morphoaccess parameters guide

MorphoAccess Parameters Guide November 2009

SSE-0000062458-05

Produced by Sagem Scurit Copyright 2009 Sagem Scurit www.sagem-securite.com

MorphoAccess

Parameters Guide

2 Sagem Scurit document. Reproduction and disclosure forbidden SSE-0000062458-05

Table of Contents

REVISIONS HISTORY 5

SSCCOOPPEE OOFF TTHHEE DDOOCCUUMMEENNTT 6

CCOONNFFIIGGUURRAATTIIOONN FFIILLEE OORRGGAANNIIZZAATTIIOONN 8

PPAARRAAMMEETTEERR MMOODDIIFFIICCAATTIIOONN 9

NNOOTTAATTIIOONN 9

[[SSEECCTTIIOONN IINN CCOONNFFIIGGUURRAATTIIOONN FFIILLEE]] 9

SSSSLL SSEECCUURRIINNGG CCOONNFFIIGGUURRAATTIIOONN KKEEYYSS 9

WWII--FFII CCOONNFFIIGGUURRAATTIIOONN KKEEYYSS 10 DDEESSFFIIRREE CCOONNFFIIGGUURRAATTIIOONN KKEEYYSS 10

AAPPPPLLIICCAATTIIOONN FFIILLEE ((AAPPPP..CCFFGG)) 11

[[BBIIOO CCTTRRLL]] 11

[[CCOONNTTAACCTTLLEESSSS]] 15

[[RREELLAAYY]] 18

[[SSEENNDD IIDD UUDDPP]] 18

[[SSEENNDD IIDD EETTHHEERRNNEETT]] 18

[[TTAAMMPPEERR AALLAARRMM]] 20

[[SSEENNDD IIDD WWIIEEGGAANNDD]] 20

[[SSEENNDD IIDD DDAATTAACCLLOOCCKK]] 23

[[SSEENNDD IIDD SSEERRIIAALL]] 24

[[FFAAIILLUURREE IIDD]] 25

[[LLOOGG FFIILLEE]] 26

[[LLEEDD IINN]] 27

[[GG..UU..II]] 27

[[MMOODDEESS]] 28

[[DDAATTAACCLLOOCCKK IINN]] ((MMOORRPPHHOOAACCCCEESSSS 550000 SSEERRIIEESS OONNLLYY)) 30 [[WWIIEEGGAANNDD IINN]] ((MMOORRPPHHOOAACCCCEESSSS 550000 SSEERRIIEESS OONNLLYY)) 30 [[IINNFFOO]] 31

[[KKEEYYBBOOAARRDD]] ((MMOORRPPHHOOAACCCCEESSSS 550000 SSEERRIIEESS OONNLLYY)) 31

BBIIOOMMEETTRRIICC SSEENNSSOORR PPAARRAAMMEETTEERRSS ((BBIIOO..CCFFGG)) 33

[[BBIIOO CCTTRRLL]] 33

AADDMMIINNIISSTTRRAATTIIOONN SSEETTTTIINNGGSS ((AADDMM..CCFFGG)) 34

[[RREEMMOOTTEE MMAANNAAGGEEMMEENNTT TTCCPP]] 34

[[RREEMMOOTTEE MMAANNAAGGEEMMEENNTT SSEERRIIAALL]] ((MMOORRPPHHOOAACCCCEESSSS 550000 SSEERRIIEESS OONNLLYY)) 34 [[DDIISSTTAANNTT SSEESSSSIIOONN]] 35

SSE-0000062458-05 Sagem Scurit document. Reproduction and disclosure forbidden. 3

[[RREEMMOOTTEE MMAANNAAGGEEMMEENNTT SSSSLL]] 35

NNEETTWWOORRKK PPAARRAAMMEETTEERRSS ((NNEETT..CCFFGG)) 37

[[BBOOOOTT PPRROOTTOO]] 37

[[PPAARRAAMMEETTEERRSS]] 37

[[DDEEVVIICCEE]] 37

SSSSLL PPRROOFFIILLEESS ((SSSSLLPPRROOFFIILLEE..CCFFGG)) ((SSSSLL UUSSEE OONNLLYY)) 38

[[MMIISSCCEELLLLAANNEEOOUUSS]] 38

[[PPRROOFFIILLEE00]] 38

[[PPRROOFFIILLEE11]] 40

GG..UU..II.. FFIILLEE ((GGUUII..CCFFGG)) 42

[[KKEEYY SSCCRREEEENNSS]] ((MMOORRPPHHOOAACCCCEESSSS 550000 SSEERRIIEESS OONNLLYY))((OONNLLYY IINN EEXXTTEENNDDEEDD TTIIMMEE AANNDD AATTTTEENNDDAANNCCEE MMOODDEE)) 42

EEXXEE FFIILLEE ((EEXXEE..CCFFGG)) 44

[[IINNIITT SSTTAATTEE]] 44

[[SSWWIITTCCHH AAPPPP]] 44

WWII--FFII FFIILLEE ((WWIIFFII..CCFFGG)) ((WWII--FFII UUSSEE OONNLLYY)) 45

[[AACCCCEESSSS PPOOIINNTT:: XXXXXX]] 45

[[PPRROOFFIILLEE:: YYYYYY]] 46

[[PPRROOPPEERRTTIIEESS]] 47

EENNRROOLLMMEENNTT AAPPPPLLIICCAATTIIOONN ((EENNRR..CCFFGG)) 48

[[CCOONNTTAACCTTLLEESSSS]] 48

LLOOGGSS FFIILLEE ((LLOOGG..CCFFGG)) 49

[[LLOOGGPPAARRAAMM]] 49

[[SSYYNNCCHHRROO]] 50

RREEMMOOTTEE MMEESSSSAAGGEESS ((RREEMMOOTTEEMMSSGG..CCFFGG)) 51

[[IINNTTEERRFFAACCEESS]] 51


EEVVEENNTTSS ((EEVVEENNTTSS..CCFFGG)) 52

[[GGEENNEERRAALL]] 52

[[BBIIOO__CCHHGG]] 52

[[LLOOGG__FFUULLLL]] 53

SSUUPPPPOORRTT 54

CCUUSSTTOOMMEERR SSEERRVVIICCEE 54

HHOOTTLLIINNEE 54


RREEVVIISSIIOONNSS HHIISSTTOORRYY

Date Firmware Description

July 08 All Add bio\bio ctrl\FFD security level configuration key description (MA5x1 device only).

New description for app\failure ID\ configuration keys

2.07 Add SSL configuration keys

Add app\relay\external control by LED1 new configuration key

2.09 Add bio\bio ctrl\finger type new configuration key for compatibility with the juvenile option of MA2xx and MA3xx devices.

Add Idle mode configuration key.

Add app\modes\timeouts new configuration key

Add extended Time and Attendance feature configuration keys

Add app\keyboard\timeouts new configuration key

Add app\send ID Wiegand\built frame new configuration key

Add app\contactless\event on new configuration key

Add WiFi configuration keys

June 2009

2.10 Add MA 500+ Series and DESFireTM terminals

October 2009

2.11 Add events, logs, remotemsg files.

Add exe\init\startup configuration key

Add app\log\full handling configuration key

Add new Wi-Fi configuration keys


SSCCOOPPEE OOFF TTHHEE DDOOCCUUMMEENNTT

This guide relates to the use of MorphoAccess 500 and 100 Series terminals.

MorphoAccess 500 Series is a generic appellation which gathers MorphoAccess terminals belonging to MA 500+ Series, OMA 500 Series and MA 500 Series. Corresponding list of products is depicted in the table below.

Biometrics

Contactless Smartcard Reader

False Finger

Detection Outdoor

MIFARE DESFire

MA 500+ Series

MA 500+

MA 520+ D

MA 521+ D

OMA 500 Series

OMA 520 D

OMA 521 D

OMA 520

OMA 521

MA 500 Series

MA 500

MA 520

MA 521


MorphoAccess 100 Series is made up of following list of products.

Biometrics

Contactless Smartcard Reader

iClass MIFARE DESFire

MA 100 Series

MA 100

MA 110

MA 120

MA 120 D


CCOONNFFIIGGUURRAATTIIOONN FFIILLEE OORRGGAANNIIZZAATTIIOONN

This document gives an exhaustive description of the MorphoAccess 500 and 100 Series configuration parameters.

MorphoAccess parameters are stored into files organized into sections and values.

Each section corresponds to a given functionality described by various parameters.

For example a file named app.cfg contains all the parameters defining the main application settings.

