Configuring the generic_plugin.properties Plug-In
- Open the generic_plugin.properties file in your %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\ directory.
- Update the piv.link attribute according to your directory type as indicated in the following table.
  The first attribute (uid/sAMAccountName/cn/uniqueID) is dependent on the directory that is used. This attribute must be the same directory attribute name that is configured in ActivID CMS for “userID”. The remaining attributes are the same for all directories.
Directory Type | Attributes |
---|---|
Microsoft® Active Directory | sAMAccountName:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
IBM® Tivoli Directory Server / Novell® eDirectory (UID) / Oracle® Directory Server | uid:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
Critical Path® / Siemens® DirX | cn:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
Microsoft® Lightweight Directory Services | uid:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
Novell® eDirectory (UniqueID) | uniqueID:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
OpenLDAP | uid:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
- Optionally, you can enable the biometric client generic plug-in.
  By default, the biometric client generic plug-in is disabled. It requires that a specific driver (Precise 200 or SecuGen driver) is installed on the client side, because the biometric plug-in runs in the client browser.
  Once it is enabled, the plug-in runs for all users of the workstation, so biometric verification becomes a required step for the relevant ActivID CMS operations.
  To enable this plug-in, perform the following steps:
  - Uncomment the plugin.client lines containing the BioMatch plugins by removing the pound sign (#) at the start of each line.
  - Comment out the blank plugin.client lines by adding a pound sign (#) at the start of each line.
- There are three PIV (Personal Identity Verification, the technical standard of "HSPD-12") BioMatch plugins available:
  - Required Biometric Verification – With Operator Assistance (FIPS 201-2):
    - PIVOP_BioMatchOnServerSampleBIOReq
    - PIVOP_BioMatchOffCardSampleBIOReq
    - PIVOP_MatchBioPlugin_ANSI378_BIOreq.htm
  - Required Biometric Verification – Self Service Kiosk Without Operator Assistance (FIPS 201-2):
    - PIV_BioMatchOnServerSampleBIOReq
    - PIV_BioMatchOffCardSampleBIOReq
    - PIV_MatchBioPlugin_ANSI378_BIOreq.htm
  - Optional Biometric Verification (legacy support):
    - PIV_BioMatchOnServerSample
    - PIV_BioMatchOffCardSample
    - PIV_MatchBioPlugin_ANSI378.htm
- By default, the following configuration can be found in the generic_plugin.properties (commented):

PIVOP_BioMatchOnServerSampleBIOReq | PIVOP_BioMatchOffCardSampleBIOReq |
---|---|
USER_INFO PERM_REPLACEMENT_USER_INFO TEMP_REPLACEMENT_USER_INFO EOL_REPLACEMENT_USER_INFO | DEVICE_POSTPOSSESS PERM_REPLACEMENT_POSTPROCESS EOL_REPLACEMENT_POSTPROCESS PINUNLOCK_CUSTOM |

PIV_BioMatchOnServerSampleBIOReq | PIV_BioMatchOffCardSampleBIOReq |
---|---|
MDIDC_ISSUE_INFO MDIDC_PINUNLOCK_INFO | MDIDC_ISSUE_CUSTOM |

- For most workflows, the verification will be performed twice (once using PIV server data, and then again with data on the card at the end).
- The SecuGen fingerprint verifier is now the default biometric reader. If a SecuGen fingerprint verifier is not found, or if Java is not installed, then the Precise Biometrics reader will be used.

For more information, refer to About the Generic Plug-In SPI.
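
A lint check for the piv.link step above, added here as an example (it is not HID code): it compares the configured value against the directory table and against the userID attribute name you configured in ActivID CMS. It assumes the attribute appears as a single-line `piv.link=<value>` property; the function names and the sample content are hypothetical.

```python
# Attributes the table lists as identical for every directory type, in order.
COMMON = (
    "card#cuid", "policy#oncardkeys", "policy#chuid", "policy#fingerprints",
    "policy#keyhistory", "policy#facialimage", "policy#printedinfo",
    "policy#discoveryobject", "content#DiscoveryObjectValue", "policy#iris",
)
# First attribute per directory type, from the same table.
USER_ID_ATTRS = {"sAMAccountName", "uid", "cn", "uniqueID"}

def read_property(text, key):
    """Return the last uncommented value of key in .properties text, or None."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        name, sep, rest = line.partition("=")  # assumption: key=value syntax
        if sep and name.strip() == key:
            value = rest.strip()
    return value

def check_piv_link(text, cms_user_id_attr):
    """Return a list of problems with piv.link; an empty list means it matches the table."""
    value = read_property(text, "piv.link")
    if value is None:
        return ["piv.link is missing or commented out"]
    problems, names = [], []
    for field in (f.strip() for f in value.split(",")):
        name, _, kind = field.rpartition(":")
        if not name or kind != "str":
            problems.append(f"field {field!r} is not of the form name:str")
        names.append(name or field)
    if names[0] not in USER_ID_ATTRS:
        problems.append(f"first attribute {names[0]!r} is not one listed in the table")
    elif names[0] != cms_user_id_attr:
        problems.append(f"first attribute {names[0]!r} differs from the CMS userID "
                        f"attribute {cms_user_id_attr!r}")
    if tuple(names[1:]) != COMMON:
        problems.append("attributes after the first differ from the documented list")
    return problems

# Constructed sample content (not a copy of a real generic_plugin.properties file).
SAMPLE = ("# constructed sample\npiv.link=sAMAccountName:str,"
          + ",".join(a + ":str" for a in COMMON) + "\n")

if __name__ == "__main__":
    for problem in check_piv_link(SAMPLE, "sAMAccountName") or ["piv.link OK"]:
        print(problem)
```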