Unable to set Security Question and Answers - "Bad attribute specified"

Document ID : KB000005087
Last Modified Date : 14/02/2018
Issue:

Entering the Security Questions and Answers through "Modify My Profile" CA Identity Manager Admin Task fails with error message "Logical Attribute: |Answer4|,|Answer3|,|Answer2|,|Answer1|,|Question5|,|Question4|,|VerifyAnswer|,|Question3|,|Question2|,|Question1|,|VerifyQuestion|,|Answer5|, had error: [facility=6 severity=3 reason=0 status=1 message=Bad attribute specified]."

Environment:
Identity Manager 12.6 SPx
Cause:

Security Questions and Answers logical attributes are handled through the Forgotten Password Handler and stored within the %PASSWORD_HINT% multi-valued attribute.

If the %PASSWORD_HINT% attribute is not defined as a multi-valued string in the User Directory definition, the Handler fails to pass the field values from the logical attributes (|Answer1|,|Question1|,|VerifyAnswer|,|VerifyQuestion|) to the physical attribute (mapped by %PASSWORD_HINT%).

Resolution:

Use the CA Identity Manager Management Console to export the User Directory definition, then modify it to ensure the %PASSWORD_HINT% attribute is set as multi-valued.

For example:
        <ImsManagedObjectAttr physicalname="MyAttribute" description="Password Hint" displayname="Password Hint" valuetype="String" multivalued="true" wellknown="%PASSWORD_HINT%" maxlength="0" hidden="true" system="true">
            <DataClassification name="AttributeLevelEncrypt"/>
            <DataClassification name="sensitive"/>
        </ImsManagedObjectAttr>

Import the User Directory XML and restart the IME to ensure the changes are reflected correctly.
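
A check that can be run against the exported User Directory XML before it is imported again. This is an added example, not CA code: the script, its function names and the `<Directory>` wrapper element in the constructed samples are assumptions, while the element and attribute names come from the example above.

```python
import sys
import xml.etree.ElementTree as ET

WELLKNOWN = "%PASSWORD_HINT%"

# Constructed samples. The <Directory> wrapper element is an assumption.
SAMPLE_BAD = """<Directory>
  <ImsManagedObjectAttr physicalname="MyAttribute" displayname="Password Hint"
      valuetype="String" multivalued="false" wellknown="%PASSWORD_HINT%">
    <DataClassification name="sensitive"/>
  </ImsManagedObjectAttr>
</Directory>"""
SAMPLE_GOOD = SAMPLE_BAD.replace('multivalued="false"', 'multivalued="true"').replace(
    '<DataClassification name="sensitive"/>',
    '<DataClassification name="AttributeLevelEncrypt"/>'
    '<DataClassification name="sensitive"/>')


def _local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def check_password_hint(xml_text):
    """Return findings for the %PASSWORD_HINT% mapping; an empty list means it matches."""
    root = ET.fromstring(xml_text)
    attrs = [e for e in root.iter()
             if _local(e.tag) == "ImsManagedObjectAttr" and e.get("wellknown") == WELLKNOWN]
    if not attrs:
        return ["ERROR: no attribute is mapped to %PASSWORD_HINT%"]
    findings = []
    for attr in attrs:
        name = attr.get("physicalname", "<unnamed>")
        # The condition this article identifies as the cause of the error.
        if attr.get("multivalued", "").lower() != "true":
            findings.append(f"ERROR: {name}: multivalued is not 'true'")
        if attr.get("valuetype", "").lower() != "string":
            findings.append(f"ERROR: {name}: valuetype is not 'String'")
        # Advisory only: classifications shown in the article's example element.
        present = {c.get("name") for c in attr if _local(c.tag) == "DataClassification"}
        for wanted in ("AttributeLevelEncrypt", "sensitive"):
            if wanted not in present:
                findings.append(f"NOTE: {name}: no DataClassification '{wanted}'")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BAD
    for line in check_password_hint(text) or ["OK: %PASSWORD_HINT% is a multi-valued string"]:
        print(line)
```

Pass the path of the exported file as the first argument; with no argument the script checks the constructed failing sample.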