Configuring the generic_plugin.properties Plug-In

  1. Open the generic_plugin.properties file in your %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\ directory.

  2. Update the piv.link attribute according to your directory type as indicated in the following table.

Important: If you have configured ActivID CMS to work with more than one type of directory, you may need to specify the directory type by adding a suffix with the directory short name to the piv.link attribute (for example, piv.link.msft-ad). For details about the directory short names, see Configuring the Generic Plugin.

The first attribute (uid/sAMAccountName/cn/uniqueID) is dependent on the directory that is used. This attribute must be the same directory attribute name that is configured in ActivID CMS for “userID”. The remaining attributes are the same for all directories.

‘piv.link’ Attribute Examples

| Directory Type | Attributes |
|---|---|
| Microsoft® Active Directory | sAMAccountName:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
| IBM® Tivoli Directory Server / Novell® eDirectory (UID) / Oracle® Directory Server | uid:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
| Critical Path® / Siemens® DirX | cn:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
| Microsoft® Lightweight Directory Services | uid:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
| Novell® eDirectory (UniqueID) | uniqueID:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |
| OpenLDAP | uid:str,card#cuid:str,policy#oncardkeys:str,policy#chuid:str,policy#fingerprints:str,policy#keyhistory:str,policy#facialimage:str,policy#printedinfo:str,policy#discoveryobject:str,content#DiscoveryObjectValue:str,policy#iris:str |

  3. Optionally, you can enable the biometric client generic plug-in.

    By default, the biometric client generic plug-in is disabled. It requires that a specific driver (Precise 200 or SecuGen driver) is installed on the client side, because the biometric plug-in runs in the client browser.

    Once it is enabled, the plug-in will run for all users of the workstation so biometric verification will be a required step for the relevant ActivID CMS operations.

    To enable this plug-in, perform the following steps:

    • Uncomment the plugin.client lines containing the BioMatch plugins by removing the pound sign (#) at the start of each line.

    • Comment out the blank plugin.client lines by adding a pound sign (#) at the start of each line.

There are three PIV (Personal Identity Verification, the technical standard of "HSPD-12") BioMatch plug-ins available:

  • Required Biometric Verification – With Operator Assistance (FIPS 201-2):

    • PIVOP_BioMatchOnServerSampleBIOReq

    • PIVOP_BioMatchOffCardSampleBIOReq

    • PIVOP_MatchBioPlugin_ANSI378_BIOreq.htm

  • Required Biometric Verification – Self Service Kiosk Without Operator Assistance (FIPS 201-2):

    • PIV_BioMatchOnServerSampleBIOReq

    • PIV_BioMatchOffCardSampleBIOReq

    • PIV_MatchBioPlugin_ANSI378_BIOreq.htm

  • Optional Biometric Verification (legacy support):

    • PIV_BioMatchOnServerSample

    • PIV_BioMatchOffCardSample

    • PIV_MatchBioPlugin_ANSI378.htm

By default, the following configuration can be found in the generic_plugin.properties file (commented out):

PIVOP_BioMatchOnServerSampleBIOReq

PIVOP_BioMatchOffCardSampleBIOReq

USER_INFO

PERM_REPLACEMENT_USER_INFO

TEMP_REPLACEMENT_USER_INFO

EOL_REPLACEMENT_USER_INFO

DEVICE_POSTPOSSESS

PERM_REPLACEMENT_POSTPROCESS

EOL_REPLACEMENT_POSTPROCESS

PINUNLOCK_CUSTOM

PIV_BioMatchOnServerSampleBIOReq

PIV_BioMatchOffCardSampleBIOReq

MDIDC_ISSUE_INFO

MDIDC_PINUNLOCK_INFO

MDIDC_ISSUE_CUSTOM

Note:
  • For most workflows, the verification will be performed twice (once using PIV server data, and then again with data on the card at the end).

  • SecuGen fingerprint verifier is now the default biometric reader. If a SecuGen fingerprint verifier is not found, or if Java is not installed, then the Precise Biometrics reader will be used.

For more information, refer to About the Generic Plug-In SPI.
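
To check an edited piv.link value against the ‘piv.link’ Attribute Examples table above, the following added example (not part of the HID documentation or product) finds the active piv.link entries, including suffixed ones such as piv.link.msft-ad, and compares each with the table. It assumes simple key=value lines; the function names and the sample text are constructed for illustration, and the user ID attribute you pass in must be the one configured in ActivID CMS for “userID”.

```python
# Added example (not HID code): lint piv.link values against the table above.
# Assumes simple key=value lines with no backslash continuations.
EXPECTED_TAIL = [
    "card#cuid", "policy#oncardkeys", "policy#chuid", "policy#fingerprints",
    "policy#keyhistory", "policy#facialimage", "policy#printedinfo",
    "policy#discoveryobject", "content#DiscoveryObjectValue", "policy#iris",
]

def find_piv_links(text):
    """Return {key: value} for each active (uncommented) piv.link* property."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # '#' only starts a comment at line start
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and (key == "piv.link" or key.startswith("piv.link.")):
            found[key] = value.strip()
    return found

def check_piv_link(value, user_id_attr):
    """Return a list of problems; an empty list means the value matches the table."""
    problems, names = [], []
    for item in value.split(","):
        name, sep, typ = item.strip().rpartition(":")
        if not sep or not name:
            problems.append(f"malformed entry {item!r} (expected name:type)")
            continue
        if typ != "str":
            problems.append(f"{name}: type {typ!r}, the table uses 'str'")
        names.append(name)
    if names[:1] != [user_id_attr]:
        problems.append(f"first attribute is {names[:1]}, expected {user_id_attr!r}")
    if names[1:] != EXPECTED_TAIL:
        missing = [n for n in EXPECTED_TAIL if n not in names[1:]]
        extra = [n for n in names[1:] if n not in EXPECTED_TAIL]
        problems.append(f"remaining attributes differ: missing={missing} extra={extra}")
    return problems

# Constructed sample text, not a real generic_plugin.properties file.
AD_VALUE = "sAMAccountName:str," + ",".join(f"{n}:str" for n in EXPECTED_TAIL)
SAMPLE = f"""#piv.link=uid:str,card#cuid:str
piv.link.msft-ad={AD_VALUE}
piv.link=uid:str,card#cuid:str,policy#oncardkeys:str,policy#chuid
"""

if __name__ == "__main__":
    for key, value in find_piv_links(SAMPLE).items():
        user_id = "sAMAccountName" if key.endswith(".msft-ad") else "uid"
        print(key, check_piv_link(value, user_id) or "OK")
```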