When the required components have been installed, use the Configuration Wizard to complete the initial configuration. To launch the Configuration Wizard, click Run Configuration Wizard in the Select Components page of the OneSpan Authentication Server Setup Utility.
On some versions of Windows, the Configuration Wizard requires an administrative logon to the OneSpan Authentication Server host. Therefore you may be prompted to do one of the following:
Confirm that the application should be run as an administrator.
Enter valid administrator credentials for the OneSpan Authentication Server host.
The purpose of either prompt is to elevate your privileges to those required by the application you are attempting to run. If you cannot elevate your privileges, the application will run in a non-elevated state, which will likely result in unexpected behavior.
Before you begin
Ensure that you have successfully upgraded OneSpan Authentication Server (see Upgrading OneSpan Authentication Server).
Configuring OneSpan Authentication Server after upgrade
To configure OneSpan Authentication Server after a product upgrade
In the Start page of the Configuration Wizard, click Next to begin.
On the Update Schema page, click Next to update the database schema.
This page is displayed only if the schema has changed in the current version.
The database schema update cannot be reverted. After upgrading the database schema, you cannot use an older version of OneSpan Authentication Server.
For more information about schema updates, see ODBC database manual setup.
If required, configure OneSpan Authentication Server to use a valid license.
This step is optional and required only if your existing installation of OneSpan Authentication Server does not have a valid license.
If you need a new license, you must first download it from the OneSpan Customer Portal. If you have not already done that you can do it now by going to the specified website, or by clicking Request a License Key. You can click Copy URL to Clipboard to copy the URL to the clipboard; doing so allows you to download the license manually.
Copy URL to Clipboard is useful for servers that do not have a web browser installed, or if you wish to register for a license after the installation instead.
If you already have a license key file, click Browse and select the license key file. You can continue without loading a license key file, but you must load one before you can start to use OneSpan Authentication Server.
(OPTIONAL) Specify an administrative user ID for the upgrade. The user ID is required for the following purposes:
It is used to assign all new administrative privileges introduced in all versions since the version of OneSpan Authentication Server that is currently being upgraded.
It is used to schedule any key rotation task configured in the Storage Key page. This requires the Rotate Key privilege.
The user ID must exist in the master domain and already have the Administrative Logon privilege assigned.
If you do not want to assign any new administrative privileges to a specific user now, leave User ID blank and click Next to skip this step. To assign the new administrative privileges later, you need to use Rescue Administrator in the Maintenance Wizard.
If required, migrate to HSM.
If SSM is configured for this instance of OneSpan Authentication Server, and if an ODBC storage is used, the Configuration Wizard will display the HSM Migration page.
If you choose Migrate to Thales ProtectServer (formerly SafeNet) HSM:
Provide the location of the PKCS11 library file. This file is typically named cryptoki.dll. Click Next to continue.
Provide the storage key details in the HSM Storage Key page:
Storage Key Label: the name of the key used
Storage Key KCV: the key check value checksum
Slot ID: name of the slot where tokens and keys are stored
Token label
Token PIN
Use the HSM Sensitive Data Encryption Key page to provide the following:
Sensitive Data Key label
Sensitive Data Key KCV
Token Label
Token PIN
For more information about hardware security module setup, refer to Thales ProtectServer hardware security modules (HSM).
To effectively migrate to the HSM, start the rotation from SSM to HSM keys in the OneSpan Authentication Server Administration Web Interface. Only when the rotation is finished, will the migration from SSM to HSM be completed. The HSM keys need to be visible in the Administration Web Interface.
The migration from an SSM to an HSM deployment cannot be reverted. Migrating back to an SSM deployment is not possible.
Furthermore, it is not possible to switch from one HSM to another, for instance, from Thales ProtectServer 2 to Thales ProtectServer 3.
(OPTIONAL) Configure the Secure Auditing settings for the HSM, when migrating from SSM to HSM.
The OneSpan Authentication Server Configuration Wizard allows this configuration only if Secure Auditing was configured before migrating to an HSM. It is not possible to change configuration settings, e.g. epoch settings.
Existing audit data will not be migrated to the HSM.
Configure partitioning for the audit database tables.
This step is available only if you are using the embedded MariaDB database.
If you enable partitioning, audit data is split up into smaller subsets (partitions), instead of having all audit data in one big table. Each partition contains the data for one day. This can improve database performance for queries and delete operations.
If you select this option during upgrade, all historical audit data is split into respective partitions. If you already have a lot of audit data, this can take some time to complete. You can, however, enable audit partitioning at any time after the upgrade.
If required, schedule a key rotation for your storage data key on Storage Key page.
This page is displayed only if the current storage data key does not use the possible maximum key length of 256 bit and/or has been in use for more than one year.
In any case (except for replication), we strongly recommend that you create a new storage key value via this page.
You must not schedule a key rotation during an upgrade within a replicated environment via this page! You need to do a manual key rotation, once all instances were upgraded (see Post-upgrade tasks and considerations).
Select Yes, I want to schedule a key rotation to increase security and enter a new value for the storage data key. The key value is a 64-digit hexadecimal value, for ease of input, the value is split into two input values for 32 digits each. Alternatively, you can use the pre-filled random key value.
For security reasons, you won't be able to view the storage key value again. If you need the storage key value, for example, to upgrade additional instances, copy it while on this page and store it in a safe place.
A new storage data key will require a key rotation to re-encrypt all BLOB data in the OneSpan Authentication Server database. By default, a key rotation task will be scheduled to run right after the wizard completes, scheduled for the upgrade administrator specified in the Upgrade Administrator page. Depending on the number of authenticators, this can take a while. We recommend to schedule the key rotation process for an off-peak period or a designated maintenance window.
On the Confirmation page, review the configured settings and click Next to update the configuration.
On the Summary page, review the summary of all operations and errors that may have occurred, and click Next to continue.
Click Finish to close the Configuration Wizard.
You are now returned to the OneSpan Authentication Server Setup Utility.
Next steps
(OPTIONAL) Install IAS Web Administration Service.
If required, verify and perform any post-upgrade tasks necessary to complete the installation.