Deploy Step-By-Step

This section will guide you through the FindFace Security step-by-step deployment process. Follow the instructions below minding the sequence.


Before deploying FindFace Security, make sure that the system time and time zone are correct, and time synchronization via ntpd/systemd-timesyncd is enabled. When using FindFace Security, avoid any sudden changes in time, as they may result in unavailability of the FindFace Security services after reboot.

In this section:

Prepare Packages for Installation

To prepare the FindFace Security deb-packages for installation, do the following:

  1. Unpack the package with components.

    sudo dpkg -i <findface-security-repo>.deb
  2. Add a signature key.

    sudo apt-key add /var/findface-security-repo/public.key
    sudo apt-get update
  3. Unpack the packages with the neural network models.

    sudo dpkg -i findface-data*.deb


The FindFace Security basic configuration requires PostgreSQL and Redis. Install them from the Ubuntu repository as such:

sudo apt-get update
sudo apt install -y postgresql-server-dev-9.5 redis-server

The FindFace Security video-based biometric identification requires ETCD. Install it from the FindFace Security package with components:

sudo apt install -y etcd


You receive a license file from your NTechLab manager along with the FindFace Security distributable packages. For on-premise licensing, you will be also provided with a Guardant USB dongle.

To install and configure the license server (NTLS), do the following:

  1. Install the NTLS component:

    sudo apt-get update
    sudo apt-get install ntls


    In the NTLS configuration file, you can change the license folder and the NTLS web interface remote access settings. To open the NTLS configuration file, execute:

    sudo vi /etc/ntls.cfg

    If necessary, change the license folder in the license-dir parameter. By default, license files are stored at /ntech/license:

    license-dir = /ntech/license

    If necessary, uncomment the proxy line and specify your proxy server IP address:

    proxy =

    By default, you can access the NTLS web interface from any remote host (ui = To indicate that accessing the NTLS web interface must originate from a specific IP address, edit the ui parameter:

    ui =
  2. Enable the NTLS service autostart and launch the service:

    sudo systemctl enable ntls && sudo systemctl start ntls
  3. Upload the license file via the NTLS web interface http://<NTLS_IP_address>:3185/#/.

  4. For the on-premise licensing, insert a Guardant USB dongle into a USB port.

Basic Configuration

The FindFace Security basic configuration includes a database, database extensions, the ffsecurity and ffsecurity-ui components. To install the basic configuration, do the following:

  1. Install the findface-postgres-9.5-facen extension for PostgreSQL from the <ffsecurity-repo>.deb package:

    sudo apt install -y findface-postgres-9.5-facen
  2. Using the PostgreSQL console, create a new user ntech and a database ffsecurity. Upload the findface-postgres-9.5-facen extension to the ffsecurity database by using the facen-compare-bytea label.

    sudo -u postgres psql
    postgres=# CREATE ROLE ntech WITH LOGIN;
    postgres=# CREATE DATABASE ffsecurity WITH OWNER ntech ENCODING 'UTF-8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE template0;
    postgres=# \c ffsecurity;
    ffsecurity=# CREATE EXTENSION "facen-compare-bytea";

    To quit from the PostgreSQL console, type \q и press Enter.

  3. Allow authentication in PostgreSQL by UID of a socket client. Restart PostgreSQL.

    echo 'local all ntech peer' | sudo tee -a /etc/postgresql/9.5/main/pg_hba.conf
    sudo systemctl restart postgresql@9.5-main.service
  4. Install the ffsecurity component from the <ffsecurity-repo>.deb package.


    NginX will be automatically installed from dependencies.

    sudo apt install -y ffsecurity
  5. Install the ffsecurity-ui web interface from the <ffsecurity-repo>.deb package.

    sudo apt install -y ffsecurity-ui
  6. Open the /etc/ffsecurity/ configuration file. In the EXTERNAL_ADDRESS parameter , specify the external IP address or URL that will be used to access the FindFace Security web interface. If videomanager-api and/or extraction-api are to be installed on remote hosts, specify these hosts’ IP addresses in the VIDEO_MANAGER_ADDRESS and EXTRACTION_API parameters respectively (see Video-Based Biometric Identification for details). To authorize the video face detection module, come up with a token and specify it as VIDEO_DETECTOR_TOKEN. This token will be being passed to the videomanager-api jobs.


    If necessary, ensure data security by enabling SSL.


    If necessary, set ’IGNORE_UNMATCHED’: True to disable logging events for faces which have no match in the dossiers (negative verification result). Enable this option if the system has to process a large number of faces. The face similarity threshold for verification is defined by the CONFIDENCE_THRESHOLD parameter.


