PAP-001 Practice Exam Questions with Answers Certified Professional - PingAccess Certification

To pass user attributes into HTTP headers for applications, PingAccess usesIdentity Mappings. When attributes need to be passed specifically as headers, the administrator must update theHeader Identity Mapping.

Exact Extract:

“Header identity mappings map attributes from a user’s web session to HTTP headers that are then sent to the back-end application.”

Option A (HTTP Request Header Rule)is incorrect — this adds or modifies static request headers, not user attributes.

Option B (Header Identity Mapping)is correct — this maps identity attributes into headers dynamically.

Option C (JWT Identity Mapping)is incorrect — that’s used for passing attributes as claims in JWTs.

Option D (Web Session Attribute Rule)is incorrect — that is for access control evaluation, not propagation of attributes.

The propertyengine.ssl.protocolsinrun.propertiesspecifies the TLS protocol versions that PingAccess engines will support for incoming HTTPS traffic.

Exact Extract:

“Theengine.ssl.protocolsproperty configures which TLS versions are enabled for HTTPS listeners.”

Option A (ciphers)is incorrect — cipher suites are defined separately, not in this property.

Option B (HTTPS port)is incorrect — the port is defined in the engine listener, not here.

Option C (TLS versions)is correct — this property controls TLS version support (e.g., TLSv1.2, TLSv1.3).

Option D (clustering)is incorrect — clustering does not depend on this property.

PingAccess rules are categorized intoAccess Control RulesandProcessing Rules.

Processing Rulesmodify or add to HTTP requests and responses.

Cross-Origin Request (CORS)is specifically listed as aProcessing Rule, because it modifies response headers to support cross-origin requests.

Exact Extract:

“Processing rules apply to HTTP traffic, such as Cross-Origin Resource Sharing (CORS), header injection, or response modification.”

Option A (Web Session Attribute)is an access control rule.

Option B (Cross-Origin Request)is correct — this is a processing rule.

Option C (HTTP Request Parameter)is an access control rule.

Option D (HTTP Request Header)is an access control rule.

PingAccess enforces step-up or multi-factor authentication usingAuthentication Requirements, which can be applied to specific resources within an application.

Exact Extract:

“Authentication requirements allow administrators to configure additional authentication (for example, MFA) when accessing sensitive application resources.”

Option A (UI Authentication)applies to access to theadmin console, not application resources.

Option B (Auth Token Management)relates to OAuth token lifetimes and refresh, not MFA enforcement.

Option C (Authentication Requirements)is correct — these rules enforce MFA or step-up auth for specific URLs/resources.

Option D (Authentication Challenge Policy)governs how failed auth challenges are presented but does not enforce MFA.

Theadmin.authsetting in therun.propertiesfile is used to specify a fallback authentication method for the administrative console.

Exact Extract from official documentation:

“To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication.”

This makes it clear that the purpose ofadmin.authis tooverrideany configured SSO for the admin UI and enforce native (basic) authentication instead.

Option Ais incorrect because theadmin.authsetting does not configure SSO. SSO for the admin UI is configured separately.

Option Bis incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.

Option Cis correct because it directly reflects the documented behavior:admin.authoverrides SSO configuration for the administrative UI and enables native authentication.

Option Dis incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.

PingAccess allows administrators to configurecustom error pages or messagesat theRoot Resource levelof an application. This ensures that when rule violations (e.g., authorization failures) occur, the application can display tailored error responses.

Exact Extract:

“Custom error handling for rule violations is configured within the Root Resource of an application.”

Option Ais incorrect — assigning a rule to a resource does not allow defining custom errors.

Option Bis correct — the Root Resource is where administrators define custom error handling for the entire application.

Option Cis incorrect — Rule Sets only combine rules; they do not handle error responses.

Option Dis incorrect — individual rule definitions do not contain custom error configurations.

All onboarding in PingAccess begins with defining anApplication. Once the application exists, the administrator can defineResourceswithin it and assign different rules to those resources.

Exact Extract:

“Before you can configure resources and rules, you must first create an application in PingAccess.”

Option A (Identity Mapping)may be required later but not the first step.

Option B (Web Session)can be shared but is not the first onboarding step.

Option C (Application)is correct — the starting point for onboarding.

Option D (Resource)comes after creating the application.

PingAccess supportsone primary administrative console (active)and any number ofreplica administrative consoles. Engines must be configured to connect to theactive console, with replicas available for failover.

Exact Extract:

“In a clustered environment, PingAccess supports one clustered console (active) and replica consoles. Engines can connect to any console node for high availability.”

Option Ais incomplete — only one replica limits redundancy.

Option Bis incorrect — multiple active consoles are not supported.

Option Cis incorrect — cannot run two active consoles.

Option Dis correct — one active admin console with multiple replicas ensures HA.

Legacy PKIs often provide certificate chains that areout of orderor non-compliant with RFC-5280 path validation. PingAccess provides an option in Trusted Certificate Groups calledValidate disordered certificate chainsto allow chaining even if the order is not RFC-5280 compliant.

Exact Extract:

“EnableValidate disordered certificate chainswhen the certificate chain is not in RFC-5280 compliant order but should still be accepted.”

Option Ais incorrect; using the Java trust store is unrelated to PKI ordering.

