TLS/SSL-Secured Administration Web Interface

Administration Web Interface can be deployed as TLS/SSL-secured during installation, i.e. your browser will use a TLS/SSL-secured connection (i.e. https) when it connects to the Administration Web Interface.

The OneSpan Authentication Server Setup Utility will deploy the Administration Web Interface TLS/SSL-secured if you deploy it locally. A TLS/SSL certificate and a random password will be generated for this purpose. You can configure these via the Apache Tomcat settings after installation.

Unlike other TLS/SSL certificates generated via the Maintenance Wizard, Apache Tomcat uses a Java keystore that contains the certificate, i.e.:

tomcat_cert.jks

For more information about the TLS/SSL certificates for the other server components generated by the Maintenance Wizard and their location, see Certificates generated via the Configuration Wizard.

The random password used by the TLS/SSL certificate is configured in the Apache Tomcat configuration file, i.e. server.xml. By default, this file is located in:

%PROGRAMFILES%\VASCO\IAS Web Administration\tomcat\conf\server.xml (Windows)

/opt/vasco/iaswas/tomcat/conf/server.xml (Linux)

The Connector element of the Apache Tomcat configuration file controls which certificate files are used, along with their corresponding password. For example:

<Connector 
    port="8443" 
    protocol="org.apache.coyote.http11.Http11NioProtocol" 
    scheme="https" 
    secure="true" 
    SSLEnabled="true" 
    clientAuth="want" 
    sslProtocol="TLS" 
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
    ciphers="<cipher_suite_1>,<cipher_suite_2>" 
    keystoreFile="keystore.jks" 
    keyAlias="ias-tomcat" 
    keystorePass="68pML7bsY$V$!X3#"/>

The certificate file for the Apache Tomcat web server is automatically imported to the Java keystore. To use different certificate files or to configure TLS/SSL certificates for Apache Tomcat, you need to import the certificate file manually to the keystore after you configured the certificates. For more information about manually configuring and importing these certificates, see Manual TLS/SSL configuration for Apache Tomcat.

If you change the Apache Tomcat configuration after the initial setup to use non-SSL communication instead, users who have signed in before may experience issues accessing Administration Web Interface afterward. This issue occurs because of session cookies flagged as secure remaining in the browser cookies data, thus preventing new connections via HTTP.

To fix this issue users need to clear their browser cookies.

Accessing the default SSL-secured Administration Web Interface from some browsers may result in certificate validity issues (see Administration Web Interface connection issues).

Manual TLS/SSL configuration of Administration Web Interface connections to OneSpan Authentication Server

The Administration Web Interface uses the SOAP communicator module to connect to OneSpan Authentication Server. If you manually configured the SOAP SSL configuration after the initial installation (see Configuring SSL certificates), you also need to configure the Administration Web Interface accordingly.

To set up the certificates without re-installing the Administration Web Interface, add the new SOAP certificates manually using the OneSpan Web Configuration Tool (see OneSpan Web Configuration Tool (admintool)).

Manual TLS/SSL configuration for Apache Tomcat

You can use the Install SSL Server Certificate wizard to configure TLS/SSL certificates (see Configuring SSL certificates). These certificates are used for the following:

• SOAP communicator module
• SEAL communicator module
• RADIUS communicator module
• Message Delivery Component (MDC)
• Live auditing via the Audit Viewer

The certificate file for the Apache Tomcat web server is automatically imported to the Java keystore. To use different certificate files or to configure TLS/SSL certificates for Apache Tomcat, you need to import the certificate file manually to the keystore after you configured the certificates.

OneSpan Authentication Server ships with a specific version of the OpenSSL utility. We recommend that you use this version for any procedures involving the openssl command.

By default, this specific version of OpenSSL is located in %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin on Windows and in /opt/vasco/ias/bin on Linux, respectively.

To manually generate a certificate signing request for Apache Tomcat

1. Open a terminal window.

2. Run the following command:

   openssl req -out ikey_tomcat_new.csr -new -newkey rsa:2048 -keyout ikey_tomcat_new.key -config openssl.cnf

3. When prompted, provide a PEM passphrase.

4. When prompted, provide the requested information as follows:

   • Country Name: Country of your organization.
   • State or Province Name: State or province of your organization.
   • Locality Name: City of your organization.
   • Organization Unit: Branch/division of your organization which is using the certificate (e.g. accounting, IT).
   • Organization Name: Name of your organization.
   • Common Name: FQDN or IP address of the server for which the certificate is being created.
   • Email Address

   You can also enter the following optional attributes to include them in your certificate signing request:

   • Challenge Password: password with which the private key will be encrypted (optional)
   • Company Name

After providing all the required details, the certificate signing request file (ikey_tomcat_new.csr) is created in the same folder along with its corresponding private key file (ikey_tomcat_new.key). You can then submit the ikey_tomcat_new.csr file to a third-party certification authority (CA) for signing.

When you receive the signed certificate, configure Apache Tomcat to use it.

To configure Apache Tomcat to use certificates signed by a third-party CA

1. Once you receive the certificate signed by the certification authority (CA), save it as ikey_tomcat_serverca.pem.
2. Delete the old, default certificate used by Apache Tomcat, i.e. ikey_tomcat_cert.pem.
3. Create a new, blank certificate file named ikey_tomcat_cert.pem. This will be the new certificate file to be used by Apache Tomcat.

4. Copy the contents of the following files as is to this new, blank certificate file:

   • ikey_tomcat_new.key, i.e. the private key file previously generated using OpenSSL.
   • ikey_tomcat_serverca.pem, i.e. the certificate file signed by the third-party CA.
   • Note that the contents of ikey_tomcat_new.key should appear on top in the ikey_tomcat_cert.pem file. This means that, in most cases, the first line in ikey_tomcat_cert.pem should appear as follows:

   
   

   -----BEGIN ENCRYPTED PRIVATE KEY -----

   Whereas the last line in ikey_tomcat_cert.pem should typically be:

   ----- END CERTIFICATE -----

5. Copy the ikey_tomcat_cert.pem and ikey_tomcat_serverca.pem files to the default location of the Apache Tomcat TLS/SSL certificates:

   /etc/vasco/ias (Linux)

   %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin (Windows)

6. The certificate container file (.pem) needs to be converted to PKCS #12 format (.p12), so that the keystore can read it.

   
   

   openssl pkcs12 -export -in E:\temp\ikey_tomcat_cert.pem -passin pass:9999xtl3jx99flfu -out E:\temp\ikey_tomcat_cert.p12 -passout pass:!Test1234 -name ias-tomcat

7. Import the PKCS #12 container filer manually to the Java keystore.

   
   

   keytool -importkeystore -deststorepass !Test1234 -destkeystore E:\temp\keystore.jks -srckeystore e:\temp\ikey_tomcat_cert.p12 -srcstoretype PKCS12 -srcstorepass !Test1234

8. Restart Apache Tomcat.