[bio ctrl]

identification=1

nb attempts=2

[log file]

enabled=1

Each file is associated to a type file defining the parameters type.

[bio ctrl]

identification=bo(e)

nb attempts=in(1,2)

[log file]

enabled=bo(e)

NOTE: Since software version 2.00, some configuration keys have been renamed or moved.

When configuration comes from software updating the previous set key value is unchanged.


PPaarraammeetteerr mmooddiiffiiccaattiioonn

There are two main ways to modify a parameter.

For MorphoAccess 500 Series only, directly on the terminal using the Configuration Application. Please refer to Configuration Application User Guide for more information about this application.

[app]/send ID udp

host address

134.1.2.189

EDIT > EXIT

Remotely through IP or Serial link with a client application.

NNoottaattiioonn

The notation below is employed:

[[sseeccttiioonn iinn ccoonnffiigguurraattiioonn ffiillee]]

ppaarraammeetteerr nnaammee 11 ddeeffaauulltt vvaalluuee [[mmiinn__vvaalluuee--mmaaxx__vvaalluuee]]

Parameter details.

ppaarraammeetteerr nnaammee 22 ddeeffaauulltt vvaalluuee ((vvaalluuee__11,, vvaalluuee__22))

Parameter details.

SSSSLL sseeccuurriinngg ccoonnffiigguurraattiioonn kkeeyyss

Several keys let the administrator configuring the system to use SSL for remote connections. This feature is enabled for MorphoAccess 500 and 100 Series.

To secure using SSL, refer to the specific documentation MATM SSL Solution for MorphoAccess and use MATM Security Plugin.


Configuration keys marked SSL use only have not to be modified manually. They should be managed only with the MATM Security Plugin.

It is recommended to use Sagem Scurits Active MACI as remote SSL client communication layer and to configure SSL using MATM Security Plugin.

Do not configure SSL using another way.

WWII--FFII ccoonnffiigguurraattiioonn kkeeyyss

Several keys let the administrator configuring the terminal to use WI-FI USB adapter instead of the classical Ethernet cable.

To configure a WI-FI connection, please use the MATM WI-FI Wizard Plugin or use the Easy Setup assistant (on MorphoAccess 500 Series only)

Configuration keys marked Wi-Fi use only must not be modified manually. They should be managed only with the MATM WI-FI Wizard Plugin.

DDEESSFFiirree ccoonnffiigguurraattiioonn kkeeyyss

Special keys only appear on terminals that have a DESFire contactless smart card reader. In that case, these keys are marked as DESFire terminals only.


AAPPPPLLIICCAATTIIOONN FFIILLEE ((AAPPPP..CCFFGG))

[[bbiioo ccttrrll]]

iiddeennttiiffiiccaattiioonn 11 ((00,, 11)) ((ddeeffaauulltt mmooddee oonn MMoorrpphhooAAcccceessss 110000 aanndd

550000))

When activated the terminal works in identification mode: captured fingerprint is matched against the terminal database. The access is granted if the captured fingerprint matches with one of the templates stored in the database.

On terminals equipped with a contactless smartcard reader, identification is disabled by default.

iiddeennttiiffiiccaattiioonn ttiimmeeoouutt 55 [[11--6600]]

Time given to the user to present his finger after a first incorrect identification.

nnbb aatttteemmppttss 22 ((11,, 22))

A value of 2 means that after a first incorrect identification or authentication a second chance is given. Set this parameter to 1 to offer only one attempt.

bbyyppaassss aauutthheennttiiccaattiioonn 00 ((00,, 11))

If set to 1, the biometric check is disabled (this applies to authentication modes only).

aauutthheenntt ccaarrdd mmooddee 00 ((00,, 11)) ((oonnllyy oonn tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

If set to 1, the content of the "CARDMODE" tag of the contactless card specifies which optional checks have to be successful to allow the access: PIN check (yes or no) and Biometric check (yes or no).

Refer to MorphoAccess Contactless Card Specification for further information about the CARDMODE tag.

aauutthheenntt PPKK ccoonnttaaccttlleessss 11 ((00,, 11)) ((oonnllyy oonn tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

If set to 1, the access is granted if the captured fingerprint matches one of the templates read on the contactless card (tag "PK1" and PK2).


aauutthheenntt IIDD ccoonnttaaccttlleessss 00 ((00,, 11)) ((oonnllyy oonn tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

If set to 1, the access is granted if the captured fingerprint matches one of the templates stored in the terminal database, indexed by the content of the "ID" tag on the contactless card.

aauutthheenntt IIDD kkeeyybbooaarrdd 00 ((00,, 11)) ((oonnllyy iinn MMoorrpphhooAAcccceessss 550000 SSeerriieess))

If set to 1, the access is granted if the captured fingerprint matches one of the templates stored in the terminal database, indexed by the numeric value entered on the keyboard.

aauutthheenntt rreemmoottee IIDD ssoouurrccee 00 [[00--22]] ((oonnllyy iinn MMoorrpphhooAAcccceessss 550000 SSeerriieess))

Specified if the user ID has to be received on Wiegand/DataClock port, and if yes, in which format: either Wiegand frame or DataClock frame. This received user ID is used to retrieve the users templates in the database. The access is granted if the captured fingerprint matches one of the retrieved templates.

Value Description

0 Signals received from Wiegand/Dataclock port are ignored

1 The user ID is received within a Wiegand frame on Wiegand/DataClock

port. The Wiegand frame format to be received is described in [wiegand in] section.

2 The user ID is received within a DataClock frame on Wiegand/DataClock

port. The DataClock signal to be received is described in [dataclock in] section.

aauutthheenntt ttiimmeeoouutt 1100 [[11--6600]] ((oonnllyy iinn MMoorrpphhooAAcccceessss 550000 SSeerriieess,, aanndd MMoorrpphhooAAcccceessss 110000 SSeerriieess tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

Defines (in seconds) the delay given to the user to place a finger on the sensor, after user ID acquisition: read on users contactless card, seized on the keyboard (MorphoAccess 500 Series only), or received through Wiegand/DataClock port (MorphoAccess 500 Series only).

BBIIOOPPIINN eennaabblleedd 00 ((00,, 11)) ((oonnllyy iinn MMoorrpphhooAAcccceessss 550000 SSeerriieess eeqquuiippppeedd wwiitthh aa ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

This feature allows replacing normal biometric check, by a numeric code (BIOPIN) check. This is an option of authent PK contactless mode, and it requires that the contactless card contains a BIOPIN code (tag BIOPIN), and no templates (neither tag PK1, nor tag PK2).

As this check is an option, the key authent PK contactless must be set to 1.


ccoonnttrrooll PPIINN 00 ((00,, 11)) ((oonnllyy iinn MMoorrpphhooAAcccceessss 550000 SSeerriieess eeqquuiippppeedd wwiitthh aa ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

If no contactless authentication feature is enabled, the access is granted when the user enters a PIN code, using the keyboard, which matches the PIN code value read on the contactless card (tag PIN).

If one of the authent PK contactless or authent ID contactless feature is enabled (MorphoAccess that are able to encode cards only), the access is granted when the PIN check (as described above) and the biometric check are both successful.

AACC__IIDD FFIINNGGEERR;;CCAARRDDDDAATTAA;;KKBBDD;;WWGGDDTTCCLLKK;;

This key specifies on which kind of identifier the access rights are assigned. Indirectly it defines the actions which are allowed to start an access control process (access request).

This key also specifies the priority level of each kind of identifier when several identifiers are acquired: the highest priority is assigned to the first identifier specified in the configuration key (default: FINGER), and the lowest priority to the last identifier (default: WGDTCLK). For now, this priority feature is limited to contactless card authentication modes only.

Identifier type Description

FINGER The access request starts when a fingerprint is detected on the sensor. The fingerprint enables to retrieve the Users Identifier stored in local database.

This identifier type is ignored when the identification mode is not activated.

If this identifier type is missing in the configuration key, then the identification mode is automatically out of order.

CARDDATA The access request starts when a users identifier is read in the contactless card data (either a TLV formatted data, or a binary data according to the app/contactless/data format configuration key).

This identifier type is ignored when none of the contactless card authentication modes is activated.

This identifier type is ignored if the 2 bit flag value is not included in the app/contactless/event on configuration key.

If this identifier type and CARDSN type are missing in the configuration key, then all the contactless card authentication modes are automatically out of order.

KBD [MorphoAccess 500 Series only]

The access request starts when a users identifier is seized on the keyboard.

