7
Configuring Identix Biometric Authentication

This chapter contains information on how to configure Oracle for use with Identix Biometric authentication. It covers the following topics:

• Overview

• Architecture of the Biometric Authentication Service

• Prerequisites

• Enabling Biometric Authentication

• Administering the Biometric Authentication Service

• Authenticating Users With the Biometric Authentication Service

• Troubleshooting

Overview

The Biometric Authentication Service uses the Identix Biometric Authentication Adapter to provide tamper-proof biometric authentication of users using secret-key MD5 hashing, centralized management of biometrically identified users, and centralized management of those database servers that authenticate biometrically identified users.

This section describes how the Biometric Authentication Service works in a client-server environment.

Figure 7-1 Typical Biometric Authentication Service Configuration

Figure 7-1 presents the components and the configuration of the Biometric Authentication Service.

• The fingerprint repository has one administrator who is responsible for enrolling multiple users' fingerprint templates and defining the DEFAULT policy that will be in force for all databases that subscribe to the fingerprint server for authentication.

• The Fingerprint Security Service Administrator uses a desktop fingerprint scanner to read user fingerprints, convert them to templates, and send them with measured accuracies to the Biometric Authentication Service which stores them in the fingerprint repository: an Oracle database. The measured accuracy of a fingerprint is an estimate of how reliable a comparison can be made between the stored fingerprint template and the user's fingerprint that is scanned later for authentication. The enrollment quality is expressed as a percent score between 0 and 100. For example, a user may have an enrollment quality of 72%.

• The Fingerprint Security Service Administrator also defines one security policy named DEFAULT for all of the database servers that accept biometrically identified users. The security policy is enforced for all clients serviced by that database server. It contains a secret key and three types of threshold levels for fingerprints: verification, false finger, and high security.

• At the client, before any authentication can occur, the Fingerprint Security Service Administrator stores the secret key in the fingerprint sensor for each client. The secret key stored in the fingerprint sensor will be compared against the secret key stored in the security policy.

• At the client, in response to the user's request for authentication, the database server enforces on the client the set of values that it obtains from the DEFAULT security policy in its fingerprint server. The three threshold levels (values) are:
  • verification threshold

  • false finger threshold

  • high security threshold

  Please refer to the Identix documentation for detailed information on these threshold levels.

• At the client, the biometric authentication service passes the user's fingerprint template and the threshold values to the sensor. The user's fingerprint is then scanned and the verification result, fingerprint template, secret key, and threshold values are used to generate a hash. This hash is sent to the server side adapter for comparison with the hash generated by the server side adapter.

Architecture of the Biometric Authentication Service

The Biometric Authentication Service consists of the following modules:

• The Biometric Manager, which the administrator uses to enter the security policy and fingerprints. In the remainder of this document, the Biometric Manager will also be referred to as the manager.

• The Biometric Authentication Server (fingerprint repository), which stores the security policies and fingerprint templates, is a specially configured version of a production Oracle Database Server. In the remainder of this document, the Biometric Authentication Server will also be referred to as the authentication server.

• The Identix authentication adapters are used on both the clients and the database servers to communicate biometric authentication data between the authentication server and the clients in order to authenticate a database user.

Both the manager and the client-side adapter interface with Identix products: TouchNet II Software Libraries, the TouchNet II Hardware Interface, and the TouchNet II Desktop Sensor, TouchNet III software libraries, TouchNet III desktop sensor.

More Information: For a list of Identix documentation that describe these Identix products, see "Related Publications" in the Preface of this manual.

Administration Architecture

The Fingerprint Security Server Administrators use the manager to scan user fingerprints, measure the accuracy of the fingerprints, and establish security policies for database servers. The manager sends this information to the authentication server which stores the data in the repository.

The administrator, or someone who can be trusted, uses the Identix TouchNet II or TouchNet III Software to store the secret key on the TouchNet II or TouchNet III device. This key must match the key stored in the DEFAULT security policy before authentication can occur.

Authentication Architecture

Each user who wants to use the system must place a fingerprint on a TouchNet II or TouchNet II Desktop Sensor. The client-side adapter sends an authentication request to the server-side adapter which uses the previously enrolled fingerprint stored in the authentication server for comparison. For each authentication request from a client, the authentication server retrieves and sends the user's fingerprint and the database server's security policy back to the client-side adapter via the server-side adapter.

The user's authentication request causes the Oracle Advanced Security option Identix authentication adapter (client-side) to send the request to the biometric authentication adapter (server-side), which looks up the user's fingerprint in the authentication server, which returns the stored fingerprint and the associated security policy.

