10.2 Installing Password Management for Identity Manager

This section describes the installation process for SSPR. You can install SSPR on the same server where the OSP component is installed or on a separate server.

NOTE: If you use the legacy forgot password method, you do not need to install SSPR.

10.2.1 Using the Wizard to Install Self Service Password Reset

The following procedure describes how to install SSPR on a Windows platform using an installation wizard. To perform a silent, unattended installation, see Silently Installing Self Service Password Reset. To prepare for the installation, review the prerequisites and system requirements listed in Checklist for Installing Password Management Components.

  1. Log in as an administrator to the server where you want to install SSPR.

  2. Stop the Tomcat server.

  3. (Conditional) If you have the .iso image file for the Identity Manager installation package, navigate to the directory containing the SSPR installation files, located by default in the products\CommonApplication\sspr_install directory.

  4. (Conditional) If you downloaded the SSPR installation files, complete the following steps:

    1. Navigate to the win.zip file for the downloaded image.

    2. Extract the contents of the file to a directory on the local computer.

  5. From the directory that contains the installation files, run the sspr-install-win.exe file.

  6. Read and accept the license agreement, and then click Next.

  7. Specify a path for the installed files.

  8. Complete the guided process, using the following parameters:

    • Tomcat details

      Represents the home directory for the Tomcat server. For example, C:\NetIQ\idm\apps\tomcat. The installation process adds some files for SSPR to this folder.

    • Tomcat connection

      Represents the URL that users use to connect to SSPR on the Tomcat server. For example, https://myserver.mycompany.com:8080.

      NOTE: You must also select Connect to an external authentication server and specify values for the external server if both of the following are true:

      • You are installing SSPR.

      • OSP runs on a different instance of the supported application server than SSPR does.

      Protocol

      Specifies whether you want to use http or https. To protect the connection with SSL/TLS, specify https.

      Host Name

      Specifies the DNS name or IP address of the server where you are installing SSPR. Do not use localhost.

      Port

      Specifies the port that you want the server to use for communication with client computers.

      Connect to an external authentication server

      Specifies whether a different instance of Tomcat hosts the authentication server (OSP). The authentication server contains the list of users who can log in to SSPR.

      If you select this setting, also specify values for the authentication server’s Protocol, Host name, and Port.

    • Tomcat Java home

      Represents the home directory for Java on the Tomcat server. For example, C:\NetIQ\idm\jre. The installation process adds some files for SSPR to the directory.

    • Authentication details

      Represents the requirements for connecting to the authentication server which contains the list of users who can log in to the application.

      LDAP host

      Specifies the DNS name or IP address of the LDAP authentication server. Do not use localhost.

      LDAP port

      Specifies the port on which the LDAP authentication server listens. For example, specify 389 for a cleartext LDAP port or 636 for an LDAPS (SSL) connection.

      Use SSL

      Specifies whether to use SSL for connections between SSPR and the LDAP authentication server (the Identity Vault). If you specify 636 as the LDAP port, select this setting.

      JRE Trust store (cacerts) file

      Applies only when you want to use SSL for the LDAP connection.

      Specifies the path to the JRE trust store that contains the LDAP server's certificate, or the certificate of the CA that issued it. For example, C:\NetIQ\idm\apps\jre\lib\security\cacerts.

      JRE Trust store password

      Applies only when you want to use SSL for the LDAP connection.

      Specifies the password for the cacerts file. Java ships the cacerts file with the well-known default password changeit; change it before you rely on the trust store, and enter the new password here.

      Admin DN

      Applies only when installing a new authentication server.

      Specifies the DN for an administrator account of the LDAP authentication server. For example, cn=admin,ou=sa,o=system.

      Admin password

      Applies only when installing a new authentication server.

      Specifies the password for the administrator account of the LDAP authentication server.

      User container

      Applies only when installing a new authentication server.

      Specifies the container in the LDAP authentication server where you store the user accounts that can log in to SSPR. For example, o=data.

      Admin container

      Applies only when installing a new authentication server.

      Specifies the container in the LDAP authentication server where you store the administrator accounts for SSPR. For example, ou=sa,o=system.

      Keystore Password

      Applies only when installing a new authentication server.

      Specifies the password that you want to create for the new keystore for the LDAP authentication server.

      The password must be a minimum of six characters.

    • SSPR details

      Represents the settings required for configuring SSPR.

      Configuration password

      Specifies the password that you want to create for an administrator to use to configure SSPR.

      By default, SSPR has no configuration password. Without one, any user who can log in to SSPR can also modify the configuration settings, so set a strong password here.

      SSPR redirect URL

      Specifies the absolute URL to which SSPR redirects the user's browser after an action such as a password change or challenge-response setup is completed in SSPR. For example, forward to the Dashboard.

      Use the following format: protocol://server:port/path. For example, http://idm_userapp_server_ip:port_no/idmdash/#/landing.

    • Authentication server details

      Represents the password that you want to create for the SSPR OAuth client to use when authenticating to OSP, the authentication server. Also referred to as the client secret. The same value must be configured on the OSP side, so use a long random string rather than a human-chosen password.

      To modify this password after installation, use the Configuration Update utility.

    • Auditing details (SSPR)

      Represents the settings for sending SSPR audit events to a syslog server.

      (Conditional) Enable auditing for SSPR

      Specifies whether you want to send SSPR events to an auditing server.

      If you select this setting, also specify the settings for the syslog server.

      Syslog host name

      Applies only when you enable auditing for SSPR.

      Specifies the DNS name or IP address of the syslog server. Do not use localhost.

      Syslog port

      Applies only when you enable auditing for SSPR.

      Specifies the port on which the syslog server listens.

  9. To configure the identity applications and Identity Reporting to use SSPR, continue to Section 11.0, Installing Identity Applications.

  10. In the Configuration Update utility, update the SSO Clients parameters. For more information, see Self Service Password Reset.

    For more information about configuring forgotten password management, see Configuring Forgotten Password Management.
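For the Use SSL and JRE Trust store fields above, the certificate that the Identity Vault presents on its LDAPS port (or the CA certificate that issued it) must already be in the cacerts file you name, or the LDAPS bind from SSPR fails. The following PowerShell script is an added example and is not part of the NetIQ documentation or installer. It fetches the LDAP server's certificate, refuses to trust it unless its SHA-256 fingerprint matches a value you obtained out of band (for example, by exporting the certificate from iManager), and then imports it into the JRE trust store with keytool. The host name, JRE path, alias and fingerprint are placeholders for your own values.

```powershell
# Added example, not part of the NetIQ documentation. All values below are
# placeholders: replace LdapHost, JreHome, Alias and ExpectedSha256 with your own.
param(
    [string]$LdapHost  = 'idvault.mycompany.com',   # Identity Vault LDAP host; never localhost
    [int]   $LdapPort  = 636,                        # LDAPS port (the wizard's LDAP port with Use SSL)
    [string]$JreHome   = 'C:\NetIQ\idm\apps\jre',    # Tomcat JRE; cacerts lives under lib\security
    [string]$StorePass = 'changeit',                 # Java's shipped default; change it (see note below)
    [string]$Alias     = 'idvault-ldaps',
    [string]$ExpectedSha256 = ''                     # fingerprint obtained out of band; empty = print only
)
$ErrorActionPreference = 'Stop'
$keytool = Join-Path $JreHome 'bin\keytool.exe'
$cacerts = Join-Path $JreHome 'lib\security\cacerts'
foreach ($f in $keytool, $cacerts) { if (-not (Test-Path $f)) { throw "Not found: $f" } }

# 1. Complete a TLS handshake with the LDAP server to obtain the certificate it
#    presents. The callback returns $true only so that the handshake finishes and
#    the certificate can be inspected; nothing is trusted until the fingerprint check.
$acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $LdapPort)
try {
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptForInspection)
    $tls.AuthenticateAsClient($LdapHost)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 2. Pin on the SHA-256 fingerprint of the DER-encoded certificate.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = ([System.BitConverter]::ToString($sha256.ComputeHash($serverCert.RawData))) -replace '-', ''
Write-Host "Subject   : $($serverCert.Subject)"
Write-Host "Issuer    : $($serverCert.Issuer)"
Write-Host "Not after : $($serverCert.NotAfter)"
Write-Host "SHA-256   : $fingerprint"
if ($serverCert.NotAfter -lt (Get-Date)) { throw 'Server certificate has expired; fix the Identity Vault first.' }
if (-not $ExpectedSha256) {
    Write-Warning 'No expected fingerprint given; nothing imported. Verify the value above out of band and rerun.'
    return
}
if ($fingerprint -ne ($ExpectedSha256 -replace '[:\s]', '').ToUpper()) {
    throw 'Fingerprint mismatch: refusing to import a certificate that was not verified out of band.'
}

# 3. Import into the JRE trust store named in the wizard's "JRE Trust store (cacerts) file" field.
$der = Join-Path $env:TEMP "$Alias.der"
[System.IO.File]::WriteAllBytes($der,
    $serverCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
try {
    & $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $der -keystore $cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
    # 4. Verify that the entry is present under the alias.
    & $keytool -list -keystore $cacerts -storepass $StorePass -alias $Alias
    if ($LASTEXITCODE -ne 0) { throw "Alias $Alias not found after import" }
} finally {
    Remove-Item $der -ErrorAction SilentlyContinue
}
```

Importing the leaf certificate pins it, so you must rerun the import after the Identity Vault's certificate is renewed; importing the issuing CA certificate instead (exported from iManager) survives renewals. The store password is what protects the trust store's integrity check, so if you keep the shipped changeit value anyone with write access to the file can add a trusted certificate unnoticed. Change it with keytool -storepasswd -new <password> -keystore <path to cacerts> and enter the new password in the JRE Trust store password field.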

10.2.2 Silently Installing Self Service Password Reset

A silent (non-interactive) installation does not display a user interface or ask the user any questions.

  1. Log in as an administrator to the computer where you want to install the components.

  2. Stop Tomcat.

  3. (Conditional) If you have the .iso image file for the Identity Manager installation package, navigate to the directory containing the SSPR installation files, located by default in the sspr directory.

  4. (Conditional) If you downloaded the installation files from the NetIQ Downloads website, complete the following steps:

    1. Navigate to the .zip file for the downloaded image.

    2. Extract the contents of the file to a folder on the local computer.

  5. Edit the sspr-silent.properties file for the SSPR installation, located by default in the same directory as the installation scripts.

    For more information about the settings for installation, see Step 7 and Step 8.

  6. To run the silent installation, issue the following command:

    sspr-install-win.exe -i silent -f path_to_silent.properties_file

    Check the exit code of the installer before continuing; a silent installation reports failures only through its exit code and log file, not on screen.

  7. In the Configuration Update utility, update the SSO Clients parameters. For more information, see Self Service Password Reset.

10.2.3 Post-Installation Tasks

Post-installation tasks generally include the following tasks:

Ensuring Error-Free Installation

After you install SSPR, you can modify the configuration settings, such as changing the administrator permission granted to the LDAP group DN for the default profile, or changing the forward URL. Also, NetIQ recommends that you verify the URLs that the installation process created and change them if needed.

  1. To open the SSPR login page, enter the following URL on your browser:

    protocol://server:port/web-context

    For example,

    http://192.168.0.1:8080/sspr/

  2. On the top-right corner of the SSPR login page, select Configuration Editor from the list.

  3. Specify the configuration password and click Sign In.

  4. From the tree view, select Default Settings and ensure that NetIQ IDM/OAuth Integration is selected in the LDAP Vendor Default Settings list.

  5. From the tree view, click LDAP > LDAP Directories > default > Connection > LDAP Certificates, then click Import From Server to import the certificates.

    (Conditional) Click Test LDAP Profile on the same page to ensure that all configured LDAP servers are reachable.

  6. From the tree view, click Modules > Authenticated > Administration and ensure that the administrator permissions are assigned to the LDAP group DN for the default profile.

    If you are performing a fresh installation of SSPR, the list will be empty. You need to create a new group in iManager and add the admin user to the group.

  7. From the tree view, click Settings > Application > Application, and ensure that the Forward URL is set to http://<Server:Port>/idmdash/#/landing.

    For example, http://192.168.0.1:8080/idmdash/#/landing.

  8. From the tree view, click Settings > UserInterface > Look & Feel and change Interface Theme to Micro Focus (mdefault) if not already specified.

  9. From the tree view, click Settings > Single Sign On (SSO) Client > OAuth and verify the values are correctly specified for the following parameters:

    OAuth Login URL

    Specifies the URL for the OAuth server login. When a user logs in, SSPR redirects the user's browser to this URL to authenticate with OSP.

    For example, http://192.168.0.1:8080/osp/a/idm/auth/oauth2/grant

    OAuth Code Resolve Service URL

    Specifies the URL for OAuth Code Resolve Service. SSPR uses this web service URL to resolve the artifact that the OAuth identity server returns.

    For example, http://192.168.0.1:8080/osp/a/idm/auth/oauth2/authcoderesolve

    OAuth Profile Service URL

    Specifies the URL for the web service that OSP provides to return the authenticated user's attribute data.

    For example, http://192.168.0.1:8080/osp/a/idm/auth/oauth2/getattributes

    OAuth Web Service Server Certificate

    (Conditional) If HTTPS is enabled, import the certificate for the OAuth web service server so that SSPR trusts the OSP endpoints above.

    OAuth Client ID

    Specifies the client ID of the OAuth client. For example, sspr.

    OAuth Shared Secret

    Specifies the OAuth shared secret (client secret). This value is shared between OSP and SSPR and must match the client secret that you specified in the Authentication server details during installation.

    OAuth User Name/DN Login Attribute

    Specifies the user attribute that SSPR passes to the OAuth server to identify the user who is authenticating. For example, name.

  10. Click the Save icon in the top-right corner of the page to save your configuration.

  11. On the top right corner of the SSPR login page, select Configuration Manager from the list.

  12. Click Restrict Configuration.
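Steps 7 and 9 above ask you to verify a set of URLs that must agree with each other and with the values entered in the wizard. The following PowerShell script is an added example, not something the NetIQ documentation or SSPR provides. It applies the checks those steps describe (absolute protocol://server:port/path form, no localhost, the three OAuth endpoints pointing at one OSP instance with the documented paths, the Forward URL ending in #/landing), flags plain http for the OAuth endpoints, and confirms that each host and port is reachable from the SSPR server. The host names, ports and client ID are placeholders for your own values.

```powershell
# Added example, not part of the NetIQ documentation. Replace the placeholder
# hosts, ports and client ID with the values from your wizard run and the
# SSPR Configuration Editor.
$ErrorActionPreference = 'Stop'

$urls = [ordered]@{
    'SSPR URL'                       = 'https://sspr.mycompany.com:8443/sspr/'
    'Forward URL'                    = 'https://idmapps.mycompany.com:8443/idmdash/#/landing'
    'OAuth Login URL'                = 'https://idmapps.mycompany.com:8443/osp/a/idm/auth/oauth2/grant'
    'OAuth Code Resolve Service URL' = 'https://idmapps.mycompany.com:8443/osp/a/idm/auth/oauth2/authcoderesolve'
    'OAuth Profile Service URL'      = 'https://idmapps.mycompany.com:8443/osp/a/idm/auth/oauth2/getattributes'
}
$oauthClientId = 'sspr'   # must match the client ID under which OSP knows SSPR
# Path each OAuth setting must end with, taken from the documented examples.
$oauthPaths = @{
    'OAuth Login URL'                = '/osp/a/idm/auth/oauth2/grant'
    'OAuth Code Resolve Service URL' = '/osp/a/idm/auth/oauth2/authcoderesolve'
    'OAuth Profile Service URL'      = '/osp/a/idm/auth/oauth2/getattributes'
}

$problems = New-Object System.Collections.Generic.List[string]
$parsed   = @{}

foreach ($name in $urls.Keys) {
    $uri = $null
    if (-not [System.Uri]::TryCreate($urls[$name], [System.UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -notin @('http', 'https')) {
        $problems.Add("$name is not an absolute http(s) URL: $($urls[$name])")
        continue
    }
    $parsed[$name] = $uri
    # The wizard fields say "Do not use localhost": the user's browser, not the
    # server, follows these redirects, so localhost would point at the user's own machine.
    if ($uri.Host -match '^(localhost|127\.|\[?::1)') { $problems.Add("$name uses a loopback host: $($uri.Host)") }
    if ($uri.Scheme -eq 'http') {
        $problems.Add("$name is plain http; authorization codes and the OAuth shared secret would cross the network in clear text")
    }
}

# All three OAuth endpoints belong to one OSP instance: same scheme, host and port, documented path.
$osp     = $oauthPaths.Keys | Where-Object { $parsed.ContainsKey($_) } | ForEach-Object { $parsed[$_] }
$origins = $osp | ForEach-Object { "$($_.Scheme)://$($_.Host):$($_.Port)" } | Sort-Object -Unique
if ($origins.Count -gt 1) { $problems.Add("OAuth URLs point at different OSP origins: $($origins -join ', ')") }
foreach ($name in $oauthPaths.Keys) {
    if ($parsed.ContainsKey($name) -and $parsed[$name].AbsolutePath -ne $oauthPaths[$name]) {
        $problems.Add("$name path is $($parsed[$name].AbsolutePath); expected $($oauthPaths[$name])")
    }
}
# Forward URL: the dashboard landing route is in the fragment, which System.Uri exposes separately.
if ($parsed.ContainsKey('Forward URL') -and $parsed['Forward URL'].Fragment -ne '#/landing') {
    $problems.Add("Forward URL should end in /idmdash/#/landing (fragment is '$($parsed['Forward URL'].Fragment)')")
}
if ([string]::IsNullOrWhiteSpace($oauthClientId)) { $problems.Add('OAuth Client ID is empty') }

# Reachability from this server for every distinct host:port pair.
$parsed.Values | Sort-Object Host, Port -Unique | ForEach-Object {
    if (-not (Test-NetConnection -ComputerName $_.Host -Port $_.Port -InformationLevel Quiet)) {
        $problems.Add("TCP connection to $($_.Host):$($_.Port) failed from this server")
    }
}

if ($problems.Count -eq 0) { Write-Host 'All SSPR/OSP URL checks passed.' }
else { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Run the script on the SSPR server itself, because the reachability test must reflect the path SSPR uses to call the OAuth code-resolve and profile services, not the path a workstation uses. A passing TCP check does not prove the TLS certificate is trusted; the OAuth Web Service Server Certificate step above still has to be done for https endpoints.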

Assigning the Universal Password Policy to a User Container

To assign the Universal Password policy to a user container:

  1. Log in to iManager.

  2. Select Roles and Tasks > Password Policies, then choose the password policy.

  3. To select a user with administrative rights:

    1. Click Universal Password > Configuration Options > Universal Password Retrieval.

    2. Select Allow admin to retrieve passwords or Allow the following to retrieve passwords and click OK.

      For example, cn=uaadmin,ou=sa,o=data

  4. Click Policy Assignment and assign the policy to the container where the users reside.

    For example, o=data, or the container that holds the administrative users.

Granting Rights to pwmResponseSet Attributes

Users with authenticated rights perform operations based on the permissions associated with the user’s connection. Authenticated users need the following rights for their own user entry:

  • Browse rights to [Entry Rights]

  • Read, Compare, and Write rights to pwmResponseSet

To grant rights to pwmResponseSet attribute, perform the following steps:

  1. Log in to iManager.

  2. Click the Configure icon.

  3. Click iManager Server > Configure iManager.

  4. Click Misc > Enable [this].

  5. Click the View Objects icon.

  6. From the Tree view, select the top level container of all users in the directory.

  7. Click the current level check box and then click Actions > Modify Trustees.

  8. Click [This] from the list and then click Add Trustee.

  9. Click Apply.

  10. Click Assigned Rights for [This] trustee.

  11. Click Add Property and then select the Show all properties in schema check box.

  12. Select pwmResponseSet from the list.

    Ensure that the Write, Compare, Read, and Inherit options are selected. Inherit is required so that the assignment made at the top-level container applies to the user entries below it.

  13. Click Done.