6
Configuring and Using the Identix Biometric Authentication Adapter

This chapter contains information on how to configure Oracle for use with the Identix Biometric Authentication Adapter. The following topics are discussed:

6.1 Overview

The Oracle Biometric Authentication Service uses the Identix Biometric Authentication Adapter to provide tamper-proof biometric authentication of users using secret-key MD5 hashing, centralized management of biometrically identified users, and centralized management of those database servers that authenticate biometrically identified users.

Following is an overview of how the Oracle Biometric Authentication Service works in a client-server environment. Refer to Figure 6-1, "Typical Oracle Biometric Authentication Service Configuration" for an illustration of the components and the configuration of the Oracle Biometric Authentication Service.

The fingerprint repository has one administrator who is responsible for enrolling multiple users' fingerprints and defining the DEFAULT policy that will be in force for all databases that subscribe to the fingerprint server for authentication.
The Fingerprint Security Service Administrator uses a desktop fingerprint scanner to read user fingerprints and sends them with measured accuracies to the Oracle Biometric Authentication Service which stores them in the fingerprint repository: an Oracle database. The measured accuracy of a fingerprint is an estimate of how reliable a comparison can be made between the stored fingerprint and the user's fingerprint that is entered later for authentication. The enrollment quality is expressed as a percent score between 0 and 100. For example, a user may have an enrollment quality of 72%.
The Fingerprint Security Service Administrator also defines one security policy named DEFAULT for all of the database servers that accept biometrically identified users. The security policy is enforced for all clients serviced by that database server. It contains a secret key and three types of threshold levels for fingerprints: verification, false finger, and high security.
At the client, before any authentication can occur, the Fingerprint Security Service Administrator stores the secret key in the fingerprint sensor for each client. The secret key stored in the fingerprint sensor will be compared against the secret key stored in the security policy.
At the client, in response to the user's request for authentication, the database server enforces on the client the set of values that it obtains from the DEFAULT security policy in its fingerprint server. The three threshold levels (values) are:
- verification threshold
- false finger threshold
- high security threshold
Please refer to the Identix documentation for detailed information on these threshold levels.
At the client, the Oracle Biometric Authentication Service fulfills the request for authentication by "reading" the user's fingerprint, the three threshold values, and the secret key from the sensor and creating a hash from them. This hash is then compared with the hash constructed from the repository's copy of the secret key, threshold, and stored fingerprint in order to determine whether this user may access the system.
Figure 6-1 Typical Oracle Biometric Authentication Service Configuration

6.2 Architecture of the Biometric Authentication Service

The Oracle Biometric Authentication Service consists of the following Oracle modules:

The Oracle Biometric Manager, which the administrator uses to enter the security policy and fingerprints, is an Oracle Enterprise Manager Database tool based on and delivered with the Oracle Enterprise Manager. In the remainder of this document, the Oracle Biometric Manager will also be referred to as the manager.
The Oracle Biometric Authentication Server (fingerprint repository), which stores the security policies and fingerprints, is a specially configured version of a production Oracle Database Server. In the remainder of this document, the Oracle Biometric Authentication Server will also be referred to as the authentication server.
The Oracle Advanced Networking Option Identix Authentication Adapters are used on both the clients and the database servers to communicate biometric authentication data between the authentication server and the clients in order to authenticate a database user. In the remainder of this document, the Oracle Advanced Networking Option Identix Authentication Adapter will also be referred to as the adapter.

Both the manager and the client-side adapter interface with Identix products: TouchNet II Software Libraries, the TouchNet II Hardware Interface, and the TouchNet II Desktop Sensor. Please refer to "Related Publications" in the Preface of this manual for a list of Identix documentation that describe these Identix products.

6.2.1 Administration Architecture

The Fingerprint Security Server Administrators use the manager to scan user fingerprints, measure the accuracy of the fingerprints, and establish security policies for database servers. The manager sends this information to the authentication server which stores the data in the repository.

The administrator, or someone who can be trusted, uses the Identix TouchNet II Software to store the secret key in the client PC. This key must match the key stored in the DEFAULT security policy before authentication can occur.

6.2.2 Authentication Architecture

Each user who wants to use the system must place a fingerprint on a TouchNet II Desktop Sensor. The client-side adapter sends an authentication request to the server-side adapter which uses the previously enrolled fingerprint stored in the authentication server for comparison. For each authentication request from a client, the authentication server retrieves and sends the user's fingerprint and the database server's security policy back to the client-side adapter via the server-side adapter.

The user's authentication request causes the Oracle Advanced Networking Option Identix Authentication Adapter (client-side) to send the request to the Biometric Authentication Adapter (server-side), which looks up the user's fingerprint in the Authentication Server, which returns the stored fingerprint and the associated security policy.