Using threshold level values from the associated security policy, the adapter (client-side) uses the TouchNet II Software Libraries to set threshold values on the TouchNet II Desktop Sensor. It then prompts for the placing of the user's finger on the TouchNet II Desktop Sensor. The adapters on the client and the database server work together to compare the user's fingerprint, the secret key, and the threshold levels against the administrator-entered security policy stored in the authentication server repository. If this data matches, the user is then authenticated.

Prerequisites

• The Windows NT machine that is to become the manager PC must be running the Oracle Enterprise Manager 2.0 or above.

• Each Windows NT or Windows 95 machine that is to become a client PC must be running Net8.

• The authentication server and each database server must be running Oracle8 release 8.0.3 or higher or Oracle8i.

• Before proceeding with the installation of the Oracle Advanced Security option, you must make sure that each Windows NT and Windows 95 client has Net8 connectivity with its associated database server.

Installing the TouchSAFE II Encrypt Device Driver for Windows NT

The Biometric Manager installation process automatically installs the necessary TouchNet II software and automatically configures the device if requested.

If during the installation of the Biometrics Manager, you chose not to allow the installer to set up your Identix TouchSafe II Device Driver, you can configure it manually as follows.

1. Change directory to $ORACLE_HOME\IDENTIX
   • If you are using the default IO port number 280 and the default Windows NT directory, go to Step 4.

   • If you are not using the default IO port number 280, go to Step 2.

   • If you are not using the default Windows NT directory C:\WINNT35\SYSTEM32\DRIVERS, go to Step 3.

2. Modify the IoPortAddress parameter in ETSIINT.INI to the current TouchSafe II Encrypt I/O port setting. For example:

   IoPortAddress = REG_DWORD 0x00000360  for I/O port 0x360 
   

3. Modify the Windows NT directory setting in ETSIINT.BAT with your Windows NT directory.

   For example:

   copy etsiint.sys c:\winnt\system32\drivers   
   -> copy etsiint.sys path\drivers 
   

4. Run the batch file ETSIINT.BAT.

5. Use the SetKey utility in the Identix demo program to set a hash key in Hex. Set the key to C001BABY for example (do not use this value!). Make sure the hash key matches exactly the one set in the DEFAULT Security policy.

6. Re-boot the system, and the device driver will start to work.

7. To make sure the device driver is running, check the Device Control Panel after re-boot. The device ETSIINT should be started already.

Biometric Manager PC

On the manager PC:

1. Install Oracle Enterprise Manager on both the Oracle server and the Oracle client.

2. Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices.

   More Information: See the Identix Readme file

3. Install and test the Identix TouchNet II (Encrypt) 2.0 or TouchNet III.

   More Information: See "Installing the TouchSAFE II Encrypt Device Driver for Windows NT" and your platform-specific installation documentation.

   Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. This demonstration program must work on the PC before any other Oracle products can be loaded onto the PC. Refer to the Identix Readme file for additional information.

Client PC

On each client PC:

1. Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices. Refer to the Identix Readme file for additional information.

2. Install and test the Identix TouchNet II (Encrypt) 2.0 or TouchNet III. Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. This demonstration program must work on the PC before any other Oracle products can be loaded onto the PC.

   More Information: See "Installing the TouchSAFE II Encrypt Device Driver for Windows NT" and your platform-specific installation documentation.

3. Install the Oracle Advanced Security option Identix authentication adapter.

   More Information: See your platform-specific documentation. Refer also to the Identix Readme file.

Database Server

The biometric authentication adapter must be installed on each production database that will use biometric services for its authentication. Install the biometric authentication adapter following the instructions in your platform-specific documentation.

Note: Do not install the adapter on the database storing the fingerprint repository.

Biometric Authentication Service

The Biometric Authentication Service is the database that houses both the user and fingerprint information. This database can be any Oracle 8.0.3 or later production database. It should be on a secure, trusted system with strict security and access controls. The adapter should not be installed on this database.

Enabling Biometric Authentication

To configure the Biometric Authentication Service, you perform the following tasks, each of which is described in the next few pages.

Step 1: Configure the database server that is to become the authentication server

Step 2: Configure Identix authentication

Step 3: Establish a net service name for the fingerprint repository server

Step 4: Verify that the address of the database server is accessible to the client

Step 5: Configure the manager PC

Step 1: Configure the database server that is to become the authentication server

1. Connect to the database server as SYSTEM/MANAGER (or whatever your system password is).

2. Test the connection by connecting as:

   ofm_admin/ofm_admin
   

Step 2: Configure Identix authentication

To configure Identix authentication you perform the tasks in the following list. Each task is described below.