If this identifier type is missing, the access control by authentication mode activated by the app/bio ctrl/authent ID keyboard configuration key is disabled.


Identifier type Description

WGDTCLK [MorphoAccess 500 Series only]

The access request starts when a users identifier is received from the Wiegand/DataClock port.

If this identifier type is missing, the access control by authentication mode activated by the app/bio ctrl/authent ID source configuration key is disabled.

CARDSN:STD [Only for terminals equipped with a contactless smartcard reader]

This mode can not be used when card profile reading is configured.

The access request starts when an ISO14443 type A card serial number is read. The users identifier is the ISO14443 type A card serial number, in standard format (Card UID bytes are read in normal order).

It means that the hexadecimal card UID 0xFEA7B152 value gives a users identifier equal to 4272402770.

This identifier type is ignored when none of the contactless card authentication modes is activated.

The identifier type is ignored when the 1 bit flag value is not included in the app/contactless/event on configuration key.

If this identifier type and CARDATA type are missing in the configuration key, then all the contactless card authentication modes are automatically out of order.

CARDSN:REV [Only for terminals equipped with a contactless smartcard reader]


Same as CARDSN:STD except that the Card UID bytes are read in reverse order.

It means that the hexadecimal card UID 0xFEA7B152 value gives a users identifier equal to 1387374590.

NOTE: Identifiers must be separated by a ; character, and the final ; character is mandatory.

Priority example:

On a MorphoAccess 520, the key AC_ID is set to:

FINGER;CARDDATA;CARDSN:STD;KBD;WGDTCLK;

The user presents a MIFARE card containing two templates and a user ID stored in TLV format. It is assumed that the MorphoAccess 520 has the relevant MIFARE authentication keys (it means that the data stored on the card can be read by the terminal):


the CARDDATA condition is satisfied because there is a user ID stored in the contactless card, and its value can be read by the terminal,

the CARDSN:STD condition is also satisfied because the Card UID is available from any ISO14443 type A card, such a MIFARE

card,

but finally, the access control process uses the User ID (CARDDATA identifier type) because the CARDDATA; identifier type is before the CARDSN:STD; identifier type, in the AC_ID configuration key.

Now the user presents a virgin MIFARE card:

the CARDDATA condition is not satisfied, as there is none data stored on the card,

the CARDSN:STD condition is satisfied, because the Card UID is available from any ISO14443 type A card, such a MIFARE card,

so, the access control process uses the Card UID (bytes read in direct order) because the CARDSN:STD is the only one condition satisfied.

[[ccoonnttaaccttlleessss]]

This section applies only to MorphoAccess equipped with a contactless smart card reader.

CC 11 ((11,, 22,, 33))

1: Key A then B are presented to read a MIFARE card.

2: Key A only.

3: Key B only.

BB 44 [[00--221155]]

First block read on MIFARE cards.

ddaattaa ffoorrmmaatt 00 ((00,, 11))

When this feature is activated, the identifier is read at a given offset (defined by data offset) on the card and is supposed to be binary.


ddaattaa ooffffsseett 00..00 [[nnuummbbeerr ooff bbyytteess]]..[[aaddddiittiioonnaall bbiittss]]

Defines the offset in the read block defined by B.

ddaattaa lleennggtthh 88..00 [[nnuummbbeerr ooff bbyytteess]]..[[aaddddiittiioonnaall bbiittss]]

ID size in bytes, with possible additional bits.


ddaattaa ttyyppee 00..11 [[ffoorrmmaatt]]..[[ddiirreeccttiioonn]]

0.1 (binary data, MSB first)

0.0 (binary data, LSB first RFU)

HHIIDD kkeeyy vvaalliidd 11 ((00,,11)) ((oonnllyy ffoorr tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa iiCCllaassss ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

1 means iClass security keys are valid

0 means the key is not valid. Default key will be restored.

HHIIDD ssttaarrtt ppaaggee 11 [[11 55]] ((oonnllyy ffoorr tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa iiCCllaassss ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

First page read on iClass 16K16 cards.

HHIIDD ssttaarrtt bblloocckk 1199 [[1199 117777]] ((oonnllyy ffoorr tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa iiCCllaassss ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

First block read on iClass 16K2 cards.

HHIIDD mmooddee 22 ((oonnllyy ffoorr tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa iiCCllaassss ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

Do not edit this value.

eevveenntt oonn 22 ((00 -- 6655553355))

This bit field mask specifies which kind of contactless data are available for the future access control request.

Value Identifier on which is based the access control process

0 None.

This value disables all authentication modes based on a contactless card (all contactless cards are ignored).

1 ISO 14443 type A Card UID (Unique IDentifier)

The MorphoAccess can use only the ISO 14443 type A Card UID for the access control request, even if more contactless data were read.

2 Card data: data read on the card (default value).

The MorphoAccess can use only Card data for the access control request, even if the Card UID was read.

Either a TLV formatted data (usually the User Identifier) or a binary formatted data (such as a serial number), as specified by the app/contactless/data format configuration key.

3 The MorphoAccess can use both ISO 14443 type A Card UID and Card data, if it can read the Card data.

This configuration key is used in combination with the app/bio ctrl/AC_ID configuration key.


eennaabblleedd pprrooffiilleess ((oonnllyy ffoorr tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa DDEESSFFiirree ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

It is possible to enable card reading for:

- DESFire cards only,

- MIFARE cards only,

- DESFire and MIFARE cards.

The key enables cards reading profiles. This key is a bit field:

Value Enabled profiles

0 No profile is enabled.

If card reading is set by the standard existing registry keys (see above). MIFARE card reading is enabled.

1 DESFire card profile enabled.

Terminal will only accept DESFire cards. The profile can be customized by /app/contactless/desfire params key.

2 MIFARE card profile enabled.

The parameters are set in the standard existing registry keys (see above).

3 Both DESFire card profile and MIFARE card profile are enabled.

If one DESFire card and one MIFARE card are presented at the same time, DESFire card will be read.

Default value on DESFire terminals: 0x03 (DESFire and MIFARE card).

ddeessffiirree ppaarraammss ((oonnllyy ffoorr tteerrmmiinnaallss eeqquuiippppeedd wwiitthh aa DDEESSFFiirree ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr))

This is a bit field to enable/disable DESFire card profiles features.

Value Enabled features

0 All following features are enabled.

1 Do not format card before writing it (for encoding only).

Default: the card is formatted.

2 Do not enable key rotation on the fly.

Default: the key rotation is disabled.


16 Do not diversify cards Master PICC key.

Default: Master PICC key is diversified with the Sagem Scurit diversification algorithm.

All the other bits are reserved for a future use.

Default value is 2 (do not enable key rotation on the fly).

See MorphoAccess Users Guide for details about these features.

[[rreellaayy]]

aappeerrttuurree ttiimmee iinn 1100mmss 330000 [[5500--6600000000]]

The relay aperture time can be defined with this parameter.

eennaabblleedd 11 ((00,, 11))

Activates the relay after a successful control during the previous time.

rreellaayy ddeeffaauulltt ssttaattee 00 ((00,, 11))

Defines the relay default state (when access is not authorized).

eexxtteerrnnaall ccoonnttrrooll bbyy LLEEDD11 00 ((00,,11))

The relay is switched during the previous time, when LED1 is set to the ground, otherwise it remains in the default state. (This functionality is not compatible with the LED IN functionality)

[[sseenndd IIDD UUDDPP]]

hhoosstt nnaammee 113344..11..22..118899 ((IIPP aaddddrreessss oonnllyy))

Defines the IP address of the host that will receive the user ID messages.

hhoosstt ppoorrtt 1111002200 [[00--6655553355]]

Defines the host port on which the user ID messages are sent.


Activates the sending of user ID messages (access control check result), thought IP link, using UDP protocol.

[[sseenndd IIDD eetthheerrnneett]]

ccoonnnneecctt ttiimmeeoouutt 22000000 (([[11--6655000000]]

Timeout used for connection, reading and writing data (at TCP/UDP level) to/from the remote controller. This timeout is a multiple of 10 ms (2000 means 20 seconds).


ccoonnttrroolllleerr 11 ppoorrtt 1111002200 [[00--6655000000]]

Defines the controllers port on the network.

ccoonnttrroolllleerr 11 IIPP 113344..11..22..118899 ((IIPP aaddddrreessss oonnllyy))

Defines the controllers IP on the network.

ccoonnttrroolllleerr 22 ppoorrtt 1111002200 [[00--6655000000]]

Defines the alternative controllers port on the network.

ccoonnttrroolllleerr 22 IIPP 113344..11..22..118899 ((IIPP aaddddrreessss oonnllyy))

Defines an alternative destination controllers IP on the network.

mmooddee 00 [[00 -- 44]]

Value Description

0 Default value: ID messages sending disabled.

1 ID messages sending enabled, UDP protocol used.

2 ID messages sending enabled, TCP protocol used.

3 Same as 2, but in case of failure the terminal automatically switches to mode 1 (protocol UDP).

4 Not used.

ttiimmeeoouutt bbaacckk ttoo ccoonnttrroolllleerr 11 33660000 [[00--77220000]]

When alternative controller is activated (mode 2), on connection to default controller failure, the terminal switches to alternative controller.