Using threshold level values from the associated security policy, the adapter (client-side) uses the TouchNet II Software Libraries to set threshold values on the TouchNet II Desktop Sensor. It then prompts for the placing of the user's finger on the TouchNet II Desktop Sensor. The adapters on the client and the database server work together to compare the user's fingerprint, the secret key, and the threshold levels against the administrator-entered security policy stored in the authentication server repository. If this data matches, the user is then authenticated.

6.3 Prerequisites

The Windows NT machine that is to become the manager PC must be running the Oracle Enterprise Manager 1.3.5 or above.
Each Windows NT or Windows 95 machine that is to become a client PC must be running Net8.
The authentication server and each database server must be running Oracle8 Server Version 8.0.3 or higher.
Before proceeding with the installation of the Oracle Advanced Networking Option, you must make sure that each Windows NT and Windows 95 client has Net8 connectivity with its associated database server.

6.3.1 Oracle Biometric Manager PC

The Oracle Biometric Manager installation process automatically installs the necessary TouchNet II software and automatically configures the device if requested. On the manager PC:

Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices. See the Identix Readme file for additional information.
Install and test the Identix TouchNet II (Encrypt) 1.5 from the Oracle Enterprise Manager disk. Please see your platform-specific installation documentation. Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. This demonstration program must work on the PC before any other Oracle products can be loaded onto the PC. Refer to the Identix Readme file for additional information.
Install the Oracle Biometric Manager on top of the Oracle Enterprise Manager.

6.3.2 Client PC

On each client PC:

Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices. Refer to the Identix Readme file for additional information.
Install and test the Identix TouchNet II (Encrypt) 1.4 from the Oracle Enterprise Manager disk. Please see your platform-specific installation documentation. Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. This demonstration program must work on the PC before any other Oracle products can be loaded onto the PC.
Install the Oracle Advanced Networking Option Identix Authentication Adapter following the instructions in your platform-specific documentation. Refer also to the Identix Readme file.

6.3.3 Database Server

The Biometric authentication adapter must be installed on each production database that will use Biometric services for its authentication. Install the Biometric authentication adapter following the instructions in your platform-specific documentation. Do not install the adapter on the database housing the Biometric Authentication Service unless you want to have the Biometric Service Administrator authenticate using the adapter. Refer also to the Identix Readme file.

6.3.4 Biometric Authentication Service

The Biometric Authentication Service is the database that houses both the user and fingerprint information. This database can be any Oracle 8.0.3 or later production database. It should be on a secure, trusted system with strict security and access controls. The adapter should not be installed on this database.

6.4 Configuring the Biometric Authentication Service

Configure the Oracle Biometric Authentication Service by following these instructions:

Configure the database server that is to become the authentication server:
1. Connect to the database server as SYSTEM/MANAGER (or whatever your system password is).
2. Copy the naui...sql scripts from your Oracle Enterprise Manager install to the authentication server.
3. Test the connection by connecting as:
```
			ofm_admin/ofm_admin
```



In the database server's local profile (SQLNET.ORA), set the following parameters:

	sqlnet.identix_fingerprint_database= service_name

	sqlnet.identix_fingerprint_database_user= username

	sqlnet.identix_fingerprint_database_password= password

	sqlnet.identix_fingerprint_method= oracle

	sqlnet.authentication_services= (identix)





where




service_name is the name of your authentication server

username is the well-known username: ofm_client

password is the well-known password: ofm_client





Note:



The samples directory contains a file that show how to set these parameters.

  





Note:



The ofm_client username and password are set up by running NAUICAT.SQL. You should not change ofm_client.

  














In the database server's local initialization file (INIT.ORA), set the following parameters:

remote_os_authent = false
os_authent_prefix = ""





Note:



The local naming configuration file (TNSNAMES.ORA) on the database server should contain the service name of the fingerprint repository. If they are on the same database, use the following with the service name:


(security=(authentication_service=none))

Establish a service name and connect descriptor for the fingerprint repository server in the database server's local naming configuration file. The service name must be the same as that used in the local profile. Use the Oracle Net8 Assistant or the Service Names Wizard to construct this parameter.

service_name =(DESCRIPTION = 

                (ADDRESS_LIST =

                    (ADDRESS = 

                        . . .

Configure the adapter (client-side):

Verify that the address of the database server is accessible to the client, either through a local naming configuration file or a naming service. For more information, refer to the Oracle Net8 Administrator's Guide.
Modify the client's local profile, by adding identix to the list of authentication services:
```
			sqlnet.authentication_services = (identix)
```

Configure the manager PC by setting the local naming configuration file (TNSNAMES.ORA) to connect to the authentication server. Please refer to the Oracle Net8 Administrator's Guide .

