PAP-001 Certified Professional - PingAccess Question and Answers

The Rule Set GroupC(ALL) requiresboth Rule Set A and Rule Set Bto evaluate to true.

Rule Set A (ALL)requirescan_read=yes.

Rule Set B (ANY)requireseitherOpt-in=yesORgroup=customerService.

Together in Rule Set Group C (ALL), both conditions must hold:

can_read=yesmust be present in the request.

User must have eitheropt-in=yesor be in thecustomerServicegroup.

This matchesOption Dexactly.

Option Ais incorrect; it requires both attributes in Rule Set B, but B is ANY (either is sufficient).

Option Bis incorrect; the “unless” wording is misleading — the parameter is always required because Rule Set A uses ALL.

Option Cis incorrect; same reasoning as above, B is ANY not AND.

Option Dis correct —can_read=yesAND(opt-in=yesORgroup=customerService).

PingAccess retains backup archives of its configuration in thedata/archivedirectory. The number of retained backups is controlled in therun.propertiesfile.

Exact Extract:

“The number of configuration backups retained in thedata/archivedirectory is controlled by thearchive.maxCountproperty inrun.properties.”

Option A (log4j2.db.properties)is incorrect; this file controls database logging, not archive retention.

Option B (jvm-memory.options)is incorrect; this file sets JVM heap and memory arguments.

Option C (run.properties)is correct — it contains system-level settings includingarchive.maxCount.

Option D (log4j2.xml)is incorrect; this file configures log appenders and levels, not archive backups.

To prevent CORS errors, administrators must configure aCross-Origin Request (CORS) Processing Rule. The secure practice is to allow thespecific trusted domain(www.anycompany.com ) and, when cookies or credentials are required, to enableAllow Credentials.

Exact Extract:

“For secure CORS, specify exact origins rather than wildcards. Enable ‘Allow Credentials’ when client-side resources must include cookies or authentication data.”

Option Ais incomplete — multiple values are possible, but in this case onlywww.anycompany.com is required.

Option Bis less secure — using a wildcard (*.anycompany.com) broadens exposure unnecessarily.

Option Cis insecure —*with credentials is disallowed by CORS specifications.

Option Dis correct — restricts access to the trusted domain and allows credentialed requests.

PingAccess supportsone primary administrative console (active)and any number ofreplica administrative consoles. Engines must be configured to connect to theactive console, with replicas available for failover.

Exact Extract:

“In a clustered environment, PingAccess supports one clustered console (active) and replica consoles. Engines can connect to any console node for high availability.”

Option Ais incomplete — only one replica limits redundancy.

Option Bis incorrect — multiple active consoles are not supported.

Option Cis incorrect — cannot run two active consoles.

Option Dis correct — one active admin console with multiple replicas ensures HA.

For SSL termination, PingAccess requires aKey Pair(certificate + private key). During a POC/demo, when aself-signed certificateis used, the administrator can create it directly in theKey Pairssection of the console.

Exact Extract:

“Use the Key Pairs section to create self-signed certificates for testing or proof-of-concept deployments. For production, import a PKCS#12 file containing a certificate chain and private key.”

Option Ais incorrect — Certificates store trust anchors (CAs), not SSL termination certs.

Option Bis incorrect — an internal CA-signed cert requires PKCS#12 import, not self-signed creation.

Option Cis incorrect — a publicly trusted CA is not used for a demo phase.

Option Dis correct — creating a new certificate in Key Pairs generates a self-signed cert suitable for demos.

When PingAccess is first installed, theAdministrative Console(the web-based UI for managing configuration) is bound to adefault port of 9000. This is documented in the installation and configuration guides:

Exact Extract from documentation:

“By default, the administrative console is available athttps:// :9000.”

(PingAccess Installation Guide – Default Ports)

This means that unless the administrator has explicitly changed the port inrun.propertiesor during installation, the console will always be available onport 9000.

Option Analysis:

A. 9000✅Correct. Default administrative console port.

B. 3000❌Incorrect. This is not a PingAccess default port.

C. 9090❌Incorrect. Sometimes used by other Ping products for APIs, but not the PingAccess admin console.

D. 3030❌Incorrect. Not a default PingAccess port.

PingAccess automatically creates configurationarchive backupswhenever changes are made. These are stored in thedata/archivedirectory.

