Oracle Advanced Networking Option Administrator's Guide


CHAPTER 8. Configuring and Using the Biometric Authentication Adapter


This guide describes the Biometric Authentication Service and includes sections that cover:

Overview of the Biometric Authentication Service

The Biometric Authentication Service provides:

The following numbered paragraphs provide an overview of the administration and authentication processes as shown in Figure 8 - 1:

Figure 8 - 1. Typical Configuration of Clients and Servers in the Oracle Biometric Authentication Service.

Architecture of the Biometric Authentication Service

The Biometric Authentication Service consists of the following Oracle modules:

Both the manager and the client-side adapter interface with Identix products: TouchNet II Software Libraries, the TouchNet II Hardware Interface, and the TouchNet II Desktop Sensor. Please refer to Identix documentation for a description of these Identix products.

Administration Architecture

Administrators use the manager to scan user fingerprints, measure the accuracy of the fingerprints, and establish security policies for database servers. The manager sends this information to the authentication server, which stores the data in the repository.

The administrator or someone who can be trusted uses the Identix TouchNet II Software Libraries to store the secret key in the client PC. This key must match the key stored in the security policy before authentication can occur.

Figure 8 - 2 shows that administrators enter fingerprints and security policies into the Oracle Biometric Manager, which stores them in the Oracle Biometric Authentication Server.

Figure 8 - 2. Administration Procedures

Authentication Architecture

Each user who wishes to use the system must place a fingerprint on a TouchNet II Desktop Sensor as shown in Figure 8 - 3. The client-side adapter sends an authentication request to the server-side adapter, which then forwards the request on to the authentication server. For each authentication request from a client, the authentication server retrieves and sends the user's fingerprint and the database server's security policy back to the client-side adapter via the server-side adapter.

Figure 8 - 3. Authentication Procedures

The user's authentication request causes the Biometric Authentication Adapter (client-side) to send the request to the Biometric Authentication Adapter (server-side), which sends the request to the Oracle Biometric Authentication Server, which returns the stored fingerprint and the associated security policy.

Using threshold level values from the associated security policy, the adapter (client-side) uses the TouchNet II Software Libraries to set threshold values on the TouchNet II Desktop Sensor. It then prompts for the placing of the user's finger on the TouchNet II Desktop Sensor. The adapters on the client and the database server work together to compare the user's fingerprint, the secret key, and the threshold levels against the administrator-entered security policy stored in the authentication server repository. If this data matches, then the user is authenticated.

Prerequisites

The server-side adapter and the authentication server can reside on separate nodes as demonstrated in Figure 8 - 3, or they can both reside on the same node.

The manager and the client-side adapter must each reside on a separate Windows NT-based PC.

The Windows NT machine that is to become the manager PC must be running the Oracle Enterprise Manager 1.1 or above.

Each Windows NT machine that is to become a client PC must be running SQL*Net 2.3.3 or above.

The authentication server and each database server must be running Oracle7 Server Version 7.3.3 or higher.

Before proceeding with the installation, you must make sure that each NT client has SQL*Net connectivity with its associated database server.

Oracle Biometric Manager PC

On the manager PC:

Client PC

On each client PC:

Database Server

The Biometric authentication adapter must be installed on each production database that will use Biometric services for its authentication. Install the Biometric authentication adapter following the instructions in your platform-specific documentation.

Configuring the Biometric Authentication Service

Configure the Oracle Biometric Authentication Service by following these instructions:

			SVRMGR> @nauicat

			ofm_adm/ofm_adm

	sqlnet.identix_fingerprint_database= service_name
	sqlnet.identix_fingerprint_database_user= username
	sqlnet.identix_fingerprint_database_password= password
	sqlnet.identix_fingerprint_method= oracle
	sqlnet.authentication_services= (beq,identix)

where,

Note: The samples directory contains a file that shows how to set these parameters.

Note: The ofm_client username and password are set up by running the nauicat script. You can alter the password if required. However, this user only has view permissions.

			remote_os_authent = false
			os_authent_prefix = ""

service_name =(DESCRIPTION = 
                (ADDRESS_LIST =
                    (ADDRESS = 
                        . . . 

Note: The ORACLE_SID and service name are the same as those of the authentication server.

			sqlnet.authentication_services = (identix)
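
The following is an added example, not part of the original guide: a small Python audit of the parameters listed above. It assumes the `sqlnet.*` settings live in sqlnet.ora and that `remote_os_authent` and `os_authent_prefix` live in the database initialization file; the file contents, the service name `ofm_server`, the function names, and the username-equals-password check are constructed for illustration.

```python
import re

# Constructed sample files (not from the guide); all values are placeholders.
SQLNET_ORA = '''
sqlnet.identix_fingerprint_database = ofm_server
sqlnet.identix_fingerprint_database_user = ofm_client
sqlnet.identix_fingerprint_database_password = ofm_client
sqlnet.identix_fingerprint_method = oracle
sqlnet.authentication_services = (beq,identix)
'''
INIT_ORA = 'remote_os_authent = true\nos_authent_prefix = "OPS$"\n'

def parse(text):
    """Parse 'name = value' lines into a dict keyed by lower-cased name."""
    params = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # '#' starts a comment
        m = re.match(r'([\w.$]+)\s*=\s*(.*)$', line)
        if m:
            params[m.group(1).lower()] = m.group(2).strip()
    return params

def audit(sqlnet_text, init_text):
    """Return a list of findings; an empty list means every check passed."""
    s, i, out = parse(sqlnet_text), parse(init_text), []
    prefix = 'sqlnet.identix_fingerprint_'
    for name in ('database', 'database_user', 'database_password'):
        if not s.get(prefix + name):
            out.append('missing ' + prefix + name)
    if s.get(prefix + 'method', '').lower() != 'oracle':
        out.append(prefix + 'method must be oracle')
    services = s.get('sqlnet.authentication_services', '').strip('()').lower()
    if 'identix' not in [v.strip() for v in services.split(',')]:
        out.append('identix not in sqlnet.authentication_services')
    # Added heuristic (assumption): a password identical to the username
    # suggests the account was never given its own password.
    user, pw = s.get(prefix + 'database_user'), s.get(prefix + 'database_password')
    if user and user == pw:
        out.append('repository password equals the username; change it')
    # An absent remote_os_authent is treated as false, the Oracle default.
    if i.get('remote_os_authent', 'false').lower() != 'false':
        out.append('remote_os_authent must be false')
    if i.get('os_authent_prefix') != '""':
        out.append('os_authent_prefix should be ""')
    return out

if __name__ == '__main__':
    for finding in audit(SQLNET_ORA, INIT_ORA):
        print('FINDING:', finding)
```

Because `sqlnet.identix_fingerprint_database_password` is stored in clear text, the file that holds it should be readable only by the accounts that need it.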

Administering the Oracle Biometric Authentication Service

Add a security policy called "DEFAULT" to the manager, using the Biometric Manager on the Oracle Enterprise Manager. See Add Policy.

Creating Users for the Biometric Authentication Adapter

To create a user for the adapter, execute the following steps:

	SQLDBA> connect system/manager
	SQLDBA> create user os_authent_prefix username identified externally;

Note: Because Oracle user names are limited to 30 characters and user names can be long, it is strongly recommended that os_authent_prefix be set to a null value:

		 os_authent_prefix=""

Note: An Oracle user with username should not yet exist.

	SQLDBA> create user king identified externally;

	SQLDBA> grant create session to king;

Authenticating Users With the Oracle Biometric Authentication Service

To authenticate any user, first make sure that the Biometric Authentication Service has been installed and configured, and that the steps in Administering the Oracle Biometric Authentication Service have been executed.

Then follow these instructions:

	USERNAME = username

	ETSII_IOPORT = 0X280

	Svrmgr>connect /@service_name

Note: On some systems the dialog box is displayed behind the current window. The beep alerts you when it is displayed.

If Authentication Fails

If the message "Access Denied" appears, try one of the following recovery methods:

Using the Biometric Manager

The Oracle Biometric Authentication Service is administered using the Biometric Manager, which is based on the Oracle Enterprise Manager and which provides a graphical user interface (GUI) that enables the administrator to:

Note: Once the Biometric Manager has been installed, the first action taken must be that of adding a security policy called "DEFAULT" to the database.

Logging On

Logging on to the Biometric Manager requires the administrator to enter:

where service_name is the name of the authentication server.

Displaying Oracle Biometric Authentication Service Data

The Oracle Enterprise Manager displays the Oracle Biometric Authentication Service database schema in two windows: the Object Tree window and the Properties window.

The Object Tree Window

The object tree window on the left side of the screen displays the Oracle Biometric Authentication Service database schema in a tree-like structure, for example:

Each level in the tree may be used to:

The Properties Window

The Properties window on the right side of the screen shows the detailed information for a selected object and/or displays the data needed to implement different commands.

Sorting the Data in the Properties Window

A Properties window contains a list of items that can be sorted by clicking on the heading of the column of data.

Traversing the Object Tree

Double clicking the top level (Biometric) of the Oracle Biometric Authentication Service object tree displays Users and Policies.

The commands executable from this display and the Properties windows available at this display are listed under Executable Commands and Properties Windows, respectively.

Executable Commands: None

Properties Windows:

Traversing the Users Branch

Click the "+" box for Users to display a list of all the users.

Executable Commands:

Properties Windows:

Traversing the Policies Branch

Click the "+" box for Policies to display a list of all the policies:

Executable Commands:

Properties Windows:

Biometric Manager Commands

Tool Bar Commands

The Tool bar contains the following tools:

Create and Remove can be used to add and delete users and security policies.

The symbols on the Tool bar appear in color whenever they can be applied to the currently selected item.

The following tools are displayed, but not yet implemented:

Menu Commands

The following commands can be activated from the menus:

The following commands are displayed on the menus, but are not yet available for use:

Add New User

To add a new user:

Scanning the Fingerprint

a. Click [Enroll...]

b. "place finger" appears immediately in the Enrollment Progress Section of the Properties window. Lower your finger directly onto the surface of the platen (the clear glass area on top of the Desktop Sensor) and apply enough pressure to make the skin of your finger slightly white. Do not slide your finger across the platen, but lower it directly from above.

d. The message "remove finger" appears about 5 seconds later. Lift your finger from the platen.

e. A wait of approximately 30 seconds occurs.

f. The message "place finger" appears almost immediately. Place your finger.

g. The message "remove finger" appears almost immediately. Lift your finger.

If the scan completes successfully

The status (ENROLLED), quality (1-100), and rating (Poor, Fair, Good, Excellent) appear in the dialog box.

A mathematical representation, not an image, of parts of the fingerprint is stored in the authentication server. This file is in binary format and contains 1200 bytes.

If enrollment fails

If the message "Enrollment problem" appears:

Delete User

To delete a user:

Enroll User (Add/Modify Fingerprint)

To add or modify a user's fingerprint:

Add Policy

To add a new policy:

Delete Policy

To delete a policy:




Copyright © 1996 Oracle Corporation.
All Rights Reserved.