2.3 Installing SSPR

Before installing SSPR, determine which directory service you want to use for storing user details and responses to security questions. SSPR includes the following configuration templates for supported directories:

  • NetIQ eDirectory

  • Active Directory

  • Oracle Directory Server

NOTE: You can use the Unspecified template if you are using an unsupported directory.

For more information about specific configuration steps, see Section 2.4, Setting Up Your Environment.

SSPR installation consists of the following steps:

  1. (Conditional) If you are installing SSPR by using the ZIP file, install Tomcat.

    See Section 2.3.1, Installing Tomcat.

  2. Set up a secure channel between the application server and the LDAP server.

    See Section 2.3.2, Setting Up a Secure Channel Between the Application Server and the LDAP Server.

  3. Install SSPR.

    See Section 2.3.3, Installing SSPR.

  4. (Optional) Set up a secure channel between the client and SSPR.

    See Section 2.3.4, Setting Up a Secure Channel Between the Client and SSPR (Optional).

2.3.1 Installing Tomcat

For information about how to install Tomcat, see the Tomcat documentation.

You can verify the installation by accessing Tomcat at http://server:port/.

NOTE: Use -Xms1024m -Xmx1024m to control the Java heap size. 1024m is only an example; the exact value depends on your system memory, and the recommended value is 1 GB. Setting the minimum and maximum heap size to the same value is a best practice because the JVM then does not need to resize the heap at runtime. For more information about how to set the Java heap size, see the Tomcat documentation.

2.3.2 Setting Up a Secure Channel Between the Application Server and the LDAP Server

SSPR must trust the LDAP server’s certificate. To establish a secure channel between an application server and an LDAP server, perform the following steps:

  1. Identify the certificate you want to use. You can use any one of the following certificates:

    • A certificate issued by a recognized commercial certificate authority. The certificate of this authority should already be present in the certificate database. If the server name in the LDAP URL is identical to the common name of the certificate, the certification process is complete.

    • A certificate issued by a private certificate authority, such as Novell iManager or Microsoft Active Directory. In this case, the certificates of that certificate authority must be imported into the Java certificate database.

    • A self-signed certificate. In this case, import the self-signed certificate into the Java certificate database.

    To export the eDirectory certificates by using iManager, see Exporting the SSL Certificate Using iManager.

    To export the Active Directory certificates, see Exporting the LDAPS Certificate and Importing for use with AD DS.

  2. Import the certificates into the Java keystore in one of the following ways:

    1. Using SSPR: In Configuration Manager, click Actions > Import LDAP Server Certificates.

      You can also import certificates while configuring the LDAP directory in the Configuration Guide.

    2. Manually

      On Windows: Use keytool to import the file.

      cd <JAVA_HOME>\jre\bin
      keytool -importcert -alias <alias> -file <filepath> -keystore ..\lib\security\cacerts -storepass <password>

      If you omit -storepass, keytool prompts for the keystore password. The default password is changeit.

      The certificate database is located in the following location:

      JAVA_HOME\lib\security\cacerts

      JAVA_HOME is the directory where Java is installed.

      On Linux: Use keytool to import the file.

      cd <JAVA_HOME>/jre/bin
      keytool -importcert -alias <alias> -file <filepath> -keystore ../lib/security/cacerts -storepass <password>

      If you omit -storepass, keytool prompts for the keystore password. The default password is changeit.

      The certificate database is located in the following location:

      JAVA_HOME/lib/security/cacerts

      JAVA_HOME is the directory where Java is installed.

  3. Continue with Using SSPR_3.2.zip.
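After the import, it is worth confirming that the certificate actually landed in the store the JVM reads and that the store still verifies under its password, because a keytool run against the wrong cacerts copy fails silently from SSPR's point of view. The following Python script is an added example, not part of the SSPR documentation or product: it parses a JKS-format keystore (the format of the JRE's cacerts file) directly, verifies the trailing integrity digest with the keystore password, and lists each alias with the SHA-256 fingerprint of its certificate, which you can compare with the fingerprint of the file you imported. The JKS layout it reads (magic 0xFEEDFEED, version 2, a sequence of entries, then a SHA-1 over the password as UTF-16BE, the string "Mighty Aphrodite" and the body) is the one Java's JavaKeyStore class implements. build_jks and the placeholder DER byte strings exist only so the reader can be exercised offline; they are constructed values, not real certificates. A PKCS12-format store needs a different reader.

```python
"""Read a Java JKS keystore such as the JRE's cacerts without keytool.

Added example, not SSPR or JDK code. Assumes a JKS (version 2) store; the
integrity scheme below is the one Java's JavaKeyStore uses.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY = 1      # entry tag for a PrivateKeyEntry
TRUSTED_CERT = 2     # entry tag for a trustedCertEntry


def _utf(data, pos):
    """Read a DataOutputStream.writeUTF string: 2-byte big-endian length + bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def verify_integrity(data, password):
    """True if the trailing 20 bytes equal SHA-1(password UTF-16BE + "Mighty Aphrodite" + body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(data[:-20])
    return h.digest() == data[-20:]


def read_jks(data, password=None):
    """Return [{alias, kind, sha256}] for every entry; raise ValueError on a bad password."""
    if password is not None and not verify_integrity(data, password):
        raise ValueError("keystore integrity check failed: wrong password or corrupted store")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS version 2 keystore")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _utf(data, pos)
        pos += 8                                   # creation timestamp (ms), skipped
        if tag == TRUSTED_CERT:
            _ctype, pos = _utf(data, pos)          # "X.509"
            (clen,) = struct.unpack_from(">I", data, pos)
            pos += 4
            der = data[pos:pos + clen]
            pos += clen
            entries.append({"alias": alias, "kind": "trustedCertEntry",
                            "sha256": hashlib.sha256(der).hexdigest()})
        elif tag == PRIVATE_KEY:
            (klen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + klen                        # encrypted key blob, skipped
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            leaf = None
            for i in range(chain_len):             # chain[0] is the entity certificate
                _ctype, pos = _utf(data, pos)
                (clen,) = struct.unpack_from(">I", data, pos)
                pos += 4
                if i == 0:
                    leaf = hashlib.sha256(data[pos:pos + clen]).hexdigest()
                pos += clen
            entries.append({"alias": alias, "kind": "PrivateKeyEntry", "sha256": leaf})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def build_jks(trusted, password):
    """Write a JKS store of trusted-cert entries; only used to exercise read_jks offline.

    trusted: list of (alias, der_bytes). Real cacerts files are produced by keytool.
    """
    body = struct.pack(">III", JKS_MAGIC, 2, len(trusted))
    for alias, der in trusted:
        a = alias.encode("utf-8")
        body += struct.pack(">IH", TRUSTED_CERT, len(a)) + a
        body += struct.pack(">Q", 0)               # timestamp
        body += struct.pack(">H", 5) + b"X.509"
        body += struct.pack(">I", len(der)) + der
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return body + h.digest()


def find_alias(store_path, alias, password="changeit"):
    """Return the entry stored under `alias`, or None. keytool lowercases aliases on import."""
    with open(store_path, "rb") as f:
        data = f.read()
    for e in read_jks(data, password):
        if e["alias"] == alias.lower():
            return e
    return None


if __name__ == "__main__":
    import os
    import sys
    # Default to the location the guide names; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("JAVA_HOME", ""), "lib", "security", "cacerts")
    with open(path, "rb") as f:
        for e in read_jks(f.read(), "changeit"):
            print("%-40s %-18s %s" % (e["alias"], e["kind"], e["sha256"]))
```

Run it as python jks_check.py /path/to/cacerts and compare the fingerprint listed under your alias with the one keytool -printcert -file <filepath> shows for the exported LDAP certificate; a ValueError from the integrity check means the store was opened with a password other than the one keytool used, which is the first thing to rule out when an import seems to have disappeared.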

2.3.3 Installing SSPR

SSPR is available for download in the following two formats:

  • SSPR.EXE (recommended for a new installation)

  • SSPR_3.2.ZIP (recommended for an upgrade)

Using SSPR_3.2_installer.exe

SSPR.EXE is an executable file that installs Tomcat, Java, and the SSPR service. You do not have to install Tomcat manually.

If you are installing SSPR for the first time and do not have Tomcat installed on the machine, running the installer with SSPR Application Service selected installs Tomcat along with SSPR. The SSPR service is selected by default.

If you are using a previous version of SSPR, deselect SSPR Application Service and run the installation wizard. The installer extracts the sspr.war file to the specified installation path (the default path is C:\Program Files (x86)\NetIQ Self Service Password Reset). Copy the sspr.war file into the existing Tomcat/webapps folder.

The installer file, SSPR.EXE launches an installation wizard. Follow the on-screen instructions to install the latest version of SSPR.

If you select the SSPR Service option, you need to provide the following information:

  • Specify the display name of SSPR Service in the Windows Service Display Name for SSPR Service field.

    NOTE: Ensure that the SSPR Service display name does not contain spaces. If you do not provide a display name, the service is displayed as SSPR-Service.

  • Specify the HTTP port number for SSPR Service.

  • Select the Enable Secure HTTP check box if you require a secure port, and then provide the https port number.

Continue with Deploying SSPR.

Uninstalling SSPR: To uninstall SSPR, perform the following:

  1. Shut down the Tomcat service.

  2. Download the XML configuration file for future use. (Optional)

  3. Export the local database (if any challenge-response questions are saved there) by using the SSPR command utility. (Optional)

  4. Run the following command to delete the SSPR service from the bin folder of Tomcat Service:

    ssprservice.bat remove <service>

    where <service> is the name of the service.

  5. Reboot the machine.

  6. Delete the NetIQ Self Service Password Reset folder.

Using SSPR_3.2.zip

SSPR_3.2.zip is a compressed file that contains the SSPR Web archive (sspr.war) and tools. Unzip the SSPR package and save the sspr.war file to a preferred location.

To install SSPR by using the WAR file, perform the following:

  1. Stop Tomcat.

    • On Windows:

      Tomcat as service: Right-click the Tomcat icon on the task bar to stop the Tomcat service.

      Standalone Tomcat: Go to the bin folder of Tomcat and run shutdown.bat.

    • On Linux: Run the shutdown.sh script that is available in the <Tomcat_Home>/bin folder.

  2. Locate the sspr.war file from the folder where you saved it.

  3. Copy the sspr.war file to the Tomcat/webapps folder.

Continue with Deploying SSPR.

Uninstalling SSPR: To uninstall SSPR, perform the following:

  1. Shut down the Tomcat service.

  2. Download the XML configuration file for future use. (Optional)

  3. Export the local database (if any challenge-response questions are saved there) by using the SSPR command utility. (Optional)

  4. Delete the sspr folder and the sspr.war file from <tomcat>/webapps.

    This path may vary on your system.

Deploying SSPR

To deploy SSPR, perform the following steps:

  1. (Conditional) If SSPR is installed by using the EXE file, start the SSPR service, which is displayed under the name you specified for the service when you installed SSPR.

  2. (Conditional) If SSPR is installed by using the WAR file, start Tomcat.

    • On Windows:

      Tomcat as service: Go to Start > All Programs > Apache Tomcat and click Monitor Tomcat to start Tomcat as a service.

      You can also start the Tomcat service by right-clicking the Tomcat icon on the task bar.

      Standalone Tomcat: Go to the bin folder of Tomcat and run startup.bat.

    • On Linux: Run the startup.sh script that is available in the <Tomcat_Home>/bin folder.

  3. Go to http://localhost:<port>/sspr. This link takes you to the SSPR portal.

  4. To confirm the successful installation, check the tomcat\logs\catalina.out file.

    To check whether the Tomcat Web server is running, open the link http://localhost:<port>/. This will open an Apache Tomcat Web page.

  5. Continue with one of the following:

2.3.4 Setting Up a Secure Channel Between the Client and SSPR (Optional)

SSPR is a Web-based application that you access with an Internet browser over http. You can also access SSPR over https. To access SSPR over https, perform the following actions:

  1. Modify the operating system firewall settings on the SSPR server.

  2. Configure SSL in Tomcat by using certificates from a CA.

Modifying the Firewall Settings

  1. Go to Control Panel > Security Center > Windows Firewall > Advanced > Windows Firewall Settings.

  2. Click Inbound Rules > New Rule.

  3. Specify port 8443 (the https port used in this guide) and any other ports you require.

  4. In the Profile window, select the profiles this rule applies to, and then click Next.

  5. Verify that the profile has Inbound connections set to Block (default) and that it allows the connections permitted by the rules you specified.

Configuring SSL in Tomcat By Using Certificates from CA

For stronger security, configure SSL in Tomcat by using certificates from a trusted Certification Authority (CA).

For this configuration, you must first generate a keystore and a Certificate Signing Request (CSR). The CSR includes your public key and must contain the same details that you provide in the CA's online request form. After the certificate is issued, download it and install SSL in Tomcat.

Generating a Keystore and CSR in Tomcat

Perform the following steps by using the keytool utility to generate a keystore and CSR on your server:

  1. Run the following keytool command to create a keystore:

    keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

  2. Specify a password. The default password is changeit.

  3. Specify the following distinguished name information:

    First and Last Name: The fully-qualified domain name or URL that you want to secure. To request a wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example, *.ssprdomain.com.

    Organizational Unit: Optional. If applicable, specify the DBA (doing business as) name.

    Organization: The full legal name of your organization.

    City/Locality: Name of the city in which your organization is registered or located. Do not abbreviate.

    State/Province: Name of the state or province where your organization is located. Do not abbreviate.

    Country Code: The two-letter International Organization for Standardization (ISO) country code for the country where your organization is legally registered.

  4. The system prompts for a password for the private key within the keystore.

    If you press Enter, the key password is set to the same password that you specified in Step 2. The key password must include at least six characters.

  5. Run the following keytool command to create a CSR:

    keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore

  6. Specify the password you provided in Step 2.

  7. Open the CSR file and copy all of its text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines, into the online request form, then complete your application.

    For more information about how to complete the online request form, see respective certification authority documentation.

NOTE: This procedure describes one specific case. You can manage your certificates with Tomcat in other ways as well. For more information about other configuration types, see the Tomcat documentation.

Installing SSL in Tomcat

Download the certificate and place it in the same folder where you have placed your keystore. Then, install the certificate by using the keytool utility.

To install SSL in Tomcat, perform the following steps:

  1. Run the following keytool command to install the root certificate:

    keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <root.crt>

    NOTE: Certificate file names vary by CA.

  2. Install the intermediate certificate.

    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file <intermediate.crt>

  3. Install the issued certificate into the keystore:

    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>

  4. Update the server.xml file in the Tomcat conf directory with the correct keystore location.

    NOTE: The HTTPS connector is commented out by default. Remove the comment tags to enable HTTPS.

    Update the following elements in server.xml for Tomcat 5.x, 6.x and 7.x:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="path to your keystore file" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
    -->

  5. Restart Tomcat.

Setting Up a Secure Channel (Optional)

For testing purposes, you can use self-signed certificates to set up a secure channel:

  1. Create a self-signed certificate in the cacerts store. Change to the %JAVA_HOME%\bin\ folder and run the following command:

    Windows: keytool -genkey -alias tomcat -keyalg RSA -keystore ..\<jre>\lib\security\cacerts

    Linux: keytool -genkey -alias tomcat -keyalg RSA -keystore ../<jre>/lib/security/cacerts

  2. Enter changeit as the keystore password.

  3. In the <Tomcat_Home>/conf folder, modify the server.xml file to support https.

    • Uncomment the https connector and comment out the http connector.

    • When you uncomment the https connector, add the following attributes:

      Windows: keystoreFile="${java.home}\lib\security\cacerts" keystorePass="changeit"

      Linux: keystoreFile="${java.home}/lib/security/cacerts" keystorePass="changeit"

  4. Restart Tomcat.
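Step 4 of Installing SSL in Tomcat and step 3 of this procedure both leave the security of the channel in a few attributes of server.xml: the connector must actually be uncommented with SSLEnabled="true", keystoreFile must point at a store that exists, and keystorePass="changeit" is the published default that the testing setup above deliberately keeps. The following Python script is an added example, not part of the SSPR documentation or of Tomcat: it lists every <Connector> in a server.xml, including those still inside XML comments, and returns findings for those three conditions. The two embedded server.xml fragments are constructed samples modelled on the connector shown above. Tomcat resolves ${java.home} from the JVM's system property, which this script approximates with the JAVA_HOME environment variable, and it resolves relative keystore paths against base_dir, standing in for CATALINA_BASE; both are assumptions of this example.

```python
"""Audit the HTTPS connector in a Tomcat server.xml (added example, not SSPR code)."""
import os
import re
import xml.etree.ElementTree as ET

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>", re.S)

# Constructed sample: the shipped default, HTTPS connector still commented out.
SAMPLE_DEFAULT = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="path to your keystore file" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
-->
</Service></Server>"""

# Constructed sample: connector uncommented, but keystore path and password not yet reviewed.
SAMPLE_ENABLED = """<Server><Service name="Catalina">
<Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="conf/tomcat.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""


def list_connectors(xml_text):
    """Return [(attributes, commented_out)] for every <Connector> in document order."""
    comments = [(m.start(), m.end()) for m in COMMENT_RE.finditer(xml_text)]
    result = []
    for m in CONNECTOR_RE.finditer(xml_text):
        inside = any(s <= m.start() < e for s, e in comments)
        tag = m.group(0).rstrip(">").rstrip("/")      # normalise to a self-closing tag
        attrs = dict(ET.fromstring(tag + "/>").attrib)
        result.append((attrs, inside))
    return result


def audit(xml_text, base_dir=".", exists=os.path.exists):
    """Return a list of finding strings; an empty list means HTTPS looks correctly set up.

    `exists` is injectable so the check can run against sample XML with no keystore on disk.
    """
    findings = []
    active_tls = [a for a, commented in list_connectors(xml_text)
                  if not commented and a.get("SSLEnabled", "").lower() == "true"]
    if not active_tls:
        findings.append("no active SSLEnabled connector: the HTTPS connector is still "
                        "commented out or missing")
    for a in active_tls:
        port = a.get("port", "?")
        ks = a.get("keystoreFile")
        if not ks:
            findings.append("port %s: keystoreFile attribute missing" % port)
        else:
            # ${java.home} is a JVM property; JAVA_HOME is used as an approximation here.
            path = ks.replace("${java.home}", os.environ.get("JAVA_HOME", ""))
            if not os.path.isabs(path):
                path = os.path.join(base_dir, path)   # Tomcat resolves against CATALINA_BASE
            if not exists(path):
                findings.append("port %s: keystoreFile %s not found" % (port, ks))
        if a.get("keystorePass") == "changeit":
            findings.append("port %s: keystorePass is the published default 'changeit'" % port)
        if a.get("scheme") != "https" or a.get("secure", "").lower() != "true":
            findings.append('port %s: expected scheme="https" and secure="true"' % port)
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(target).read() if target else SAMPLE_DEFAULT
    # <Tomcat_Home>/conf/server.xml -> <Tomcat_Home> is the base for relative keystore paths.
    base = os.path.dirname(os.path.dirname(os.path.abspath(target))) if target else "."
    for line in audit(text, base) or ["OK: active HTTPS connector with an existing keystore"]:
        print(line)
```

Run python audit_server_xml.py <Tomcat_Home>/conf/server.xml after editing the file and before restarting Tomcat; a clean result is the point at which the https URL in the next section is worth trying. The script treats keystorePass="changeit" as a finding on purpose: it is acceptable for the self-signed test setup above, but a production keystore guarded by the default password protects the private key from nobody who has read this guide.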