While the duration of timeout back to controller 1 timeout, the MorphoAccess tries first to connect to the alternative controller, before switching back to the default controller in case of error.

When timeout elapsed, the terminal automatically tries to connect first to controller 1.

Value of 0 means that default controller is always reached before the alternative controller.

ccoonnttrroolllleerr oonn nnoo rreessppoonnssee [[00--11]]

If enabled (default), the terminal is able to grant access in case of communication failure. If disabled, the terminal will always deny access on communication failure.

profile id [0-1] (SSL use only)

Do not change this key manually. Please read section SSL securing configuration keys at the beginning of this document.

Indicates the SSL profile (index in configuration file sslprofile.cfg) used by the send ID Ethernet feature when SSL is enabled.


SSL enabled [0-1] (SSL use only)


If enabled, the terminal will try to connect to the remote controller using SSL. Note that both the terminal and the controller must be able to communicate and authenticate themselves (requires certificates).

[[ttaammppeerr aallaarrmm]]

lleevveell 00 ((00,, 11,, 22))

Value Description

0 Default value: back cover removal detection disabled.

1 Sends alarm in case of back cover removal.

2 Sends alarm and activates buzzer in case of back cover removal.

iinntteerrvvaall 11550000 [[00--33000000]]

It defines the time (in 10ms) interval between two alarm messages sending (reboot is mandatory).

[[sseenndd IIDD wwiieeggaanndd]]

vvaalliidd ffoorrmmaatt 11 ((00,,11)) ((rreeaadd oonnllyy))

The frame format, as specified by the configuration keys below, is valid.

ccuussttoomm ffoorrmmaatt 00..00 ((ddoo nnoott eeddiitt))

Reserved for Sagem Scurit custom protocols.

IIDD ffoorrmmaatt 99..1166 ((nn..mm))

Inserts m bits of ID value at offset n (first bit is n=0, m 64).

ssiittee ffoorrmmaatt 11..88 ((nn..mm))

Inserts m bits of site value at offset n (first bit is n=0, m 64).

ssttoopp ffoorrmmaatt 33..1122 ((00..00,, 11..00,, 22..nn,, 33..nn,, 44..00))

Defines the stop control bit format. Refer to MorphoAccess Remote Messages Specification document.

ssttaarrtt ffoorrmmaatt 22..1122 ((00..00,,11..00,, 22..nn,, 33..nn,, 44..00))

Defines the start control bit format. Refer to MorphoAccess Remote Messages Specification document.


ffrraammee lleennggtthh 2266 [[11 -- 112288]]

Defines the total number of bits of the frame.

HHIIDD ccoonnvveerrssiioonn 00 ((00,, 11))

Allows the User ID read on a HID contactless card to be process as a raw Wiegand frame to be sent without being formatted (used on terminals equipped with an iClass contactless smartcard reader).

ssiittee ccooddee 77 [[00--6655553355]]

Terminal site code value.


Allows the sending of the User ID message (result of access control check) using Wiegand protocol (the Send ID DataClock feature must be disabled).

built frame

Activates the enhanced Wiegand sending. By using that key, the user can send the AC_ID (refer to /app/bio ctrl/AC_ID key), the alarm ID (refer to app/failure ID/alarm ID key), or the ISO14443 type A contactless card UID.

That key acts as a complement of the previous keys. It means that every data needed by that key are additional data. But in some cases those data can replace the previous data, such as ID format for example.

Set this value to AC_ID:X.Y; to insert Y bits of AC_ID at offset X.

Set this value to ALARM_ID:X.Y; to insert Y bits of alarm ID (if enabled) at offset X, in case of alarm.

Set this value to CARDSN:X.Y; to insert Y bits of ISO14443 type A contactless card UID (if captured) at offset X. Note that the card UID is in binary format.

NOTE: Values are separated by a ;. The final ; is mandatory.


Example:

The administrator wants the MorphoAccess to match the MIFARE contactless card UID and send it using the Wiegand output with no site code, no start bit, and no stop bit. He also wants to send an alarm ID in case of back cover removal.

The key /app/bio ctrl/AC_ID is configured to match the contactless card UID.

Alarm keys are correctly configured.


Wiegand configuration keys are configured as following:

- enabled 1 Enable the Wiegand sending feature,

- frame length 32 MIFARE contactless card UID is 4 bytes,

- start format 4.0 No start bit,

- stop format 4.0 No stop bit,

- ID format 0.0 No classical ID,

- site format 0.0 No site code,

- built frame ALARM:0.32;AC_ID:0.32; In case of alarm, insert 32 bits of ALARM ID at offset 0. Else, insert 32 bits of the AC_ID at offset 0 (first bit), if AC_ID is captured.

[[sseenndd IIDD ddaattaacclloocckk]]

ddaattaa iinnvveerrtteedd 00 ((00,, 11))

Data level is inverted.

cclloocckk iinnvveerrtteedd 00 ((00,, 11))

Clock level is inverted.


Allows the sending of the User ID message (result of access control check) using DataClock protocol (the Send ID Wiegand feature must be disabled).

ccaarrdd pprreesseenntt ssiiggnnaall 00 ((00,, 11)) ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

Activates the card present signal. The card present pin is set to 5V when the ID is sent on the dataclock pins, and reset to 0V when the transmission is finished. It is useful for some dataclock controllers.

NOTE: At the terminals startup, the signal is set to 5V during less than 1s then it is set to 0V.


[[sseenndd IIDD sseerriiaall]]

mmooddee 448855 ((442222,, 448855))

Defines the serial protocol to use.

Value Description

485 Default value: RS485 protocol.

422 RS422 protocol (available on MorphoAccess 500 series only).

Other values are ignored.

tteerrmmiinnaall iiddeennttiiffiieerr tteerrmmiinnaall ddeeppeennddeenntt vvaalluuee [[00 225555]]

Defines the terminal on a RS485 network.

ppaarriittyy 00 ((00,, 11,, 22))

0 No, 1 Odd, 2 Even.

ssttooppbbiittss 11 ((11,, 22))

1 or 2 stop bits.

ddaattaabbiittss 88 ((77,, 88))

7 or 8 bits for data.

ssppeeeedd 111155220000 ((330000,,11220000,,22440000,,44880000,,99660000,,1199220000,,3388440000,,5577660000,,111155220000))

Serial port speed in bps.


Activates the sending of User ID message, using RS485 or RS422 protocol, depending of the mode key value.

wait reply 0 (0, 1)

When the control succeeds and the ID is sent using RS422, the terminal is able to wait for a reply from a controller on RS422.

display duration 3 [0-3600]

Corresponds to the display duration of the message sent by a controller to the terminal. The key wait reply must be set to 1

reply timeout 5 [0-3600]

Corresponds to the time (in seconds) the terminal waits for a controller to reply. The key wait reply must be set at 1.


[[ffaaiilluurree IIDD]]

sseenndd IIDD mmaasskk 225555 [[00--225555]] ((oonnllyy ffoorr sseenndd IIDD EEtthheerrnneett mmooddeess))

This bit field mask defines which kind of ID messages are sent, when one of the send ID Ethernet modes is enabled

Value Description

255 Default value: all types of message are sent.

1 Access granted message sending allowed

2 Access denied, user not recognized or not authorized message sending allowed

4 Access denied, user not in time message sending allowed (Time mask feature)

8 Access denied, timeout occurs during access control check message sending allowed.

16 Access denied, FFD message sending allowed (MorphoAccess equipped with fake finger detection only)

128 Tamper alarm message allowed

For example to send only the user ID message when the user is authorized and when user is not recognized, set this key to 3, which means 1 (User authorized message) + 2 ( User not recognized or not authorized message).