6.5 Configuring the Oracle Biometric Authentication Service using the Oracle Net8 Assistant

The following steps show you how to use the Net8 Assistant to configure the
IDENTIX authentication adapter. Refer also to the Net8 Assistant online HELP
system for instructions on how to configure the SECURID Authentication adapter.

Configure Clients, and Servers, to use encryption as follows. Refer to Figure 6-2, "Oracle Net8 Assistant Profile Folder Encryption Tab".

Click the Profile folder.
Select Advanced Networking Options from the drop-down list box.
Click the Encryption tab.
Click the Encryption drop-down list box, and click CLIENT or SERVER.
Click the Encryption Type drop-down list box, and click one of the following values: requested, required, accepted, rejected.
Type between 10 and 70 random characters for the Encryption Seed.
Move services to and from the Available Services and Selected Services lists by selecting a service and clicking the arrow keys.
Figure 6-2 Oracle Net8 Assistant Profile Folder Encryption Tab

Next, you must configure an authentication service on your network. Refer to Figure 6-3, "Oracle Net8 Assistant Profile Folder Authentication Tab".

Click the Profile folder.
Click the Authentication tab.
Click to select the authentication service you want from the Available Services list.
Click the [<] button to move the service over to the Selected Services list.
Repeat steps 4 and 5, above, until you have selected all of your required authentication services.
Arrange the selected services in order of desired use. Click on a service to select it, then click [Promote] or [Demote] to arrange the services in the list. For example, put IDENTIX at the top of the list if you want that service to be the first one used.
Figure 6-3 Oracle Net8 Assistant Profile Folder Authentication Tab

You now must configure the authentication parameters. Refer to Figure , "".

Click the Profile folder.
Click the Parameter tab.
Click the Authentication Service drop-down list box, and select IDENTIX.
Type the name of the fingerprint server you want to use.

Figure 6-4 Oracle Net8 Assistant Profile Folder Parameter Tab

6.6 Administering the Oracle Biometric Authentication Service

Add a security policy called "DEFAULT" to the manager using the Biometric Manager on the Oracle Enterprise Manager. Refer to Oracle Biometric Manager online Help for task oriented procedures.

6.6.1 Create a Hashkey on each of the Clients

Use the Identix Setkey utility to configure a hexadecimal hashkey on each of the clients: e.g., FF30EE. This key must be the same for each client and must match the DEFAULT Policy hashkey. This key can range from 1 to 32 hexadecimal digits.

6.6.2 Create Users for the Biometric Authentication Adapter

To create a user for the adapter, execute the following steps:

On the client use the Windows NT User Manager to create a username. (This username must match the username used in the next step.)
On the database server, restart the database and create an Oracle Server account for the user. Use SVRMGRL if using the Oracle Enterprise Manager or Server Manager connected as a user with the create user database role. Use the following syntax to create an account:
```
	SVRMGRL> connect system/manager
	SVRMGRL> create user os_authent_prefix username identified externally;
```

The os_authent_prefix is an Oracle Server initialization parameter. The default value for os_authent_prefix is OPS$. The username in this step should match the username created at the client. If you reset os_authent_prefix, you must stop and restart your database.

Note:

Oracle user names are limited to 30 characters and user names can be long, so it is strongly recommended that os_authent_prefix be set to a null value:

os_authent_prefix=""

Note:

An Oracle user with username should not yet exist.

Example: If you create the user "king," and set os_authent_prefix to a null value (""), you should create an Oracle user account using the following syntax:
```
	SQLDBA> create user king identified externally;
```
At the minimum, you should give the user the "create session" privilege:
```
	SQLDBA> grant create session to king;
```
Use the manager to enroll the user in the Oracle Biometric Authentication Service.
The user "king" can now be biometrically authenticated to Oracle.

For information on how to log on to a database server once the adapter has been installed and configured, see Section 6.7, "Authenticating Users With the Oracle Biometric Authentication Service". Store the secret key in the client according to the directions in the Identix documentation.

6.7 Authenticating Users With the Oracle Biometric Authentication Service

To authenticate a user, first make sure that the Biometric Authentication Service has been installed and configured and the steps in Section 6.6, "Administering the Oracle Biometric Authentication Service" have been executed.

The user should follow these instructions:

Log on as the username assigned by the database administrator.
Set the System Environment Variable. The following variable is based on the 10 port setting on your TouchNet II firmware.
```
	ETSII_IOPORT = 0X280
```
Double click Svrmgr 2.3. (Authentication is not limited to Svrmgr, but may be implemented through other front ends.)
Type the name of your database server when Svrmgr displays the prompt:
```
	Svrmgr>connect /@service_name
```
where, service_name is the name of the database server.
Wait for the beep that announces the SQL*Net Native Authentication dialog box.

