ptown Respected Contributor.

Lost access to the SSPR admin console

I've lost access to the admin console due to a cert issue. Can anyone direct me to the keystore for the admin console or to the config file so I can switch it to an insecure port until I get this fixed? Or if you know another workaround, I'm open to suggestions. Thanks.

Peggy Townsend Novacoast
Knowledge Partner Knowledge Partner

Re: Lost access to the SSPR admin console

Could you explain more about the cert issue? If your HTTPS certificate
expired you could probably still tell your browser to ignore that and let
you configure things.

Back to your original question, the SSPRConfiguration.xml file is in your
Apache Tomcat application service's WEB-INF directory, or maybe something
like /var/tomcat/webapps/sspr/WEB-INF/SSPRConfiguration.xml file. See TID#
7014954 for the same info:
https://www.netiq.com/support/kb/doc.php?id=7014954


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
ptown Respected Contributor.

Re: Lost access to the SSPR admin console

The self-signed cert that the admin console was pulling has been removed. Now we can't get into the admin console. Users are not affected. This is just access to the admin console on port 9443. The TID above tells you to log in to the admin console. We cannot.

Peggy Townsend Novacoast
Knowledge Partner Knowledge Partner

Re: Lost access to the SSPR admin console

Ah.... I mis-assumed that "admin console" just meant the SSPR
administration interface, where you are actually using the SSPR Appliance
which uses TCP 9443. Sorry for misunderstanding.

Out of curiosity, how was that self-signed certificate deleted? I presume
somebody saw it, did not like it, and rm'd it, but I'm curious in case it
was something within the product that made it a bit too easy and could be
improved, maybe with big warnings or other checks.

The only thing I have found is documentation on how to update that
certificate while in the appliance's admin console itself, which is not
really useful for you right now. I am sure we could reverse engineer it,
but before going down that path, do you have a backup of the filesystem
from which we could restore the file that was lost? Another option may be
to build a new appliance, then copy over SSPR from the bad one to the good
one so both the appliance's admin console as well as SSPR work.

I'll see what else I can find and post back if I find anything useful.

ptown Respected Contributor.

Re: Lost access to the SSPR admin console

This all started with errors on the admin console because it was using a self-signed cert. Company policy requires a 3rd party cert. The self-signed was removed in an effort to force use of the desired cert. Not a good move. We did rebuild the appliance and are back to where the admin console is giving certificate errors because of the self-signed cert. How do we get the admin console to pull the correct cert?

Peggy Townsend Novacoast
Knowledge Partner Knowledge Partner

Re: Lost access to the SSPR admin console

That's good news. The documentation for doing this the official way,
including using third-party certificates, is here:

https://www.netiq.com/documentation/self-service-password-reset-40/adminguide/data/certificates.html

I am not sure what you may mean, other than that, by "pull the correct
cert" with regard to TLS/SSL services. Usually (always?) applications
store their TLS/SSL keys, and matching certificate data, locally, so they
pull them from their filesystem or other datastore. Since this includes
highly-sensitive data (the private key), the store is usually not
something I would consider a "pull", since to me that means over a
network, but the lines between storage and network have been blurred for
so long I am probably assigning meaning to words where there should be none.

Knowledge Partner

Re: Lost access to the SSPR admin console

On 12/8/2017 11:54 AM, ab wrote:
> Could you explain more about the cert issue? If your HTTPS certificate
> expired you could probably still tell your browser to ignore that and let
> you configure things.
>
> Back to your original question, the SSPRConfiguration.xml file is in your
> Apache Tomcat application service's WEB-INF directory, or maybe something
> like /var/tomcat/webapps/sspr/WEB-INF/SSPRConfiguration.xml file. See TID#
> 7014954 for the same info:
> https://www.netiq.com/support/kb/doc.php?id=7014954


Agreed it was, as of 4.2 I think it is now wherever an ENV setting
points it to. But this is a good place to start.

