Adding Password Self-Service to Your Company Portal

Most of the procedures in the Password Self-Service section assume that you are using the Password Self-Service features on an iManager 2.0.2 server.

Refer to the following table for instructions on how Password Self-Service features can be used with portal products, including products other than iManager.

Product: iManager 2.0.2

  Support for Password Self-Service: You can integrate the features.

  This product supports Password Self-Service features if you install the password management plug-ins. These plug-ins are included with the DirXML 2 plug-ins and are also available separately from download.novell.com.

  Use the following instructions: Follow the steps in

Product: exteNd™ Director™ Standard Edition 4.1 with Support Pack 1

  Support for Password Self-Service: You can integrate the features.

  This version of exteNd Director supports Password Self-Service features if you install the necessary Novell portal modules (.npm files).

  To support the features, you must have Support Pack 1 or later.

  Use the following instructions: Integrating Password Self-Service with exteNd Director 4.1

Product: Virtual Office, provided with NetWare 6.5 Support Pack 2, running on an iManager server

  Support for Password Self-Service: You can integrate the features.

  You can use the Password Self-Service features on the same NetWare server used for Virtual Office and iManager by installing the plug-ins and completing some additional steps.

  Use the following instructions: Integrating Password Self-Service with Virtual Office

Product: exteNd Director 5

  Support for Password Self-Service: You must link to the features.

  Because exteNd Director 5 is based on portlets, and Password Self-Service is based on Novell portal modules (NPMs), you can't use the Password Self-Service features directly in another product.

  To use this product with Password Self-Service, create links from your company portal to the end-user password features on an iManager server.

  Use the following instructions: Linking to Password Self-Service from a Company Portal

Product: Novell Portal Services (NPS) versions earlier than 4.1

  Support for Password Self-Service: You must link to the features.

  Although these legacy NPS products run Novell portal modules (NPMs), they don't have some of the enhancements that are required for the Password Self-Service features of the ForgottenPassword.npm.

  To use this product with Password Self-Service, create links from your company portal to the end-user password features on an iManager server.

  Use the following instructions: Linking to Password Self-Service from a Company Portal

Product: Third-party products

  Support for Password Self-Service: You must link to the features.

  Because third-party products don't run Novell portal modules, you can't use the Password Self-Service features directly in another product.

  To use third-party products with Password Self-Service, create links from your company portal to the end-user password features on an iManager server.

  Use the following instructions: Linking to Password Self-Service from a Company Portal


Integrating Password Self-Service with exteNd Director 4.1

If you are using exteNd Director Standard Edition 4.1 with Support Pack 1 for a company portal, you can add the Forgotten Password module to your portal like any other Novell portal module. This module provides the same features that are available when using it on iManager 2.0.2:

To add these features:

  1. Make sure you have installed Support Pack 1.

    It includes enhancements that are necessary for the ForgottenPassword.npm.

  2. Make sure that SSL is configured between the exteNd Director Web server and eDirectory, even if they are running on the same machine.

    This is a requirement of NMAS 2.3 or later.

  3. To ensure security for the Forgotten Password gadgets, check your LDAP SSL port number.

    If you are using an LDAP SSL port other than 636, the following configuration step must be completed:

    Add the following key/value pair to the PortalServlet.properties file:

    LDAPSSLPort=your_port_number

    For example, if your Web server is running Active Directory, you will need to make this change, because Active Directory uses port 636. If you are running Tomcat, change the setting in the PortalServlet.properties file in the tomcat\webapps\nps\WEB-INF directory.

    This setting takes a higher precedence than the default value of 636 if that value exists in the file.

  4. After changing the setting, restart the Web server.

  5. Make sure all the eDirectory users in the portal users container have rights to self for the Hint attribute, named nsimHint.

    When you install the DirXML plug-ins on an iManager Web server, this step is automatically completed for the tree that iManager is configured for.

    However, if you are pointing to a different tree, you must complete this step manually.

    A utility is provided to help you do this, which you can download and run by doing the following:

    1. Go to http://download.novell.com.

    2. Fill in the following fields:

      • Search by: Product

      • Choose a Product: Nsure Identity Manager

    3. Download the item named "2.0 Password Management Plug-in for iManager 2.0.x."

    4. Follow the instructions in the nsimhintreadme.txt file.

    If users do not have rights to self for the nsimHint attribute, they get an error like the following when they try to create a Hint:

    "Could not write user hint" (Task could not be completed).

  6. (Conditional) If you have not installed Identity Manager on the server that holds eDirectory and NMAS, install the Challenge Response Login Method for NMAS.

    This Login Method is installed automatically with Identity Manager, and is provided as part of the eDirectory 8.7.3 product.

    One way to install a Login Method is on Windows, using the Method Installer:

    1. Locate the MethodInstaller.exe file in the \nmas\NmasMethods\ directory of the eDirectory CD.

    2. Run the executable on a workstation and check the Challenge Response method.

    3. Accept the agreement and the defaults for the Login Sequence.

      The method is added to the Authorized Login Methods.Security.tree_name container.

    For more information on installing a Login Method, including installing on UNIX, see "Installing a Login Method" in the NMAS 2.3 Administration Guide.

  7. Add the following modules to exteNd Director:

    • ForgottenPassword.npm
    • nmasclient.npm

    They are included with the DirXML product distribution.

    For instructions on adding a module, see the Novell exteNd Director Standard Edition Installation and Configuration Guide.
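A check for the LDAPSSLPort setting from step 3, as an added example that is not part of the Novell documentation: it reads the text of PortalServlet.properties and reports the port that would apply, falling back to the default of 636. It assumes the file uses ordinary key=value lines with # or ! comments, a case-sensitive key, and last-value-wins for duplicates; the function name and sample contents are constructed.

```python
import re

DEFAULT_LDAP_SSL_PORT = 636   # default the page names
KEY = "LDAPSSLPort"           # key the page says to add


def effective_ldap_ssl_port(properties_text):
    """Return (port, warnings) for LDAPSSLPort in PortalServlet.properties text."""
    port, warnings, hits = DEFAULT_LDAP_SSL_PORT, [], 0
    for lineno, raw in enumerate(properties_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() != KEY.lower():
            continue
        if key != KEY:                           # assumption: lookup is case-sensitive
            warnings.append("line %d: key %r differs in case from %s"
                            % (lineno, key, KEY))
            continue
        hits += 1
        if not re.fullmatch(r"[0-9]{1,5}", value) or not 1 <= int(value) <= 65535:
            warnings.append("line %d: %r is not a valid port" % (lineno, value))
            continue
        port = int(value)                        # assumption: last valid value wins
    if hits > 1:
        warnings.append("%s is set %d times; the last valid value is used here"
                        % (KEY, hits))
    if port == 389:
        warnings.append("389 is the standard cleartext LDAP port, not an SSL port")
    return port, warnings


# Constructed sample file contents, not taken from a real installation.
SAMPLE = """\
# PortalServlet.properties (constructed sample)
Example.OtherSetting=value
ldapsslport=10636
LDAPSSLPort = 6636
"""

if __name__ == "__main__":
    print(effective_ldap_ssl_port(SAMPLE))
```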


Integrating Password Self-Service with Virtual Office

In NetWare 6.5 Support Pack 2, Virtual Office supports all the features of Password Self-Service. There are some steps you must complete before you can use the features, but some of them are done for you automatically when you install Identity Manager in your eDirectory tree and install the Identity Manager plug-ins on your iManager server.

For instructions, see the Novell Virtual Office for NetWare 6.5 Configuration Guide. The items that are already completed if you have installed Identity Manager are the following:


Linking to Password Self-Service from a Company Portal

For products that can't provide the Password Self-Service features by running the ForgottenPassword.npm (as noted in the table in Adding Password Self-Service to Your Company Portal), you can use the Password Self-Service features by creating another iManager server with the password management plug-ins installed, and then linking from your portal home page to the iManager self-service console on the other server, such as https://iManager_server_IP_address/nps.

The password management plug-ins are included with the DirXML 2 plug-ins, and are available separately by downloading the 2.0 Password Management Plug-in for iManager 2.0.x from http://download.novell.com.

The one feature that is not easy to incorporate is post-authentication services, which prompt users to update their passwords to comply with password policies, and prompt them to set up Forgotten Password Self-Service according to the Password Policy, such as creating a Password Hint. To make sure that users have compliant passwords and are set up to use Forgotten Password Self-Service, you need to make sure that users log in to the iManager self-service console at least once to create compliant passwords and complete password management setup, and again whenever you make changes to Password Policies.

Complete the items in these sections:


Prerequisites

The iManager server and the tree you are using must be prepared as follows:


Linking to Forgotten Password Self-Service

To give users access to Forgotten Password Self-Service from your company portal, you can link to that service on a separate iManager Web server.

  1. Create a link such as "Forgot your password?" on the login page for your company portal, and point it to the following URL on your iManager Web server:

    http://iManager_server_IP_address/nps/servlet/fullpageservice?NPService=ForgotPassword&nextState=getUserID

    This URL takes the user to the following page, where you begin the Forgotten Password process. For examples of the other pages in the process, see Providing End Users with Forgotten Password Self-Service.


    [Figure: Forgotten Password page for entering username]

  2. Complete the steps in Returning Self-Service Users to the Company Portal.


Linking to End-User Password Management Tasks

  1. Make sure all the eDirectory users in the portal users container have rights to self for the Hint attribute, named nsimHint.

    When you install the DirXML plug-ins on an iManager Web server, this step is automatically completed for the tree that iManager is configured for.

    If you are pointing to a different tree, you must complete this step manually.

    A utility is provided to help you do this, which you can download and run by doing the following:

    1. Go to http://download.novell.com.

    2. Fill in the following fields:

      • Search by: Product

      • Choose a Product: Nsure Identity Manager

    3. Download the item named "2.0 Password Management Plug-in for iManager 2.0.x."

    4. Follow the instructions in the nsimhintreadme.txt file.

    If users do not have rights to self for the nsimHint attribute, they get an error like the following when they try to create a Hint:

    "Could not write user hint" (Task could not be completed).

  2. Provide users with a link from your company portal to the password management tasks.

    You can create a Manage Passwords link from the company portal, and link to https://other_iManager_server/nps. This link would provide access to the Password Management end-user tasks:

    • Hint Setup
    • Answer Challenge Questions
    • Change Password (Universal)

    A user who clicks on the link would first need to log in, and then would see a page like the following example.


    [Figure: Forgotten Password page for entering username]

  3. Complete the steps in Returning Self-Service Users to the Company Portal.


Returning Self-Service Users to the Company Portal

The Password Self-Service features include scenarios in which users are provided with a link that lets them return to the login page. For example, when a user changes a password using the Forgotten Password Self-Service, a page is displayed that says "Your password has been successfully changed. Click here to return to login page."

If you point from your company portal to Password Self-Service on a separate iManager server, you might want to customize the default return page so that users are returned to the login page for your company portal when they complete password tasks. By default, clicking the button returns the user to a page on the iManager Web server.

A link to return to the login page is provided in these three places:

  • The page where a user can set a new password
  • The page displayed after a user successfully changes a password
  • The page where a user views a Hint

To customize the return page to go to the login page for your company portal:

  1. On the iManager Web server you are using for Forgotten Password Self-Service, locate the following directory:

    \tomcat\webapps\nps\portal\modules\ForgottenPassword\skins\default\devices\default

  2. Locate the following file in that directory:

    forgottenpassword.xsl

  3. Edit the forgottenpassword.xsl file to customize the default return page.

    Replace the following code

    href="{LoginURL}"

    with a hard-coded URL such as

    href="http://www.your_company_portal_home_page.com"

    You need to make this change in three places in the file.

  4. Stop and restart Tomcat on the iManager server.

    The "Return to Login Page" links now redirect users to your company's portal login page.
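A scripted form of the edit in step 3, as an added example that is not part of the Novell documentation: it replaces each href="{LoginURL}" with the portal URL and refuses to return a result unless it found exactly the three occurrences the procedure mentions. It also escapes the URL for XML and doubles any braces, because braces inside a stylesheet attribute are read as an attribute value template; the function names, template names and sample stylesheet are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

LOGIN_HREF = re.compile(r'href="\{LoginURL\}"')   # attribute the page names
EXPECTED_LINKS = 3                                # "three places in the file"


def portal_href(portal_url):
    """Encode portal_url as a literal href value for use inside a stylesheet."""
    parts = urlsplit(portal_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("return URL must be an absolute http(s) URL")
    # XML attribute escaping: &, <, > and the quote that delimits the value.
    value = escape(portal_url, {'"': "&quot;"})
    # { and } open an XSLT attribute value template, so literal braces double.
    return value.replace("{", "{{").replace("}", "}}")


def retarget_login_links(xsl_text, portal_url):
    """Swap every href="{LoginURL}" for the portal URL; require exactly three."""
    href = 'href="%s"' % portal_href(portal_url)
    new_text, count = LOGIN_HREF.subn(lambda match: href, xsl_text)
    if count != EXPECTED_LINKS:
        raise ValueError("expected %d LoginURL links, found %d"
                         % (EXPECTED_LINKS, count))
    ET.fromstring(new_text)   # raises ParseError if the result is not well formed
    return new_text


# Constructed stand-in for forgottenpassword.xsl; template names are hypothetical.
SAMPLE_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template name="NewPassword"><a href="{LoginURL}">Return</a></xsl:template>
  <xsl:template name="Changed"><a href="{LoginURL}">Return</a></xsl:template>
  <xsl:template name="ShowHint"><a href="{LoginURL}">Return</a></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print(retarget_login_links(SAMPLE_XSL, "https://portal.example.com/login"))
```

Keep a copy of the original forgottenpassword.xsl before writing the result back, then restart Tomcat as in step 4.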


Making Sure Users Have Configured Password Features

When users log in to the iManager self-service console at https://iManager_server_IP_address/nps, they are prompted to take action through a series of post-authentication pages if conditions such as the following are true:

For example, these prompts are necessary to make sure that the user can use Forgotten Password Self-Service. If the Password Policy requires users to answer Challenge Questions, and the user has never configured them initially, the user can't access Forgotten Password Self-Service. If the user has not created a Password Hint, the user can't retrieve it to help in remembering the password.

Because other portal products won't automatically provide the post-authentication features, you need to make sure that users log in to the iManager self-service console at least once to create compliant passwords and complete password management setup, and periodically thereafter whenever you make changes to Password Policies.

This can be done by making sure that users go to a Manage Passwords link you provide as described in Linking to End-User Password Management Tasks, which requires users to log in to the iManager self-service console.