Exact Extract:

“PingAccess stores configuration archive files in thePA_HOME/data/archivedirectory.”

Option A (tools)is incorrect — contains administrative scripts.

Option B (conf)is incorrect — holds configuration files likerun.properties.

Option C (data)is correct — archives are stored underdata/archive.

Option D (bin)is incorrect — contains executables and scripts.

Identity Mapping in PingAccess relies on attributes provided by thetoken provider(e.g., PingFederate, OIDC provider). If the desired attributes are not present in the dropdown, it means they are not being provided in the token or userinfo response.

Exact Extract:

“Attributes available in identity mappings are those provided in the web session by the token provider. If attributes are missing, they must be added to the token by the identity provider.”

Option Ais correct — the token provider administrator must configure the IdP to include the additional attributes.

Option Bis incorrect — rewrite rules modify content but do not supply new identity attributes.

Option Cis incorrect — developers cannot directly add identity attributes; they must come from the IdP.

Option Dis incorrect — Web Session Attribute rules only evaluate available attributes; they don’t create new ones.

Therun.propertiesfile in PingAccess is the primary configuration file that defines system-level runtime behavior. According to PingAccess documentation:

Exact Extract:

“Therun.propertiesfile contains configuration properties for PingAccess, including operational mode, logging levels, admin authentication fallback, cluster settings, and system defaults.”

(PingAccess Administrator’s Guide –run.properties Reference)

From this, we can determine:

C. Operational mode for PingAccess→CorrectThe propertypa.operational.modeinrun.propertiesdefines whether the node operates asSTANDALONE,CLUSTERED_CONSOLE,CLUSTERED_CONSOLE_REPLICA, orCLUSTERED_ENGINE. This is one of the core configurable options.

E. Logging levels→CorrectProperties such aslog.leveland other logging configurations are explicitly defined inrun.properties, allowing administrators to adjust the verbosity of logs (DEBUG, INFO, WARN, ERROR).

Why the others are incorrect:

A. Default logs location→IncorrectThe log file path is not controlled viarun.properties. It is defined inlog4j2.xml, not inrun.properties.

B. URL for heartbeat endpoint→IncorrectThe heartbeat endpoint (/pa/heartbeat.ping) is a fixed system endpoint and is not configurable inrun.properties.

D. X-Frame-Options header→IncorrectSecurity headers likeX-Frame-Optionsare managed under application security policies or global response headers, not inrun.properties.

PingAccess terminates SSL at theVirtual Hostlevel. To configure an existing certificate, the administrator must assign the appropriateKey Pair(which contains the certificate and private key) to the Virtual Host.

Exact Extract:

“SSL termination occurs on the engine listener through virtual hosts. Assign the certificate’s key pair to the virtual host to secure proxied applications.”

Option Ais correct — assign the key pair to the Virtual Host for SSL termination.

Option Bis incorrect — Require HTTPS enforces secure access but does not configure SSL termination.

Option Cis incorrect — Agent Listener is for PingAccess Agents, not proxied apps.

Option Dis incorrect — secure flag affects cookie settings, not SSL certificates.

When usingHTTP Basic Authentication(admin.auth=native), PingAccess only supports asingle administrative account(the default admin user). For multiple administrators, SSO integration (e.g., OIDC) is required.

Exact Extract:

“When admin authentication is set to native (HTTP Basic), only one administrative user is supported. For multiple admins, configure UI authentication with an OIDC provider.”

Option A (1000)is incorrect.

Option B (1)is correct — only one basic auth admin account.

Option C (10)andOption D (100)are incorrect.

When using theAuthorization Code Flowfor authentication, PingAccess must be configured with:

AnOAuth Client IDthat identifies the application to the IdP.

TheOpenID Connect Login Typeset to Authorization Code.

Exact Extract:

“When configuring an OIDC web session, specify the OAuth client ID and select the OpenID Connect login type (Authorization Code, Hybrid, or Implicit).”

Option A (OAuth Token Introspection Endpoint)is not required for Authorization Code flow — token introspection is used in other cases.

Option B (OAuth Client ID)is correct — required for OIDC authorization requests.

