Version 3.28 (December 2025)

OneSpan Authentication Server 3.28 supports the following operating systems:

Microsoft Windows

• Windows Server 2025  NEW 

• Windows Server 2022

• Windows Server 2019

• Windows Server 2016

Linux

• Red Hat Enterprise Linux (RHEL) 9, 64-bit

• Red Hat Enterprise Linux (RHEL) 8, 64-bit

• Rocky Linux 9, 64-bit

• Rocky Linux 8, 64-bit

• Ubuntu Server 22.04 LTS, 64-bit

• Ubuntu Server 20.04 LTS, 64-bit

• MariaDB 10.11.5 (included as embedded database)

  If you install the embedded MariaDB database, the DBeaver 23.3.0 database tool is also installed.

  OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.

• Oracle Database 19c

  OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).

• Microsoft SQL Server

  • Microsoft SQL Server 2022

  • Microsoft SQL Server 2019

  • Microsoft SQL Server 2017

  • Microsoft SQL Server 2016

OneSpan Authentication Server supports the SQLServer AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2022, 2019, 2017, and 2016.

OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.

OneSpan Authentication Server supports the following ODBC drivers:

• Microsoft ODBC Driver 18 for SQL Server

• Microsoft ODBC Driver 17 for SQL Server

• Microsoft ODBC Driver 13.1 for SQL Server

On Linux, OneSpan Authentication Server requires unixODBC to be installed and properly configured. It is your responsibility to install unixODBC and keep it up to date.

The Administration Web Interface supports the following browsers:

• Google Chrome

• Mozilla Firefox

• Microsoft Edge

The Administration Web Interface supports all browser versions currently supported by the respective vendors.

The Administration Web Interface can be run on these web application servers (based on the respective JRE):

• Apache Tomcat 10.1.48 (included)  NEW 

  • Oracle Server Java Runtime Environment 17

  • Azul Zulu 17 (17.62.17 included  NEW )

  Fixes: CVE-2025-48989, CVE-2025-48988, CVE-2025-31651, CVE-2025-31650, CVE-2025-24813

• Open Liberty (tested with 25.0.0.1-full-java17-openj9)

• WebSphere Liberty (tested with 25.0.0.1-full-java17-openj9-ubi)

The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for Open Liberty and WebSphere Liberty for manual deployment.

Software libraries

OneSpan Authentication Server 3.28 integrates and uses Authentication Suite Server SDK 4.0.1.1 (formerly OneSpan Authentication Server Framework).

This version is a major upgrade and introduces breaking changes. Once BLOB data is processed by this version, it cannot be processed by any version earlier than 3.27 anymore.

OneSpan Authentication Server supports direct upgrades from 3.24 or 3.27 to version 3.28 on the supported operating systems.

OneSpan Authentication Server now fully supports and uses 256-bit keys for storage data keys to encrypt sensitive data at rest. The Administration Web Interface now allows you to create and manage 256-bit keys.

When you upgrade an existing OneSpan Authentication Server deployment, the Configuration Wizard now verifies if the current storage key doesn’t use the possible maximum key length of 256 bit or if it has been in use for more than one year. If either is the case, it allows you to create a new storage key and schedule a key rotation task to re-encrypt all BLOB data in the OneSpan Authentication Server database. In any case, we strongly recommend that you create a new storage key value if suggested by the Configuration Wizard.

You must not schedule a key rotation during an upgrade within a replicated environment via the Configuration Wizard! You need to do a manual key rotation, once all instances were upgraded (see Pre-upgrade tasks and considerations).

You can now set up the Administration Web Interface to integrate with an OpenID Connect (OIDC) provider, such as Microsoft Entra ID, to use that as an external authentication method for single sign-on (SSO). This allows administrative users to authenticate and sign in to the Administration Web Interface via OIDC.

The reporting system has been enhanced in several ways:

• You can now natively create CSV reports for list analysis reports using a new built-in CSV report format. This new format is especially useful if you need create very large reports (1 GB or bigger). If you want to create CSV data for other report types or a different set of data, you can still create a custom report template and use XSLT transformation.

