Introduction

...

  1. Click on the Access navigation tab.

  2. Click on the User Access Groups, Floor Access Groups or Guest Access Groups link.

  3. In the Actions bar, click on Add Access Group. The following screen is displayed:

  4. Enter a Name and a Description.

  5. Select the Risk Levels during which this group will have access: Low, Guarded, Elevated, High or Severe (the current risk level is always displayed at the top of the Primis screen).
    For more information on Risk Levels see the Alert Level Management section.

  6. Select a Controlled Area for this group.

  7. Select a Schedule for the Controlled Area. If that controlled area is not going to be accessed by that User Access Group, leave the schedule as Always Off.

  8. If you need an additional line for extra Controlled Areas and/or Schedules, click the + button beside the current line. To delete a line, click the button.

  9. Click Save.

Global User Access Groups

...

  1. Create a new Controlled Area with the elevator reader.

  2. In the new Controlled Area’s Floor tab, select all the associated Floor Areas; specify the desired activation time and click +.

...

Create a Floor Access Group

...

  1. Configure the firewall to allow incoming connections on port 31415.

  2. Log in to the Primis administration software using the system user. Call Identiv Support if you need the system password.

  3. Click on the System navigation tab.

  4. On the left, click on the Administration link.

  5. Click on the System Parameters sub link.

  6. Click on the siteEngine.ini file to edit it.

  7. Edit the line that reads DBMode=single and change it to DBMode=master

  8. Click Save.

  9. Select and edit a different System Parameters file called start.ini

  10. Edit the line that reads #sds.service=no and change it to sds.service=yes

  11. Click Save and Reboot the server.

  12. Once the system is rebooted, log back in with the system user and go to the System tab.

  13. In the scope pane on the left, click on Utilities.

  14. Click DB Replication.

  15. Fill in the text boxes on the screen. 

    1. Host Name: This is the IP address of the master server.

    2. Sync Name: Name for the configuration. Enter something that will identify the master server. This field must be alpha-numeric.

    3. Sync Protocol: Select http or https. Using https requires additional configuration to install an SSL certificate on the master and slave servers.

    4. Sync Port Number: Select the TCP port number that slave servers will connect to. The firewall must be configured to allow incoming connections on the selected TCP port. The Primis server is preconfigured to support port 31415; additional configuration on the server is required if another port number is used.

  16. Click the Save button.  The master node configuration will be displayed in the Master Node section. The Delete button of the master node allows users to remove the master configuration from the server. It will be disabled if there are slave nodes attached to the master. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process. The Refresh Server Cache button allows users to refresh the Primis server cache to the slave nodes.

Configuring Slave Server

  1. Log in to the Primis administration software using the system user. Call Identiv Support if you need the system password.

  2. Click on the System navigation tab.

  3. On the left, click on the Administration link.

  4. Click on the System Parameters sub link.

  5. Click on the siteEngine.ini file to edit it.

  6. Edit the line that reads DBMode=single and change it to DBMode=slave

  7. Click Save.

  8. Select and edit a different System Parameters file called start.ini

  9. Edit the line that reads #sds.service=no and change it to sds.service=yes

  10. Click Save and Reboot the server.

  11. Once the system is rebooted, log back in with the system user and go to the System tab.

  12. In the scope pane on the left, click on Utilities.

  13. Click DB Replication.

  14. Fill in the text boxes on the screen.

    1. Master Node Registration URL: The URL that the slave server will be connecting to for data replication. The URL should be set to the Sync URL configured on the master server.

    2. Sync Name: Name for the configuration. Enter something that will identify the slave server. This field must be alpha-numeric.

  15. Click the Attach button. The slave node configuration will be displayed in the Node section. The Detach button allows users to remove the node from the data replication. Detaching a slave node is a two-step process; refer to the Detaching Slave Server section below for details. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process.

  16. To verify that the slave server is configured properly, log in to the master server and go to the System tab. Click on Utilities on the left and select DB Replication. The client node should be listed.

  17. To verify that the configuration is good, add a controlled area on the master node and verify that it appears on the slave.

...

  1. Log on to the slave server with the system user and go to the System tab.

  2. In the scope pane on the left, click on Utilities.

  3. Click DB Replication.

  4. Click the Detach button to detach the node from the master.

  5. Log on to the master server with the system user and go to the System tab.

  6. In the scope pane on the left, click on Utilities.

  7. Click DB Replication.

  8. Find the client node and click the Delete button to detach the slave server.

Microsoft Active Directory (AD) Integration

...

  1. Log in to Primis with the system account.

  2. Click on the System navigation tab.

  3. On the left, click on the Active Directory link.

Options – Description

  • Connection Timeout – The connection timeout in seconds to the active directory.

  • Audit Data Enabled – When this is enabled all changes made through the active directory integrations will be logged in the Audit logs. Enabling this option will dramatically increase the number of logs. The minimum hard disk space recommended is 500 GB when this feature is enabled.

  • Web Login Enabled – Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration. It is recommended that for these types of accounts you name them differently than your standard user base to support the integration. To allow the login from this group, you must have the Web Login Enabled box checked.

  • User Sync Start Time – The start time of the synchronization on users, organizational units, and groups from LDAP connections. Multiple synchronizations can be scheduled to run at different times of the day.

  • User Sync Read Timeout – The timeout in seconds before the query issued by user sync is aborted.

  • Force Update Enabled – This will force user updates from the active directory structure.

  • Live Update Enabled – This feature enables an OU, Group, and Access Group attribute check against active directory on every card scan. If disabled it will rely on the data from the scheduled synchronization.

  • Live Update Read Timeout – The timeout in seconds before the query issued by live update is aborted.

  • Live Update On Imported LDAP Connection – This setting is only applicable when multiple LDAP connections are configured. When enabled, if the PIN/carddata is already imported to Primis, Live Update will be first performed on the LDAP connection where the PIN/carddata is imported from in order to speed up the Live Update process.

...

  1. On the Active Directory Configuration page, click the Add LDAP Connection button.

  2. On the LDAP Connection page, enter the connection information of the LDAP Server. 

Options – Description

  • Name – The name of the LDAP connection.

  • Server URL – The URL of the LDAP server.

  • Search Base – Using the query structure, this is the search base for all queries.

  • Domain – The DNS name of the domain that you would like to connect to.

  • Username (User ID) – This is a user that has permissions to query the active directory domain defined.

  • Password – Password of the active directory user.

...

From the search index provided in the setup, the import screen populates with the Groups and Organizational Units (OUs). When selected, it will filter and pull only the selected users into the Primis System to manage.

...

  1. On the LDAP Connection page, click the Import Users button.

  2. Click the AD Users Import/Sync tab.

  3. On the Import Users page: To import all users, check the Import All Users box. To import users from Groups and OUs, click the entry in the Available box to move it to the Selected box. To search users in nested Active Directory groups, select the Nested Group Search checkbox.

...

There are two types of fields to map in the User Attributes Mapping tab: fields that are automatically mapped and user-selected fields.

  1. On the Import Users page, click the User Attributes Mapping tab.

Automatically Mapped Fields

...

To further refine the import criteria for importing users, you can create exclusion filters based on the value of the user’s AD attributes.

  1. On the Import Users page, click the AD Users Import Filters tab. 

  2. There are two ways to specify the user import filter. By selecting the Attribute Exclusion Filter option, you can define filters to exclude certain users from importing to Primis. Alternatively, you can select the Advanced LDAP Filter option to specify the actual import filter query for importing users to Primis.

  3. Define Attribute Exclusion Filter

  4. Define LDAP filter query

  5. Click the Save button to save the configuration.
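
The two filter options in step 2 express the same thing at different levels. As an added illustration (not taken from the Primis documentation or its code), the sketch below turns a set of attribute exclusion rules into a single LDAP filter of the kind that could be entered under Advanced LDAP Filter. The rule format, the base filter, the disabled-account clause and the sample values are assumptions; values are escaped per RFC 4515 so that characters such as * or ) inside an attribute value cannot change the filter's structure.

```python
"""Translate attribute exclusion rules into one LDAP import filter (illustrative)."""
import re

# Assumed base filter: person-type user objects only (no computer accounts).
BASE_FILTER = "(&(objectCategory=person)(objectClass=user))"
# Active Directory bitwise-AND matching rule and the ACCOUNTDISABLE flag.
AD_BIT_AND = "1.2.840.113556.1.4.803"
UAC_ACCOUNTDISABLE = 0x2

# Attribute names are validated, not escaped: letters, digits and hyphens only.
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value):
    """Escape the RFC 4515 special characters: backslash, *, (, ) and NUL."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def rule_to_clause(attribute, op, value=""):
    """Turn one (attribute, operator, value) rule into a filter clause."""
    if not _ATTR_NAME.fullmatch(attribute):
        raise ValueError("invalid attribute name: %r" % attribute)
    if op == "present":
        return "(%s=*)" % attribute
    if not value:
        raise ValueError("operator %r needs a value" % op)
    patterns = {
        "equals": "(%s=%s)",
        "starts_with": "(%s=%s*)",
        "contains": "(%s=*%s*)",
    }
    if op not in patterns:
        raise ValueError("unknown operator: %r" % op)
    return patterns[op] % (attribute, escape_filter_value(value))


def build_import_filter(exclusions, exclude_disabled=True):
    """AND the base filter with the negation of every exclusion clause."""
    clauses = [rule_to_clause(*rule) for rule in exclusions]
    if exclude_disabled:
        # Assumption: disabled AD accounts should never be imported.
        clauses.append(
            "(userAccountControl:%s:=%d)" % (AD_BIT_AND, UAC_ACCOUNTDISABLE)
        )
    if not clauses:
        return BASE_FILTER
    return "(&%s%s)" % (BASE_FILTER, "".join("(!%s)" % c for c in clauses))


# Constructed sample rules; the attribute values are invented for illustration.
SAMPLE_EXCLUSIONS = [
    ("department", "equals", "Contractors (Temp)"),
    ("sAMAccountName", "starts_with", "svc-"),
    ("description", "contains", "*"),
]

if __name__ == "__main__":
    print(build_import_filter(SAMPLE_EXCLUSIONS))
```

Running the resulting filter as a read-only directory search before saving it shows exactly which accounts the import would pick up.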

...

Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration.  It is recommended that for these types of accounts, you name them differently than your standard user base to support the integration.

For this section to allow the login from this group, you must have the Web Login Enabled box checked on the configuration page.

...

Mapping Access Group Field to Physical Access Group

The Primis system will pull into the attribute list a list of all possible attributes that are currently loaded within the active directory.  On every card scan, Primis will ask the active directory if the user has the variable that is selected.

...

  • Umbrella Company Management: By Company name for contractors, and employees, you can grant access to areas between time frames.

  • Business Specific Attributes: Every business has attributes that can drive access to physical areas:

...

  • Geographic Association: Allowing anyone from the state to have general access to your front door and lobby area.

  • Clearance Levels: Clearance in AD allows for internal controls on physical areas the same way you would allow AD.

Personal Identity Verification

When equipped with FICAM-capable readers, Primis can perform real-time PKI verifications during PIV card access.

...

VeriCert is a desktop application that registers PIV credentials into Primis PACS and Validation System. With VeriCert’s intuitive design, a PIV cardholder’s credential can be fully authenticated, validated, registered, and provisioned within seconds, allowing the cardholder access to a specified set of doors.

...

  1. On the menu bar, click on Settings, and select Application Settings…

  2. From the Enrollment Reader dropdown list, select the USB smartcard reader detected by the software. To detect a newly installed reader, click the Refresh button to update the dropdown list.

  3. If the smartcard reader has a built-in keypad:

    1. Check Use Reader’s Keypad to Enter PIN to use the smartcard reader’s keypad to enter PIN.

    2. Uncheck Use Reader’s Keypad to Enter PIN to use the Workstation’s keyboard to enter PIN.

  4. From the Printed Name Pattern dropdown list, select the name pattern that will be used to parse the printed name on a PIV credential. The user is able to test the selected pattern by clicking the Test button to test if the pattern can produce the expected result.

  5. Click Save to update the Application settings.

Other Application Settings

  • Proxy server – the URL of the proxy server through which the OCSP server can be accessed.

  • FICAM Compliance – this setting allows VeriCert to omit PKI validation during registration. This setting should always be checked during normal operation.

  • Match Cardholder Fingerprint – this setting tells VeriCert to find a fingerprint match during registration. If this setting is enabled but no matching fingerprint is obtained, VeriCert will fail registration.

  • Additional Validation Details – this setting lets VeriCert record additional certificate details during validation and is useful for troubleshooting.

  • Site ID’s – this setting allows VeriCert to restrict the set of Access Groups that cardholders can be assigned to. By default, this field is empty, meaning cardholders can be assigned to Access Groups from all sites.

...

  1. On the menu bar, click on Settings, and select Connection Settings…

  2. In the Protocol field, select the Primis API protocol. Default is HTTP.

  3. In the Server Address field, enter the IP Address of the Primis API Server. Default is 192.168.123.101.

  4. In the Port field, enter the port of the Primis API Server. Default is 9000.

  5. In the Username field, enter a Primis Admin User’s Username. Default is primis.

  6. In the Password field, enter a Primis Admin User’s Password. Default is Identiv.

  7. Click on the Test Connection button to ensure that VeriCert can contact the Primis API using the given settings. A Connection Successful notification will be shown if settings are correct.

  8. Click Save to update settings.

...

Note that when a redundant certificate is being added, Primis will ignore the new entry. A redundant entry means that the Issuer name and serial number of the certificate already exist in the store.

Certificate Policies

...

  1. Go to System -> PIV -> Certificate Policies.

  2. Click the tab that represents the certificate type of interest.

  3. Enter the OID string (e.g. 2.16.840.1.101.3.2.1.48.11), enter the description text (optional), and click the button.

To remove a Certificate Policy OID:

Click the X button next to the OID.

...

Extended Key Usage Extensions

...

  1. Go to System -> PIV -> Ext. Key Usage.

  2. Click the tab that represents the certificate type of interest.

  3. Enter the OID string (e.g. 2.16.840.1.101.3.2.1.48.13), enter the description (optional) and click the +  button.

To remove an extended key usage extension constraint:

Click the button next to the OID.

...

PKI Fault Options

...

  1. Go to System -> PIV -> PKI Fault Options.

  2. Check or Uncheck fault options.

  3. Click Save to update.

CRL Summary

Primis downloads CRL information for all cardholders in the database periodically. It provides a summary of the number of revoked certificates under each relevant issuer. See System -> PIV -> CRL Summary:

...

  1. Enroll a PIV cardholder into Primis by VeriCert.

  2. Go to Users, and edit the user profile.

  3. Enable the Admin function for the user.

  4. Enter the logon User ID, password and appropriate privileges.

  5. Click Save.

  6. Add the PIV card's Root Certificate in System -> PIV -> Certificate Manager.

  7. Restart Primis server (System -> Utilities -> Reboot).

  8. In Windows, make sure “Certificate Propagation Service” is enabled and started.

  9. Insert PIV card into reader.

  10. In Chrome browser, go to https://<PrimisServerIP>:8443/

  11. Select the PIV Authentication Certificate for the card.

  12. Enter PIN.

  13. Once the PIN is validated, the browser will log in to Primis Admin.

...

  1. Select the Controlled Area

  2. Click the Geo Location tab.

  3. For GPS based access, select the GPS radio button.

  4. Enter Latitude, Longitude, radius, and the unit (e.g. Feet or Meter) that best cover the entrance area.

  5. Click Enabled to activate Geo Location access for this area.

  6. For Beacon based access, repeat steps 1 – 2 and click the Beacon radio button instead.

  7. Select the Unique ID from the Beacon dropdown list. For details on allocating Beacons in Primis, see the next section Configuring Beacon Access.

  8. Click Enabled to activate Beacon access for the area.

...

5. Click the Sync checkbox to enable periodic updates to Beacon status information. The default behavior is every two hours.

...

Mobile Device Registration

...

  1. Go to System -> Mobile.

  2. Click Email Config.

  3. Enter the email server’s address and the sender address of the registration email.

Configuring the registration Email Template

  1. Go to System -> Mobile.

  2. Click menu item Mobile Onboard Email Template.

  3. Enter Mail Subject Text, e.g. Mobile App Registration.

  4. Enter Mail Content that shall contain links to download Mobile App, user password and any information that is valuable to the registration process.

  5. A reserved token USER_PASSWORD can be embedded in the mail content which will then be replaced by the user password assigned during the registration process.

Managing Enterphone MESH Panels

...

  1. Click on the Events navigation tab.

  2. Select a range of dates in the From and To Dates. Note that the maximum number of days is 31.

  3. Click Search

  4. Download the search result in CSV Format.

...

AMS-Lite supports the ability to monitor the system without maps. The purpose of this mode is to give end users who choose not to use the mapping of devices a clear way to list and report on the status of all of the devices.

...

This version of Primis includes many enhancements to the ability to quick search and apply actions to the controlled areas, including the ability to acknowledge and clear the alarms listed.

...

Number Of Pending Alarms

A Live Alarm List Count displays on the alarm icon on all screens and will indicate if there is an alarm on the sites that you have access to see.

...

In the center panel of the alarm monitor tab, you will see the alarm data come into the system.  This is for the primary system.

...

When a system is acknowledged and cleared, the documentation and notes of the operator show on the alarm monitor report. The following is shown in the report:

...

Navigation: Monitor With Maps And Video

This section does not cover how to set up and configure video services. Instead, it covers only the overview of how to navigate using the video services.

...

Navigation Overview: Controlled Area Icon Supported Actions

...

  • Clicking on the alarm in the bottom alarm tray will snap to the alarm, and pull the alarm video associated with the alarm on the right-hand video alarm panel:

  • Right-clicking the controlled area will give you the option to change the state of the controlled area and to acknowledge and clear the alarms.

...

  • While the bridge is connected the reader shows a dark black. If the reader is offline it shows a grey.

...

  • If the camera is online it shows black. If the camera is disconnected it will show a grey with a line through it.

...

Live Video For Mapped Cameras

Scrolling over the event video shows the video screen as shown below.

...

Select the [Export View] icon at the top right of the screen. This is known as the Export Video button, which is covered later in this chapter. This does not export video, however; it exports the video to be monitored from a separate window.

...

  1. Export Video

  2. Create a name and enter it into the system:

  3. Select Save

Navigation Overview: Event Video

...

  1. In the Controlled Areas navigation tab, click on the Maps link. The following screen is displayed:

  2. Current maps are listed on the left and the controlled areas are listed on the right. Click on a map to view it; click on the edit button to change the file associated with this map.

  3. To add a new map, click on the +Add Map button. The following screen is displayed:

  4. Enter Name and a Description for the map.

  5. Click the [Choose file] button beside Map Image to import the map file image.

  6. Click the [SAVE] button.

...

  1. Click on the Controlled Areas navigation tab.

  2. On the left, click on the Maps link. The following screen appears:

  3. Drag and drop controlled areas onto the point.

Place Video Icon On Map

To set up the video portion of the system, you must log in as the system administrator account and ensure that video is enabled. If video is still not enabled after turning this setting on, you may need to check your server activation and ensure you have NVR Video licensing enabled.

...

This will allow the mapping of the camera as an individual device.  To attach a video feed to a controlled area, you must navigate to Controlled Area, select the controlled area, and select the Cameras tab.  This will then show the video icon attached to the controlled area:

Mapping Icons

Scrolling over an icon will show the name and a trash can icon. Click on the trash can icon to remove the controlled area or camera from the map:

...

Scrolling over an icon will show the name and a trash can icon. Click on the trash can icon to remove the controlled area or camera from the map:

...

Icons can be added to a map to indicate whether a controlled area is Closed, Open, or in Lockdown. Primis comes with three standard icons. Images of these icons can be changed on the Icons page.

To change a controlled area map icon:

  1. In the Controlled Areas navigation tab, click on the Icons link. The following screen is displayed:

  2. Click the [Choose file] button beside the icon to change and navigate to the new icon image and click Open.

  3. The selected file name is displayed. Click the [Update] button to replace the icon image with this new image.

...