The configurations keys listed below, apply only to the Send ID Wiegand and to the Send ID DataClock features. These keys specify the value to send for each case of access denied reason.

nnoott oonn ttiimmee IIDD 6655553355 [[00--6655553355]]

Value to send if the access is denied during the current time area (Time Mask feature).

ttiimmeeoouutt IIDD 6655553355 [[00--6655553355]]

Value to send if the access is denied because timeout occurs during access control check.

nnoott iinn DDBB IIDD 6655553355 [[00--6655553355]]

Value to send if the access is denied because no record can be found in the database for the specified user ID (i.e. no biometric operation can be performed).

nnoott rreeccooggnniizzeedd IIDD 6655553355 [[00--6655553355]]

Value to send if the access is denied because the user is not identified (i.e. a biometric operation has failed).


ggeenneerriicc eerrrroorr IIDD 6655553355 [[00--6655553355]]

Value to send as user ID if the access is denied because an unexpected error occurs.

FFFFDD IIDD 6655553355 [[00--6655553355]] ((oonnllyy oonn tteerrmmiinnaallss ccaappaabbllee ttoo ddeetteecctt ffaallssee ffiinnggeerrss))

Value to send if the access is denied because FFD check fails (not a valid finger).


Enables the sending of a ID message when access is denied to the user, or when the alarm is triggered.

aallaarrmm IIDD 6655553355 [[00--6655553355]]

Value to send when the tamper alarm feature is enabled, and when the MorphoAccess 100 or 500 Series is opened. This is not an access control error code, but it is send through the same channel, using the same format.

[[lloogg ffiillee]]


When set to 1, the key activates the recording of each access control request in the internal log file.

ffuullll hhaannddlliinngg 0000000000000000

This string represents a bit field. It defines the actions to perform when the access control logs are full in a MorphoAccess terminal. To enable an action, set the corresponding bit to 1 in value of the configuration key.

Value Description

00000000 Nothing is performed

00000001 A warning message is displayed on the MorphoAccess screen (if equipped).

00000002 A message is sent to a distant host using a defined interface (cf. remotemsg.cfg file).

00000004 The log file is erased then current control result is written

The actions can be combined by combining the value. For example, set the value to 00000003 to display a warning message and send a message to a distant computer.


[[lleedd IINN]]

ccoonnttrroolllleerr aacckk ttiimmeeoouutt 330000 [[00--33000000]]

LED IN acknowledgement timeout in 10 ms. If no signal is detected (from LED1 or LED2) within the specified time, the terminal denies the access to the user.


When set to 1, the terminal wait for a signal on LED1 (access granted) or on LED2 (access denied), to return the final result of access control request to the user.

[[GG..UU..II]]

ddaattaabbaassee ccoonnvveerrssiioonn 550000 [[330000,, 550000]] ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

300: 16 databases mode (for MA300 compatibility).

500: 5 databases mode.

ddiissppllaayy uusseerr iinnffoo 22 [[00 22]] ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

2: if database contains additional fields FNAME and NAME user name and first name are displayed on successful recognition.

1: user identifier is displayed on successful recognition.

0: no personal information is displayed on successful recognition.

ddeeffaauulltt llaanngguuaaggee 00 [[00--55]] ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

Defines the user interface language. 0 for English.

vvoolluummee 1100 [[00--1100]]

0: The buzzer is off.

[1-10]: The volume is set to the corresponding value. 10 is the maximum volume.

lleedd oouutt ssiiggnnaall 00 ((00,, 11)) ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

Activates the led out signal. The led out pin is the copy of the multicolour LED in case of positive match. It means that signal is set to 5V when the led is on and set to 0V the rest of the time.

NOTE: At the startup of the terminal, the signal is set to 5V during a very short period of time then it is set to 0V.

ddiissppllaayy hhoouurr 00 ((00,, 11)) ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

Displays hour and date on the main screen.


ttiimmee aatttteennddaannccee iiccoonnss 11 ((11,, 22)) ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

Changes the icon set of the time and attendance mode.

1: MorphoAccess 500 Series icons

2: MorphoAccess 200/300 Series icons (with text)

wwaallllppaappeerr FFIILLEE::ddeeffaauulltt..bbmmpp;;((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy)) ((EExxtteennddeedd TTiimmee aanndd AAtttteennddaannccee oonnllyy))

Defines the bitmap to be displayed on screen when extended time and attendance is used.

This configuration key has the following format:

FILE:;

Example: FILE:default.bmp;

NOTE: If the key is badly formatted, extended time and attendance is cancelled. The final ; is mandatory.

[[mmooddeess]]

ttiimmee aanndd aatttteennddaannccee 00 ((00,, 11,, 22,, 33)) ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

Time and attendance mode can be activated with 2 (option 1) or 4 buttons (option 2).

When the value is set to 3, the extended time and attendance is activated: each numeric key of the keyboard is associated to one of the time and attendance function (described in the app/keyboard/mapping configuration key), and a customer designed bitmap picture is displayed on the terminals screen. Usually, this picture indicates the assignation of each key.

TT&&AA ooppeerraattiioonn ttiimmeeoouutt 2200 ((00--6655553355)) ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

This value specifies the Time and Attendance timeout (value is in seconds). This is the timeout after which the operation in progress is cancelled and the MorphoAccess comes back to the Time and Attendance main screen.

ttiimmee mmaasskk 00 ((00,, 11))

This mode enables the access according to its time mask. Time mask is defined by slots of 15 minutes over a week. Database must contain an additional field TMSK.


iiddllee ppeerriipphheerraallss 33 ((00,, 225555))

This value specifies the features to deactivate after a customizable period of time (idle mode). This value is a mask, several features can be deactivated at the same time.

1: to deactivate the screen and keyboard backlight only

2: to deactivate the biometric sensor only

To deactivate both backlight and biometric sensor, set this value to 3.

Set this value to 255 to deactivate every feature. For the moment, those features are backlight and biometric sensor.

iiddllee ttiimmeeoouutt 00 ((00--6655553355))

This value specifies the Idle timeout (value is in minutes).This is the inactivity time that triggers the idle mode.


[[ddaattaacclloocckk iinn]] ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

ddaattaa iinnvveerrtteedd 00 ((00,, 11))

Set to 1 to expect an inverted Data signal.

cclloocckk iinnvveerrtteedd 00 ((00,, 11))

Set to 1 to expect an inverted Clock signal.

[[wwiieeggaanndd iinn]] ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

ccuussttoomm ffoorrmmaatt 00..00 ((ddoo nnoott eeddiitt))

Reserved for Sagem Scurit custom protocols.

IIDD ffoorrmmaatt 99..1166 ((nn..mm))

Inserts m bits of ID value at offset n (first bit is n=0, m 64).

ssiittee ffoorrmmaatt 11..88 ((nn..mm))

Inserts m bits of site value at offset n (first bit is n=0, m 64).

ssttoopp ffoorrmmaatt 33..1122 ((00..00 11..00 22..nn 33..nn 44..00))

Defines the stop control bit. Refer to MorphoAccess Remote Messages Specification.

ssttaarrtt ffoorrmmaatt 22..1122 ((00..00 11..00 22..nn 33..nn 44..00))

Defines the start control bit. Refer to MorphoAccess Remote Messages Specification.

ffrraammee lleennggtthh 2266 [[11--112288]]

Defines the number of bits of the frame.

ssiittee ccooddee 77 [[00--6655553355]]

Terminal site code.

cchheecckk SSiittee CCooddee 11 ((00,, 11))

To check the frame site code.


[[iinnffoo]]

ttyyppee ((rreeaadd oonnllyy))

Terminal type (MA100, MA110, )

rreelleeaassee AA ((rreeaadd oonnllyy))

For internal use only.

mmiinnoorr YY ((rreeaadd oonnllyy))

Minor software revision.

mmaajjoorr XX ((rreeaadd oonnllyy))

Major software revision.

[[kkeeyybbooaarrdd]] ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

ttiimmeeoouuttss PPIINN::2200;;

This value specifies several timeouts (PIN and BIOPIN keyboarding time for the moment).

Set this value to PIN:XX; to change the PIN and BIOPIN timeout (value is in seconds). This is the timeout after which the keyboarding is cancelled.

NOTE: Final ; is mandatory. If the string is badly formatted, the timeout is considered to be the default value (20).

mmaappppiinngg 11::11;;22::55;;33::22;;44::55;;55::55;;66::55;;77::33;;88::55;;99::44;; ((EExxtteennddeedd TTiimmee aanndd AAtttteennddaannccee oonnllyy))..

Defines the keyboard keys associated to a set of time and attendance functions when extended time and attendance is used.

