2.5 Configuring Forgotten Password Self-Service

The User Application provides password self-service for users who have forgotten their passwords. This service enables

The forgotten password service is available by default to users inside your corporate firewall through the deployed User Application WAR.

You can also set up a separate forgotten-password management WAR, IDMPwdMgt.WAR, and deploy it on a system inside your corporate firewall or external to the firewall. Deploying this WAR outside the firewall can provide an additional layer of security while providing forgotten-password self-service to remote users. The forgotten-password WAR is also called the external password WAR. To set up the external password WAR, see Table 2-4.

IDMPwdMgt.WAR contains only forgotten-password self-service software and the default User Application theme.

Table 2-4 Steps for Enabling an External Password WAR



Install the User Application. During the installation, you are asked to specify User Application configuration parameters. Specify the following to enable the external password WAR:

  • Use External Password WAR

  • Forgot Password Link

  • Forgot Password Return Link

You can also update the configuration after installation with the configupdate tool.

When you specify Use External Password WAR, the install program generates and installs IDMPwdMgt.WAR in the install directory that you specify.

For Forgot Password Link, specify the location for the external password WAR. Include the application server host and its secure port, for example http://localhost:8080/ExternalPwd/jsps/pwdmgt/ForgotPassword.jsf. The install program renames IDMPwdMgt.WAR based on the location you specify.

For Forgot Password Return Link, supply the path that the external password WAR uses to call back the User Application, (it uses a Web Service), for example https://idmhost:sslport/idm.

If you want to change the link locations, you can do so in the User Application Administration tab.

Deploy the external password WAR to an application server.

Before you deploy the external password WAR to an application server, ensure that the application server is configured to support SSL. See Section 2.2.3, Enabling SSL. In addition:

  • If the external password WAR is deployed outside the firewall, make sure that the firewall’s SSL port is open to allow communication between both application server hosts.

  • The application server that hosts the external password WAR must have the server certificate of the application server hosting the core User Application. Use the keytool import command to import the server certificate to the keystore (cacerts) of the JRE used by the application server hosting the external password WAR. The keytool command has this syntax:

    keytool -import -file certname.cer -keystore cacerts -storepass changeit -alias uacerts

Do you want to customize the theme for the external password WAR?

For more information, see Customizing the Theme for External Password WAR.

The external password WAR location is saved to the

configuration.AppDefs.AppConfig.driver.driverset as

The return location is saved to the

configuration.AppDefs.AppConfig.driver.driverset as

The return location is saved to the userAppURL property in External WAR/WEB-INF/faces-managed-beans.xml, for example

2.5.1 Accessing an External Password WAR

Users can go to the Forgot Password page in the external password WAR directly from a browser like this:


When accessed directly, the external password WAR checks the WEB-INF\faces-managed-beans.xml for this entry:


The external password WAR uses the userAppURL entry to call the Web Service that handles the forgot password functionality in the User Application WAR.

Users can access the Forgot Password page by clicking the Forgot Password? link in the User Application’s Login page. The User Application redirects the user to the external password WAR based on the value specified for the Forgot Password link. The external password WAR uses the Forgot Password Return Link value to call back to the User Application.