Using the Biometric Manager
This guide describes the Biometric Authentication Service and includes sections that cover:
Overview of the Biometric Authentication Service
The Biometric Authentication Service provides:
- tamper-proof biometric authentication of users, using secret-key MD5 hashing
- centralized management of biometrically identified users
- centralized management of those database servers that authenticate biometrically identified users
The following numbered paragraphs provide an overview of the administration and authentication processes as shown in Figure 8 - 1:
3. At the client, before any authentication can occur, the administrator (not shown) stores the secret key in the fingerprint sensor for each client. The secret key stored in the fingerprint sensor will be compared against the secret key stored in the security policy.
4. At the client, in response to the user's request for authentication, the Biometric Authentication Service stores the three threshold levels in the client's fingerprint sensor and uses them to evaluate the user-entered fingerprint for authentication:
- the false finger threshold helps reject false fingers
- the high security threshold helps check for materials from which false fingers are made
For more detailed information on the threshold levels, please refer to the Identix documentation.
Figure 8 - 1. Typical Configuration of Clients and Servers in the Oracle Biometric Authentication Service.
Architecture of the Biometric Authentication Service
The Biometric Authentication Service consists of the following Oracle modules:
- The Oracle Biometric Authentication Server, which stores the security policies and fingerprints, is a specially configured version of a production Oracle Database Server. In the remainder of this document, the Oracle Biometric Authentication Server will also be referred to as the authentication server.
- The Oracle Biometric Authentication Adapters (not shown) are used on both the clients and the database servers to help communicate biometric authentication data between the authentication server and the clients. In the remainder of this document, the Oracle Biometric Authentication Adapter will also be referred to as the adapter.
Both the manager and the client-side adapter interface with Identix products: TouchNet II Software Libraries, the TouchNet II Hardware Interface, and the TouchNet II Desktop Sensor. Please refer to Identix documentation for a description of these Identix products.
Administration Architecture
Administrators use the manager to scan user fingerprints, measure the accuracy of the fingerprints, and establish security policies for database servers. The manager sends this information to the authentication server, which stores the data in the repository.
The administrator, or another trusted person, uses the Identix TouchNet II Software Libraries to store the secret key in the client PC. This key must match the key stored in the security policy before authentication can occur.
Figure 8 - 2 shows that administrators enter fingerprints and security policies into the Oracle Biometric Manager, which stores them in the Oracle Biometric Authentication Server.
Figure 8 - 2. Administration Procedures
Authentication Architecture
Each user who wishes to use the system must place a fingerprint on a TouchNet II Desktop Sensor as shown in Figure 8 - 3. The client-side adapter sends an authentication request to the server-side adapter, which then forwards the request on to the authentication server. For each authentication request from a client, the authentication server retrieves and sends the user's fingerprint and the database server's security policy back to the client-side adapter via the server-side adapter.
Figure 8 - 3. Authentication Procedures
The user's authentication request causes the Biometric Authentication Adapter (client-side) to send the request to the Biometric Authentication Adapter (server-side), which sends the request to the Oracle Biometric Authentication Server, which returns the stored fingerprint and the associated security policy.
Using threshold level values from the associated security policy, the adapter (client-side) uses the TouchNet II Software Libraries to set threshold values on the TouchNet II Desktop Sensor. It then prompts for the placing of the user's finger on the TouchNet II Desktop Sensor. The adapters on the client and the database server work together to compare the user's fingerprint, the secret key, and the threshold levels against the administrator-entered security policy stored in the authentication server repository. If this data matches, then the user is authenticated.
The server-side adapter and the authentication server can reside on separate nodes as demonstrated in Figure 8 - 3, or they can both reside on the same node.
The manager and the client-side adapter must each reside on a separate Windows NT-based PC.
The Windows NT machine that is to become the manager PC must be running the Oracle Enterprise Manager 1.1 or above.
Each Windows NT machine that is to become a client PC must be running SQL*Net 2.3.3 or above.
The authentication server and each database server must be running Oracle7 Server Version 7.3.3 or higher.
Before proceeding with the installation, you must make sure that each NT client has SQL*Net connectivity with its associated database server.
Oracle Biometric Manager PC
On the manager PC:
1. Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices. See the Identix documentation for instructions.
2. Install and test the Identix TouchNet II (Encrypt) 1.4. Please see your platform-specific installation documentation. Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. This demonstration program must work on the PC before any other Oracle products can be loaded onto the PC.
3. The Oracle Biometric Manager must be installed on top of the Oracle Enterprise Manager.
Client PC
On each client PC:
1. Install the Identix hardware and the Identix driver firmware and configure the Identix variables and devices. See the Identix documentation for instructions.
2. Install and test the Identix TouchNet II (Encrypt) 1.4. Please see your platform-specific installation documentation. Follow the instructions in the Identix manual to verify that the module works with the Identix demonstration program. This demonstration program must work on the PC before any other Oracle products can be loaded onto the PC.
3. Install the Biometric authentication adapter, following the instructions in your platform-specific documentation.
Database Server
The Biometric authentication adapter must be installed on each production database that will use Biometric services for its authentication. Install the Biometric authentication adapter following the instructions in your platform-specific documentation.
Configuring the Biometric Authentication Service
Configure the Oracle Biometric Authentication Service by following these instructions:
1. Configure the database server that is to become the authentication server:
- Connect to the database server as SYSTEM/MANAGER.
- Run a PL/SQL script against the database server. Using the Server Manager, type:
SVRMGR> @nauicat
- Test the connection by connecting as:
ofm_adm/ofm_adm
2. Configure the server-side adapter so that it can access the authentication server:
sqlnet.identix_fingerprint_database= service_name
sqlnet.identix_fingerprint_database_user= username
sqlnet.identix_fingerprint_database_password= password
sqlnet.identix_fingerprint_method= oracle
sqlnet.authentication_services= (beq,identix)
where:
- service_name is the name of your authentication server
- username is the well-known username: ofm_client
- password is the well-known password: ofm_client
Note: The samples directory contains a file that shows how to set these parameters.
Note: The ofm_client username and password are set up by running the nauicat script. You can alter the password if required. However, this user only has view permissions.
- In the database server's local INIT.ORA file, set the following parameters:
remote_os_authent = false
os_authent_prefix = ""
service_name =(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS =
. . .
Note: The ORACLE_SID and service name are the same as those of the authentication server.
3. Configure the adapter (client-side):
- Verify that the address of the database server is accessible to the client, either through a TNSNAMES.ORA file or a naming service. Please refer to SQL*Net documentation.
sqlnet.authentication_services = (identix)
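As an added example (not Oracle's code), the following script checks the server-side and client-side settings listed above: it parses sqlnet.ora and INIT.ORA key=value lines and reports any parameter that is missing or set to a value other than the one the configuration steps require. The sample file contents are constructed; the service name bioauth is an assumption.

```python
"""Check the sqlnet.ora / INIT.ORA settings required by the Biometric Authentication Service."""

# Constructed sample files mirroring the configuration steps above (service name is assumed).
SERVER_SQLNET = """\
sqlnet.identix_fingerprint_database = bioauth
sqlnet.identix_fingerprint_database_user = ofm_client
sqlnet.identix_fingerprint_database_password = ofm_client
sqlnet.identix_fingerprint_method = oracle
sqlnet.authentication_services = (beq,identix)
"""
SERVER_INITORA = """\
remote_os_authent = false
os_authent_prefix = ""
"""
CLIENT_SQLNET = "sqlnet.authentication_services = (identix)\n"


def parse_params(text):
    """Parse key = value lines (comments after '#' ignored); keys are lower-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def parse_services(value):
    """Turn '(beq,identix)' into the set {'beq', 'identix'}."""
    return {s.strip().lower() for s in value.strip("()").split(",") if s.strip()}


def check_server(sqlnet_text, initora_text):
    """Return a list of findings for the server-side adapter; empty list means all checks pass."""
    s, i = parse_params(sqlnet_text), parse_params(initora_text)
    findings = []
    for key in ("sqlnet.identix_fingerprint_database",
                "sqlnet.identix_fingerprint_database_user",
                "sqlnet.identix_fingerprint_database_password"):
        if not s.get(key):
            findings.append(f"missing {key}")
    if s.get("sqlnet.identix_fingerprint_method", "").lower() != "oracle":
        findings.append("sqlnet.identix_fingerprint_method must be oracle")
    if "identix" not in parse_services(s.get("sqlnet.authentication_services", "")):
        findings.append("identix not listed in sqlnet.authentication_services")
    # Externally identified users are trusted on the OS username; remote_os_authent must stay false
    # so that a remote client cannot assert an OS username without going through the adapter.
    if i.get("remote_os_authent", "").lower() != "false":
        findings.append("remote_os_authent must be false")
    # Absent parameter defaults to OPS$, so it must be present and explicitly null.
    if i.get("os_authent_prefix") not in ('""', "''", ""):
        findings.append('os_authent_prefix should be "" (null)')
    return findings


def check_client(sqlnet_text):
    """Return findings for the client-side adapter's sqlnet.ora."""
    s = parse_params(sqlnet_text)
    if "identix" not in parse_services(s.get("sqlnet.authentication_services", "")):
        return ["identix not listed in sqlnet.authentication_services"]
    return []
```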
Administering the Oracle Biometric Authentication Service
Add a security policy called "DEFAULT" to the manager, using the Biometric Manager on the Oracle Enterprise Manager. See Add Policy.
Creating Users for the Biometric Authentication Adapter
To create a user for the adapter, execute the following steps:
1. On the client, using the NT User Manager, create a username. (This username must match the username used in the next step).
SQLDBA> connect system/manager
SQLDBA> create user os_authent_prefix username identified externally;
The os_authent_prefix is an Oracle Server initialization parameter (for example, in INIT.ORA). The default value for os_authent_prefix is OPS$. The username in this step should match the username created at the client.
Note: Because Oracle user names are limited to 30 characters and user names can be long, it is strongly recommended that os_authent_prefix be set to a null value:
os_authent_prefix=""
Note: An Oracle user with this username should not yet exist.
SQLDBA> create user king identified externally;
At the minimum, you should give the user the "create session" privilege:
SQLDBA> grant create session to king;
The user "king" can now be biometrically authenticated to Oracle.
3. Use the manager to enroll the user in the Oracle Biometric Authentication Service. See Add New User.
Authenticating Users With the Oracle Biometric Authentication Service
To authenticate any user, first make sure that the Biometric Authentication Service has been installed and configured, and that the steps in Administering the Oracle Biometric Authentication Service have been executed.
Then follow these instructions:
1. Log on as the username assigned by the database administrator. (Remember that Windows NT is case sensitive.)
USERNAME = username
ETSII_IOPORT = 0X280
3. Double click Svrmgr 2.3. (Authentication is not limited to Svrmgr, but may be implemented through other front ends.)
4. Type the name of your database server when Svrmgr displays the prompt:
Svrmgr>connect /@service_name
where service_name is the name of the database server.
5. Wait for the beep that announces the SQL*Net Native Authentication dialog box.
Note: On some systems the dialog box is displayed behind the current window. The beep alerts you when it is displayed.
8. Remove your finger at the prompt. Another prompt tells you whether you've been authenticated or not.
If Authentication Fails
If the message "Access Denied" appears, try one of the following recovery methods:
- Lower the threshold value to 80.
- Reenroll the user. See Enroll User (Add/Modify Fingerprint).
Using the Biometric Manager
The Oracle Biometric Authentication Service is administered using the Biometric Manager, which is based on the Oracle Enterprise Manager and which provides a graphical user interface (GUI) that enables the administrator to:
- browse the Oracle Biometric Authentication Service data for current users and security policies
- add a user to, or delete a user from, the database
- create/modify a user's fingerprint
Note: Once the Biometric Manager has been installed, the first action taken must be that of adding a security policy called "DEFAULT" to the database.
Logging On
Logging on to the Biometric Manager requires the administrator to enter:
where service_name is the name of the authentication server.
Displaying Oracle Biometric Authentication Service Data
The Oracle Enterprise Manager displays the Oracle Biometric Authentication Service database schema in two windows: the Object Tree window and the Properties window.
The Object Tree Window
The object tree window on the left side of the screen displays the Oracle Biometric Authentication Service database schema in a tree-like structure, for example:
Each level in the tree may be used to:
- Display the Properties window, by clicking the object name
- Expand the object tree, by either clicking the "+" box that precedes the object name or by double clicking the object name
- Contract the expanded object tree, by clicking the "+" box that precedes the object name or by double clicking the object name
The Properties window on the right side of the screen shows the detailed information for a selected object and/or displays the data needed to implement different commands.
Sorting the Data in the Properties Window
A Properties window contains a list of items that can be sorted by clicking on the heading of the column of data.
- Clicking on User Names sorts the items alphabetically by name.
- Clicking on Enrollment sorts the items alphabetically by Yes/No.
Traversing the Object Tree
Double clicking the top level (Biometric) of the Oracle Biometric Authentication Service object tree displays Users and Policies.
The commands executable from this display and the Properties windows available at this display are listed under Executable Commands and Properties Windows, respectively.
Executable Commands: None
Properties Windows:
Traversing the Users Branch
Click the "+" box for Users to display a list of all the users.
Executable Commands:
- Enroll User (Add or Modify Fingerprint)
Properties Windows:
Traversing the Policies Branch
Click the "+" box for Policies to display a list of all the policies:
Executable Commands:
Properties Windows:
Biometric Manager Commands
Tool Bar Commands
The Tool bar contains the following tools:
- Change Database Connection
Create and Remove can be used to add and delete users and security policies.
The symbols on the Tool bar appear in color whenever they can be applied to the currently selected item.
The following tools are displayed, but not yet implemented:
Menu Commands
The following commands can be activated from the menus:
- File: Change Data Base Connection and Exit
- View: Refresh, Expand One Level, Collapse One Level, Collapse All, Tool Bar, and Status Bar.
- Refresh redisplays the screen.
- Expand One Level and Collapse One Level expand and collapse the selected level of the object tree.
- Collapse All returns the tree to a state in which only the first two levels are displayed.
- Tool Bar and Status Bar are toggles that cause the Tool bar and the Status bar to be displayed or not.
The following commands are displayed on the menus, but are not yet available for use:
- Help: Content, Search for Help, Using Help, About Identix User Registration
Add New User
To add a new user:
2. Click the [+] (called the Create button) on the Tool bar.
The dialog box appears.
3. Tab to or click the user name box.
Scanning the Fingerprint
Read the following instructions through carefully before clicking [Enroll...].
a. Click [Enroll...]
b. "place finger" appears immediately in the Enrollment Progress Section of the Properties window. Lower your finger directly onto the surface of the platen (the clear glass area on top of the Desktop Sensor) and apply enough pressure to make the skin of your finger slightly white. Do not slide your finger across the platen, but lower it directly from above.
d. The message, "remove finger" appears about 5 seconds later. Lift your finger from the platen.
e. A wait of approximately 30 seconds occurs.
The next two steps are repeated four times for a total of five fingerprint scans.
f. The message, "place finger" appears almost immediately. Place your finger.
g. The message, "remove finger" appears almost immediately. Lift your finger.
If the scan completes successfully
The status (ENROLLED), quality (1-100), and rating (Poor, Fair, Good, Excellent) appear in the dialog box.
- Otherwise, if this is the first scan or if this is a better scan than the previous scan, click [Apply].
A mathematical representation, not an image, of parts of the fingerprint is stored in the authentication server. This file is in binary format and contains 1200 bytes.
If enrollment fails
If the message "Enrollment problem" appears:
- Restart the enrollment process by clicking [Enroll...] again.
- Avoid moving your finger in any way at all, especially during the first scan.
- Avoid excessive pressure on the platen as pressing too hard distorts the fingerprint.
- If your finger is damaged or the skin is too dry, try another finger.
Delete User
To delete a user:
2. Click the user's name.
3. Click the [X] sign on the Tool bar.
4. Click [Yes] when the verification dialog box appears.
Enroll User (Add/Modify Fingerprint)
To add or modify a user's fingerprint:
2. Click the user's name.
The dialog box appears.
3. Before clicking [Enroll...] in the dialog box, read the entire section about Fingerprint Scanning.
To add a new policy:
2. Click the [+] sign (called the Create button) on the Tool bar.
The dialog box appears.
3. Tab to or click the boxes in which the data is to be entered.
5. Click the [Create] box.
Delete Policy
To delete a policy:
2. Click the policy's name in the Properties window.
3. Click the [X] on the Tool bar.
4. Click [Yes] when the verification dialog box appears.