4 Replies Latest reply: Apr 10, 2013 4:51 AM by ColinPurdon-Oracle

    OAM 10g Challenge response encryption

    Darren S
      Does anyone know what controls the encryption of OAM's Lost Password Management challenge response attribute when held in OID and whether the values can be copied between users?

      We have LPM deployed in OAM 10.1.4.3 and I wanted to preset these security questions and answers in a test environment for all users.
      I took the values of the chosen questions and encrypted answers from one user and copied these into the OID question and answer attributes for all other users.
      Some users can now login OK, but some are still getting prompted to set up their own questions and answers.

      Anyone know why?

      Thanks

      Darren
        • 1. Re: OAM 10g Challenge response encryption
          Darren S
          Anyone?

          Hoping Colin might come along!

          Thanks
          Darren
          • 2. Re: OAM 10g Challenge response encryption
            ColinPurdon-Oracle
            Hi Darren,

            I would expect that to work, although I haven't tested it. Comparing the working/failing users, are the objectclasses the same (thinking about oblixorgperson and possible oblixpersonpwdpolicy), and are there any other ob* attributes present in the user entries that could be affecting behaviour?

            Regards,
            Colin
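The comparison Colin suggests (same objectclasses on the working and failing users, and no extra or missing ob* attributes) is easy to do by hand for two entries but tedious across a whole test population. The script below is an added example, not code from the thread or from Oracle: it parses an LDIF export of two user entries and reports objectclass and ob* attribute differences between a user who logs in fine and one who is still prompted. The two entries are constructed sample data; the attribute names `obchallengeplaceholder` and `obresponseplaceholder` are placeholders, because the thread does not name the actual OAM LPM question and answer attributes.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample export of two entries (not real data from the thread).
# "working" logs in; "failing" is still prompted to set up questions.
# obchallengeplaceholder / obresponseplaceholder are placeholder names for
# the LPM question and answer attributes, which the thread does not name.
SAMPLE_LDIF = """\
dn: cn=working,cn=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: oblixOrgPerson
objectClass: oblixPersonPwdPolicy
cn: working
obpasswordcreationdate: 20130401120000Z
obpasswordhistory:: QUJDREVG
obchallengeplaceholder: Sample question?
obresponseplaceholder:: ZW5jcnlwdGVk

dn: cn=failing,cn=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: oblixOrgPerson
cn: failing
obchallengeplaceholder: Sample question?
obresponseplaceholder:: Y2hhbmdlZA==
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser: unfolds continuation lines, decodes '::' base64
    values (kept as latin-1 so binary compares losslessly), lowercases
    attribute names, and keys entries by lowercased DN."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded line continues previous
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}

    def flush() -> None:
        nonlocal current
        if current:
            entries[current["dn"][0].lower()] = current
        current = {}

    for line in logical:
        if not line.strip():                      # blank line ends an entry
            flush()
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                 # '::' means base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    flush()
    return entries


def compare_users(entries: Dict[str, Entry], dn_ok: str, dn_bad: str) -> Dict[str, List[str]]:
    """Report objectclass and ob* attribute differences between a working
    user (dn_ok) and a user still being prompted (dn_bad)."""
    a, b = entries[dn_ok.lower()], entries[dn_bad.lower()]
    oc_a = {v.lower() for v in a.get("objectclass", [])}
    oc_b = {v.lower() for v in b.get("objectclass", [])}
    # objectclass itself starts with "ob", so exclude it from the ob* set
    ob_a = {k for k in a if k.startswith("ob") and k != "objectclass"}
    ob_b = {k for k in b if k.startswith("ob") and k != "objectclass"}
    differing = sorted(k for k in ob_a & ob_b if sorted(a[k]) != sorted(b[k]))
    return {
        "objectclass_missing_on_failing": sorted(oc_a - oc_b),
        "objectclass_extra_on_failing": sorted(oc_b - oc_a),
        "ob_attrs_missing_on_failing": sorted(ob_a - ob_b),
        "ob_attrs_extra_on_failing": sorted(ob_b - ob_a),
        "ob_attrs_with_different_values": differing,
    }


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    report = compare_users(users,
                           "cn=working,cn=Users,dc=example,dc=com",
                           "cn=failing,cn=Users,dc=example,dc=com")
    for key, values in report.items():
        print(f"{key}: {values or '-'}")
```

Run against a real export (for example the output of `ldapsearch -LLL` for the two entries), it lists the points to check first: a missing objectclass such as oblixPersonPwdPolicy, ob* attributes that exist on only one side, and shared ob* attributes whose values no longer match (which is what Darren saw with the answer value after the failing user was prompted again).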
            • 3. Re: OAM 10g Challenge response encryption
              Darren S
              Hi Colin, thanks for replying.

              Users' object classes are the same, both have oblixOrgPerson and oblixPersonPwdPolicy.
              ob attributes are also the same except that the working user has obpasswordcreationdate and obpasswordhistory. I was assuming these came along after the security questions issue, but I don't know for certain.

              Initially I took one user's questions and encrypted answers and copied these to all others. When we saw that some users were still prompted for questions and answers I did a test. At the logon screen I chose the same questions and gave the same answers to two different users. In OID I could see that the encrypted answers were different which made me wonder what did the encryption and whether it was valid to copy the answers.

              Our setup in the environment is OAM using OID as the user store. We have two OID instances pointing to the same Oracle RAC database.

              When I look at the user that was prompted for Q&A's they now have slightly corrupted Q's and the encrypted Answer has changed from the value I set with my ldif script. When they were prompted for Q's and A's they just killed the browser and I'm assuming this is what changed the values, but obviously doesn't explain why they were prompted for them in the first place.

              I guess my questions are:
              Any more thoughts from what I've said above?
              Any idea whether it's OAM, OID or the database that encrypts the security answers?
              I'm half wondering whether the prompting came from OAM/OID not being able to decrypt the values I'd set in some circumstances (I'm thinking about the two OID's here). Could that be relevant or am I way off?

              Cheers and sorry for providing chapter and verse!
              • 4. Re: OAM 10g Challenge response encryption
                ColinPurdon-Oracle
                Hi Darren,

                It is OAM that is encrypting the challenge responses, which is why I would expect what you're doing to work (assuming that the copied responses are from users in the same OAM infrastructure). obpasswordcreationdate would be created when OAM creates the password - either via the change password screens or through the Identity System (eg edit profile) directly, when a password policy is in effect.

                Regards,
                Colin