• Configure the authentication method on the Oracle server and the Oracle client

• Configure the fingerprint server name on the client and the server

• Configure the user name, password, and fingerprint method

• Configure the INIT.ORA file

• Configure the ORACLE.INI file

Unless otherwise indicated, you can configure Identix authentication either by using the Net8 Assistant, or by modifying the file sqlnet.ora with any text editor.

Using Net8 Assistant

This graphical interface tool makes it easy to set parameters in the sqlnet.ora file and other Oracle8i configuration files.

To launch Net8 Assistant:

• On UNIX, run the script netasst at $ORACLE_HOME/bin.

• On Windows platforms, click the Start button > Programs > Oracle for Windows NT--HOME_NAME > Net8 Assistant.

To begin configuring the Oracle Advanced Security option using Net8 Assistant:

In the Net8 Assistant's left pane, click the Profile folder. Then go to the drop down list box at the top of the right pane, and select Advanced Security Option. The tabbed pages for the Oracle Advanced Security option appear.

To save changes with Net8 Assistant:

Go to the menu bar and click File > Save Network Configuration.

Configure the authentication method on the Oracle server and the Oracle client

Do this by setting the SQLNET.AUTHENTICATION_SERVICES parameter.

Figure 7-2 Using Net8 Assistant to Configure Authentication

Use the Net8 Assistant...

...or modify SQLNET.ORA

Refer to Figure 7-2. Select the Authentication tab. In the Available Methods list, select Identix. Click the [>] button to move the method over to the Selected Methods list. Move any other methods you want to use in the same way. Arrange the selected methods in order of desired use. To do this, select a method in the list, then click [Promote] or [Demote] to position it in the list. For example, put Identix at the top of the list if you want that method to be the first one used.

Set the following parameter: SQLNET.AUTHENTICATION_SERVICES= (IDENTIX)

Configure the fingerprint server name on the client and the server

Do this by setting the SQLNET.IDENTIX_FINGERPRINT_DATABASE parameter.

Figure 7-3 Using Net8 Assistant to Configure the Fingerprint Server Name

Use the Net8 Assistant...	...or modify SQLNET.ORA
Refer to Figure 7-3. Select the Other Params tab. Click the Authentication Service drop-down list box, and select IDENTIX. In the Fingerprint Server Name box, type the name of the fingerprint server you want to use.	Set the following parameter: SQLNET.IDENTIX_FINGERPRINT_ DATABASE= service_name where service_name is the name of your authentication server.

Configure the user name, password, and fingerprint method

Use a text editor to set the following parameters in the file sqlnet.ora:

sqlnet.identix_fingerprint_database_user= ofm_client

sqlnet.identix_fingerprint_database_password= ofm_client

sqlnet.identix_fingerprint_method= oracle

where username is the well-known user name: ofm_client, and password is the well-known password: ofm_client

Note: The samples directory contains a file that shows how to set these parameters.

Note: The ofm_client user name and password are set up by running NAUICAT.SQL. You should not change ofm_client.

Configure the INIT.ORA file

Use a text editor to set the following parameters in the initialization file (init.ora):

REMOTE_OS_AUTHENT = false
OS_AUTHENT_PREFIX = ""

Note: The local naming configuration file (tnsnames.ora) on the database server should contain the service name of the fingerprint repository. If they are on the same database, use the following with the service name: (security=(authentication_service=none))

Configure the ORACLE.INI file

In the Oracle section of the oracle.ini file, use a text editor to specify the USERNAME parameter. This parameter sets the name of the database user with which the client connects to the database.

Step 3: Establish a net service name for the fingerprint repository server

More Information: See the Net8 Administrator's Guide.

Step 4: Verify that the address of the database server is accessible to the client

More Information: See the Net8 Administrator's Guide.

Step 5: Configure the manager PC

Configure the manager PC with a net service name to connect to the authentication server.

More Information: See Net8 Administrator's Guide

Administering the Biometric Authentication Service

You administer the Biometric Authentication Service by using the Biometric Manager.

More Information: See your Identix documentation.

To create a hashkey on each of the clients:

Use the Identix Setkey utility to configure a hexadecimal hashkey on each of the clients: e.g., FF30EE. This key must be the same for each client and must match the DEFAULT Policy hashkey. This key can range from one to thirty-two hexadecimal digits.

