Before you install Self Service Password Reset, you must decide where to install it: on-premise or in the Cloud. If you choose to install Self Service Password Reset in the Cloud, you must meet some prerequisites and have a good understanding of the Cloud environment.
Next, ensure that you have read and understood the different deployment scenarios and have decided where you want to store the users’ information. For example, if you want to store the users’ information in an external database, you must have the database installed and running. For more information, see Selecting an Appropriate Deployment.
Lastly, you must select a platform-specific installer for your environment. Use the following information to install the platform-specific version that is appropriate for your environment.
You can deploy Self Service Password Reset in Amazon Web Services (AWS) or Microsoft Azure Marketplace. The following documentation applies only when you deploy Self Service Password Reset in one of these Cloud environments. Use the following information to deploy Self Service Password Reset in the Cloud.
Self Service Password Reset supports deploying the WAR file in Amazon Web Services (AWS) on a SUSE Linux Enterprise 12 SP3 Server that connects to Active Directory Domain Services, which contains the user accounts you want to manage. Currently, this is the only scenario that has been tested and is supported for Self Service Password Reset. Use the following information to deploy Self Service Password Reset on AWS.
You must meet the following prerequisites to deploy Self Service Password Reset on AWS:
You must have an AWS account. For more information, see Getting Started with Amazon Elastic Container Service.
You must have a basic understanding of Amazon Elastic Compute Cloud (EC2). For more information, see Amazon Elastic Compute Cloud Documentation.
You must have a basic understanding of the networking on AWS. For example, you must understand:
Virtual Private Cloud (VPC)
Subnets
Network address translation (NAT)
Security group
For more information, see Networking Products with AWS.
You must have a basic understanding of deploying Microsoft Windows 2016 server on AWS. For more information, see Getting Started with a Service.
You must have a basic understanding of Microsoft Active Directory running on AWS. For more information, see Microsoft Active Directory.
You can configure the Self Service Password Reset Amazon Web Services (AWS) environment in several ways. NetIQ has tested and supports the following example.
Figure 3-1 Overview of the AWS Deployment
Specifically, you deploy an AWS Elastic Compute Cloud (EC2) SLES12 instance and a Windows 2016 EC2 instance in an AWS Virtual Private Cloud (VPC) connected with a common subnet. The SLES12 instance hosts Self Service Password Reset with an elastic IP assigned. The Windows 2016 instance hosts Active Directory that stores all of the user accounts that you want to manage.
Deploying the EC2 instance of SUSE Linux Enterprise Server and the Windows 2016 server running Active Directory into an EC2 instance is beyond the scope of this documentation. For more information, see:
SUSE Linux Enterprise Server: SUSE Linux Enterprise Server on Amazon EC2 in the AWS documentation.
Microsoft Windows 2016 Server: Running a Recipe on a Windows Instance and Microsoft Active Directory in the AWS documentation.
In this scenario, this is the first deployment of Self Service Password Reset into AWS. This means you must create a new security group for Self Service Password Reset. A security group is a virtual firewall that controls the traffic for one or more instances. AWS associates each security group with a list of firewall rules to secure associated EC2 instances. You must create a security group that contains the firewall rules for Self Service Password Reset.
You must access the RSA key pair file you downloaded when creating the SLES 12 SP3 instance. The key pair file name is similar to SSPR_keypair.pem.txt. Protect this file using a Linux command such as:
chmod 500 SSPR_keypair.pem.txt
To access the new instance using SSH, issue a Linux command such as:
ssh -i "SSPR_keypair.pem.txt" ec2-user@ec2-34-216-102-176.us-west-2.compute.amazonaws.com
or
ssh -i "SSPR_keypair.pem.txt" ec2-user@34.216.102.176
The -i "SSPR_keypair.pem.txt" parameter instructs SSH to apply the downloaded identity file from which the identity (private key) for public key authentication is read. The ec2-user@ parameter indicates the default user name used by SSH to connect to the instance.
After you have created the AWS EC2 SLES 12 SP3 instance, you must deploy the Self Service Password Reset WAR file. Deploying the WAR file on a SLES 12 SP3 server on AWS is the same as if you installed SLES 12 SP3 on a physical server.
Because Self Service Password Reset is a web application, you must install Apache Tomcat and Java on the SLES 12 SP3 instance before deploying the WAR file.
Download the Self Service Password Reset WAR file. For more information, see Obtaining Self Service Password Reset.
You must complete the prerequisites of installing Apache Tomcat, Java, and set the correct environment variables before deploying the WAR file. For more information, see Prerequisites for Deploying the WAR File.
Deploy the WAR file into the Apache Tomcat instance running on the AWS EC2 SLES 12 SP3 instance. For more information, see Deploying the WAR File on Linux.
After you have deployed the WAR file you must configure this instance of Self Service Password Reset to connect to the AWS EC2 Windows 2016 server instance running Active Directory. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.
Self Service Password Reset supports deploying the .msi file on Azure on a Windows 2016 Server that connects to Active Directory Domain Services, which contains the user accounts you want to manage. Currently, this is the only scenario that has been tested and is supported for Self Service Password Reset. Use the following information to deploy Self Service Password Reset on Azure.
You must meet the following prerequisites to deploy Self Service Password Reset on Azure:
You must have a basic understanding of Azure and the following concepts:
Source environments
Virtual networks (VNets)
Storage Accounts
Subnets
Networking security groups (NSG)
For more information, see Microsoft Azure Documentation.
You must have a basic understanding of AD DS on Azure. For more information, see Creating an Active Directory Domain Services (AD DS) on Azure.
You must have an Azure account. For more information, see Microsoft Azure Account.
You must deploy the Windows 2016 server in Azure that will run Self Service Password Reset. For more information, see Windows Virtual Server Documentation.
There are many different ways you can configure the Self Service Password Reset on Azure. The following is a tested and supported example.
The tested and supported scenario consists of two Azure Windows 2016 Server VM instances deployed in an Azure Virtual Network (VNet) connected with a common subnet. You dedicate one Windows 2016 Server VM instance to hosting Active Directory Domain Services (AD DS). You dedicate the other Windows 2016 Server VM instance to hosting Self Service Password Reset where you assign a Public IP address.
The installation of Active Directory Domain Services (AD DS) into a second Windows 2016 Server instance is beyond the scope of this section. For more information, see Creating an Active Directory Domain Services (AD DS) on Azure.
After you have deployed the Windows 2016 Server, you must run the .msi file to install Self Service Password Reset.
Download a copy of the Self Service Password Reset .msi file from the download site. For more information, see Obtaining Self Service Password Reset.
Copy the .msi file to the Windows 2016 VM using Remote Desktop. For more information, see Remote Desktop Service.
Access the .msi file on the Windows 2016 VM, then launch the Self Service Password Reset installer.
Follow the prompts to complete the installation. For more information, see Deploying Self Service Password Reset on Windows.
After the installation completes, you must configure Self Service Password Reset to communicate with the second Windows 2016 VM server that has Active Directory Domain Services installed and where your user accounts reside.
After installing Self Service Password Reset, you must configure it using a compatible web browser. Since the Windows 2016 Server VM has a public address, this configuration can occur from any internet-connected machine by browsing to the Self Service Password Reset port. For this example it is:
https://netiq-sspr.westus.cloudapp.azure.com:8443/sspr
The steps for configuring Self Service Password Reset are the same whether it is deployed on-premise or in the Cloud. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.
You can deploy a virtual appliance that contains Self Service Password Reset as one of the installation options. The currently supported platforms for the appliance are VMware and Hyper-V. We recommend that you have a good understanding of the virtual platform before deploying the appliance. Currently, the appliance is not supported in Amazon Web Services or Azure environments.
Before you deploy the appliance, ensure that you meet all of the appliance requirements and that you have downloaded and extracted the appropriate version of the appliance. For more information, see Deployment Requirements for the Appliance.
To deploy the Self Service Password Reset appliance:
Deploy the appliance to your virtual environment. For more information, see:
Hyper-V: Importing a Virtual Machine.
VMware: Deploy an OVF Template.
Power on the appliance.
Select the appropriate language, then read the license and click Accept.
Use the following information to configure the appliance:
Specify a password for the root user on the appliance.
Specify a primary and secondary NTP server used to keep time on the appliance.
Select your region and time zone.
Specify a hostname for the appliance, then select whether to use a static IP address or DHCP. If you use a static IP address, you must specify the IP address, subnet mask, the gateway, and the DNS servers.
Click Finish and wait for the appliance initialization to complete.
After you complete the deployment of the appliance, you must configure your environment to work with Self Service Password Reset. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.
NOTE: The appliance is the only platform that requires a license for online updates. You must obtain the license from the Customer Care Center. After you have the license, you install the license through the appliance administration console. For more information, see Performing an Online Update in the Self Service Password Reset 4.5 Administration Guide.
Installing Self Service Password Reset on a Windows server is another configuration option. There is a .msi executable file that installs Self Service Password Reset on a Windows server. Use the following information to install Self Service Password Reset on Windows.
Ensure that you have met all of the installation requirements for installing Self Service Password Reset on Windows and that you have downloaded and extracted the .msi file before beginning the installation. For more information, see Deployment Requirements for Self Service Password Reset on Windows.
To install Self Service Password Reset on Windows:
Launch the sspr.x.x.msi file.
Read the notice for Self Service Password Reset, then click Next.
Read and accept the end user license, then click Next.
Specify the path for the installation of Self Service Password Reset, then click Next.
In Configure SSPR-Service URLs, specify the following:
Specify the port number for Apache Tomcat shutdown port.
Specify the secure port for Self Service Password Reset service.
Select the firewall setting for Self Service Password Reset to use on the Windows server. The installer selects the open HTTPS Windows firewall port by default. The options for the firewall are:
This enables users to use Self Service Password Reset on a domain, private or public networks.
This enables users to use Self Service Password Reset on a domain network only.
This enables users to use Self Service Password Reset on a private network.
This enables users to use Self Service Password Reset on a public network.
Click Next, then click Install.
Click Install.
Record the HTTPS Secure URL, then click Finish.
After completing the installation, you must configure your environment to work with Self Service Password Reset. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.
Self Service Password Reset is a web application. When you install Self Service Password Reset, you are deploying a WAR (Web application ARchive) file as a Java servlet application running on the Apache Tomcat web server. The WAR file contains an Apache Tomcat implementation of the Self Service Password Reset application. The following procedures work for the supported distributions of Linux.
You must have Java and Apache Tomcat installed and running on Linux before you deploy the WAR file. If you already have Java and Tomcat installed, proceed to Setting Operating System Environment Variables. Follow these steps to install and validate the installation of Java and Tomcat.
To install Java and Tomcat:
Install Java 8. For more information, see JDK 8 and JRE 8 Installation.
Verify that the JAVA_HOME (or JRE_HOME) path is set appropriately by entering:
echo $JAVA_HOME
or
echo $JRE_HOME
Install Tomcat 8. For more information, see Tomcat Setup.
Start Tomcat by executing the catalina.sh script in the Tomcat_Home/bin directory.
./catalina.sh start
Validate that you can access http://localhost:port. The default port is 8080.
Check the Tomcat_Home/logs/catalina.out file for any errors if you are unable to access the default Tomcat page.
Self Service Password Reset, as a Java servlet application running on Apache Tomcat, requires several operating system environmental variables to be set. There are various methods for setting environmental variables depending on the operating system. The recommended place to specify these variables is a setenv script. For more information, see Section 3.4 in the Apache Tomcat documentation.
The following are the Self Service Password Reset specific environment variables:
SSPR_APPLICATIONPATH (Required): Specifies where Self Service Password Reset stores its configuration data file (SSPRConfiguration.xml). This file contains all of the Self Service Password Reset configuration data. The specified path must exist prior to starting Self Service Password Reset.
For example: export SSPR_APPLICATIONPATH="/etc/opt/microfocus/sspr"
CATALINA_OPTS: Allows specification of additional options for the Java command that starts Apache Tomcat. The recommended Java options for the Self Service Password Reset Java servlet application running on Apache Tomcat include:
-Xms
Specifies the initial heap memory allocation pool.
-Xmx
Specifies the maximum heap memory allocation pool for a Java Virtual Machine (JVM).
Setting the initial and maximum heap memory size to the same size is a best practice because the JVM then does not resize the heap at runtime. The recommended SSPR heap memory size is 1 GB (1024 MB). For more information about how to set Java heap size, see the Apache Tomcat documentation.
For example: export CATALINA_OPTS="-Xms1024M -Xmx1024M"
The following is an example of a setenv script located at Tomcat_Home/bin/setenv.sh:
export SSPR_APPLICATIONPATH="/etc/opt/microfocus/sspr"
export CATALINA_OPTS="-Xms1024M -Xmx1024M"
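A pre-start check for the setenv settings described above, added here as an example (it is not NetIQ's tooling): it confirms that SSPR_APPLICATIONPATH exists and that -Xms equals -Xmx in the script Tomcat will source. The function names and the world-writable test on the directory that holds SSPRConfiguration.xml are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Source this file, then run:
#   sspr_preflight Tomcat_Home/bin/setenv.sh

# Print the value that follows a JVM flag prefix (e.g. -Xms) in an option string.
jvm_opt() {  # usage: jvm_opt PREFIX "OPTION STRING"
    for opt in $2; do
        case "$opt" in
            "$1"*) printf '%s\n' "${opt#"$1"}"; return 0 ;;
        esac
    done
    return 1
}

# Succeed only when -Xms and -Xmx are both present and equal.
check_heap() {
    xms=$(jvm_opt -Xms "$1") || { echo "FAIL: -Xms not set"; return 1; }
    xmx=$(jvm_opt -Xmx "$1") || { echo "FAIL: -Xmx not set"; return 1; }
    [ "$xms" = "$xmx" ] || { echo "FAIL: -Xms$xms differs from -Xmx$xmx"; return 1; }
    echo "OK: heap fixed at $xms"
}

# Succeed only when the application path exists as a directory. The
# world-writable test is an added hardening assumption, not a documented
# SSPR requirement: the directory holds SSPRConfiguration.xml.
check_app_path() {
    [ -n "$1" ] || { echo "FAIL: SSPR_APPLICATIONPATH is empty"; return 1; }
    [ -d "$1" ] || { echo "FAIL: $1 does not exist"; return 1; }
    # Character 9 of the ls mode string is the "other users may write" bit.
    case "$(ls -ld -- "$1" | cut -c9)" in
        w) echo "FAIL: $1 is world-writable"; return 1 ;;
    esac
    echo "OK: $1 exists and is not world-writable"
}

# Source the setenv script in a subshell and check what it exports.
sspr_preflight() {
    (
        unset SSPR_APPLICATIONPATH CATALINA_OPTS
        . "$1" || exit 1
        rc=0
        check_app_path "$SSPR_APPLICATIONPATH" || rc=1
        check_heap "$CATALINA_OPTS" || rc=1
        exit "$rc"
    )
}
```

Pass the setenv script by path (with a slash in it) so the shell does not search PATH for it; a non-zero return means at least one check printed FAIL.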
After you have installed Java and Apache Tomcat and they are running with the appropriate OS environmental variables set, you must deploy the Self Service Password Reset WAR file. Ensure that you have downloaded and extracted the file. For more information, see Obtaining Self Service Password Reset.
To deploy the WAR file on Linux:
Copy the sspr.war file to the Tomcat_Home/webapps/ directory.
When Apache Tomcat discovers the sspr.war file in the Tomcat_Home/webapps/ directory, Apache Tomcat auto-deploys Self Service Password Reset in an automatically created directory: Tomcat_Home/webapps/sspr/.
Stop Apache Tomcat by running the catalina.sh script in the Tomcat_Home/bin directory.
./catalina.sh stop
Start Apache Tomcat by running the catalina.sh script in the Tomcat_Home/bin directory.
./catalina.sh start
After deploying the WAR file, you must configure your environment to work with Self Service Password Reset. For more information, see Section 4.0, Configuring Your Environment for Self Service Password Reset.