8
Configuring Identix Biometric Authentication

This chapter describes how to configure Oracle8i for use with Identix biometric authentication, in the following sections:

Overview

The Biometric Authentication Service uses Identix Biometric Authentication to provide tamper-proof biometric authentication of users using secret-key MD5 hashing, centralized management of biometrically identified users, and centralized management of those database servers that authenticate biometrically identified users.

This section describes how the Biometric Authentication Service works in a client-server environment.

Figure 8-1 shows the configuration of the Biometric Authentication Service.

Figure 8-1 Typical Biometric Authentication Service Configuration

The Fingerprint Repository has an administrator who is responsible for enrolling multiple user fingerprint templates, and defining the default policy for all databases that subscribe to the fingerprint server for authentication.

The Fingerprint Security Service Administrator uses a desktop fingerprint scanner to read user fingerprints, convert them into fingerprint templates, and send them with measured accuracies to the Biometric Authentication Service. The Biometric Authentication Service stores the fingerprint templates in the Fingerprint Repository, an Oracle database. The measured accuracy of a fingerprint is an estimate of how reliable a comparison can be made between the stored fingerprint template and the user's fingerprint that is scanned later for authentication. The enrollment quality is expressed as a percent score between 0 and 100. For example, a user may have an enrollment quality of 72 percent.

The Fingerprint Security Service Administrator also defines one security policy named DEFAULT for all of the database servers that accept biometrically identified users. The security policy is enforced for all clients serviced by that database server. It contains a secret key and three types of threshold levels for fingerprints: verification, false finger, and high security.
At the client, before any authentication can occur, the Fingerprint Security Service Administrator stores the secret key in the fingerprint sensor for each client. The secret key stored in the fingerprint sensor is compared against the secret key stored in the security policy.
At the client, in response to a user authentication request, the database server enforces on the client the set of values that it obtains from the default security policy in its fingerprint server. The threshold levels (values) are:
- Verification threshold
- False finger threshold
- High security threshold
  
  See Also:
  Identix documentation for detailed information about the threshold levels
At the client, the biometric authentication service passes the user fingerprint template and the threshold values to the sensor. The user fingerprint is scanned and the verification result, fingerprint template, secret key, and threshold values are used to generate a hash total. The hash total is sent to the server-side adapter for comparison with the hash total generated by the server-side adapter.

Architecture of the Biometric Authentication Service

The Biometric Authentication Service consists of the following modules:

Biometric Manager (the manager)

The administrator uses this module to enter the security policy and fingerprints.

Biometric Authentication Server (authentication server)

A specially configured version of an Oracle database server, this module stores the security policies and fingerprint templates.

Identix Authentication Adapters

Identix authentication adapters are used on both the client and database servers to communicate biometric authentication data between the authentication server and client systems--to authenticate a database user.

Both the manager and the client-side adapter interface with the following Identix products:

TouchSafe II Software Libraries
TouchSafe II Hardware Interface
TouchSafe II Desktop Sensor
TouchSafe III software libraries
TouchSafe III Desktop Sensor

See Also:
Related Documents for a list of Identix documentation that describes these Identix products

Administration Architecture

The Fingerprint Security Server administrators use the manager to scan user fingerprints, measure the accuracy of the fingerprints, and establish security policies for database servers. The manager sends this information to the authentication server, which stores the data in the repository.

The administrator, or someone who can be trusted, uses the Identix TouchSafe II or TouchSafe III software to store the secret key on the TouchSafeII or TouchSafe III device. This key must match the key stored in the DEFAULT security policy before authentication can occur.

Authentication Architecture

Each user who wants to use the system must place a fingerprint on a TouchSafe II or TouchSafe II Desktop Sensor. The client-side adapter sends an authentication request to the server-side adapter which uses the previously enrolled fingerprint stored in the authentication server for comparison. For each authentication request from a client, the authentication server retrieves and sends the user's fingerprint and the database server's security policy back to the client-side adapter via the server-side adapter.

The user's authentication request causes the client-side Oracle Advanced Security Identix authentication adapter to send the request to the server side biometric authentication adapter. The adapter looks up the user's fingerprint in the authentication server, which returns the stored fingerprint and the associated security policy.

Using threshold level values from the associated security policy, the client-side adapter uses the TouchSafe II Software Libraries to set threshold values on the TouchSafe II Desktop Sensor. It then prompts the user to place a finger on the TouchSafe II Desktop Sensor. The adapters on the client and the database servers work together to compare the user's fingerprint, the secret key, and the threshold levels against the administrator-entered security policy stored in the authentication server repository. If this data matches, the user is authenticated.

Prerequisites

The Windows NT system that is to become the manager PC must be running Oracle Enterprise Manager 2.0 or later.
Each Windows NT or Windows 95/98 system that is to become a client PC must be running Net8.
The authentication server and each database server must be running Oracle8 release 8.0.3 or higher, or Oracle8i.
Ensure that each Windows NT and Windows 95/98 client has Net8 connectivity with its associated database server.

