
DigitalPersona® for Temenos

Reference Guide


Copyright© 2014-2017 Crossmatch. All rights reserved. Specifications are subject to change without prior notice. The Crossmatch logo and Crossmatch® are trademarks or registered trademarks of Cross Match Technologies, Inc. in the United States and other countries. DigitalPersona® is a registered trademark of DigitalPersona, Inc., which is owned by the parent company of Cross Match Technologies, Inc. All other brand and product names are trademarks or registered trademarks of their respective owners.

Published/Revised: July 20, 2017 (Software version 3.1.0)


DigitalPersona for TEMENOS - Reference Guide 3

Table of Contents

OVERVIEW 5
  Introduction 5
  Purpose of this guide 5
  Hardware requirements 5
  Software requirements 5
  Solution Architecture 6
    DigitalPersona LDS (Lightweight Directory Service) Server 6
    T24 Client@Bank branch 7
    DigitalPersona Client and T24 Client@Bank branch 7
    DigitalPersona Client @Bank branch 7
    DigitalPersona for Temenos@BrowserWeb 7
    DigitalPersona for Temenos@T24 7

DIGITALPERSONA SERVER SETUP 9
  Introduction 9
  Domain Controller Tasks 9
    Set up AD Security Officers Groups 9
  DigitalPersona Installation tasks 10
    Set up the DigitalPersona LDS Server 10
    Set up the LDS Web Management Components 10
    Additional setup and configuration 11
    Define Security Officer Roles 12
    Set up an administrative workstation 15
      Set up DigitalPersona Web Enrollment 15
      Set up DigitalPersona Attended Enrollment 19
  Smoke test the DigitalPersona setup 19
    System administrator functions 19
    Customer Security Officer functions 19
    Employee Security Officer functions 20

T24 CLIENT SETUP 21
  T24 Client@Bank branch on Windows 21
  T24 Client@Bank branch on Linux (Ubuntu) 21
  DigitalPersona Client and T24 Client@Bank branch on Windows 21
  Additional steps for Internet Explorer 8 and 9 21

EMPLOYEE LOGIN SETUP 24
  Sign and deploy the DigitalPersona for Temenos Applet 24
  Set up the T24 Browser machine 24
  STS configuration 27
  Set up the Teller's machine 30

ENROLL INITIAL DIGITALPERSONA ADMINISTRATOR 31
  Overview 31
  Enrollment 31
  Testing biometric login 33

BIOMETRIC AUTHENTICATION SETUP 35
  Overview 35
  Configuration settings 35
  TAFC runtime 35
    Set up a T24 server 35
    Determining the <DL.RESTORE> location 38
  TAFJ runtime 39
    Set up a dedicated T24 server 39
  Set up the T24 Server (R15 Model Bank) 42
    Determining <DL.RESTORE> location 43
  Set up T24 Browser screens 46
    Set up local fields 46
    Set up T24 Browser screens 55
  Add menu items and links 62
    Menu item to call a version from the Teller home screen 62
    Menu item to call a version from the Authoriser home screen 63
    Add links for Biometric Funds Transfer 64
  Enrolling DigitalPersona Administrators for authentication 65

AUTHENTICATION POLICIES 68
  User authentication policies 68
    Department-level user authentication policy 68
    User-level user authentication policy 69
  Customer authentication policies 70
    Sector authentication policies 71
    Customer authentication policies 71
    Customer enrollment policies 71

SIGNATORY AUTHENTICATION 73
  Set up mandates for a customer 73
  Test mandates 75
  Set up authentication for signatories 77
    Set up local fields 77
    Set up DigitalPersona for Temenos Browser screens 83
  Add Biometric signatory menu item on the Teller home screen 87
  Add a Biometric Signatory Transfer link 88

SET UP ONE-TOUCH PASSWORD FEATURE 89
  Enabling One-Touch Password enrollment 89
  Testing One-Touch Password enrollment 89
    Enter or verify a customer phone number 89
    Test automatic OTP enrollment 90

INDEX 92



1 Overview

Introduction

Banks are demanding core banking systems that enable growth, manage cost and control risk. Positive identification of employees and customers is a critical requirement for delivering on these success factors. DigitalPersona for Temenos provides "one touch" identification of both employees and customers, for any transaction in the Temenos T24 Core Banking platform.

This allows banks to cost-effectively launch new products, serve customers in emerging markets, decrease time with the teller for in-branch operations and meet regulatory compliance guidelines for multi-factor authentication.

DigitalPersona for Temenos provides banks with strong, usable security that natively integrates with your T24 system. Built on an enterprise framework, it offers a platform for future expansion of biometric identity management within the bank, including single sign-on, and working with ATM and point of sale devices as well. The enterprise framework allows a single fingerprint enrollment to be shared across multiple functional areas.

DigitalPersona for Temenos enables:

• One touch login to T24 core banking

• Authentication of any transaction override, including cash withdrawal, funds transfer and multi-tenant accounts

• Customer authentication at the bank branch

• Mobile banking

Purpose of this guide

This guide will help system administrators to efficiently install and configure the Crossmatch DigitalPersona for Temenos module for the Temenos core banking system. The instructions cover steps for the most common deployment scenario and usually offer one option to accomplish a task, though there may be other ways to achieve the same thing.

An associated document, the DigitalPersona for Temenos User Guide, describes common tasks within the Temenos system that are changed due to integration with an installed DigitalPersona for Temenos module.

Procedures and examples are based on the R15 release of Temenos T24 Core Banking and may differ in later releases.

Hardware requirements

• Domain Controller - A server machine must be dedicated for a Domain controller if the bank is not already using Active Directory accounts for employee identities.

• DigitalPersona Server - A server machine must be dedicated for the DigitalPersona LDS Server.

• Administrative workstation - A machine must be dedicated for a DigitalPersona administrative workstation.

Software requirements

• Temenos Core Banking installed and configured and tested (R15 version or later)

• Crossmatch DigitalPersona for Temenos module (installation and setup steps are included in this guide.)



• SSL certificate - For production environments, a commercial SSL certificate must be obtained from a third-party certificate authority (CA) that your clients already trust. For test environments, you can use a self-signed certificate, but it must then be installed in the trusted root store of every client and server that connects to the DigitalPersona web components; otherwise the https checks later in this guide fail with certificate errors.

• (Windows) Google Chrome 16+, Firefox 11+ or Internet Explorer version 10+ supported. Previous versions are not supported due to CORS and HTTP to HTTPS requirements on the Windows platform.

• (Linux) Firefox 11+ on Ubuntu only.

• Active Directory is set up and configured on the Domain Controller to store employee identities

• AD LDS (Active Directory Lightweight Directory Services) must be added to Windows Server and configured for storing customer identities

• DigitalPersona LDS Web Management Components and T24 Browser Web must be in the same second level domain. For instance, digitalpersona.mylocalbank.com and t24-browser.mylocalbank.com.

• TAFJ runtime is the only runtime environment that is supported.

• For security reasons and to maintain compatibility with Internet Explorer 8/9 clients, T24 Browser Web must use https instead of http. For instance, Browser Web must be accessible by the following URL https://t24-browser.mylocalbank.com:9095/BrowserWeb/servlet/BrowserServlet.

Solution Architecture

This section provides an overview of the components comprising the DigitalPersona for Temenos solution.

DigitalPersona LDS (Lightweight Directory Service) Server

• Supports users with or without an AD account (employees, contractors, citizens or suppliers)

• Requires DigitalPersona LDS authentication server - minimum of two recommended for load balancing and redundancy

• Administration via AD administration tools, DigitalPersona LDS Administration Tools and scripts



• Scaling and load balancing configured during deployment; LDS includes built-in replication

• Employees with an Active Directory account

• Leverages existing IT infrastructure and AD administration tools

• Doesn't require extension of the AD database schema

• Requires minimal setup on the AD Domain Controller (DC)

T24 Client@Bank branch

• Provides DigitalPersona for Temenos functionality for T24

• Supports both Windows and Linux (Ubuntu)

• Supports single fingerprint reader only

• Requires DigitalPersona for Temenos devices to be installed

• Requires Java Runtime to be installed on Linux (Ubuntu)

• Chrome 16+, Firefox 11+, Internet Explorer 10+ are supported on Windows for T24 access

• Firefox 11+ is supported on Ubuntu for T24 access

DigitalPersona Client and T24 Client@Bank branch

• Provides DigitalPersona for Temenos functionalities for T24

• Provides DigitalPersona functionalities for business applications (non-T24)

• Supports Windows only

• Supports both 4-4-2 and single fingerprint readers

• Requires a DigitalPersona Client to be installed

• Must be joined to the Windows Domain Controller

• Chrome 16+, Firefox 11+, Internet Explorer 10+, and Microsoft Edge are supported on Windows for T24 access

• Serves as an enrollment workstation when the Attended Enrollment feature of a DigitalPersona Client is installed

DigitalPersona Client @Bank branch

• Provides DigitalPersona functionalities for business applications (non-T24)

• Supports both 4-4-2 and single fingerprint reader

• Supports Windows only

• Requires a DigitalPersona Client to be installed

• Must be joined to a Windows Domain Controller

• Serves as an Enrollment Workstation when the Attended Enrollment feature of a DigitalPersona Client is installed.

DigitalPersona for Temenos@BrowserWeb

• Provides Logon functionality

• Requires the Biometrics filter to be installed into T24 BrowserWeb

DigitalPersona for Temenos@T24

• Provides T24 Transaction Authentication and T24 Customer Branch Authentication functionality



• Requires TAFJ runtime

• Requires the Biometrics Java packages to be installed into TAFJ

• Requires Biometrics jBase Basic routines to be installed into TAFJ

• Authentication behavior can be customized with jBase Basic routines to suit a bank's needs



2 DigitalPersona Server Setup

Introduction

Prior to installing and setting up the DigitalPersona server, we recommend creating two AD groups on the domain controller which will be used specifically for the two types of DigitalPersona Security Officers - Employee Security Officers and Customer Security Officers.

Domain Controller Tasks

As a best practice, you should set up an AD group for Employee Security Officers, and another for Customer Security Officers, to have authority and the appropriate permissions to enroll employees and customers respectively.

Set up AD Security Officers Groups

By default, all Windows users who belong to the Local Administrators group on the machine where the DigitalPersona LDS Server is installed have the Security Officers role assigned to them in the Microsoft Authorization Manager, and Domain Administrators are assigned this role automatically during the DigitalPersona LDS Server setup. Users holding that role can enroll credentials for both employees and customers, so the membership of those two administrative groups should be reviewed alongside the Security Officer groups described below.

However, when using the DigitalPersona LDS Server with DigitalPersona for Temenos, the best practice is to create separate AD groups for those security officers responsible for enrolling employees, and those responsible for enrolling customers (i.e. usually tellers). The actual names of these AD groups can be whatever works for your organization, although in the following content we will refer to them simply as Employee Security Officers and Customer Security Officers.

• In ADUC, set up two AD groups. One for Customer Security Officers, and one for Employee Security Officers.

After the DigitalPersona LDS Server has been installed, you will assign these two AD groups to corresponding roles in the Microsoft Authorization Manager.

Once the roles have been assigned to the desired AD groups, you can add AD Users to these AD groups at any future point and they will automatically have the permissions specified for the role that has been assigned to the group in the Authorization Manager.



For further details on the tasks and operations that may be assigned to a group in Authorization Manager, see the section on Authorization Manager in the DigitalPersona Composite Authentication LDS Administrator Guide.

DigitalPersona Installation tasks

The following DigitalPersona components are used to provide biometric functionality to T24.

• DigitalPersona LDS Server

• DigitalPersona Web Management Components

  • Web Access Management feature

  • STS (Secure Token Service) feature

  • Web Administration Console feature

  • Web Enrollment feature (optional)*

• Attended Enrollment feature from DigitalPersona LDS Workstation (optional)*

* Either Web Enrollment or Attended Enrollment must be installed for credential enrollment.

The selected components must all be installed on the same machine. They should not be installed on the domain controller.

Set up the DigitalPersona LDS Server

1. Ensure that the machine to be used for the DigitalPersona LDS Server meets the hardware and software requirements listed in the Solution Overview chapter of the DigitalPersona Composite Authentication LDS Administrator Guide.

2. Follow the instructions for installation and setup of the DigitalPersona LDS Server, including the following high-level tasks.

Detailed steps for executing tasks a through c below are provided in the DigitalPersona LDS Server Installation & Setup chapter of the DigitalPersona Composite Authentication LDS Administrator Guide. Tasks d and k are described in the Web Management Components and DigitalPersona LDS Administration Tools sections of the same chapter, and task l is described in the License Activation & Management chapter.

a. Add specified Windows Server roles and features.

b. Add and configure a unique instance of Active Directory Lightweight Directory Services (AD LDS).

c. Install the DigitalPersona LDS Server.

Set up the LDS Web Management Components

3. Launch the LDS Web Management Components installer and follow the onscreen guidance in the installation wizard.

4. On the Setup Type page, choose Express Setup to install all components under one website or choose Advanced Setup to select which components to install, and to install each one to a separate website.

You must select at least the following components. For further details and instructions on configuring the components, see the DigitalPersona Composite Authentication Administrator Guide.

• Web Access Management

• STS

• Web Administration Console

• Web Enrollment (unless you are planning to use the Attended Enrollment feature from the DigitalPersona LDS Workstation for credential enrollment.)

5. Confirm that the DP Web Authentication Service is running by entering the following URL in your browser address bar (where <computer-name or alias> is the name of the computer or its DNS alias).

https://<computer-name or alias>/DPWebAUTH/DPWebAuthService.svc

Example:

https://digitalpersona.localbank.com/DPWebAUTH/DPWebAuthService.svc

Additional setup and configuration

6. Disable the customer identification feature: using regedit, set the REG_DWORD value DisableCustomersIdentification to 1 under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\Policies\Default

7. Restart the DPHost service by stopping (net stop DPHost) and starting (net start DPHost) the service.

8. Ensure that DPWebSecrets\Web.config points to the Web Management Components policy server accessible through https.

For example,

<add key="policyService" value="https://digitalpersona.mylocalbank.com/DPWebPolicies/DPWebPolicyService.svc" />

9. Export the Altus Server Certificate Authority certificate holding the public key for DigitalPersona token signature verification into digitalpersona.mylocalbank.com.altus.cer.

10. (Self-signed certificates only) Export the Altus Server Certificate Authority certificate, holding the public key for DigitalPersona token signature verification into digitalpersona.mylocalbank.com.altus.cer.

11. Define the authorization store name.

12. Install the DigitalPersona Administration Tools.

13. Activate DigitalPersona Premium Employee and DigitalPersona Customer Facing licenses.

14. Configure additional DigitalPersona LDS Servers (recommended, and as needed for load balancing and failover. See the topic Configure additional servers in the DigitalPersona LDS Installation & Setup chapter of the DigitalPersona Composite Authentication LDS Administrator Guide).
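Steps 5 through 8 above, together with the two requirements from the Software requirements section (the policy server must be reached over https, and it must sit in the same second-level domain as T24 Browser Web), can be carried out and verified from one script. The following PowerShell is an added example and is not part of the Crossmatch guide. It assumes the host names and T24 Browser Web URL used in the guide's own examples and an IIS path of C:\inetpub\wwwroot\DPWebSecrets\Web.config; adjust all three for your site, and run it from an elevated prompt on the DigitalPersona LDS Server.

```powershell
# Added example, not part of the Crossmatch guide. Run from an elevated PowerShell
# prompt on the DigitalPersona LDS server after the Web Management Components are
# installed. Host names, the T24 Browser Web URL and the Web.config path are assumed.
$DpHost        = 'digitalpersona.mylocalbank.com'
$BrowserWebUrl = 'https://t24-browser.mylocalbank.com:9095/BrowserWeb/servlet/BrowserServlet'
$WebConfig     = 'C:\inetpub\wwwroot\DPWebSecrets\Web.config'   # assumed IIS path

function Get-SecondLevelDomain([uri]$Uri) {
    # Last two DNS labels of the host, e.g. mylocalbank.com
    $labels = $Uri.Host -split '\.'
    if ($labels.Count -lt 2) { throw "Host '$($Uri.Host)' has no second-level domain" }
    $labels[-2..-1] -join '.'
}

# Step 5: the Web Authentication Service must answer over HTTPS. Invoke-WebRequest
# validates the server certificate, so an untrusted self-signed certificate fails
# here rather than later on the T24 side.
$authUrl = "https://$DpHost/DPWebAUTH/DPWebAuthService.svc"
try {
    $null = Invoke-WebRequest -Uri $authUrl -UseBasicParsing
    "DPWebAuthService reachable at $authUrl"
} catch {
    throw "DPWebAuthService check failed for ${authUrl}: $($_.Exception.Message)"
}

# Steps 6 and 7: disable customer identification, restart DPHost, then read back.
$PolicyKey = 'HKLM:\SOFTWARE\DigitalPersona\Policies\Default'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name 'DisableCustomersIdentification' -Value 1 -Type DWord
Restart-Service -Name 'DPHost'
if ((Get-ItemProperty -Path $PolicyKey).DisableCustomersIdentification -ne 1) {
    throw 'DisableCustomersIdentification is not set to 1'
}
if ((Get-Service -Name 'DPHost').Status -ne 'Running') { throw 'DPHost is not running after restart' }

# Step 8 plus the Software requirements: policyService must be an https URL and
# must sit in the same second-level domain as T24 Browser Web, as the guide requires.
[xml]$cfg = Get-Content -Path $WebConfig -Raw
$node = $cfg.SelectSingleNode("//add[@key='policyService']")
if (-not $node) { throw "No policyService entry found in $WebConfig" }
$policy = [uri]$node.GetAttribute('value')
if ($policy.Scheme -ne 'https') { throw "policyService must use https, found '$($policy.Scheme)'" }
if ((Get-SecondLevelDomain $policy) -ne (Get-SecondLevelDomain ([uri]$BrowserWebUrl))) {
    throw "policyService host $($policy.Host) is not in the same second-level domain as T24 Browser Web"
}
"policyService OK: $($policy.AbsoluteUri)"
```

The script stops at the first failure rather than continuing, so an http:// policy URL, a missing policyService entry or a certificate that the server itself does not trust is caught before the T24 Browser Web side is configured against it.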



Define Security Officer Roles

Prerequisite: Creation of Customer Security Officer and Employee Security Officer groups in Active Directory as described in the topic Set up AD Security Officers Groups on page 9.

1. On the machine where the DigitalPersona LDS Server is installed, open the Microsoft Authorization Manager and connect to the Altus Authorization Store.

2. Right-click Role Definitions and select New Role Definition.

3. In the New Role Definition dialog, type a Role Name (such as Employee Security Officer or Customer Security Officer). Optionally enter a description. Then click Add.

4. In the Add Definition dialog, select the Task tab, and check the Enroll Customers task. Then click OK to close the dialog.



5. Back in the main window of the Authorization Manager, right-click Role Assignments and select New Role Assignment.

6. In the Add Role dialog, select the role definition created in steps 2-4 above (such as Employee Security Officer or Customer Security Officer). Then click OK to close the dialog.

7. In the main window of Authorization Manager, right-click your newly created role assignment, select Assign Users and Groups, then select From Windows and Active Directory.



8. In the Select Users, Computers or Groups dialog, enter the object names to select (such as the Customer Security Officers group created earlier in Active Directory). Individual users can also be added here. Click OK to close the dialog.

9. Any user belonging to the defined Security Officers AD group can now enroll DigitalPersona users (T24 customers).

10. In the main window of Authorization Manager, select Task Definitions. Right-click Enroll Customers and select Properties.

11. On the Definition tab, click Add.

12. In the Add Definition dialog, select Reset user password and click OK. Click OK again to close the Enroll Customers Definition Properties dialog box.



13. Back in ADUC, any tellers responsible for enrolling customers can now be added to the Customer Security Officer group in Active Directory. Those responsible for enrolling employees should be added to the Employee Security Officer group.
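The ADUC work in Set up AD Security Officers Groups and in step 13 above can also be scripted. The following PowerShell is an added example, not code from the Crossmatch guide; it assumes the ActiveDirectory module, an OU of OU=Security Groups,DC=mylocalbank,DC=com, the sAMAccountNames CustSecOfficers and EmpSecOfficers, and placeholder user names. It creates the two groups only if they do not already exist, adds members, and prints the resulting membership. The Authorization Manager role assignment (steps 1 through 12) still has to be done as described; the groups grant no enrollment rights until a role is assigned to them.

```powershell
# Added example, not part of the Crossmatch guide. Creates the two Security Officer
# groups and populates them. The OU path, group names and user names are assumed.
Import-Module ActiveDirectory

$GroupOU = 'OU=Security Groups,DC=mylocalbank,DC=com'   # assumed OU; adjust to your forest
$Groups  = @(
    @{ Name = 'Customer Security Officers'; Sam = 'CustSecOfficers'
       Desc = 'Tellers allowed to enroll T24 customers in DigitalPersona' },
    @{ Name = 'Employee Security Officers'; Sam = 'EmpSecOfficers'
       Desc = 'Staff allowed to enroll bank employees in DigitalPersona' }
)

foreach ($g in $Groups) {
    # Idempotent: create the group only if it does not exist yet.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$($g.Sam)'")) {
        New-ADGroup -Name $g.Name -SamAccountName $g.Sam `
            -GroupCategory Security -GroupScope Global `
            -Path $GroupOU -Description $g.Desc
    }
}

# Step 13: tellers go into the customer group; the staff who enroll employees go
# into the employee group. These sAMAccountNames are placeholders.
Add-ADGroupMember -Identity 'CustSecOfficers' -Members 'teller01', 'teller02'
Add-ADGroupMember -Identity 'EmpSecOfficers'  -Members 'hr.enroll01'

# Verify the result. Local Administrators on the LDS server and Domain Admins hold
# the Security Officers role implicitly, so Domain Admins is listed as well.
foreach ($sam in @('CustSecOfficers', 'EmpSecOfficers', 'Domain Admins')) {
    "--- $sam ---"
    Get-ADGroupMember -Identity $sam -Recursive | Select-Object -ExpandProperty SamAccountName
}
```

Run the script as an account that can create groups in the chosen OU. The recursive membership listing is the check worth keeping: anyone who appears under CustSecOfficers or Domain Admins can enroll customer credentials, whether or not they were added deliberately.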

Set up an administrative workstation

The DigitalPersona Administrative Station is used for enrolling credentials:

• Enrolling and deleting credentials for DigitalPersona AD User (employee) accounts

• Creating DigitalPersona Non AD User (customer) accounts

• Enrolling and deleting credentials for Non AD User (customer) accounts

The administrative station must be in the same domain as the DigitalPersona LDS Server.

The system can be configured to use either of the following applications for credential enrollment.

• DigitalPersona Web Enrollment (requires Altus 2.1 or DigitalPersona Composite Authentication 2.2 or later). See the following section for setup instructions.

• DigitalPersona Attended Enrollment, an optional feature of the DigitalPersona LDS Workstation. See instructions beginning on page 19.

Set up DigitalPersona Web Enrollment

1. Ensure that DigitalPersona Secure Token Service and DigitalPersona Web Administration Console (included in the DigitalPersona Web Management Components package) have been previously installed on the DigitalPersona LDS server. (Requires Altus 2.1 or DigitalPersona Composite Authentication 2.2 or later.)

2. Install DigitalPersona Web Enrollment by launching the following setup file.

C:\inetpub\wwwroot\DPEnrollment\Setup\DigitalPersona.Web.Enrollment.Setup.exe



3. Follow the onscreen instructions in the configuration wizard as shown below. You can accept all default values.

4. On the Welcome page, click Next.


5. On the Connect to ADFS page, accept the default value and click Next.

6. On the Specifying the signing STS certificate page, in most cases you can accept the default selection of automatic configuration.


7. On the Apply configuration page, verify the selected parameters and click Next.

8. On the final page, click Finish.


Set up DigitalPersona Attended Enrollment

1. Install the DigitalPersona LDS Workstation, selecting Custom as the Setup Type and checking the Attended Enrollment feature to add it to the installation. For additional details, see the DigitalPersona Client Guide.

2. Also, copy the file DigitalPersona.T24.Enrollment.exe from the Setup folder to the following folder on the administrative workstation: C:\Program Files\DigitalPersona\Bin.

3. Run the installer from an elevated command prompt as follows.

Execute "c:\Program Files\DigitalPersona\Bin\DigitalPersona.T24.Enrollment.exe" -install

Smoke test the DigitalPersona setup

Use the DPWebDemo application, included in the DP Access Management API 2.1.0, to make sure that the DigitalPersona software has been installed properly and is functioning correctly. You can find the application in the following directory within the SDK package.

DP Access Mgmt API 2.1.0\DP Web SDK Samples\DPWebDemo\Bin

System administrator functions

Test that the DigitalPersona system administrator can

• Create DigitalPersona AD User accounts

• Enroll and delete credentials for DigitalPersona AD User accounts

• Store secrets for DigitalPersona AD User accounts

• Create DigitalPersona Non AD User accounts

• Enroll and delete credentials for DigitalPersona Non AD User accounts

Customer Security Officer functions

Test that the Customer Security Officer can

• Create DigitalPersona Non AD User (customer) accounts

• Enroll and delete credentials for DigitalPersona Non AD User (customer) accounts


Employee Security Officer functions

Test that the Employee Security Officer can

• Enroll and delete credentials for DigitalPersona AD User (employee) accounts.

3 T24 Client Setup

T24 Client@Bank branch on Windows

Depending on the web browser you will be using to access the T24 Client, follow step 1 or 2 below to set up a T24 Client@Branch on supported Windows platforms.

1. For Internet Explorer 10+, Firefox 11+ or Chrome 16+, install the DigitalPersona Lite Client (see the DigitalPersona Client Guide for requirements and installation details).

2. For Internet Explorer 8 or 9:

a. Install the DigitalPersona U.are.U for Windows RTE 2.2.3 - included with the DigitalPersona for Temenos product package.

b. Install the Oracle JRE (Java Runtime Environment) version 7u80.

In the Java Control Panel, the Perform signed code certificate revocation check on setting MUST be set to Do not check for environments where clients will not be connected to the internet.

c. Also see the topic Additional steps for Internet Explorer 8 and 9 on page 21 below.

T24 Client@Bank branch on Linux (Ubuntu)

Follow these steps to set up a T24 Client@Branch on supported Linux platforms (currently Ubuntu only).

1. Install the U.are.U for Linux RTE 2.2.1 - included with the DigitalPersona for Temenos product package.

2. Install the Oracle JRE (Java Runtime Environment) version 7u80.

In the Java Control Panel, the Perform signed code certificate revocation check on setting MUST be set to Do not check for environments where clients will not be connected to the internet.

3. Install Firefox for access to T24.

DigitalPersona Client and T24 Client@Bank branch on Windows

1. Prior to installation, the computer must be joined to the domain.

2. In order to enroll credentials for T24 users and customers, the Employee Security Officer must be logged on to the machine.

3. Install the DigitalPersona LDS Workstation. For Setup Type, select Custom. Then select the Attended Enrollment feature.

4. Install the DigitalPersona for Temenos Browser Client - included with the DigitalPersona for Temenos product package.

5. Install either Internet Explorer 10+, Firefox 11+, Google Chrome 16+, or Microsoft Edge for access to T24.

NOTE: Internet Explorer 8 and 9 are not supported in this configuration.

Additional steps for Internet Explorer 8 and 9

1. The T24 Web server (JBOSS in Model Bank) should be set to work over HTTPS. Configure the HTTPS connector in D:\Temenos\ModelBank-R15-TAFJ\Infra\JBoss\server\default\deploy\jbossweb.sar\server.xml for JBOSS. See the JBOSS documentation for more details.

2. The T24 Web server (JBOSS in Model Bank) and the DigitalPersona LDS Server machines must be in the same second level domain, at least from the client's point of view. For example, if your DigitalPersona Server is digitalpersona.mylocalbank.com, your T24 server should be t24-browser.mylocalbank.com.

• For a test environment, it is enough to set the T24 Web Server's host name in the client's hosts file (C:\Windows\System32\drivers\etc\hosts).

• For a production environment, the DNS must be configured properly.

3. The DigitalPersona for Temenos Applet must be configured to be loaded from T24 Web server host (t24-browser.mylocalbank.com). See Sign and deploy the DigitalPersona for Temenos Applet on page 24.

4. Enable cross-domain data access for Internet security zone.

a. You need to know the Internet security zone assigned to the T24 Web Server by Internet Explorer.

To ascertain the Internet security zone, navigate to the T24 Login page, right click on the page and select Properties.

b. If you are setting up a single client machine:

• Open Internet Explorer on the client machine.

• From the menu, select Tools, Internet Options.

• Choose the Security tab, select the assigned zone (as described in step a. above), and click Custom level.


• Under Miscellaneous, Access data sources across domains, select Enable.

c. If you are setting up all clients joined to the domain, then you need to set a Group Policy Object (GPO).

• Run the Group Policy Management Editor (gpme.msc) on the DigitalPersona Server machine.

• Navigate to User Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page, <zone identified in step a. above>, and set the Access data sources across domains item to Enable.

• Run the gpupdate /force command on all client machines.

4 Employee Login Setup

This chapter describes the steps necessary to set up the T24 Browser machine and the Teller machine.

Sign and deploy the DigitalPersona for Temenos Applet

1. Copy the unsigned Biometric Applet from the build package "\Setup\DigitalPersona for Temenos Applet\BiometricsApplet_unsigned.jar" into \release\DigitalPersona for Temenos Applet\BiometricsApplet_unsigned.zip.

2. Open the file BiometricsApplet_unsigned.zip in File Explorer.

3. Open BiometricsApplet_unsigned.zip\META-INF\MANIFEST.MF with a text editor.

• Replace the Caller-Allowable-Codebase, Application-Library-Allowable-Codebase and Codebase attributes with the host name used to access the T24 Browser from the teller machines.

For example, if the URL used to access the T24 Browser is

http://t24.bank.com:9095/BrowserWeb/servlet/BrowserServlet

then you would enter t24.bank.com for the host name.

• Save MANIFEST.MF to the desktop.

• Copy MANIFEST.MF from the desktop into BiometricsApplet_unsigned.zip\META-INF\MANIFEST.MF.

• Select overwrite.

• Rename \release\DigitalPersona for Temenos Applet\BiometricsApplet_unsigned.zip into BiometricsAppletUnsigned.jar.

4. From an elevated command line prompt -

• Run this command, replacing %1 with the full path to my.pfx (the PKCS#12 file holding the code-signing certificate and its private key).

call "%JAVA_HOME%\bin\keytool.exe" -list -v -storetype pkcs12 -keystore "%1" > keytool.txt

• When prompted to do so, enter the password protecting the private key in my.pfx.

5. Open the keytool.txt file generated above and find the Alias name: entry. Note this value (for example, pvktmp:486a101a-1fc7-412c-a30d-c30defbd5221).

6. Run the following command, replacing %1 with the full path to BiometricsAppletUnsigned.jar, %2 with the full path to my.pfx and %3 with the value for the Alias name as noted in the above step.

call "%JAVA_HOME%\bin\jarsigner.exe" -signedjar .\BiometricsApplet.jar -storetype pkcs12 -keystore "%2" "%1" %3

7. When prompted to do so, enter the password protecting the private key in my.pfx.

8. Copy .\BiometricsApplet.jar into altus-biometricsweb-3.1.0-SNAPSHOT-R15.war\static\biometrics\BiometricsApplet.jar.
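The manifest edit in step 3 above is easy to get subtly wrong by hand: the value must be the bare host name (no scheme, port or path), all three codebase attributes must be present, and manifest lines are limited to 72 bytes with continuation lines marked by a leading space. The following Python script is an added example, not code from DigitalPersona or Temenos; it derives the host from the T24 Browser URL and rewrites the three attributes while preserving the rest of the manifest. The sample manifest and its starting values are constructed.

```python
"""Rewrite the codebase attributes of an applet MANIFEST.MF (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# The three manifest attributes step 3 tells you to point at the T24 Browser host.
CODEBASE_ATTRS = (
    "Caller-Allowable-Codebase",
    "Application-Library-Allowable-Codebase",
    "Codebase",
)

# JAR file specification: manifest lines are at most 72 bytes; a longer value
# continues on the next line, which starts with a single space.
MAX_LINE = 72


def host_from_url(url: str) -> str:
    """'http://t24.bank.com:9095/BrowserWeb/servlet/BrowserServlet' -> 't24.bank.com'."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in URL: {url!r}")
    return host


def unfold(manifest: str) -> list[tuple[str, str]]:
    """Parse a manifest into (name, value) pairs, joining continuation lines.

    A blank line (section separator) is kept as an ("", "") entry so that
    per-entry sections survive a round trip through fold().
    """
    entries: list[tuple[str, str]] = []
    for line in manifest.splitlines():
        if line.startswith(" ") and entries and entries[-1][0]:
            name, value = entries[-1]
            entries[-1] = (name, value + line[1:])
        elif not line.strip():
            entries.append(("", ""))
        else:
            name, _, value = line.partition(":")
            entries.append((name.strip(), value.strip()))
    return entries


def fold(entries: list[tuple[str, str]]) -> str:
    """Serialise (name, value) pairs, wrapping at 72 bytes.

    Values are treated as ASCII here; a real manifest is UTF-8 and a multi-byte
    character must not be split at the wrap point.
    """
    lines: list[str] = []
    for name, value in entries:
        if not name:
            lines.append("")
            continue
        raw = f"{name}: {value}".encode("ascii")
        lines.append(raw[:MAX_LINE].decode("ascii"))
        rest = raw[MAX_LINE:]
        while rest:
            lines.append(" " + rest[: MAX_LINE - 1].decode("ascii"))
            rest = rest[MAX_LINE - 1 :]
    return "\n".join(lines) + "\n"


def set_codebase(manifest: str, t24_url: str) -> str:
    """Point all three codebase attributes at the host taken from t24_url.

    Refuses to proceed if any attribute is absent rather than silently
    leaving that codebase restriction unset.
    """
    host = host_from_url(t24_url)
    entries = unfold(manifest)
    present = {name for name, _ in entries}
    missing = [a for a in CODEBASE_ATTRS if a not in present]
    if missing:
        raise ValueError(f"manifest lacks attributes: {missing}")
    updated = [(n, host if n in CODEBASE_ATTRS else v) for n, v in entries]
    return fold(updated)


# Constructed sample: placeholder values an unsigned build might ship with.
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Permissions: all-permissions
Caller-Allowable-Codebase: localhost
Application-Library-Allowable-Codebase: localhost
Codebase: localhost
Created-By: 1.7.0_80 (Oracle Corporation)
"""

if __name__ == "__main__":
    url = "http://t24.bank.com:9095/BrowserWeb/servlet/BrowserServlet"
    print(set_codebase(SAMPLE_MANIFEST, url), end="")
```

Run it against the real MANIFEST.MF extracted from BiometricsApplet_unsigned.zip and write the output back before re-packing; the host you pass must be exactly the one tellers type into the browser, since the JRE compares it to the page origin when the applet is loaded.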

Set up the T24 Browser machine

To set up the T24 Browser machine

1. Ensure that the DigitalPersona Web Components are accessible from the T24 Browser machine.

a. Enter this URL into your web browser.


https://digitalpersona.mylocalbank.com/DPWebAUTH/DPWebAuthService.svc

b. The following page should appear.

2. Specify the DigitalPersona Web Components base URL as the value in the altusBaseUrl context-param tag in the web.xml file located at altus-browserweb-3.1.0-SNAPSHOT-R15.war\WEB-INF.

Example

<context-param>
    <param-name>altusBaseUrl</param-name>
    <param-value>https://digitalpersona.mylocalbank.com</param-value>
</context-param>

3. Configure the following settings: doTrace, enrollCredentialsUrl, deviceIntegration. See descriptions of these settings in the following files.

BiometricsWeb.war\WEB-INF\web.xml

BrowserWeb.war\WEB-INF\web.xml

4. Deploy altus-browserweb-3.1.0-SNAPSHOT-R15.war into d:\Temenos\ModelBank-R15-TAFJ\Infra\JBoss\server\default\deploy\BrowserWeb.war.

Use a comparison tool to see the difference between the original R15 model bank web.xml and the web.xml supplied with altus-browserweb-3.1.0-SNAPSHOT-R15.war. You will need to merge that difference into the web.xml that is to be deployed.

5. Specify the DigitalPersona Web Components base URL as the value in the altusBaseUrl context-param tag in the web.xml file located at altus-biometricsweb-3.1.0-SNAPSHOT-R15.war\WEB-INF.

Example

<context-param>
    <param-name>altusBaseUrl</param-name>
    <param-value>https://digitalpersona.mylocalbank.com</param-value>
</context-param>

6. Deploy altus-biometricsweb-3.1.0-SNAPSHOT-R15.war into

d:\Temenos\ModelBank-R15-TAFJ\Infra\JBoss\server\default\deploy\.


7. Install the Altus Server Certificate Authority certificate holding the public key for DigitalPersona token signature verification into the trusted certificate store of JBOSS JRE. Note that keytool will ask for the password to the trusted certificate store and whether to trust the certificate. Press "y" to accept. The default password is changeit.

Example

The following command is used for the R15 model bank.

d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\bin\keytool.exe -importcert -alias altusserverca -file C:\Users\Test\Desktop\Certificates\digitalpersona.mylocalbank.com.altus.cer -destkeystore d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\lib\security\cacerts

Note that it is important to get the alias name correct, as this is used to locate and refer to the certificate in later steps.

Upon successful import, keytool reports: Certificate was added to keystore.

8. If using a self-signed SSL certificate, skip to step 11.

9. Verify that the Altus Server Certificate Authority certificate is actually in the trusted certificate store. Again, keytool will ask for the password to the trusted certificate store (the default password is "changeit") and whether to trust the certificate. Press "y" to accept.

Example for MB R15

d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\bin\keytool.exe -list -v -keystore d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\lib\security\cacerts > c:\dptrace\list-R15.txt

Keytool will output a list of trusted certificates into c:\dptrace\list-R15.txt. You should be able to find the altusserverca certificate information in the file.

10. This completes setup of the T24 Browser machine when using an Altus Server Certificate Authority certificate. Skip the remaining steps in this section and continue to the Set up the Teller’s machine topic.

11. (For self-signed SSL only) Install the DigitalPersona Web Components SSL certificate into the trusted certificate store of JBOSS JRE. Keytool will ask for the password to the trusted certificate store (the default password is "changeit") and then ask whether to trust the certificate. Press "y" to accept.

Example

The following command is used for the R15 model bank:

d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\bin\keytool.exe -importcert -alias win-je24ttb0q9g -file C:\Users\Test\Desktop\Certificates\digitalpersona.mylocalbank.com.cer -destkeystore d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\lib\security\cacerts

Upon successful import, keytool reports: Certificate was added to keystore.

12. (For self-signed SSL only) Verify that the DigitalPersona Web Components SSL certificate is in the trusted certificate store. Keytool will ask for the password to the trusted certificate store (the default password is "changeit") and then ask whether to trust the certificate. Press "y" to accept.

Example for MB R15

d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\bin\keytool.exe -list -v -keystore d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\lib\security\cacerts > c:\dptrace\list-R15.txt

Upon running, keytool will output a list of trusted certificates into c:\dptrace\list-R15.txt. You should be able to find the win-je24ttb0q9g certificate information in the file.

13. This completes setup of the T24 Browser machine.

STS configuration

Optional: implement only if using STS.

1. In the BiometricsWeb.war\WEB-INF\web.xml file, set the following values.

<context-param>
    <param-name>logonMethod</param-name>
    <param-value>STS</param-value>
</context-param>

<context-param>
    <param-name>stsBaseUrl</param-name>
    <param-value>https://altus.mylocalbank.com/dppassivests</param-value>
</context-param>

<context-param>
    <param-name>stsRedirectSecTimeout</param-name>
    <param-value>3</param-value>
</context-param>

<context-param>
    <param-name>stsRealm</param-name>
    <param-value>urn:TemenosLogin</param-value>
</context-param>

2. Also, uncomment the following elements.

<!-- BioStsLoginFilter -->
<filter>
    <filter-name>BioStsLoginFilter</filter-name>
    <description>Bio Sts Login Filter</description>
    <filter-class>com.digitalpersona.browserweb.filter.BioStsLoginFilter</filter-class>
</filter>
. . .
<!-- BioStsSignOutFilter -->
<filter>
    <filter-name>BioStsSignOutFilter</filter-name>
    <description>Bio Sts SignOut Filter</description>
    <filter-class>com.digitalpersona.browserweb.filter.BioStsSignOutFilter</filter-class>
</filter>

<!--BioStsLoginFilter-->
<filter-mapping>
    <filter-name>BioStsLoginFilter</filter-name>
    <url-pattern>/servlet/BrowserLoginServlet</url-pattern>
</filter-mapping>
. . .
<!--BioStsSignOutFilter-->
<filter-mapping>
    <filter-name>BioStsSignOutFilter</filter-name>
    <url-pattern>/servlet/BrowserServlet</url-pattern>
</filter-mapping>

3. In the BrowserWeb.war\WEB-INF\web.xml file, set the following values.

<context-param>
    <param-name>stsBaseUrl</param-name>
    <param-value>https://altus.mylocalbank.com/dppassivests</param-value>
</context-param>

<context-param>
    <param-name>stsRealm</param-name>
    <param-value>urn:TemenosLogin</param-value>
</context-param>

4. On the computer where the DPCA Server is located, add the following lines under the <RelyingParties> section of this file.

C:\Program Files\DigitalPersona\Web Management Components\DP STS\DPPassiveSTS\web.config

<add Realm="urn:TemenosLogin" DisplayName="TemenosLogin" ReplyUrl="http://t24-browser:9095/BrowserWeb/servlet/BrowserLoginServlet" TokenType="urn:oasis:names:tc:SAML:2.0:assertion">
    <ClaimMappings>
        <add key="sub" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" />
        <add key="name" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" />
        <add key="amr" value="http://schemas.microsoft.com/claims/authnmethodsreferences" />
        <add key="dom" value="http://www.crossmatch.com/altus/claims/user_domain" />
        <add key="uid" value="http://www.crossmatch.com/altus/claims/original_id" />
        <add key="http://www.crossmatch.com/altus/claims/web_auth_jwt" />
        <add key="http://www.crossmatch.com/altus/claims/auth_policy" />
        <add key="wan" value="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" />
        <add key="group" value="http://schemas.xmlsoap.org/claims/Group" />
        <add key="upn" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
        <add key="role" value="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" />
        <add key="oper" value="http://www.crossmatch.com/altus/claims/operation" />
        <add key="ad_guid" value="http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID" />
    </ClaimMappings>
</add>
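The STS settings in steps 1 to 4 above are spread over three files and must agree with each other: the realm in both web.xml files must match the Realm of the RelyingParties entry, both web.xml files must point at the same STS, and the endpoints that carry the session and the SAML assertion (altusBaseUrl, stsBaseUrl, ReplyUrl) should be HTTPS. The following Python script is an added consistency check, not part of the DigitalPersona or Temenos software; the three file fragments are constructed from the values shown in this guide. It parses web.xml with or without the Java EE default namespace, and it reports the guide's own ReplyUrl (plain http on port 9095) as a finding so that you can decide whether that is acceptable in your deployment.

```python
"""Cross-check STS settings across BrowserWeb web.xml, BiometricsWeb web.xml
and the DPPassiveSTS web.config (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def _local(tag: str) -> str:
    """Strip an XML namespace: '{http://...}context-param' -> 'context-param'."""
    return tag.rsplit("}", 1)[-1]


def context_params(web_xml: str) -> dict[str, str]:
    """Return {param-name: param-value} for every <context-param> in a web.xml."""
    params: dict[str, str] = {}
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "context-param":
            continue
        name = value = ""
        for child in el:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()  # tolerates "3 " style padding
        if name:
            params[name] = value
    return params


def relying_parties(web_config: str) -> list[dict[str, str]]:
    """Return the attributes of each <add> directly under <RelyingParties>."""
    root = ET.fromstring(web_config)
    return [dict(add.attrib) for rp in root.iter("RelyingParties") for add in rp.findall("add")]


def check_sts(browser: dict, biometrics: dict, parties: list) -> list[str]:
    """Cross-check the three files; every returned string is a finding."""
    findings: list[str] = []
    realm = biometrics.get("stsRealm", "")
    if biometrics.get("logonMethod") != "STS":
        findings.append("BiometricsWeb logonMethod is not STS")
    if browser.get("stsRealm") != realm:
        findings.append("stsRealm differs between BiometricsWeb and BrowserWeb")
    if browser.get("stsBaseUrl") != biometrics.get("stsBaseUrl"):
        findings.append("stsBaseUrl differs between BiometricsWeb and BrowserWeb")
    timeout = biometrics.get("stsRedirectSecTimeout", "")
    if not timeout.isdigit() or int(timeout) <= 0:
        findings.append(f"stsRedirectSecTimeout is not a positive integer: {timeout!r}")
    party = next((p for p in parties if p.get("Realm") == realm), None)
    if party is None:
        findings.append(f"no RelyingParties entry for realm {realm!r} in web.config")
    # Endpoints that carry the session or the SAML assertion should be https.
    endpoints = {
        "altusBaseUrl (BrowserWeb)": browser.get("altusBaseUrl", ""),
        "stsBaseUrl": biometrics.get("stsBaseUrl", ""),
    }
    if party is not None:
        endpoints["ReplyUrl"] = party.get("ReplyUrl", "")
    for label, url in endpoints.items():
        if urlsplit(url).scheme != "https":
            findings.append(f"{label} is not https: {url}")
    return findings


# Constructed fragments modelled on the values shown in this guide.
BROWSER_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param><param-name>altusBaseUrl</param-name>
    <param-value>https://digitalpersona.mylocalbank.com</param-value></context-param>
  <context-param><param-name>stsBaseUrl</param-name>
    <param-value>https://altus.mylocalbank.com/dppassivests</param-value></context-param>
  <context-param><param-name>stsRealm</param-name>
    <param-value>urn:TemenosLogin</param-value></context-param>
</web-app>"""

BIOMETRICS_WEB_XML = """<web-app>
  <context-param><param-name>logonMethod</param-name><param-value>STS</param-value></context-param>
  <context-param><param-name>stsBaseUrl</param-name>
    <param-value>https://altus.mylocalbank.com/dppassivests</param-value></context-param>
  <context-param><param-name>stsRedirectSecTimeout</param-name><param-value>3 </param-value></context-param>
  <context-param><param-name>stsRealm</param-name><param-value>urn:TemenosLogin</param-value></context-param>
</web-app>"""

WEB_CONFIG = """<configuration>
  <RelyingParties>
    <add Realm="urn:TemenosLogin" DisplayName="TemenosLogin"
         ReplyUrl="http://t24-browser:9095/BrowserWeb/servlet/BrowserLoginServlet"
         TokenType="urn:oasis:names:tc:SAML:2.0:assertion">
      <ClaimMappings>
        <add key="sub" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" />
      </ClaimMappings>
    </add>
  </RelyingParties>
</configuration>"""


def run_check() -> list[str]:
    """Run the cross-check over the constructed fragments."""
    return check_sts(context_params(BROWSER_WEB_XML),
                     context_params(BIOMETRICS_WEB_XML),
                     relying_parties(WEB_CONFIG))


if __name__ == "__main__":
    for finding in run_check():
        print("FINDING:", finding)
```

To use it on a deployment, replace the three constants with the contents of the real files (read them from the .war\WEB-INF and DP STS folders named in the steps above); an empty findings list means the realm, STS URL and logon method agree and every endpoint is served over TLS.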


Set up the Teller’s machine

1. Ensure that DigitalPersona Web Components is accessible from the Teller's Machine.

a. In your web browser, navigate to https://digitalpersona.mylocalbank.com/DPWebAUTH/DPWebAuthService.svc.

b. The following page displays.

2. If using a self-signed SSL certificate, install the DigitalPersona Web Components SSL certificate into the trusted certificate store on the Teller's machine. Note that the Firefox browser uses its own certificate store instead of the Windows certificate store.

5 Enroll initial DigitalPersona administrator

Overview

This chapter covers enrolling the fingerprints of the initial DigitalPersona administrator and testing the success of the enrollment.

The following steps will enable a DigitalPersona administrator to log on to the T24 Login page, but do not give them the necessary permissions to authenticate transactions. Additional steps required to enable authenticating transactions are listed in the section Enrolling DigitalPersona Administrators for authentication on page 65. However, those additional steps will not work until the other tasks in the Biometric Authentication Setup chapter have been completed.

Enrollment

1. On the administrative workstation, open DigitalPersona Attended Enrollment and enroll the fingerprints for a DigitalPersona AD User who has previously been designated as a member of the DigitalPersona Security Officer group (see page 9 and following pages).

a. Select the DigitalPersona AD User that you want to enroll and click OK.

b. Have the user enter their Windows password.


c. On the Credential Manager page, select Add under the Fingerprints tile, and then follow the onscreen instructions to enroll the user’s fingerprints credential.

d. Click Complete Enrollment.

On the DigitalPersona Server machine

2. Open ADSI Edit on the DigitalPersona Server machine.

3. Under DigitalPersona AD Users, right-click on the user you want to enroll and select Properties.

4. Set the value of the dpt24Name attribute to the desired T24 user ID (INPUTTER in this example).

5. At the command prompt, enter

a. iisreset /stop to stop IIS.

b. net stop DPHost to stop the DPHost service.

c. net start DPHost to start the DPHost service.

d. iisreset to restart IIS.

6. The new DigitalPersona administrator will now be able to log in to T24 with their fingerprints. To enable the DigitalPersona administrator to use Biometric authentication for transactions in T24, complete the tasks in the Biometric Authentication Setup chapter.


Testing biometric login

To test the biometric logon for a T24 enrolled user

1. Navigate to the T24 login page.

2. Scan the T24 user's fingerprint, or select the DigitalPersona password tile and enter their Active Directory credentials.

3. DigitalPersona for Temenos will also ask for the user's T24 credentials the first time the user logs in using biometrics. Log in with the user's T24 Username and Password.

4. Upon successful login, the user’s home screen will display. On the Home screen, click Sign Off.


5. Scan the T24 user’s fingerprint again, or enter their DigitalPersona (Active Directory) credentials on the Login page.

6. A successful login completes this test of the biometric login.

6 Biometric Authentication Setup

Overview

Prior to implementing the following procedures to set up biometric authentication for inputting and validating transactions, all steps in the previous chapters must be completed.

Note these default values and naming conventions.

• By default, biometric authentication for a customer is required if the transaction amount is equal to or greater than $200.

• By default, biometric authentication for an employee is required if transaction amount is equal to or greater than $300.

• Sample biometric versions for cash withdrawal and funds transfer are created in three flavors.

• Versions ending with BIO (for example: FUNDS.TRANSFER,ACTR.SCV.BIO) require authentication for both customer and inputter, depending on the amounts entered.

• Versions ending with BIO.CUST (for example: FUNDS.TRANSFER,ACTR.SCV.BIO.CUST) require authentication for a customer only, depending on the amounts entered.

• Versions ending with BIO.USER (for example: FUNDS.TRANSFER,ACTR.SCV.BIO.USER) require authentication for an employee only, depending on the amounts entered.
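The defaults and naming conventions above define a small policy: which party a version makes eligible for a biometric check, and the inclusive threshold at which the check becomes mandatory for each party. The following Python script is an added example that models only those documented defaults as a test oracle; it is not the product's T24 routine, and the boundary cases in its test plan are constructed. It is useful when validating a deployment, because the "equal to or greater than" boundary and the suffix rules are exactly where a misconfigured version lets a transaction through without the intended authentication.

```python
"""Test oracle for the documented biometric-authentication defaults (added example)."""
from __future__ import annotations

from decimal import Decimal

# Documented defaults: customer check at >= 200, employee (inputter) check at >= 300.
CUSTOMER_THRESHOLD = Decimal("200")
EMPLOYEE_THRESHOLD = Decimal("300")


def parties_for_version(version: str) -> frozenset[str]:
    """Which parties a T24 version name makes eligible for a biometric check.

    Suffix rules from the guide: .BIO -> customer and inputter,
    .BIO.CUST -> customer only, .BIO.USER -> inputter only.
    Any other version name is not biometric-enabled.
    """
    if version.endswith(".BIO.CUST"):
        return frozenset({"customer"})
    if version.endswith(".BIO.USER"):
        return frozenset({"inputter"})
    if version.endswith(".BIO"):
        return frozenset({"customer", "inputter"})
    return frozenset()


def required_authenticators(version: str, amount: Decimal | str) -> frozenset[str]:
    """Parties that must authenticate biometrically for this version and amount.

    Thresholds are inclusive ("equal to or greater than"); Decimal avoids the
    float rounding that could move an amount across that boundary.
    """
    amount = Decimal(amount)
    eligible = parties_for_version(version)
    required = set()
    if "customer" in eligible and amount >= CUSTOMER_THRESHOLD:
        required.add("customer")
    if "inputter" in eligible and amount >= EMPLOYEE_THRESHOLD:
        required.add("inputter")
    return frozenset(required)


# Constructed boundary cases for a test plan; the version names are the sample
# ones quoted in this guide.  Tuple: (version, amount, expected parties).
TEST_PLAN = [
    ("FUNDS.TRANSFER,ACTR.SCV.BIO", "199.99", frozenset()),
    ("FUNDS.TRANSFER,ACTR.SCV.BIO", "200", frozenset({"customer"})),
    ("FUNDS.TRANSFER,ACTR.SCV.BIO", "299.99", frozenset({"customer"})),
    ("FUNDS.TRANSFER,ACTR.SCV.BIO", "300", frozenset({"customer", "inputter"})),
    ("FUNDS.TRANSFER,ACTR.SCV.BIO.CUST", "5000", frozenset({"customer"})),
    ("FUNDS.TRANSFER,ACTR.SCV.BIO.USER", "299.99", frozenset()),
    ("FUNDS.TRANSFER,ACTR.SCV.BIO.USER", "300", frozenset({"inputter"})),
    ("FUNDS.TRANSFER,ACTR.SCV", "10000", frozenset()),
]


def run_test_plan() -> list[str]:
    """Describe every case whose outcome differs from the expectation."""
    failures = []
    for version, amount, expected in TEST_PLAN:
        got = required_authenticators(version, amount)
        if got != expected:
            failures.append(f"{version} @ {amount}: expected {sorted(expected)}, got {sorted(got)}")
    return failures


if __name__ == "__main__":
    for version, amount, _ in TEST_PLAN:
        print(version, amount, sorted(required_authenticators(version, amount)))
    print("failures:", run_test_plan())
```

When the thresholds in a deployment are changed from the defaults, update the two constants and the expected sets together; the test plan then doubles as the acceptance checklist for the transaction-authentication tests later in this guide.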

T24 offers two deployment options for the core banking runtime: TAFC and TAFJ. Both environments are supported by DigitalPersona for Temenos.

Configuration settings

Configure the following settings: altusBaseUrl, doTrace, enrollCredentialsUrl, deviceIntegration. See descriptions of the settings in the following files.

BiometricsWeb.war\WEB-INF\web.xml

BrowserWeb.war\WEB-INF\web.xml

TAFC runtime

Set up a T24 server

1. Determine the location of the JRE by inspecting the batch file used to run jAgent (c:\Temenos\ModelBank-R12\BATfiles\basevars.bat in Model Bank R12) for the JAVA_HOME variable. For instance, the R12 model bank batch file sets JAVA_HOME to %TOOLS%\jdk1.6.0_30, which translates into c:\Temenos\ModelBank-R12\3rdParty\jdk1.6.0_30\jre.


2. Use keytool to install an Altus Server Certificate Authority certificate holding the public key for DigitalPersona token signature verification into the trusted certificate store of T24 Java JRE.

Example

c:\Temenos\ModelBank-R12\3rdParty\jdk1.6.0_30\jre\bin\keytool.exe -importcert -alias altusserverca -file C:\Users\Test\Desktop\Certificates\altus.mylocalbank.com.altus.cer -destkeystore c:\Temenos\ModelBank-R12\3rdParty\jdk1.6.0_30\jre\lib\security\cacerts

• Keytool will ask for the password to the trusted certificate store and whether to trust the certificate. Press “y” to accept. (The default password is changeit.)

• Upon successful import, the message Certificate was added to keystore displays.

3. Verify that the Altus Server Certificate Authority certificate is in the trusted certificate store.

Example

c:\Temenos\ModelBank-R12\3rdParty\jdk1.6.0_30\jre\bin\keytool.exe -list -v -keystore c:\Temenos\ModelBank-R12\3rdParty\jdk1.6.0_30\jre\lib\security\cacerts > c:\dptrace\list-R15.txt

• Keytool will ask for the password to the trusted certificate store and whether to trust the certificate. Press “y” to accept. (The default password is changeit.)

• Keytool will output a list of trusted certificates into c:\dptrace\list-R15.txt. You should be able to find the altusserverca certificate information in the file.


4. Determine the location of the bnk.run folder by inspecting the batch file being used to run jAgent for the HOME variable. For instance, set HOME=%ROOT%\Temenos\bnk\bnk.run appears in the batch file for R12 model bank, which translates into c:\Temenos\ModelBank-R12\Temenos\bnk\bnk.run.

5. Deploy "Setup\DigitalPersona for Temenos Browser R12\TAFC\gson-2.5.jar" into the <bnk.run>\jars\biometrics\ folder.

Add a path to the deployed jar file into the CLASSPATH variable of the batch file being used to run jAgent (c:\Temenos\ModelBank-R12\BATfiles\basevars.bat in Model Bank R12).

Example

set CLASSPATH=%CLASSPATH%;%HOME%\jars\biometrics\gson-2.5.jar

6. Deploy "Setup\DigitalPersona for Temenos Browser R12\TAFC\altus-jwt-3.1.0-SNAPSHOT-R12.jar" into the <bnk.run>\jars\biometrics\ folder (c:\Temenos\ModelBank-R12\Temenos\bnk\bnk.run\jars in Model Bank R12).

Add a path to the deployed jar file into the CLASSPATH variable of the batch file (c:\Temenos\ModelBank-R12\BATfiles\basevars.bat in Model Bank R12) being used to run jAgent.

Example


set CLASSPATH=%CLASSPATH%;%HOME%\jars\biometrics\altus-jwt-3.1.0-SNAPSHOT-R12.jar

7. Deploy "Setup\DigitalPersona for Temenos Browser R12\TAFC\altus-tafcroutines-3.1.0-SNAPSHOT-R12.jar" into the <bnk.run>\jars\biometrics\ folder.

Add a path to the deployed jar file into the CLASSPATH variable of the batch file (c:\Temenos\ModelBank-R12\BATfiles\basevars.bat in Model Bank R12) being used to run jAgent.

Example

set CLASSPATH=%CLASSPATH%;%HOME%\jars\biometrics\altus-tafcroutines-3.1.0-SNAPSHOT-R12.jar

8. If there is no arcmobileUtilities.jar on the CLASSPATH, then deploy "Setup\DigitalPersona for Temenos Browser R12\TAFC\log4j-1.2.9.jar" into the <bnk.run>\jars\biometrics\ folder.

Add a path to the deployed jar file into the CLASSPATH variable of the batch file (c:\Temenos\ModelBank-R12\BATfiles\basevars.bat in Model Bank R12) being used to run jAgent.

Example

set CLASSPATH=%CLASSPATH%;%HOME%\jars\biometrics\log4j-1.2.9.jar

9. Open jShell as an administrator. Change the current directory to the location of the setup files. For example, \Setup\DigitalPersona for Temenos Browser R12\TAFC.

10. Run "jsh-install.bat" and wait for the installation to complete.

11. Review the installation test results by opening .\target\jsh-test.log (for example, \Setup\DigitalPersona for Temenos Browser R12\TAFC\target\jsh-test.log).

• Note that additional log files, .\target\jsh-routines-install.log, .\target\jsh-test-install.log and .\target\jsh-test-uninstall.log have also been created.

• You can run the tests again by executing the command: "./target/jsh-test.bat > ./target/jsh-test.log"

• You can uninstall both routines and tests by executing "jsh-uninstall.bat"

Determining the <DL.RESTORE> location

The <DL.RESTORE> directory is the location where DL.DEFINE packages for T24 screens and fields will be copied for restoring into the T24 system.

1. Determine the TAFC location by finding the TAFC folder on the disk. For example, the following directory is used for TAFC in the R12 Model Bank.

c:\Temenos\ModelBank-R12\Temenos\TAFC

2. Open the SPF record in model bank and scroll to the Run Acc Name (RUN.ACC.NAME) field. This field points to the bnk.run directory relative to the TAFC location. For example, this field contains the value "../bnk.run" in the R12 model bank.

3. Create the full path for the bnk.run directory from the paths determined in Steps 1 and 2. For example, in R12, combining "c:\Temenos\ModelBank-R12\Temenos\TAFC" and "../bnk.run" gives the full path of "c:\Temenos\ModelBank-R12\Temenos\bnk\bnk.run".


4. Open DL.PARAMETER SYSTEM and locate the value in the From File field (FROM.FILE).

5. Obtain <DL.RESTORE> by combining the full path for bnk.run obtained in Step 3, and the relative path obtained in Step 4 above.

Example

In R12 Model Bank, <DL.RESTORE> will be obtained by combining "c:\Temenos\ModelBank-R12\Temenos\bnk\bnk.run" and "../F.DL.DATA/DL.RESTORE".

Therefore <DL.RESTORE> =

"c:\Temenos\ModelBank-R12\Temenos\bnk\F.DL.DATA\DL.RESTORE"

TAFJ runtime

Set up a dedicated T24 server

The following procedure is for setting up a dedicated T24 server. For instructions on setting up a T24 server for use with the Model Bank, see the next section beginning on page 42.

1. Install an Altus Server Certificate Authority certificate holding the public key for DigitalPersona token signature verification into the trusted certificate store of T24 Java JRE.

Example

d:\Temenos\T24\Java\jre\bin\keytool.exe -importcert -alias altusserverca -file C:\Users\Test\Desktop\Certificates\digitalpersona.mylocalbank.com.altus.cer -destkeystore d:\Temenos\T24\Java\jre\lib\security\cacerts

• Note that keytool will ask for the password to the trusted certificate store and whether to trust the certificate. Press “y” to accept. The default password is "changeit".

• Upon successful import, the following message displays: Certificate was added to keystore.

2. Verify that the Altus Server Certificate Authority certificate is in the trusted certificate store.

Example

d:\Temenos\T24\Java\jre\bin\keytool.exe -list -v -keystore d:\Temenos\T24\Java\jre\lib\security\cacerts > c:\dptrace\list-R15.txt

Keytool will output a list of trusted certificates into c:\dptrace\list-R15.txt. You should be able to find the altusserverca certificate information in the file.

3. Deploy "Setup\DigitalPersona for Temenos Browser R15\altus-browserweb-3.1.0-SNAPSHOT-R15.war\WEB-INF\lib\gson-2.5.jar" into d:\Temenos\T24\Programs\TAFJ\TAFJ-MB\ext.

4. Deploy "Setup\DigitalPersona for Temenos Browser R15\TAFJ\altus-jwt-3.1.0-SNAPSHOT-R15.jar" into d:\Temenos\T24\Programs\TAFJ\TAFJ-MB\ext.

5. Deploy "Setup\DigitalPersona for Temenos Browser R15\TAFJ\altus-tafjvalidators-3.1.0-SNAPSHOT-R15.jar" into d:\Temenos\T24\Programs\TAFJ\TAFJ-MB\ext.

6. Deploy "Setup\DigitalPersona for Temenos Browser R15\TAFJ\altus-tafjroutines-3.1.0-SNAPSHOT-R15.jar" into d:\Temenos\T24\Programs\TAFJ\TAFJ-MB\ext.

7. Restart the T24 server.

8. Ensure that the following deployed basic routines are visible in the T24 environment.

BIO.FT.AMOUNT.VALID
BIO.FT.INPUT.AUTH
BIO.FT.INPUT.CUSTOMER.AUTH
BIO.FT.INPUT.USER.AUTH
BIO.TELLER.ACCOUNT.VALID
BIO.TELLER.AMOUNT.VALID
BIO.TELLER.INPUT.AUTH
BIO.TELLER.INPUT.CUSTOMER.AUTH
BIO.TELLER.INPUT.USER.AUTH

a. Navigate to http://T24-browser.mylocalbank.com:9095/TAFJEE/tShow.

b. Enter a deployed routine name and click Submit. For example, BIO.TELLER.INPUT.CUSTOMER.AUTH.

c. Routine information is displayed if the routine was properly deployed in the T24 server.

d. The following screen will be shown if a routine was not compiled properly.

Set up the T24 Server (R15 Model Bank)

The following procedure is only for setting up a T24 Server for the Model Bank. See the previous procedure when setting up a dedicated T24 server.

1. Install an Altus Server Certificate Authority certificate holding the public key for DigitalPersona token signature verification into the trusted certificate store of the T24 Java JRE.

Example

d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\bin\keytool.exe -importcert -alias altusserverca -file C:\Users\Test\Desktop\Certificates\WIN-JE24TTB0Q9G.digitalpersona.mylocalbank.com.altus.cer -destkeystore d:\Temenos\ModelBank-R15-TAFJ\Infra\Java\jre\lib\security\cacerts

• Note that keytool will ask for the password to the trusted certificate store and whether to trust the certificate. Press “y” to accept. The default password is "changeit".

• Upon successful import, the following message displays: Certificate was added to keystore.

2. Verify that the Altus Server Certificate Authority certificate is in the trusted certificate store. Note that keytool will ask for the password to the trusted certificate store (the default password is "changeit") and also ask whether to trust the certificate. Press "y" to accept.

Example

d:\Temenos\T24\Java\jre\bin\keytool.exe -list -v -keystore d:\Temenos\T24\Java\jre\lib\security\cacerts > c:\dptrace\list-R15.txt

Keytool will output a list of trusted certificates into c:\dptrace\list-R15.txt. You should be able to find the altusserverca certificate information in the file.
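As an added check for step 2 of this procedure and of the dedicated-server procedure above (example code written for this guide, not part of the DigitalPersona or Temenos software), the following Python script reads the saved keytool -list -v output (for example c:\dptrace\list-R15.txt) and confirms not only that the altusserverca alias exists but that it is a trusted-certificate entry whose SHA-256 fingerprint matches the certificate file you imported. Finding the alias alone does not prove the right CA was installed; comparing the fingerprint does. The listing embedded below is constructed sample output and every fingerprint, owner and serial number in it is made up; obtain the real expected fingerprint with keytool -printcert -file on the .cer file.

```python
import re
import sys
from typing import Dict, Optional, Tuple

# Constructed sample of `keytool -list -v` output (not a real listing from the
# guide); aliases, owners, serial numbers and fingerprints are made up.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: altusserverca
Creation date: Jul 20, 2017
Entry type: trustedCertEntry

Owner: CN=DigitalPersona Altus Server CA, O=Example Bank
Issuer: CN=DigitalPersona Altus Server CA, O=Example Bank
Serial number: 1a2b3c4d
Valid from: Thu Jul 20 00:00:00 UTC 2017 until: Sun Jul 18 00:00:00 UTC 2027
Certificate fingerprints:
     MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
     SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
     SHA256: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
Signature algorithm name: SHA256withRSA
Version: 3


*******************************************
*******************************************


Alias name: someotherrootca
Creation date: Jan 1, 2015
Entry type: trustedCertEntry

Owner: CN=Some Other Root CA, O=Example
Issuer: CN=Some Other Root CA, O=Example
Serial number: 05
Valid from: Thu Jan 1 00:00:00 UTC 2015 until: Wed Jan 1 00:00:00 UTC 2035
Certificate fingerprints:
     MD5:  FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
     SHA1: FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98
     SHA256: 99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA
Signature algorithm name: SHA256withRSA
Version: 3
"""

# Made-up expected value, standing in for the fingerprint printed by
# `keytool -printcert -file <altus .cer file>`.
EXPECTED_ALTUS_SHA256 = (
    "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:"
    "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"
)


def _norm(fingerprint: str) -> str:
    """Canonical form for comparison: colon-free upper-case hex."""
    return fingerprint.replace(":", "").upper()


def parse_keytool_listing(text: str) -> Dict[str, Dict[str, str]]:
    """Return {alias: {"entry_type": ..., "sha256": ...}} from `keytool -list -v` output."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Alias name:\s*(.+)$", line)
        if m:
            current = {}
            entries[m.group(1).strip().lower()] = current  # keytool aliases are case-insensitive
            continue
        if current is None:
            continue
        m = re.match(r"^Entry type:\s*(\S+)", line)
        if m:
            current["entry_type"] = m.group(1)
            continue
        m = re.match(r"^SHA-?256:\s*([0-9A-Fa-f:]+)$", line)
        if m:
            current["sha256"] = _norm(m.group(1))
    return entries


def declared_entry_count(text: str) -> Optional[int]:
    """The 'Your keystore contains N entries' count, used as a parse sanity check."""
    m = re.search(r"keystore contains (\d+) entr", text)
    return int(m.group(1)) if m else None


def verify_trust_anchor(text: str, alias: str, expected_sha256: str) -> Tuple[bool, str]:
    """Check that `alias` is a trustedCertEntry with the expected SHA-256 fingerprint."""
    entries = parse_keytool_listing(text)
    declared = declared_entry_count(text)
    if declared is not None and declared != len(entries):
        return False, f"listing declares {declared} entries but {len(entries)} were parsed"
    entry = entries.get(alias.lower())
    if entry is None:
        return False, f"alias {alias!r} is not present in the keystore"
    if entry.get("entry_type") != "trustedCertEntry":
        return False, f"alias {alias!r} is a {entry.get('entry_type')} entry, not a trusted certificate"
    if entry.get("sha256") != _norm(expected_sha256):
        return False, f"SHA-256 fingerprint of {alias!r} does not match the expected value"
    return True, f"alias {alias!r} is present with the expected SHA-256 fingerprint"


if __name__ == "__main__":
    # Usage: python check_truststore.py [c:\dptrace\list-R15.txt]; without an
    # argument the constructed sample listing is checked.
    listing = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LISTING
    ok, message = verify_trust_anchor(listing, "altusserverca", EXPECTED_ALTUS_SHA256)
    print(("PASS: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)
```

The declared-count comparison catches a truncated or redirected-to-the-wrong-file listing before any alias lookup is trusted.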

3. Deploy "Setup\DigitalPersona for Temenos Browser R15\altus-browserweb-3.1.0-SNAPSHOT-R15.war\WEB-INF\lib\gson-2.5.jar" into d:\Temenos\ModelBank-R15-TAFJ\T24\Programs\TAFJ\TAFJ-MB\ext.

4. Deploy "Setup\DigitalPersona for Temenos Browser R15\TAFJ\altus-jwt-3.1.0-SNAPSHOT-R15.jar" into d:\Temenos\ModelBank-R15-TAFJ\T24\Programs\TAFJ\TAFJ-MB\ext.

5. Deploy "Setup\DigitalPersona for Temenos Browser R15\TAFJ\altus-tafjvalidators-3.1.0-SNAPSHOT-R15.jar" into d:\Temenos\ModelBank-R15-TAFJ\T24\Programs\TAFJ\TAFJ-MB\ext.

6. Deploy "Setup\DigitalPersona for Temenos Browser R15\TAFJ\altus-tafjroutines-3.1.0-SNAPSHOT-R15.jar" into d:\Temenos\ModelBank-R15-TAFJ\T24\Programs\TAFJ\TAFJ-MB\ext.

7. Restart the T24 server.

8. Ensure that the following deployed basic routines are visible in the T24 environment.

BIO.FT.AMOUNT.VALID
BIO.FT.INPUT.AUTH
BIO.FT.INPUT.CUSTOMER.AUTH
BIO.FT.INPUT.USER.AUTH
BIO.TELLER.ACCOUNT.VALID
BIO.TELLER.AMOUNT.VALID
BIO.TELLER.INPUT.AUTH
BIO.TELLER.INPUT.CUSTOMER.AUTH
BIO.TELLER.INPUT.USER.AUTH

a. Navigate to http://T24-browser.mylocalbank.com:9095/TAFJEE/tShow.

b. Enter a deployed routine name and click Submit. For example, BIO.TELLER.INPUT.CUSTOMER.AUTH.

c. Routine information is displayed if the routine was properly deployed in the T24 server.

d. The following screen will be shown if a routine was not compiled properly.

Determining <DL.RESTORE> location

Before starting installation, you will need to locate the TAFJ runtime current directory. The name of the current TAFJ runtime properties file is stored in the <tafj.home>\conf\.default file.

Example

D:\Temenos\ModelBank-R15-TAFJ\T24\Programs\TAFJ\TAFJ-MB\conf\.default in MB R15

Sample content is shown in the image below.

1. Open the file <tafj.home>\conf\MB.properties in MB R15 with a text editor.

2. Locate the temn.tafj.runtime.directory.current property. For example, in MB R15, the path corresponds to d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD.

3. Open DL.PARAMETER SYSTEM and locate the value in the From File field (FROM.FILE).

4. Obtain <DL.RESTORE> by combining the full path for temn.tafj.runtime.directory.current obtained in step 2 and the relative path obtained from step 3.

Example

In R15 Model Bank, <DL.RESTORE> will be obtained by combining

"d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD"

and

"./F.DL.DATA/DL.RESTORE".

Therefore <DL.RESTORE> =

"d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE"

5. You will be extracting the DL.DEFINE packages into the <DL.RESTORE> directory.

Set up T24 Browser screens

Set up local fields

Biometric fields, errors and versions are included in the DL.DEFINE packages packed in the file altus-t24-3.1.0-SNAPSHOT-R15.jar.

1. Log in to the T24 Browser with the Authoriser account.

2. Extract the altus-t24-3.0.1-SNAPSHOT-R15.jar\F.DL.DATA\TMNS000-LOCAL.TABLE folder into the <DL.RESTORE>\LOCAL.TABLE folder.

Example for MB 15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

3. Commit the DL.PARAMETER record.

4. Open the DL.PARAMETER application.

5. Type SYSTEM for the record ID and press the Perform an action on the contract button.

6. Verify the DL.PARAMETER record by pressing the Play button. This restores the DL.DEFINE record for TMNS000-LOCAL.TABLE.

7. Verify the restored DL.DEFINE record.

a. Type ‘DL.DEFINE’ and then click the checkmark next to the command box to open the DL.DEFINE application.

b. Enter the restored record id - TMNS000-LOCAL.TABLE and click the Perform an action on the contract button.

c. Verify the restored DL.DEFINE record by clicking the Play button.

d. The Biometric local reference fields from TMNS000-LOCAL.TABLE are restored with an IHLD status.

8. Amend each of the following restored records. (For the Model Bank, you may want to use the self-authorising (comma) version of LOCAL.TABLE.)

BIO.CUST
BIO.CUST.AUDIT
BIO.CUST.NAME
BIO.CUST.TOKEN
BIO.CUST.AUTPOL
BIO.CUST.AUTAMO
BIO.USER
BIO.USER.AUDIT
BIO.USER.NAME
BIO.USER.TOKEN
BIO.USER.AUTOPOL
BIO.USER.AUTAMO
BIO.ENRL.ALTUS
BIO.ENRL.AUDIT
BIO.ENRL.TOKEN
BIO.ENRL.AUTPOL
BIO.ENRL.POL

a. For example, amend BIO.CUST by entering the record ID and clicking the Edit button.

b. Then commit the record by clicking the checkmark button.

9. Review the live records for LOCAL.TABLE.

10. The final result should display as follows.

11. Create the LOCAL.REF.TABLE record for the TELLER application, using the self-authorising version. Warning - These changes cannot be undone. You have only one attempt. Add the new fields at the end of the existing fields.

Add these fields at the end of the existing fields:

LOCAL TABLE          NO.   SUB ASSOC CODE
BIO.CUST
BIO.CUST.AUDIT             Xx.
BIO.CUST.AUTPOL
BIO.CUST.NAME
BIO.CUST.TOKEN             Xx.
BIO.USER
BIO.USER.AUDIT             Xx.
BIO.USER.AUTPOL
BIO.USER.NAME
BIO.USER.TOKEN             Xx.

12. Ensure that the fields appear on the STANDARD.SELECTION for TELLER.

13. Create the LOCAL.REF.TABLE record for the FUNDS.TRANSFER application, using the self-authorising version. Warning - These changes cannot be undone. You have only one attempt. Add the new fields at the end of the existing fields.

Add these fields at the end of the existing fields:

LOCAL TABLE          NO.   SUB ASSOC CODE
BIO.CUST
BIO.CUST.AUDIT             Xx.
BIO.CUST.AUTPOL
BIO.CUST.NAME
BIO.CUST.TOKEN             Xx.
BIO.USER
BIO.USER.AUDIT             Xx.
BIO.USER.AUTPOL
BIO.USER.NAME
BIO.USER.TOKEN             Xx.

14. Create the LOCAL.REF.TABLE record for the SECTOR application, using the self-authorising version. Warning - These changes cannot be undone. You have only one attempt. Add the new fields at the end of the existing fields.

Add the following fields at the end of the existing fields:

LOCAL TABLE          NO.   SUB ASSOC CODE
BIO.CUST.AUTPOL
BIO.CUST.AUTAMO

15. Ensure that these fields appear on the STANDARD.SELECTION for SECTOR.

16. Create the LOCAL.REF.TABLE record for the CUSTOMER application, using the self-authorising version. Warning - These changes cannot be undone. You have only one attempt. Add the new fields at the end of the existing fields.

Add the following fields at the end of the existing fields:

LOCAL TABLE          NO.   SUB ASSOC CODE
BIO.CUST.AUTPOL
BIO.CUST.AUTAMO
BIO.ENRL.AUTPOL
BIO.ENRL.POL
BIO.ENRL.ALTUS
BIO.ENRL.TOKEN             Xx.
BIO.ENRL.AUDIT             Xx.
BIO.USER
BIO.USER.AUDIT             Xx.
BIO.USER.NAME
BIO.USER.TOKEN             Xx.

17. Ensure that these fields appear on the STANDARD.SELECTION for CUSTOMER.

18. Create a LOCAL.REF.TABLE record for the DEPT.ACCT.OFFICER application, using the self-authorising version. Warning - These changes cannot be undone. You have only one attempt. Add the new fields at the end of the existing fields.

Add the following fields at the end of the existing fields:

LOCAL TABLE          NO.   SUB ASSOC CODE
BIO.USER.AUTPOL
BIO.USER.AUTAMO

19. Ensure that these fields appear on the STANDARD.SELECTION for DEPT.ACCT.OFFICER.

20. Create a LOCAL.REF.TABLE record for the USER application, using the self-authorising version. Warning - These changes cannot be undone. You have only one attempt. Add the new fields at the end of the existing fields.

Add the following fields at the end of the existing fields:

LOCAL TABLE          NO.   SUB ASSOC CODE
BIO.USER.AUTPOL
BIO.USER.AUTAMO
BIO.ENRL.AUTPOL
BIO.ENRL.ALTUS
BIO.ENRL.TOKEN             Xx.
BIO.ENRL.AUDIT             Xx.
BIO.USER
BIO.USER.AUDIT             Xx.
BIO.USER.NAME
BIO.USER.TOKEN             Xx.

21. Ensure that these fields appear on the STANDARD.SELECTION for USER.

22. Log off and restart JBOSS.

Set up T24 Browser screens

1. Extract the altus-t24-3.0.1-SNAPSHOT-R15.jar\F.DL.DATA\TMNS000-EB.API folder into the <DL.RESTORE> folder.

Example for MB R15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

2. Restore the biometric API registration using DL.PARAMETER, DL.DEFINE and VERSION, similar to steps 8 through 20 above.

On Hold records, restored by DL.DEFINE.

Restored DL.DEFINE record

Result after amending and committing.

3. Extract the altus-t24-3.1.0-SNAPSHOT-R15.jar\F.DL.DATA\TMNS000-PGM.FILE folder into the <DL.RESTORE> folder.

Example for MB R15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

4. Restore the biometric PGM file records using DL.PARAMETER, DL.DEFINE and PGM.FILE, similar to steps 8 through 20 above.

Restored DL.DEFINE record

5. Amend and commit the restored records (For the Model Bank, you may want to use the self-authorising (comma) version of PGM.FILE).

6. Extract altus-t24-3.0.1-SNAPSHOT-R15.jar\F.DL.DATA\TMNS000-ASSOC.VERSION folder into the <DL.RESTORE> folder.

Example for MB 15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

7. Restore the biometric versions using DL.PARAMETER, DL.DEFINE and VERSION, similar to steps 8 through 20 above.

Result after amending and committing

Restored DL.DEFINE record

8. Amend and commit restored records (For the Model Bank, you may want to use the self-authorising (comma) version of VERSION).

Result after amending and committing

9. Extract the altus-t24-3.0.1-SNAPSHOT-R15.jar\F.DL.DATA\TMNS000-VERSION folder into the <DL.RESTORE> folder.

Example for MB R15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

10. Restore the biometric versions using DL.PARAMETER, DL.DEFINE and VERSION, similar to steps 8 through 20 above.

Restored DL.DEFINE record

11. Amend and commit restored records (For the Model Bank, you may want to use the self-authorising (comma) version of VERSION).

If you didn’t restore TMNS000-ASSOC.VERSION, an error message displays as shown below.

After amending and committing, the screen will be similar to the one shown in the image below.

12. Extract the altus-t24-3.0.1-SNAPSHOT-R15.jar\F.DL.DATA\TMNS000-EB.ERROR folder into the <DL.RESTORE> folder.

Example for MB 15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

13. Restore biometric errors using DL.PARAMETER, DL.DEFINE and EB.ERROR, similar to steps 8 through 20 above. The final result should look like the following image, showing 29 error records.

14. Extract the altus-t24-3.1.0-SNAPSHOT-R15.jar\F.DL.DATA\TMNS000-HELPTEXT.MENU folder into the <DL.RESTORE> folder.

Example for MB 15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

15. Restore the biometric menus using DL.PARAMETER, DL.DEFINE and HELPTEXT.MENU,SETUP, similar to steps 8 through 20 above. The final result should look like the following image.

16. Restart JBOSS.

Add menu items and links

Menu item to call a version from the Teller home screen

1. Commit BROWSER.PREFERENCES TELLER.1.

2. Note the value of MAIN.SCREEN, for instance the value is TELLER.

3. Commit EB.COMPOSITE.SCREEN TELLER.

4. Note the value of CONTENT-5 of CONTENT.TYPE-5 (Menu), for instance TELLER.HP.MENU.

5. Commit HELPTEXT.MENU,SETUP TELLER.HP.MENU.

6. Add the biometric menus:

ID.OF.HELP.MENU.X         GB Descript.
BIO.ENROLLMENT.TELLER     Biometric enrollment
BIO.AUTHENTICATION        Biometric transactions

7. Commit and authorise the record.

8. Log in as TELLER1; the added Biometric menus will appear on the home screen.

9. Repeat steps 1 through 8 for the authoriser, for instance HEADTELLER1.

Menu item to call a version from the Authoriser home screen

1. Commit HELPTEXT.MAINMENU,SETUP.

2. Enter 1 for the Authoriser menu.

3. Add BIO.POLICIES and BIO.ENROLLMENT and the corresponding localizable labels:

ID.OF.HELP.MENU.X     GB Descript.
BIO.POLICIES          Biometric authentication
BIO.ENROLLMENT        Biometric enrollment

4. Authorize the changes for record 1. The final result should be similar to the following image.

Add links for Biometric Funds Transfer

1. Open ENQUIRY, OUTWARD.REMITTANCES.SCV.

2. Add the following entries to create links for the biometric versions of Funds Transfer payment types.

FUNDS.TRANSFER,ACTR.SCV.BIO
FUNDS.TRANSFER,ACTR.SCV.BIO.USER
FUNDS.TRANSFER,ACTR.SCV.BIO.CUST

3. Commit the record.

4. This will add links to biometric versions into the Choose Payment Type screen.

Enquiry Name. Label Field. GB Nxt Desc.

FUNDS.TRANSFER,ACTR.SCV.BIO I F3 USER.PROMPT 1 Biometric User Account Transfer

FUNDS.TRANSFER,ACTR.SCV.BIO.USER I F3 USER.PROMPT 1 Biometric User Account Transfer

FUNDS.TRANSFER,ACTR.SCV.BIO.CUST I F3 USER.PROMPT 1 Biometric Customer Account Transfer

Enrolling DigitalPersona Administrators for authentication

Ensure that the DigitalPersona administrator has previously been enrolled (see page 31) before performing the following steps.

1. Run the self-authorising version of the USER application for the T24 user to be enrolled for authentication as a DigitalPersona administrator.

2. Enter the DigitalPersona administrator’s SAM name into the Biometric Name field and commit the record.

3. The AUTHORISER may now log in to T24 with their DigitalPersona credentials (either fingerprint or DigitalPersona AD username and password) and enroll other T24 users.

4. The first time that fingerprints are used to log in to the system, the user’s T24 credentials will also be required. Thereafter, additional credentials will not be required.

5. Run USER,MAINTAIN.BIO application.

6. Follow the normal procedure to enroll a user, as described in the topic Enrolling a DigitalPersona AD user in the DigitalPersona for Temenos User Guide.

7 Authentication policies

This chapter provides instructions on the use of authentication policies used by DigitalPersona for Temenos.

User authentication policies

User authentication policies can be set at the per-user level or at the per-department level. If no policy is set for either the user or the department, the default value hardcoded in the jBase BASIC routine is applied. The precedence is shown below.

Department-level user authentication policy

The department number can be found on the USER record.

Field: BIO.USER.AUTOPOL
Description: Authentication method to be used
Hardcoded default: FINGERPRINT
Values:
  [None]         Use parent policy
  FINGERPRINT    Fingerprint authentication required
  PASSWORD       Password authentication required
  DISABLED       No authentication required

Field: BIO.USER.AUTAMO
Description: Minimum amount in local currency requiring authentication
Hardcoded default: 0
Values:
  [Empty value]  Use parent policy
  >=0            Authentication required for any transaction in local currency greater than or equal to the amount specified

Setting department authentication policies requires authorisation of inputted changes.

The department policy displayed above requires fingerprint authentication for transaction amounts greater than or equal to 200.00 in local currency.

User-level user authentication policy

Setting a user-level user authentication policy requires authorisation of the inputted changes.

The user policy displayed above requires the authentication method of department 31 (FINGERPRINT, as seen on the department screen) for transaction amounts greater than or equal to 0 in local currency (meaning any amount).

Customer authentication policies

Customer authentication policies can be set at the per customer level or at the per sector level. If there are no policies set for either customer or sector, then the default value hardcoded in the jBase BASIC routine is applied.

The sector can be found from the CUSTOMER record, as shown below.

Field: BIO.CUST.AUTOPOL
Description: Authentication method to be used
Hardcoded default: FINGERPRINT
Values:
  [None]         Use parent policy
  FINGERPRINT    Fingerprint authentication required
  PASSWORD       Password authentication required
  DISABLED       No authentication required

Field: BIO.CUST.AUTAMO
Description: Minimum amount in local currency requiring authentication
Hardcoded default: 0
Values:
  [Empty value]  Use parent policy
  >=0            Authentication required for any transaction in local currency greater than or equal to the amount specified

Sector authentication policies

Setting a sector authentication policy requires authorisation of the inputted changes.

The sector policy displayed above requires fingerprint authentication for transaction amounts greater than or equal to 150.00 in local currency.

Customer authentication policies

Setting a customer authentication policy requires authorisation of the inputted changes.

The customer policy displayed above requires the authentication method of sector 1001 (FINGERPRINT, as seen on the sector screen) for transaction amounts greater than or equal to 0 in local currency (meaning any amount).
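The precedence described for users and departments in the previous section and for customers and sectors here is the same rule: the child record's value, otherwise the parent record's value, otherwise the hardcoded default. As an added illustration (example code written for this guide, not a routine from DigitalPersona for Temenos or from T24; the product's jBase BASIC routines perform the real check), the following Python models both cases: a [None] method or an empty amount falls back to the parent record, a missing parent value falls back to the hardcoded defaults FINGERPRINT and 0, DISABLED switches authentication off, and authentication is required whenever the transaction amount is greater than or equal to the effective minimum. The sample values (department 31 at 200.00, sector 1001 at 150.00) are the ones shown on the preceding screens; the record layouts are simplified to the two policy fields.

```python
from dataclasses import dataclass
from typing import Optional

# Hardcoded defaults named in the policy tables above; applied when neither
# the child nor the parent record sets a value.
DEFAULT_METHOD = "FINGERPRINT"
DEFAULT_AMOUNT = 0.0
VALID_METHODS = {"FINGERPRINT", "PASSWORD", "DISABLED"}


@dataclass(frozen=True)
class Policy:
    """One BIO.*.AUTPOL / BIO.*.AUTAMO pair as read from a T24 record.

    method=None models the [None] value and amount=None models an empty
    value; both mean "use the parent policy".
    """
    method: Optional[str] = None
    amount: Optional[float] = None

    def __post_init__(self) -> None:
        if self.method is not None and self.method not in VALID_METHODS:
            raise ValueError(f"unknown authentication method {self.method!r}")
        if self.amount is not None and self.amount < 0:
            raise ValueError("minimum amount must be >= 0")


def resolve(child: Policy, parent: Policy) -> Policy:
    """Effective policy: child value, else parent value, else hardcoded default.

    The same rule serves user -> department and customer -> sector.
    """
    method = child.method if child.method is not None else parent.method
    amount = child.amount if child.amount is not None else parent.amount
    return Policy(
        method if method is not None else DEFAULT_METHOD,
        amount if amount is not None else DEFAULT_AMOUNT,
    )


def authentication_required(effective: Policy, amount_local: float) -> bool:
    """True when a transaction of amount_local must be authenticated."""
    if effective.method == "DISABLED":
        return False
    # A minimum of 0 therefore means every transaction, as the guide states.
    return amount_local >= effective.amount


def required_method(child: Policy, parent: Policy, amount_local: float) -> Optional[str]:
    """Method the transaction must be authenticated with, or None if none is needed."""
    effective = resolve(child, parent)
    return effective.method if authentication_required(effective, amount_local) else None


if __name__ == "__main__":
    department_31 = Policy("FINGERPRINT", 200.0)   # department screen shown above
    user_policy = Policy(None, 0.0)                 # inherits method, any amount
    print("effective user policy:", resolve(user_policy, department_31))
    print("50.00 needs:", required_method(user_policy, department_31, 50.0))

    sector_1001 = Policy("FINGERPRINT", 150.0)      # sector screen shown above
    customer_policy = Policy(None, 0.0)
    print("customer 0.00 needs:", required_method(customer_policy, sector_1001, 0.0))
    # A department that only sets the amount still inherits FINGERPRINT from the default.
    print("amount-only department:", resolve(Policy(), Policy(None, 200.0)))
```

Note the asymmetry a reviewer should keep in mind: a user-level value always wins, so a user record set to DISABLED turns authentication off regardless of the department threshold, which is why the guide requires authorisation of these changes.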

Customer enrollment policies

Using the Enrolled credentials field, the system administrator can specify which credentials will be enrolled for the customer automatically. Possible values are:

Onetimepassword - The first customer phone number specified in SMS.1 will be enrolled for receiving one-time passwords (OTP) during authentication. The OTP is valid for 30 seconds only.

Randompassword - A random password will be created for the customer, and a Customer Security officer (Customer Service agent) will need to use the desktop Attended Enrollment application tool to enroll the customer's credentials.

[None] - default, the same as Onetimepassword.

8 Signatory authentication

This chapter provides instructions on the process of setting up and testing signatory authentication using DigitalPersona for Temenos.

Set up mandates for a customer

For additional details, see the following topic in the Temenos product documentation.

Temenos Product Documentation Centre Retail>Retail Accounts>Retail Accounts Deal Processing>Mandates

You can find this topic on your local drive after installation at

file://[installation directory]/ R15AMR_CD_V1/R15AMR.htm#../Subsystems/R15RID/Content/Retail Accounts/Deal Processing/Mandates.htm?Highlight=EB.MANDATE.PARAMETER

1. Set up EB.MANDATE.PARAMETER for FUNDS.TRANSFER.

2. Set up EB.SIGNATORY.GROUP for 100384 - 100384.GUARDIAN.

3. Set up EB.MANDATE for 100384.20150324-1.

4. Set up the mandate for CUSTOMER 100384. Enter the mandate application FUNDS.TRANSFER and the mandate record 100384.20150324-1.

Test mandates

Prerequisite: Set up mandates for a customer on page 73.

1. After setting up mandates, run funds transfer from an account belonging to a customer (100384 in the following example with account 77771).

2. Enter a customer number and click Search Customer. Then click the Single Customer View button.

3. On the Products tab, click Payments/Transfers for an account.

4. In the Payment Types window, click Account Transfer.

5. Fill in the transfer and click the Commit icon.

6. Once the minimum signatory requirement override has been generated, you can accept the override by clicking Accept Overrides, or you can add a signatory.

(The only signatory in the signatory group is 100410. To review available signatories, run “EB.SIGNATORY.GROUP,100384,Guardian”).

7. Then click the Commit icon (item 2 in the above image).

8. A message displays indicating that the transfer has been completed successfully.


Set up authentication for signatories

Set up local fields

1. Extract altus-t24-3.0.1-SNAPSHOT-R15.jar\F.DL.DATA\SIGNATORY\TMNS000-SIG.LOCAL.TABLE folder into the <DL.RESTORE>\TMNS000-SIG.LOCAL.TABLE folder.

Example for MB R15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

2. Commit the DL.PARAMETER record, as follows:

3. Open the DL.PARAMETER application.

4. Type SYSTEM for the record Id and press the Perform an action on the contract button.


5. Verify the DL.PARAMETER record by pressing the Play button. This will restore DL.DEFINE record for TMNS000-SIG.LOCAL.TABLE.

6. Verify the restored DL.DEFINE record.

a. Open the DL.DEFINE application.

b. Enter the restored record id, TMNS000-SIG.LOCAL.TABLE, and click the Perform an action on the contract button.

c. Verify the restored DL.DEFINE record by clicking the Play button.


7. The Biometric local reference fields from TMNS000-SIG.LOCAL.TABLE are restored with an IHLD status.

8. Amend and commit the BIO.SIG record. (For the Model Bank, you may want to use the self-authorising (comma) version of LOCAL.TABLE.)

9. Repeat the above steps for all of the restored records:

   BIO.SIG
   BIO.SIG.AUTPOL
   BIO.SIG.NAME
   BIO.SIG1.AUDIT
   BIO.SIG1.TOKEN
   BIO.SIG2.AUDIT
   BIO.SIG2.TOKEN
   BIO.SIG3.AUDIT
   BIO.SIG3.TOKEN
   BIO.SIG4.AUDIT
   BIO.SIG4.TOKEN
   BIO.SIG5.AUDIT
   BIO.SIG5.TOKEN


10. Review live records for LOCAL.TABLE.

11. The final result will be similar to the following images.

12. Create the LOCAL.REF.TABLE record for the TELLER application. (For the Model Bank, you may want to use the self-authorising (comma) version of LOCAL.REF.TABLE).

Warning - These changes cannot be undone. You have only one attempt. Add the new fields at the end, after all existing fields.


a. Add the following fields at the END and commit the deal.

   Local Table No.     Sub Assoc Code
   BIO.SIG             Xx.
   BIO.SIG.AUTPOL      Xx.
   BIO.SIG.NAME        Xx.
   BIO.SIG1.AUDIT      Xx.
   BIO.SIG1.TOKEN      Xx.
   BIO.SIG2.AUDIT      Xx.
   BIO.SIG2.TOKEN      Xx.
   BIO.SIG3.AUDIT      Xx.
   BIO.SIG3.TOKEN      Xx.
   BIO.SIG4.AUDIT      Xx.
   BIO.SIG4.TOKEN      Xx.
   BIO.SIG5.AUDIT      Xx.
   BIO.SIG5.TOKEN      Xx.

b. Make sure that the fields are displayed for STANDARD.SELECTION TELLER.


13. Create the LOCAL.REF.TABLE record for the FUNDS.TRANSFER application. (For the Model Bank, you may want to use the self-authorising (comma) version of LOCAL.REF.TABLE.) Warning - These changes cannot be undone. You have only one attempt. Add the new fields at the end, after all existing fields.

a. Add the following fields at the END and commit the deal.

   Local Table No.     Sub Assoc Code
   BIO.SIG             Xx.
   BIO.SIG.AUTPOL      Xx.
   BIO.SIG.NAME        Xx.
   BIO.SIG1.AUDIT      Xx.
   BIO.SIG1.TOKEN      Xx.
   BIO.SIG2.AUDIT      Xx.
   BIO.SIG2.TOKEN      Xx.
   BIO.SIG3.AUDIT      Xx.
   BIO.SIG3.TOKEN      Xx.
   BIO.SIG4.AUDIT      Xx.
   BIO.SIG4.TOKEN      Xx.
   BIO.SIG5.AUDIT      Xx.
   BIO.SIG5.TOKEN      Xx.

14. Log off and restart JBOSS.
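Because the LOCAL.REF.TABLE commit in steps 12 and 13 cannot be undone, it is worth checking the field list before committing. The following added example (not code from the DigitalPersona or Temenos packages) models a LOCAL.REF.TABLE record as an ordered list of LOCAL.TABLE ids and refuses anything other than the thirteen BIO.SIG fields appended, in the documented order, after the existing fields. T24 stores local reference values positionally in each record's LOCAL.REF field, which is why inserting or removing a field shifts the data of every field after it. The existing TELLER and FUNDS.TRANSFER field lists below are constructed samples, not the Model Bank's real lists.

```python
"""Pre-commit check for the TELLER and FUNDS.TRANSFER LOCAL.REF.TABLE edits.

Added example, not code from the DigitalPersona or Temenos packages. A
LOCAL.REF.TABLE record is modelled as an ordered list of LOCAL.TABLE ids.
T24 stores local reference values positionally in each record's LOCAL.REF
field, so the only safe change is to append new fields after all existing
ones; anything else shifts existing data and cannot be undone.
"""

# The thirteen fields the guide lists for both applications, in the
# documented order.
BIO_SIG_FIELDS = (
    "BIO.SIG", "BIO.SIG.AUTPOL", "BIO.SIG.NAME",
    "BIO.SIG1.AUDIT", "BIO.SIG1.TOKEN",
    "BIO.SIG2.AUDIT", "BIO.SIG2.TOKEN",
    "BIO.SIG3.AUDIT", "BIO.SIG3.TOKEN",
    "BIO.SIG4.AUDIT", "BIO.SIG4.TOKEN",
    "BIO.SIG5.AUDIT", "BIO.SIG5.TOKEN",
)

# Constructed sample: the live field lists before the change. The real
# Model Bank lists are different and longer; these are for illustration.
LIVE_LOCAL_REF_TABLES = {
    "TELLER": ["TT.PURPOSE", "TT.CHANNEL"],
    "FUNDS.TRANSFER": ["FT.PURPOSE", "FT.CHANNEL", "FT.REMARKS"],
}


def propose_local_ref_table(live_fields, new_fields=BIO_SIG_FIELDS):
    """Build the record to commit: live fields unchanged, new fields appended.

    Refuses to build anything if a new field is already present, since a
    duplicate local field cannot be removed after the commit.
    """
    already = [f for f in new_fields if f in live_fields]
    if already:
        raise ValueError("already present in LOCAL.REF.TABLE: " + ", ".join(already))
    return list(live_fields) + list(new_fields)


def check_local_ref_table(live_fields, proposed, new_fields=BIO_SIG_FIELDS):
    """Compare a proposed record with the live one; return a list of problems.

    An empty list means the change only appends the expected fields in the
    expected order. Anything else should stop the irreversible commit.
    """
    problems = []
    live = list(live_fields)
    proposed = list(proposed)

    # 1. Every existing field keeps its name and its position.
    if proposed[: len(live)] != live:
        problems.append("existing fields were removed, renamed or reordered, "
                        "or new fields were inserted before them")

    # 2. Exactly the documented fields are appended, in the documented order.
    appended = proposed[len(live):]
    if appended != list(new_fields):
        missing = [f for f in new_fields if f not in appended]
        extra = [f for f in appended if f not in new_fields]
        if missing:
            problems.append("missing: " + ", ".join(missing))
        if extra:
            problems.append("unexpected: " + ", ".join(extra))
        if not missing and not extra:
            problems.append("appended fields are out of order")

    # 3. No LOCAL.TABLE id appears twice anywhere in the record.
    seen = set()
    duplicates = sorted({f for f in proposed if f in seen or seen.add(f)})
    if duplicates:
        problems.append("duplicate fields: " + ", ".join(duplicates))

    return problems


if __name__ == "__main__":
    for app, live in LIVE_LOCAL_REF_TABLES.items():
        record = propose_local_ref_table(live)
        verdict = check_local_ref_table(live, record)
        print(app, "OK to commit" if not verdict else "BLOCKED: " + "; ".join(verdict))
```

Run it with the live field list taken from the LOCAL.REF.TABLE record as it stands in your environment and the list you are about to commit; a non-empty result means the commit would either corrupt existing local reference data or leave the biometric fields incomplete.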


Set up DigitalPersona for Temenos Browser screens

1. Extract altus-t24-3.0.1-SNAPSHOT-R15.jar\F.DL.DATA\SIGNATORY\TMNS000-SIG.ASSOC.VERSION folder into the <DL.RESTORE> folder.

Example for MB R15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

2. Restore the biometric versions using DL.PARAMETER, DL.DEFINE and VERSION, similar to steps 2 to 15 in the topic Set up local fields.

3. Restore the DL.DEFINE record.


4. Amend and commit the restored records (For the Model Bank, you may want to use the self-authorising (comma) version of VERSION). Make sure that the restored records are live.

5. Extract altus-t24-3.0.1-SNAPSHOT-R15.jar\F.DL.DATA\SIGNATORY\TMNS000-SIG.VERSION folder into the <DL.RESTORE> folder.

Example for MB R15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE

6. Restore the biometric versions using DL.PARAMETER, DL.DEFINE and VERSION, similar to steps 2 to 15 in the topic Set up local fields.


The restored DL.DEFINE record will be similar to the image below.

7. Amend and commit the restored records (For the Model Bank, you may want to use the self-authorising (comma) version of VERSION).

Note: If TMNS000-SIG.ASSOC.VERSION was not restored, you will see the following screen.

8. Make sure that the restored records are live.

9. Extract the altus-t24-3.0.1-SNAPSHOT-R15.jar\F.DL.DATA\SIGNATORY\TMNS000-SIG.HELPTEXT.MENU folder into the <DL.RESTORE> folder.

Example in MB R15

d:\Temenos\ModelBank-R15-TAFJ\T24\Env\MB\Data\UD\F.DL.DATA\DL.RESTORE


10. Restore the biometric menus using DL.PARAMETER, DL.DEFINE and HELPTEXT.MENU,SETUP, similar to steps 2 to 9 in the topic Set up local fields on page 77. The final result will be similar to the following images.

11. Restart JBOSS.


Add Biometric signatory menu item on the Teller home screen

1. Commit BROWSER.PREFERENCES TELLER.1.

2. Note the value of MAIN.SCREEN; for instance, TELLER.

3. Commit EB.COMPOSITE.SCREEN TELLER.

4. Note the value of CONTENT-5 for CONTENT.TYPE-5 (Menu); for instance, TELLER.HP.MENU.

5. Commit HELPTEXT.MENU,SETUP TELLER.HP.MENU.

6. Add the biometric menu entry:

   ID.OF.HELP.MENU.X     GB Descript.
   BIO.SIGNATORY         Biometric signatory transactions

7. Commit and authorise the record.

8. Log in as TELLER1. The Biometric menus will appear on the home screen.

9. Repeat steps 1 through 8 for the authoriser, for instance HEADTELLER1.


Add a Biometric Signatory Transfer link

The following procedure adds a Biometric Signatory Transfer link to the Choose Payment Type screen.

1. Open ENQUIRY OUTWARD.REMITTANCES.SCV.

2. Add the following entry for the FT biometric version, FUNDS.TRANSFER,ACTR.SCV.BIO.SIG:

   Enquiry Name                            Label Field       GB Nxt Desc.
   FUNDS.TRANSFER,ACTR.SCV.BIO.SIG I F3    USER.PROMPT 1     Biometric Signatory Transfer

3. Commit the record.

4. Restart JBOSS.

5. This adds a link to the biometric signatory version on the Choose Payment Type screen.


9 Set up One-Touch Password feature

This chapter provides instructions on setting up and testing the One-Touch Password enrollment and authentication feature provided with the DigitalPersona for Temenos module.

Enabling One-Touch Password enrollment

Enrollment of the SMS delivery feature requires that a DigitalPersona administrator has previously created a Nexmo (https://www.nexmo.com) account for the company and entered the Nexmo account information into the OTP Group Policy Object (GPO) setting on the DigitalPersona Server. The required settings are the Nexmo API Key, Nexmo API Server and Nexmo Sender Address; the Custom SMS Message setting is optional. The Nexmo API key is a credential that can send SMS on the company's account, so restrict who can read and edit the GPO that carries it.

For further information see the DigitalPersona Client section, Policies and Settings chapter, in the DigitalPersona Composite Authentication Administrator Guide.

1. Using DL.DEFINE, apply altus-t24-3.1.0-SNAPSHOT-R15.jar\F.DL.DATA\TMNS000-ENQUIRY.

2. Ensure that you can run BIO.CUSTOMER.OTPPHONE enquiry by running "ENQ BIO.CUSTOMER.OTPPHONE" in Model Bank's command.

3. Edit BiometricsWeb.war\src\main\webapp\WEB-INF\web.xml and set enrollCustomerOtp to true. The One-Touch Password will not be enrolled if enrollCustomerOtp is set to false.

   <!-- If true, OTP token will be enrolled for the customer automatically using the phone number supplied in the SMS.1 field of the CUSTOMER record. -->
   <context-param>
       <param-name>enrollCustomerOtp</param-name>
       <param-value>true</param-value>
   </context-param>

Testing One-Touch Password enrollment

The customer record must include a mobile device phone number capable of receiving and responding to the One-Touch Password sent through SMS.

Enter or verify a customer phone number

1. Login as Headteller.

2. Locate a customer, open single customer view and select the Address tab.

3. Verify that Mobile Phone Number 1 is a number capable of receiving and responding to SMS messages. If necessary, enter a different number in the Mobile Phone Number.1 field, in the form +CC-XXX-XXX-XXXX; this is the number that will receive the One-Touch Password.


4. Commit the record.

5. Sign off.
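Automatic OTP enrollment depends on two inputs described above: the enrollCustomerOtp context parameter in web.xml and the mobile number in the CUSTOMER record's SMS.1 field (Mobile Phone Number 1 in the Browser). The following added example (not code from the DigitalPersona or Temenos packages) checks both before the enrollment test is run. The web.xml excerpt and the CUSTOMER records are constructed samples; the 3-3-4 digit grouping in the phone pattern is the guide's +CC-XXX-XXX-XXXX layout and would need relaxing for numbering plans that group digits differently.

```python
"""Pre-flight check for One-Touch Password (OTP) enrollment.

Added example, not code from the DigitalPersona or Temenos packages. It
verifies the enrollCustomerOtp context-param in BiometricsWeb.war's
web.xml and the SMS.1 mobile number of each CUSTOMER record, the two
inputs automatic OTP enrollment relies on. All sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml excerpt in the form the guide shows. The namespace on
# web-app is an assumption about the real file; the parser ignores it.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- If true, OTP token will be enrolled for the customer automatically
       using the phone number supplied in the SMS.1 field of the CUSTOMER record. -->
  <context-param>
    <param-name>enrollCustomerOtp</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>
"""

# Constructed CUSTOMER records keyed by customer id. SMS.1 is the field the
# guide names as the source of the OTP phone number.
SAMPLE_CUSTOMERS = {
    "100384": {"SMS.1": "+1-555-010-0001"},
    "100410": {"SMS.1": "555 0100 002"},   # no country code, wrong layout
    "100500": {},                           # no mobile number at all
}

# The layout the guide asks tellers to enter: +CC-XXX-XXX-XXXX. Country
# codes are 1 to 3 digits; the 3-3-4 grouping is the guide's example.
PHONE_RE = re.compile(r"^\+\d{1,3}-\d{3}-\d{3}-\d{4}$")


def context_params(web_xml_text):
    """Return {param-name: param-value} for every context-param, ignoring namespaces."""
    root = ET.fromstring(web_xml_text)
    params = {}
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "context-param":
            continue
        name = value = None
        for child in elem:
            local = child.tag.rsplit("}", 1)[-1]
            if local == "param-name":
                name = (child.text or "").strip()
            elif local == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params


def otp_enrollment_enabled(web_xml_text):
    """True only when enrollCustomerOtp is present and reads 'true' (case-insensitive)."""
    value = context_params(web_xml_text).get("enrollCustomerOtp") or ""
    return value.lower() == "true"


def otp_phone_problems(customer):
    """Return why a CUSTOMER record cannot receive an OTP, or [] if it can."""
    number = (customer.get("SMS.1") or "").strip()
    if not number:
        return ["SMS.1 (Mobile Phone Number 1) is empty"]
    if not PHONE_RE.match(number):
        return ["SMS.1 %r is not in +CC-XXX-XXX-XXXX form" % number]
    return []


def otp_preflight(web_xml_text, customers):
    """Map each customer id to the list of problems blocking automatic OTP enrollment."""
    flag_problems = []
    if not otp_enrollment_enabled(web_xml_text):
        flag_problems.append("enrollCustomerOtp is not true in web.xml; no OTP will be enrolled")
    return {cid: flag_problems + otp_phone_problems(rec) for cid, rec in customers.items()}


if __name__ == "__main__":
    for cid, problems in otp_preflight(SAMPLE_WEB_XML, SAMPLE_CUSTOMERS).items():
        print(cid, "ready" if not problems else "; ".join(problems))
```

Point context_params at the deployed web.xml rather than the sample, and feed otp_preflight the SMS.1 values of the customers you intend to enroll; a customer listed with problems will not receive the OTP even though the Enroll step itself succeeds.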

Test automatic OTP enrollment

1. Sign in as a teller.

2. Open customer enrollment for a customer that has not previously been enrolled in DigitalPersona for Temenos. Ensure that the corresponding DigitalPersona user has not already been enrolled (i.e. does not exist).

3. Authenticate as the Inputter.

4. Click Enroll. (If customer already exists, an error message is displayed.)


5. Click Enroll Credentials.

6. DigitalPersona Web Enrollment opens.

7. Authenticate as a Customer Security Officer.

8. Review customer enrollment. Note that the customer’s password has been randomized and the One-Time Password credential has been enrolled (as indicated by the label Change at the bottom of the credential tile, shown in the image above).

9. For details on how customer authentication by OTP works during Fingerprint Enrollment, see the Customer Enrollment chapter in the DigitalPersona for Temenos Reference Guide.


Index

A

Active Directory Lightweight Directory Services 6
   instance 10
AD LDS 6
AD Security Officers Groups 9
Add Biometric signatory menu item on the Teller home screen 87
Add links for Biometric Funds Transfer 64
Adding a Biometric Signatory Transfer link 88
Adding menu items and links 62
ADSI Edit 32
altusBaseUrl 35
Authentication policies 68
authorization store name 11

B

Biometric Authentication Setup 35
Biometric signatory menu item on the Teller home screen, adding 87
Biometric Signatory Transfer link, adding 88

C

Credential Manager page 32
Customer authentication policies 70, 71
Customer Security Officers 9

D

Department-level user authentication policy 68
deviceIntegration 35
DigitalPersona Attended Enrollment 31
DigitalPersona Client and T24 Client@Bank 21
DigitalPersona LDS Server 10
DigitalPersona Server Setup 9
DigitalPersona Web Components 10
DisableCustomersIdentification 11
Domain Controller 6
   Tasks 9
doTrace 35
DP Web Authentication Service 11
DPHost service 11
dpt24Name attribute 32

E

Employee Security Officers 9
Enroll initial DigitalPersona administrator 31
enrollCredentialsUrl 35
Enrolling the initial DigitalPersona Administrator 65

F

Fingerprints tile 32
Firefox version 5

H

Hardware requirements 5

I

Install DigitalPersona Server certificate 26, 39, 42
Install the DigitalPersona Web Components certificate 26
Internet Explorer version 6
Introduction 5

L

Local Administrators group 9

M

mandates
   setting up 73
   testing 75
Menu item
   to call a version from the Authoriser home screen 63
   to call a version from the Teller home screen 62
Microsoft Authorization Manager 9

O

Overview 5

R

Requirements
   Hardware 5
   Software 5

S

Sector authentication policies 71
Set up
   a dedicated T24 server 35, 39
   authentication for signatories 77
   DigitalPersona LDS Server 10
   local fields 77
   mandates for a customer 73, 89
   T24 Browser screens 83
   Teller machine 30
Setting up local fields 43
Setting up T24 Browser screens 55
Setup DigitalPersona LDS Server 10
Signatory authentication 73, 89
Software requirements 5
SSL certificate 6

T

T24 Client Setup 21
T24 Client@Bank branch
   Linux 21
   Windows 21
T24 login page 33
Testing biometric login 33
Testing mandates 75

U

Ubuntu 21
user authentication
   user-level 69
User authentication policies 68
user authentication policy
   department-level 68
User-level user authentication policy 69

W

web.xml 35