TLS/SSL Encryption Setup for Server-Side Components
  • 07 Jan 2025

You can use TLS/SSL encryption to secure the communication flow between OneSpan Authentication Server and its side products.

Using TLS/SSL with SOAP

OneSpan Authentication Server uses SSL to secure SOAP connections between itself and its applications and components. When connecting to OneSpan Authentication Server, the SOAP client uses SSL to verify the server.

To enable TLS/SSL encryption for SOAP

  1. Start the OneSpan Authentication Server Configuration Utility.
  2. Click the Communicators icon, and switch to the SOAP tab.
  3. Select the Enable SOAP checkbox to enable the SOAP protocol and select Enable SSL to use encryption.
  4. Load the Certificate File, and enter your password.
  5. Click OK.

The following OneSpan Authentication Server components can use SSL over SOAP:

  • Digipass Authentication for Windows Logon
  • Digipass Authentication Module products
  • LDAP Synchronization Tool

To enable TLS/SSL for Digipass Authentication for Windows Logon

  1. Start the Digipass Authentication for Windows Logon Configuration Center.
  2. Switch to the Connection Settings tab and select Verify server SSL certificate in the Authentication Server connection settings section.
  3. Click OK.
  4. Install the CA certificate in the Trusted Root Certification Authorities certificate store.

For more information about Digipass Authentication for Windows Logon, refer to the Digipass Authentication for Windows Logon Getting Started Guide and the Digipass Authentication for Windows Logon Product Guide.

To enable TLS/SSL for Digipass Authentication Module

  1. Start the respective configuration application of your product.
  2. Switch to the Connection Settings page and select the Verify server SSL certificate option in the Authentication Server connection settings section.
  3. Click OK.
  4. Install the CA certificate in the Trusted Root Certification Authorities certificate store.

All Digipass Authentication Module products have the same configuration to enable SSL encryption.

To enable TLS/SSL for LDAP Synchronization Tool

  1. Start the LDAP Synchronization Tool Configuration Utility.
  2. Click the Profiles icon.
  3. Click Add to create a profile.
  4. In the LDAP tab, configure the Connection section, and ensure that the LDAPS option is selected.
  5. In the OAS tab, configure the Connection section:

    • Ensure that Verify SSL is selected.
    • On Linux, specify the path to the CA certificate of OneSpan Authentication Server.
    • On Windows, you need to install the certificate in the Trusted Root Certification Authorities certificate store.
  6. Click OK.

Using TLS/SSL encryption for SEAL

Some products that communicate with OneSpan Authentication Server use the SEAL protocol. The protocol has to be configured to use SSL encryption to be regarded as safe.

SEAL over SSL is enabled by default in OneSpan Authentication Server.

SEAL without SSL is also enabled by default in OneSpan Authentication Server. For additional security, consider disabling SEAL without SSL.

To enable TLS/SSL encryption for SEAL

  1. Start the OneSpan Authentication Server Configuration Utility.
  2. Click the Communicators icon, and select the SEAL tab.
  3. In the SEAL tab, select the Enable SEAL checkbox to enable the SEAL protocol and select Enable SSL to use encryption.
  4. Load the Certificate File, and enter your password.
  5. Click OK.

The following OneSpan Authentication Server components/features can use SSL over SEAL:

  • Audit Viewer (for live audit)
  • Replication
  • Message Delivery Component (MDC)
  • Tcl Command-Line Administration tool

To enable TLS/SSL encryption for live audit

  1. Start the OneSpan Authentication Server Configuration Utility.
  2. Click the Auditing icon and select Live Auditing Viewer in the Available Audit Methods tab.
  3. Click Edit.
  4. Select Enable SSL in the Live Audit Settings section.
  5. Load the Certificate file (.pem) in the Server Certificate section, and type your Password.
  6. Click OK.

To enable TLS/SSL for replication

  1. Start the OneSpan Authentication Server Configuration Utility.
  2. Click the Replication icon.
  3. In the Replication Settings, select the Enable Replication checkbox.
  4. Switch to the Destination Servers tab and then click Add.
  5. Select Enabled, enter the Display Name, IP Address, and the Port.
  6. Select Use SSL, load the SSL certificate file and enter the corresponding password (if you set one), and load the certification authority (CA) file of the destination server.

To enable TLS/SSL for Message Delivery Component (MDC)

  1. Start the MDC Configuration Utility.
  2. In the General settings tab, select Enable SSL, load the Certificate file (.pem) in the Server Certificate section, and enter your Password.
  3. Click OK.

If the e-mail delivery option is selected, you must additionally ensure that encryption is used for the e-mail server host.

To enable TLS/SSL for e-mail delivery in Message Delivery Component (MDC)

  1. Launch the MDC Configuration Utility.
  2. Click the Email Delivery icon, and select Enable Email Delivery.
  3. In the SMTP Host section select Use SSL and Use TLS.
  4. Click OK.

To enable TLS/SSL for Tcl Command-Line Administration tool

  1. Open the dpadmincmd.xml file.
  2. Locate the SSL parameter in the configuration file: VASCO>AAL3>SEAL>SSL.
  3. Set Enabled to true.
  4. Set CA-File to the location of the certificate file, e.g. %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin\ikey_seal_serverca.pem.
  5. Save the file.
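
A small audit of the settings from the steps above, added here as an example and not OneSpan's own code. The nesting VASCO>AAL3>SEAL>SSL and the names Enabled and CA-File come from this page; how each value is stored (element text or a `data` attribute), the sample file, and the function names are assumptions, so adapt `_value` to your actual dpadmincmd.xml.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, not a real dpadmincmd.xml; the value layout is an assumption.
SAMPLE = r"""<VASCO><AAL3><SEAL><SSL>
  <Enabled>false</Enabled>
  <CA-File>%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin\ikey_seal_serverca.pem</CA-File>
</SSL></SEAL></AAL3></VASCO>"""

def _value(elem):
    """Read a setting stored as element text or in a 'data' attribute (assumed layouts)."""
    if elem is None:
        return None
    return (elem.text or "").strip() or elem.get("data")

def audit_seal_ssl(xml_text, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means SSL is enabled with a usable CA-File."""
    try:
        node = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if node.tag != "VASCO":
        return [f"unexpected root element <{node.tag}>"]
    for tag in ("AAL3", "SEAL", "SSL"):  # path given on the page
        node = node.find(tag)
        if node is None:
            return [f"missing <{tag}> on the path VASCO>AAL3>SEAL>SSL"]
    findings = []
    enabled = _value(node.find("Enabled"))
    if (enabled or "").lower() != "true":
        findings.append(f"SSL Enabled is {enabled!r}, expected 'true'")
    ca_file = _value(node.find("CA-File"))
    if not ca_file:
        findings.append("CA-File is not set")
    else:
        # os.path.expandvars expands %VAR% only on Windows; elsewhere the path is kept as written.
        expanded = os.path.expandvars(ca_file)
        if not file_exists(expanded):
            findings.append(f"CA-File not found: {expanded}")
    return findings

if __name__ == "__main__":
    # file_exists is stubbed so the constructed sample runs on any machine.
    for finding in audit_seal_ssl(SAMPLE, file_exists=lambda path: True):
        print(finding)
```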
