Version 3.21 (January 2021)

This release includes:

• OneSpan Authentication Server 3.21.0 with OneSpan Authentication Server Framework 3.18

• OneSpan Authentication Server Administration Web Interface 3.21.0

When upgrading to this version, replication between OneSpan Authentication Server Appliance instances will be disabled to avoid compatibility issues that may result from different product versions. You can enable replication after all OneSpan Authentication Server Appliance instances have been upgraded.

OneSpan Authentication Server Appliance supports direct upgrades from 3.20 and 3.20.1 to version 3.21.

You can now upload and process import files via the Administration Web Interface directly without using Data Migration Tool (DMT). A DIGIPASS import file is a comma-separated text file (.csv) that contains authenticator records. They are used, for instance, to import authenticator data from an existing OneSpan Authentication Server Framework environment to OneSpan Authentication Server.

To upload authenticator records in bulk you can now use DIGIPASS > Import DPX and DIGIPASS > Import CSV in the Administration Web Interface, respectively.

The Task Management page of the Administration Web Interface has been improved to handle large numbers of tasks. You can now refine the task list and filter it based on search criteria for most columns. Furthermore, you can also sort the task list by different columns.

The DIGIPASS Properties page of the Administration Web Interface now provides information about the user account to which the authenticator is assigned. You can click the user ID to open the corresponding User Properties page.

In addition to user ID and user name, you can now also search for user accounts by the email address. A respective option has been added to the quick search on the Administration Web Interface home page, the Find/Manage User page, and the respective pages of all wizards where you need to search for user accounts. The use of wildcard characters is supported.

You can now filter search results to include or exclude user accounts with administrative privileges when searching for users. Note that you cannot filter for a particular administrative privilege, but only limit the search results to user accounts that have either any administrative privilege assigned or none. This option is only available if you have the View Administrative Privileges permission assigned.

To improve the handling of report ownership, the following new features and changes have been implemented:

• Extended reports list

  The list of available reports in OneSpan Authentication Server Administration Web Interface has been extended to include an additional column for the report owner. In addition, if you want to search for a particular report in the list, you can now filter and sort the list by report name, report type, description, or owner.

• Administrative privileges

  The Take Report Ownership administrative privilege has been removed and replaced with the new Access Private Reports privilege. Domain administrators with this new privilege can view reports that have the usage and change permissions set to Private. If they have adequate administrative privileges, they can also change or run private reports.

  Administrators can only perform reporting actions in OneSpan Authentication Server Administration Web Interface for which they have sufficient administrative privileges. Actions that require additional/other privileges will not be available, i.e. the respective action buttons will not be displayed.

• Changing report ownership

  The CHANGE OWNER button has been added to the reports list page in OneSpan Authentication Server Administration Web Interface, to facilitate changing of report ownership for multiple reports. Instead of changing one report owner at a time, you can now select the relevant reports in the list and change their owner in bulk.

OneSpan Authentication Server Appliance supports direct upgrades from 3.20 and 3.20.1 to version 3.21.

OneSpan authentication platform

Software libraries

Web servers (Web Administration Service)

Description: An issue exists when you schedule recurring reports to run on any instance in replicated environments where reporting is enabled on more than one OneSpan Authentication Server Appliance instance. Under some circumstances, e.g. in case of high network latency, this setup can result in the reporting task multiplied by the number of instances. If this happens regularly, you end up with a lot of scheduled reports that all try to run at the same time.

Affects: OneSpan Authentication Server Appliance 3.19–3.20 (with replication)

Status: This issue has been fixed. In replicated environments, tasks with the task mode set to ANY are handled as to run in SPECIFIC mode on replication instances. New tasks that are created in a replicated environment are set to SPECIFIC by default.

Description: Vulnerability CVE-2020-17530 in the Apache Struts framework can lead to remote code execution.

For more information refer to:

• https://cwiki.apache.org/confluence/display/WW/S2-061

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17530.

Affects: OneSpan Authentication Server 3.12.13–3.20

Status: This issue has been fixed. Apache Struts has been upgraded to version 2.5.26.

Description: OneSpan Authentication Server Appliance does not create new offline authentication data (OAD) after a successful push notification authentication using Digipass Authentication for Windows Logon. This issue does not occur if the push notification request method is set to KeywordOnly.

Affects: OneSpan Authentication Server Appliance 3.14.15–3.20

Status: This issue has been fixed.

Description: The product ISO image contains a zero-byte file that refers to the VASCO website instead of the OneSpan website.

Affects: OneSpan Authentication Server Appliance 3.6–3.20

Status: This issue has been fixed.

Description: Whenever you change or update the OneSpan Authentication Server Appliance license key, the replication configuration is invalidated and you need to reconfigure OneSpan Authentication Server Appliance replication.

Affects: OneSpan Authentication Server Appliance 3.6–3.20

Status: No fix available yet! The OneSpan Authentication Server Appliance Product Guide and the OneSpan Authentication Server Appliance Administrator Guide have been updated to include a note in the respective sections to remind administrators to reconfigure replication accordingly.

