Ping Identity PAP-001 시험

Question No : 1

An administrator must protect an application on multiple domains or hosts.
What should the administrator configure to complete this action?

• A.Sites
• B.Virtual Hosts
• C.Redirects
• D.Rules

답을 확인하기

정답:
Explanation:
Applications in PingAccess can be associated with multiple Virtual Hosts. Each virtual host defines an FQDN and port combination through which the application is exposed, allowing protection across multiple domains or hostnames.
Exact Extract:
“Virtual hosts specify the fully qualified domain names (FQDNs) and ports that PingAccess uses to expose applications.”
Option A (Sites) represent the target back-end servers, not the external FQDN.
Option B (Virtual Hosts) is correct ― use multiple virtual hosts for multiple domains.
Option C (Redirects) are unrelated to multi-domain application protection.
Option D (Rules) define access policies, not hostnames.
Reference: PingAccess Administration Guide C Virtual Hosts

Question No : 2

An application owner would like customized errors for rule violations within an application.
Where is this configured?

• A.When assigning a Rule to a Resource
• B.Within the Root Resource of the Application
• C.When combining Rules into Rule Sets
• D.Within the Rule definition

답을 확인하기

정답:
Explanation:
PingAccess allows administrators to configure custom error pages or messages at the Root Resource
level of an application. This ensures that when rule violations (e.g., authorization failures) occur, the
application can display tailored error responses.
Exact Extract:
“Custom error handling for rule violations is configured within the Root Resource of an application.”
Option A is incorrect ― assigning a rule to a resource does not allow defining custom errors.
Option B is correct ― the Root Resource is where administrators define custom error handling for the entire application.
Option C is incorrect ― Rule Sets only combine rules; they do not handle error responses.
Option D is incorrect ― individual rule definitions do not contain custom error configurations.
Reference: PingAccess Administration Guide C Configuring Application Resources and Error Handling

Question No : 3

A business application must be accessible via two FQDNs.
Which PingAccess functionality should an administrator use to meet this requirement?

• A.Virtual Hosts
• B.Applications
• C.Sites
• D.Web Sessions

답을 확인하기

정답:
Explanation:
Virtual Hosts in PingAccess define the external FQDNs (and ports) through which applications are accessed. An application can be bound to multiple virtual hosts to allow access via multiple FQDNs.
Exact Extract:
“A virtual host specifies the fully qualified domain name and port number through which an application is accessed.”
Option A (Virtual Hosts) is correct ― multiple FQDNs can be supported by assigning multiple virtual hosts.
Option B (Applications) define resource protection but do not manage FQDN binding.
Option C (Sites) define back-end targets, not the public-facing FQDN.
Option D (Web Sessions) handle authentication state, unrelated to hostnames.
Reference: PingAccess Administration Guide C Virtual Hosts

Question No : 4

An administrator is integrating a new PingAccess Proxied Application. The target site uses a certificate issued by an internal Certificate Authority hosted by the customer.
Prior to assigning the certificate group in the Site configuration, which action should the administrator take to configure PingAccess to trust the certificate?

• A.Configure the PingAccess Site to use the Java Trust Store Certificate Group.
• B.Import the certificate chain into Key Pairs and add it to the Trusted Certificate Group.
• C.Import the certificate chain into Key Pairs and assign it to a new engine listener.
• D.Import the certificate chain and add it to the Trusted Certificate Group.

답을 확인하기

정답:
Explanation:
PingAccess must trust the back-end site’s certificate to establish TLS. For internally issued certificates, the administrator imports the certificate chain into a Trusted Certificate Group.
Exact Extract:
“When a target site uses an internal CA, import the certificate or chain into a Trusted Certificate Group and assign that group to the site.”
Option A is incorrect ― the Java trust store does not contain the internal CA by default.
Option B is incorrect ― Key Pairs store private keys for SSL termination, not trusted CA certs.
Option C is incorrect ― engine listeners use key pairs for inbound SSL, not site trust.
Option D is correct ― the certificate must be imported into Trusted Certificate Groups.
Reference: PingAccess Administration Guide C Trusted Certificate Groups

Question No : 5

A business requires logs to be written to a centralized Oracle database.
Which two actions must the PingAccess administrator take to enable this? (Choose 2 answers.)