Installing the TouchSafe II Encrypt Device Driver for Windows NT

The Biometric Manager installation process automatically installs the necessary TouchSafe II software and automatically configures the device if requested.

During the installation of the Biometrics Manager, if you chose not to set up your Identix TouchSafe II Device Driver, you can configure it manually as follows.

Change directory to ORACLE_HOME\identix.
- If you are using the default IO port number 280 and the default Windows NT directory, go to Step 4.
- If you are not using the default IO port number 280, go to Step 2.
- If you are not using the default Windows NT directory c:\winnt35\sytem32\drivers, go to Step 3.
Modify the IoPortAddress parameter in etsiint.ini to the current TouchSafe II Encrypt I/O port setting.

For example:

IoPortAddress = REG_DWORD 0x00000360 for I/O port 0x360
Modify the Windows NT directory setting in etsiint.bat with the Windows NT directory.

For example:

copy etsiint.sys c:\winnt\system32\drivers

copy etsiint.sys path\drivers
Run the batch file etsiint.bat.
Use the SetKey utility in the Identix demo program to set a hash key in hexadecimal. Ensure that the hash key matches the one set in the default security policy.
Re-boot the system; the device driver should start.

To ensure that the device driver is running, check the Device Manager in Control Panel after re-boot; the device ETSIINT should be running.

Configuring the Biometric Manager PC

To configure the Biometric manager PC:

Install Oracle Enterprise Manager on both the Oracle database server and the Oracle client.
Install both the Identix hardware and driver firmware, and configure the Identix variables and devices.
Install and test Identix TouchSafe II (Encrypt) 2.0 or TouchSafe III.

See Also:
Installing the TouchSafe II Encrypt Device Driver for Windows NT , and the platform-specific installation documentation

Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. The demonstration program must work on the PC before any other Oracle products can be loaded onto the PC. See the Identix Readme file for additional information.

Configuring the Client PC

To configure each client PC system:

Install Oracle Enterprise Manager.
Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices. See the Identix Readme file for additional information.
Install and test the Identix TouchSafe II (Encrypt) 2.0 or TouchSafe III. Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. The demonstration program must work on the PC before any other Oracle products can be loaded onto the PC.

See Also:
Installing the TouchSafe II Encrypt Device Driver for Windows NT , and the platform-specific installation documentation
Install the Oracle Advanced Security Identix authentication adapter.

See Also:
Platform-specific documentation and the Identix Readme file

Configuring Each Database Server

The biometric authentication adapter must be installed on each database server that uses biometric services for its authentication. Install the biometric authentication adapter following the instructions in the operating system specific documentation.

Note:
Do not install the adapter on the database storing the fingerprint repository.

Enabling Biometric Authentication

The Biometric Authentication Service is a database that stores both the user and fingerprint information. The database can be any Oracle 8.0.3 or later production database. It should be installed on a secure system with strict security and access controls. The Identix adapter should not be installed on this database.

To configure the Biometric Authentication Service:

Task 1: Configure the Database Server

To configure the database server that is to become the Authentication Server:

Connect to the database server as SYSTEM/MANAGER (or whatever your system password is).
Test the connection by connecting as:

ofm_admin/ofm_admin

Task 2: Configure Identix Authentication

To configure Identix authentication:

Unless otherwise indicated, you can configure Identix authentication either by using the Net8 Assistant, or by modifying the sqlnet.ora file with any text editor.

Configure an Authentication Method and Fingerprint Server on the Client and Server Systems

Start Net8 Assistant:
- On UNIX, run netasst from $ORACLE_HOME/bin.
- On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.
In the Navigator window, expand Local > Profile.
From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security tabbed window appears:
Choose the Authentication tab.
From the Available Methods list, select IDENTIX.
Move IDENTIX to the Selected Methods list by choosing the right-arrow [>].
Arrange the selected methods in order of use. To do this, select a method in the Selected Methods list, and choose Promote or Demote to position it in the list.

For example, to select IDENTIX as the first service used, put it at the top of the list.
Choose the Other Params tab:
From the Authentication Service list, select IDENTIX.
In the Fingerprint Server Name box, enter the name of the fingerprint server.
Choose File > Save Network Configuration.

The sqlnet.ora file is updated with the following entries:

SQLNET.AUTHENTICATION_SERVICES=(IDENTIX)

SQLNET.IDENTIX_FINGERPRINT_DATABASE=SERVICE_NAME

Configure the User Name, Password, and Fingerprint Method

Use a text editor to set the following parameters in the sqlnet.ora file:

sqlnet.identix_fingerprint_database_user=ofm_client sqlnet.identix_fingerprint_database_password=password sqlnet.identix_fingerprint_method=oracle

where username is ofm_client, and password is ofm_client.

Note:

The samples directory contains a file that shows how to set these parameters.