• You can now create any report in background regardless of the report format (previously only PDF).

• You can now download any report after it has been created regardless of the report format (previously only PDF).

• Report files now use correct file extensions depending on the used report format.

• Report files now use more meaningful file names, including a timestamp and a random suffix.

• To prevent large report files from freezing the browser tab, the Administration Web Interface now allows to open report files only if they do not exceed a certain size limit. This size limit can be configured via the web application configuration file.

• The download of report files has been improved to greatly minimize the memory overhead by streaming the report data.

Breaking change

These improvements require that you now have the View Task and the View Report File privileges (additionally to the Run Report privilege) to run a report immediately or with default values.

The system dashboard of the Administration Web Interface has been enhanced:

• It now includes a Transaction Count section that shows metrics for the number of transactions (including their completion status) grouped by transaction type. You can select the range to view, for example, to show only transactions from the last 24 hours.

• You can now expand and collapse each section of the system dashboard. The view state, including the time range selected for the transaction count, is stored in the browser’s local storage.

• The data of each section is now cached. Each section can be individually refreshed on demand without blocking the system dashboard.

The system dashboard is an experimental feature and subject to be changed and vastly extended and enhanced in upcoming releases.

A new cleanup strategy for the Bulk Cleanup DIGIPASS wizard has been added. The new Instances without PNID strategy deletes all authenticator instances that have no DIGIPASS Push Notification Identifier (PNID) assigned and were never used (last authentication time is not set). The PNID is implicitly set when an authenticator instance is bound to a mobile app. The last authentication time is initially set when the authenticator instance is effectively activated.

The Bulk Cleanup DIGIPASS wizard now allows to perform a test run. If selected, the command is executed but only searches for authenticators and authenticator instances that match the strategy without deleting any data.

An overview of the items that would be deleted is stored in the status information of the respective server task when completed. The server task also generates a CSV report to provide a complete and detailed summary of the items that would be deleted. That report can be downloaded via the Task Management page.

In previous versions, the start time and the expiration time of an authenticator license was only propagated to the linked authenticator instance once, specifically when you created a new instance via provisioning (multi-device licensing). If you changed the start time or the expiration time of an authenticator license explicitly, existing authenticator instances were not affected. Hence, such authenticator instances would remain valid, even if the respective authenticator license’s expiration time was set to an earlier date and had already passed.

The new global Propagate expiration time setting allows you to configure this behavior in general and determine whether the start time and the expiration time of the linked authenticator instances should also be updated when you update the start time and/or the expiration time an authenticator license in the authenticator properties or set them explicitly using Set Expiration.

The user interface to enter various encryption key values has been enhanced to improve usability. On the Upload File page of the Import DPX wizard, the transport key is now automatically formatted into groups of four characters to facilitate data entry. On the SERVERS > Create new key page, the Key Value field is also formatted into groups of four characters and restricted to the maximum key length permitted depending on the selected key usage. Furthermore, it provides an option to automatically generate a random key value of the maximum key length.

The Find/manage DIGIPASS page now allows to refine search queries and filter the results based on the last authentication time. The new Last Authenticated options allow to find all authenticators that where used after/before a specific time, respectively, or within a specific time range. You can also search for authenticators that where never used before at all (and have no last authentication time set).

The SOAP receive timeout defines (in seconds) how long the SOAP communicator should wait for data after an incoming RECEIVE request from a socket before declaring the request as failed due to inactivity (stall time). The higher this value, the longer connections will remain open.

In previous versions, the SOAP receive timeout was fixed and pre-defined as 5 seconds. Beginning with 3.28, you can now configure this value via the OneSpan Authentication Server configuration file (identikeyconfig.xml) by setting the SOAP-Receive-Timeout value. You can increase this value if you experience a lot of connection issues with SOAP clients, for example, Digipass Authentication for Windows Logon.

