If you're not using a directory server to manage user authentication, the Forgotten Password functionality can save a tremendous amount of time for your help desk by allowing users to reset their own passwords in a self-service fashion. Unfortunately it's not "out of the box" functionality and does require a minor customization or two.

The forgotten passwords functionality is documented in the Security PeopleBook. Another good resource is on Customer Connection [1]. Here's how it works: when a user forgets a password, they log on to the Forgotten Password site and go through a series of screens to specify their user ID, confirm their e-mail address, and answer a question to verify their authenticity. Then the system generates a new password and e-mails it to them. We can set up generic password hint questions, and the user can customize the hint to be anything they like. Here are the steps to set up Forgotten Password functionality:


  1. Global Permission List Screenshot

  2. While we’re doing security, let’s go ahead and create a user ID that only has access to log on and e-mail forgotten passwords.

    • Create a permission list called "WX_MAILPSWD".

    • On the Pages tab of this Permission List you will need to authorize the component called EMAIL_PSWD. Do this by adding the menu named MAINTAIN_SECURITY and then clicking edit component. Find the component called EMAIL_PSWD with the description Forgot My Password. Edit the pages and select all.

    • Now go to the Component Interface tab of this same Permission List, add and give full access to the USERMAINT_SELF component.

    • Now go to the Web Libraries tab of this same Permission List and add the WEBLIB_PORTAL and WEBLIB_PT_NAV web libraries. Then click edit and give FULL access to ALL iscripts on both web libraries.

    • Click Save.

    • Create a Role called "WX_FORGOT_PASSWORD". This role will have only 1 permission list, the MAILPSWD permission list you just created. Add this Permission List and save.

    • Create a new User called "FORGOTPASSWORD". Create a password for this user and remember it, as it is case sensitive, and you will be using it again in step 9. The User ID Type for this user should be none and on the roles tab you will want to add the role you just created called "Forgot Password".

    • Now sign out and test signing on as this FORGOTPASSWORD user to see if you can log on.



  3. Create email text for forgotten passwords. This is generic e-mail text that will be sent along with their password. We'll probably want to include a link to the production system and a tip to change the password to be something easy to remember.
    [Screenshot: Forgot Pwd Email Text]

  4. Create generic hints for forgotten passwords. We just need to decide what the hints will be -- maybe "What are the last five digits of your Social Security Number?"

  5. Build a set of answers to the Password Hint question for the user population. There are no pages on-line to do this for all users; users are expected to set this up themselves through the My System Profile link. However, we can do it globally by inserting hint questions and responses into the PSUSERATTR table.

    Here’s how users would do it on-line:
    [Screenshot: Manually Set Up Password Hint]
    And this script will insert a password hint for all users based on the last 4 digits of their SSN:
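    -- Clears every existing row, including hints users entered themselves
    delete from psuserattr
    /
    -- Loads one hint per operator; the answer is the last five characters of NATIONAL_ID
    insert into psuserattr (OPRID,HINT_QUESTION,HINT_RESPONSE, NO_SYMBID_WARN, LASTUPDDTTM, LASTUPDOPRID, MPDEFAULMP)
    select a.oprid, 'Enter the last five digits of your SSN', substr(national_id, -5), 'N', SYSDATE, 'VP1', a.oprid
    from psoprdefn a, ps_pers_nid b
    where a.emplid = b.emplid
    /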


  6. Set up a web profile for forgotten passwords. This will be used by the dedicated Forgotten Passwords web site that we will create in the next step. The web profile will have the username and password information necessary to allow users to log on anonymously.

    • Navigate to PeopleTools > Web Profile > Copy Web Profile. Select the PROD web profile to copy from.

    • In the “TO” box, enter PWD.

    • Click Save.

    • The PWD profile name will appear. This web profile needs to be adjusted so that it doesn’t allow single signon, automatically signs in as the FORGOTPASSWORD user, and redirects back to the primary web site sign-in page on signout.

      • On the General tab:

        • Change description to “Forgot Password”

        • Blank out Authentication Domain.

        • Uncheck “Enable New Window”

        • Blank out the help URL

        • Uncheck Enable Report Repository



      • On the Security tab:

        • Change Days to Auto Fill User ID to 0.

        • Check “Allow Public Access”. Enter the Username and Password for the Forgot Password user that you created earlier.

        • Blank out XML Link information



      • On the Cookie Rules tab:

        • On the first row that has *AuthTokenDomain entered in Cookies Passed to Server, check “Delete Cookie on Logout”.



      • On the Debugging tab:

        • Uncheck everything except for “Write Dump File”. Leave this checked.



      • On the Look and Feel tab:

        • Change Logout page to “signout_wx.html,signin.wml”. We’ll create a signout_wx.html page in a later step that will redirect the user back to the primary web site when they click Sign Out.





    • Click Save



  7. Set up a new site for Forgotten Passwords. This involves a new PIA installation with its own web profile that allows anonymous access so users can access the "Forgot Password" pages.

    • Log on to the app server box

    • Shut down PIA

    • run mpinternet
      cd $PS_HOME/setup/mpinternet
      setup.solaris -console


    • Be sure to select "Existing Weblogic Domain" when you get to the "Select domain type" step.

    • Be sure to select "Install additional PeopleSoft site" when you get to that point.

    • The website name should be <environment name>_pwd, for example:
      Please specify a name for the PeopleSoft web site:
      Website name:
      [ps] ps_pwd


    • For web profile name, enter the same web profile that was set up in step 4 above (PWD)

    • Enter the same app server and port number as the primary website.



  8. The link for the forgotten passwords will need to be added to signin.html so that users can access it from the signon page. The link for forgotten passwords will be:
    http://<host>.<domain>:<port>/psp/ps_pwd/EMPLOYEE/ERP/c/MAINTAIN_SECURITY.EMAIL_PSWD.GBL.

    • Edit signin.html in $PS_HOME/webserv/<webdomain>/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/<website>/signin.html.

    • Search for the string “pwd”. You’ll find a set of lines that look something like this:
      <tr>
      <td align="right" class="PSLOGINTEXTBOLD"><%=134%></td>
      <td><input TYPE="password" id="pwd" name="pwd" class="PSEDITBOX"></td>
      </tr>


    • Insert the following lines after the last </tr>:
      <tr>
      <td> </td>
      <td align="left" class="PSLOGINTEXT"><A href="<%=pswebservername%><%=psCtxPath%>/psp<%=psHome%>_pwd/EMPLOYEE/ERP/c/MAINTAIN_SECURITY.EMAIL_PSWD.GBL">Forgot your password?</A></td>
      </tr>



  9. Now you’ll need to put a page in place to redirect users back to the primary web site so that once they click the log-out button they’ll be in the right place.

    • Create an HTML file to do the redirect like this one:
      <HTML>
      <HEAD>
      <meta HTTP-EQUIV='Refresh' CONTENT='1; URL=http://psserver.psdomain.com:6000/psp/ps/?cmd=login'>
      </HEAD>
      </HTML>
    • Change the URL to be the signon page URL for the environment you’re working with.

    • Save the file in $PS_HOME/webserv/<domain>/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps_pwd/signout_wx.html



  10. For PeopleTools 8.44 and 8.45, you’ll need to modify Component PeopleCode to be able to see the confirmation page after the password has been e-mailed. This is documented in PeopleSoft solution 200973825.

    • In Application Designer, open component EMAIL_PSWD. Click View, then View PeopleCode.

    • Verify that you’re viewing the SavePostChange PeopleCode.

    • Replace
      Transfer(Page.EMAIL_CONFIRM);
      with
      Transfer( False, MenuName.MAINTAIN_SECURITY, BarName.USE, ItemName.EMAIL_PSWD, Page.EMAIL_CONFIRM, "U");

    • Save the component



  11. Start up the web server and try it out.

    • Bounce the web server

    • The sign-in screen should now look like this:
      [Screenshot: New Sign-in Page]

    • Click the Forgot your password link and try it out. Make sure clicking Signout takes you back to the main (non _pwd) website by looking at the URL. Also, make sure your new password is e-mailed to you and you can actually sign on with it.
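
Verification queries for the procedure above, added here as an example and not part of the original article. The first two check the step 5 join before the insert runs, and the rest list what the anonymous FORGOTPASSWORD user from step 2 can actually reach. PSROLEUSER, PSROLECLASS, PSAUTHITEM and PSAUTHBUSCOMP are assumed to be the standard PeopleTools security tables; they are not named on the page.

```sql
-- Added verification queries; not part of the original article.
-- Assumed (not named on the page): PSROLEUSER, PSROLECLASS, PSAUTHITEM and
-- PSAUTHBUSCOMP are the standard PeopleTools security tables.

-- Step 5 pre-check: operators matched by more than one PS_PERS_NID row.
-- Each such operator makes the insert produce several rows for one OPRID.
select a.oprid, count(*) as nid_rows
from psoprdefn a, ps_pers_nid b
where a.emplid = b.emplid
group by a.oprid
having count(*) > 1
/

-- Step 5 pre-check: operators whose loaded answer would be blank or
-- shorter than the five characters the hint question asks for.
select a.oprid
from psoprdefn a, ps_pers_nid b
where a.emplid = b.emplid
and nvl(length(trim(b.national_id)), 0) < 5
/

-- Step 2: roles held by the public-access user. Expect one row only.
select roleuser, rolename
from psroleuser
where roleuser = 'FORGOTPASSWORD'
/

-- Step 2: every page and iScript that user can reach through its roles.
-- Expect MAINTAIN_SECURITY / EMAIL_PSWD plus the two web libraries.
select rc.classid, ai.menuname, ai.baritemname, ai.pnlitemname
from psroleuser ru, psroleclass rc, psauthitem ai
where ru.roleuser = 'FORGOTPASSWORD'
and rc.rolename = ru.rolename
and ai.classid = rc.classid
order by rc.classid, ai.menuname, ai.baritemname, ai.pnlitemname
/

-- Step 2: component interfaces granted. Expect USERMAINT_SELF only.
select rc.classid, bc.bcname, bc.bcmethod
from psroleuser ru, psroleclass rc, psauthbuscomp bc
where ru.roleuser = 'FORGOTPASSWORD'
and rc.rolename = ru.rolename
and bc.classid = rc.classid
order by rc.classid, bc.bcname, bc.bcmethod
/
```

Any row in the last two result sets beyond EMAIL_PSWD, the two web libraries and USERMAINT_SELF is access granted to an unauthenticated session on the _pwd site.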





As always, please let me know if you find any problems with this documentation so that I can correct it.
Written by: Brent Martin
Comments (9)
written by Francis Aligaen, April 23, 2007
Hi,

I'm trying to add this functionality to our client's PeopleSoft CRM application. I am having issues with this procedure:

Edit this file. Look for a “URL=” text. Change the URL to be the signon page URL for the environment you’re working with.

"this file" is a link which when clicked opens a blank page. I can't finish the changes without this file, which is supposed to be customized so that it will point back to the correct signin page after the password has been emailed.

Thanks in advance.
written by Brent Martin, April 23, 2007
I updated the article with the text you're looking for. It's basically just a redirect page to your signin page.

Before migrating to Joomla, the "this file" hyperlink used to open the HTML file, but for some reason Joomla was filtering it out. There were only a few lines of HTML, so it's no big deal to include them in the article.

Thanks for pointing out the problem.
while running insert query
written by Mukesh, March 17, 2008
Hi Brent,
Thanks for the good article. I am facing a problem while running
insert into psuserattr (OPRID,HINT_QUESTION,HINT_RESPONSE, NO_SYMBID_WARN, LASTUPDDTTM, LASTUPDOPRID, MPDEFAULMP)
select a.oprid, 'Enter the last five digits of your SSN', substr(national_id, -5), 'N', SYSDATE, 'VP1', a.oprid
from psoprdefn a, ps_pers_nid b
where a.emplid = b.emplid

It says that Unique Constraint violated. I truncated the psuserattr table and tried again, but the same error is coming. Can you suggest what I have to do to resolve this problem?
written by Kathryn, May 23, 2008
Do you have any information on how to implement Lost Password functionality in version 8.0?
written by Brent Martin, May 23, 2008
Sure don't. If I remember correctly, you have to write the whole thing from scratch.
written by Mike Albert, June 17, 2008
Thanks for the helpful guide. Any thoughts on setting this up when using Oracle Application Server as your webserver? I easily set up a Lost Password site with WebLogic, but I'm having trouble with an OAS install.

Thanks
RE: OAS
written by Brent Martin, June 17, 2008
You know, I had a client that set it up using OAS, but I didn't actually get to be the one to do it so I'm not sure what (if anything) special they did to make it work.

What kind of problems are you having?
written by Mike Albert, June 17, 2008
Thanks for the quick response Brent. I'm having trouble adding the additional site. I tried running a new PIA install, but I can't find a way to connect to the new site I created. I could see the new OC4J component alive and running in OEM, but the site does not appear to be up. The server is not even listening on the new ports I specified in the PIA installation.

Thanks.
I need to set up this, I've got some questions
written by Oscar, November 01, 2008
Hi Brent,

Thanks for the procedure. I’ve got some questions:

Looks like the procedure is considering that appserv and webserv live in the same box. Is there any additional consideration when appserv and webserv live in different boxes (besides two different IP addresses/server names)?

In case of needing to re-configure the new site (i.e. need to try a different JSL port or appserv), what’s the best menu option after invoking setup.solaris console? (Do you know about any available reference guide or manual for this tool somewhere on the web? Could be helpful to understand this better.)

Thank you!


Last Updated on Monday, 23 April 2007 06:00.