• A.Configure log4j2.xml and log4j2.db.properties.
• B.Remove the logs located in PA_HOME/log.
• C.Enable the Audit flag in the Resource.
• D.Copy the database driver JAR file to the PA_HOME/lib directory.
• E.Import the database certificate into the Trusted Certificate Group.

답을 확인하기

정답:
Explanation:
PingAccess supports logging directly to a relational database using Log4j database appenders.
To enable this:
Configure log4j2.xml to use a JDBC Appender.
Configure log4j2.db.properties with the database connection information. Provide the appropriate database driver in the PA_HOME/lib directory.
Exact Extract:
“To log to a database, configure log4j2.xml and log4j2.db.properties, and place the JDBC driver JAR file in PA_HOME/lib.”
Option A is correct ― both files must be configured.
Option B is incorrect ― existing logs do not need removal.
Option C is incorrect ― enabling audit is unrelated to database logging.
Option D is correct ― the Oracle JDBC driver must be installed in PA_HOME/lib.
Option E is incorrect unless TLS is used to connect to the DB, but it is not required for standard DB logging setup.
Reference: PingAccess Administration Guide C Log Configuration

Question No : 6

An administrator needs to configure a signed JWT identity mapping for an application that expects to be able to validate the signature.
Which endpoint does the application need to access to validate the signature?

• A./pa/authtoken/JWKS
• B./pa-admin-api/v3/identityMappinga/descriptora/jwtidentitymapping
• C./pa/aidc/cb
• D./pa-admin-api/v3/authTokenManagement

답을 확인하기

정답:
Explanation:
Applications consuming signed JWTs need the JSON Web Key Set (JWKS) endpoint to retrieve the public keys used for validating JWT signatures. PingAccess exposes this at /pa/authtoken/JWKS.
Exact Extract:
“When using JWT identity mapping, applications can obtain the signing keys from the /pa/authtoken/JWKS endpoint to validate the JWT signature.”
Option A is correct ― /pa/authtoken/JWKS provides the key set for signature validation.
Option B is incorrect ― that’s an administrative API for configuring identity mappings, not a runtime validation endpoint.
Option C is incorrect ― /pa/aidc/cb is the OIDC callback endpoint.
Option D is incorrect ― /pa-admin-api/v3/authTokenManagement is for admin token management, not JWT validation.
Reference: PingAccess Administration Guide C JWT Identity Mapping

Question No : 7

An administrator configures the following:
HTTP Request Parameter Rule for "can_read=yes"
Web Session Attribute Rule for Opt-in = yes
Web Session Attribute Rule for group = customerService
Rule Set A (ALL) → includes (HTTP Request Parameter Rule)
Rule Set B (ANY) → includes (Opt-in yes, group customerService)
Rule Set Group C (ALL) → includes (Rule Set A, Rule Set B)
Assigned to the web application.
Which set of conditions must be met to be able to access the application?

• A.The request requires a parameter called can_read with a value of yes. Additionally, the authenticated user must be in customer service and have the opt-in attribute set to yes.
• B.The request requires a parameter called can_read with a value of yes unless the authenticated user is in either customer service or has the opt-in attribute set to yes.
• C.The request requires a parameter called can_read with a value of yes unless the authenticated user is in customer service and the opt-in attribute set to yes.
• D.The request requires a parameter called can_read with a value of yes. The authenticated user must be either in customer service or have the opt-in attribute set to yes.

답을 확인하기

정답:
Explanation:
The Rule Set Group C (ALL) requires both Rule Set A and Rule Set B to evaluate to true.
Rule Set A (ALL) requires can_read=yes.
Rule Set B (ANY) requires either Opt-in=yes OR group=customerService. Together in Rule Set Group C (ALL), both conditions must hold: can_read=yes must be present in the request.
User must have either opt-in=yes or be in the customerService group.
This matches Option D exactly.
Option A is incorrect; it requires both attributes in Rule Set B, but B is ANY (either is sufficient).
Option B is incorrect; the “unless” wording is misleading ― the parameter is always required because Rule Set A uses ALL.
Option C is incorrect; same reasoning as above, B is ANY not AND.
Option D is correct ― can_read=yes AND (opt-in=yes OR group=customerService).
Reference: PingAccess Administration Guide C Rules, Rule Sets, and Rule Set Groups

Question No : 8

A company uses an internally based legacy PKI solution that does not adhere to the Certification Path Validation section of RFC-5280.
Which configuration option needs to be enabled when creating Trusted Certificate Groups in PingAccess?

