BioPassport™ Enterprise Server J2EE - Administration Guide by bzs12927


									                  BioPassport™ Enterprise Server J2EE – Administration Guide

Overview
Requirements
Installing BIOPASSPORT™ ENTERPRISE SERVER J2EE
  Installing a J2EE Application Server
     Installing JSDK 1.4
     Installing JBoss 3.2.3 J2EE Application Server
  Installing a Database Engine
     Installing MSSQL 2000 Desktop engine
     Installing MSSQL Server 2000 Driver for JDBC
  Installing BioPassport™ Enterprise Server J2EE
Activating BIOPASSPORT™ ENTERPRISE SERVER J2EE
Configuring BIOPASSPORT™ ENTERPRISE SERVER J2EE
  Changing the certificate of BIOPASSPORT™ ENTERPRISE SERVER J2EE
  Changing the pattern for automatic ID generation
Uninstalling BIOPASSPORT™ ENTERPRISE SERVER (J2EE Edition)
  Uninstalling BIOPASSPORT™ ENTERPRISE SERVER J2EE
  Uninstalling the J2EE Application Server
     Uninstalling JBoss 3.2.3 J2EE Application Server
     Uninstalling Java(TM) 2 SDK, Standard Edition 1.4.2_05
  Uninstalling the Database Engine
     Uninstalling MSSQL 2000 Desktop engine
     Uninstalling MSSQL Server 2000 Driver for JDBC
Getting started BioPassport™ Server Administration J2EE
  Setting up a local PC windows user account for an Administrator of BIOPASSPORT™ ENTERPRISE SERVER J2EE
  Setting up the Java Web Start Application Manager
  Using BioPassport™ Server Administration J2EE
Managing native BIOPASSPORT™ ENTERPRISE SERVER J2EE user accounts
  Creating a typical “This Server” bp-user account
  Adjusting the acceptance frame for pressure sensors
  Adding the facility to a user to manage his or her bio template
  Adding the facility to a user to manage his or her bp-user account
  Adding the facility to a user to manage Secure Applications Profiles
  Creating SA Profiles for a bp-user account
     Creating a new SA Dialog profile
     Creating a new SA URL profile
     Creating a new SA Combined profile
  Creating SA Credentials
  Editing a list of email addresses of BioPassport™ Secure Communication
  Setting up a local PC windows user account
Managing Domain bp-users accounts
  Setting up a domain windows user accounts
  Registering a BIOPASSPORT™ ENTERPRISE SERVER AD Domain with BIOPASSPORT™ ENTERPRISE SERVER J2EE
  Creating a sub-administrator account for Domain
  Create a typical “ILBERLIN” bp-user account






Overview
BioPassport™ Enterprise Server J2EE (BIOPASSPORT™ ENTERPRISE
SERVER J2EE) is a Java 2 Enterprise application. It includes a J2EE Application
Server and a Relational Database Management System (RDBMS). The J2EE
Application Server runs the BIOPASSPORT™ ENTERPRISE SERVER J2EE
components. The RDBMS runs the BIOPASSPORT™ ENTERPRISE SERVER
database. The following drawing shows the architecture of BioPassport™
Enterprise Server J2EE:
[Figure: General structure. Boxes: BPES J2EE Program Components; J2EE-compliant
Application Server; Database Server (RDBMS); BPES Database model; BPES Database.
Legend: IdentAlink’s product; Customer’s environment or requirements.]

Which particular J2EE Application Server or RDBMS is used depends on the
customer's needs. We can provide setups for various J2EE Application
Servers and RDBMS on request. This document describes only the
implementation for the following servers:
− JBoss Application Server v.3.2.3 (www.jboss.com)
− MS SQL Server 2000 (www.microsoft.com)

Requirements
− Pentium III 500 MHz or above
− MS Windows 2000 (SP4) or XP (SP1)
− A valid license for BioPassport™ Enterprise Server J2EE
− Java 2 SDK - JSDK 1.4. You can download it for free from www.sun.com
− JBoss 3.2.3 Application Server. You can download it for free from
  www.jboss.com
− Microsoft SQL Server 2000 or Microsoft Data Engine (MSDE) 2000. You can
  download it for free from www.microsoft.com
− Microsoft SQL Server 2000 Driver for JDBC Service Pack 3. You can
  download it for free from www.microsoft.com



− The installation should be done with admin rights. This product does not work
  without activating it on the IdentAlink web site with a valid license key. If you
  do not have one, please contact IdentAlink GmbH to get it. The activation is
  PC-dependent. If you have a previous version of BIOPASSPORT™
  ENTERPRISE SERVER J2EE installed on the PC, uninstall it before
  running this setup. Every new uninstall/install requires re-activation with the
  same license key.

Installing BIOPASSPORT™ ENTERPRISE SERVER J2EE
Installing a J2EE Application Server
Installing JSDK 1.4
Before installing JBoss 3.2.3 application server you need Java 2 SDK. Download
the J2SE v 1.4.2_05 SDK using this link:
http://java.sun.com/j2se/1.4.2/download.html
Run the setup and follow the prompts accepting the default options by clicking
“Next” on each page.

Installing JBoss 3.2.3 J2EE Application Server
Download JBoss 3.2.3 using this link:
http://www.jboss.org/downloads
Here is an example of a typical installation you can follow.
   1. Extract jboss-3.2.3.zip files into the folder C:\. It will create the subfolder
       C:\jboss-3.2.3.
   2. Check that you have created the proper directory structure. In our
       example it looks like this:








3. Add a System Variable JAVA_HOME with the value of Destination Folder
   for Java(TM) 2 SDK, Standard Edition 1.4.2_05. In our example:
   My Computer Properties:








Click on Environment Variables button:








Click on New button for system variables.




Type in the correct Details and click OK.

Installing a Database Engine
Installing MSSQL 2000 Desktop engine
Use this link to download the MSDE2000A.exe file:
http://www.microsoft.com/downloads/details.aspx?FamilyID=413744d1-a0bc-479f-bafa-e4b278eb9147&DisplayLang=en
Run MSDE2000A.exe and unpack it in a temp folder.
In the folder where you have unpacked MSDE2000, run the following command:
setup.exe SAPWD="AStrongPassword" SECURITYMODE=SQL DISABLENETWORKPROTOCOLS=0
(replace “AStrongPassword” with a password of your choice)



These parameters will install MSDE with the following settings important for
BIOPASSPORT™ ENTERPRISE SERVER J2EE:
   1. Mixed authentication mode
   2. TCP/IP listener for database connections
NOTE. You must restart the PC after you have installed MSDE 2000. It does
not ask you to restart a PC if you install it from the command mode like in
our example. If you do not restart the PC the setup of BIOPASSPORT™
ENTERPRISE SERVER J2EE will fail, because it will not be able to connect
to MSDE in order to deploy BIOPASSPORT™ ENTERPRISE SERVER
database script.

Installing MSSQL Server 2000 Driver for JDBC
In addition to MS SQL 2000 or MSDE 2000 you need a JDBC driver for it.
Use this link to download MSSQL JDBC Driver SP3:
http://www.microsoft.com/downloads/details.aspx?FamilyID=07287b11-0502-461a-b138-2aa54bfdc03a&DisplayLang=
Run the setup and follow the prompts accepting the default options by clicking
“Next” on each page.

Installing BIOPASSPORT™ ENTERPRISE SERVER J2EE
To install BIOPASSPORT™ ENTERPRISE SERVER J2EE run
BIOPASSPORT™ ENTERPRISE SERVER J2EE setup and follow the prompts
accepting the default options by clicking Next on each page as follows:





Activating BIOPASSPORT™ ENTERPRISE SERVER J2EE
After you have finished the installation, activate BIOPASSPORT™ ENTERPRISE
SERVER J2EE on our web site www.identalink.de. On the registration page, you
will see the status of the licenses of all BioPassport™ modules installed on your
computer. When you go there for the first time, it may ask you to accept the PKI
certificate of IdentAlink. Accept it, otherwise the activation will fail. The
registration page is a Java Applet, which can be run only with a Java Plug-In 1.3
and above from SUN. It works with the following Internet browsers: IE6, Mozilla,
Netscape. When it runs you will see something similar to this:




Enter the license number in the BioPassport™ Enterprise Server J2EE fields
and click the “Register” button. It may take a few moments to proceed.




Note that if you get the “Installed, not licensed” status in the registration page
after clicking on the Register button, it means this key is already activated on
some other PC. You cannot use the same key on more than one PC.





Configuring BIOPASSPORT™ ENTERPRISE SERVER J2EE
After installation, BIOPASSPORT™ ENTERPRISE SERVER J2EE has
a default certificate, which is used for SSL connections with BioPassport™ client
modules, and a default BPAdmin account with the password admin. Use this
account to connect to the server for the first time, then change that password.

Changing the certificate of BIOPASSPORT™ ENTERPRISE SERVER J2EE
The certificate is used for two purposes:
− To encrypt communications with the BioPassport™ client modules via SSL
− To sign biotickets during bio authentication. The bioticket proves the
    authenticity of a person after he or she is verified on BIOPASSPORT™
    ENTERPRISE SERVER J2EE.
After installation, BIOPASSPORT™ ENTERPRISE SERVER J2EE has a default
certificate and the secret key corresponding to the certificate. This key is good
only for evaluation purposes. In a real environment you should generate your
own key pair, using the following procedure:
   1. Use any tool you have (Windows, Java) to generate RSA keys and export
      them into PKCS#12 format. When you export the certificate and the secret
      key, set up a password for the secret key.
   2. Put the PKCS#12 file in a folder of your choice (BIOPASSPORT™
      ENTERPRISE SERVER J2EE must have access to the file). The default
      certificate is stored in %JBOSS%/BpServer.p12 (%JBOSS% is
      C:\jboss-3.2.3 in our example).
   3. Open the file %JBOSS%\server\BioPassport™ Enterprise
      Server\conf\bpserver.properties and edit the following parameters:
Parameter                                  Description
com.identalink.certificate.verify          Path to the PKCS#12 file
com.identalink.certificate.verify.passwd   Password to open the secret key
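
The check below is an added example, not code from IdentAlink or from the original guide: it reads the text of a bpserver.properties file and reports whether the two parameters above still name the default evaluation keystore, lack a password, or contain single backslashes. It assumes plain key=value lines and that the server loads the file with Java's standard properties rules, where a single backslash is an escape character; the function names and sample values are constructed for illustration.

```python
import ntpath

PATH_KEY = "com.identalink.certificate.verify"
PASSWD_KEY = "com.identalink.certificate.verify.passwd"
# File name of the default (evaluation-only) keystore named in the guide.
DEFAULT_KEYSTORE_NAME = "bpserver.p12"

# Constructed sample file contents (not taken from a real installation).
SAMPLE_DEFAULT = (
    "# keystore used for SSL and bioticket signing\n"
    "com.identalink.certificate.verify=C:/jboss-3.2.3/BpServer.p12\n"
    "com.identalink.certificate.verify.passwd=example-only\n"
)
# In the file itself this path reads C:\keys\bpes-prod.p12 (single backslashes).
SAMPLE_BACKSLASH = (
    "com.identalink.certificate.verify=C:\\keys\\bpes-prod.p12\n"
    "com.identalink.certificate.verify.passwd=example-only\n"
)
SAMPLE_OK = (
    "com.identalink.certificate.verify=C:/keys/bpes-prod.p12\n"
    "com.identalink.certificate.verify.passwd=example-only\n"
)


def parse_properties(text):
    """Parse simple key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_keystore_settings(text):
    """Return a list of finding codes for the two keystore parameters."""
    props = parse_properties(text)
    findings = []
    path = props.get(PATH_KEY, "")
    if not path:
        findings.append("path-missing")
    else:
        # Assumption: Java properties rules apply, so a lone backslash is
        # dropped on load and C:\keys\x.p12 would be read as C:keysx.p12.
        # Doubled backslashes or forward slashes are safe.
        if "\\" in path.replace("\\\\", ""):
            findings.append("path-single-backslash")
        name = ntpath.basename(path.replace("\\\\", "\\")).lower()
        if name == DEFAULT_KEYSTORE_NAME:
            findings.append("default-keystore")
    if not props.get(PASSWD_KEY, ""):
        findings.append("password-empty")
    return findings


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT),
                          ("backslash", SAMPLE_BACKSLASH),
                          ("ok", SAMPLE_OK)):
        print(label, audit_keystore_settings(sample))
```

Because the password for the secret key is stored in clear text in this file, read access to bpserver.properties should be limited to the account that runs JBoss.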

Changing the pattern for automatic ID generation
When you create a bio template in BIOPASSPORT™ ENTERPRISE SERVER
J2EE, it generates a random unique ID for the bio template. The
com.identalink.biotemplateid.pattern property in the
%JBOSS%\server\BioPassport™ Enterprise Server\conf\bpserver.properties file
defines the rule for ID generation as follows:

     d<length> - random decimal number where <length> is the
     length of the required number
     c’<length>’ – constant string
     For example c’SRV1-’d6 may generate the following IDs:
     SRV1-285632
     SRV1-009654




The default pattern is d15.
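
The following added example is not IdentAlink's implementation: it parses a pattern under the rule above, reading c'...' as a quoted constant string as in the c'SRV1-'d6 example, generates IDs from it, and estimates how likely it is that independently generated random IDs repeat for a given number of bio templates. The function names and the birthday estimate are assumptions of this example; the guide does not describe how the server handles a repeated ID.

```python
import math
import re
import secrets

# The guide prints typographic quotes, so straight and curly quotes are
# both accepted around the constant string (assumption of this example).
QUOTES = "'\u2018\u2019"
_TOKEN = re.compile(rf"d(\d+)|c[{QUOTES}]([^{QUOTES}]*)[{QUOTES}]")


def parse_pattern(pattern):
    """Split a pattern into ('d', length) and ('c', text) tokens."""
    tokens, pos = [], 0
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"unrecognised pattern text at offset {pos}: {pattern[pos:]!r}")
        if m.group(1) is not None:
            length = int(m.group(1))
            if length < 1:
                raise ValueError("d<length> needs a length of at least 1")
            tokens.append(("d", length))
        else:
            tokens.append(("c", m.group(2)))
        pos = m.end()
    if not tokens:
        raise ValueError("empty pattern")
    return tokens


def generate_id(pattern):
    """Produce one ID: random decimal digits for d tokens, literal text for c tokens."""
    parts = []
    for kind, value in parse_pattern(pattern):
        if kind == "d":
            parts.append("".join(secrets.choice("0123456789") for _ in range(value)))
        else:
            parts.append(value)
    return "".join(parts)


def id_space(pattern):
    """Number of distinct IDs the pattern can produce (10 per random digit)."""
    digits = sum(value for kind, value in parse_pattern(pattern) if kind == "d")
    return 10 ** digits


def collision_probability(pattern, n_templates):
    """Chance that n independently generated IDs contain at least one repeat."""
    space = id_space(pattern)
    if n_templates > space:
        return 1.0
    # log-space product of (1 - i/space) keeps precision for large spaces
    log_unique = sum(math.log1p(-i / space) for i in range(n_templates))
    return -math.expm1(log_unique)


if __name__ == "__main__":
    for pat in ("c'SRV1-'d6", "d15"):
        print(pat, generate_id(pat), id_space(pat),
              f"{collision_probability(pat, 1000):.3g}")
```

With c'SRV1-'d6 the estimate for 1,000 bio templates is about 39 percent, while the default d15 stays below one in a billion, so with a short d length the uniqueness of IDs rests on whatever duplicate check the server performs.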

Uninstalling BIOPASSPORT™ ENTERPRISE SERVER (J2EE Edition)
Follow these steps to completely uninstall BIOPASSPORT™ ENTERPRISE
SERVER J2EE and associated software.
    1. Uninstall BIOPASSPORT™ ENTERPRISE SERVER J2EE
    2. Uninstall the J2EE Application Server
    3. Uninstall the Database Engine

Uninstalling BIOPASSPORT™ ENTERPRISE SERVER J2EE
Use “Control Panel->Add/Remove Programs” to uninstall “BioPassport™
Enterprise Server J2EE Edition”.

Uninstalling the J2EE Application Server
Uninstalling JBoss 3.2.3 J2EE Application Server
Simply delete the folder where you have put the JBoss files. In our example it
is the C:\jboss-3.2.3 folder. Then delete the JAVA_HOME variable from the
Environment variables; see Installing JBoss 3.2.3 J2EE Application Server for
more details.

Uninstalling Java(TM) 2 SDK, Standard Edition 1.4.2_05
Use “Control Panel->Add/Remove Programs” to uninstall “Java 2 SDK Standard
Edition v.1.4.2_05”.
NOTE: you may have other programs on your computer that require Java 2 SDK
1.4.2, in this case you should not uninstall Java SDK.

Uninstalling the Database Engine
Uninstalling MSSQL 2000 Desktop engine
Use “Control Panel->Add/Remove Programs” to uninstall “Microsoft SQL Server
Desktop Engine”.

Uninstalling MSSQL Server 2000 Driver for JDBC
Use “Control Panel->Add/Remove Programs” to uninstall “Microsoft SQL Server
2000 Driver for JDBC Service Pack 3”.





Getting started BioPassport™ Server Administration J2EE
Setting up a local PC windows user account for an Administrator of BIOPASSPORT™ ENTERPRISE SERVER J2EE
When a user logs on to BIOPASSPORT™ ENTERPRISE SERVER J2EE, the
BioPassport™ client software takes the logon and other parameters from the
BioPassport™ settings of a Windows user account. Depending on which
Windows user account the user logged on with, BioPassport™ settings are
stored:
• In Local Registry – for local windows user accounts
• In Active Directory – for domain windows user accounts
Only the administrator of a Local PC or Domain can manage BioPassport™
settings. The following steps explain how to set up a local PC windows user
account.
    1. Run the Computer Management console. You can do it by clicking the
       right mouse button on My Computer and selecting “Manage”:




   2. Go to the “Local Users and Groups” folder. Select the user account you
      want to set up. Open up the dialog with user’s Properties. In our example
      we use “Administrator” account:








3. Enter the URL used to connect to BIOPASSPORT™ ENTERPRISE SERVER
   J2EE and the Login Name of your BP user account. In our example we use
   the default bpadmin account and IdentAlink’s BIOPASSPORT™
   ENTERPRISE SERVER J2EE:





   The other options of this dialog do not apply to Administration of
   BIOPASSPORT™ ENTERPRISE SERVER J2EE and will be discussed later
   in this document.
   If you connect to BIOPASSPORT™ ENTERPRISE SERVER J2EE via a
   proxy server, set up the proxy settings. Here are some examples of proxy
   settings.
   For SOCKS Version 5:




   For HTTP Proxy:




   The URL in the BioPassport Enterprise Server J2EE settings, when used with
   an HTTP Proxy, must comply with this format:
   http://<hostname>:<port>/invoker/JNDIFactory
   The default HTTP port for BIOPASSPORT™ ENTERPRISE SERVER J2EE is
   8080.
   In our example:
   For IdentAlink’s Internet BIOPASSPORT™ ENTERPRISE SERVER J2EE
   server use this URL: http://www.biometrics-r-us.com/invoker/JNDIFactory

Setting up the Java Web Start Application Manager
BioPassport™ Server Administration J2EE is a Java Web Start application.
Before you start it, we recommend that you open the Java Web Start console to
tune some settings.
   1. Open the Java Web Start Application Manager. You can find it on the desktop
      or in the Start->Programs->Java Web Start folder. Then click
      File->Preferences as follows:






2. In the Preferences dialog go to the Shortcuts tab-page and choose this
   option:




3. Confirm the changes and close the Java Web Start Application Manager.



Using BioPassport™ Server Administration J2EE
To start BioPassport™ Server Administration J2EE click on the BP Server
Administration link in the Start-Programs-IdentAlink folder as follows:




Because it is a Java Web Start application, when you start it, it connects to
IdentAlink's www.biometrics-r-us.com web server to download the latest version
of the application. You have to wait until this process has finished:




After download is finished you will be prompted to accept starting the application.
You have to click Start.








After you click the Start button the application is run and you will see the main
window of BIOPASSPORT™ ENTERPRISE SERVER Administration J2EE:




Managing native BIOPASSPORT™ ENTERPRISE SERVER J2EE user accounts
There are two types of user accounts on BIOPASSPORT™ ENTERPRISE
SERVER J2EE server:
   1. “This server” BioPassport™ accounts (native user accounts)


    2. Domain BioPassport™ accounts (Windows Domain user accounts)
The difference between these two types of accounts is in their purposes. You
create “This server” BioPassport™ accounts for users who log on to their PCs
with local windows accounts. For users who log on to a domain you create
Domain BioPassport™ accounts. A “This server” BioPassport™ account is
represented in BIOPASSPORT™ ENTERPRISE SERVER J2EE by its login
name, bio template, password and type of authentication. A Domain
BioPassport™ account originates from a Windows Domain with
BIOPASSPORT™ ENTERPRISE SERVER AD installed. A domain user account
is represented in BIOPASSPORT™ ENTERPRISE SERVER J2EE by its
Windows domain login name. Primary authentication of domain accounts is done
in a Windows domain controller with BIOPASSPORT™ ENTERPRISE SERVER
AD installed. A second authentication happens when the domain users establish
a connection to BIOPASSPORT™ ENTERPRISE SERVER J2EE. They present
the BioPassport™ tickets signed by the secret key of BIOPASSPORT™
ENTERPRISE SERVER AD corresponding to the X.509 certificate which is
registered in BIOPASSPORT™ ENTERPRISE SERVER J2EE for the Windows
Domain.
You manage BioPassport™ user accounts in BioPassport™ Server
Administration J2EE.

Creating a typical “This Server” bp-user account
In our example of creating a new “This Server” user account named “Steven” we
use the following facilities:
        • User will be authenticated by fingerprint
        • User can manage his bio template (update biometrics)
        • User can manage his bp-user account
        • User can register Secure Application profiles on his bp-user account
            and use them with SA on his PC
        • User can generate Secure Communication Key pair and use it with SC
            on his PC

Follow these steps to create a new This Server bp-user account:
    1. Start BioPassport™ Server Administration J2EE and go to the Users tab-
       page.








2. Click on          to open the new user dialog.
3. In the dialog that appears, select “This Server” in the domain combo-box.
   Type in the user name. Select BPUser in the role combo-box.








4. Then click on               to register a new bio template.
5. In the dialog that appears, select the “generate id automatically” option
   and type in the name of the person who is about to be enrolled.








6. Click on             to enrol the bio template of this user. In the dialog
   that appears, select what biometrics you want this user to enrol (in this
   case Finger).
7. Select your Finger scanner in the dropdown menu. Click on the preferred
   Finger which should be enrolled and click               to start
   enrolment. Follow the instructions in the text field.








If you have a Pressure Finger Scanner like UFIS 210 of ABS or BACU 100 of
BMF/Hitachi you need to adjust the finger acceptance frame in the registration
dialog. Please read the next chapter on how to do this.

   8. After enrolment is done for one finger, enrol any others of your
      choice.
   9. After you have enrolled the fingerprints click               to finish
      enrolment and close this dialog.
   10. In the Bio Template registration dialog click                 to
      finish managing and save the bio template in the database.
   11. In the User details dialog select the authentication type (Finger in
      our example) and click on                 to save the new “This Server”
      “Steven” account.






Adjusting the acceptance frame for pressure sensors
The following procedure is a common way to make the adjustment for acceptable
pressure level for UFIS 210 of ABS or BACU 100 scanners.
   1. Move the left triangle to the left until it stops moving.
   2. Move the right triangle to the right until it stops moving.
   3. Press on a sensor with your right or left index finger with a comfortable
       level of pressure and memorise the position of the pressure bar.
   4. Now set up the left and right triangles in positions where your memorised
       point is in the middle of the green line. The length of the green line should
       accommodate approx. 1/4 … 1/3 of the entire line.
   5. Now try your other fingers with a comfortable level of pressure. The
       pressure bar should get to the green line. If it is not, adjust the positions of
       the triangles.








Important note:
You do not need to register all of your fingers. It is good enough that you
can register and verify 4 of your fingers with a comfortable level of pressure
and that the green line does not exceed ½ of the entire line. The quality of the
finger recognition engine depends heavily on the width of the finger acceptance
frame (the length of the green line), that is, on the quality of the finger images.
We have found that for better performance the length of the green line should
not exceed ½ of the entire line.

Adding the facility to a user to manage his or her bio template
   1. Go to the tab “Bio templates permissions” and click on Select button to
      select the bio template that this user can manage - register and update
      biometrics.








2. Insert “Steven” into the name field and click on the little magnifying glass
   on the right to find all bio templates in the database which have the word
   “Steven” in “name” field. Defining the search criteria dramatically
   decreases the time of finding the bio template you need in a huge
   BIOPASSPORT™ ENTERPRISE SERVER database.








3. After “Select bio template” dialog displays the found records, click on the
   “Steven” record with finger as registered biometrics to highlight it and then
   click on “Select” button.








Adding the facility to a user to manage his or her bp-user account
  1. Go to “User-permissions” tab. Choose “other users whose account can be
     managed” from the dropdown menu, and then click on “Select” button to
     select the bp-user accounts that Steven can manage








2. In the “BioPassport Enterprise Users” dialog, insert “Steven” into the
   “name” field and click on the little magnifying glass button on the right to
   find all bp users in the database which have the word “Steven” in the
   name.
3. After the dialog displays the found records, click on the “Steven” record to
   highlight it and then click on select button.








4. The changes will apply to the database and you will get the updated
   information:








Adding the facility to a user to manage Secure Applications Profiles
  1. Go to “SA Dependencies” tab. Choose “other users whose SA Profiles can
     be used” in the dropdown menu, and then click on “Select” button to select
     the bp-user accounts.








2. Find the user “Steven” using Search criteria as it was already explained in
   the previous chapter and click on Select button. The result will be this:








Creating SA Profiles for a bp-user account
This chapter describes how to manage SA profiles stored in BIOPASSPORT™
ENTERPRISE SERVER J2EE. The purpose of SA Profiles is to learn
“something” about password based applications and web login pages a user logs
on to. This “learned” information is used by BioPassport™ Secure Application
service to recognize an application or web login page when a user opens it. You
manage SA profiles in the SA Profiles tab-page of the User details dialog.








   •                 adds a new SA Dialog profile which protects password
       based applications.

   •                  adds a new SA URL profile which protects access to web
       login pages in the Microsoft Internet Explorer.

   •                   adds a new SA Combined profile which protects password
        applications that have more than one Login Dialog and/or web login
        page.
In our following example we will register two SA profiles:
    − SA Dialog profile to protect access to MSN Messenger account
    − SA URL profile to protect access to the MSN Hotmail web portal





Creating a new SA Dialog profile
When you create a new SA Dialog profile, it brings up the registration dialog to
the right top corner of the screen. Now you have to run your application and open
its login dialog in front of all other windows like in this example:

   1. Click on           to open the registration dialog.
   2. Run MSN Messenger and make it display the Login Dialog:




   3. Click on the “Start” button in the dialog in the upper-right corner of your screen:




   4. It will highlight the names of the elements of the login dialog you have to
      click on. When you move the mouse pointer over the login dialog, the
      screen elements are highlighted in a rectangle to help you navigate on
      them. There are rare applications whose login dialog elements are not
      highlighted. Do not be confused: they are different but OK and can be
      registered. Just click on them as requested.
   5. After you have finished the login dialog registration the Add new login
      dialog appears. Type in “MSN Messenger” name for this SA Profile and
      click OK to save it.







If “Autologon” option is turned on, after the login dialog pops up, Secure
Application service instantly forces user verification then it fills in the required
fields with credentials and proceeds with the application’s logon. If the option is
turned off Secure Application acts only after a user presses the Ok button in the
login dialog. In most cases this option should be turned on, but in some cases
when the login dialog has more than just the user name and password fields you
might decide that BPSA comes in play when a user has entered all the required
additional fields (e.g. domain name).

Creating a new SA URL profile
When you create a new SA URL profile, the registration dialog appears in the
top right corner of the screen. Then navigate to the login page of the web site
you want to register; Internet Explorer must be in front of all other windows,
as in this example:

   1. Click on                 to open the registration dialog.
   2. Open hotmail.com in your web browser.
   3. Click the “Start” button in the dialog in the upper right corner of your screen:








   4. The dialog highlights the names of the web page elements you have to
      click on. When you move the mouse pointer over the web page, each
      screen element is outlined with a rectangle to help you locate it.
   5. After you have finished the login dialog registration, the Add new URL
      pattern dialog appears. Type in “Hotmail” as the name for this SA Profile
      and click OK to save it:








If the “Autologon” option is turned on, the Secure Application service forces
user verification as soon as the web page is loaded, fills in the required fields
with the credentials and proceeds with the logon. If this option is turned off,
Secure Application acts only after the user has pressed the Login button on the
web page.

Creating a new SA Combined profile
Create a new SA Combined profile if a single Dialog or URL profile does not
cover the needs of your application. Typical cases are:
− The application has more than one login dialog or login web page.
− You use more than one application and/or web login page with the same
    user name and password.
In our example we have created the user account steven_7799@hotmail.com
and use it with two applications. For this purpose we have created two SA
Profiles:
    1. SA Dialog profile - Sign in to MSN Messenger
    2. SA URL profile - Hotmail
Because both applications use the same Passport.NET user account for their
logon procedure, we will create a new SA Combined profile, Passport.NET, which
includes the two profiles mentioned above. Follow these steps to create a new SA
Combined profile:

   1. Click on              .
   2. In the dialog that appears, enter the name of the profile.








   3. Click the Select button to open the Select SA profile dialog. Highlight the
      two profiles, Hotmail and MSN Messenger, and click the Select button.




   4. Click the Save button to commit the changes to BIOPASSPORT™ ENTERPRISE
      SERVER J2EE.








Creating SA Credentials
The purpose of SA Credentials is to store the login credentials of protected
applications such as user names and passwords. The credentials are needed for
BPSA to fill in the fields in the login dialogs and web pages. Follow these steps to
register SA Credentials:
   1. Choose “SA Credentials” on the top panel of the User details dialog and
       click on “New” to create a new SA Login:








   2. Highlight the Passport.NET SA Profile (for which you are creating the
      Login) and click the “Select” button:








   3. In the Add new SA login dialog, type in the exact login name and password
      the user uses to log on to the application (or web site). Enter the
      password again in the Confirm field and click the OK button. The Password
      option should be set to enter.





Editing a list of email addresses of BioPassport™ Secure Communication
When a user uses BioPassport™ Secure Communication to encrypt or sign emails
or files, he or she uses BioPassport™ PKI certificates stored on
BIOPASSPORT™ ENTERPRISE SERVER J2EE. Each BioPassport™ certificate
has a list of email addresses with which it can be used. You edit the email
address list on the Secure Communications tab-page, as shown:




To register an email address for a user’s BioPassport™ Secure Communication,
click the New button. In the dialog that appears, enter the email address and click
the Save button.




Important note:
The BioPassport™ PKI certificate must be registered by the user, not by an
administrator! For how the user registers his or her certificate, please read the
BioPassport™ Secure Communication Users Guide.

Setting up a local PC windows user account
As already explained in the chapter Setting up a windows user account for an
Administrator of BIOPASSPORT™ ENTERPRISE SERVER J2EE, a Windows user
account must be set up on each PC from which the user will connect to
BIOPASSPORT™ ENTERPRISE SERVER J2EE in order to use any
BioPassport™ Client Modules. The following steps explain how to set up a local
PC Windows user account.
    1. Run the Computer Management console on the user’s PC as follows:




   2. Go to the “Local Users and Groups” folder. Select the user account you
      want to set up. Open up the dialog with user’s Properties. In our example
      we use “Steven” account:








   3. Go to the BP Modules tab-page.
   4. In the BioPassport Secure Applications Settings group-box, choose
      Data is stored on BioPassport® Enterprise Server J2EE. Also tick the
      “Single Sign On” option on or off as you prefer. If Single Sign On is
      turned on, you will be prompted for verification only once – the first
      time you use any function of BPSA.
   5. In BioPassport Secure Communication, tick the “Single Sign On” option
      on or off as you prefer. If Single Sign On is turned on, you will be
      prompted for verification only once – the first time you use any function
      of BPSA.
   6. Enter the URL used to connect to BIOPASSPORT™ ENTERPRISE SERVER
      J2EE and the Login Name of a BP user account.
For our example we have set up the following settings:








If a user connects to BIOPASSPORT™ ENTERPRISE SERVER J2EE via a
proxy server, configure the proxy settings. Here are some examples of proxy
settings.
For SOCKS Version 5:




For HTTP Proxy:








To be used with an HTTP Proxy, the URL in the BioPassport Enterprise Server J2EE
settings must comply with this format:
http://<hostname>:<port>/invoker/JNDIFactory
The default HTTP port for BIOPASSPORT™ ENTERPRISE SERVER J2EE is 8080.
In our example:
For IdentAlink’s Internet BIOPASSPORT™ ENTERPRISE SERVER J2EE server,
use this URL: http://www.biometrics-r-us.com/invoker/JNDIFactory

Managing Domain bp-users accounts
Setting up domain windows user accounts
When a user logs on to BIOPASSPORT™ ENTERPRISE SERVER J2EE while
logged on to a domain, the BioPassport™ client software takes the logon
and other parameters from AD. Before you use BIOPASSPORT™ ENTERPRISE
SERVER J2EE for domain users, you have to configure settings for the domain
and for the users in AD. There are two dialogs where you do this for domain users:







Please read the BIOPASSPORT™ ENTERPRISE SERVER AD Administration
Guide for how to do this.

Registering a BIOPASSPORT™ ENTERPRISE SERVER AD
Domain with BIOPASSPORT™ ENTERPRISE SERVER J2EE
  1. Export the domain certificate which you have set up for the BioTicket Issuer
     property of the domain. To do this, use mmc.exe and the Certificates plug-in,
     as explained in the BIOPASSPORT™ ENTERPRISE SERVER AD
     Administration Guide. The export file must be in Base-64 encoded X.509
     format.
  2. Run BioPassport™ Administration J2EE Server, go to “Domains” and click the
     “Add” button.




  3. In the dialog’s Label field, enter the name of your domain (pre-Windows
     2000):








You can find your domain name in “Control Panel” -> “Administrative Tools” ->
“Active Directory Users and Computers”, in the properties of the domain:








  4. Click the “Import” button and select the file containing the X.509 (Base-64)
     certificate.








5. Then click Save to save the changes:
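
A pre-import check for the file exported in step 1, as an added example that is not part of the original guide or of the BioPassport™ product: it confirms that the file is a single Base-64 encoded X.509 block with a consistent DER envelope and returns the SHA-1 thumbprint, which can be compared with the Thumbprint shown for the certificate in the Certificates plug-in before the file is imported in step 4. The function names and the zero-filled sample are assumptions constructed for illustration; the check covers the encoding only, not the certificate's contents or signature.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: a zero-filled DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_total_length(der: bytes) -> int:
    """Full encoded length announced by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_export(data: bytes) -> dict:
    """Check that an export is one Base-64 X.509 block; return its thumbprint."""
    m = PEM_RE.search(data)
    if m is None:
        if data[:1] == b"\x30":
            raise ValueError("binary DER export; re-export as Base-64 encoded X.509")
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    if b"-----BEGIN" in data[m.end():]:
        raise ValueError("more than one PEM block in the file")
    try:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"corrupt Base-64 body: {exc}") from exc
    if der_total_length(der) != len(der):
        raise ValueError("DER length mismatch (truncated or padded file)")
    # Windows shows the SHA-1 of the DER bytes as the certificate Thumbprint.
    return {"der_bytes": len(der),
            "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper()}


if __name__ == "__main__":
    print(check_export(SAMPLE_PEM))
```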








Creating a sub-administrator account for Domain
After you have registered the Domain in BIOPASSPORT™ ENTERPRISE SERVER
J2EE, you have to register the associated Windows user accounts. One of these
accounts is the administrator of the Windows domain. This chapter explains how
to register the Domain bp-user account in BIOPASSPORT™ ENTERPRISE
SERVER J2EE with sub-admin rights. In the following example we create a
sub-administrator bp-user account for the domain ILBERLIN. With this account
the administrator of the Windows domain will be able to manage the BIOPASSPORT™
ENTERPRISE SERVER J2EE bp-user accounts of the ILBERLIN Domain.
    1. Run BP Server Administration J2EE and log on as an administrator of
       BIOPASSPORT™ ENTERPRISE SERVER J2EE.
    2. Select the “Users” item, choose the Domain to which you want to add a
       User, and click the Add button.








    3. You have to know the Windows domain login name of the user for whom you
       are creating a sub-admin account (upper and lower case matter!). In
       our example it is StevenAdmin (you can see it in “Active Directory Users
       and Computers”). The role for this user must be “BPuser”.








    4. Click the Save button. Then go to the “Users Permissions” tab-page and
       select “Domains from which this User can register BP Accounts” from the
       dropdown menu:








    5. Click the “Select” button, choose the specified Domain in the next
       window and click Select again:








   6. In the following dialog, enter the maximum number of bp-user accounts that
      can be created by the BIOPASSPORT™ ENTERPRISE SERVER AD administrator;
      in our example it is 100. It must be greater than or equal to the number of
      Windows Domain users registered in the Windows Domain. Then click OK to
      save the settings.




   7. Close user registration dialog.

Create a typical “ILBERLIN” bp-user account
If you now log on to the ILBERLIN Windows domain with the StevenAdmin user name
and then run BP Administration J2EE, you will be logged on automatically to
BIOPASSPORT™ ENTERPRISE SERVER J2EE as ILBERLIN:StevenAdmin.



   1. Go to the Users tab-page, select the ILBERLIN domain and click the button with
      a magnifying glass as follows:




   2. Now click the Add button to create a new bp-user for the corresponding
      “StevenUser” Windows domain account. In the new bp-user dialog, fill in
      the fields as follows:








The user name “StevenUser” is taken from the Account Properties of the user in the
list of Windows Domain Users in “Active Directory Users and Computers”, as
follows:








   3. Save the “StevenUser” bp-user account by clicking the “Save” button.
   4. To finish setting up this account, follow the instructions in
      these chapters:
      • Adding the facility to a user to manage his or her bio template
      • Adding the facility to a user to manage his or her bp-user account
      • Adding the facility to a user to manage Secure Applications Profiles
      • Creating SA Profiles for a bp-user account
      • Creating SA Credentials
      • Editing a list of email addresses of BioPassport™ Secure
        Communication