<VASCO>
    <Communicators>
        <SoapCommunicator>
            <SOAP-Receive-Timeout type="unsigned" data="5"/>
            ...
        </SoapCommunicator>
    </Communicators>
</VASCO>

To help investigating issues with stale database connections, the OneSpan Authentication Server trace file now includes the number of used connectors as well as the total number of connectors when it attempts to establish a new ODBC connection. The number of used connectors are given for the current node, for example, ODBC, the total is the number of available connectors.

If a connection cannot be established and the number of used and total connectors are equal, then all configured connectors are valid and currently used. If a connection cannot be established, but the number of used connectors is lower than the total connectors, then some bad connectors exist that OneSpan Authentication Server cannot use.

If you deploy the Administration Web Interface via the provided setup package, the embedded Apache Tomcat web application server is now pre-configured to provide a health check endpoint:

https://was_host:was_port/health

This endpoint can also be used to respond to cloud orchestrator health checks.

If you deploy the Administration Web Interface manually, you need to configure the web application server accordingly to provide a health check if possible.

Description: In some environments, after an upgrade of an existing OneSpan Authentication Server deployment from version 3.26 to provisioning operations using DSAPP-SRP fail with "An operating system call failed" error message.

Affects: OneSpan Authentication Server 3.27.2

Status: This issue has been fixed.

Description: In some environments, after an upgrade of an existing OneSpan Authentication Server deployment from version 3.26 to 3.27, the LDAP authentication does no longer work. Administrative logons to are unsuccessful and indicated by a "Standard Template Library exception has occurred. Access Violation" error message in the trace file.

Affects: OneSpan Authentication Server 3.27.2

Status: This issue has been fixed.

Description: When the OneSpan Authentication Server service/daemon receives a burst of invalid TLS connection attempts from a client on the SOAP port (8888 by default), the service/daemon becomes unresponsive on all other SOAP connections. The SOAP clients receive a connection reset by peer error.

Affects: OneSpan Authentication Server 3.27.3

Status: This issue has been fixed.

Description: Several issues with the support of some RADIUS protocols have been identified:

• The MPPE send key length (MS-MPPE-Send-Key attribute) in response packets sent by OneSpan Authentication Server are incorrect.

• The server terminates unexpectedly in some cases during the authenticator response generation.

• The EAP message identifiers are set to random values instead of following the sequence requested by the RADIUS client.

• RADIUS packets include unnecessary empty Reply-Message attributes.

Furthermore, several issues with RADIUS fast reconnect (fast re-authentication) have been identified:

• The respective TLS sessions were incorrectly flagged as not resumable, effectively preventing RADIUS fast reconnect from working at all.

• The server terminates unexpectedly in some cases during the TLS session resumption approval.

• Changing the TLS session expiry policy parameters have no effect on the expiration of existing sessions.

• The TLS session lifetime parameter value is always subtracted by 60 seconds.

Affects: OneSpan Authentication Server 3.22–3.27

Status: The listed issues have been fixed. Additionally, the following improvements were implemented:

• Additional TLS session Id logging during fast reconnect was added.

• The thread safety of the TLS sessions cache was improved.

These fixes effectively enable RADIUS fast reconnect by default, which was not working before. Note that you cannot currently block fast reconnect for individual devices that have been stolen or compromised, and such devices continue to successfully perform fast reconnect even after the user credentials are changed. For more information about this security concern and how to mitigate it, see Fast reconnect.

Description: Under some circumstances, when the text file audit method is configured to separate audit data on a daily basis (for example, the file mask is {year}{month}{mday}.audit) and the Always keep file open option is disabled, the audit system does not always create a new audit file.

Affects: OneSpan Authentication Server 3.27.3

Status: This issue has been fixed.

Description: To reduce the amount of processed data and speed up the server data migration process after an upgrade, the data version is tracked for each database table individually. Under some circumstances, a database table that is already considered as being up-to-date may contain individual records that are not yet migrated. This can happen, for example, if replication is enabled and updates records with an older data schema version in an otherwise already migrated table (newer data schema version). Such records are ignored and not processed by the data migration task.