• A.Use Java Trust Store
• B.Validate disordered certificate chains
• C.Skip Certificate Date Check
• D.Deny when unable to determine revocation status

답을 확인하기

정답:
Explanation:
Legacy PKIs often provide certificate chains that are out of order or non-compliant with RFC-5280 path validation. PingAccess provides an option in Trusted Certificate Groups called Validate disordered certificate chains to allow chaining even if the order is not RFC-5280 compliant.
Exact Extract:
“Enable Validate disordered certificate chains when the certificate chain is not in RFC-5280 compliant order but should still be accepted.”
Option A is incorrect; using the Java trust store is unrelated to PKI ordering.
Option B is correct ― this setting allows PingAccess to process disordered certificate chains.
Option C is incorrect; date checks are unrelated to RFC-5280 path ordering.
Option D is incorrect; revocation status handling does not address legacy PKI ordering issues.
Reference: PingAccess Administration Guide C Trusted Certificate Groups

Question No : 9

A change is made to the configuration that prevents user access to an application. No one claims to have made the change.
Which log file should the administrator use to determine who made the change?

• A.pingaccess.log
• B.pingaccess_engine_audit.log
• C.pingaccess_agent_audit.log
• D.pingaccess_api_audit.log

답을 확인하기

정답:
Explanation:
All administrative API calls that change PingAccess configuration are logged in
pingaccess_api_audit.log. This allows administrators to track who made configuration changes.
Exact Extract:
“The pingaccess_api_audit.log file contains entries for all administrative API calls and is used to audit configuration changes.”
Option A (pingaccess.log) contains runtime system messages but not detailed API audit entries.
Option B (pingaccess_engine_audit.log) is specific to engine request/response audit logging.
Option C (pingaccess_agent_audit.log) is used for PingAccess Agent traffic auditing, not administrative changes.
Option D (pingaccess_api_audit.log) is correct ― it tracks admin API modifications.
Reference: PingAccess Administration Guide C Log Files

Question No : 10

A modified application now requires additional attributes to be passed in the headers.
What needs to be modified in order to pass the additional attributes?

• A.HTTP Request Header Rule
• B.Header Identity Mapping
• C.JWT Identity Mapping
• D.Web Session Attribute Rule

답을 확인하기

정답:
Explanation:
To pass user attributes into HTTP headers for applications, PingAccess uses Identity Mappings. When attributes need to be passed specifically as headers, the administrator must update the Header Identity Mapping.
Exact Extract:
“Header identity mappings map attributes from a user’s web session to HTTP headers that are then sent to the back-end application.”
Option A (HTTP Request Header Rule) is incorrect ― this adds or modifies static request headers, not user attributes.
Option B (Header Identity Mapping) is correct ― this maps identity attributes into headers dynamically.
Option C (JWT Identity Mapping) is incorrect ― that’s used for passing attributes as claims in JWTs.
Option D (Web Session Attribute Rule) is incorrect ― that is for access control evaluation, not propagation of attributes.
Reference: PingAccess Administration Guide C Identity Mapping (Header Identity Mapping)

Question No : 11

A protected web application requires that additional attributes be provided once the user is authenticated.
Which two steps must the administrator perform to meet this requirement? (Choose 2 answers.)

• A.Request that the token provider update the ID token with the additional attributes.
• B.Update the Identity Mapping.
• C.Update the Site Authenticator.
• D.Request that the token provider update the access token with the additional attributes.
• E.Update the Web Session.

답을 확인하기

정답:
Explanation:
When applications require additional attributes:
The Web Session must be configured to retrieve those attributes from the token provider (OIDC or PingFederate).
The Identity Mapping must be updated to forward those attributes to the application (e.g., as headers).
Exact Extract:
“Web sessions define how user attributes are retrieved from the token provider. Identity mappings determine how those attributes are inserted into requests to applications.”
Option A is not necessarily required; attributes can be retrieved via userinfo endpoint or access token, not only ID tokens.
Option B is correct ― Identity Mappings must be updated to pass attributes to the app.
Option C is incorrect ― Site Authenticators define how PingAccess authenticates to apps, not attribute handling.
Option D is incorrect unless the architecture specifically requires access token updates; PingAccess often uses the Web Session to fetch attributes.
Option E is correct ― Web Session must be updated to retrieve additional attributes.
Reference: PingAccess Administration Guide C Web Sessions and Identity Mapping

Question No : 12

An administrator needs to prevent PingAccess from automatically starting on a Windows Server.
Which command would accomplish this task?