This configuration key has the following format:

:;

Example: 1:1;2:2;3:3;4:4;5:5;6:5;

NOTE: If the configuration key is badly formatted, extended time and attendance is cancelled. The final ; character is mandatory.


Key codes are defined as follows (decimal value of the corresponding ASCII numeric character):

KKeeyy CCooddee

'1' 1

'2' 2

'3' 3

'4' 4

'5' 5

'6' 6

'7' 7

'8' 8

'9' 9

Functions codes are defined as follows:

FFuunnccttiioonn CCooddee

In 1

Out 2

Temporary In 3

Temporary Out 4

Key code 5

The four first functions are identical to the one supported by the 4 buttons Time and Attendance mode (activated when the app/modes/time and attendance key is equal to 2).

The key code function is specific to the extended Time and Attendance mode: in the access check result message sent through IP, the letter which identifies the In/Out function is replaced by corresponding digit of the pressed function key (if the 3 key is pressed, then the message contains 3 in Time and Attendance field).


BBIIOOMMEETTRRIICC SSEENNSSOORR PPAARRAAMMEETTEERRSS ((BBIIOO..CCFFGG))

[[bbiioo ccttrrll]]

mmaattcchhiinngg tthh 33 [[11--1100]]

Defines the terminal matching threshold (as described in User Guide).

FFFFDD sseeccuurriittyy lleevveell 11 ((00,, 11,, 22))

Defines the control level of the FFD feature of the MorphoAccess equipped with fake finger detection: 0 is the lowest and 2 the highest.

ffiinnggeerr ttyyppee 00 ((00,, 11))

Select the fingerprint coder option to be used during fingerprint acquisition.

This configuration key is equivalent to the /cfg/Maccess/bio/juvenile configuration key of MA200 and MA300 Series.

Value Description

0 Default value: standard biometric coder option (recommended)

1 Juvenile option activated for all fingerprint acquisitions. This option provides a better enrolment quality with thin fingers (but a little lower for normal finger). When this option is activated, the fingerprint acquisition process duration requires around 400ms extra-time.

Following keys are strictly reserved for Sagem Scurit use only.

Please do not change their values, the actual values are tuned to obtain the best results:

uniformity correction 0

image contrast 0

image size 0

sensor sensibility 1

1st try strategy 0

2nd try strategy 1

presence detection 0


AADDMMIINNIISSTTRRAATTIIOONN SSEETTTTIINNGGSS ((AADDMM..CCFFGG))

[[rreemmoottee mmaannaaggeemmeenntt TTCCPP]]

llaatteennccyy ttiimmeeoouutt 33660000 [[00--660000000000]]

This value defines the delay (in seconds) allowed between two TCP packets when a fragment of command is received (reboot is mandatory).

iinnaaccttiivviittyy ttiimmeeoouutt 660000000000 [[00--660000000000]]

Do not change this parameter (reboot is mandatory).

ppoorrtt 1111001100 [[00--6655553355]]

Defines the terminal server port (reboot is mandatory).

eennaabblleedd 11 ((00,,11))

Enabled the administration through the TCP link (reboot is mandatory).

[[rreemmoottee mmaannaaggeemmeenntt sseerriiaall]] ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))

CCOOMM nnuummbbeerr 22 [[00--22]]

Do not edit this value.

ppaarriittyy 00 ((00,, 11,, 22))

0 No, 1 Odd, 2 Even.

ssttooppbbiittss 11 ((11,, 22))

1 or 2 stop bits.

ddaattaabbiittss 88 [[55--88]]

5 to 8 databits.

bbaauuddrraattee 111155220000 ((330000,, 11220000,, 22440000,, 44880000,, 99660000,, 1199220000,, 3388440000,, 5577660000,, 111155220000))

Link speed in bps.

eennaabbllee 00 ((00,, 11))

Enables remote management using serial link (reboot is mandatory)


ffllooww ccoonnttrrooll 00 ((00,, 11))

Flow control:

0: no flow control.

1: flow control via RTS/CTS management.

[[ddiissttaanntt sseessssiioonn]]

inactivity timeout 6000 [0-6000]

Duration let to a remote host to send another following command before reactivating the terminals default running state (as biometric sensor for identification).

Please do not change this value, the actual value is tuned to obtain the best result.

[[rreemmoottee mmaannaaggeemmeenntt SSSSLL]]

command write timeout [20] (SSL use only)


Duration let to SSL server to send command frames (in case of big frames).


command read timeout [20] (SSL use only)


Duration let to SSL server to receive command frames (in case of big frames).


profile id [0-1] (SSL use only)


Indicates the SSL profile (index in configuration file sslprofile.cfg) used to administrate the MorphoAccess using SSL.

peer authentication enabled [0-1] (SSL use only)


If enabled (default and only available value), mutual authentication will be done. Must not be disabled.


session cache enabled [0-1] (SSL use only)


If enabled (default and only available value), session cache will be used. Must not be disabled.

port 11010 [0-65535] (SSL use only)


Defines the terminal server port. (reboot is mandatory)

enabled [0-1] (SSL use only)


If enabled, SSL server will start then wait for commands. If TCP server and SSL server are enabled with same listening port, priority will be given to TCP. It is recommended to use Sagem Scurits Active MACI as remote SSL client communication layer.


NNEETTWWOORRKK PPAARRAAMMEETTEERRSS ((NNEETT..CCFFGG))

[[bboooott pprroottoo]]

DDHHCCPP aaccttiivvaatteedd 00 ((00,,11))

0: static IP address (reboot is mandatory).

1: the terminal starts using DHCP boot mode1 (reboot is mandatory).

[[ppaarraammeetteerrss]]

nneettwwoorrkk mmaasskk 225555..225555..224400..00

Static network mask (reboot is mandatory).

ddeeffaauulltt ggaatteewwaayy 113344..11..66..2200

Static default gateway (reboot is mandatory).

nneettwwoorrkk aaddddrreessss 113344..11..3322..221144

Static IP address (reboot is mandatory).

hhoosstt nnaammee MMAA006611111100000088

Hostname for DHCP (reboot is mandatory).

[[ddeevviiccee]]

ssppeeeedd 1100 ((1100,, 110000))

Ethernet device speed (Mbits/s) (reboot is mandatory).

1


SSSSLL PPRROOFFIILLEESS ((SSSSLLPPRROOFFIILLEE..CCFFGG)) ((SSSSLL UUSSEE OONNLLYY))

[[mmiisscceellllaanneeoouuss]]

number of profile [2]

Read only value that sets the number of existing profiles.

[[pprrooffiillee00]]

This section is commonly used to define the SSL profile for the SSL server (refer the ADM / Remote management SSL).

retry connection timeout [1]


Internal value. Must not be modified. Modifying this could turn the terminal in a non working state.

connection timeout [0]



write timeout [50]



read timeout [50]



retry init timeout [1]



init timeout [0]




list name


Reserved for a future use

list type


Reserved for a future use

ca peer certificates


List of peer certificates for authentication, separated by semi-colons.

own certificate


PKCS#12 file filename of the terminal.

passphrase id [2]


Reference to the passphrase used to protect access to PKCS#12 file. Other values are reserved for a future use.

strength level [000000FF]


Algorithm strength level. Other values are reserved for a future use.

supported cipher [00250021]


Supported cipher mask. Other values are reserved for a future use.

protocol version[2]


Value 2 means SSL version 3. Other values are reserved for a future use.

Name


Information name (not used by terminal).


[[pprrooffiillee11]]

This section is commonly used to define the SSL profile for the SSL client (refer the APP / Send ID Ethernet).

retry connection timeout [1]



connection timeout [0]



write timeout [50]



read timeout [50]



retry init timeout [1]



init timeout [0]



list name


Reserved for a future use.

list type



Reserved for a future use.

ca peer certificates


List of peer certificates for authentication, separated by semi-colons.

own certificate


PKCS#12 file filename of the terminal.

passphrase id [2]


Reference to the passphrase used to protect access to PKCS#12 file. Other values are reserved for a future use.

strength level [000000FF]


Algorithm strength level. Other values are reserved for a future use.

supported cipher [00250021]


Supported cipher mask. Other values are reserved for a future use.

protocol version [2]


Value 2 means SSL version 3. Other values are reserved for a future use.

name


Information name (not used by terminal).