Option Bis correct — this setting allows PingAccess to process disordered certificate chains.

Option Cis incorrect; date checks are unrelated to RFC-5280 path ordering.

Option Dis incorrect; revocation status handling does not address legacy PKI ordering issues.

Thepa.operational.modeproperty inrun.propertiesdefines therole of the nodein a PingAccess deployment (e.g.,STANDALONE,CLUSTERED_CONSOLE,CLUSTERED_CONSOLE_REPLICA,ENGINE).

Exact Extract:

“Thepa.operational.modeproperty determines the role of the server in the cluster, such as standalone, console, console replica, or engine.”

Option Ais incorrect — replication is implicit in certain roles, not controlled directly.

Option Bis correct — the setting specifies whether the node is admin console, replica, or engine.

Option Cis incorrect — development vs production is not a function of this setting.

Option Dis incorrect — it does not enable/disable nodes.

TheSameSiteattribute is applied to session cookies to control cross-site behavior. In PingAccess, session cookie configuration (includingSameSite) is defined at theWeb Sessionlevel.

Exact Extract:

“Web session configuration includes cookie attributes such as name, domain, secure flag, HTTPOnly, and SameSite.”

Option A (Rules)is incorrect — rules govern access control, not cookies.

Option B (Sites)defines backend connections, not session cookies.

Option C (Applications)ties resources to sessions but does not define cookie behavior.

Option D (Web Sessions)is correct — session cookie SameSite settings are configured here.

In Log4j2, theLoggerelement controls the log level (INFO,DEBUG,ERROR, etc.) for specific packages or classes.

Exact Extract:

“To modify logging levels, edit theelement inlog4j2.xmland change the level attribute.”

Option A (AsyncLogger)is a performance optimization, not for changing levels.

Option B (RollingFile)defines file rotation, not log levels.

Option C (Logger)is correct — this is where log levels are defined.

Option D (Appenders)define output destinations, not severity levels.

Mutual TLS (mTLS) is used to establishtwo-way authenticationwhere both the client and the server present certificates to prove their identity. In the case of PingAccess, aMutual TLS Site Authenticatoris configured when PingAccess acts as a reverse proxy making requests to a backend (target) server.

Exact Extract from PingAccess documentation:

“Mutual TLS site authenticators provide client certificate authentication when PingAccess connects to a backend site. This allows PingAccess to present its certificate to the target server during the TLS handshake.”

This means the purpose is forPingAccess (client) to authenticate itself to the backend server (target resource)when establishing a secure connection.

Why other options are wrong:

A. Allows the backend server to authenticate to PingAccess

Incorrect. That’s normal server-side TLS authentication (the server presents a cert to the client), not mutual TLS initiated by PingAccess.

B. Allows the user to authenticate to the backend server

Incorrect. End users do not directly use this setting; this is between PingAccess and the backend application server.

C. Allows PingAccess to authenticate to the backend server

Correct. This is exactly the definition of a Mutual TLS Site Authenticator in PingAccess.

D. Allows PingAccess to authenticate to the token provider

Incorrect. That would involve OIDC/OAuth token exchange and possibly TLS trust, but it’s not the role of the Site Authenticator.

Thus, the correct answer isC. Allows PingAccess to authenticate to the backend server.

For PingAccess to terminate SSL for a proxied application, it requires access to theprivate key and certificate chain. These are stored asKey Pairs.

Exact Extract:

“For SSL termination, you must import the server certificate and its private key as a PKCS#12 file intoKey Pairs.”

Option Ais incorrect — a public key alone cannot terminate SSL.

Option Bis incorrect — PKCS#12 files must go intoKey Pairs, not Certificates.

Option Cis incorrect — public keys alone are insufficient; PingAccess must have the private key.

Option Dis correct — the PKCS#12 file with full chain and private key is imported intoKey Pairs.

When upgrading a PingAccess cluster, theAdmin Console node must always be upgraded firstbefore any replica admin or engine nodes. This ensures that the configuration and schema changes introduced in the new version are properly applied and replicated.

Exact Extract (from PingAccess documentation):

“In a clustered environment, you must first upgrade theadministrative console nodebefore upgrading any replica administrative nodes or engine nodes.”

Why A is correct:

A. Upgrade the Admin Console— This is correct because the admin console node acts as the configuration master in a PingAccess cluster. Upgrading it first ensures the new version schema is available to replicas and engines.

Why the other options are incorrect:

B. Disable cluster communication— This is not required for standard upgrades. Cluster communication remains in place to synchronize changes after the upgrade.

C. Disable Key Rolling— Key rolling is unrelated to the upgrade process. It is a feature used for key rotation, not version upgrades.

D. Upgrade the Replica Admin— This is incorrect because upgrading a replica admin before the primary administrative console is against the documented procedure and would cause replication issues.

PingAccess automatically creates configurationarchive backupswhenever changes are made. These are stored in thedata/archivedirectory.

Exact Extract:

“PingAccess stores configuration archive files in thePA_HOME/data/archivedirectory.”

Option A (tools)is incorrect — contains administrative scripts.

Option B (conf)is incorrect — holds configuration files likerun.properties.

Option C (data)is correct — archives are stored underdata/archive.

Option D (bin)is incorrect — contains executables and scripts.