Version 3.24 (July 2023)
- Updated on 03 Oct 2024
New features and enhancements
Grace period ends with MDL activation
In previous versions, the grace period of an authenticator instance ended automatically only if a successful OTP authentication happened.
Beginning with 3.24, the grace period also expires automatically after a successful multi-device licensing (MDL) activation, either using an OTP or a signature validation, since this indicates a properly working and activated authenticator as well.
Score-based responses with warnings are now rejected
In previous versions, OneSpan Authentication Server Appliance ignored scoring information in authenticator responses. That means that OTP values with a score warning were accepted anyway.
Beginning with 3.24, OneSpan Authentication Server Appliance evaluates scoring information in authenticator responses. If OneSpan Authentication Server Appliance detects a score warning, it rejects the OTP (even an otherwise valid one). You can detect such cases in the error stack information included in the respective audit message, e.g. "{Error Code: '(-140)' ; Error Message: 'Serial VDS1010000-1 Application APP 1 RO OTP Incorrect - Operation Successful with Platform & User Warning'}".
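Because a rejected-but-valid OTP looks like an ordinary "OTP Incorrect" failure unless you read the error stack, the following added example (not OneSpan code) parses error-stack entries in the format quoted above and picks out the rejections caused by a score warning. The sample entries are constructed; that every such rejection carries error code -140 and the "Operation Successful with ... Warning" text is assumed from the single example on this page.

```python
import re

# Audit error-stack entries constructed for this example in the format the
# release notes quote; serial numbers and the non-warning messages are made up.
SAMPLE_AUDIT_ENTRIES = [
    "{Error Code: '(-140)' ; Error Message: 'Serial VDS1010000-1 Application APP 1 "
    "RO OTP Incorrect - Operation Successful with Platform & User Warning'}",
    "{Error Code: '(0)' ; Error Message: 'Serial VDS1010000-2 Application APP 1 "
    "RO OTP Correct'}",
    "{Error Code: '(-140)' ; Error Message: 'Serial VDS1010000-3 Application APP 1 "
    "RO OTP Incorrect'}",
]

ERROR_STACK_RE = re.compile(
    r"\{Error Code: '\((?P<code>-?\d+)\)' ; Error Message: '(?P<message>[^']*)'\}"
)
SERIAL_RE = re.compile(r"\bSerial (?P<serial>\S+)")


def parse_error_stack(entry):
    """Return (error_code, message) from one error-stack entry, or None if it does not match."""
    m = ERROR_STACK_RE.search(entry)
    if m is None:
        return None
    return int(m.group("code")), m.group("message")


def is_score_warning_rejection(entry):
    """True when the entry is a -140 rejection whose message says the operation
    itself succeeded with a warning, i.e. the OTP verified but the score warning
    caused the rejection (assumed pattern, based on the quoted audit message)."""
    parsed = parse_error_stack(entry)
    if parsed is None:
        return False
    code, message = parsed
    return code == -140 and "Operation Successful with" in message and "Warning" in message


def score_warning_serials(entries):
    """Serial numbers of authenticators whose OTPs were rejected because of a score warning."""
    serials = []
    for entry in entries:
        if is_score_warning_rejection(entry):
            m = SERIAL_RE.search(parse_error_stack(entry)[1])
            serials.append(m.group("serial") if m else "<unknown>")
    return serials
```

Serials that show up repeatedly in this list point at authenticators (or the app instances hosting them) that keep reporting platform or user warnings and are worth a closer look.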
Multiple connections between OneSpan Authentication Server Appliance and MDC
In previous versions, OneSpan Authentication Server Appliance used only one connection to the Message Delivery Component (MDC) service to submit message delivery requests. Each request was queued and processed one after another. This means that later requests could take a long time to be processed if the single connection was blocked by a previous request.
OneSpan Authentication Server Appliance now uses a connection pool, i.e. a number of concurrent connections to the Message Delivery Component (MDC) server. Each connection is used to handle one message delivery and will be closed when completed. If a message is taking longer to deliver, e.g. because the respective gateway is unresponsive, another connection is opened to process the next message, until all connections are in use.
Elapsed time information in audit messages
To make performance investigations easier and to help track issues, OneSpan Authentication Server Appliance captures the elapsed time of specific (SOAP) operations. The elapsed time is added to the audit message record of the respective operation. The Elapsed time audit message field is only visible in the Audit Viewer application.
Note that you do not need to enable performance monitoring to capture the elapsed time, but only the following audit messages will include it:
DNS caching
In previous versions of OneSpan Authentication Server Appliance, with Active Directory back-end authentication enabled, every authentication request would trigger a DNS lookup. For example, 10 authentications per second would lead to 10 DNS queries in the same period. This behavior caused unnecessary latency and was error-prone.
Starting with OneSpan Authentication Server Appliance 3.24, DNS responses are cached for 5 minutes, resulting in slightly faster authentication and more tolerance for DNS failures.
Time monitoring
For OTP-based authentications, clock synchronization is vitally important. An out-of-sync clock or a slowly drifting clock can cause widespread authentication failures.
OneSpan Authentication Server Appliance now has monitoring built in and will warn in case of clock synchronization issues. The time offset to the user-supplied NTP servers is checked once per hour. If no synchronization partner is found for 5 attempts in a row, or if all synchronization peers are off by more than 30 seconds, a warning is displayed on the dashboard.
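The rule above (a warning after 5 consecutive checks without a synchronization partner, or when every peer is off by more than 30 seconds) is easy to get subtly wrong, e.g. by resetting the failure count on a partial result. The following added example (not OneSpan's own code) implements it as a small monitor fed one hourly check at a time; how the offsets are measured and the dictionary input format are assumptions of this example.

```python
MAX_MISSED_CHECKS = 5       # consecutive checks with no reachable NTP peer
MAX_OFFSET_SECONDS = 30.0   # a peer further off than this counts as out of sync


class ClockSyncMonitor:
    """Applies the release notes' warning rule to one hourly check at a time and
    keeps the consecutive-failure count between checks."""

    def __init__(self):
        self.checks_without_peer = 0

    def check(self, peer_offsets):
        """peer_offsets maps NTP server name -> measured offset in seconds, or None
        when that server did not answer. Returns a warning string, or None when
        the clock is considered in sync."""
        reachable = {host: off for host, off in peer_offsets.items() if off is not None}
        if not reachable:
            # No synchronization partner at all: count it, warn once the run is long enough
            self.checks_without_peer += 1
            if self.checks_without_peer >= MAX_MISSED_CHECKS:
                return ("no NTP synchronization partner found in %d consecutive checks"
                        % self.checks_without_peer)
            return None
        # At least one peer answered, so the "no partner" run is broken
        self.checks_without_peer = 0
        # Warn only if every reachable peer is out of tolerance; one good peer is enough
        if all(abs(off) > MAX_OFFSET_SECONDS for off in reachable.values()):
            worst_host = max(reachable, key=lambda h: abs(reachable[h]))
            return ("all %d NTP peers are off by more than %g s (worst: %s at %+.1f s)"
                    % (len(reachable), MAX_OFFSET_SECONDS, worst_host, reachable[worst_host]))
        return None
```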
Link from Administration Web Interface to Configuration Tool
In the Configuration Tool and the Administration Web Interface, there are now links in the top right corner to easily switch between both interfaces.
The link in the Administration Web Interface is only visible for administrators that have the Appliance Administration privilege. The link in the Configuration Tool is always visible.
If share IAS Web Administration Session is enabled (or a login is active), the link will redirect you to the home page of the other tool. If this feature is not enabled, the login page of the other tool will be displayed.
Fixes and other updates
Issues OAS-17565, OAS-350 (Support cases CS0105478, CS0009172, CS0002902): Outdated DNS/IP addresses used for SMS and push delivery
Description: The Message Delivery Component (MDC) default settings for the OneSpan gateways to relay SMS and push notifications are outdated. The respective DNS names will become unavailable in the future. Moreover, the documentation lists outdated or incorrect values in different sections.
Affects: OneSpan Authentication Server Appliance 3.17–3.23
Status: This issue has been fixed. The default values are now set correctly during initial setup and corrected during upgrades where required. The occurrences in the documentation have been updated.
Issue OAS-16908: SMTP line ending rules violated (Message Delivery Component)
Description: In some cases, the Message Delivery Component (MDC) attempts to send emails that violate SMTP line ending rules by using a bare line feed (LF). This behavior can cause SMTP gateways to reject such messages.
Status: This issue has been fixed. MDC now always uses CRLF line endings for SMTP messages.
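SMTP (RFC 5321) requires CRLF as the line terminator and forbids bare CR or LF in message text, which is why strict gateways reject messages like the ones MDC produced. The following added example (not MDC code) detects bare line endings in a message and rewrites them to CRLF without doubling line endings that are already correct; the sample message is constructed for this example.

```python
import re

BARE_LF_RE = re.compile(rb"(?<!\r)\n")   # LF without a preceding CR
BARE_CR_RE = re.compile(rb"\r(?!\n)")    # CR without a following LF


def count_bare_line_endings(message):
    """Return (bare_lf, bare_cr) counts; both are violations of the SMTP line ending rules."""
    return len(BARE_LF_RE.findall(message)), len(BARE_CR_RE.findall(message))


def normalize_crlf(message):
    """Rewrite every line ending (CRLF, bare LF or bare CR) as CRLF.
    Folding to LF first means an existing CRLF is not turned into CRCRLF."""
    unified = message.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return unified.replace(b"\n", b"\r\n")


# Constructed sample: the Subject header and the body line end with a bare LF,
# the kind of message the bug produced; the other headers are already CRLF.
SAMPLE_MESSAGE = (
    b"From: otp@example.com\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Your one-time password\n"
    b"\r\n"
    b"Your one-time password is 123456.\n"
)
```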
Issue OAS-16649 (Support case CS0123143): Incorrect information about license-related limitations (Documentation)
Description: The following documents contain incorrect information about license-related CPU and memory limitations:
OneSpan Authentication Server Virtual Appliance VMware vSphere Guest Installation Guide
OneSpan Authentication Server Virtual Appliance Citrix XenServer Guest Installation Guide
The described limitations no longer exist.
Status: The documentation has been updated.
Issues OAS-16389, OAS-282 (Support cases CS0116388, 182290, 179691): SSL required for Active Directory connections (Documentation)
Description: The documentation contains a warning note, which recommends that you set up SSL for connections between OneSpan Authentication Server Appliance and Active Directory back-end servers.
This recommendation is outdated, since you must set up and use SSL for connections between OneSpan Authentication Server Appliance and the Active Directory back-end server. Unencrypted connections to an Active Directory back-end server do not work reliably (if at all), unless you have a very old and specially configured version of Windows Server.
OneSpan Authentication Server Appliance does not officially support unencrypted connections to Active Directory via LDAP!
Status: The documentation has been updated. The note text has been rephrased to explicitly require SSL for Active Directory connections. The option to disable SSL for Active Directory back-end connections is deprecated and will be removed in a future version of OneSpan Authentication Server Appliance.
Issue OAS-16342 (Support case CS0115832): High processor load with enabled replication
Description: In environments where offline authentications are handled and OneSpan Authentication Server Appliance replication is enabled, the memory and CPU load can increase tremendously under certain circumstances. Authentication requests are properly processed and the replication connections remain active, but replication is not processed fast enough and the replication queue keeps increasing.
Status: This issue has been fixed.
Issue OAS-15457 (Support case CS0107435): Provisioning fails with correct password and OTP
Description: In environments where Stored Password Proxy is set to No and Back-End Authentication is set to Always in the effective policy, provisioning fails even with correct credentials. In such scenarios, the static password and a valid one-time password (OTP) are required as a combined input for the password field. Although the OTP is verified successfully, the static password is not correctly extracted from the combined input. The subsequent back-end authentication fails.
Affects: OneSpan Authentication Server Appliance 3.23
Status: This issue has been fixed.
Issue OAS-15824 (Support case CS0110765): Database connection issue when sending push notifications
Description: Sometimes, when the Message Delivery Component (MDC) service attempts to send a message via a push notification gateway, that external gateway can take a long time to respond (up to several minutes). During this period, OneSpan Authentication Server keeps the related connection to the database alive, thus blocking valuable resources. Under some circumstances, this behavior can cause issues when the database connections are released later.
Affects: OneSpan Authentication Server Appliance 3.18–3.23
Status: This issue has been fixed. The storage subsystem handling has been improved to allow more efficient resource usage. The request-related database connections are released and become available for other threads, while push notifications are being sent.
Issue OAS-13240 (Support case CS0089370): Performance loss due to LDAP connection issue
Description: In some circumstances, the performance can decrease drastically when OneSpan Authentication Server has connection issues with a slow LDAP back-end server and the number of transactions is still increasing. Because resource sharing between threads is handled incorrectly in this case, all threads used for LDAP back-end communication get blocked. In the worst case, this can lead to authentication failures.
Affects: OneSpan Authentication Server Appliance 3.18–3.23
Status: This issue has been fixed.
Issue #143779: Some local time zones do not observe daylight saving time
Description: Some local time zones, e.g. Cairo time, do not observe daylight saving time.
Status: This issue has been fixed. Time zone data has been updated, and time zones will be correctly observed for a little while longer.
Issue #143086: Time-out when OneSpan Authentication Server settings are changed
Description: OneSpan Authentication Server settings (e.g. tracing or provisioning settings) are usually updated without restarting the IDENTIKEY Authentication Server service. However, for systems that are continually very busy, these configuration requests can take a very long time. This might cause the browser to time out, which makes it impossible to change the settings.
Affects: OneSpan Authentication Server Appliance environments that continuously experience high load, and where OneSpan Authentication Server settings are changed.
Status: This issue has been fixed. If OneSpan Authentication Server settings are updated and the IDENTIKEY Authentication Server service has not processed the request within 20 seconds, the service is restarted. This makes it possible to update OneSpan Authentication Server settings even on high-load systems.
Issue #140896: SSL cipher suites documentation out of date (Documentation)
Description: The OneSpan Authentication Server Appliance Administrator Reference contains incorrect information about the supported SSL cipher suites.
Status: The documentation has been updated.
Issue #138951: Audit copy is slow
Description: By default, OneSpan Authentication Server Appliance scans for new audit logs once per minute. A maximum of 1000 logs is copied per attempt. If a large backlog of audit messages is found, fast-copy mode is triggered to synchronize both OneSpan Authentication Server Appliance instances as fast as possible without causing performance issues.
Due to a bug, fast-copy mode is not always activated. For customers with a great number of logs, a brief outage would result in an insurmountable backlog that would take days or weeks to sync.
Status: This issue has been fixed. The fast-copy mode is now triggered correctly, and audit copying replicates messages as fast as the system allows.
Issue #136998: Incorrect administrator level values in documentation (Documentation)
Description: According to the OneSpan Authentication Server Appliance documentation, the highest administrator level is 255. For OneSpan Authentication Server Appliance, administrator levels above 100 are reserved, with 100 being the highest administrator level that a customer can assign.
Status: The documentation has been updated.
Installation guides for OneSpan Authentication Server Virtual Appliance updated (Documentation)
Description: The following documents have been updated and rebranded:
OneSpan Authentication Server Virtual Appliance Microsoft Hyper-V Guest Installation Guide
OneSpan Authentication Server Virtual Appliance VMware Workstation Guest Installation Guide
OneSpan Authentication Server Virtual Appliance VMware vSphere Guest Installation Guide
OneSpan Authentication Server Virtual Appliance Citrix XenServer Guest Installation Guide
Deprecated components and features
Active Directory data stores (Deprecated)
Using Active Directory as the data store is deprecated. Beginning with version 3.24, you can only upgrade existing deployments with Active Directory as data store, but you can no longer select this option for new installations.
There are no plans to further enhance this feature or fix any related issues. The possibility to use AD as data store will be completely removed in a future release of OneSpan Authentication Server (currently planned for 3.25).
You will still be able to use Active Directory for other supported purposes, such as back-end authentication or password and data synchronization.
If you are using AD as data store, we strongly recommend migrating to an ODBC-based data store to allow future upgrades. For more information, refer to the OneSpan Authentication Server Data Migration Guide.
Supported platforms, data management systems, and other third-party products
OneSpan Authentication Server Appliance no longer supports the following products:
Web servers (Web Administration Service)
IBM WebSphere 8.5.5