PAP-001 Sample Questions Answers

When APIs are remote, latency is introduced by frequent token validation requests. EnablingCache Tokenon the OAuth Resource Server reduces repeated validation calls and improves performance.

Exact Extract:

“The OAuth Resource Server configuration includes aCache Tokenoption that improves performance by reducing round trips for token validation.”

Option Ais incorrect — key rolling affects cryptographic keys, not API latency.

Option Bis incorrect — virtual hosts control external FQDNs, not performance.

Option Cis incorrect — token attribute size does not significantly affect remote latency.

Option Dis correct — caching tokens reduces validation overhead.

When configuring PingAccess to use PingFederate as theStandard Token Providerfor runtime engines, PingAccess must know how to contact PingFederate. The configuration requires theHost(PingFederate base URL).

Exact Extract:

“When configuring the Standard Token Provider, specify the PingFederate host to which PingAccess engines will connect for token validation.”

Option A (Issuer)is part of OIDC metadata but not required explicitly in this configuration.

Option B (Client ID)is needed for OAuth clients but not when defining the token provider connection itself.

Option C (Host)is correct — this is required to connect to PingFederate.

Option D (Port)may be included within the host definition (host:port) but is not the required field.

Legacy PKIs often provide certificate chains that areout of orderor non-compliant with RFC-5280 path validation. PingAccess provides an option in Trusted Certificate Groups calledValidate disordered certificate chainsto allow chaining even if the order is not RFC-5280 compliant.

Exact Extract:

“EnableValidate disordered certificate chainswhen the certificate chain is not in RFC-5280 compliant order but should still be accepted.”

Option Ais incorrect; using the Java trust store is unrelated to PKI ordering.

Option Bis correct — this setting allows PingAccess to process disordered certificate chains.

Option Cis incorrect; date checks are unrelated to RFC-5280 path ordering.

Option Dis incorrect; revocation status handling does not address legacy PKI ordering issues.

PingAccess is designed to work with modern identity protocols. It doesnotsupport legacy WS-* protocols directly.

Exact Extract:

“PingAccess integrates with OAuth 2.0 and OpenID Connect (OIDC) to provide authentication and authorization for web and API resources.”

Option A (SAML)is incorrect — PingAccess does not natively consume SAML assertions; SAML can be used indirectly via PingFederate.

Option B (WS-Fed)is not supported.

Option C (WS-Trust)is not supported.

Option D (OAuth2)is correct — used for authorization and token validation.

Option E (OIDC)is correct — used for user authentication and sessions.

PingAccess must trust the back-end site’s certificate to establish TLS. For internally issued certificates, the administrator imports thecertificate chaininto aTrusted Certificate Group.

Exact Extract:

“When a target site uses an internal CA, import the certificate or chain into a Trusted Certificate Group and assign that group to the site.”

Option Ais incorrect — the Java trust store does not contain the internal CA by default.

Option Bis incorrect — Key Pairs store private keys for SSL termination, not trusted CA certs.

Option Cis incorrect — engine listeners use key pairs for inbound SSL, not site trust.

Option Dis correct — the certificate must be imported into Trusted Certificate Groups.

For SSL termination, PingAccess requires aKey Pair(certificate + private key). During a POC/demo, when aself-signed certificateis used, the administrator can create it directly in theKey Pairssection of the console.

Exact Extract:

“Use the Key Pairs section to create self-signed certificates for testing or proof-of-concept deployments. For production, import a PKCS#12 file containing a certificate chain and private key.”

Option Ais incorrect — Certificates store trust anchors (CAs), not SSL termination certs.

Option Bis incorrect — an internal CA-signed cert requires PKCS#12 import, not self-signed creation.

Option Cis incorrect — a publicly trusted CA is not used for a demo phase.

Option Dis correct — creating a new certificate in Key Pairs generates a self-signed cert suitable for demos.

To transmit theid_tokenvia a back channel according to OIDC best practices, the application must use theAuthorization Code Flow(login type =code). This ensures tokens are retrieved securely via the back channel instead of being exposed in the browser.

