Subsequent to our recent upgrade, I’m working on mitigating vulnerabilities that were raised during a penetration test. The testers listed a few secret questions that they felt should be removed from our question bank. I found the section on page 43 of the RSA Adaptive Authentication 7.3 Operations Guide about retiring questions and the information in Appendix F regarding the c-config-challenge.xml. Page 43 states that “Retiring a question can be performed through the Configuration Framework.” The only documentation I could find about the Configuration Framework was 11 years old. Is there any current documentation? Is it just a matter of editing the xml file directly in a text editor that supports UTF-8 and re-deploying the file? Will this require a restart of the WebSphere application server?
Also, I’d like to confirm that the information on page 296 is correct, because it seems counter-intuitive. It says an optional property tag can be added with the name “retired”, and that a (default) value of FALSE means the question is retired, while a value of “True” means the question is Active. Is this correct?