated and has become obsolete because mobile devices are now correctly synchronized with OneSpan Authentication Server at shorter intervals.
Affects: OneSpan Authentication Server 3.6 and later
Status: Do not use the Mobile Authenticator Studio Timeshift feature to avoid the offline data to become invalid.
Issue 48452 (Support case PS-144964): Multiple authentication and accounting ports on OneSpan Authentication Server (RADIUS communicator)
Description: OneSpan Authentication Server allows for the configuration of two RADIUS authentication ports and two RADIUS accounting ports. By default, one authentication and one accounting port is specified, the second ports can only be edited in the configuration file of OneSpan Authentication Server , not directly in the Administration Web Interface.
Affects: OneSpan Authentication Server 3.5 and later
Status: If a second authentication and/or a second accounting port for the RADIUS Communicator will be used, the port specifications need to be edited in the identikeyconfig.xml file.
Issue 46294 (Support case PS-141029): SafeNet HSM mode setup causes installation failure (OneSpan Authentication Server Setup)
Description: Deployments of OneSpan Authentication Server with Thales ProtectServer HSM only support HSMs that run in Normal mode. If the HSM is run in High Availability or Workload Distribution mode, the installation of OneSpan Authentication Server fails.
Affects: OneSpan Authentication Server 3.6 and later
Status: The Thales ProtectServer HSM must be run in Normal mode, i.e. ET_PTKC_GENERAL_LIBRARY_MODE must be set to NORMAL.
Issue 42477: OneSpan Authentication Server SNMP agent persistent data storage (OneSpan Authentication Server Linux installation script)
Description: The OneSpan Authentication Server SNMP agent cannot store its persistent data (e.g. EngineBoots, EngineID), as the default persistent directory is not created by the installation script. By default, the SNMP agent stores its persistent data in the /var/net-snmp directory.
Affects: OneSpan Authentication Server on Ubuntu Server with the vasco-netsnmp package installed.
Status: A /var/net-snmp directory must be created and the vasco-ias user must have write access to this directory. If this directory does not exist and/or the vasco-ias user does not have write access to it, the EngineID and related information used by the OneSpan Authentication Server SNMP agent will not be persistent. This may result in issues on the machine that receives SNMP TRAPv3 traps from OneSpan Authentication Server.
Issue 41616: Self-signed certificates created by Microsoft Internet Information Services (IIS) cannot be used (Message Delivery Component (MDC))
Description: When trying to configure email delivery with SSL/TLS using a self-signed certificate created using Microsoft Internet Information Services (IIS) and converted to PEM format using OpenSSL, MDC cannot recognize a valid self-signed certificate and displays an error message. This is caused by the OpenSSL library. In some circumstances, the OpenSSL application itself may display an "Unable to get local issuer certificate (20)" error message.
Affects: All platforms.
Status: No fix available. This is a compatibility issue between OpenSSL and Microsoft IIS. Do not use self-signed certificates generated using Microsoft IIS.
Issue 25333: Undefined TEMP path not supported
Description: A Windows installation will fail if the TEMP environmental variable is undefined or empty.
Affects: All Windows platforms.
Status: No fix available.