32.3 Post-Installation Tasks

32.3.1 Ensuring Error-Free Installation

After you install SSPR, you can modify the configuration settings, such as changing the administrator permissions of the LDAP group DN for the default profile or changing the forward URL. NetIQ also recommends that you verify the URLs that the installation process created and change them if needed.

  1. To open the SSPR login page, enter the following URL in your browser:

    protocol://server:port/web-context

    For example,

    http://192.168.0.1:8080/sspr/

  2. On the top-right corner of the SSPR login page, select Configuration Editor from the list.

  3. Specify the configuration password and click Sign In.

  4. From the tree view, select Default Settings and ensure that NetIQ IDM/OAuth Integration is selected in the LDAP Vendor Default Settings list.

  5. From the tree view, click LDAP > LDAP Directories > default > Connection > LDAP Certificates, then click Import From Server to import the certificates.

    (Conditional) Click Test LDAP Profile on the same page to ensure that all configured LDAP servers are reachable.

  6. From the tree view, click Modules > Authenticated > Administration and ensure that the administrator permissions are assigned to the LDAP group DN for the default profile.

    If you are performing a fresh installation of SSPR, the list will be empty. You need to create a new group in iManager and add the admin user to the group.

  7. Click Settings > Application > Application, and ensure that the Forward URL is set to http://<Server:Port>/idmdash/#/landing.

    For example, http://192.168.0.1:8080/idmdash/#/landing.

  8. From the tree view, click Settings > UserInterface > Look & Feel and change Interface Theme to Micro Focus if not already specified.

  9. From the tree view, click Settings > Single Sign On (SSO) Client > OAuth and verify the values are correctly specified for the following parameters:

    OAuth Login URL

    Specifies the URL for OAuth server login. When a user logs in, SSPR redirects the user to this URL for authentication with OSP.

    For example, http://192.168.0.1:8080/osp/a/idm/auth/oauth2/grant

    OAuth Code Resolve Service URL

    Specifies the URL for OAuth Code Resolve Service. SSPR uses this web service URL to resolve the artifact that the OAuth identity server returns.

    For example, http://192.168.0.1:8080/osp/a/idm/auth/oauth2/authcoderesolve

    OAuth Profile Service URL

    Specifies the URL for the web service that Identity Manager provides to return attribute data about the user.

    For example, http://192.168.0.1:8080/osp/a/idm/auth/oauth2/getattributes

    OAUTH Web Service Server Certificate

    (Conditional) If HTTPS is enabled, import the certificate for the OAuth web service server.

    OAuth Client ID

    Specifies the client ID of the OAuth client. For example, sspr.

    OAuth Shared Secret

    Specifies a password for the OAuth shared secret. This password is shared between OSP and SSPR applications.

    OAuth User Name/DN Login Attribute

    Specifies the user attribute that SSPR uses to request that the OAuth server authenticate the user locally. For example, name.

  10. Click from the top-right corner of the page to save your configuration.

  11. On the top-right corner of the SSPR login page, select Configuration Manager from the list.

  12. Click Restrict Configuration.
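
As an added example (not part of the NetIQ documentation or of SSPR), the following Python check takes the URL values from steps 7 and 9 and reports malformed URLs, paths that differ from the ones shown on this page, plain HTTP, and OAuth URLs that do not share one server. The dictionary keys and the function name are hypothetical labels, and the check assumes a single OSP instance serves all three OAuth URLs.

```python
from urllib.parse import urlsplit

# Expected (path, fragment) per value, from the examples in steps 7 and 9.
# The dictionary keys are hypothetical labels, not SSPR setting identifiers.
EXPECTED = {
    "forward_url": ("/idmdash/", "/landing"),
    "oauth_login_url": ("/osp/a/idm/auth/oauth2/grant", ""),
    "oauth_code_resolve_url": ("/osp/a/idm/auth/oauth2/authcoderesolve", ""),
    "oauth_profile_url": ("/osp/a/idm/auth/oauth2/getattributes", ""),
}

def check_sspr_urls(settings):
    """Return findings for URL values copied out of the Configuration Editor."""
    findings, oauth_servers = [], set()
    for name, (path, fragment) in EXPECTED.items():
        value = settings.get(name, "").strip()
        if not value:
            findings.append(f"{name}: not set")
            continue
        try:
            parts = urlsplit(value)
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            findings.append(f"{name}: unparseable URL {value!r}")
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            # A typo such as 'http:/host:8080/...' leaves the host in the path.
            findings.append(f"{name}: malformed URL {value!r}")
            continue
        if (parts.path, parts.fragment) != (path, fragment):
            findings.append(f"{name}: expected path {path} and fragment {fragment!r}")
        if parts.scheme == "http":
            findings.append(f"{name}: plain HTTP, traffic is not encrypted")
        if name.startswith("oauth_"):
            oauth_servers.add((parts.scheme, parts.hostname, port))
    if len(oauth_servers) > 1:
        findings.append("OAuth URLs do not share one scheme, host and port")
    return findings

# Constructed sample: the page's example addresses plus a single-slash typo.
SAMPLE = {
    "forward_url": "http:/192.168.0.1:8080/idmdash/#/landing",
    "oauth_login_url": "http://192.168.0.1:8080/osp/a/idm/auth/oauth2/grant",
    "oauth_code_resolve_url": "http://192.168.0.1:8080/osp/a/idm/auth/oauth2/authcoderesolve",
    "oauth_profile_url": "http://192.168.0.1:8080/osp/a/idm/auth/oauth2/getattributes",
}

if __name__ == "__main__":
    print("\n".join(check_sspr_urls(SAMPLE)))
```

A plain-HTTP finding also means the OAUTH Web Service Server Certificate step does not apply, because there is no server certificate to import.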

32.3.2 Assigning the Universal Password Policy to a User Container

To assign the Universal Password policy to a user container:

  1. Log in to iManager.

  2. Select Roles and Tasks > Password Policies, then choose the password policy.

  3. To select a user with administrative rights:

    1. Click Universal Password > Configuration Options > Universal Password Retrieval.

    2. Select Allow admin to retrieve passwords or Allow the following to retrieve passwords and click OK.

      For example, cn=uaadmin,ou=sa,o=data

  4. Click Policy Assignment and assign the policy to the container where the user resides.

    For example, o=data or administrative users.

32.3.3 Granting Rights to pwmResponseSet Attributes

Users with authenticated rights perform operations based on the permissions associated with the user’s connection. Authenticated users need the following rights for their own user entry:

  • Browse rights to [Entry Rights]

  • Read, Compare, and Write rights to pwmResponseSet

To grant rights to the pwmResponseSet attribute, perform the following steps:

  1. Log in to iManager.

  2. Click .

  3. Click iManager Server > Configure iManager.

  4. Click Misc > Enable [this].

  5. Click .

  6. From the Tree view, select the top level container of all users in the directory.

  7. Click the current level check box and then click Actions > Modify Trustees.

  8. Click [This] from the list and then click Add Trustee.

  9. Click Apply.

  10. Click Assigned Rights for [This] trustee.

  11. Click Add Property and then select the Show all properties in schema check box.

  12. Select pwmResponseSet from the list.

    Ensure that Write, Compare, Read, and Inherited options are selected.

  13. Click Done.