IBM Security Privileged Identity Manager, Version 2.0.2

Enabling forgotten password authentication

When a user forgets the IBM® Security Privileged Identity Manager password and must reset it, the user must first verify their identity to the system by answering forgotten password (challenge) questions.

About this task

You can configure IBM Security Privileged Identity Manager to present either administrator-defined questions or user-defined questions. You can also define how many questions must be answered.

Note: This task is effective only if a WebSphere® account repository is specified. That field is on the ISPIM service Manage Services > Change a Service > Service Information page. The repository can be the ISPIM service itself or a service that is managed by the IBM Security Privileged Identity Manager server. If no repository is specified, the forgotten password option is not shown on the Login page.
Important: If the IBM Security Privileged Identity Manager virtual appliance is configured to authenticate users against an external user registry, do not use the password management feature described here. It does not apply when an external user registry is configured.

The user responds to a set of forgotten password questions with the answers that they specified earlier. Responses are not case-sensitive by default, because the enrole.challengeresponse.responseConvertCase property in the enRole.properties file has the default value lower: answers are stored in lowercase in the directory server, and an entered answer is converted to lowercase before it is compared with the stored answer. If you want answers to be case-sensitive, change enrole.challengeresponse.responseConvertCase from lower to none. Case folding makes an answer slightly easier to guess, because upper- and lowercase variants collapse into one value; in exchange, users who capitalize inconsistently are not rejected.

  • If you do not predefine the questions, the user must specify both the forgotten password questions and the answers.
  • If you predefine the forgotten password questions, the user must specify only the answers.

If the system configuration changes, for example from user-defined questions to administrator-defined questions, the user must specify answers to the new questions.

Note: Whether a user must answer the challenge questions is configurable. By default, the user can bypass the challenge questions. To force users to respond, set the ui.challengeResponse.bypassChallengeResponse property in the ui.properties file to false. A user who bypasses the questions has no stored answers and therefore cannot use the forgotten password option.
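The two properties above (enrole.challengeresponse.responseConvertCase in enRole.properties and ui.challengeResponse.bypassChallengeResponse in ui.properties) are easy to check mechanically before and after a change. The following Python script is an added example, not part of the IBM documentation or product: it parses constructed excerpts of the two files, reports each property that deviates from a hardened baseline assumed here (case-sensitive answers, no bypass), and shows how the lower versus none setting changes whether an entered answer matches a stored one. The file excerpts, the baseline, the treatment of a missing key as the documented default, and the constant-time comparison are this example's assumptions.

```python
"""Audit of the two challenge/response properties described on this page.

Added example, not IBM code. It assumes enRole.properties and ui.properties
are ordinary Java .properties files and that the policy below (case-sensitive
answers, no bypass) is a hardened baseline chosen here, not an IBM default.
"""
import hmac
import re
from typing import Dict, List

# Constructed sample excerpts, not copied from a real appliance.
ENROLE_DEFAULT = """
# enRole.properties (constructed excerpt): the documented default
enrole.challengeresponse.responseConvertCase=lower
"""
UI_DEFAULT = """
# ui.properties (constructed excerpt): the documented default
ui.challengeResponse.bypassChallengeResponse = true
"""
ENROLE_HARDENED = "enrole.challengeresponse.responseConvertCase=none\n"
UI_HARDENED = "ui.challengeResponse.bypassChallengeResponse=false\n"

# Documented defaults, applied here when a key is absent from the file (assumption).
DEFAULTS = {
    "enrole.challengeresponse.responseConvertCase": "lower",
    "ui.challengeResponse.bypassChallengeResponse": "true",
}
# Hardened baseline assumed for this audit: key -> (expected value, finding text).
POLICY = {
    "enrole.challengeresponse.responseConvertCase": ("none", "answers are compared case-insensitively"),
    "ui.challengeResponse.bypassChallengeResponse": ("false", "users can skip enrolling challenge answers"),
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' or
    whitespace separators, and backslash line continuations."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending:
            line = pending + line
            pending = ""
        elif not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective(props: Dict[str, str], key: str) -> str:
    """Value from the file, or the documented default when the key is absent."""
    return props.get(key, DEFAULTS[key]).strip().lower()


def audit(enrole_text: str, ui_text: str) -> List[str]:
    """Return one finding per property that deviates from the hardened baseline."""
    merged = {**parse_properties(enrole_text), **parse_properties(ui_text)}
    findings = []
    for key, (expected, why) in POLICY.items():
        actual = effective(merged, key)
        if actual != expected:
            findings.append(f"{key}={actual} (expected {expected}): {why}")
    return findings


def normalize_answer(answer: str, convert_case: str) -> str:
    """Apply responseConvertCase as the page describes it: 'lower' folds the
    answer before storage and comparison, 'none' leaves it as typed."""
    if convert_case == "lower":
        return answer.lower()
    if convert_case == "none":
        return answer
    raise ValueError(f"unsupported responseConvertCase value {convert_case!r}")


def answer_matches(stored: str, entered: str, convert_case: str) -> bool:
    """Compare an entered answer with the stored one under the configured policy.
    hmac.compare_digest is this example's choice of a constant-time comparison;
    the page does not say how the product compares answers."""
    return hmac.compare_digest(
        normalize_answer(stored, convert_case).encode("utf-8"),
        normalize_answer(entered, convert_case).encode("utf-8"),
    )


if __name__ == "__main__":
    for label, (e, u) in {"default": (ENROLE_DEFAULT, UI_DEFAULT),
                          "hardened": (ENROLE_HARDENED, UI_HARDENED)}.items():
        print(f"{label}: {audit(e, u) or ['no findings']}")
    print(answer_matches("Rover", "rover", "lower"), answer_matches("Rover", "rover", "none"))
```

Run the script against the real enRole.properties and ui.properties (read the files and pass their contents to audit) after you change either value; an empty findings list is the expected result once both properties match the baseline you have decided on.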

