The Password Reset Web Interface
Password Reset can be used through either a web interface or a green screen interface. Both interfaces use the same definitions and have similar capabilities.
This document describes:
Web interface installation and implementation
The Password Reset Web Interface comes as a Java servlet. It can be run by any Servlet Container. A reasonable choice is Tomcat (but any other compatible web server will work as well). You can choose to run it on the IBM i or on any other platform.
The following describes how to install and use the Web interface with Tomcat as the server of choice and refers to its installation and usage on an IBM i.
Since IBM i release 6.1, Tomcat has not been part of OS400. It has to be installed by the client. The IBM document Running your IBM i web solution on ASF Tomcat is a good source of details about installation and deployment.
NOTE: During installation, you will be required to define a Manager-GUI Role, which is actually a user and password for the Tomcat manager.
Password Reset Web Customization
- Copy the /iSecurity/PRWEB/pr.war file from the IFS to your PC.
- Open the pr.war file. A .war file is similar to a .zip file. Opening the file presents a set of folders.
- Modify the /WEB-INF/web.xml file.
- To customize the interface:
  - Replace the image file /assets/img/logo.png with the logo of your own brand.
  - Change the text font and size, logo size, and related parameters by editing the /assets/img/style.css file.
- If the web server is not on the IBM i, edit these values in the /WEB-INF/web.xml file:
  - Change the IBMi-Name value from LOCALHOST to the IP or host name.
  - Change the IBMi-User value from *CURRENT to the user name.
  - Change the IBMi-Password value from *CURRENT to the user password.
- Close the pr.war file.
- If your web server is on the local IBM i, copy the pr.war file back to /iSecurity/PRWEB/pr.war . The pr-bkp.war file in that folder is a backup of the original pr.war file.
- Start the Web server:
  - If your web server is on the IBM i, enter the command QSHELL or QSH as a powerful user.
  - To start Tomcat, enter: /Tomcat-installation-location/bin/startup.sh (e.g. /home/tomcat/apache-tomcat-7.0.28/bin/startup.sh)
Deploying
Access the Tomcat manager from a browser on your PC at http://your-IBM-i-IP-or-URL:8080/manager .
Navigate to the location where the .war file exists and select Deploy.
By default, the WAR file is placed in the IBM i IFS at /iSecurity/PRWEB/pr.war
Web interface capabilities and best practices
To support web implementation, Password Reset provides an API with which you can:
- Check if the Password Reset system is available and the status of a user in the Password Reset system
- Obtain a token for the duration of the process. This token hides the actual user identity.
On entry, a user web interface should perform the following steps:
- Identify the IBM i user profile.
- Call the API with 'GETSTATUS'
- If the answer is that there are missing attributes for the user in the Password Reset system, call the API with 'GETTOKEN'
- Run the Password Reset Web using the Token
In addition, the organization portal may provide an option that lets users update their details at will.
The web application may ask the user to provide the details by running the Password Reset web interface at either of the following URLs:
To activate entry of personal attributes, run:
localhost:8080/pr/ChangeQuestions.html?screen_mode=attributes&token=XXXXXX
Note that this URL will automatically activate the following one after its entry has been satisfied.
To activate entry of personal questions, run:
localhost:8080/pr/ChangeQuestions.html?screen_mode=questions&token=XXXXXXX
Check status of user definition API - SMZO/PRIFEXSTR
| Operation | 10A (i) | 'GETSTATUS', 'GETTOKEN' |
| Type | 10A (i) | Should include ‘USER’ |
| Value | 10A (i) | Name of user |
| Return code | 10A | See list below |
| Seconds | 5A | Number of seconds that token is valid |
| NoOfUses | 5A | Number of uses the token is valid |
| Token | 10A | Token to call the process |
A call with GETTOKEN disables any existing token for the specified user.
Possible Return codes are:
- General
- For GETSTATUS
| OK | All is OK |
| NOTACTIVE | Password-Reset is not active (see option 81) |
| NOTALW | Password-Reset does not allow self-operations (see option 81) |
| ERROR | Any other error |
| ERPARMUSER | Parameter Type does not contain 'USER' |
| NOATR | User specified does not exist in Password-Reset |
| NOQST | Missing question (as per needed: entirely or partially) |
| NOATR+WAIT | NOATR + Time is not convenient to ask for it now |
| NOQST+WAIT | MISQST + Time is not convenient to ask for it now |
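The entry steps and return codes above, as an added Python example that is not part of the product or the original page. `call_api` is a hypothetical wrapper around the SMZO/PRIFEXSTR call and `fake_api` is a constructed stand-in for it; the pairing of NOATR/NOQST with `screen_mode` values, an OK return code from GETTOKEN, and deferring on the +WAIT codes are assumptions.

```python
from urllib.parse import urlencode

# Return codes and screen_mode values come from the page; pairing them is
# this example's assumption.
SCREEN_FOR = {"NOATR": "attributes", "NOQST": "questions"}
GENERAL_FAILURES = {"NOTACTIVE", "NOTALW", "ERROR", "ERPARMUSER"}


def entry_flow(call_api, user, base="http://localhost:8080/pr"):
    """Return (action, url): 'prompt' with a ChangeQuestions URL, else no URL.

    call_api(operation, type, value) is a hypothetical wrapper around
    SMZO/PRIFEXSTR that returns the output parameters as a dict.
    """
    user = user.strip().upper()
    if not 1 <= len(user) <= 10:          # the Value parameter is 10A
        raise ValueError("user profile must be 1-10 characters")
    status = call_api("GETSTATUS", "USER", user)["return_code"].strip()
    if status == "OK":
        return ("none", None)             # nothing missing, no token needed
    if status in GENERAL_FAILURES:
        return ("unavailable", None)
    if status.endswith("+WAIT"):
        return ("defer", None)            # data missing, but do not ask now
    screen = SCREEN_FOR.get(status)
    if screen is None:
        return ("unavailable", None)      # unknown code: fail closed
    # GETTOKEN disables any existing token for this user, so request one
    # only when a screen will actually be shown.
    reply = call_api("GETTOKEN", "USER", user)
    token = reply["token"].strip()
    if reply["return_code"].strip() != "OK" or not token:
        return ("unavailable", None)
    query = urlencode({"screen_mode": screen, "token": token})
    return ("prompt", f"{base}/ChangeQuestions.html?{query}")


def fake_api(statuses):
    """Constructed stand-in for the IBM i program call, for offline runs."""
    calls = []
    def call(operation, type_, value):
        calls.append((operation, value))
        if operation == "GETSTATUS":
            return {"return_code": statuses[value].ljust(10)}
        return {"return_code": "OK".ljust(10), "seconds": "00300",
                "no_of_uses": "00001", "token": "TKN0000001"}
    call.calls = calls
    return call
```

Because the token travels in the query string, it is recorded in browser history and web server access logs, so the Seconds and NoOfUses limits returned by GETTOKEN are what bound its exposure.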
