15.1 Configuring Locked and Unlocked Modes

Configuration operations are usually performed by Self Service Password Reset administrators, who belong to an LDAP Self Service Password Reset administration group. For more information, see Configuring the Administrators Module. However, there are circumstances in which an LDAP-defined Self Service Password Reset administrator cannot perform some Self Service Password Reset configuration operations. For this reason, Self Service Password Reset has two configuration modes:

Locked Configuration: In this mode, configuration operations require authentication as a Self Service Password Reset administrator, that is, a member of the LDAP Self Service Password Reset administration group.

Unlocked Configuration: In this mode:

  • Configuration operations do not require LDAP authentication as a member of the administration group.

  • End user services, such as the Change Password, Setup Security Questions, and My Account modules, are unavailable.

  • Self Service Password Reset administrative users can perform additional administrative operations, such as importing the Self Service Password Reset configuration file.

IMPORTANT: While Self Service Password Reset is in production use and reachable by untrusted network entities, you must always keep it in the locked configuration mode to preserve its security integrity.

Changing from the locked configuration mode to the unlocked configuration mode is a security-sensitive operation, and must not be possible through the standard Self Service Password Reset access channels. Instead, Self Service Password Reset implements the unlock configuration operation through side-band channels that differ for each deployment type of Self Service Password Reset.

15.1.1 When to Run Self Service Password Reset in the Unlocked Configuration Mode

There are two use cases for running Self Service Password Reset in the unlocked configuration mode: you have lost the configuration password, or the connection to the LDAP directory has become corrupted.

Lost Configuration Password

During the Self Service Password Reset installation, you specify a Configuration Password. Self Service Password Reset requires the Configuration Password before it allows any modification of its configuration. In the unlocked configuration mode, you can delete the current Self Service Password Reset configuration and then reconfigure Self Service Password Reset as if it were a new installation, including specifying a new Configuration Password.

Corrupted Configuration for the LDAP Connection

Self Service Password Reset interfaces with the LDAP directories that contain your users. If the LDAP directory becomes unavailable or corrupted, you must run Self Service Password Reset in the unlocked configuration mode to fix the connection. Likewise, if you modify the Self Service Password Reset configuration for the LDAP connection in a way that severs the connection, you must run Self Service Password Reset in the unlocked configuration mode to repair it.

15.1.2 How to Lock and Unlock the Self Service Password Reset Configuration

Each platform deployment of Self Service Password Reset requires different steps to lock or unlock the Self Service Password Reset configuration. Use the platform-specific steps for your environment to lock or unlock the configuration.

How to Lock and Unlock the Self Service Password Reset Configuration for the Appliance

Use the following information if you have deployed the Self Service Password Reset appliance to lock and unlock the Self Service Password Reset configuration.

The Self Service Password Reset appliance has two user interface ports:

  • Port 443: The public interface port for the Self Service Password Reset application.

  • Port 9443: The private interface for maintenance of Self Service Password Reset.

Only the appliance version of Self Service Password Reset uses the port 9443 interface. We recommend that only administrators access this interface and that you place it behind a firewall that limits access to administrators. This interface is used for overall appliance maintenance, and it also provides a convenient side-band interface for specific Self Service Password Reset administrative operations.

To lock or unlock the Self Service Password Reset configuration for the appliance:

  1. Log in to the appliance administration interface as the appliance root user.

    https://dns-name-sspr-appliance:9443
  2. Click Administrative Commands.

  3. Specify the appropriate command.

    Lock Configuration: Prevents anyone from editing the configuration without an LDAP authentication.

    Unlock Configuration: Allows anyone to edit the configuration without an LDAP authentication.

    Delete Configuration: Deletes the product configuration of Self Service Password Reset, if it exists.

    Reset HTTPS Settings: Resets the HTTPS settings to the default values.

    Show version: Displays the current Self Service Password Reset product version.

  4. Ensure that you lock the configuration again so that Self Service Password Reset functions normally.

When the appliance is in the unlocked configuration mode, locking the Self Service Password Reset configuration through the appliance administrative commands accomplishes the same thing as clicking Restrict Configuration in the Configuration Manager at https://dns-name-appliance/sspr.

How to Lock and Unlock the Self Service Password Reset Configuration on Windows

Use the following information if you have deployed Self Service Password Reset on Windows using the .msi file.

The Windows version of Self Service Password Reset provides a batch command-line utility (sspr.cmd) for various Self Service Password Reset administrative operations. You must have access to the Windows file system where you installed Self Service Password Reset to run the batch command-line utility.

To lock and unlock the Self Service Password Reset configuration on Windows:

  1. Log in to the Windows server as an administrator with file system access to where you installed Self Service Password Reset.

  2. Access the batch file here:

    x:\Program Files\NetIQ Self Service Password Reset\sspr.cmd
  3. From the command line, enter sspr.cmd.

  4. Specify the appropriate commands:

    help: Lists all available commands in the batch file.

    ConfigDelete: Deletes the Self Service Password Reset configuration file.

    ConfigLock: Locks the Self Service Password Reset configuration file, and prevents administrators from editing the configuration file without LDAP authentication.

    ConfigResetHttps: Resets the Self Service Password Reset HTTPS settings to the default values.

    ConfigSetPassword [password]: Sets the configuration password for Self Service Password Reset.

    ConfigUnlock: Unlocks the Self Service Password Reset configuration file and allows administrators to edit the configuration file without LDAP authentication.

    Version: Lists the current version of the Self Service Password Reset deployment.

    Exit: Exits the command-line shell of the batch file.

  5. Ensure that you lock the configuration again so that Self Service Password Reset functions normally.

When the Windows version of Self Service Password Reset is in the unlocked configuration mode, locking the Self Service Password Reset configuration with the batch file accomplishes the same thing as clicking Restrict Configuration in the Configuration Manager at https://dns-name-appliance/sspr.

How to Lock and Unlock the Self Service Password Reset Configuration on Linux

Use the following information if you have deployed Self Service Password Reset on Linux using the WAR file.

The Linux version of Self Service Password Reset provides a shell script command-line utility for various Self Service Password Reset administrative operations. You must have file system access to where you installed Self Service Password Reset to run the shell script command-line utility.

To lock or unlock the Self Service Password Reset configuration on Linux:

  1. Log in to the Linux server as a user with file system access to where you installed Self Service Password Reset.

  2. Access the shell script command-line utility here:

    /Tomcat_home/webapps/sspr/WEB-INF/command.sh
  3. Specify the appropriate command:

    Lock: ./command.sh configLock

    Unlock: ./command.sh configUnlock

  4. Ensure that you lock the configuration again so that Self Service Password Reset functions normally.

When the Linux version of Self Service Password Reset is in the unlocked configuration mode, locking the Self Service Password Reset configuration with the shell script command-line utility accomplishes the same thing as clicking Restrict Configuration in the Configuration Manager at https://dns-name-appliance/sspr.
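The wrapper below is an added example; it is not part of the original documentation or of the Self Service Password Reset product. It shows the practice the Linux, Windows and appliance procedures above all end with: the configuration is unlocked only for the duration of one maintenance task and is locked again on every exit path, whether the task succeeds, fails, or is interrupted with Ctrl-C or SIGTERM, so the server is never left in the unlocked mode by accident. A failed re-lock is reported loudly and turned into its own exit status, because that is the condition an operator must fix before the server is exposed to untrusted networks again. It assumes the documented command.sh path and its configUnlock and configLock arguments; the SSPR_CMD variable and the function name are the example's own.

```shell
#!/bin/sh
# Added example, not NetIQ's own tooling: run a single maintenance task while
# the Self Service Password Reset configuration is unlocked, and lock the
# configuration again on every exit path (task success, task failure, Ctrl-C,
# SIGTERM), so that the server is never left in the unlocked mode by accident.
#
# Assumptions: command.sh lives at the documented Tomcat path and accepts the
# documented configUnlock / configLock arguments. The SSPR_CMD variable and
# the function name are this example's own, not part of the product.

SSPR_CMD="${SSPR_CMD:-/Tomcat_home/webapps/sspr/WEB-INF/command.sh}"

# sspr_with_unlocked_config TASK [ARGS...]
# Exit status: the task's status; 2 if the configuration could not be
# re-locked (the operator must fix that before going back into production);
# or the unlock's own status if the unlock failed (the task is then not run,
# and nothing needs undoing). The body is a subshell so its traps never leak
# into the caller's shell.
sspr_with_unlocked_config() (
    relock() {
        "$SSPR_CMD" configLock && return 0
        echo "ERROR: $SSPR_CMD configLock failed; configuration is STILL UNLOCKED" >&2
        return 1
    }
    # A signal while the task runs must not skip the re-lock.
    trap 'relock; exit 130' INT
    trap 'relock; exit 143' TERM HUP

    "$SSPR_CMD" configUnlock || exit $?      # never unlocked: nothing to undo

    rc=0
    "$@" || rc=$?                            # keep going even if the task fails

    trap - INT TERM HUP
    relock || exit 2
    exit "$rc"
)

# Typical use: hold the configuration unlocked only while an operator repairs
# the LDAP connection in the Configuration Manager, then re-lock automatically:
#   sspr_with_unlocked_config sh -c 'printf "Fix the LDAP connection, then press Enter: "; read _'
```

The task is deliberately passed as a command rather than run by hand after a separate configUnlock, because a separate unlock leaves the re-lock to the operator's memory; with the wrapper, the only way to end up unlocked is a configLock failure, and that case exits with status 2 and a message on stderr.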