When the required components have been upgraded, the Configuration Wizard is started to complete the upgrade configuration.
Before you begin
Ensure that you have successfully upgraded OneSpan Authentication Server (see Upgrading OneSpan Authentication Server).
If you want to license OneSpan Authentication Server during initial configuration, obtain and prepare an appropriate license file (see Finalizing pre-installation). Alternatively, you can apply a valid license file after installation via the Administration Web Interface.
Configuring OneSpan Authentication Server
To configure OneSpan Authentication Server (upgrade)
In the Welcome page, select Next.
If required, confirm that you want to update the database schema.
This step is only required if the schema has changed in the current version.
The database schema update cannot be reverted. After updating the database schema, you cannot use an older version of OneSpan Authentication Server.
For more information about schema updates, see ODBC database manual setup.
If required, configure OneSpan Authentication Server to use a valid license.
Open a new command window. From there, copy the license file to /opt/vasco/ias.
Return to the Configuration Wizard and type the location and file name of the license file.
(OPTIONAL) Specify an administrative user ID for the upgrade. The user ID is required for the following purposes:
It is used to assign all new administrative privileges introduced in all versions since the version of OneSpan Authentication Server that is currently being upgraded.
It is used to schedule any key rotation task configured in the Storage Key page. This requires the Rotate Key privilege.
The user ID must exist in the master domain and already have the Administrative Logon privilege assigned.
If you do not want to assign any new administrative privileges to a specific user now, leave User ID blank and click Next to skip this step. To assign the new administrative privileges later, you need to use Rescue Administrator in the Maintenance Wizard.
If required, migrate to HSM.
If SSM is configured for this instance of OneSpan Authentication Server, the Configuration Wizard will display the HSM Migration page.
Select Migrate to Thales ProtectServer (formerly SafeNet) HSM to use and configure a Thales ProtectServer HSM.
Specify the location of the PKCS#11 library file. The file is typically named libcryptoki.so.
Specify the HSM storage data key details: storage key label, storage key KCV (key check value checksum), slot ID, token label, and token PIN.
Specify the HSM sensitive data key details: sensitive data key, sensitive data key KCV, token label, and token PIN.
For more information about setting up a Thales ProtectServer HSM, see Thales ProtectServer hardware security modules (HSM).
Select Migrate to Entrust nShield (formerly nCipher) HSM to use and configure an Entrust nShield HSM.
Note that you need to install and configure the Entrust nShield Hardserver to successfully connect to the HSM.
Provide all the required information:
Specify the HSM storage key label.
Specify the file name of the sensitive data key BLOB file (see Creating a sensitive data key (Entrust nShield)).
Specify the key hash (see Creating a sensitive data key (Entrust nShield)).
For more information about setting up an Entrust nShield HSM, see Entrust nShield hardware security modules (HSM).
Passwords used for hardware security module setup must comply with the default password rules:
At least 7 characters long
Contains at least 1 lowercase character
Contains at least 1 uppercase character
Contains at least 1 numeric character
For more information, refer to the OneSpan Authentication Server Administrator Guide.
To effectively migrate to HSM, start rotation from SSM to HSM keys in the OneSpan Authentication Server Administration Web Interface. Only when the rotation is finished will the migration from SSM to HSM be completed. The HSM keys need to be visible in the Administration Web Interface.
The migration from an SSM to an HSM deployment cannot be reverted. Migrating back to an SSM deployment is not possible.
Furthermore, it is not possible to switch from one HSM to another, for instance, from Thales ProtectServer 2 to Thales ProtectServer 3.
(OPTIONAL) Configure the Secure Auditing settings for the HSM, when migrating from SSM to HSM.
The OneSpan Authentication Server Configuration Wizard allows this configuration only if Secure Auditing was configured before migrating to an HSM. It is not possible to change configuration settings, e.g. epoch settings.
Existing audit data will not be migrated to the HSM.
Configure partitioning for the audit database tables.
This step is available only if you are using the embedded MariaDB database.
If you enable partitioning, audit data is split up into smaller subsets (partitions), instead of having all audit data in one big table. Each partition contains the data for one day. This can improve database performance for queries and delete operations.
If you select this option during upgrade, all historical audit data is split into respective partitions. If you already have a lot of audit data, this can take some time to complete. You can, however, enable audit partitioning at any time after the upgrade.
If required, schedule a key rotation for your storage data key on the Storage Key page.
This page is displayed only if the current storage data key does not use the maximum possible key length of 256 bits and/or has been in use for more than one year.
In any case (except for replication), we strongly recommend that you create a new storage key value via this page.
You must not schedule a key rotation during an upgrade within a replicated environment via this page! You need to do a manual key rotation once all instances have been upgraded (see Post-upgrade tasks and considerations).
When asked if you want to schedule a key rotation, select Yes. Enter a new value for the storage data key. The key value is a 64-digit hexadecimal value; for ease of input, it is split into two input values of 32 digits each. Alternatively, you can use the pre-filled random key value.
For security reasons, you won't be able to view the storage key value again. If you need the storage key value, for example, to upgrade additional instances, copy it while on this page and store it in a safe place.
A new storage data key will require a key rotation to re-encrypt all BLOB data in the OneSpan Authentication Server database. By default, a key rotation task will be scheduled to run right after the wizard completes, scheduled for the upgrade administrator specified in the Upgrade Administrator page. Depending on the number of authenticators, this can take a while. We recommend scheduling the key rotation process for an off-peak period or a designated maintenance window.
Select Proceed.
The configured settings are applied. OneSpan Authentication Server is configured and all respective daemons are started.
Select Finish to close the Configuration Wizard.
The Configuration Wizard applies the configuration to the upgraded OneSpan Authentication Server.
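The storage data key format (64 hexadecimal digits entered as two 32-digit values) and the default password rules for HSM setup can be checked before the values are typed into the wizard. The following shell functions are an added example, not part of the OneSpan documentation or product; all function names are hypothetical and the sample key is a constructed value.

```sh
#!/bin/sh
# Added example: pre-flight checks for values entered in the Configuration Wizard.
# All function names are hypothetical; none of this is part of the product.

# Generate a 256-bit storage data key as 64 lowercase hex digits from the kernel CSPRNG.
gen_storage_key() {
    od -An -N32 -tx1 /dev/urandom | tr -dc '0-9a-f'
}

# Succeed only if $1 is exactly 64 hexadecimal digits (256 bits).
is_valid_storage_key() {
    case "$1" in
        *[![:xdigit:]]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Print the two 32-digit halves, one per line, matching the wizard's two input fields.
split_storage_key() {
    is_valid_storage_key "$1" || return 1
    printf '%s\n' "$1" | cut -c1-32
    printf '%s\n' "$1" | cut -c33-64
}

# Check a password against the default rules listed for HSM setup:
# at least 7 characters, with at least one lowercase, uppercase and numeric character.
check_hsm_password() {
    [ "${#1}" -ge 7 ] || return 1
    case "$1" in *[[:lower:]]*) ;; *) return 1 ;; esac
    case "$1" in *[[:upper:]]*) ;; *) return 1 ;; esac
    case "$1" in *[[:digit:]]*) ;; *) return 1 ;; esac
}

# Constructed sample value for demonstration only, not a real key.
SAMPLE_KEY=0123456789abcdef0123456789ABCDEFfedcba9876543210FEDCBA9876543210
split_storage_key "$SAMPLE_KEY"
```

When generating a real key this way, run it in a private session and record the value in your secrets store at once, because the wizard does not display the storage key again.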
Additional considerations
The Installation Wizard creates a trace file to log the configuration process in the following location:
/var/log/vasco/identikey/ikconfigwizardconsole.trace
If the Configuration Wizard is canceled during the installation or upgrade of OneSpan Authentication Server, the Web Administration Service will not be installed automatically. You can manually initiate the Web Administration Service installation at any time. For instructions, see Installing OneSpan Authentication Server Web Administration Service.
Next steps
(OPTIONAL) Install OneSpan Authentication Server Administration Web Interface.
If required, verify and perform any post-upgrade tasks necessary to complete the upgrade.