Option C (OpenID Connect Issuer)is discovered automatically via metadata when you configure the token provider.

Option D (Virtual Host)is required for application exposure but not specific to OIDC flow.

Option E (OpenID Connect Login Type)is correct — must be set to “Authorization Code.”

PingAccess service scripts depend on knowing:

Where the Java runtime is installed (JAVA_HOME)

Where PingAccess itself is installed (PA_HOME)

Exact Extract:

“The PingAccess startup scripts require theJAVA_HOMEenvironment variable to locate the JDK/JRE and thePA_HOMEvariable to locate the PingAccess installation directory.”

Option A (J2EE_HOME)is irrelevant to PingAccess.

Option B (JAVA_HOME)is correct — needed for Java execution.

Option C (PA_PATH)is not a standard variable.

Option D (PA_HOME)is correct — required to point to the PingAccess installation root.

Option E (JAVA_PATH)is not valid;PATHcan include Java, butJAVA_HOMEis the correct environment variable.

Modern browsers enforce stricter cookie handling rules. If cookies are not configured correctly with theSameSiteattribute, behavior can differ across browsers, leading to inconsistent authentication and access denials. Security exceptions may appear when session cookies are blocked.

Exact Extract:

“The SameSite cookie setting defines how browsers send cookies in cross-site requests. Misconfigured SameSite values can lead to inconsistent application behavior across browsers.”

Option A (Enable PKCE)is related to OAuth flow security, not browser cookie behavior.

Option B (SameSite Cookie)is correct — this directly explains the inconsistent browser issues.

Option C (Request Preservation)ensures query parameters are kept, not related to cross-browser session handling.

Option D (Validate Session)checks session state but does not address browser inconsistencies.

When a resource is configured asanonymous, PingAccess does not challenge the user for authentication. However, certain processing and identity propagation still occur.

Exact Extract:

“Anonymous resources do not require authentication. Identity mappings and request/response processing rules still apply.”

Option Ais incorrect because rules such as identity mappings and processing still apply.

Option Bis correct — Identity Mappings can still forward attributes, even for anonymous access.

Option Cis correct — Processing rules (e.g., request/response modifications) still apply.

Option Dis incorrect — requestsarelogged; anonymous does not disable logging.

Option Eis incorrect — access control rules (authorization) are not evaluated for anonymous resources.

For multiple subdomains to share the same PingAccess session, theCookie Domainmust be configured so that the session cookie is valid across all listed applications.

Exact Extract:

“Set the Cookie Domain in the web session configuration to a parent domain (for example, .company.com) to enable applications in different subdomains to share the same session.”

Option A (Set Audience option)applies to OAuth token validation, not cookie sharing.

Option B (Set Cookie Domain option)is correct — e.g., setting.company.comallows session cookies to be shared.

Option C (Rewrite Cookie Domain rule)modifies upstream cookies for back-end applications, not PingAccess session cookies.

Option D (Rewrite Cookie Path rule)is unrelated; it modifies paths for cookies, not domains.

When a PingAccess agent is compromised, the secure approach is toinvalidate the existing credentials and issue a new configuration filefrom the PingAccess Admin Console. This provides a freshagent.propertiesfile with new secrets, ensuring compromised keys cannot be reused.

Exact Extract:

“If an agent is compromised, revoke and regenerate the agent configuration by downloading a newagent.propertiesfile from the administrative console.”

Option Ais incorrect — manually changing the secret in the file does not propagate it to PingAccess.

Option Bis incorrect — trusted certificates are not tied to agent authentication.

Option Cis unnecessary — reinstalling the agent does not reset credentials.

Option Dis correct — downloading a newagent.propertiesfile re-secures the agent.

The pattern/images/sitel/*matches all subpaths and files under the/images/sitel/directory, including nested paths.

Exact Extract:

“The asterisk (*) matches zero or more characters within the path. For example,/images/sitel/*matches all resources under thesitelfolder.”

Option Ais incorrect — it references/aitel/instead of/sitel/.

Option Bis incorrect —/site*matches strings beginning with “site”, but may also match “siteX” incorrectly.

Option Cis incorrect — it only matches resources under/english/, missing other folders.

Option Dis correct —/images/sitel/*covers all given examples.