Affects: OneSpan Authentication Server 3.23–3.27

Status: This issue has been fixed. If the server detects data records that are not migrated yet, although the table data version indicates it, the stored table data version is ignored and the records are properly processed.

Description: When you deploy a basic installation with the embedded MariaDB DBMS and the included ODBC driver, the setup uses TLS by default. However, the respective ODBC parameter in the Windows registry is not explicitly set, i.e., HKLM\SOFTWARE\ODBC\ODBC.ini\IAS embedded database\forceTLS. This allows administrators to inadvertently set this value when they update the system DNS settings, in the worst case effectively disabling TLS for database connections. This leads to connection failures and, in case of an upgrade, to errors when the database schema is verified.

Affects: OneSpan Authentication Server 3.22–3.27 (on Windows with embedded MariaDB)

Status: This issue has been fixed. The respective ODBC setting is now explicitly set to enforce TLS on Windows (in the Windows registry) and on Linux (in the ODBC.ini file).

Description: Some fields on the Create New Client page and the Create New Back-End Server page are not properly verified and can be potentially exploited for cross-site scripting (XSS) attacks.

Affects: OneSpan Authentication Server 3.22–3.27

Status: This issue has been fixed.

Description: The ODBC database command-line utility (dpdbadmin) does not differentiate between certain common database connection issues, therefore not displaying a proper error message. For instance, if dpdbadmin cannot connect to the database, because the specified DSN is not configured, it misleadingly displays (and returns the respective exit code) that the database authentication failed.

This issue also affects the setup when upgrading an existing installation, which implicitly runs dpdbadmin to test whether the data migration has been completed.

Affects: OneSpan Authentication Server 3.22–3.27

Status: This issue has been fixed. The database connection error handling was improved, the ODBC database command-line utility now provides more accurate error messages in case of database (connection) issues. It now also returns two new dedicated exit codes to indicate that the configured database is either unavailable or the connection timed out (18) or that the specified DSN is invalid or not configured (19).

The setup evaluates the new exit codes and present a more meaningful error message.

Description: When you attempt to upload a custom report format template to an existing report via the REPORTS page in the Administration Web Interface, you receive an error message that you need to specify a valid file to upload. However, uploading a custom report format template during the creation of a report with the Define Report wizard works.

Affects: OneSpan Authentication Server 3.27

Status: This issue has been fixed.

Description: When you configure an HTTP gateway for SMS delivery to use JSON content type and attempt to test it, the MDC Configuration Utility sends the payload as plain text, resulting in an error from the HTTP gateway.

Affects: OneSpan Authentication Server 3.27

Status: This issue has been fixed. The MDC Configuration Utility now correctly encodes messages with the configured content type when testing HTTP gateways.

Description: When you attempt to update the settings for an authenticator, for example, setting a grace period, and the last authentication time value of that authenticator is already set, the operation fails with a "Cannot Validate -Field is not an input for this command. <object:command><Digipass:3>, field<name:type><Last Authentication Time:DATETIME>" error message. This issue only occurs if you use the Administration Web Interface for the update.

Affects: OneSpan Authentication Server 3.27.2

Status: This issue has been fixed.

Description: Several issues with the support of some RADIUS protocols have been identified:

• OneSpan Authentication Server responds with invalid Microsoft Point-to-Point Encryption (MPPE) keys to EAP-TTLS/PAP and PEAP/EAP-MSCHAPv2 access requests.

• OneSpan Authentication Server responds with invalid authenticator response content to PEAP/EAP-MSCHAPv2 access requests.

• OneSpan Authentication Server does not respond or terminates unexpectedly when receiving EAP-TTLS/PAP and PEAP/EAP-MSCHAPv2 access requests.

• OneSpan Authentication Server is unable to authenticate users with passwords that contain Unicode characters using PEAP/EAP-MSCHAPv2. Note that MSCHAPv2 only supports passwords representable by the UCS-2 encoding, i.e. the Basic Multilingual Plane (BMP) code point set.