Note:

On some systems the dialog box is displayed behind the current window. The beep alerts you when it is displayed.
Click OK in the SQL*Net Native Authentication dialog box.
When a message appears telling you to place your finger on the desktop fingerprint sensor, use the same finger as you and the administrator entered into the authentication server repository.
Remove your finger at the prompt. Another prompt tells you whether you've been authenticated or not.

If the authentication fails, and the message, "Access Denied," appears, try one of the following recovery methods:

Restart the authentication process. See Section 6.7, "Authenticating Users With the Oracle Biometric Authentication Service".
Have the security administrator lower the threshold value to 80.
Have the security administrator reenroll you. Refer to Oracle Biometric Manager online Help for task oriented procedures.

6.8 Using the Biometric Manager

The Oracle Biometric Authentication Service is administered using the Biometric Manager which is based on the Oracle Enterprise Manager. It provides a graphical user interface (GUI) which enables the administrator to:

log on to the Fingerprint Authentication Server
browse the Oracle Biometric Authentication Service data for current users and security policies
enroll/delete a user to/from the database
create/modify a user's fingerprint
add/delete the default security policy to/from the database

Refer to Oracle Biometric Manager online Help for task oriented procedures.

Note:

Once the Biometric Manager has been installed, the first action taken must be that of adding a security policy called "DEFAULT" to the database.

6.8.1 Logging On

Figure 6-5, "Login Information Window", appears after you click on the Oracle Biometric Manager icon in the Oracle Enterprise Manager window.

Figure 6-5 Login Information Window

Type, or select, the following information to log on to the Oracle Biometric Manager.
- username
- password
- service_name
  where service_name is the name of the authentication server
- Connect As
  leave this field blank
Click [OK] to continue, click [Cancel] to return to the Oracle Enterprise Manager, or click [Help] for Oracle Enterprise Manager help.
Figure 6-6, "Indentix User Registration Window", appears after you click [OK].
Figure 6-6 Indentix User Registration Window

6.8.2 Displaying Oracle Biometric Authentication Service Data

The Oracle Enterprise Manager displays the Oracle Biometric Authentication Service database schema in two windows: the Object Tree window and the Properties window.

6.8.2.1 The Object Tree Window

The object tree window is located on the left side of the screen. It displays the Oracle Biometric Authentication Service database schema in a tree-like structure. This tree-like structure is composed of a series of folders that contain objects. These objects, in turn, may also contain folders that contain additional objects. See Figure 6-7, "Identix User Registration Window with Expanded Object Tree".

Figure 6-7 Identix User Registration Window with Expanded Object Tree

Double-click the identix_scan folder to expand the object tree. Two folders will appear under the Identix_scan folder: Users and Security Policies. You can expand or contract the object tree or any of its folders by clicking the [+] or [-] boxes, respectively.

6.8.2.2 The Properties Window

The Properties window is located on the right side of the screen. It initially displays a graphic along with application and user information. The contents of this window will change depending on what you select on the object tree. The Properties window can display summary or detail information on a folder's contents when you click on a folder in the Object Tree window. See Figure 6-8, "Properties Window with Summary Information", or Figure 6-9, "Properties Window with Detail Information".

Figure 6-8 Properties Window with Summary Information

6.8.2.2.1 Sorting Summary Data in the Properties Window

The Properties window with summary information contains a list of items that can be sorted by clicking on each column heading. For example:

Click User Names to sort the items alphabetically by name
Click Enrolled ? to sort the items alphabetically by Yes/No
Click Enrollment Accuracy (fingerprint accuracy) to sort the items numerically by number
Figure 6-9 Properties Window with Detail Information

6.9 Troubleshooting

Check the following if you encounter any problems while installing or using the Biometric Authentication Adapter.

Ensure that the Identix Set Key utility hash key exactly matches the Biometric manager DEFAULT Policy hash key.
The NT user name must exactly match the externally defined user name in the database server and the user name used when adding the user with the Biometric Manager.

Domain naming must be consistent. For example, if the local naming configuration (TNSNAMES.ORA) uses .world as an appendix to the service name, then the profile (SQLNET.ORA) must reflect this naming convention for the service name. For example:

TNSNAMES.ORA
biometrics.world = (DESCRIPTION =
                    (ADDRESS_LIST =
                     (ADDRESS =
                       ...
SQLNET.ORA
sqlnet.identix_fingerprint_database=biometrics.world

It is possible to use one database for both the biometric authentication service and the production database; however, this is not recommended. If you do this, add the following line of code to the local naming configuration fiel (TNSNAMES.ORA) on the server and on each PC client.
```
(security = (Authentication_service = NONE))
```

6Configuring and Using the Identix Biometric Authentication Adapter