2.2 Securing Self Service Password Reset

You can deploy Self Service Password Reset along with applications that are available on the internet in the public domain. As an administrator, you must protect Self Service Password Reset so that unauthorized users cannot gain access to it and access users’ credentials or make any configuration changes. You must check and control the installation, maintenance, and monitoring processes of Self Service Password Reset to ensure that you are following security best practices.

Depending on how you configure Self Service Password Reset, there are four different certificates you must create, manage, and maintain. Use the following information to help understand or create the certificates required to secure Self Service Password Reset.

2.2.1 Appliance Certificate

If you choose to deploy the Self Service Password Reset appliance, you perform all administration and configuration tasks for the appliance over port 9443. The appliance certificate provides SSL encryption over port 9443 so that you can perform the configuration and administration tasks securely.

The configuration process of the appliance generates a certificate using the specified DNS name of the appliance. When you access the administration console for the appliance the first time, you receive an error in the browser stating that this site is not trusted. You are given the option to trust the site or add an exception for the site. The exact message depends on your browser.

The appliance administration console allows you to generate a new certificate key pair or import an officially signed certificate. For more information, see Managing Digital Certificates in the Self Service Password Reset 4.2 Administration Guide.

2.2.2 HTTPS Certificate (Apache Tomcat and Browsers)

The HTTPS certificate creates the secure SSL channel between the Self Service Password Reset application, which runs on Apache Tomcat, and the users’ browsers. By installing the certificate in the users’ browsers, the users do not see any warning messages that the site they are accessing is an untrusted site. It also removes any warning icons in the toolbars of the browsers.

By default, the Self Service Password Reset appliance and Windows deployment contain a certificate that the installation generates. The WAR file deployment does not, and you must ensure that the Apache Tomcat web server on the Linux server is configured to use a certificate and communicate over SSL.

Self Service Password Reset uses the following ports for secure SSL traffic. The ports are different depending on the deployment of Self Service Password Reset you use.

  • Appliance: port 443

  • Windows: port 8443

  • Linux: port 8443. This is the default secure port for Apache Tomcat. Depending on how you configured the Linux server, this port might be different.
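As an added check that is not part of the product documentation, the following Python script inspects a Tomcat server.xml for the Linux WAR deployment and reports whether the secure port carries an SSL-enabled HTTPS connector with a certificate keystore and no legacy protocol; the server.xml fragments, keystore path, and password are constructed samples, and the port defaults to 8443 as noted above.

```python
"""Check a Tomcat server.xml for a usable HTTPS connector (default port 8443)."""
import xml.etree.ElementTree as ET

SECURE_PORT = 8443          # Tomcat default; change if your Linux server differs
LEGACY = ("SSLV2", "SSLV3", "TLSV1", "TLSV1.1")


def audit_connectors(server_xml: str, secure_port: int = SECURE_PORT) -> list:
    """Return findings for the connector(s) on secure_port; an empty list means an
    SSL-enabled HTTPS connector with a keystore exists and offers no legacy protocol."""
    root = ET.fromstring(server_xml)
    secure = [c for c in root.iter("Connector")
              if int(c.get("port", "0")) == secure_port]
    if not secure:
        return [f"no connector on port {secure_port}: add an HTTPS connector"]
    findings = []
    for conn in secure:
        if (conn.get("SSLEnabled", "false").lower() != "true"
                or conn.get("scheme") != "https"):
            findings.append(f"port {secure_port}: connector is not SSLEnabled/https")
            continue
        # Tomcat 8.5+ nests the keystore under SSLHostConfig/Certificate;
        # older versions put keystoreFile directly on the Connector.
        cert = conn.find("SSLHostConfig/Certificate")
        keystore = (cert.get("certificateKeystoreFile") if cert is not None
                    else conn.get("keystoreFile"))
        if not keystore:
            findings.append(f"port {secure_port}: no certificate keystore configured")
        # SSLv2/SSLv3/TLSv1.0/1.1 must not be offered to the users' browsers.
        offered = conn.get("sslEnabledProtocols", "").upper().replace(" ", "")
        for proto in offered.split(","):
            if proto in LEGACY:
                findings.append(f"port {secure_port}: legacy protocol {proto} is enabled")
    return findings


# Constructed samples (not from the product): a stock Tomcat that only listens
# in clear text on 8080, and one with an HTTPS connector for the SSPR WAR file.
PLAIN_ONLY = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
</Service></Server>"""

WITH_TLS = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/opt/sspr/sspr.jks" keystorePass="REPLACE_ME"
             sslEnabledProtocols="TLSv1.2"/>
</Service></Server>"""
```

Run `audit_connectors(open("conf/server.xml").read())` against the real file; an empty list is the configuration the WAR deployment needs before users are pointed at port 8443.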

To stop the untrusted site warning messages, you must create a vendor-signed SSL Certificate and then import that certificate into your users’ browsers.

For detailed instructions on how to create a vendor-signed certificate and import it into your users’ browsers, see the following videos:

2.2.3 LDAP Server Certificate

The LDAP certificate is a certificate used to secure communication between Self Service Password Reset and the LDAP directories that contain your users and store the challenge-response information. Self Service Password Reset must trust the LDAP directory’s server certificate to create a secure channel between the two products.

Self Service Password Reset manages the LDAP server certificates for you. If you use the Configuration Guide to walk you through configuring Self Service Password Reset, it automatically imports the LDAP server certificate for you. If you manually configure Self Service Password Reset, the Configuration Editor imports the LDAP server certificate for you when you create an LDAP profile. For more information, see Configuring LDAP Directory Profile in the Self Service Password Reset 4.2 Administration Guide.

2.2.4 Audit Server Certificates

To meet compliance standards, many companies require auditing for password changes, whether the changes came from the users or the help desk. Self Service Password Reset provides an auditing solution that tracks specific events that occur in the system. It also allows you to forward events to a Syslog server for further analysis of the information.

Self Service Password Reset manages the audit server certificates for you. If you use the Configuration Guide to walk you through configuring Self Service Password Reset, it automatically imports the audit server certificate for you. If you manually configure Self Service Password Reset, the Configuration Editor imports the audit server certificate for you when you configure an audit server. For more information, see Auditing for Self Service Password Reset in the Self Service Password Reset 4.2 Administration Guide.