How to read the security questions in OpenAM using REST?

This topic has 7 replies, 4 voices, and was last updated 5 years, 5 months ago by zecaidam.


    1. How can I read the security questions that have been set up in OpenAM using REST?
    I want to issue a REST call to OpenAM and get back a list of security questions that have been set up.

    2. Also, how can I retrieve the security questions that a specific user has answered and update their answers, should a user wish to update their security questions and answers? Again, using a REST command.


     Rogerio Rondini

    Hi @gregluk

    Well, there is not a straightforward way to do that (AFAIK).

    The security questions are stored in the config-store as a localization bundle key and the corresponding values in a properties file. Of course, if you don't have a requirement for multiple languages, you can store the questions themselves without using a bundle key. I don't know if it is possible to manage configurations using the REST API, but it is using the Client SDK.

    For user’s secret questions you can use the Read Identity REST endpoint. Answered questions are stored in the “iplanet-am-user-password-reset-question-answer” attribute in the user account as a multi-valued attribute. An issue here is that values are stored encrypted, as a question/answer pair separated by “,”, and the only way to decrypt them that I know of is using the Client SDK.

    So... you will need to do a bit of “hacking” to get that.


     Peter Major

    @rarondini not sure if the question was about the legacy password reset questions, could have been about KBA in 13+.

     Rogerio Rondini

    Yep, I agree @peter-major.


    I was referring to the KBA in OpenAM 13

    How would we read what KBQ questions a user has chosen and allow the user to update their answers? I’m not sure how you update the KBAs via a REST call.

    • This reply was modified 6 years, 1 month ago by gregluk.
     Rogerio Rondini

    So… I don't have much experience with KBA yet, but I believe it would work in a similar way to the legacy pwreset. You just need to know what attribute is used to store answered KBA questions.

    Looking at the documentation, I can't find a specific REST endpoint to do this.

     Rogerio Rondini


    The user attribute “kbaInfo” holds the question/answers of the user as a JSON object, as:
    "<type of question>": "<question>",
    "answer": {<encrypted answer>}


    Hi Everyone!
    I need to modify the attribute “kbainfo”
    Anyone know if it is possible to change the encrypted answer format?