Exact Extract:

“For back-channel transmission of ID tokens, configure the OIDC login type as Authorization Code.”

Option Ais correct — setting login type to code ensures back-channel delivery.

Option Bis incorrect — request preservation concerns request method persistence, not OIDC flow.

Option Cis incorrect — POST is not a valid login type; only Code, Implicit, or Hybrid.

Option Dis incorrect — request preservation has no bearing on token delivery.

When applications depend solely onheader-based identity mapping, attackers can attempt to bypass PingAccess by injecting headers directly into requests sent to the backend. To prevent spoofing, PingAccess should be configured to passcryptographically verifiable tokens(e.g.,ID tokens from OIDC) instead of relying on plain headers.

Exact Extract:

“Headers can be spoofed if not protected. Use signed tokens, such as ID tokens or JWTs, to provide strong identity assurance and prevent header injection attacks.”

Option A (Use ID Tokens)is correct — ID tokens are signed and verifiable, preventing spoofing.

Option B (Add Site Authenticator)protects PingAccess-to-site authentication, not client-to-API spoofing.

Option C (Require HTTPS)prevents eavesdropping but does not stop header spoofing from inside the network.

Option D (Use Target Host Header)ensures host header integrity but not user identity.

PingAccess retains backup archives of its configuration in thedata/archivedirectory. The number of retained backups is controlled in therun.propertiesfile.

Exact Extract:

“The number of configuration backups retained in thedata/archivedirectory is controlled by thearchive.maxCountproperty inrun.properties.”

Option A (log4j2.db.properties)is incorrect; this file controls database logging, not archive retention.

Option B (jvm-memory.options)is incorrect; this file sets JVM heap and memory arguments.

Option C (run.properties)is correct — it contains system-level settings includingarchive.maxCount.

Option D (log4j2.xml)is incorrect; this file configures log appenders and levels, not archive backups.

PingAccess supports flexible path matching for resources using wildcards. If the requirement is to matchany path that contains a folder named "escalated", the correct format is:

*/escalated/→ matchesany locationof theescalateddirectory within the path.

Exact Extract:

“The asterisk (*) wildcard matches zero or more characters. Use it in resource paths to match folders at any depth.”

Option A (escalated/)only matches when the resource starts with “escalated/” at the root, not at arbitrary depth.

Option B (*/escalated/)is correct — it matches theescalatedfolder no matter where it occurs.

Option C (*/escalated/+ )is incorrect —+is not a valid PingAccess wildcard operator.

*Option D (/escalated/)matches only when the path starts with “escalated” at the first level, not arbitrary positions.

When PingAccess is first installed, theAdministrative Console(the web-based UI for managing configuration) is bound to adefault port of 9000. This is documented in the installation and configuration guides:

Exact Extract from documentation:

“By default, the administrative console is available athttps:// :9000.”

(PingAccess Installation Guide – Default Ports)

This means that unless the administrator has explicitly changed the port inrun.propertiesor during installation, the console will always be available onport 9000.

Option Analysis:

A. 9000✅Correct. Default administrative console port.

B. 3000❌Incorrect. This is not a PingAccess default port.

C. 9090❌Incorrect. Sometimes used by other Ping products for APIs, but not the PingAccess admin console.

D. 3030❌Incorrect. Not a default PingAccess port.

PingAccess allows administrators to configurecustom error pages or messagesat theRoot Resource levelof an application. This ensures that when rule violations (e.g., authorization failures) occur, the application can display tailored error responses.

Exact Extract:

“Custom error handling for rule violations is configured within the Root Resource of an application.”

Option Ais incorrect — assigning a rule to a resource does not allow defining custom errors.

Option Bis correct — the Root Resource is where administrators define custom error handling for the entire application.

Option Cis incorrect — Rule Sets only combine rules; they do not handle error responses.

Option Dis incorrect — individual rule definitions do not contain custom error configurations.

The patternhttps://www.dumpspedia.com/images/sitel/*matches all subpaths and files under thehttps://www.dumpspedia.com/images/sitel/directory, including nested paths.