Description: When the service starts and reads encrypted values from the global configuration for the first time, it does not correctly decrypt them, which can lead to issues afterward. For example, if AD security principal credentials are configured, reading the encrypted values fails and causes ALL configuration values to be initialized incorrectly.

Affects: OneSpan Authentication Server Appliance 3.17–3.20 (ODBC deployments)

Status: This issue has been fixed.

Description: When assigning a previously assigned authenticator license used for multi-device licensing (MDL) to another user, the payload key is preserved and reused. This potentially allows the successful decryption of Secure Channel messages with the new user name on the old device.

Affects: OneSpan Authentication Server Appliance 3.7–3.20

Status: This issue has been fixed. Whenever an authenticator license used for multi-device licensing (MDL) is assigned, the payload key is automatically regenerated on assignment or re-assignment to another user (manual or via auto-assignment).

Description: Chinese characters are not correctly displayed in XML and PDF reports.

Affects: OneSpan Authentication Server Appliance 3.12.13–3.20

Status: This issue has been fixed for XML reports.

XML reports now support UTF-8 encoding. The issue can still occur in PDF reports in case of characters that are not defined in the used PDF font.

Description: When generated and opened on Firefox, the Administration Activity Summary PDF report does not contain all relevant data. This issue does not occur with other supported web browsers.

Affects: OneSpan Authentication Server Appliance 3.20

Status: This issue has been fixed.

Description: The OneSpan Authentication Server Appliance Administrator Guide provides incomplete information about editing existing HTML reports. Instructions to adapt the corresponding report templates are missing.

Affects: OneSpan Authentication Server Appliance 3.7–3.20

Status: The documentation has been updated.

Description: There is a potential security issue when files are uploaded in OneSpan Authentication Server Appliance.

Affects: OneSpan Authentication Server Appliance 3.7–3.20

Status: This issue has been fixed. Security measures have been enhanced to improve the overall security of file uploads.

Description: The OneSpan Authentication Server Appliance Administrator Guide provides an overview about the different OneSpan Authentication Server administrator accounts used in ODBC deployments. The respective section is not too extensive in some cases and does not explain organizational unit administrators.

Affects: OneSpan Authentication Server Appliance 3.6–3.20

Status: The documentation has been updated.

Description: In the OneSpan Authentication Server Appliance Administrator Reference, audit message codes do not contain a hyphen between the message type indicator and the number.

Affects: OneSpan Authentication Server Appliance 3.7–3.20

Status: The documentation has been updated.

Description: By default, Web Administration Service does not use HTTP response headers that can help to prevent malicious attacks.

Affects: OneSpan Authentication Server Appliance 3.9.10–3.20

Status: This issue has been fixed. Web Administration Service now uses recommended security-related HTTP response headers, such as to enable XSS filter in the web browser and Content Security Policy (CSP) settings.

Description: The OneSpan Authentication Server Appliance product documentation does not contain a list of authenticators and their product name abbreviations used in the DIGIPASS export file (DPX).

Affects: OneSpan Authentication Server Appliance 3.7–3.20

Status: The documentation has been updated. A list of authenticators has been added to the OneSpan Authentication Server Appliance Administrator Reference.

Description: An issue has been reported when delayed activation is enabled and configured to send delayed activation messages via SMS and a user without a configured mobile number is attempting to activate an authenticator.

Affects: OneSpan Authentication Server Appliance 3.9.10–3.20

Status: This issue has been fixed. The activation is completed successfully. The warning audit message W‑009002 has been extended to include the information that a mobile number is missing.

Description: In reports and runtime query definitions, you can type any date format or string value for the date fields. The provided value is not validated, and OneSpan Authentication Server Appliance cannot process the request.

Affects: OneSpan Authentication Server Appliance 3.12.13–3.20

Status: This issue has been fixed. A datepicker has been added to the Administration Web Interface. The Administration Web Interface and OneSpan Authentication Server Appliance accept dates in ISO format (e.g. YYYY-MM-DD) and in the format YYYY/MM/DD.

Description: The Push Notification Getting Started Guide states that DIGIPASS Gateway requires an open network port within the IP range 11000–11100. This information is misleading. DIGIPASS Gateway requires a known public IP address. The chosen port has to be open and accessible. The default port used by DIGIPASS Gateway is 11080 and has to be used if you are using the OneSpan Mobile Authenticator app.

Affects: OneSpan Authentication Server Appliance 3.12.13–3.20

Status: The documentation has been updated.

Description: In the Administration Web Interface, if you want to retrieve a report, you need to switch to the SYSTEM menu. Instead, the corresponding menu item should be part of the REPORTS menu.

Affects: OneSpan Authentication Server Appliance 3.12.13–3.20

Status: This issue has been fixed. The Report Retrieval menu item was renamed to Retrieve report and moved to the REPORTS menu.

Description: The Push Notification Getting Started Guide contains incorrect information about the OneSpan User Websites client type in OneSpan Authentication Server Appliance. The OneSpan User Websites license requires the client type to be IDENTIKEY User Websites (instead of OneSpan User Websites).

