2 Securing Password Reset

Password Reset consists of several client-side and server-side components that communicate with one another via SSL-encrypted HTTP and access a data repository over an SSL-encrypted channel.

2.1 Securing Password Reset on the Client Side

On the client side, Password Reset hooks into the Windows logon mechanism using a credential provider and a system service running under the LocalSystem account. This mechanism lets Password Reset add password reset functionality to the standard Windows logon dialog in the form of a hyperlink that launches a locked-down Internet Explorer window, which connects over HTTPS to the server-side Password Reset Web applications described below. Assuming that the server-side components are configured for SSL and the workstation URLs point at them over HTTPS, the client-side configuration is secure by default and does not require additional hardening. The workstation must, however, trust the CA that issued the server certificate; otherwise the browser cannot verify that it is talking to the genuine Password Reset server.

Note:

After configuring the server-side components to use SSL, make sure that the Web application URLs on end-user machines are updated to use the HTTPS protocol.

2.2 Securing Password Reset on the Server Side

On the server side, Password Reset runs IIS-hosted Web applications as well as a Windows system service that together provide the password reset, challenge question quiz, and administration functionality, as well as user interfaces for each. They also provide the challenge question functionality to Universal Authentication Manager.

The Web applications are EnrollmentClient, ResetClient, ManagementClient, and WebServices. The ResetClient and WebServices Web applications require that a limited-privilege domain user account (SSPRWeb) be created and assigned as the sole account permitted to access the pages within them and to modify user data in the repository.

The EnrollmentClient and ManagementClient applications, as well as the Administration.aspx page of the WebServices application are configured for access by the domain user account currently logged on to the Password Reset-enabled end-user workstation. Configuration steps are described in the Enterprise Single Sign-On Suite Installation Guide.

Oracle strongly recommends that you configure the Password Reset Web applications within IIS to use SSL. To enable SSL support for Password Reset, you must create and install an X.509 SSL certificate for the IIS Web sites serving the Password Reset Web applications. The certificate is issued by a Certificate Authority (CA), which can be a commercial CA, your enterprise CA, or CA software running on the target machine itself; whichever you use, the issuing CA must be trusted by the end-user workstations and the certificate's subject name must match the host name in the Web application URLs, or the browser cannot verify the server. You must then update your end-user workstations with secure (HTTPS) URLs to the Password Reset Web applications. Instructions are provided in the Enterprise Single Sign-On Suite Administrator's Guide.
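The following script is an added example of the IIS part of that procedure; it is not an Oracle script and is not taken from the Administrator's Guide. It assumes Windows PowerShell 5.1 with the WebAdministration and PKI modules, that the Password Reset applications live under the site named in $SiteName, and that the certificate and private key were already exported from your CA to the path in $PfxPath; those two values are assumptions and must be changed to match your server.

```powershell
# Added example, not an Oracle script: bind an X.509 certificate to the IIS site
# hosting the Password Reset Web applications, require SSL on each application,
# and verify the result. Windows PowerShell 5.1 with the WebAdministration and
# PKI modules is assumed. Values marked "assumed" must be adjusted to your site.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumed: the IIS site hosting Password Reset
$PfxPath  = 'C:\certs\sspr.pfx'  # assumed: certificate + private key exported from your CA
$Apps     = 'EnrollmentClient', 'ResetClient', 'ManagementClient', 'WebServices'

# 1. Import the certificate and its private key into the machine store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 2. Add an HTTPS binding on 443 if the site does not already have one.
if (-not (Get-WebBinding -Name $SiteName -Protocol 'https' -Port 443)) {
    New-WebBinding -Name $SiteName -IPAddress '*' -Port 443 -Protocol 'https'
}

# 3. Associate the certificate with the 443 listener on all addresses.
$sslBindingPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBindingPath) { Remove-Item $sslBindingPath }
New-Item $sslBindingPath -Value $cert | Out-Null

# 4. Require SSL on every Password Reset application. With sslFlags=Ssl, IIS
#    answers a plain-HTTP request with 403.4 instead of serving the quiz in clear.
foreach ($app in $Apps) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$app" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# 5. Verify from the server. Returns the HTTP status the application answered
#    with, or -1 when no HTTP response came back at all (binding missing, or the
#    certificate chain is not trusted by this machine, which is exactly what an
#    end-user workstation with an untrusted CA would hit).
function Test-SsprUrl {
    param([string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -UseDefaultCredentials
        return [int]$r.StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1
    }
}

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
foreach ($app in $Apps) {
    $https = Test-SsprUrl "https://$fqdn/$app/"
    $http  = Test-SsprUrl "http://$fqdn/$app/"
    # Any status over HTTPS (200, or 401/403 for the SSPRWeb-only applications)
    # proves the TLS handshake succeeded; over HTTP the only acceptable answer is 403.
    $ok = ($https -ne -1) -and ($http -eq 403)
    '{0,-18} https={1,4} http={2,4} {3}' -f $app, $https, $http, $(if ($ok) { 'OK' } else { 'CHECK' })
}
```

Run the verification step again from an end-user workstation after updating its URLs: a -1 there, with the server reporting OK, means the workstation does not trust the issuing CA or the certificate name does not match the host name users are sent to, and users will see certificate warnings rather than a protected connection.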

Note:

To maintain maximum security, Oracle strongly recommends that you do not disable SSL.

Password Reset also utilizes a Windows system service, SSPRChangePasswordSvc.exe, which runs in the background and is responsible for the actual changing of each user's password once the user has passed the Password Reset challenge quiz. This service requires a limited-privilege domain account (SSPRReset) that possesses only the permissions required to change user account passwords as well as write the lockoutTime and pwdLastSet values in Active Directory. The configuration steps and exact permissions that must be assigned to this account are described in the Enterprise Single Sign-On Suite Installation Guide.

Password Reset stores user data in a supported repository: Active Directory, AD LDS (ADAM), LDAP directories such as Oracle Internet Directory and Oracle Virtual Directory, as well as Oracle and Microsoft SQL databases. After installation, during the first-time configuration, Password Reset creates an organizational unit (directory-based repositories) or databases and tables (database-based repositories) and grants the SSPRWeb domain account full access to the newly created container or database and all its contents.

Oracle recommends that the administrator explicitly restrict access to the Password Reset container or database to the bare minimum through its access control. Password Reset itself requires only the SSPRWeb account. For example, the administrator may limit the ACL of the Password Reset OU to just the SSPRWeb account, System, and Domain Admins.
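The script below is an added example covering both Active Directory steps from this section: the least-privilege delegation for SSPRReset (only Reset Password plus write access to lockoutTime and pwdLastSet on user objects) and the restriction of the Password Reset OU to SSPRWeb, SYSTEM, and Domain Admins. It is not an Oracle script; the Installation Guide remains the authority on the exact permissions. It assumes the ActiveDirectory PowerShell module (which provides the AD: drive) and that the two distinguished names in $UserScopeDN and $SsprOuDN are replaced with the OU holding the accounts to be reset and the container Password Reset created.

```powershell
# Added example, not an Oracle script: delegate to SSPRReset only the rights the
# section names (Reset Password, write lockoutTime, write pwdLastSet) on user
# objects, and cut the Password Reset container's ACL down to SSPRWeb, SYSTEM and
# Domain Admins. The ActiveDirectory module (AD: drive) is assumed. The two
# distinguished names below are assumptions; replace them for your domain.
Import-Module ActiveDirectory

$UserScopeDN = 'OU=Employees,DC=corp,DC=example'   # assumed: OU holding the accounts to be reset
$SsprOuDN    = 'OU=SSPR,DC=corp,DC=example'        # assumed: container Password Reset created
$resetSid    = (Get-ADUser 'SSPRReset').SID
$webSid      = (Get-ADUser 'SSPRWeb').SID

# Resolve attribute, class and extended-right GUIDs from the forest instead of
# hard-coding them, so the script works against any schema.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties schemaIDGUID `
            -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    return [guid]$o.schemaIDGUID
}
$userClass = Get-SchemaGuid 'user'
# "Reset Password" sets a new password without knowing the old one, which is what
# the service does after the quiz; do not confuse it with "Change Password".
$resetPwd  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

# --- Part 1: least-privilege delegation for SSPRReset on user objects ----------
$scopeAcl = Get-Acl -Path "AD:\$UserScopeDN"

$scopeAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $resetSid, 'ExtendedRight', 'Allow', $resetPwd, 'Descendents', $userClass)))

# Write access to exactly the two attributes the service updates, nothing else.
foreach ($attr in 'lockoutTime', 'pwdLastSet') {
    $scopeAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $resetSid, 'WriteProperty', 'Allow', (Get-SchemaGuid $attr), 'Descendents', $userClass)))
}
Set-Acl -Path "AD:\$UserScopeDN" -AclObject $scopeAcl

# --- Part 2: restrict the Password Reset container to three principals --------
$ouAcl = Get-Acl -Path "AD:\$SsprOuDN"
$ouAcl.SetAccessRuleProtection($true, $false)   # stop inheriting; keep nothing from the parent
foreach ($ace in @($ouAcl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$ouAcl.RemoveAccessRuleSpecific($ace)  # drop every explicit entry, then add back three
}
$keep = @(
    $webSid,                                                   # the only account Password Reset needs
    [System.Security.Principal.SecurityIdentifier]'S-1-5-18',  # NT AUTHORITY\SYSTEM
    (Get-ADGroup 'Domain Admins').SID
)
foreach ($sid in $keep) {
    $ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'GenericAll', 'Allow', 'All')))
}
Set-Acl -Path "AD:\$SsprOuDN" -AclObject $ouAcl

# Show the resulting ACL so the result can be checked before users depend on it.
(Get-Acl -Path "AD:\$SsprOuDN").Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Apply Part 2 only to the container Password Reset created, never to a general-purpose OU, since it removes every inherited entry including the default read access other services may rely on. After both parts, run a full enrollment and reset as a test user: a reset that fails with an access-denied error means the SSPRReset delegation landed on the wrong scope or the user objects live outside $UserScopeDN.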