Self-Service Password Reset V4.4 – Upgrade Notes
For those of you out there who are still using an older version of NetIQ’s (or MicroFocus) Self-Service Password Reset (SSPR), version 3.X or older (you know who you are), I’d like to take a few minutes to highlight some recent changes with newer versions of SSPR beginning with version 4.4. These are simple changes, but they can have a big impact on the ease of your upgrade if you are not aware of them.
New Data Structure
In older versions of SSPR, all of the application data was stored under the Tomcat webapp’s directory. This meant that any time you wanted to perform any type of upgrade to the application, you ran the risk of overwriting any application configurations or customizations that were made from within the tool’s Administration UI screens.
With version 4.4, there is a new SSPR data structure that can help you avoid these issues. The application now requires a folder to be created outside of Tomcat where the application can read/write data such as configuration settings and more.
Having the directory outside of Tomcat allows system administrators to delete or overwrite data within the Tomcat webapp’s directory as part of standard troubleshooting or application upgrade processes without endangering the SSPR configurations or customizations. However, because this path can be in any directory outside of Tomcat, the new version of SSPR expects there to be an environment variable declared on the Tomcat server hosting SSPR that points to the new external path. If the path or the variable does not exist, SSPR will fail to load properly after the new WAR file is deployed and an appropriate error message will be displayed on the browser page.
If you are not expecting this change, the error message displayed may be somewhat confusing, but the new SSPR documentation provided by NetIQ/MicroFocus provides adequate details about these requirements and how to implement them on both Linux and Windows-based servers.
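A pre-deployment check for the requirement described above, added here as an example and not taken from the NetIQ/MicroFocus documentation. The variable name is passed as an argument because this page does not state it; the function name `check_app_path` and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example: verify the external data directory before deploying the WAR.
# Run it as the Tomcat service account, in the environment Tomcat starts with.
# usage: check_app_path VAR_NAME TOMCAT_DIR
#   VAR_NAME   - environment variable name from the vendor documentation
#                (passed in because this page does not state it)
#   TOMCAT_DIR - Tomcat installation directory
# returns: 0 ok, 1 variable unset, 2 path missing, 3 path inside Tomcat,
#          4 path not readable/writable, 5 bad arguments
check_app_path() {
    var_name=$1
    tomcat_dir=$2

    # Accept only a plain identifier before using it in eval.
    case $var_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 5 ;;
    esac
    [ -d "$tomcat_dir" ] || { echo "no such Tomcat directory: $tomcat_dir" >&2; return 5; }

    # Indirect lookup: read the value of the variable named by $var_name.
    eval "app_path=\${$var_name:-}"
    if [ -z "$app_path" ]; then
        echo "$var_name is not set" >&2
        return 1
    fi
    if [ ! -d "$app_path" ]; then
        echo "$var_name points to a missing directory: $app_path" >&2
        return 2
    fi

    # Resolve symlinks so a link back into Tomcat does not pass as "outside".
    real_app=$(cd "$app_path" && pwd -P)
    real_tc=$(cd "$tomcat_dir" && pwd -P)
    case $real_app in
        "$real_tc"|"$real_tc"/*)
            echo "$app_path is inside Tomcat ($real_tc); redeploys can overwrite it" >&2
            return 3 ;;
    esac

    # The application reads and writes its configuration here.
    if [ ! -r "$app_path" ] || [ ! -w "$app_path" ] || [ ! -x "$app_path" ]; then
        echo "$app_path is not readable/writable by $(id -un)" >&2
        return 4
    fi
    echo "OK: $var_name=$real_app"
    return 0
}
```

Because the data directory holds the SSPR configuration, it is worth keeping its ownership limited to the Tomcat service account once the check passes.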
The SSPR interface has undergone a significant facelift. This helps align the product with other newer versions of NetIQ/MicroFocus products, such as the User Application (UA) interface that is used with Identity Management (IdM).
While the Administration section of the application still allows for ample customization in terms of colors, text, etc., there are some general changes to navigation and options in the UI that are not subject to such customizations.
The most obvious and immediate change you’ll notice is the application’s dashboard. In the past, the dashboard contained text-based buttons or links to access the various pages for things like password changes, profile updates, Help Desk feature access (if so authorized), etc. In version 4.4 of SSPR, links on the dashboard are represented with tiles or panels.
Image 1: Old SSPR Dashboard
Image 2: New SSPR Dashboard
While the dashboard dominates the screen, there are also other, more subtle, changes to the navigation in SSPR 4.4.
In older versions of SSPR, the top right of the application screen contains links for basic navigation so users can always return “Home” or “Logout”. In SSPR 4.4, “Home” and “Logout” now use icons and buttons to represent these actions. In addition to the icon buttons, SSPR 4.4 also shows the current user’s name and a drop-down option for basic functions available to that user.
Image 3: Old SSPR Navigation
Image 4: New SSPR Navigation
For entities that use SSPR’s Help Desk feature, there are some surprising changes to the look and feel and other options within that module.
In the old versions of SSPR, the only option for displaying results when searching for data in the Help Desk screen was to display everything in a grid-like, list view. The Help Desk user would have to find the correct profile in this list if multiple results were found. The only real way to narrow down a search was to be very specific in the search criteria that was based on a pre-defined LDAP query that attempted to match all attributes listed in the query with the data in the search field (with some exceptions based on LDAP filter construction).
However, in SSPR 4.4, the Help Desk search module is much more flexible for the end-user. First, if the end-user does not like the grid list view that the older versions of SSPR used, there is another view that displays the results in a series of panels that display similar, albeit less, detail than the grid list.
Not to worry, this is not the only output available. If the Help Desk module end-user is a fan of, or prefers, the grid list over the new panel view, there is an option on the screen to select which view you’d like to use to display the results.
Image 5: Old SSPR Help Desk Results
Image 6: New SSPR Help Desk Results
Image 7: New SSPR Help Desk Results View Toggle
Before we discuss anything else, there is still one more new trick to the Help Desk screen in SSPR 4.4. SSPR now includes an “Advanced Search” option that allows Help Desk module users to better define criteria for finding target accounts. The Advanced Search fields can be defined in the Administration screens for the Help Desk module to define which attribute/fields can be used in this feature.
Clicking the magnifying glass to the right of the search box will activate the Advanced Search option. By default, users can define up to three attributes to be used in the new search. Any results found will be displayed similarly to the results found using the standard search.
Image 8: New SSPR Help Desk Advanced Search
If the user wants to return to the basic search screen, just click the X next to each of the fields listed and when all fields have been removed, the application will automatically revert back to the basic search screen.
Help Desk Password History
A helpful feature in the SSPR Help Desk module is the ability for Help Desk users to be able to see a selected user’s Password History. Now, this does not mean that Help Desk users get to see the actual passwords used by that user, only that the Help Desk user can see when passwords may have been changed, passwords recovered, etc. This can help Help Desk users determine if a user’s problem is the result of timing, account security breach, etc.
In SSPR 4.4 this history has to be enabled, but it’s not where you may think. Most SSPR configurations are managed in the Administration screen under the module of interest. This might lead you to think that the Help Desk module would contain the option to toggle Password History on or off, but you’d be wrong. In order to enable Password History in SSPR 4.4, an administrator will need to enable the “Show Password History Event” option under the Account Information module.
Image 9: Password History
It is also important to note that even if the Account Information module is disabled (as seen in the image above), this checkbox must be enabled in order for Help Desk users to see a selected user’s password history. There is no option to toggle this feature on or off in the Help Desk module and this is the only place in the SSPR Administration screens to allow that data to be displayed.
Password Policy Requirements
If your version of SSPR uses password policies from eDirectory, in SSPR 4.4 there is an additional password policy selection that may be required. When using eDirectory password policies, the password policy must have the “Allow non-alphabetic characters in the password” option enabled if you want passwords to include anything other than letters. This means that if you want passwords to include, either optionally or as a requirement, numbers, special characters, and/or non-ASCII characters, this checkbox must now be enabled on the eDirectory password policy.
Older versions of SSPR may allow these characters to be used without this box checked, but in SSPR 4.4 this is a required change to the password policy to allow characters other than letters.
We hope this rundown proves valuable to anyone using SSPR v4.4 or newer. As always, don’t hesitate to reach out if you’ve got questions we didn’t cover here.