Forgot Password service
As of release 4.0.0, Kx Platform provides an automated service allowing users to reset their password.
A user requests a password reset from the front end and then receives an email asking her to confirm the request. If she clicks on this link her password will be reset and she receives a second email containing the new password. She can immediately log on to Kx Platform with the new password.
- Kx Control and AppServer (version 4.0.0) running
- Alerts workflow service running
- JEMAIL service set up correctly (see configuration section below)
Using the service
To request a password reset for a particular user, enter a URL in the following format into a web browser:
If the request is successful
- the response Password reset request received for userId XXX. Please check your email will be displayed in the browser
- the user will receive an email confirming the password reset request.
The screenshots below show an example request and the corresponding email.
Clicking on the link in the above email will result in browser displaying Please check your email for details of new password, and the user being emailed their new password. The email link contains a token that can only be used once. If the link is clicked a second time then the browser will display Invalid Request and the user’s password will not be reset again. To reset the user's password again, make a new request; it will produce another email, with a fresh token.The token will expire after the minutes detailed in the email. The time taken for tokens to expire, can be configured via the environment variable which can be set in the
delta.profile file. If this is not set the default expire time is 30 minutes
The servlet API
- All calls to the Forgot Password service should be HTTP GET requests to the URL
http://<server>:<host>/kxuseradmin, and include values for the parameters
- There are two acceptable values for operation:
requestoperation the value of
datashould be a valid user ID. If the request is successful then the response Password reset request received for userId XXXX. Please check your email. is sent; otherwise Invalid request. In the case of an invalid response, check
delta.logfor details of the reason for failure.
confirmoperation the value of data should be the value of a valid token, generated as a result of a
requestcall. Note however that it is unlikely to ever be necessary to construct the
confirmrequest, as the correct URL for the confirm operation is generated by Kx Control and emailed to the user.
- The data (token) value of a confirm operation can be used only once. If the same token is sent down again, the request fails with an Invalid request response.
- Only one token at a time per user ID is valid. If two rest requests are made for the same user, only the most recent token is valid.
- Tokens are valid for a limited period of time. The timeout period (in minutes, default 30) is configured via the
- Only tokens that have been generated as a result of a password-reset request are valid.
Unlock user on reset
Control can be configured to unlock a user's account when a password reset is requested. This is configured via an environment variable which can be set in the
delta.profile file. By default it is set to
If this variable is set to
YES then when a user requests a password reset their account will be unlocked if it was in a locked state.
For emails to be sent out correctly, the JEmail service must be running (this should be the case if alerts workflow is running) and configured properly. The JEmail service can be configured to use different mail servers in different modes. The particular mode to use is defined by specifying an override in the
DS_LAUNCH command line param for the
ds_jemail process, and then defining the server config in a corresponding override of
DS_JEMAIL_SERVER, as in the example below:
The default verification URL that is emailed out will start with
http://<tomcat_server>:<tomcat_port> – for example,
If a different URL is required (for example if all requests need to point to a public netscaler URL), this can be achieved by setting environment variable
APPSERVER_BASEURL. For example, if
install.config contains the line
then the verification URLs that are emailed out will start with
Email content configuration
The email templates can be edited through the DS_AlertOverview dashboard in Kx Flex. In the PasswordReset alert instance, there are notifications for the reset and the reset request. The templates can be edited there.
To create new templates, either add your own (can be against a new alert or the same one) or just edit the existing templates and save in your own package. In that case you would need to change the
DC_PASSWORD_RESET:<DEFAULT> config param.
The tags in the email and config are case-insensitive. So
$Url$ in the template will still match with
URL in the config.