• A.init.bat
• B.uninstall-service.bat
• C.remove-install.bat
• D.wrapper-service.bat

답을 확인하기

정답:
Explanation:
PingAccess installs as a Windows service. To remove or prevent automatic startup, the uninstall-service.bat script is used.
Exact Extract:
“On Windows, use install-service.bat to install PingAccess as a service and uninstall-service.bat to remove the service.”
Option A (init.bat) initializes environment variables but does not manage services.
Option B (uninstall-service.bat) is correct ― it removes the Windows service, preventing auto-start.
Option C (remove-install.bat) is not a valid PingAccess script.
Option D (wrapper-service.bat) configures wrapper options, not service removal.
Reference: PingAccess Installation Guide C Windows Service Scripts

Question No : 13

An administrator is integrating a new PingAccess Proxied Application. The application will use an SSL certificate issued by a publicly trusted Certificate Authority. PingAccess is terminating SSL and is responsible for loading the SSL certificate for that application.
What initial action must the administrator take in PingAccess in this situation?

• A.Import the SSL public key with the full certificate chain into the Certificates.
• B.Import the PKCS#12 file with the full certificate chain into the Certificates.
• C.Import the SSL public key with the full certificate chain into the Key Pairs.
• D.Import the PKCS#12 file with the full certificate chain into the Key Pairs.

답을 확인하기

정답:
Explanation:
For PingAccess to terminate SSL for a proxied application, it requires access to the private key and certificate chain. These are stored as Key Pairs.
Exact Extract:
“For SSL termination, you must import the server certificate and its private key as a PKCS#12 file into Key Pairs.”
Option A is incorrect ― a public key alone cannot terminate SSL.
Option B is incorrect ― PKCS#12 files must go into Key Pairs, not Certificates.
Option C is incorrect ― public keys alone are insufficient; PingAccess must have the private key.
Option D is correct ― the PKCS#12 file with full chain and private key is imported into Key Pairs.
Reference: PingAccess Administration Guide C Managing Certificates and Key Pairs

Question No : 14

During a business review of an application, the administrator needs to change the Resource Authentication to anonymous.
What are the two effects of making this change to the resource? (Choose 2 answers.)

• A.The resource requires no further authentication, and no rules will apply.
• B.The resource requires no further authentication, and Identity Mappings still apply.
• C.The resource requires no further authentication, and Processing rules still apply.
• D.Requests to this resource are not logged, and Identity Mappings are applied.
• E.The resource requires no further authentication, and all Access Control rules still apply.

답을 확인하기

정답:
Explanation:
When a resource is configured as anonymous, PingAccess does not challenge the user for authentication. However, certain processing and identity propagation still occur.
Exact Extract:
“Anonymous resources do not require authentication. Identity mappings and request/response processing rules still apply.”
Option A is incorrect because rules such as identity mappings and processing still apply.
Option B is correct ― Identity Mappings can still forward attributes, even for anonymous access.
Option C is correct ― Processing rules (e.g., request/response modifications) still apply.
Option D is incorrect ― requests are logged; anonymous does not disable logging.
Option E is incorrect ― access control rules (authorization) are not evaluated for anonymous resources.
Reference: PingAccess Administration Guide C Resource Authentication

Question No : 15

According to a new business requirement, critical applications require dual-factor authentication when specific resources are accessed in those applications.
Which configuration object should the administrator use in the applications?

• A.UI Authentication
• B.Auth Token Management
• C.Authentication Requirements
• D.Authentication Challenge Policy

답을 확인하기

정답:
Explanation:
PingAccess enforces step-up or multi-factor authentication using Authentication Requirements, which can be applied to specific resources within an application.
Exact Extract:
“Authentication requirements allow administrators to configure additional authentication (for example, MFA) when accessing sensitive application resources.”
Option A (UI Authentication) applies to access to the admin console, not application resources.
Option B (Auth Token Management) relates to OAuth token lifetimes and refresh, not MFA enforcement.
Option C (Authentication Requirements) is correct ― these rules enforce MFA or step-up auth for specific URLs/resources.
Option D (Authentication Challenge Policy) governs how failed auth challenges are presented but does not enforce MFA.
Reference: PingAccess Administration Guide C Authentication Requirements