Oracle Advanced Networking Option Administrator's Guide
Release 8.0

A58229-01


6 Configuring and Using the Identix Biometric Authentication Adapter

This chapter contains information on how to configure Oracle for use with the Identix Biometric Authentication Adapter. The following topics are discussed:

6.1 Overview

The Oracle Biometric Authentication Service uses the Identix Biometric Authentication Adapter to provide tamper-proof biometric authentication of users based on secret-key MD5 hashing, centralized management of biometrically identified users, and centralized management of the database servers that authenticate biometrically identified users.

Following is an overview of how the Oracle Biometric Authentication Service works in a client-server environment. Refer to Figure 6-1, "Typical Oracle Biometric Authentication Service Configuration" for an illustration of the components and the configuration of the Oracle Biometric Authentication Service.

6.2 Architecture of the Biometric Authentication Service

The Oracle Biometric Authentication Service consists of the following Oracle modules:

Both the manager and the client-side adapter interface with Identix products: the TouchNet II Software Libraries, the TouchNet II Hardware Interface, and the TouchNet II Desktop Sensor. Refer to "Related Publications" in the Preface of this manual for a list of the Identix documentation that describes these products.

6.2.1 Administration Architecture

Fingerprint Security Server administrators use the manager to scan user fingerprints, measure the accuracy of the scanned fingerprints, and establish security policies for database servers. The manager sends this information to the authentication server, which stores the data in the repository.

The administrator, or another trusted person, uses the Identix TouchNet II Software to store the secret key on the client PC. This key must match the key stored in the DEFAULT security policy before authentication can occur.

6.2.2 Authentication Architecture

Each user who wants to use the system must place a fingerprint on a TouchNet II Desktop Sensor. The client-side adapter sends an authentication request to the server-side adapter which uses the previously enrolled fingerprint stored in the authentication server for comparison. For each authentication request from a client, the authentication server retrieves and sends the user's fingerprint and the database server's security policy back to the client-side adapter via the server-side adapter.

The user's authentication request causes the Oracle Advanced Networking Option Identix Authentication Adapter (client-side) to send the request to the Biometric Authentication Adapter (server-side). The server-side adapter looks up the user's fingerprint in the Authentication Server, which returns the stored fingerprint and the associated security policy.

Using threshold level values from the associated security policy, the adapter (client-side) uses the TouchNet II Software Libraries to set threshold values on the TouchNet II Desktop Sensor. It then prompts for the placing of the user's finger on the TouchNet II Desktop Sensor. The adapters on the client and the database server work together to compare the user's fingerprint, the secret key, and the threshold levels against the administrator-entered security policy stored in the authentication server repository. If this data matches, the user is then authenticated.

6.3 Prerequisites

6.3.1 Oracle Biometric Manager PC

The Oracle Biometric Manager installation process automatically installs the necessary TouchNet II software and automatically configures the device if requested. On the manager PC:

  1. Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices. See the Identix Readme file for additional information.
  2. Install and test the Identix TouchNet II (Encrypt) 1.5 from the Oracle Enterprise Manager disk. Please see your platform-specific installation documentation. Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. This demonstration program must work on the PC before any other Oracle products can be loaded onto the PC. Refer to the Identix Readme file for additional information.
  3. Install the Oracle Biometric Manager on top of the Oracle Enterprise Manager.

6.3.2 Client PC

On each client PC:

  1. Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices. Refer to the Identix Readme file for additional information.
  2. Install and test the Identix TouchNet II (Encrypt) 1.4 from the Oracle Enterprise Manager disk. Please see your platform-specific installation documentation. Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. This demonstration program must work on the PC before any other Oracle products can be loaded onto the PC.
  3. Install the Oracle Advanced Networking Option Identix Authentication Adapter following the instructions in your platform-specific documentation. Refer also to the Identix Readme file.

6.3.3 Database Server

The Biometric authentication adapter must be installed on each production database that will use Biometric services for its authentication. Install the Biometric authentication adapter following the instructions in your platform-specific documentation. Do not install the adapter on the database housing the Biometric Authentication Service unless you want to have the Biometric Service Administrator authenticate using the adapter. Refer also to the Identix Readme file.

6.3.4 Biometric Authentication Service

The Biometric Authentication Service is the database that houses both the user and fingerprint information. This database can be any Oracle 8.0.3 or later production database. It should be on a secure, trusted system with strict security and access controls. The adapter should not be installed on this database.

6.4 Configuring the Biometric Authentication Service

Configure the Oracle Biometric Authentication Service by following these instructions:

  1. Configure the database server that is to become the authentication server:
     1. Connect to the database server as SYSTEM/MANAGER (or whatever your SYSTEM password is).
     2. Copy the naui...sql scripts from your Oracle Enterprise Manager installation to the authentication server.
     3. Test the connection by connecting as:

          ofm_admin/ofm_admin

  2. In the database server's local profile (SQLNET.ORA), set the following parameters:

       sqlnet.identix_fingerprint_database= service_name
       sqlnet.identix_fingerprint_database_user= username
       sqlnet.identix_fingerprint_database_password= password
       sqlnet.identix_fingerprint_method= oracle
       sqlnet.authentication_services= (identix)

     where

       • service_name is the name of your authentication server
       • username is the well-known username: ofm_client
       • password is the well-known password: ofm_client

     Note: The samples directory contains a file that shows how to set these parameters.

     Note: The ofm_client username and password are set up by running NAUICAT.SQL. You should not change ofm_client.

  3. In the database server's local initialization file (INIT.ORA), set the following parameters:

       remote_os_authent = false
       os_authent_prefix = ""

     Note: The local naming configuration file (TNSNAMES.ORA) on the database server must contain the service name of the fingerprint repository. If the fingerprint repository and the database server are the same database, add the following to that service name's connect descriptor:

       (security=(authentication_service=none))

  4. Establish a service name and connect descriptor for the fingerprint repository server in the database server's local naming configuration file. The service name must be the same as that used in the local profile. Use the Oracle Net8 Assistant or the Service Names Wizard to construct this parameter.

       service_name =(DESCRIPTION =
         (ADDRESS_LIST =
           (ADDRESS =
           . . .

  5. Configure the adapter (client-side):
     1. Verify that the address of the database server is accessible to the client, either through a local naming configuration file or a naming service. For more information, refer to the Oracle Net8 Administrator's Guide.
     2. Modify the client's local profile by adding identix to the list of authentication services:

          sqlnet.authentication_services = (identix)

  6. Configure the manager PC by setting its local naming configuration file (TNSNAMES.ORA) to connect to the authentication server. Refer to the Oracle Net8 Administrator's Guide.

6.5 Configuring the Oracle Biometric Authentication Service using the Oracle Net8 Assistant

The following steps show you how to use the Net8 Assistant to configure the IDENTIX authentication adapter. Refer also to the Net8 Assistant online Help system for instructions on how to configure the SECURID authentication adapter.

Configure clients and servers to use encryption as follows. Refer to Figure 6-2, "Oracle Net8 Assistant Profile Folder Encryption Tab".

  1. Click the Profile folder.
  2. Select Advanced Networking Options from the drop-down list box.
  3. Click the Encryption tab.
  4. Click the Encryption drop-down list box, and click CLIENT or SERVER.
  5. Click the Encryption Type drop-down list box, and click one of the following values: requested, required, accepted, rejected.
  6. Type between 10 and 70 random characters for the Encryption Seed.
  7. Move services to and from the Available Services and Selected Services lists by selecting a service and clicking the arrow keys.

Figure 6-2 Oracle Net8 Assistant Profile Folder Encryption Tab

Next, you must configure an authentication service on your network. Refer to Figure 6-3, "Oracle Net8 Assistant Profile Folder Authentication Tab".

  1. Click the Profile folder.
  2. Click the Authentication tab.
  3. Click to select the authentication service you want from the Available Services list.
  4. Click the [<] button to move the service over to the Selected Services list.
  5. Repeat steps 3 and 4 until you have selected all of your required authentication services.
  6. Arrange the selected services in order of desired use. Click on a service to select it, then click [Promote] or [Demote] to arrange the services in the list. For example, put IDENTIX at the top of the list if you want that service to be the first one used.

Figure 6-3 Oracle Net8 Assistant Profile Folder Authentication Tab

You must now configure the authentication parameters. Refer to Figure 6-4, "Oracle Net8 Assistant Profile Folder Parameter Tab".

  1. Click the Profile folder.
  2. Click the Parameter tab.
  3. Click the Authentication Service drop-down list box, and select IDENTIX.
  4. Type the name of the fingerprint server you want to use.

Figure 6-4 Oracle Net8 Assistant Profile Folder Parameter Tab

6.6 Administering the Oracle Biometric Authentication Service

Add a security policy called "DEFAULT" to the manager using the Biometric Manager on the Oracle Enterprise Manager. Refer to Oracle Biometric Manager online Help for task-oriented procedures.

6.6.1 Create a Hashkey on each of the Clients

Use the Identix Setkey utility to configure a hexadecimal hashkey on each of the clients, for example FF30EE. This key must be the same for each client and must match the DEFAULT Policy hashkey. The key can range from 1 to 32 hexadecimal digits.

6.6.2 Create Users for the Biometric Authentication Adapter

To create a user for the adapter, execute the following steps:

  1. On the client, use the Windows NT User Manager to create a username. (This username must match the username used in the next step.)
  2. On the database server, restart the database and create an Oracle Server account for the user. Use SVRMGRL (from the Oracle Enterprise Manager) or Server Manager, connected as a user with the create user database role. Use the following syntax to create an account:

       SVRMGRL> connect system/manager
       SVRMGRL> create user os_authent_prefix username identified externally;

  3. The os_authent_prefix is an Oracle Server initialization parameter. The default value for os_authent_prefix is OPS$. The username in this step must match the username created at the client. If you reset os_authent_prefix, you must stop and restart your database.

     Note: Oracle user names are limited to 30 characters and operating system user names can be long, so it is strongly recommended that os_authent_prefix be set to a null value:

       os_authent_prefix=""

     Note: An Oracle user with this username should not already exist.

  4. Example: If you create the user "king" and set os_authent_prefix to a null value (""), create the Oracle user account using the following syntax:

       SQLDBA> create user king identified externally;

  5. At a minimum, you should give the user the "create session" privilege:

       SQLDBA> grant create session to king;

  6. Use the manager to enroll the user in the Oracle Biometric Authentication Service.
  7. The user "king" can now be biometrically authenticated to Oracle.

For information on how to log on to a database server once the adapter has been installed and configured, see Section 6.7, "Authenticating Users With the Oracle Biometric Authentication Service". Store the secret key on the client according to the directions in the Identix documentation.

6.7 Authenticating Users With the Oracle Biometric Authentication Service

To authenticate a user, first make sure that the Biometric Authentication Service has been installed and configured and that the steps in Section 6.6, "Administering the Oracle Biometric Authentication Service", have been executed.

The user should follow these instructions:

  1. Log on as the username assigned by the database administrator.
  2. Set the system environment variable. The following value is based on the I/O port setting in your TouchNet II firmware:

       ETSII_IOPORT = 0X280

  3. Double-click Svrmgr 2.3. (Authentication is not limited to Svrmgr, but may be implemented through other front ends.)
  4. Type the name of your database server when Svrmgr displays the prompt:

       Svrmgr>connect /@service_name

     where service_name is the name of the database server.

  5. Wait for the beep that announces the SQL*Net Native Authentication dialog box.

     Note: On some systems the dialog box is displayed behind the current window. The beep alerts you when it is displayed.

  6. Click OK in the SQL*Net Native Authentication dialog box.
  7. When a message appears telling you to place your finger on the desktop fingerprint sensor, use the same finger that you and the administrator entered into the authentication server repository.
  8. Remove your finger at the prompt. Another prompt tells you whether or not you have been authenticated.

If the authentication fails and the message "Access Denied" appears, try one of the following recovery methods:

6.8 Using the Biometric Manager

The Oracle Biometric Authentication Service is administered using the Biometric Manager, which is based on the Oracle Enterprise Manager. It provides a graphical user interface (GUI) which enables the administrator to:

Refer to Oracle Biometric Manager online Help for task-oriented procedures.

Note: Once the Biometric Manager has been installed, the first action taken must be to add a security policy called "DEFAULT" to the database.

6.8.1 Logging On

Figure 6-5, "Login Information Window", appears after you click the Oracle Biometric Manager icon in the Oracle Enterprise Manager window.

Figure 6-5 Login Information Window

  1. Type or select the following information to log on to the Oracle Biometric Manager:
     • username
     • password
     • service_name, where service_name is the name of the authentication server
     • Connect As: leave this field blank
  2. Click [OK] to continue, click [Cancel] to return to the Oracle Enterprise Manager, or click [Help] for Oracle Enterprise Manager help.
  3. Figure 6-6, "Identix User Registration Window", appears after you click [OK].

Figure 6-6 Identix User Registration Window

6.8.2 Displaying Oracle Biometric Authentication Service Data

The Oracle Enterprise Manager displays the Oracle Biometric Authentication Service database schema in two windows: the Object Tree window and the Properties window.

6.8.2.1 The Object Tree Window

The Object Tree window is located on the left side of the screen. It displays the Oracle Biometric Authentication Service database schema in a tree-like structure composed of a series of folders that contain objects. These objects, in turn, may also contain folders that contain additional objects. See Figure 6-7, "Identix User Registration Window with Expanded Object Tree".

Figure 6-7 Identix User Registration Window with Expanded Object Tree

Double-click the identix_scan folder to expand the object tree. Two folders appear under the identix_scan folder: Users and Security Policies. You can expand or contract the object tree or any of its folders by clicking the [+] or [-] boxes, respectively.

6.8.2.2 The Properties Window

The Properties window is located on the right side of the screen. It initially displays a graphic along with application and user information. The contents of this window change depending on what you select in the object tree. The Properties window displays summary or detail information on a folder's contents when you click a folder in the Object Tree window. See Figure 6-8, "Properties Window with Summary Information", or Figure 6-9, "Properties Window with Detail Information".

Figure 6-8 Properties Window with Summary Information

6.8.2.2.1 Sorting Summary Data in the Properties Window

The Properties window with summary information contains a list of items that can be sorted by clicking on each column heading. For example:

6.9 Troubleshooting

Check the following if you encounter any problems while installing or using the Biometric Authentication Adapter.

  1. Ensure that the Identix Set Key utility hash key exactly matches the Biometric Manager DEFAULT Policy hash key.
  2. The NT user name must exactly match the externally defined user name in the database server and the user name used when adding the user with the Biometric Manager.
  3. Domain naming must be consistent. For example, if the local naming configuration file (TNSNAMES.ORA) uses .world as a suffix on the service name, then the profile (SQLNET.ORA) must use the same suffix for that service name. For example:

       TNSNAMES.ORA
       biometrics.world = (DESCRIPTION =
                           (ADDRESS_LIST =
                            (ADDRESS =
                              ...

       SQLNET.ORA
       sqlnet.identix_fingerprint_database=biometrics.world

  4. It is possible to use one database for both the biometric authentication service and the production database; however, this is not recommended. If you do this, add the following line to the local naming configuration file (TNSNAMES.ORA) on the server and on each PC client:

       (security = (Authentication_service = NONE))
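The following Python script is an added example, not part of this manual: it checks a database server's SQLNET.ORA, INIT.ORA and TNSNAMES.ORA against the parameter settings required in Section 6.4 and the service-name consistency rule in item 3 above. The three sample files, the host name and the port are constructed for the example.

```python
import re

# Constructed sample files (not from the manual): a server-side SQLNET.ORA,
# INIT.ORA and TNSNAMES.ORA following Section 6.4, using the ".world" domain
# suffix from the Section 6.9 example. Host and port values are made up.
SQLNET_ORA = """
sqlnet.identix_fingerprint_database=biometrics.world
sqlnet.identix_fingerprint_database_user=ofm_client
sqlnet.identix_fingerprint_database_password=ofm_client
sqlnet.identix_fingerprint_method=oracle
sqlnet.authentication_services=(identix)
"""
INIT_ORA = """
remote_os_authent = false
os_authent_prefix = ""
"""
TNSNAMES_ORA = """
biometrics.world = (DESCRIPTION =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = fp-server)(PORT = 1521)))
  (CONNECT_DATA = (SID = ORCL)))
"""

def parse_params(text):
    """Return {name: value} for simple 'name = value' lines, names lower-cased."""
    params = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.]+)\s*=\s*(.*?)\s*$', line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params

def tnsnames_entries(text):
    """Return the service names defined at top level (parenthesis depth 0)."""
    names, depth = set(), 0
    for line in text.splitlines():
        m = re.match(r'\s*([\w.]+)\s*=', line) if depth == 0 else None
        if m:
            names.add(m.group(1).lower())
        depth += line.count('(') - line.count(')')
    return names

def check_identix_config(sqlnet, init, tnsnames):
    """Return a list of findings; an empty list means the files are consistent."""
    s, i, findings = parse_params(sqlnet), parse_params(init), []
    svc = s.get('sqlnet.identix_fingerprint_database', '')
    if not svc:
        findings.append('sqlnet.identix_fingerprint_database is not set')
    elif svc.lower() not in tnsnames_entries(tnsnames):
        findings.append('no TNSNAMES.ORA entry for %r (check the .world suffix)' % svc)
    if s.get('sqlnet.identix_fingerprint_database_user') != 'ofm_client':
        findings.append('fingerprint database user must be the well-known ofm_client')
    if 'identix' not in s.get('sqlnet.authentication_services', '').lower():
        findings.append('identix is missing from sqlnet.authentication_services')
    if i.get('remote_os_authent', '').lower() != 'false':
        findings.append('remote_os_authent must be false')
    if i.get('os_authent_prefix') != '""':
        findings.append('os_authent_prefix should be "" so NT user names fit in 30 chars')
    return findings
```

Run the checker against the real files read from disk; an empty result means the three files agree with each other and with Section 6.4.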



Copyright © 1997 Oracle Corporation. All Rights Reserved.
