Subsequent to our recent upgrade, I’m working on mitigating vulnerabilities that were raised during a penetration test. The testers listed a few secret questions that they felt should be removed from our question bank. I found the section on page 43 of the RSA Adaptive Authentication 7.3 Operations Guide about retiring questions and the information in Appendix F regarding the c-config-challenge.xml. Page 43 states that “Retiring a question can be performed through the Configuration Framework.” The only documentation I could find about the Configuration Framework was 11 years old. Is there any current documentation? Is it just a matter of editing the xml file directly in a text editor that supports UTF-8 and re-deploying the file? Will this require a restart of the WebSphere application server?
Also, I’d like to confirm that the information on page 296 is correct, because it seems counter-intuitive. It says an optional property tag can be added with the name “retired” and a (default) value of FALSE, meaning that question is retired, and that a value of “True” means the question is Active. Is this correct?
Thanks,
Scott
Hello Scott,
Yes, retiring a question can be performed through the Configuration Framework, and it is in the c-config-challenge.xml file.
Modifying the file requires a restart of the WebSphere application server, as it is a config change and configs are loaded when Adaptive Authentication is initialized.
Yes, a value of FALSE means the question is retired and a value of TRUE means the question is ACTIVE. If the property tag is used and we do not set any value, it defaults to FALSE.
This is the snippet from c-config-challenge.xml file:
retired - true or false value indicating if a question has been withdrawn from active use. Only accounts using a question before it is retired will continue to see the question during challenges or in question maintenance.
Optional; default is 'false'.
Hope this helps.
Thanks,
Jasmine
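Added example (not from the thread, and not RSA's own tooling): a small pre-deployment check for an edited c-config-challenge.xml, covering the two things Scott raised, that the file is strictly valid UTF-8 and still well-formed XML after a hand edit, and which questions carry a "retired" property. The `<question id=...>` / `<property name="retired" value=...>` layout and the sample document are constructed assumptions for illustration; adapt the element and attribute names to what your real file uses. The block reports the raw value of the flag rather than interpreting it, because the thread gives two readings of it (the reply says FALSE means retired; the quoted file comment says true means withdrawn), so confirm the meaning against your own deployment before relying on it.

```python
"""Sanity-check an edited c-config-challenge.xml before redeploying it.

Assumed (hypothetical) layout, not the real schema:
  <config>
    <question id="...">
      <text>...</text>
      <property name="retired" value="true|false"/>   <!-- optional -->
    </question>
  </config>
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed sample config, encoded as UTF-8 bytes like a file on disk.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <question id="Q1">
    <text>What was your first pet's name?</text>
  </question>
  <question id="Q2">
    <text>What is your mother's maiden name?</text>
    <property name="retired" value="false"/>
  </question>
  <question id="Q3">
    <text>Favourite colour?</text>
    <property name="retired" value="true"/>
  </question>
</config>
""".encode("utf-8")

# Same file saved by a Windows-1252 editor: the apostrophe became byte 0x92,
# which is not valid UTF-8.
BAD_ENCODING = SAMPLE.replace(b"pet's", b"pet\x92s")


def check_utf8_xml(data: bytes) -> Tuple[bool, str]:
    """Return (ok, message): strict UTF-8 decode, then XML well-formedness."""
    try:
        data.decode("utf-8")  # strict by default; rejects Latin-1/CP1252 bytes
    except UnicodeDecodeError as exc:
        return False, "not valid UTF-8: %s" % exc
    try:
        ET.fromstring(data)  # parse the bytes so expat honours the declaration
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    return True, "ok"


def retired_flags(data: bytes) -> Dict[str, Optional[str]]:
    """Map each question id to the raw value of its 'retired' property.

    None means the optional property is absent (the file comment quoted in
    the thread says the default is then 'false').
    """
    root = ET.fromstring(data)
    flags = {}  # type: Dict[str, Optional[str]]
    for q in root.iter("question"):
        qid = q.get("id", "")
        value = None
        for prop in q.findall("property"):
            if prop.get("name") == "retired":
                value = (prop.get("value") or "").strip().lower()
        flags[qid] = value
    return flags


if __name__ == "__main__":
    for label, blob in (("SAMPLE", SAMPLE), ("BAD_ENCODING", BAD_ENCODING)):
        ok, msg = check_utf8_xml(blob)
        print(label, "->", msg)
        if ok:
            for qid, val in retired_flags(blob).items():
                print("  %s retired=%s" % (qid, val))
```

Run it against the real file with `check_utf8_xml(open(path, "rb").read())` before the redeploy and restart, so an editor that silently saved in a legacy code page, or an unclosed tag from a hand edit, is caught before Adaptive Authentication tries to load the configuration.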