Affects: OneSpan Authentication Server 3.22–3.27.2

Status: This issue has been fixed.

Description: In some circumstances, if you attempt to upgrade an existing basic OneSpan Authentication Server deployment, the setup can terminate unexpectedly when it processes and tries to upgrade the embedded MariaDB. This issue can occur if an older MariaDB folder exists. In that case, the data folder parameter in the MariaDB configuration file (my.ini) is not handled correctly.

Affects: OneSpan Authentication Server 3.26–3.27.2 (on Windows with embedded MariaDB)

Status: This issue has been fixed.

Description: In some environments with a lot of concurrent, inactive connections (open, but not sending data), the OneSpan Authentication Server service/daemon does not detect pending data. This can impede other, also active, connections and lead to longer response times in general.

Affects: OneSpan Authentication Server 3.22–3.27.2 (on Windows)

Status: This issue has been fixed.

Description: After upgrading a deployment of Web Administration Service that has a OneSpan Authentication Server instance configured using the FQDN, the setup adds another server entry for the same instance but with the resolved IP address. This is caused by the setup, which runs admintool autoadd to configure the server instance and automatically retrieve and add the respective server certificates to the trust store. The command always uses the IP address.

Affects: OneSpan Authentication Server 3.22–3.27

Status: This issue has been fixed. During an upgrade the setup now runs admintool autoadd only if no configuration file (admintool.properties) exists or if the configuration file does not contain a respective server entry.

Description: An issue has been identified that can happen in environments where Windows user name translation is enabled and the case conversion for user IDs and domains is set to Convert to lowercase (ODBC settings). If a user authenticates with a user account that is stored in uppercase in Active Directory, the user ID is correctly converted to lowercase and the authentication succeeds. However, the user ID is incorrectly written to the audit log in uppercase.

This behavior does not impact user authentication functionally, but because the user ID in the audit messages use an incorrect character casing, user authentication operations are not included in the recent activity of the affected users (User Dashboard).

Affects: OneSpan Authentication Server 3.22–3.27

Status: This issue has been fixed.

Description: When you attempt to overwrite the SNMP configuration with invalid server settings, for example, an invalid IP address, the Configuration Utility cannot restart the SNMP service, but only shows a generic error message.

Affects: OneSpan Authentication Server 3.22–3.27 (on Windows)

Status: This issue has been fixed. The validation of the IP address and port of the SNMP service has been improved, and the Configuration Utility now also shows a specific error message if it cannot restart the SNMP service.

Furthermore, the documentation was extended and now explicitly explains that the location of the SNMP service to configure with the Configuration Utility is usually the same as the OneSpan Authentication Server host.

Description: The secure audit configuration pages can disappear from the Configuration Wizard, when you click Back in the SOAP SSL Certificate page, before you finish the wizard. The settings that were previously set in the secure audit configuration pages are written to the XML configuration file. This issue occurs only if you perform an advanced installation and configure secure audit in the Configuration Wizard.

Affects: OneSpan Authentication Server 3.22–3.27

Status: This issue has been fixed.

Description: When running a list report that includes authenticators and users as data source, for example, the DP per User report, and in the unlikely case that an authenticator and a user have the same identifier, the OneSpan Authentication Server service/daemon can terminate unexpectedly due to a memory access violation while processing the data group levels.

Affects: OneSpan Authentication Server 3.22–3.27

Status: This issue has been fixed.

Description: Two problems with the user selection when doing a manual assignment were reported:

1. When you search for users in a particular domain who do not have an authenticator assigned via the Find/Manage User page, and then manually assign an authenticator to a user, you are automatically redirected back to the User list after completing the assignment. However, the User list now incorrectly indicates one selected user, although no user is selected (since the originally selected user has now an authenticator assigned).

2. The second problem occurs if you continue after the first problem: if you now attempt to do another assignment, the Assign DIGIPASS wizard will list authenticators from all domains, not only from the originally selected one.

Affects: OneSpan Authentication Server 3.22–3.27

Status: This issue has been fixed.

