- 03 Oct 2024
Version 3.22 (October 2021)
- Updated on 03 Oct 2024
Release information
Supported operating systems
OneSpan Authentication Server 3.22 supports the following operating systems:
Microsoft Windows
Windows Server 2019
Windows Server 2019 is supported in deployments where OneSpan Authentication Server uses an ODBC data store (e.g. the embedded MariaDB database). Windows Server 2019 is currently not supported with Active Directory (AD) as data store.
Windows Server 2016
Windows Server 2012 R2 Essentials
Windows Server 2012 Essentials
Windows Server 2012 R2
Windows Server 2012
Linux
CentOS 7, 64-bit (version 7.8 and later)
CentOS 6, 64-bit (version 6.10 and later)
Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.8 and later)
Red Hat Enterprise Linux (RHEL) 6, 64-bit (version 6.10 and later)
Ubuntu Server 18.04 LTS, 64-bit
Ubuntu Server 16.04 LTS, 64-bit
Supported ODBC databases
MariaDB 10.2–10.4
OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.
Oracle Database 19c, 18c, and 12c
OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).
Microsoft SQL Server
Microsoft SQL Server 2019 [NEW]
Microsoft SQL Server 2017
Microsoft SQL Server 2016
Microsoft SQL Server 2014
Microsoft SQL Server 2012 Service Pack 4
OneSpan Authentication Server supports the SQLServer AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2019, 2017, 2016, 2014, and 2012 Service Pack 4.
OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.
OneSpan Authentication Server supports the following ODBC drivers:
Microsoft ODBC Driver 17 for SQL Server
Microsoft ODBC Driver 13.1 for SQL Server
Microsoft ODBC Driver 11 for SQL Server
Supported browsers (Administration Web Interface)
The Administration Web Interface supports the following browsers:
Google Chrome
Mozilla Firefox
Microsoft Edge
Internet Explorer
The Administration Web Interface supports all browser versions currently supported by the respective vendors.
Supported web servers (Administration Web Interface)
The Administration Web Interface can be run on these web application servers:
Apache Tomcat 9.0–9.0.48 [NEW]
Oracle Server Java Runtime Environment 8
Azul Zulu 8
IBM WebSphere Application Server 8.5.5
IBM WebSphere SDK Java Technology Edition 8.0
The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for IBM WebSphere EE for manual deployment.
Upgrade path
OneSpan Authentication Server supports direct upgrades from 3.18 or 3.21 to version 3.22 on the supported operating systems.
New features and enhancements
Authenticator type limit policy
OneSpan Authentication Server now allows you to restrict the maximum number of assigned authenticators per user for specific authenticator types. The new authenticator limit is configured via a new policy setting (DIGIPASS Assignment > DIGIPASS Type Limit). By default, no limit is set. For single-device licensing, it is possible to limit the number of assigned authenticators; for multi-device activation/multi-device licensing the setting limits the number of assigned authenticator licenses and activated authenticator instances.
If you need to have more than one authenticator provided to your users, you should still limit the number to avoid having too many authenticators (and/or instances) assigned or activated for single users.
Delete authenticators via Manage User page
You can now delete authenticators via the Manage User page of the Administration Web Interface. A new DELETE button has been added to the Assigned DIGIPASS tab, which can be useful in situations where you need to delete a user's authenticator but you do not know the serial number, e.g. when a user loses their authenticator.
Administrator levels shown in user lists (Administration Web Interface)
The administrator level of users is now included as a separate column in the User list and the Admin session list of the Administration Web Interface. In the Admin session list it indicates the administrator level of the user owning the respective administrator session. For regular users the respective value is left empty.
Schedulable task to remove finished tasks
A new command has been added to remove old finished tasks. This allows you to clean up the task list and remove completed tasks regularly to maintain clarity and avoid performance issues with the task management.
The command is available in the Administration Web Interface via SERVERS > Delete Finished Tasks. It takes the age in days of the finished tasks to be deleted as a parameter. All finished tasks with an end date (completion) older than or equal to this value will be deleted. The command itself schedules a server task that processes the server task table. If required, the cleanup task can be configured to recur on a daily or monthly basis.
Improved validation when deleting users
If you attempt to delete a user who owns any report, report file, or server task, or is the target of a pending operation, OneSpan Authentication Server refuses to delete it. The validation when deleting a user account has been improved. If you delete a user under the aforementioned conditions, you will receive an error message listing the number of connected objects. The respective SOAP operation now returns STAT_INUSE (–20) as status code. This information will also be shown by Web Administration Service.
If maker–checker authorization is enabled, the validation is performed twice, once before the respective pending operation is scheduled and again when it is executed after approval.
Embedded JRE changed to OpenJDK (Web Administration Service)
The embedded Java Runtime Environment (JRE) deployed by the Web Administration Service setup packages has been replaced. Instead of Oracle Java, Web Administration Service now uses Azul Zulu (OpenJDK).
Fixes and other updates
Issue OAS-10513 (Support case CS0075857): SQLite performance issues (Replication)
Description: SQLite performance issues affect the replication between multiple OneSpan Authentication Server instances and increase the replication backlog.
Affects: OneSpan Authentication Server 3.21
Status: This issue has been fixed.
Issue OAS-10200 (Support case CS0073104): Inaccurate description of Max Days Between Authentications (Documentation)
Description: According to the OneSpan Authentication Server Administrator Reference and the Administration Web Interface Help, an administrator account expires by default after 90 days of inactivity. This information is misleading because the default setting of 90 days applies to all user accounts (not only administrator accounts).
Affects: OneSpan Authentication Server 3.17–3.21
Status: The documentation has been updated.
Issue OAS-9928 (Support case CS0070255): High memory usage when using LDAP Synchronization Tool
Description: A potential memory issue affecting administrative operations has been identified. In some environments this can lead to growing memory usage.
Especially in scenarios that involve LDAP user synchronization, OneSpan Authentication Server memory usage can grow rapidly. The consumed memory is not released after synchronization has completed.
Affects: OneSpan Authentication Server 3.17–3.21 (with LDAP Synchronization Tool)
Status: This issue has been fixed.
Issue OAS-9907 (Support case CS0061817): Upgrade issue when existing database column types differ from National Language Support (NLS) parameter
Description: When upgrading an existing deployment using Oracle Database, the ODBC Database Command-Line Utility (dpdbadmin) evaluates the value of NLS_CHARACTERSET. If this parameter is set to AL32UTF8, new text columns will be created as VARCHAR2 or CLOB (depending on the column size). This can lead to issues during upgrades if the existing text table columns were created as NVARCHAR2 or NCLOB. This issue is indicated by error messages such as "ORA-02267: column type incompatible with referenced column type" in the trace file.
Usually, this is only the case if the initial database has been created using the NVARCHAR2 type and NLS_CHARACTERSET was changed later to AL32UTF8.
Affects: OneSpan Authentication Server 3.10–3.21
Status: This issue has been fixed. The dpdbadmin command now verifies whether a value for string_type is set in the vdsControl table (cf. Issues OAS‑336, 95862 (Support case PS‑203002): Performance issues during Oracle Database queries). This value is set by the dpdbadmin command itself if it does not already exist based on NLS_CHARACTERSET. If it is already set, it will be used regardless of the value of NLS_CHARACTERSET.
If you want to upgrade an existing deployment that uses NVARCHAR2 columns, but NLS_CHARACTERSET is set to use VARCHAR2, you can manually set vdsControl.string_type to wchar to force NVARCHAR2 for new columns before you upgrade to OneSpan Authentication Server 3.22.
If string_type is set to wchar, the dpdbadmin addschema command automatically converts all existing columns from VARCHAR2 to NVARCHAR2 and from CLOB to NCLOB, respectively. This conversion cannot be reverted! Do not set string_type manually, unless you need to do so as described!
Issue OAS-9476 (Support case CS0063329): Push notifications are rejected for linked users
Description: When a user attempts an authentication via push notification (push and login) with a user account that is linked to another account, the push notification is correctly sent. Since the user and domain information in the notification is different, the request is rejected by the mobile app and the authentication process fails.
Affects: OneSpan Authentication Server 3.12–3.21 (Mobile app on Android devices)
Status: This issue has been fixed.
Issue OAS-9297 (Support case CS0064510): Assign authenticator fails with certain serial number range parameters (Administration)
Description: When you attempt to assign an authenticator you can specify a range of serial numbers to automatically pick an authenticator from that range. However, the serial number range is incorrectly evaluated if any of the range parameters specifies either a serial number that contains alphabetic character prefixes, e.g. VDS0000001, or a number larger than 2147483648. In either case, the first authenticator found in the database is used for assignment, regardless of its serial number.
Affects: OneSpan Authentication Server 3.12–3.21
Status: This issue has been fixed.
Issue OAS-9102 (Support cases CS0058750, CS0058489): Connection issue due to certificate error (Web Administration Service)
Description: If Web Administration Service attempts to connect to OneSpan Authentication Server via the FQDN, but the TLS/SSL certificate for SOAP connections is issued for the IP address only (or vice versa), the connection cannot be established. You will receive an error that the certificate does not match the common name of the certificate subject.
Affects: OneSpan Authentication Server 3.21
Status: In version 3.21, the certificate handling has been improved; the host name specified in the TLS/SSL certificate is now correctly verified by Web Administration Service. The server address used to connect to the OneSpan Authentication Server instance (either IP address or FQDN) must match the common name or the subject alternative name (SAN) in the TLS/SSL certificate for SOAP connections.
The self-signed TLS/SSL certificates created by the OneSpan Authentication Server Configuration Wizard contain only the IP address in the subject alternative name (SAN). If you need to use the FQDN when establishing the connection, you have to create a certificate that contains the FQDN in the SAN.
The user documentation has been extended to explain this now correct behavior.
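An added example, not part of the OneSpan documentation or product code: a pre-flight check of which connection addresses a certificate will accept, following the rule stated above that the address must match the common name or a SAN entry. The certificate dictionaries are constructed samples in the shape returned by Python's ssl.SSLSocket.getpeercert(); the host name and IP addresses are placeholders, and wildcard names are not handled.

```python
import ipaddress

# Constructed sample: a certificate whose SAN holds only an IP address,
# as described above for certificates created by the Configuration Wizard.
IP_ONLY_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

# Constructed sample: a replacement certificate that also lists the FQDN.
FQDN_CERT = {
    "subject": ((("commonName", "oas.example.test"),),),
    "subjectAltName": (
        ("DNS", "oas.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _as_ip(value):
    """Return a parsed IP address, or None if the value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _names(cert):
    """Collect (kind, value) pairs from the SAN and the subject common name."""
    names = list(cert.get("subjectAltName", ()))
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(("CN", value))
    return names


def address_matches_cert(address, cert):
    """True if the connection address matches the CN or a SAN entry.

    IP addresses are compared as parsed values and only against IP entries;
    host names are compared case-insensitively and only against name entries.
    Simplified on purpose: no wildcard matching (assumption of this example).
    """
    wanted_ip = _as_ip(address)
    for kind, value in _names(cert):
        present_ip = _as_ip(value)
        if wanted_ip is not None:
            if kind in ("IP Address", "CN") and present_ip == wanted_ip:
                return True
        elif kind in ("DNS", "CN") and present_ip is None:
            if value.lower().rstrip(".") == address.lower().rstrip("."):
                return True
    return False


def usable_addresses(candidates, cert):
    """Filter the candidate server addresses down to those the cert accepts."""
    return [a for a in candidates if address_matches_cert(a, cert)]


if __name__ == "__main__":
    candidates = ["192.0.2.10", "oas.example.test"]
    print("IP-only certificate accepts:", usable_addresses(candidates, IP_ONLY_CERT))
    print("FQDN certificate accepts:  ", usable_addresses(candidates, FQDN_CERT))
```

Run it against the address configured in Web Administration Service before rolling out a new certificate; an empty result means the connection will be rejected with the name-mismatch error described above.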
Issue OAS-8967 (Support case CS0062858): Incorrect scheduling of tasks with daily recurrence (Task scheduling)
Description: When you create a task that should run with a daily recurrence on only one particular day of the week, the time of the next execution run is incorrectly calculated. This miscalculation causes the task to run every minute on the particular day of the week.
Status: This issue has been fixed.
Issues OAS-8877, OAS-8180: New dialog boxes in the Administration Web Interface
Description: Dialog boxes in the Administration Web Interface are no longer opened in a separate browser window but are now displayed as an overlay on the same browser page (lightbox pop-up). Issues with pop-up blocker software will no longer occur.
Issue OAS-8812 (Support case CS0058873): Authenticator description not populated from DIGIPASS import file
Description: When you import authenticators from a DIGIPASS import file (.csv) the value of the description column is ignored and not written to the description of the authenticator record in the database.
Affects: OneSpan Authentication Server 3.21
Status: This issue has been fixed.
Issue OAS-8491 (Support case CS0058243): Mandatory options for odbc.ini not documented (Documentation)
Description: The instructions to create an ODBC data source name for MariaDB in the OneSpan Authentication Server Installation Guide for Linux are incomplete. OPTIONS=2 is a mandatory option to be added to odbc.ini, but it is not documented.
Affects: OneSpan Authentication Server 3.12–3.21
Status: The documentation has been updated.
Issue OAS-8397 (Support case CS0058121): OU administrator cannot move user account to child OU
Description: When an organizational unit (OU) administrator attempts to move a user account from the same OU to a child OU, the command fails. An error message in the trace file incorrectly indicates that the administrator does not have access to the top-level domain, which is not required in this case anyway.
Status: This issue has been fixed.
Issues OAS‑8380, OAS‑5374 (Support cases CS0042637, CS0038304): Message Delivery Component (MDC) cannot send notifications via SMTP over SSL
Description: The Message Delivery Component (MDC) service cannot send one-time password (OTP) notifications via an SMTP host that requires SSL encryption. Attempts to do so will fail. This issue is indicated by messages like "A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision." in the trace file. This issue occurs on Windows only; the Linux version of MDC is not affected.
Affects: OneSpan Authentication Server 3.19–3.20 (on Windows)
Status: This issue has been fixed.
Issue OAS-8249 (Support case CS0056576): Incorrect authenticators selected for auto-assignment
Description: In environments with user accounts and authenticators in different organizational units (OU), provisioning using auto-assignment can fail. OneSpan Authentication Server attempts to assign the first authenticator based on the alphabetically sorted serial number, independent of the authenticator's location. If that authenticator is in an organizational unit inaccessible to the user, the assignment process will fail, although a valid authenticator is present in an accessible OU.
Affects: OneSpan Authentication Server 3.16–3.21
Status: This issue has been fixed.
Issue OAS-8248 (Support case CS0057547): Set Authentication Policy Overrides privilege not always effective
Description: The Set Authentication Policy Overrides administrative privilege is not correctly evaluated for global administrators in some circumstances. This allows global administrators without that specific administrative privilege to modify user-specific settings and override the effective client policy settings via the USERS > Policy Overrides tab.
Affects: OneSpan Authentication Server 3.12–3.21
Status: This issue has been fixed.
Issue OAS-8184: New DIGIPASS import file examples
Description: As of OneSpan Authentication Server 3.21 it is possible to upload and process a DIGIPASS import file (CSV) via the Administration Web Interface directly. To help administrators to inspect the file structure and prepare such files themselves more easily, a couple of sample files are now included on the product CD.
Issue OAS-8068 (Support case CS0053630): Server policy is changed to default policy during upgrade
Description: When OneSpan Authentication Server is upgraded to a newer product version, the server policy is changed to Identikey Administration Logon.
Affects: OneSpan Authentication Server 3.20–3.21.x
Status: This issue has been fixed.
Issue OAS-7712 (Support case CS0054596): Different database settings after MariaDB upgrade
Description: If upgrading OneSpan Authentication Server involves an upgrade of the embedded MariaDB database server, the database settings for the upgraded system may be different from the previous installation. This is due to multiple my.ini files after a MariaDB upgrade. OneSpan Authentication Server uses the settings from the old installation.
Affects: OneSpan Authentication Server 3.20–3.21.x
Status: This issue has been fixed. OneSpan Authentication Server now uses the my.ini file of the new product version. In addition, the OneSpan Authentication Server Installation Guide for Windows has been updated and now includes instructions to verify and adapt the MariaDB custom settings in my.ini after each upgrade.
Issue OAS-7408 (Support case CS0051603): Log rotation settings configured in Configuration Utility are not available in Web Administration Service
Description: Log rotation that has been configured using the OneSpan Authentication Server Configuration Utility cannot be maintained in the Administration Web Interface. Opening the log rotation settings in the Administration Web Interface (SYSTEM > Server Configuration > Edit) results in an exception.
Affects: OneSpan Authentication Server 3.20–3.21
Status: This issue has been fixed.
Issue OAS-7306 (Support case CS0052437): Filtering by date results in error (Audit Viewer)
Description: When creating a new date filter in Audit Viewer, an error message is displayed which indicates that the date format is not correct. The error message does not contain information about the supported date format.
Affects: OneSpan Authentication Server 3.20–3.21
Status: This issue has been fixed. Audit Viewer and OneSpan Authentication Server only accept dates in the format YYYY-MM-DD. The error message has been updated to provide information about the supported date format.
Issue OAS-6848 (Support cases CS0053447, CS0049052): Assign authenticator fails with invalid serial number range (Administration)
Description: When you attempt to assign an authenticator you can specify a range of serial numbers. If maker–checker authorization is enabled and the range of serial numbers contains non-existent authenticators, you get an error message that a foreign key constraint is violated. No pending operation is scheduled. A workaround is to specify a valid serial number range containing existent authenticators or to use the Search now to select DIGIPASS to assign option in the Assign DIGIPASS wizard.
Affects: OneSpan Authentication Server 3.12–3.21
Status: This issue has been fixed.
Issue OAS-6598 (Support case CS0044946): Service does not recover from ODBC connection failure
Description: In some circumstances, the OneSpan Authentication Server service cannot properly recover if the connection to the ODBC database is lost and the service attempts to reconnect bad nodes. This issue is indicated by an info message in the trace file: "Not attempting a reconnect, next try allowed earliest at 1969-12-31 23:59:59"
Affects: OneSpan Authentication Server 3.18–3.21
Status: This issue has been fixed.
Issue OAS‑6446 (Support case CS0046669): Unclear information regarding OneSpan Mobile Authenticator setups (Documentation)
Description: The Push Notification Getting Started Guide contains unclear information about the steps which are required to set up deployments that target the OneSpan Mobile Authenticator app. This also includes misleading information about the DIGIPASS Gateway API keys, how to configure your firewall, and which OneSpan Authentication Server client components to use.
Status: The documentation has been updated.
Issue OAS-5264: Incorrect report sorting results (Web Administration Service)
Description: Sorting in the Reports list does not work correctly. If you select to sort by report name, the report list is actually sorted by the internal report ID instead of the displayed report name. Sorting by any column does not take letter casing into consideration. Both can lead to incorrect and unexpected sorting results.
Status: This issue has been fixed. The Reports list is now correctly sorted by the report name and casing is handled correctly.
Issue OAS-4354 (Support case PS‑CS0028491): Log rotation not working with log size greater than 1 GB
Description: If the log size is set to a value greater than 1 GB, log rotation will not work properly.
Affects: OneSpan Authentication Server 3.17–3.21
Status: This issue has been fixed.
Issue OAS‑3897 (Support cases CS0045397, CS0024776, CS0024325, CS0022985): Finished scheduled tasks result in performance issues (Task management)
Description: Scheduled tasks are not removed from the database when they are completed. This can lead to a large number of finished tasks if they are scheduled but not removed regularly. However, OneSpan Authentication Server queries the tasks once a minute to update their progress and state information. In some environments this can yield higher resource consumption after some time and lead to delayed response times, in the worst case to replication failures.
Affects: OneSpan Authentication Server 3.15–3.21
Status: This area of issues has been improved in several steps:
In OneSpan Authentication Server 3.22, a new command has been added to remove old finished tasks. This allows you to clean up the task list and remove completed tasks regularly to maintain clarity and avoid performance issues with the task management.
In OneSpan Authentication Server 3.21, the Task Management page of the Administration Web Interface has been improved to filter the task list based on search criteria for most columns and sort it by different columns.
In OneSpan Authentication Server 3.20, the affected queries have been optimized.
Issue OAS-345 (Support case CS0001464): Missing information about deleting administrators who are report owners (Documentation)
Description: Deleting an administrative user account is not possible if the user is a report owner. The ownership of any affected reports needs to be changed before an administrator can be deleted. This information is missing in the OneSpan Authentication Server Administrator Guide.
Affects: OneSpan Authentication Server 3.12–3.21
Status: The documentation has been updated.
Issues OAS‑336, 95862 (Support case PS‑203002): Performance issues during Oracle Database queries
Description: In deployments where OneSpan Authentication Server uses Oracle Database as data store together with Oracle Database Client version 12.2.0.1 and later, the Administration Web Interface performance is significantly reduced during database queries. This issue is caused by a change in how the Oracle ODBC driver handles string conversion when binding strings to SQL queries. As a result, database indexes become unusable, which leads to full table scans during SQL queries.
Affects: OneSpan Authentication Server 3.12–3.21
Status: This issue has been fixed. The dpdbadmin command now verifies the SQL string types of the existing database columns to determine the data type used for SQL string binding. If it detects mixed column types, it issues an appropriate warning. Instructions on how to correct mismatching SQL string types and prevent performance issues were added to the user documentation.
Issue OAS-326 (Support cases PS-200108, PS-202468): Misleading error message during upgrade (Setup)
Description: When permission issues occur during a OneSpan Authentication Server upgrade on Linux installations, the upgrade process is canceled and an incorrect error message is displayed ("Installation cancelled - data migration from previous upgrade is incomplete.").
Affects: OneSpan Authentication Server 3.10–3.21 (Linux only)
Status: This issue has been fixed. A new error message for permission issues has been introduced.
Issue OAS-265 (Support case PS‑176974): Service stops when importing invalid user import file
Description: When attempting to import user accounts via a user import file that contains lines longer than 1023 characters, the OneSpan Authentication Server service/daemon terminates ungracefully.
Affects: OneSpan Authentication Server 3.12–3.21
Status: This issue has been fixed.
Issue OAS-242 (Support case PS‑166604): No audit data displayed on User Dashboard (Web Administration Service)
Description: The User Dashboard of the Administration Web Interface does not display audit data for a user. OneSpan Authentication Server cannot connect to the audit database.
Affects: OneSpan Authentication Server with PostgreSQL
Status: This issue has been fixed. Support for PostgreSQL was dropped in OneSpan Authentication Server 3.15.
Deprecated components and features
Digipass Authentication for Windows Logon 1.x
OneSpan Authentication Server no longer supports Digipass Authentication for Windows Logon 1.x. The related features, e.g. Dynamic Component Registration (DCR) and the Identikey Windows Logon Client client component, have been removed.
OneSpan Authentication Server continues to support Digipass Authentication for Windows Logon 2.0 and later.
Supported platforms, data management systems, and other third-party products
OneSpan Authentication Server no longer supports the following products:
Web servers (Web Administration Service)
Apache Tomcat 8.x
Future platform support changes
This section summarizes planned and upcoming changes of supported platforms and other third-party products that will become effective in future versions. You are highly encouraged to plan and modify your deployments accordingly to allow future upgrades.
Version 3.23
OneSpan Authentication Server 3.23 will no longer support the following products:
Operating systems
Ubuntu Server 16.04 LTS, 64-bit
Red Hat Enterprise Linux line 6
CentOS line 6
No support is planned for CentOS line 8/Stream 8.
Data management systems
Oracle 12c
Microsoft SQL Server 2012
Web browsers
Internet Explorer
Version 3.24
OneSpan Authentication Server 3.24 will no longer support the following products:
Data stores
Active Directory