Affects: OneSpan Authentication Server Appliance 3.17–3.20

Status: The documentation has been updated.

Description: The Push Notification Getting Started Guide provides information about how to test if DIGIPASS Gateway has been correctly installed and is reachable. The -v option is missing from the curl command that is used for this test.

Affects: OneSpan Authentication Server Appliance 3.12.13–3.20

Status: The documentation has been updated.

Description: The Push Notification Getting Started Guide states that DIGIPASS Gateway requires an open network port for incoming requests, by default 11080. However, the documentation does not specify, which network protocol is required (that is, TCP).

Affects: OneSpan Authentication Server Appliance 3.12.13–3.20

Status: The documentation has been updated.

Description: The User Dashboard in the Administration Web Interface does not correctly show whether a user account has administrative privileges assigned or not.

Affects: OneSpan Authentication Server Appliance 3.17–3.20

Status: This issue has been fixed.

Description: In OneSpan Authentication Server Appliance 3.17, PostgreSQL was replaced with MariaDB. Systems that have been upgraded from OneSpan Authentication Server Appliance 3.16 may still have some PostgreSQL files on their file system.

Affects: OneSpan Authentication Server Appliance 3.17–3.20

Status: This issue has been fixed. The stale files have been removed in OneSpan Authentication Server Appliance 3.21.

Description: When restoring a backup on OneSpan Authentication Server Appliance 3.20, spurious tables are sometimes created in the database. These tables can lead to errors during later upgrades or backup restores.

Affects:  OneSpan Authentication Server Appliance 3.17–3.20

Status: This issue has been fixed. On OneSpan Authentication Server Appliance 3.21, no more spurious tables will be created when restoring a backup, and unexpected tables will be removed.

Description: Backups from OneSpan Authentication Server Appliance 3.20.0 cannot be restored on version 3.20.1. However, backups from OneSpan Authentication Server Appliance 3.20.0 are correctly restored on version 3.20.0, and backups from OneSpan Authentication Server Appliance 3.20.1 are correctly restored on version 3.20.1.

Affects: OneSpan Authentication Server Appliance 3.20.1

Status: This issue has been fixed. Backups from OneSpan Authentication Server Appliance 3.20.0 can be restored on version 3.21. A patch is available for OneSpan Authentication Server Appliance 3.20.1.

Description: Some valid performance filters are missing from the UI.

Affects: OneSpan Authentication Server Appliance 3.20 and earlier

Status: This issue has been fixed. The missing performance filters have been added to the UI.

Description: Windows will find the default OneSpan Authentication Server Appliance SEAL and SOAP certificates invalid because they have no valid certificate revocation list.

Affects: Windows operating system with certificates created on OneSpan Authentication Server Appliance 3.20.x or earlier

Status: This issue has been fixed. A certificate revocation list has been added to all new certificates (generated on version 3.21 or later). Existing certificates have not been amended so as not to impact any production services.

Description: The audit copier component starts consuming 100% CPU when certain network exceptions occurred.

Affects: OneSpan Authentication Server Appliance 3.17–3.20

Status: This issue has been fixed. A patch is available for versions 3.17–3.20.

Description: When setting up replication, the initial database synchronization causes one host to receive all settings from its replication partner. This can cause the ikldapsync settings to be no longer valid, resulting in ldapsync no longer working.

Affects: OneSpan Authentication Server Appliance 3.20

Status: This issue has been fixed. ldapsync is reconfigured after setting up replication.

Description: It is not possible to enable/disable the report scenario from the UI.

Affects: OneSpan Authentication Server Appliance 3.20 and earlier

Status: This issue has been fixed.

Description: For some operations, when the UI loses connection to the server, an unclear error message is displayed.

Affects: OneSpan Authentication Server Appliance 3.20 and earlier

Status: This issue has been fixed. The error message now provides more useful information.

Description: Certain database errors are badly handled, causing an invalid page counter to be returned to the UI. This invalid page counter error is  not useful for reporting the underlying problem.

Affects: OneSpan Authentication Server Appliance 3.17–3.20

Status: This issue has been fixed. Database errors are now correctly handled and displayed.

Description: When (re-)creating the audit database and the OneSpan Authentication Server database already exists, no indexes are created. This results in poor performance of OneSpan Authentication Server Appliance. This situation does not normally occur and has only been observed after support interventions.

Affects: OneSpan Authentication Server Appliance 3.20 and earlier

Status: This issue has been fixed.

Digipass Authentication for Steel-Belted RADIUS Server has reached end of life and is no longer shipped with OneSpan Authentication Server Appliance.

OneSpan Authentication Server Appliance continues to support previous versions of Digipass Authentication for Steel-Belted RADIUS Server.

Digipass Authentication for Epic Hyperspace has reached end of life and is no longer shipped with OneSpan Authentication Server Appliance.

OneSpan Authentication Server Appliance continues to support previous versions of Digipass Authentication for Epic Hyperspace.