Oracle Advanced Security Administrator's Guide
Release 8.1.6

A76932-01


8 Configuring Identix Biometric Authentication

This chapter contains information on how to configure Oracle for use with Identix biometric authentication. It covers the following topics:

    • Overview

    • Architecture of the Biometric Authentication Service

    • Prerequisites

    • Enabling Biometric Authentication

    • Administering the Biometric Authentication Service

    • Authenticating Users with a Biometric Authentication Service

    • Troubleshooting

Overview

The Biometric Authentication Service uses Identix Biometric Authentication to provide tamper-proof biometric authentication of users using secret-key MD5 hashing, centralized management of biometrically identified users, and centralized management of those database servers that authenticate biometrically identified users.

This section describes how the Biometric Authentication Service works in a client-server environment.

Figure 8-1 shows the components and the configuration of the Biometric Authentication Service.

Figure 8-1 Typical Biometric Authentication Service Configuration


The Fingerprint Repository has one administrator who is responsible for enrolling multiple users' fingerprint templates and defining the DEFAULT policy that is in force for all databases that subscribe to the fingerprint server for authentication.

The Fingerprint Security Service Administrator uses a desktop fingerprint scanner to read user fingerprints, convert them into fingerprint templates, and send them with measured accuracies to the Biometric Authentication Service. The Biometric Authentication Service stores the fingerprint templates in the Fingerprint Repository, an Oracle database. The measured accuracy of a fingerprint is an estimate of how reliable a comparison can be made between the stored fingerprint template and the user's fingerprint that is scanned later for authentication. The enrollment quality is expressed as a percent score between 0 and 100. For example, a user may have an enrollment quality of 72 percent.

Architecture of the Biometric Authentication Service

The Biometric Authentication Service consists of the following modules:

    • the Biometric Manager, used by the Fingerprint Security Service Administrator

    • the client-side Oracle Advanced Security Identix authentication adapter

    • the server-side biometric authentication adapter on each database server

    • the authentication server and its Fingerprint Repository

Both the manager and the client-side adapter interface with Identix products: TouchSafe II Software Libraries, TouchSafe II Hardware Interface, TouchSafe II Desktop Sensor, TouchSafe III software libraries, and TouchSafe III desktop sensor.

More Information:

For a list of Identix documentation that describes these Identix products, see "Related Publications" in the Preface. 

Administration Architecture

The Fingerprint Security Server Administrators use the manager to scan user fingerprints, measure the accuracy of the fingerprints, and establish security policies for database servers. The manager sends this information to the authentication server, which stores the data in the repository.

The administrator, or someone who can be trusted, uses the Identix TouchSafe II or TouchSafe III software to store the secret key on the TouchSafe II or TouchSafe III device. This key must match the key stored in the DEFAULT security policy before authentication can occur.

Authentication Architecture

Each user who wants to use the system must place a fingerprint on a TouchSafe II or TouchSafe III Desktop Sensor. The client-side adapter sends an authentication request to the server-side adapter, which uses the previously enrolled fingerprint stored in the authentication server for comparison. For each authentication request from a client, the authentication server retrieves the user's fingerprint and the database server's security policy and sends them back to the client-side adapter via the server-side adapter.

In other words, the user's authentication request causes the client-side Oracle Advanced Security Identix authentication adapter to send the request to the server-side biometric authentication adapter. The server-side adapter looks up the user's fingerprint in the authentication server, which returns the stored fingerprint and the associated security policy.

Using the threshold level values from the associated security policy, the client-side adapter uses the TouchSafe II Software Libraries to set threshold values on the TouchSafe II Desktop Sensor. It then prompts the user to place a finger on the TouchSafe II Desktop Sensor. The adapters on the client and the database server work together to compare the user's fingerprint, the secret key, and the threshold levels against the administrator-entered security policy stored in the authentication server repository. If this data matches, the user is authenticated.

Prerequisites

Installing the TouchSafe II Encrypt Device Driver for Windows NT

The Biometric Manager installation process automatically installs the necessary TouchSafe II software and automatically configures the device if requested.

If, during the installation of the Biometric Manager, you chose not to allow the installer to set up your Identix TouchSafe II Device Driver, you can configure it manually as follows.

  1. Change directory to ORACLE_HOME\identix.

    • If you are using the default IO port number 280 and the default Windows NT directory, go to Step 4.

    • If you are not using the default IO port number 280, go to Step 2.

    • If you are not using the default Windows NT directory c:\winnt35\system32\drivers, go to Step 3.

  2. Modify the IoPortAddress parameter in etsiint.ini to the current TouchSafe II Encrypt I/O port setting. For example, for I/O port 0x360:

    IoPortAddress = REG_DWORD 0x00000360

  3. Modify the Windows NT directory setting in etsiint.bat with the Windows NT directory. For example, change

    copy etsiint.sys c:\winnt\system32\drivers

    to

    copy etsiint.sys path\drivers

    where path is your Windows NT directory.

  4. Run the batch file etsiint.bat.

  5. Use the SetKey utility in the Identix demo program to set a hash key in Hex. Set the key to 7GF87SRG for example (do not use this value). Ensure that the hash key matches exactly the one set in the DEFAULT Security policy.

  6. Reboot the system, and the device driver will start to work.

  7. To make sure the device driver is running, check the Devices Control Panel after the reboot. The device ETSIINT should already be started.

Biometric Manager PC

Perform the following steps on the manager PC:

  1. Install Oracle Enterprise Manager on both the Oracle server and the Oracle client.

  2. Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices.

    More Information:

    See the Identix Readme file. 

  3. Install and test the Identix TouchSafe II (Encrypt) 2.0 or TouchSafe III.

    More Information:

    See "Installing the TouchSafe II Encrypt Device Driver for Windows NT" in this chapter and the platform-specific installation documentation. 

    Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. The demonstration program must work on the PC before any other Oracle products can be loaded onto the PC. See the Identix Readme file for additional information.

Client PC

Perform the following steps on each client PC:

  1. Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices. See the Identix Readme file for additional information.

  2. Install and test the Identix TouchSafe II (Encrypt) 2.0 or TouchSafe III. Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. The demonstration program must work on the PC before any other Oracle products can be loaded onto the PC.

    More Information:

    See "Installing the TouchSafe II Encrypt Device Driver for Windows NT" in this chapter and the platform-specific installation documentation. 

  3. Install the Oracle Advanced Security Identix authentication adapter.

    More Information:

    See the platform-specific documentation. See also the Identix Readme file. 

Database Server

The biometric authentication adapter must be installed on each database that uses biometric services for its authentication. Install the biometric authentication adapter following the instructions in the platform-specific documentation.


Note:

Do not install the adapter on the database storing the fingerprint repository. 


Biometric Authentication Service

The Biometric Authentication Service is the database that stores both the user and fingerprint information. The database can be any Oracle 8.0.3 or later production database. It should be on a secure, trusted system with strict security and access controls. The Identix adapter should not be installed on this database.

Enabling Biometric Authentication

To configure the Biometric Authentication Service, perform the following tasks.

Task 1: Configure the Database Server that is to become the Authentication Server

Perform the following steps to configure the database server:

  1. Connect to the database server as SYSTEM/MANAGER (or whatever your system password is).

  2. Test the connection by connecting as:

    ofm_admin/ofm_admin
    

Task 2: Configure Identix Authentication

Perform the following tasks to configure Identix authentication:

Unless otherwise indicated, you can configure Identix authentication either by using the Net8 Assistant, or by modifying the sqlnet.ora file with any text editor.

Configure an Authentication Method and Fingerprint Server on the Client and Server

  1. Start Net8 Assistant:

    • On UNIX, run netasst from $ORACLE_HOME/bin.

    • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

  2. In the navigator's pane, expand Local > Profile.

  3. From the list in the right pane, select Oracle Advanced Security.

    The Oracle Advanced Security tabbed pages appear.

  4. Click the Authentication tab.


  5. From the Available Methods list, select IDENTIX.

  6. Move IDENTIX to the Selected Methods list by clicking the right-arrow button [>].

  7. Arrange the selected methods in order of use. To do this, select a method in the Selected Methods list, then click Promote or Demote to position it in the list. For example, if you want IDENTIX to be the first service used, put it at the top of the list.

  8. Click the Other Params tab.


  9. From the Authentication Service list, select IDENTIX.

  10. In the Fingerprint Server Name box, enter the name of the fingerprint server you want to use.

  11. Choose File > Save Network Configuration.

    The sqlnet.ora file updates with the following entries:

    SQLNET.AUTHENTICATION_SERVICES=(IDENTIX)
    SQLNET.IDENTIX_FINGERPRINT_DATABASE=SERVICE_NAME
    

Configure the User Name, Password, and Fingerprint Method

Use a text editor to set the following parameters in the sqlnet.ora file:

sqlnet.identix_fingerprint_database_user=ofm_client
sqlnet.identix_fingerprint_database_password=password
sqlnet.identix_fingerprint_method=oracle

where the user name is the well-known user name ofm_client, and password is the well-known password ofm_client.


Note:

The samples directory contains a file that shows how to set these parameters. 



Note:

The ofm_client user name and password are set up by running nauicat.sql. You should not change ofm_client. 


Configure the Initialization Parameter File

Add the following parameters to the initialization parameters file:

REMOTE_OS_AUTHENT = false
OS_AUTHENT_PREFIX = ""


Note:

The local naming configuration file (tnsnames.ora) on the database server should contain the service name of the fingerprint repository. If the database server and the fingerprint repository are the same database, add the following to that service name's entry:

(security=(authentication_service=none))
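The sqlnet.ora entries and the two initialization parameters above are easy to get subtly wrong (IDENTIX left out of the authentication service list, REMOTE_OS_AUTHENT still true, a non-null OS_AUTHENT_PREFIX). The following Python script is an added example and is not part of the Oracle guide or the Identix software: it parses the two files and reports the settings this chapter requires. The sample file contents, including the fingerprint database name fprepo, are constructed for the example.

```python
"""Pre-flight check for the Identix-related Oracle network settings.

Added example (not from the Oracle guide): parses sqlnet.ora and the
initialization parameter file and reports the settings this chapter
requires.  Sample file contents below are constructed for the example.
"""

# Constructed sample sqlnet.ora, as it would look after the Net8 Assistant
# steps plus the three hand-edited parameters (fprepo is a made-up name).
SAMPLE_SQLNET_ORA = """
# sqlnet.ora (constructed sample)
SQLNET.AUTHENTICATION_SERVICES=(IDENTIX)
SQLNET.IDENTIX_FINGERPRINT_DATABASE=fprepo
sqlnet.identix_fingerprint_database_user=ofm_client
sqlnet.identix_fingerprint_database_password=ofm_client
sqlnet.identix_fingerprint_method=oracle
"""

# Constructed sample of the two initialization parameters the chapter adds.
SAMPLE_INIT_ORA = """
# init.ora fragment (constructed sample)
REMOTE_OS_AUTHENT = false
OS_AUTHENT_PREFIX = ""
"""


def parse_params(text):
    """Parse KEY=VALUE lines into a dict keyed by upper-cased parameter name.
    '#' starts a comment, as in sqlnet.ora; values are kept verbatim."""
    params = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or '=' not in line:
            continue
        key, value = line.split('=', 1)
        params[key.strip().upper()] = value.strip()
    return params


def value_list(value):
    """Turn '(A, B)' or 'A' into ['A', 'B'], upper-cased."""
    inner = value.strip()
    if inner.startswith('(') and inner.endswith(')'):
        inner = inner[1:-1]
    return [v.strip().upper() for v in inner.split(',') if v.strip()]


def unquote(value):
    """Strip one pair of surrounding double or single quotes."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in '"\'':
        return v[1:-1]
    return v


def check_identix_config(sqlnet_text, init_text):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    sqlnet = parse_params(sqlnet_text)
    init = parse_params(init_text)

    services = value_list(sqlnet.get('SQLNET.AUTHENTICATION_SERVICES', ''))
    if 'IDENTIX' not in services:
        problems.append('IDENTIX is not listed in SQLNET.AUTHENTICATION_SERVICES')

    for key in ('SQLNET.IDENTIX_FINGERPRINT_DATABASE',
                'SQLNET.IDENTIX_FINGERPRINT_DATABASE_USER',
                'SQLNET.IDENTIX_FINGERPRINT_DATABASE_PASSWORD'):
        if not sqlnet.get(key):
            problems.append('%s is missing or empty' % key)

    if sqlnet.get('SQLNET.IDENTIX_FINGERPRINT_DATABASE_USER', '').lower() != 'ofm_client':
        problems.append('fingerprint database user must be the well-known ofm_client')

    if sqlnet.get('SQLNET.IDENTIX_FINGERPRINT_METHOD', '').lower() != 'oracle':
        problems.append('SQLNET.IDENTIX_FINGERPRINT_METHOD must be oracle')

    if init.get('REMOTE_OS_AUTHENT', '').lower() != 'false':
        problems.append('REMOTE_OS_AUTHENT must be set to false')

    if 'OS_AUTHENT_PREFIX' not in init:
        problems.append('OS_AUTHENT_PREFIX is not set')
    elif unquote(init['OS_AUTHENT_PREFIX']) != '':
        problems.append('OS_AUTHENT_PREFIX is %r; the chapter recommends a null value'
                        % unquote(init['OS_AUTHENT_PREFIX']))
    return problems


if __name__ == '__main__':
    for problem in check_identix_config(SAMPLE_SQLNET_ORA, SAMPLE_INIT_ORA) or ['all checks passed']:
        print(problem)
```

Run it against copies of the real files by reading them into the two arguments; a missing REMOTE_OS_AUTHENT is reported as a problem on purpose, because the chapter asks for it to be set explicitly rather than left at its default.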
 

Configure the oracle.ini File

Set the USERNAME parameter in the Oracle section of the oracle.ini file. This parameter sets the name of the database user with which the client connects to the database.

Task 3: Establish a Net Service Name for the Fingerprint Repository Server

Establish a net service name for the fingerprint repository server.

More Information:

See the Net8 Administrator's Guide for information on net service names. 

Task 4: Verify that the Address of the Database Server is Accessible to the Client

Verify that the address of the database server is accessible to the client.

More Information:

See the Net8 Administrator's Guide for information on verifying the address of the database server. 

Task 5: Configure the Biometric Manager PC

Configure the manager PC with a net service name to connect to the authentication server.

More Information:

See the Net8 Administrator's Guide for information on net service name configuration. 

Administering the Biometric Authentication Service

Perform the following tasks to administer the Biometric Authentication Service using the Biometric Manager.

More Information:

See the Identix documentation. 

Create a Hashkey on Each of the Clients:

Use the Identix Setkey utility to configure a hexadecimal hashkey on each of the clients, such as FF30EE. The key must be the same for each client and must match the DEFAULT Policy hashkey. This key can range from one to thirty-two hexadecimal digits.
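Because every client's hash key has to be identical and has to match the DEFAULT policy, it is worth checking the values before committing them with SetKey. The following Python script is an added example and is not part of the Oracle guide or the Identix tools: it applies the constraint stated above (one to thirty-two hexadecimal digits) and compares the key planned for each client against the DEFAULT policy key. The policy key and the client host names and keys below are constructed for the example.

```python
"""Consistency checks for the Identix TouchSafe hash key.

Added example, not part of the Oracle guide or the Identix SetKey utility.
Applies the rule from the chapter (1 to 32 hexadecimal digits) and checks
that every client's key matches the DEFAULT policy key.  All key values and
host names in this file are constructed.
"""
import re

HEX_KEY = re.compile(r'^[0-9A-Fa-f]{1,32}$')   # 1..32 hex digits


def validate_hash_key(key):
    """Return None if the key is acceptable, otherwise a reason string."""
    if not key:
        return 'key is empty'
    if len(key) > 32:
        return 'key is %d digits long; the maximum is 32' % len(key)
    if not HEX_KEY.match(key):
        bad = sorted(set(c for c in key if c not in '0123456789abcdefABCDEF'))
        return 'key contains non-hexadecimal characters: %s' % ''.join(bad)
    return None


def normalize(key):
    """Hexadecimal digits are case-insensitive, so compare keys in upper case."""
    return key.upper()


def check_client_keys(policy_key, client_keys):
    """policy_key: the DEFAULT policy hash key.
    client_keys: mapping of client host name -> key configured on that client.
    Returns a list of (where, problem) pairs; an empty list means consistent."""
    findings = []
    reason = validate_hash_key(policy_key)
    if reason:
        findings.append(('DEFAULT policy', reason))
    for client, key in sorted(client_keys.items()):
        reason = validate_hash_key(key)
        if reason:
            findings.append((client, reason))
        elif normalize(key) != normalize(policy_key):
            findings.append((client, 'key does not match the DEFAULT policy key'))
    return findings


# Constructed sample: three client PCs, one of which was keyed with a typo.
SAMPLE_POLICY_KEY = 'FF30EE'
SAMPLE_CLIENT_KEYS = {
    'client-pc-1': 'FF30EE',
    'client-pc-2': 'ff30ee',   # same key, typed in lower case
    'client-pc-3': 'FF30EF',   # last digit differs: will not match the policy
}

if __name__ == '__main__':
    for where, problem in check_client_keys(SAMPLE_POLICY_KEY, SAMPLE_CLIENT_KEYS) or [('all clients', 'consistent')]:
        print('%s: %s' % (where, problem))
```

The script treats the key only as a string; it does not talk to the device. Its purpose is to catch the two failure modes the chapter warns about (a key that SetKey will reject, and a client whose key silently differs from the DEFAULT policy) before the device is keyed.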

Create a User for Biometric Authentication:

  1. Use the Windows NT User Manager to create a user name on the client.

    The user name must match the name used in the next step.

  2. On the database server, restart the database and create an Oracle server account for the user. Use Oracle Enterprise Manager or SQL*Plus, connected as a user with the CREATE USER database privilege.

    Enter the following to create an account:

    SQL> CONNECT system/manager
    SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY;
    SQL> GRANT CREATE SESSION TO username;
    
    where os_authent_prefix is the value of the OS_AUTHENT_PREFIX initialization parameter and username is the user name created in Step 1.

  3. OS_AUTHENT_PREFIX is an Oracle server initialization parameter. The default value for OS_AUTHENT_PREFIX is OPS$. The user name in this step should match the user name created at the client. If you reset the OS_AUTHENT_PREFIX parameter, you must stop and restart the database.


    Note:

    Oracle user names are limited to 30 characters, and operating system user names can be long, so Oracle Corporation strongly recommends that OS_AUTHENT_PREFIX be set to a null value as follows:

    OS_AUTHENT_PREFIX="" 



    Note:

    An Oracle user with this user name should not yet exist. 


    For example, if you create the user king, and set OS_AUTHENT_PREFIX to a null value (""), use SQL*Plus to create an Oracle user account using the following syntax:

    SQL> CREATE USER king IDENTIFIED EXTERNALLY;
    
    

    At the minimum, grant the user the CREATE SESSION privilege as follows:

    SQL> GRANT CREATE SESSION TO king;
    
    

    Use the Biometric Manager to enroll the user in the Biometric Authentication Service.

    The user king can now be biometrically authenticated to Oracle.

    More Information:

    For information on creating users identified externally, see Oracle8i Administrator's Guide and Oracle8i Distributed Database Systems.

    For information on the Biometric Authentication Service and on storing the secret key in the client, see the Identix documentation. 
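The rule in the steps above (the Oracle account name is OS_AUTHENT_PREFIX followed by the client user name, at most 30 characters, and not already present) is simple but easy to get wrong when the prefix is not null. The following Python script is an added example and is not part of the Oracle guide: it derives the account name from the prefix and the operating system user name, checks the two notes above, and assembles the CREATE USER and GRANT statements shown in the chapter. The list of existing Oracle users is constructed for the example.

```python
"""Plan an externally identified Oracle account for a biometric user.

Added example, not part of the Oracle guide.  Derives the account name the
chapter describes (OS_AUTHENT_PREFIX + operating system user name), checks
the 30-character limit and that no such account exists yet, and builds the
CREATE USER / GRANT statements from the chapter.  The existing-user list is
constructed for the example.
"""
import re

MAX_USER_NAME_LEN = 30   # Oracle user-name limit cited in the chapter
# Characters a name may use without double quotes in SQL (letters, digits, _ $ #,
# starting with a letter); the chapter's examples all use such plain names.
PLAIN_IDENTIFIER = re.compile(r'^[A-Za-z][A-Za-z0-9_$#]*$')


def oracle_account_name(os_authent_prefix, os_user):
    """OS_AUTHENT_PREFIX followed by the operating system user name."""
    return os_authent_prefix + os_user


def plan_external_user(os_authent_prefix, os_user, existing_users):
    """Return (statements, problems).

    statements: the SQL to run in SQL*Plus when problems is empty.
    existing_users: current Oracle user names; compared case-insensitively
    because Oracle stores unquoted names in upper case (the chapter's 'king'
    becomes the account KING)."""
    problems = []
    account = oracle_account_name(os_authent_prefix, os_user)
    if not account:
        problems.append('account name is empty')
    if len(account) > MAX_USER_NAME_LEN:
        problems.append('%r is %d characters; Oracle user names are limited to %d'
                        % (account, len(account), MAX_USER_NAME_LEN))
    if account and not PLAIN_IDENTIFIER.match(account):
        problems.append('%r is not a plain identifier; the chapter\'s examples use plain names'
                        % account)
    if account.upper() in (u.upper() for u in existing_users):
        problems.append('an Oracle user named %s already exists' % account.upper())
    statements = [
        'CREATE USER %s IDENTIFIED EXTERNALLY;' % account,
        'GRANT CREATE SESSION TO %s;' % account,
    ]
    return statements, problems


# Constructed sample of accounts already present on the database server.
SAMPLE_EXISTING_USERS = ['SYS', 'SYSTEM', 'OFM_CLIENT', 'SCOTT']

if __name__ == '__main__':
    # Null prefix, as the chapter recommends, and the chapter's example user.
    statements, problems = plan_external_user('', 'king', SAMPLE_EXISTING_USERS)
    for line in problems or statements:
        print(line)
```

With the default prefix OPS$ the same call yields the account OPS$king; the length check is what makes the chapter's recommendation of a null prefix concrete, since the prefix counts towards the 30-character limit.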

Authenticating Users with a Biometric Authentication Service

Before you authenticate a user, ensure that the Biometric Authentication Service has been installed and configured and the steps in "Administering the Biometric Authentication Service" in this chapter have been executed.

Perform the following steps to authenticate users with a Biometric Authentication Service:

  1. Log on as the user assigned by the database administrator.

  2. If you are using TouchSafe II, set the system environment variable. The following variable is based on the I/O port setting in the TouchSafe II firmware:

    ETSII_IOPORT = 0X280
    
    


    Note:

    The TouchSafe III device does not use the ETSII_IOPORT environment variable. Instead, it uses the tn3com.ini file to set the port and baud rate. 



  3. Enter the following to launch SQL*Plus:

    sqlplus
    
    
  4. Enter the name of the database server at the SQL*Plus prompt:

    SQL> connect /@net_service_name
    
    
    where net_service_name is the Net8 net service name.

  5. The Net8 Native Authentication dialog box appears followed by a beep sound.


    Note:

    On some systems, this dialog box is displayed behind the current window. The beep alerts you when it is displayed. 


  6. Click OK in the Net8 Native Authentication dialog box.

  7. When a message appears telling you to place your finger on the desktop fingerprint sensor, use the same finger that you and the administrator entered into the authentication server repository.

  8. Remove your finger at the prompt. Another prompt tells you whether you have been authenticated.

  9. If authentication fails and the message "Access Denied" appears, try one of the following recovery methods:

Troubleshooting

Check the following if you encounter any problems installing or using Identix biometric authentication.


Copyright © 1999 Oracle Corporation. All Rights Reserved.