The ofm_client user name and password are set up by running nauicat.sql. Do not change ofm_client.

Configure the Initialization Parameter File

Add the following parameters to the initialization parameters file:

REMOTE_OS_AUTHENT = false

OS_AUTHENT_PREFIX = ""

Note:
The local naming configuration file on the database server (tnsnames.ora) contains the service name of the fingerprint repository. If they are on the same database, enter the following with the service name:
(security=(authentication_service=none))

Configure the oracle.ini File

Set the USERNAME parameter in the Oracle section of the oracle.ini file. This parameter sets the name of the database user with which the client connects to the database.

Task 3: Establish a Net Service Name

Establish a net service name for the fingerprint repository server.

See Also:
Net8 Administrator's Guide for information about net service names

Task 4: Verify the Database Server Address

Verify that the address of the database server is accessible to the client.

See Also:
Net8 Administrator's Guide for information about verifying the address of the database server

Task 5: Configure the Biometric Manager PC

Configure the manager PC with a net service name to connect to the authentication server.

See Also:
Net8 Administrator's Guide for information about net service name configuration

Administering the Biometric Authentication Service

Perform the following tasks to administer the Biometric Authentication Service using the Biometric Manager.

See Also:
Identix documentation

Create a Hashkey on Each of the Clients

Use the Identix Setkey utility to configure a hexadecimal hashkey on each of the client systems. The key must be the same for each client and must match the default policy hashkey. This key can range from one to thirty-two hexadecimal digits.

Create a user for Biometric Authentication

Use the Windows NT User Manager to create a user name on the client.

On the database server, restart the database and create an Oracle database server account for the user.

Use SQL*Plus if using the Oracle Enterprise Manager, or SQL*Plus connected as a user with the CREATE USER database privilege.

To create an account, enter the following:

SQL> CONNECT system/manager

SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY;

SQL> GRANT CREATE SESSION TO username;

OS_AUTHENT_PREFIX is an Oracle database server initialization parameter. The default value for OS_AUTHENT_PREFIX is OPS$. The user name in this step should match the user name created on the client.

If you reset the OS_AUTHENT_PREFIX parameter, you must restart the database.

Note:
Oracle user names are limited to 30 characters and user names can be long, so Oracle Corporation strongly recommends that OS_AUTHENT_PREFIX be set to a null value, as follows:
OS_AUTHENT_PREFIX=""

For example:

If you create the user king on the client, and set OS_AUTHENT_PREFIX to a null value (""), use SQL*Plus to create an Oracle user account as follows:

SQL> CREATE USER king IDENTIFIED EXTERNALLY;

At a minimum, grant the user the CREATE SESSION privilege as follows:

SQL> GRANT CREATE SESSION TO king;

Use the Biometric Manager to enroll the user in the Biometric Authentication Service.

The user king can now be biometrically authenticated to Oracle8i.

See Also:

Oracle8i Administrator's Guide and Oracle8i Distributed Database Systems, for information about creating users identified externally

Identix documentation, for information about the Biometric Authentication Service, and storing the secret key on the client

Authenticating Users with a Biometric Authentication Service

Before you authenticate a user, ensure that the Biometric Authentication Service has been installed and configured and the steps described in Administering the Biometric Authentication Service have been executed.

To authenticate users with a Biometric Authentication Service:

Log on as the user assigned by the database administrator.
If you are using TouchSafe II, set the system environment variable. The setting in the following example is based on the 10 port setting on the TouchSafe II firmware:

ETSII_IOPORT = 0X280
Note:
The TouchSafe III device does not use the ETSII_IOPORT environment variable. Instead, it uses the tn3com.ini file to set the port and baud rate.
Enter the following to launch SQL*Plus:

sqlplus
Enter the name of the database server at the SQL*Plus prompt:

SQL>connect/@net_service_name
where net_service_name is the Net8 net service name.
The Net8 Native Authentication dialog box appears; choose OK.

Note:
On some systems, this dialog box is displayed behind the current window.
When a message appears telling you to place your finger on the desktop fingerprint sensor, use the same finger that you entered into the authentication server repository; remove your finger at the prompt. Another prompt tells you whether you have been authenticated.
If authentication fails and the message Access Denied appears, try one of the following recovery methods:
- Restart the authentication process.
- Request the security administrator to lower the threshold value to 80.
- Request the security administrator to re-enroll you.
  
  See Also:
  Biometric Manager online help for task oriented procedures

Troubleshooting

Check the following if you encounter any problems installing or using Identix biometric authentication:

The Identix Set Key utility hash key must match the Biometric Manager default policy hash key.
The NT user name must match the externally defined user name in the database server and the user name added to the Biometric Manager.

Domain naming must be consistent. For example, if the local naming configuration file (tnsnames.ora) uses .world as an appendix to the service name, the profile (sqlnet.ora) must reflect this naming convention for the service name.