AnsweredAssumed Answered

Configuration Framework - How to properly retire questions in AAOP 7.3

Question asked by Scott Reynolds Employee on Jul 8, 2020

 

Subsequent to our recent upgrade, I’m working on mitigating vulnerabilities that were raised during a penetration test. The testers listed a few secret questions that they felt should be removed from our question bank. I found the section on page 43 of the RSA Adaptive Authentication 7.3 Operations Guide about retiring questions and the information in Appendix F regarding the c-config-challenge.xml. Page 43 states that “Retiring a question can be performed through the Configuration Framework.” The only documentation I could find about the Configuration Framework was 11 years old. Is there any current documentation? Is it just a matter of editing the xml file directly in a text editor that supports UTF-8 and re-deploying the file? Will this require a restart of the WebSphere application server?

 

Also, I’d like to confirm that the information on page 296 is correct, because it seems counter-intuitive. It says an optional property tag can be added with the name “retired” and a (default) value of FALSE  meaning that question is retired, it says a value of “True” means that the question is Active, is this correct???

 

Thanks,

Scott

 

Outcomes