GG..UU..II.. FFIILLEE ((GGUUII..CCFFGG))

[[kkeeyy ssccrreeeennss]] ((MMoorrpphhooAAcccceessss 550000 SSeerriieess oonnllyy))((oonnllyy iinn eexxtteennddeedd ttiimmee aanndd aatttteennddaannccee mmooddee))

nb key screens 0 (0, 9)

This configuration key defines the number of confirmation screens available in the terminal. If the value is 0, then it is possible that the key_screen_i configuration keys do not exist. Please refer to the section below.

key_screen_ i from 1 to nb key screens

These configuration keys define the confirmation screen, to be displayed immediately after a specific numeric key is pressed (to require a Time and Attendance function). The assignation of a confirmation screen to a numeric key is optional.

The configuration key value includes the numeric key code, the text of the message to be displayed (30 Latin characters maximum, on the second line of the screen), and the automatic confirmation time-out value.

This configuration key value has the following format:

KEY:;TEXT1:;TIMEOUT:;

Example: KEY:49;TEXT1:Key 1 selected;TIMEOUT:3;

Key codes are defined in [keyboard\mapping] section of application file.

Note: If the key is badly formatted, extended time and attendance is cancelled. The final ; character is mandatory.

These configuration keys are ignored when the extended time and attendance mode is not activated.

While the confirmation screen is displayed, if the user:

presses the Cancel Key (Red function key), the terminal return to Time and Attendance main screen (key selection),

presses the Validation Key (Green function key), the terminal goes immediately to next step (usually biometric check),

presses any other key: the terminal ignores it;

does not press any key: when the time-out value is reached, the terminal goes automatically to next step (same as Validation Key pressure).


[[MMMMII ddeeffiinniittiioonn]]

buzzer 0;0;0;0;0;0

Strictly reserved for Sagem Scurit use only.

led 0;0;0;0

Strictly reserved for Sagem Scurit use only

priority 200


number 3



EEXXEE FFIILLEE ((EEXXEE..CCFFGG))

[[iinniitt ssttaattee]]

assistant 0


startup 0 (0,1) (reboot is mandatory)

This key defines which application the terminal launches after a reboot.

Value Description

0 Start in Application selection menu

1 MACCESS application

2 Enrolment application

[[sswwiittcchh aapppp]]

app. number 1



WWII--FFII FFIILLEE ((WWIIFFII..CCFFGG)) ((WWII--FFII UUSSEE OONNLLYY))

[[aacccceessss ppooiinntt:: XXXXXX]]

This section is commonly used to define a reachable access point.

MAC

Do not change this key manually. Please read section WI-FI configuration keys at the beginning of this document.

MAC address of the defined access point (XXX)

algo

Do not change this key manually. Please read section Wi-Fi configuration keys at the beginning of this document.

Security algorithm used:

- 0 for none

- 1 for WEP64

- 2 for WEP128

authentication method

Do not change this key manually. Please read section Wi-Fi configuration keys at the beginning of this document.

Authentication type (WEP connections only):

- 0 for Open authentication

- 1 for Shared authentication

channel


signal strength

Do not change this key.

Indicates the strength of the access point signal.

signal quality

Do not change this key.

Indicates the quality of the access point signal.

add profile


Add a profile corresponding to that access point.


[[pprrooffiillee:: YYYYYY]]

This section is commonly used to define a profile corresponding to a valid and reachable access point.

SSID


Wireless network name (SSID) of the corresponding access point.

MAC


MAC address of the corresponding access point

algo


Security algorithm of the corresponding access point

authentication method


Authentication type of the corresponding access point (WEP connections only).

channel


key


Security key to communicate with the corresponding access point

remove profile


Removes this profile in the configuration file.


[[pprrooppeerrttiieess]]

active profile


Sets the profile used by the terminal

boot proto


Sets the protocol used to obtain an IP address.

Value Description

0 The address is obtained from a DHCP server

1 The address is given by the administrator

network address


Indicates the IP address of the Wi-Fi interface (IP address obtained from the DHCP server, if DHCP mode is enabled).

network mask


Static network mask.

default gateway


Static default gateway

host name


Hostname for DHCP mode.

MAC address (read only)

MAC address of the Wi-Fi USB adapter.


EENNRROOLLMMEENNTT AAPPPPLLIICCAATTIIOONN ((EENNRR..CCFFGG))

This section is used to parameter the Enrolment application on the MorphoAccess 500 Series terminals equipped with a contactless smartcard reader.

[[ccoonnttaaccttlleessss]]

eennccooddee ttyyppee ((TTeerrmmiinnaallss eeqquuiippppeedd wwiitthh aa DDEESSFFiirree ccoonnttaaccttlleessss ssmmaarrttccaarrdd rreeaaddeerr oonnllyy))

This key let the user select the type of card he can encode using the enrolment application.

Value Encode cards:

1 DESFire

2 MIFARE

3 Both DESFire and MIFARE at the same time (auto recognition of the card type)

See MorphoAccess 500 Series Enrolment application User Guide for details.


LLOOGGSS FFIILLEE ((LLOOGG..CCFFGG))

[[LLooggPPaarraamm]]

This section is used to parameter the Enrolment application on the MorphoAccess 500 Series for the biometric database synchronization feature (cf. MA500 Series Enrolment Application User Guide).

LogFile DefLogFile

Name of the file in which the changes made on the biometric database, using the enrolment application, are written.

LogFileSize 524288 (1-2097152)

Max size in bytes of the previous file. Should be a multiple of 512.

LogMask 00000000

This string key is a bit field that selects what kind of changes are written in the file.

Value Description

00000001 Log when a user is added to a biometric database successfully.

00000002 Log when a user is modified successfully.

00000004 Log when a user is removed from a biometric database successfully.

00000008 Log when a contactless card is encoded successfully.

00000010 Log when a biometric database is created successfully.

00000020 Log when a biometric database is exported successfully.

00000040 Log when a biometric database is imported successfully.

00000080 Log when contactless keys are generated successfully.

00000100 Log when an admin contactless card is created successfully.

00000200 Log when contactless keys are imported successfully.


[[SSyynncchhrroo]]

SynchroKey

Do not change this key manually.

This configuration key is used to perform the biometric databases synchronization.


RREEMMOOTTEE MMEESSSSAAGGEESS ((RREEMMOOTTEEMMSSGG..CCFFGG))

[[iinntteerrffaacceess]]

This section describes the interfaces that the terminal can use to send a message to a distant host.

nb interfaces 0 (0-255)

Defines the number of different interfaces to create.

intX

That key is created only if the nb interfaces key is more than 0.

It defines one interface. An interface is defined by its type, and some parameters depending of the type.

Available types

IP

Type Parameters

IP Protocol, only TCP for the moment

Distant host IP address

Distant host port number

Sending timeout in seconds

Receiving timeout in seconds

The configuration key value has the following format:

;;

Each parameter is separated by a ;. The final ; is mandatory.

Example:

IP;TCP;10.126.59.45;11020;10;20;

It means that the interface is used to contact host 10.126.59.45 on port 11020 using TCP protocol. The sendings timeout is 10s, and the receiving timeout is 20s.


EEVVEENNTTSS ((EEVVEENNTTSS..CCFFGG))

[[ggeenneerraall]]

active FFFFFFFF

This string key is used as a bit field that defines the events that can generate a message sending.

Value Description

00000001 Send a message on biometric databases changes (need an administrator action)

00000002 Send a message when access control log file is full

[[bbiioo__cchhgg]]

That section is available only if the active key allows it.

nb sending 0 (0-255)

This key defines the number of sending performed when the administrator decides to signal biometric databases changes to a distant host.

sendX

That configuration key is created only if nb sending is more than 0.

It defines one sending. A sending is defined by the number of attempts, the attempt interval, a response needed flag, and an interface (cf. [interfaces])


;;;;

Each parameter is separated by a ;, and the final ; is mandatory.

Example:

3;5;1;int1;

It means that the sending has 3 5s spaced attempts, a response message is awaited, and the interfaces int1 from the remotemsg file will be used.


Please refer to MA500 Series Enrolment Application User Guide to know how the administrator activates this message, and MA500 Series User Guide to know about the messages format.

[[lloogg__ffuullll]]

That section is available only if the active key allows it.

nb sending 0 (0-255)

This key defines the number of sending performed when the access control log file is full.

sendX

That configuration key is created only if nb sending is more than 0.

It defines one sending. A sending is defined by the number of attempts, the attempt interval, a response needed flag, and an interface (cf. [interfaces])


;;;;

Each parameter is separated by a ;, and the final ; is mandatory.

Example:

3;5;0;int2;

It means that the sending has 3 5s spaced attempts, no response message is awaited, and the interfaces int2 from the remotemsg file will be used.