    It is recommended to change the MINIMUM_DOSSIER_QUALITY default value. This parameter determines the minimum quality of a face in a dossier photo. Photos containing faces of worse quality will be rejected when uploading to a dossier. Upright faces in frontal position are considered the best quality. They result in values around 0, mostly negative (such as -0.00067401276, for example). Inverted faces and large face angles are estimated with negative values some -5 and less. By default, ’MINIMUM_DOSSIER_QUALITY’: -2 which is the average quality.

    sudo vi /etc/ffsecurity/
    DEBUG = False
    LANGUAGE_CODE = 'en-us'
        'default': {
            'ENGINE': 'django.db.backends.postgresql',
            'NAME': 'ffsecurity',
    # use pwgen -sncy 50 1|tr "'" "." to generate your own unique key
    SECRET_KEY = 'changeme'
        'IGNORE_UNMATCHED': False,
        'EXTRACTION_API': '',
        'plugins' =
            'genetec' = True,


    If necessary, edit the /etc/nginx/sites-available/ffsecurity-nginx.conf configuration file as well.

  7. Generate a signature key for the session encryption (used by Django) by executing: pwgen -sncy 50 1|tr “’” “.”. Specify this key as SECRET_KEY.

  8. Disable the default nginx server and add the ffsecurity server to the list of enabled servers. Restart nginx.

    sudo rm /etc/nginx/sites-enabled/default
    sudo ln -s /etc/nginx/sites-available/ffsecurity-nginx.conf /etc/nginx/sites-enabled/
    sudo nginx -s reload
  9. Migrate the database architecture from FindFace Security to PostgreSQL, create user groups with pre-defined rights and the first user with administrator rights (a.k.a. Super Administrator).


    Super Administrator cannot be deprived of its rights, whatever the role.

    sudo findface-security migrate
    sudo findface-security create_groups
    sudo findface-security createsuperuser --username admin --email root@localhost
  10. Start the services.


    The ffsecurity service includes findface-security-proto (provides HTTP and web socket) and findface-security-worker (provides interaction of the other system components). The number of the findface-security-worker instances is calculated using the formula: N=(number of CPU cores-1). It is specified after the @ character, for example, findface-security-worker@{1,2,3} for 3 instances.

    sudo systemctl enable redis-server findface-security-proto findface-security-worker@{1,2,3,4}
    sudo systemctl start redis-server findface-security-proto findface-security-worker@{1,2,3,4}

Video-Based Biometric Identification

To install the videomanager-api, video-worker, and extraction-api components for video-based biometric identification, do the following:

  1. Enable the ETCD service autostart and launch the service:

    sudo systemctl enable etcd.service && sudo systemctl start etcd.service
  2. Install videomanager-api, video-worker, and extraction-api.

    sudo apt install -y findface-videomanager-api fkvideo-worker findface-extraction-api
  3. Open the /etc/findface-videomanager-api.conf configuration file for editing. In the router_url parameter, substitute the string that goes before v0/frame with the ffsecurity IP address and port (set as EXTERNAL_ADDRESS at /etc/ffsecurity/ The video-worker component will be posting detected faces to the specified address.

    sudo vi /etc/findface-videomanager-api.conf
  4. In the ntls -> url parameter, specify the NTLS host IP address if the NTLS host is remote.

  5. Open the /etc/video-worker.ini configuration file for editing.

    sudo vi /etc/video-worker.ini
  6. In the ntls-addr parameter, specify the NTLS host IP address if the NTLS host is remote.

  7. In the mgr-static parameter, specify the videomanager-api host IP address, which provides video-worker with settings and the video stream list.

  8. In the capacity parameter, specify the maximum number of video streams to be processed by video-worker.

  9. In the extraction-api configuration file, enable the quality_estimator to be able to estimate the face quality in a dossier.


    The minimum face quality in a dossier photo is set as MINIMUM_DOSSIER_QUALITY in /etc/ffsecurity/

    sudo vi /etc/findface-extraction-api.ini
    quality_estimator: true
  10. In the extraction-api configuration file, disable searching for gender, age, emotions, and country recognition models by passing empty values to the gender, age and emotions and countries47 parameters:


    Do not remove the parameters themselves as in this case the system will be searching for default models.

      gender: ''
      age: ''
      emotions: ''
      countries47: ''

    As a result, the extraction-api configuration file should look something like this:

    listen: :18666
      model: /usr/share/findface-data/normalizer.dat
        adjust_threshold: 0
        upsample_times: 1
      model: /usr/share/nnd/nnd.dat
      quality_estimator: false
      quality_estimator_model: /usr/share/nnd/quality_estimator_v2.dat
        min_face_size: 30
        max_face_size: .inf
        scale_factor: 0.79
        p_net_thresh: 0.5
        r_net_thresh: 0.5
        o_net_thresh: 0.9
        p_net_max_results: 0
      root: /usr/share/findface-data/models
      facen: elderberry_576
      gender: ''
      age: ''
      emotions: ''
      countries47: ''
      model_instances: 1
      enabled: true
      size_limit: 10485760
    max_dimension: 6000
    allow_cors: false
    ticker_interval: 5000
  11. Enable the videomanager-api, video-worker, and extraction-api autostart and launch the services.

    sudo systemctl enable findface-videomanager-api.service && sudo systemctl start findface-videomanager-api.service
    sudo systemctl enable video-worker.service && sudo systemctl start video-worker.service
    sudo systemctl enable findface-extraction-api.service && sudo systemctl start findface-extraction-api.service