
1 SAFR - Genetec Synergis Integration Guide

1.1 Introduction

Deploying and configuring SAFR and Genetec Security Center (GSC) with Synergis allows SAFR to import Genetec Cardholders and Credentials for use on SAFR SCAN face authentication readers. SAFR SCAN uses the imported Cardholder picture, converted into a biometric signature, to verify a person’s identity when they present at a SAFR SCAN reader. When a person’s identity has been verified, the SAFR SCAN reader transmits the imported Access Credentials to the access control panel via Wiegand or OSDP signaling.

Please note that SAFR will not import a person record if it does not have a card access credential. Likewise, if the access credential is removed from the cardholder, SAFR will delete the person record in SAFR. SAFR only supports one card access credential per person record. If multiple credentials exist, the most recently updated credential is imported.

To integrate and use the SAFR SCAN RTSP video feed in Genetec Security Center for surveillance please see the SAFR Genetec Integration Guide.

For complete SAFR and SAFR SCAN documentation please visit http://docs.real.com.

1.2 Integration Overview and Requirements

Integrated SAFR - Genetec Synergis is available on Windows and Linux.

Please note that this guide does not cover the installation of the SAFR Server (SAFR Platform) or of Genetec Security Center (GSC) with Synergis. This guide specifically describes how to:

  1. Configure GSC to allow SAFR server to import Cardholders and Access Credentials from Synergis.
  2. Configure the External Identification Synchronization in SAFR server.

A typical integration architecture:

1.3 Attribute mapping between Genetec and SAFR

The following attributes/fields are currently imported and supported from GSC:

| Genetec | SAFR (People data record) | Notes |
|---|---|---|
| First Name | First Name | |
| Last Name | Last Name | |
| OwnerRoleType in Genetec Credential | Person Type | “Card Holder” if OwnerRoleType not defined. |
| Image | Image | |
| Email Address | Email | |
| Mobile Phone Number | Phone | |
| Activation | Access Activation | |
| Expiration | Access Expiration | When expiration is reached, SAFR will generate Access Denied before sending credentials to panel. Record is not deleted. |
| Credential Card Format | Access Card Format | |
| Credential Facility code | Access Card Facility ID | Only for cardholders with Wiegand 26. |
| Credential Card Number | Access Card ID | If multiple card credentials exist for person, only the most recently added or updated credential will be added to person record in SAFR. |
| Credential PIN Code | PIN Credential | If multiple PINs exist for person, only the most recently added or updated PIN will be added to person record in SAFR. |

1.3.1 Import Behavior

  • If deleted in Genetec, SAFR will delete the record.
  • Only access card credentials assigned to a person are imported.
  • SAFR imports the most recently updated credential for each cardholder.
  • For cardholders with Wiegand 26, the Facility code and Card Number are populated in SAFR. For all other card formats, the facility code and card number are populated in the Access Card ID field as a raw card number. Use Raw Card Format in SAFR SCAN for these cases.

1.4 GSC Synergis Licensing

SAFR uses the Genetec Web SDK to connect and synchronize cardholders. The SAFR part number license must also be installed on GSC to enable this functionality, and a “safrsync” user with the required permissions needs to be created in Genetec. These are described below.

No additional license or software is required on the SAFR server.

1.4.1 GSC Licensing and the Genetec Part Number

An accompanying Genetec part number for SAFR integration must be added to your Genetec connection license (it is the same license and part number as for SAFR video feed integration). It currently comes in three options based on the number of connections. For cardholder synchronization, only one license is required per SAFR server.

Part number “GSC-1SDK-RealN-FR1”. Please ask your Genetec representative for the license.

1.5 Configuring API Access

To create a SAFR user in Genetec that can synchronize Cardholders and Credentials, a minimum set of privileges needs to be set. If you would like to use one of the Genetec Privilege Templates, you will need to use either “Provisioning” or “Administrator”. The specific privileges that need to be applied are documented below in section 1.5.1.1.

1.5.1 Create SAFR Sync User

To create a user with the permissions that SAFR will require, do the following:

1. Open the Genetec Config Tool.

2. Click Tasks > User Management.

3. Create a new user (for example, “safrsync”) based on the Privilege template “Supervisor”.


4. The following specific privileges will need to be set for SAFR synchronization.

  • In Application privileges: Log on using SDK

1.5.1.1 Set Privileges for SAFR user

If you create a user without an assigned privilege template, the following specific privileges will need to be set for SAFR synchronization.

  1. Application privileges
    1. Log on using SDK

  2. Administration privileges --> Access control management
    1. View access rules properties
    2. View badge template properties
    3. View cardholder group properties
    4. View credential properties
    5. View visitor properties

  3. Task privileges --> Maintenance
    1. Audit trails

1.6 Set Minimum Cardholder Image Size

It is important to have good quality images loaded into Genetec to eliminate any false positives and to get faster face matching times. For optimal performance of the SAFR SCAN reader, a face image size of 220 pixels ear-to-ear is required.

The Genetec setting for Maximum picture size does not take into consideration face size pixel density but instead the raw size of the picture. Assuming the pictures uploaded are typical head profile shots or selfies, we recommend setting the Maximum picture file size to 200KB. Please check with your Genetec representative to make sure your system is sized for this.

Do the following:

  1. Open the Genetec Config Tool.
  2. Open Tasks > Administration > Access Control > General Settings.
  3. Set Maximum Picture File Size to 200 kb or larger.

Note: File size is not a great predictor of image quality but that’s the only control Genetec provides. Even a 40 kb image can be good quality if cropped just to the face.

1.7 Enable Web SDK

SAFR uses the Genetec Web SDK for Cardholder synchronization.

  1. Add the Web SDK to Roles.
    1. System -> Roles. Click on Add an Entity and select Web based SDK. See image below.

  2. By default, SAFR uses SSL. To configure the Web SDK for SSL, enable it in the Web SDK UI. The default port is 4590 and must match the port in the SAFR External Identity Synchronization configuration. See image below.
    1. If for some reason you cannot connect via SSL and would like to use unsecured HTTP, please follow the steps outlined in the Troubleshooting section below to disable SSL in SAFR.

1.8 Configuring SSL

Genetec and SAFR must use the same communication protocol. SAFR can be configured to handle the following conditions.

  • SSL (HTTPS) with SSL CERT issued by trusted CERT Authority
  • SSL (HTTPS) with self-signed SSL CERT
  • No SSL (HTTP)

By default, SAFR is configured to expect an SSL CERT issued by a trusted authority. If Genetec is using a self-signed CERT (default), you will see the following error when trying to connect.


You can resolve this issue in one of three ways:

  1. Install an SSL Certificate issued by a certificate authority such as Thawte. Refer to the Genetec documentation.
  2. Configure SAFR to use its internal trust manager, which will trust self-signed CERTs. See section 1.8.1 below.
  3. Configure SAFR and Genetec to use HTTP (disable SSL). See section 1.8.2 below.

1.8.1 Use Self-Signed CERTS

To enable SAFR’s internal trust manager, modify SAFR Configuration and restart SAFR Server as instructed below.

  1. Open a text editor with elevated permissions (“Run as administrator”).
    💡Notepad++ is a good text editor for Windows and will automatically elevate permissions when needed.
    💡On Linux use sudo to elevate permissions with the editor of your choice (e.g. “sudo vi genetec.properties”).
  2. Open the genetec.properties file in one of the following locations (see section 1.10 below):
    Windows: C:\Program Files\RealNetworks\SAFR\covi\app\config\covi
    Linux: /opt/RealNetworks/SAFR/covi/app/config/covi
  3. Edit the following line:

genetec.trust.server.certificate:true

  4. Set the value to true to implicitly trust (do not validate) the Genetec SSL CERT.
  5. Save the genetec.properties file.
  6. Restart the “SAFR Covi” Windows Service in the Windows Services Control Panel (if on Linux, run ‘stop’ and ‘start’ in the SAFR/bin directory).

1.8.2 Disable SSL CERT Validation

1.8.2.1 Disable SSL CERT Validation in SAFR

  1. Open genetec.properties as described in steps 1 and 2 of section 1.8.1 above.
  2. Edit the following line:

genetec.ssl:disabled

  3. Set the value to ‘disabled’ to disable SSL (use HTTP).
  4. Save the genetec.properties file.
  5. Restart the “SAFR Covi” Windows Service in the Windows Services Control Panel (if on Linux, run ‘stop’ and ‘start’ in the SAFR/bin directory).

1.8.2.2 Disable SSL CERT Validation in Genetec

  1. Open the Genetec Config Tool.
  2. Go to Genetec > System > Roles > Web-based SDK.
  3. Set “Use SSL Connection” to “Off”.

1.9 Set up External Identification Synchronization

To set up identity synchronization between SAFR and Genetec, do the following:

  1. Open SAFR .
  2. Click on the Tools menu in the client UI, select the System Configuration tool from the drop-down menu.

  3. Check the Set up External Identity synchronization box. The following dialogue will appear.
  4. Enter information for the following fields:
    • User directory name: The name of your SAFR user directory.
    • External identity host: Select Genetec from the drop-down menu.
    • Host Address: The IP address or hostname of the target Genetec server that is running the Web-based SDK Role. This can be different from the directory server.
    • Host Port: The port number that the target Genetec server is listening on.
    • Host User Id: The User Id (“safrsync” if used above) of a user who has the credentials to log into the Genetec server.
    • Host Password: The Password of a user who has the credentials to log into the Genetec server.
  5. Click the Apply button.

1.10 SAFR Configuration File

genetec.properties

Located in the SAFR application folder under covi\app\config\covi

C:\Program Files\RealNetworks\SAFR or /opt/RealNetworks/SAFR

## DEV/Alternate:
## external.sync.client.genetec.application.id:
##

external.sync.genetec.default.site:Genetec
external.sync.genetec.default.source:Genetec

## external.sync.genetec.default.ptype:Card Holder
## external.sync.genetec.override.access.clearance:#{null}
## external.sync.genetec.override.access.clearance.level:#{null}
## external.sync.genetec.page.size:250

## genetec.federated.full.sync* forces full sync once a day
##
## genetec.federated.full.sync.enabled:false
## genetec.federated.full.sync.hour:2
##
## IF genetec.federated.full.sync.enabled == false, the following
## will indicate duration between full sync, default 7 days:
##
## genetec.full.sync.frequency.millis:604800000


## auto, enabled, disabled
genetec.ssl:auto
genetec.trust.server.certificate:true
genetec.ws.client.retries:1
genetec.read.timeout:120000
genetec.connect.timeout:120000

##
## changing this will set access facility id on all people imported
##
## genetec.facility.id.override=123
##
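
An added example (not part of the SAFR guide or the SAFR software): a Python check that parses genetec.properties and reports the two transport settings from section 1.8 that weaken the SAFR-to-Genetec link, which carries the sync user's password and the imported card numbers and PINs. The function names, severity labels and the defaults assumed for absent keys are assumptions of this example, and the sample input is constructed.

```python
import re
import sys

# Constructed sample in the key:value layout of the genetec.properties listing above.
SAMPLE = """\
## auto, enabled, disabled
genetec.ssl:disabled
genetec.trust.server.certificate:true
genetec.read.timeout:120000
## genetec.facility.id.override=123
"""

def parse_properties(text):
    """Return {key: value} for active lines; lines starting with '#' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Java-style properties accept ':' or '=' between key and value.
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_transport(props):
    """Return (severity, key, reason) findings for the SAFR-to-Genetec link."""
    findings = []
    # Assumed defaults when a key is absent: ssl 'auto', certificate validation on.
    ssl_mode = props.get("genetec.ssl", "auto").lower()
    trust_any = props.get("genetec.trust.server.certificate", "false").lower()
    if ssl_mode == "disabled":
        findings.append(("HIGH", "genetec.ssl",
                         "HTTP: sync password, card numbers and PINs travel in cleartext"))
    elif ssl_mode not in ("auto", "enabled"):
        findings.append(("HIGH", "genetec.ssl", f"unrecognised value {ssl_mode!r}"))
    if trust_any == "true":
        findings.append(("MEDIUM", "genetec.trust.server.certificate",
                         "server certificate is not validated; any certificate is accepted"))
    return findings

if __name__ == "__main__":
    # Pass the path to genetec.properties, or run without arguments on SAMPLE.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for severity, key, reason in audit_transport(parse_properties(text)):
        print(f"{severity:6} {key}: {reason}")
```

Run it against the file in the install location given in section 1.8.1 after any change to the SSL settings; an empty result means SSL is on and the Genetec certificate is being validated.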