To create a user for biometric authentication:

1. On the client use the Windows NT User Manager to create a user name. (This user name must match the user name used in the next step.)

2. On the database server, restart the database and create an Oracle Server account for the user. Use SQL*Plus if using the Oracle Enterprise Manager or SQL*Plus connected as a user with the create user database role. Use the following syntax to create an account:

   SQL> CONNECT system/manager
   SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY;
   SQL> GRANT CREATE SESSION TO username
   
   
   

3. The OS_AUTHENT_PREFIX is an Oracle Server initialization parameter. The default value for OS_AUTHENT_PREFIX is OPS$. The user name in this step should match the user name created at the client. If you reset os_authent_prefix, you must stop and restart your database.

   Note: Oracle user names are limited to 30 characters and user names can be long, so it is strongly recommended that os_authent_prefix be set to a null value: OS_AUTHENT_PREFIX=""

   Note: An Oracle user with user name should not yet exist.

Example

If you create the user "king," and set OS_AUTHENT_PREFIX to a null value (""), you should use SQL*Plus to create an Oracle user account using the following syntax:

SQL> CREATE USER king IDENTIFIED EXTERNALLY;

At the minimum, you should give the user the "create session" privilege:

SQL> GRANT CREATE SESSION TO king;

Use the Biometric Manager to enroll the user in the Biometric Authentication Service.

The user "king" can now be biometrically authenticated to Oracle.

More Information: For information on creating users identified externally, see Oracle8i Administrator's Guide and Oracle8i Distributed Database Systems. For information on logging in to a database server once biometric authentication has been installed and configured, see "Authenticating Users With the Biometric Authentication Service". For information on storing the secret key in the client, see your Identix documentation.

Authenticating Users With the Biometric Authentication Service

Before you authenticate a user, make sure that the Biometric Authentication Service has been installed and configured and the steps in "Administering the Biometric Authentication Service" have been executed.

To authenticate users with the Biometric Authentication Service:

1. Log on as the user name assigned by the database administrator.

2. If you are using TouchNet II, set the system environment variable. The following variable is based on the 10 port setting on your TouchNet II firmware.

   ETSII_IOPORT = 0X280
   

   Note: The TouchNet III device does not use the ETSII_IOPORT environment variable. Instead, it uses the file tn3com.ini to set the port and baud rate.

   
   
3. Launch SQL*Plus.

4. Type the name of your database server when SQL*Plus displays the prompt:

   SQL>connect /@net_service_name
   
   

   where, net_service_name is the name of the database server.

5. Wait for the beep that announces the Net8 Native Authentication dialog box.

   Note: On some systems the dialog box is displayed behind the current window. The beep alerts you when it is displayed.

6. Click OK in the Net8 Native Authentication dialog box.

7. When a message appears telling you to place your finger on the desktop fingerprint sensor, use the same finger that you and the administrator entered into the authentication server repository.

8. Remove your finger at the prompt. Another prompt tells you whether you have been authenticated.

If the authentication fails, and the message, "Access Denied," appears:

Try one of the following recovery methods:

• Restart the authentication process.

  More Information: See "Authenticating Users With the Biometric Authentication Service".

• Have the security administrator lower the threshold value to 80.

• Have the security administrator re-enroll you.

  More Information: See the Biometric Manager online Help for task oriented procedures.

Troubleshooting

Check the following if you encounter any problems while installing or using Biometric Authentication.

• Ensure that the Identix Set Key utility hash key exactly matches the Biometric Manager DEFAULT Policy hash key.

• The NT user name must exactly match the externally defined user name in the database server and the user name used when adding the user with the Biometric Manager.

• Domain naming must be consistent. For example, if the local naming configuration (tnsnames.ora) uses .world as an appendix to the service name, then the profile (sqlnet.ora) must reflect this naming convention for the service name. For example:

  TNSNAMES.ORA
  biometrics.world = (DESCRIPTION =
                      (ADDRESS_LIST =
                       (ADDRESS =
                         ...
  SQLNET.ORA
  sqlnet.identix_fingerprint_database=biometrics.world
  
  
  

• It is possible to use one database for both the biometric authentication service and the production database; however, this is not recommended. If you do this, add the following line of code to the local naming configuration field (TNSNAMES.ORA) on the server and on each PC client.

  (connect_data =
      (service_name = service_name)
      (security = (Authentication_service = NONE))
  

---