Please refer to MA500 Series User Guide and MA100 Series User Guide to know about the messages format.


SSUUPPPPOORRTT

CCuussttoommeerr sseerrvviiccee

Sagem Scurit

SAV Terminaux Biomtriques

Boulevard Lnine - BP428

76805 Saint Etienne du Rouvray

FRANCE

Phone: +33 2 35 64 55 05

HHoottlliinnee

Sagem Scurit

Support Terminaux Biomtriques

18, Chausse Jules Csar

95520 Osny

FRANCE

[email protected]

Phone: +33 1 58 11 39 19

http://www.biometric-terminals.com/

Copyright 2009 Sagem Scurit

http://www.sagem-securite.com/

Head office : Le Ponant de Paris

27, rue Leblanc - 75512 PARIS CEDEX 15 - FRANCE

Table of ContentsREVISIONS HISTORYSCOPE OF THE DOCUMENTConfiguration file organizationParameter modificationNotation[section in configuration file]parameter name 1 default value [min_value-max_value]parameter name 2 default value (value_1, value_2)

SSL securing configuration keysWI-FI configuration keysDESFire configuration keys

application file (app.cfg)[bio ctrl]identification 1 (0, 1) (default mode on MorphoAccess 100 and 500)identification timeout 5 [1-60]nb attempts 2 (1, 2)bypass authentication 0 (0, 1)authent card mode 0 (0, 1) (only on terminals equipped with a contactless smartcard reader)authent PK contactless 1 (0, 1) (only on terminals equipped with a contactless smartcard reader)authent ID contactless 0 (0, 1) (only on terminals equipped with a contactless smartcard reader)authent ID keyboard 0 (0, 1) (only in MorphoAccess 500 Series)authent remote ID source 0 [0-2] (only in MorphoAccess 500 Series)authent timeout 10 [1-60] (only in MorphoAccess 500 Series, and MorphoAccess 100 Series terminals equipped with a contactless smartcard reader)BIOPIN enabled 0 (0, 1) (only in MorphoAccess 500 Series equipped with a contactless smartcard reader)control PIN 0 (0, 1) (only in MorphoAccess 500 Series equipped with a contactless smartcard reader)AC_ID FINGER;CARDDATA;KBD;WGDTCLK;

[contactless]C 1 (1, 2, 3)B 4 [0-215]data format 0 (0, 1)data offset 0.0 [number of bytes].[additional bits]data length 8.0 [number of bytes].[additional bits]data type 0.1 [format].[direction]HID key valid 1 (0,1) (only for terminals equipped with a iClass contactless smartcard reader)HID start page 1 [1 5] (only for terminals equipped with a iClass contactless smartcard reader)HID start block 19 [19 177] (only for terminals equipped with a iClass contactless smartcard reader)HID mode 2 (only for terminals equipped with a iClass contactless smartcard reader)event on 2 (0 - 65535)enabled profiles (only for terminals equipped with a DESFire contactless smartcard reader)desfire params (only for terminals equipped with a DESFire contactless smartcard reader)

[relay]aperture time in 10ms 300 [50-60000]enabled 1 (0, 1)relay default state 0 (0, 1)external control by LED1 0 (0,1)

[send ID UDP]host name 134.1.2.189 (IP address only)host port 11020 [0-65535]enabled 0 (0, 1)

[send ID ethernet]connect timeout 2000 ([1-65000]controller 1 port 11020 [0-65000]controller 1 IP 134.1.2.189 (IP address only)controller 2 port 11020 [0-65000]controller 2 IP 134.1.2.189 (IP address only)mode 0 [0 - 4]timeout back to controller 1 3600 [0-7200]controller on no response [0-1]

[tamper alarm]level 0 (0, 1, 2)interval 1500 [0-3000]

[send ID wiegand]valid format 1 (0,1) (read only)custom format 0.0 (do not edit)ID format 9.16 (n.m)site format 1.8 (n.m)stop format 3.12 (0.0, 1.0, 2.n, 3.n, 4.0)start format 2.12 (0.0,1.0, 2.n, 3.n, 4.0)frame length 26 [1 - 128]HID conversion 0 (0, 1)site code 7 [0-65535]enabled 0 (0, 1)

[send ID dataclock]data inverted 0 (0, 1)clock inverted 0 (0, 1)enabled 0 (0, 1)card present signal 0 (0, 1) (MorphoAccess 500 Series only)

[send ID serial]mode 485 (422, 485)terminal identifier terminal dependent value [0 255]parity 0 (0, 1, 2)stopbits 1 (1, 2)databits 8 (7, 8)speed 115200 (300,1200,2400,4800,9600,19200,38400,57600,115200)enabled 0 (0, 1)

[failure ID]send ID mask 255 [0-255] (only for send ID Ethernet modes)not on time ID 65535 [0-65535]timeout ID 65535 [0-65535]not in DB ID 65535 [0-65535]not recognized ID 65535 [0-65535]generic error ID 65535 [0-65535]FFD ID 65535 [0-65535] (only on terminals capable to detect false fingers)enabled 0 (0, 1)alarm ID 65535 [0-65535]

[log file]enabled 1 (0, 1)full handling 00000000

[led IN]controller ack timeout 300 [0-3000]enabled 0 (0, 1)

[G.U.I]database conversion 500 [300, 500] (MorphoAccess 500 Series only)display user info 2 [0 2] (MorphoAccess 500 Series only)default language 0 [0-5] (MorphoAccess 500 Series only)volume 10 [0-10]led out signal 0 (0, 1) (MorphoAccess 500 Series only)display hour 0 (0, 1) (MorphoAccess 500 Series only)time attendance icons 1 (1, 2) (MorphoAccess 500 Series only)wallpaper FILE:default.bmp;(MorphoAccess 500 Series only) (Extended Time and Attendance only)

[modes]time and attendance 0 (0, 1, 2, 3) (MorphoAccess 500 Series only)T&A operation timeout 20 (0-65535) (MorphoAccess 500 Series only)time mask 0 (0, 1)idle peripherals 3 (0, 255)idle timeout 0 (0-65535)

[dataclock in] (MorphoAccess 500 Series only)data inverted 0 (0, 1)clock inverted 0 (0, 1)

[wiegand in] (MorphoAccess 500 Series only)custom format 0.0 (do not edit)ID format 9.16 (n.m)site format 1.8 (n.m)stop format 3.12 (0.0 1.0 2.n 3.n 4.0)start format 2.12 (0.0 1.0 2.n 3.n 4.0)frame length 26 [1-128]site code 7 [0-65535]check Site Code 1 (0, 1)

[info]type (read only)release A (read only)minor Y (read only)major X (read only)

[keyboard] (MorphoAccess 500 Series only)timeouts PIN:20;mapping 1:1;2:5;3:2;4:5;5:5;6:5;7:3;8:5;9:4; (Extended Time and Attendance only).

Biometric sensor parameters (bio.cfg)[bio ctrl]matching th 3 [1-10]FFD security level 1 (0, 1, 2)finger type 0 (0, 1)

Administration settings (adm.cfg)[remote management TCP]latency timeout 3600 [0-600000]inactivity timeout 600000 [0-600000]port 11010 [0-65535]enabled 1 (0,1)

[remote management serial] (MorphoAccess 500 Series only)COM number 2 [0-2]parity 0 (0, 1, 2)stopbits 1 (1, 2)databits 8 [5-8]baudrate 115200 (300, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200)enable 0 (0, 1)flow control 0 (0, 1)

[distant session][remote management SSL]

Network parameters (net.cfg)[boot proto]DHCP activated 0 (0,1)

[parameters]network mask 255.255.240.0default gateway 134.1.6.20network address 134.1.32.214host name MA061110008

[device]speed 10 (10, 100)

SSL profiles (sslprofile.cfg) (SSL use only)[miscellaneous][profile0][profile1]

G.U.I. file (gui.cfg)[key screens] (MorphoAccess 500 Series only)(only in extended time and attendance mode)

Exe file (EXE.CFG)[init state][switch app]

WI-FI file (WIFI.CFG) (WI-FI USE ONLY)[access point: XXX][profile: YYY][properties]

Enrolment application (ENR.CFG)[contactless]encode type (Terminals equipped with a DESFire contactless smartcard reader only)

Logs file (log.cfg)[LogParam][Synchro]

Remote messages (remotemsg.cfg)[interfaces]

Events (events.cfg)[general][bio_chg][log_full]

SupportCustomer serviceHotline

morphoaccess parameters guide

Documents