Exact Extract:

“The asterisk (*) matches zero or more characters within the path. For example,https://www.dumpspedia.com/images/sitel/*matches all resources under thesitelfolder.”

Option Ais incorrect — it references/aitel/instead of/sitel/.

Option Bis incorrect —/site*matches strings beginning with “site”, but may also match “siteX” incorrectly.

Option Cis incorrect — it only matches resources under/english/, missing other folders.

Option Dis correct —https://www.dumpspedia.com/images/sitel/*covers all given examples.

Theadmin.authsetting in therun.propertiesfile is used to specify a fallback authentication method for the administrative console.

Exact Extract from official documentation:

“To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication.”

This makes it clear that the purpose ofadmin.authis tooverrideany configured SSO for the admin UI and enforce native (basic) authentication instead.

Option Ais incorrect because theadmin.authsetting does not configure SSO. SSO for the admin UI is configured separately.

Option Bis incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.

Option Cis correct because it directly reflects the documented behavior:admin.authoverrides SSO configuration for the administrative UI and enables native authentication.

Option Dis incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.

PingAccess enforces step-up or multi-factor authentication usingAuthentication Requirements, which can be applied to specific resources within an application.

Exact Extract:

“Authentication requirements allow administrators to configure additional authentication (for example, MFA) when accessing sensitive application resources.”

Option A (UI Authentication)applies to access to theadmin console, not application resources.

Option B (Auth Token Management)relates to OAuth token lifetimes and refresh, not MFA enforcement.

Option C (Authentication Requirements)is correct — these rules enforce MFA or step-up auth for specific URLs/resources.

Option D (Authentication Challenge Policy)governs how failed auth challenges are presented but does not enforce MFA.

PingAccess usesIdentity Mappingsto take identity attributes provided by the authentication source (e.g., PingFederate, OpenID Connect) and map them into HTTP request headers for back-end applications.

Exact Extract:

“An identity mapping allows you to map identity attributes from the user’s session to HTTP headers, cookies, or query parameters that are then forwarded to the target application.”

Option A (Site Authenticators)is incorrect because Site Authenticators configure how PingAccess communicates with applications requiring authentication, not how attributes are inserted into headers.

Option B (Identity Mappings)is correct — this is the feature designed specifically to expose user attributes to applications via HTTP headers.

Option C (Web Sessions)manages how sessions are stored and validated, but not the mapping of attributes into requests.

Option D (HTTP Requests)refers to request/response processing rules, but attributes are not mapped here.

When applications require additional attributes:

TheWeb Sessionmust be configured to retrieve those attributes from the token provider (OIDC or PingFederate).

TheIdentity Mappingmust be updated to forward those attributes to the application (e.g., as headers).

Exact Extract:

“Web sessions define how user attributes are retrieved from the token provider. Identity mappings determine how those attributes are inserted into requests to applications.”

Option Ais not necessarily required; attributes can be retrieved via userinfo endpoint or access token, not only ID tokens.

Option Bis correct — Identity Mappings must be updated to pass attributes to the app.

Option Cis incorrect — Site Authenticators define how PingAccess authenticates to apps, not attribute handling.

Option Dis incorrect unless the architecture specifically requires access token updates; PingAccess often uses the Web Session to fetch attributes.

Option Eis correct — Web Session must be updated to retrieve additional attributes.

The propertyengine.ssl.protocolsinrun.propertiesspecifies the TLS protocol versions that PingAccess engines will support for incoming HTTPS traffic.

Exact Extract:

“Theengine.ssl.protocolsproperty configures which TLS versions are enabled for HTTPS listeners.”

Option A (ciphers)is incorrect — cipher suites are defined separately, not in this property.

Option B (HTTPS port)is incorrect — the port is defined in the engine listener, not here.

Option C (TLS versions)is correct — this property controls TLS version support (e.g., TLSv1.2, TLSv1.3).

Option D (clustering)is incorrect — clustering does not depend on this property.