Description: OneSpan User Websites can be configured to use additional, optional client components—for example, UWS MDL Provisioning—to allow different policies to be applied depending on the management operation. However, if you create and edit such client components in the Administration Web Interface, they incorrectly show a License tab, although they neither require nor allow licenses to be applied.

Affects: OneSpan Authentication Server 3.22–3.27

Status: This issue has been fixed. Optional client components for OneSpan User Websites no longer show a License tab. Furthermore, to simplify the configuration, you can now select them as pre-defined client components in the Client > Client Type list.

EMV-CAP is no longer supported. Its functionality and any references to EMV-CAP in the code base, UI, and documentation have been completely removed.

The Configuration Wizard does no longer allow to enter a custom storage data key or load such a key from a file during an initial setup (via the Custom Data Encryption page). If you want to specify a custom storage data key, you can still do so after the installation with the Administration Web Interface.

The PDF documentation has been completely removed from the OneSpan Authentication Server product deliverable. You can view the OneSpan Authentication Server user documentation exclusively online on the OneSpan documentation portal, available at https://docs.onespan.com/sec/docs/onespan-authentication-server.

Description: If you upgrade an existing deployment of OneSpan Authentication Server 3.27.3, the setup does not correctly detect the products that are already installed. For example, it does not detect whether an external DBMS, such as Oracle or Microsoft SQL Server, is used and indicates that installing/upgrading the embedded MariaDB database is required. It also does not detect whether the Web Administration Service package is already installed.

Affects: Upgrades from OneSpan Authentication Server 3.27.3 to 3.28 (on Windows)

Status: No fix available. To circumvent this non-critical issue, skip the upgrade of the embedded database if an external DBMS is used (do not click Embedded MariaDB 10.11.5 on the Select Components page). The setup will continue with the Configuration Wizard and complete the upgrade successfully. The Web Administration Service should be upgraded if installed.

Description: It is not possible to switch from one hardware security module (HSM) to another, for instance, from Thales ProtectServer 2 to Thales ProtectServer 3.

The Configuration Wizard does not provide an option to switch the hardware security module (HSM) and cannot configure the new HSM properly.

Status: No fix or workaround available.

Description: When you uninstall the embedded MariaDB database on Microsoft Windows 2016, the MariaDB setup leaves a registry subtree behind. Since the OneSpan Authentication Server Setup Utility uses that registry subtree to detect an existing MariaDB deployment, it will incorrectly indicate an external installation of MariaDB if you attempt to reinstall OneSpan Authentication Server afterward.

Affects: OneSpan Authentication Server 3.19 and later on Windows Server 2016

Status: No fix available. Delete the following registry subtree manually after you uninstalled the embedded MariaDB database:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MariaDB 10.6 (x64)]

Description: Chinese characters are not correctly displayed in XML and PDF reports.

Affects: OneSpan Authentication Server 3.12 and later

Status: This issue has been fixed for XML reports in OneSpan Authentication Server 3.21. The issue can still occur in PDF reports in case they contain characters that are not defined in the used PDF font. Workaround for PDF reports: Generate an HTML report and print it to PDF.

Description: The Assign DIGIPASS wizard allows you to assign authenticators to users. Although you can select multiple authenticators and multiple users, you can only assign exactly one authenticator to one user at a time. For instance, if you select two authenticators in the wizard, you need to specify two different user accounts, one user to assign each one authenticator.

Affects: OneSpan Authentication Server 3.21 and later

Status: No fix available. To assign additional authenticators to a user, you need to run the Assign DIGIPASS wizard again.

Description: The Assign DIGIPASS wizard allows you to explicitly select the authenticators to assign to multiple users (by selecting Search now to select DIGIPASS to assign in the Search DIGIPASS page). However, the Select DIGIPASS page may also show authenticators that are actually inaccessible to assign to the respective users, because they are in another domain than the users. If you select such an authenticator and continue, you will receive a "Failed to find available token for assignment." error.

