3.4 Installing Self Service Password Reset

Before you install Self Service Password Reset, you must decide where you want to install it. Do you want to install it on-premises or in the Cloud? If you choose to install Self Service Password Reset in the Cloud, you must meet some prerequisites and have a good understanding of the Cloud environment.

Next, ensure that you have read and understood the different deployment scenarios and have decided where you want to store the users’ information. For example, if you want to store the users’ information in an external database, you must have the database installed and running. For more information, see Selecting an Appropriate Deployment.

Lastly, you must select a platform-specific installer for your environment. Use the following information to install the platform-specific version that is appropriate for your environment.

3.4.1 Deploying Self Service Password Reset in the Cloud

You can deploy Self Service Password Reset in Amazon Web Services (AWS) or Microsoft Azure Marketplace. The following documentation applies only when you deploy Self Service Password Reset in one of these Cloud environments.

Deploying Self Service Password Reset in Amazon Web Services

Self Service Password Reset supports deploying the WAR file in Amazon Web Services (AWS) on a SUSE Linux Enterprise 12 SP3 Server that connects to Active Directory Domain Services, which contains the user accounts you want to manage. Currently, this is the only scenario that has been tested and is supported for Self Service Password Reset. Use the following information to deploy Self Service Password Reset on AWS.

Prerequisites for Deploying Self Service Password Reset on AWS

You must meet the following prerequisite to deploy Self Service Password Reset on AWS:

Supported Deployment Scenario for Self Service Password Reset on AWS

You can configure the Self Service Password Reset Amazon Web Services (AWS) environment in several ways. The following example is one that NetIQ has tested and supports.

Figure 3-1 Overview of the AWS Deployment

Specifically, you deploy an AWS Elastic Compute Cloud (EC2) SLES12 instance and a Windows 2016 EC2 instance in an AWS Virtual Private Cloud (VPC) connected with a common subnet. The SLES12 instance hosts Self Service Password Reset with an elastic IP assigned. The Windows 2016 instance hosts Active Directory that stores all of the user accounts that you want to manage.

Deploying the EC2 instance of SUSE Linux Enterprise Server and the Windows 2016 server running Active Directory into an EC2 instance is beyond the scope of this documentation. For more information, see:

In this scenario, this is the first deployment of Self Service Password Reset into AWS. This means you must create a new security group for Self Service Password Reset. A security group is a virtual firewall that controls the traffic for one or more instances. AWS associates each security group with a list of firewall rules to secure associated EC2 instances. You must create a security group that contains the firewall rules for Self Service Password Reset.

Accessing the AWS EC2 SLES12 SP3 Instance Using SSH on Linux

You must access the RSA key pair file you downloaded when creating the SLES 12 SP3 instance. The key pair file name is similar to SSPR_keypair.pem.txt. Protect this file using a Linux command such as:

chmod 500 SSPR_keypair.pem.txt

To access the new instance using SSH, issue a Linux command such as:

ssh -i "SSPR_keypair.pem.txt" ec2-user@ec2-34-216-102-176.us-west-2.compute.amazonaws.com
or
ssh -i "SSPR_keypair.pem.txt" ec2-user@34.216.102.176

The -i "SSPR_keypair.pem.txt" parameter instructs SSH to apply the downloaded identity file from which the identity (private key) for public key authentication is read. The ec2-user@ parameter indicates the default user name used by SSH to connect to the instance.

Deploying the WAR File on the AWS EC2 SLES 12 SP3 Instance

After you have created the AWS EC2 SLES 12 SP3 instance, you must deploy the Self Service Password Reset WAR file. Deploying the WAR file on a SLES 12 SP3 server on AWS is the same as if you installed SLES 12 SP3 on a physical server.

Because Self Service Password Reset is a web application, you must install Apache Tomcat and Java on the SLES 12 SP3 instance before deploying the WAR file.

  1. Download the Self Service Password Reset WAR file. For more information, see Obtaining Self Service Password Reset.

  2. Complete the prerequisites before deploying the WAR file: install Apache Tomcat and Java, and set the correct environment variables. For more information, see Prerequisites for Deploying the WAR File.

  3. Deploy the WAR file into the Apache Tomcat instance running on the AWS EC2 SLES 12 SP3 instance. For more information, see Deploying the WAR File on Linux.

After you have deployed the WAR file you must configure this instance of Self Service Password Reset to connect to the AWS EC2 Windows 2016 server instance running Active Directory. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.

Deploying Self Service Password Reset on Azure

Self Service Password Reset supports deploying the .msi file on Azure on a Windows 2016 Server that connects to Active Directory Domain Services, which contains the user accounts you want to manage. Currently, this is the only scenario that has been tested and is supported for Self Service Password Reset. Use the following information to deploy Self Service Password Reset on Azure.

Prerequisites

You must meet the following prerequisites to deploy Self Service Password Reset on Azure:

Supported Deployment Scenario of Self Service Password Reset on Azure

There are many different ways you can configure Self Service Password Reset on Azure. The following is a tested and supported example.

The tested and supported scenario consists of two Azure Windows 2016 Server VM instances deployed in an Azure Virtual Network (VNet) connected with a common subnet. You dedicate one Windows 2016 Server VM instance to hosting Active Directory Domain Services (AD DS). You dedicate the other Windows 2016 Server VM instance to hosting Self Service Password Reset where you assign a Public IP address.

The installation of Active Directory Domain Services (AD DS) into a second Windows 2016 Server instance is beyond the scope of this section. For more information, see Creating an Active Directory Domain Services (AD DS) on Azure.

Installing the .msi File on the Windows 2016 Server Deployed in Azure

After you have deployed the Windows 2016 Server, you must run the .msi file to install Self Service Password Reset.

  1. Download a copy of the Self Service Password Reset .msi file from the download site. For more information, see Obtaining Self Service Password Reset.

  2. Copy the .msi file to the Windows 2016 VM using Remote Desktop. For more information, see Remote Desktop Service.

  3. Access the .msi file on the Windows 2016 VM, then launch the Self Service Password Reset installer.

  4. Follow the prompts to complete the installation. For more information, see Deploying Self Service Password Reset on Windows.

After the installation completes, you must configure Self Service Password Reset to communicate with the second Windows 2016 VM server that has Active Directory Domain Services installed and where your user accounts reside.

After installing Self Service Password Reset, you must configure it using a compatible web browser. Since the Windows 2016 Server VM has a public address, this configuration can occur from any internet-connected machine by browsing to the Self Service Password Reset port. For this example it is:

https://netiq-sspr.westus.cloudapp.azure.com:8443/sspr

The steps for configuring Self Service Password Reset are the same whether it is deployed on-premise or in the Cloud. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.

3.4.2 Deploying the Self Service Password Reset Appliance

You can deploy a virtual appliance that contains Self Service Password Reset as one of the installation options. The currently supported platforms for the appliance are VMware and Hyper-V. We recommend that you have a good understanding of the virtual platform before deploying the appliance. Currently, the appliance is not supported in Amazon Web Services or Azure environments.

Before you deploy the appliance, ensure that you meet all of the appliance requirements and that you have downloaded and extracted the appropriate version of the appliance. For more information, see Deployment Requirements for the Appliance.

To deploy the Self Service Password Reset appliance:

  1. Deploy the appliance to your virtual environment. For more information, see:

  2. Power on the appliance.

  3. Select the appropriate language, then read the license and click Accept.

  4. Use the following information to configure the appliance:

    root Password

    Specify a password for the root user on the appliance.

    NTP Server

    Specify a primary and secondary NTP server used to keep time on the appliance.

    Region and Time Zone

    Select your region and time zone.

    Hostname and Networking options

    Specify a hostname for the appliance, then select whether to use a static IP address or DHCP. If you use a static IP address, you must specify the IP address, subnet mask, the gateway, and the DNS servers.

  5. Click Finish and wait for the appliance initialization to complete.

After you complete the deployment of the appliance, you must configure your environment to work with Self Service Password Reset. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.

NOTE: The appliance is the only platform that requires a license for online updates. You must obtain the license from the Customer Care Center. After you have the license, you install the license through the appliance administration console. For more information, see Performing an Online Update in the Self Service Password Reset 4.4 Administration Guide.

3.4.3 Deploying Self Service Password Reset on Windows

Installing Self Service Password Reset on a Windows server is another configuration option. There is a .msi executable file that installs Self Service Password Reset on a Windows server. Use the following information to install Self Service Password Reset on Windows.

Ensure that you have met all of the installation requirements for installing Self Service Password Reset on Windows and that you have downloaded and extracted the .msi file before beginning the installation. For more information, see Deployment Requirements for Self Service Password Reset on Windows.

To install Self Service Password Reset on Windows:

  1. Launch the sspr.x.x.msi file.

  2. Read the notice for Self Service Password Reset, then click Next.

  3. Read and accept the end user license, then click Next.

  4. Specify the path for the installation of Self Service Password Reset, then click Next.

  5. In Configure SSPR-Service URLs, specify the following:

    Shutdown Port

    Specify the port number for the Apache Tomcat shutdown port.

    HTTPS Secure Port

    Specify the secure port for the Self Service Password Reset service.

    Open Secure HTTPS Port

    Select the firewall setting for Self Service Password Reset to use on the Windows server. The installer selects the open HTTPS Windows firewall port by default. The options for the firewall are:

    All

    This enables users to use Self Service Password Reset on domain, private, or public networks.

    Domain

    This enables users to use Self Service Password Reset on a domain network only.

    Private

    This enables users to use Self Service Password Reset on a private network.

    Public

    This enables users to use Self Service Password Reset on a public network.

  6. Click Next, then click Install.

  7. Click Install.

  8. Record the HTTPS Secure URL, then click Finish.

After completing the installation, you must configure your environment to work with Self Service Password Reset. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.

3.4.4 Deploying the WAR File on Linux

Self Service Password Reset is a web application. When you install Self Service Password Reset, you are deploying a WAR (Web application ARchive) file as a Java servlet application running on the Apache Tomcat web server. The WAR file contains an Apache Tomcat implementation of the Self Service Password Reset application. The following procedures work for the supported distributions of Linux.

Prerequisites for Deploying the WAR File

You must have Java and Apache Tomcat installed and running on Linux before you deploy the WAR file. If you already have Java and Tomcat installed, proceed to Setting Operating System Environment Variables. Follow these steps to install and validate the installation of Java and Tomcat.

To install Java and Tomcat:

  1. Install Java 8. For more information, see JDK 8 and JRE 8 Installation.

    Verify that the JAVA_HOME (or JRE_HOME) path is set appropriately by entering:

    echo $JAVA_HOME

    or

    echo $JRE_HOME

  2. Install Tomcat 8. For more information, see Tomcat Setup.

  3. Start Tomcat by executing the catalina.sh script in the Tomcat_Home/bin directory.

    ./catalina.sh start

  4. Validate that you can access http://localhost:port. The default port is 8080.

    Check the Tomcat_Home/logs/catalina.out file for any errors if you are unable to access the default Tomcat page.

Setting Operating System Environment Variables

Self Service Password Reset, as a Java servlet application running on Apache Tomcat, requires several operating system environment variables to be set. There are various methods for setting environment variables depending on the operating system. The recommended place to specify these variables is a setenv script. For more information, see Section 3.4 in the Apache Tomcat documentation.

The following are the Self Service Password Reset specific environment variables:

  • SSPR_APPLICATIONPATH (Required): Specifies where Self Service Password Reset stores its configuration data file (SSPRConfiguration.xml). This file contains all of the Self Service Password Reset configuration data. The specified path must exist prior to starting Self Service Password Reset.

    For example: export SSPR_APPLICATIONPATH="/etc/opt/microfocus/sspr"

  • CATALINA_OPTS: Allows specification of additional options for the Java command that starts Apache Tomcat. The recommended Java options for the Self Service Password Reset Java servlet application running on Apache Tomcat include:

    • -Xms

      Specifies the initial heap memory allocation pool.

    • -Xmx

      Specifies the maximum heap memory allocation pool for a Java Virtual Machine (JVM).

    Setting the initial and maximum heap memory size to the same size is a best practice because the JVM then does not have to increase heap memory size at runtime. The recommended SSPR heap memory size is 1 GB (1024 MB). For more information about how to set Java heap size, see the Apache Tomcat documentation.

    For example: export CATALINA_OPTS="-Xms1024M -Xmx1024M"

The following is an example of a setenv script located at Tomcat_Home/bin/setenv.sh:

export SSPR_APPLICATIONPATH="/etc/opt/microfocus/sspr"
export CATALINA_OPTS="-Xms1024M -Xmx1024M"
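
The following pre-flight check is an added example, not part of the product or its documentation. It tests the two requirements stated above (the application path must exist before startup, and -Xms should equal -Xmx); the function names and the directory-permission check are assumptions introduced here.

```shell
#!/bin/sh
# Added example: pre-flight check for the values exported in setenv.sh.
# Function names are illustrative; stat -c assumes GNU coreutils (as on SLES).

# Print the value attached to a JVM flag such as -Xms in an option string.
jvm_opt() {   # $1 = flag, $2 = option string
    for o in $2; do
        case "$o" in
            "$1"*) v=${o#"$1"}; printf '%s\n' "$v"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 only if the application path and heap options pass every check.
sspr_preflight() {   # $1 = SSPR_APPLICATIONPATH, $2 = CATALINA_OPTS
    rc=0
    if [ -z "$1" ] || [ ! -d "$1" ]; then
        echo "SSPR_APPLICATIONPATH must name an existing directory" >&2
        return 1
    fi
    # Assumption added here: SSPRConfiguration.xml holds all configuration
    # data, so the directory should grant nothing to "other" users.
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *0) ;;
        *) echo "$1 has mode $mode; remove access for other users" >&2; rc=1 ;;
    esac
    xms=$(jvm_opt -Xms "$2") || xms=
    xmx=$(jvm_opt -Xmx "$2") || xmx=
    if [ -z "$xms" ] || [ "$xms" != "$xmx" ]; then
        echo "-Xms and -Xmx must both be set to the same size" >&2
        rc=1
    fi
    return "$rc"
}

# Check the current environment when the variable is already exported.
if [ -n "${SSPR_APPLICATIONPATH:-}" ]; then
    sspr_preflight "$SSPR_APPLICATIONPATH" "${CATALINA_OPTS:-}" || exit 1
fi
```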

Deploying the Self Service Password Reset WAR File

After you have installed Java and Apache Tomcat and they are running with the appropriate OS environment variables set, you must deploy the Self Service Password Reset WAR file. Ensure that you have downloaded and extracted the file. For more information, see Obtaining Self Service Password Reset.

To deploy the WAR file on Linux:

  1. Copy the sspr.war file to the Tomcat_Home/webapps/ directory.

    When Apache Tomcat discovers the sspr.war file in the Tomcat_Home/webapps/ directory, Apache Tomcat auto-deploys Self Service Password Reset in an automatically created directory, Tomcat_Home/webapps/sspr/.

  2. Stop Apache Tomcat by running the catalina.sh script in the Tomcat_Home/bin directory.

    ./catalina.sh stop

  3. Start Apache Tomcat by running the catalina.sh script in the Tomcat_Home/bin directory.

    ./catalina.sh start
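
The three steps above as one script, with an integrity check added before the copy. This is an added example, not part of the product or its documentation; it assumes you hold a SHA-256 value for the download from a source you trust, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify the downloaded WAR, then copy, stop and start Tomcat
# in the order given in the procedure. The expected checksum is supplied by
# the operator; no real checksum value is assumed here.

# Return 0 only if the file's SHA-256 digest equals the expected hex string.
war_digest_ok() {   # $1 = path to sspr.war, $2 = expected SHA-256 (hex)
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$want" ]
}

# Copy the verified WAR into webapps/, then restart Tomcat.
deploy_war() {   # $1 = sspr.war, $2 = expected SHA-256, $3 = Tomcat_Home
    if ! war_digest_ok "$1" "$2"; then
        echo "checksum mismatch for $1: not deploying" >&2
        return 1
    fi
    cp "$1" "$3/webapps/sspr.war" || return 1
    "$3/bin/catalina.sh" stop || true    # Tomcat may already be stopped
    "$3/bin/catalina.sh" start
}

# Runs only when invoked as: deploy.sh sspr.war <sha256> <Tomcat_Home>
if [ "$#" -eq 3 ]; then
    deploy_war "$1" "$2" "$3"
fi
```

A mismatch stops the script before anything reaches Tomcat_Home/webapps/, so Tomcat never auto-deploys an unverified archive.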

After deploying the WAR file, you must configure your environment to work with Self Service Password Reset. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.