This issue does not occur if you only select one user to assign an authenticator. In this case, the Select DIGIPASS page correctly shows only authenticators in the same domain as the user account.

Affects: OneSpan Authentication Server 3.21 and later

Status: No fix available. Ensure to explicitly select only authenticators that are in the same domain as the users you selected to assign an authenticator.

Description: When you open a text audit file in Audit Viewer, the application loads and processes the complete text audit file in batches that are continuously added to the audit message list. Each batch takes a while to process, but there is no indication whether loading the complete audit file has been finished yet.

If you deselect and select the Auto Scroll Down box, while the file is still being processed, you may receive a "No more new messages to display" error message.

Affects: OneSpan Authentication Server 3.22 and later

Status: No fix or workaround available.

Description: When integrating a hardware security module (HSM) with OneSpan Authentication Server, you will need to configure the HSM driver before you install OneSpan Authentication Server. On all Linux distributions using the UNIX System V operating system, the HSM driver must be configured for communication with OneSpan Authentication Server because the script created upon driver installation does not automatically start the system service.

Affects: OneSpan Authentication Server 3.6 and later

Status: No fix available. Workaround: replace the init.d file created during driver installation with the system.d file in the corresponding link. For more information, see OneSpan Authentication Server Installation Guide for Linux.

Description: When the Timeshift feature of Mobile Authenticator Studio is used, it causes the offline data to become invalid. The option to set a timeshift for Mobile Authenticator Studio authenticators is no longer supported. This feature is outdated and has become obsolete because mobile devices are now correctly synchronized with OneSpan Authentication Server at shorter intervals.

Affects: OneSpan Authentication Server 3.6 and later

Status: Do not use the Mobile Authenticator Studio Timeshift feature to avoid the offline data to become invalid.

Description: OneSpan Authentication Server allows for the configuration of two RADIUS authentication ports and two RADIUS accounting ports. By default, one authentication and one accounting port is specified, the second ports can only be edited in the configuration file of OneSpan Authentication Server , not directly in the Administration Web Interface.

Affects: OneSpan Authentication Server 3.5 and later

Status: If a second authentication and/or a second accounting port for the RADIUS Communicator will be used, the port specifications need to be edited in the identikeyconfig.xml file.

Description: Deployments of OneSpan Authentication Server with Thales ProtectServer HSM only support HSMs that run in Normal mode. If the HSM is run in High Availability or Workload Distribution mode, the installation of OneSpan Authentication Server fails.

Affects: OneSpan Authentication Server 3.6 and later

Status: The Thales ProtectServer HSM must be run in Normal mode, i.e. ET_PTKC_GENERAL_LIBRARY_MODE must be set to NORMAL.

Description: The OneSpan Authentication Server SNMP agent cannot store its persistent data (e.g. EngineBoots, EngineID), as the default persistent directory is not created by the installation script. By default, the SNMP agent stores its persistent data in the /var/net-snmp directory.

Affects: OneSpan Authentication Server on Ubuntu Server with the vasco-netsnmp package installed.

Status: A /var/net-snmp directory must be created and the vasco-ias user must have write access to this directory. If this directory does not exist and/or the vasco-ias user does not have write access to it, the EngineID and related information used by the OneSpan Authentication Server SNMP agent will not be persistent. This may result in issues on the machine that receives SNMP TRAPv3 traps from OneSpan Authentication Server.

Description: When trying to configure email delivery with SSL/TLS using a self-signed certificate created using Microsoft Internet Information Services (IIS) and converted to PEM format using OpenSSL, MDC cannot recognize a valid self-signed certificate and displays an error message. This is caused by the OpenSSL library. In some circumstances, the OpenSSL application itself may display an "Unable to get local issuer certificate (20)" error message.

Affects: All platforms.

Status: No fix available. This is a compatibility issue between OpenSSL and Microsoft IIS. Do not use self-signed certificates generated using Microsoft IIS.

Description: A Windows installation will fail if the TEMP environmental variable is undefined or empty.

Affects: All Windows platforms.

Status: No fix available.