Pass the Ping Identity PingAccess PAP-001 Questions and answers with ValidTests

PingAccess must trust the back-end site’s certificate to establish TLS. For internally issued certificates, the administrator imports thecertificate chaininto aTrusted Certificate Group.

Exact Extract:

“When a target site uses an internal CA, import the certificate or chain into a Trusted Certificate Group and assign that group to the site.”

Option Ais incorrect — the Java trust store does not contain the internal CA by default.

Option Bis incorrect — Key Pairs store private keys for SSL termination, not trusted CA certs.

Option Cis incorrect — engine listeners use key pairs for inbound SSL, not site trust.

Option Dis correct — the certificate must be imported into Trusted Certificate Groups.

In Log4j2, theLoggerelement controls the log level (INFO,DEBUG,ERROR, etc.) for specific packages or classes.

Exact Extract:

“To modify logging levels, edit theelement inlog4j2.xmland change the level attribute.”

Option A (AsyncLogger)is a performance optimization, not for changing levels.

Option B (RollingFile)defines file rotation, not log levels.

Option C (Logger)is correct — this is where log levels are defined.

Option D (Appenders)define output destinations, not severity levels.

PingAccess allows administrators to configurecustom error pages or messagesat theRoot Resource levelof an application. This ensures that when rule violations (e.g., authorization failures) occur, the application can display tailored error responses.

Exact Extract:

“Custom error handling for rule violations is configured within the Root Resource of an application.”

Option Ais incorrect — assigning a rule to a resource does not allow defining custom errors.

Option Bis correct — the Root Resource is where administrators define custom error handling for the entire application.

Option Cis incorrect — Rule Sets only combine rules; they do not handle error responses.

Option Dis incorrect — individual rule definitions do not contain custom error configurations.

PingAccess usesEngine Listenersfor SSL termination of proxied applications. To minimize the number of certificates, administrators can:

Use awildcard certificate(e.g.,*.customer.com) on the engine listener.

Use aSubject Alternative Name (SAN) certificatethat covers multiple FQDNs under thecustomer.comdomain.

Exact Extract:

“PingAccess engine listeners can use certificates containing either wildcard entries or Subject Alternative Names to secure multiple applications under a single domain.”

Option Ais incorrect — assigning unique key pairs increases, not decreases, certificate management overhead.

Option Bis correct — a wildcard certificate covers all subdomains (e.g.,app1.customer.com,app2.customer.com).

Option Cis correct — a SAN certificate lists multiple FQDNs explicitly.

Option Dis incorrect — agent listeners don’t handle SSL termination for proxied apps.

Option Eis incorrect for the same reason — agent listeners aren’t used for SSL.

When a resource is configured asanonymous, PingAccess does not challenge the user for authentication. However, certain processing and identity propagation still occur.

Exact Extract:

“Anonymous resources do not require authentication. Identity mappings and request/response processing rules still apply.”

Option Ais incorrect because rules such as identity mappings and processing still apply.

Option Bis correct — Identity Mappings can still forward attributes, even for anonymous access.

Option Cis correct — Processing rules (e.g., request/response modifications) still apply.

Option Dis incorrect — requestsarelogged; anonymous does not disable logging.

Option Eis incorrect — access control rules (authorization) are not evaluated for anonymous resources.

To enableSingle Logout (SLO), theSLO scopemust be defined in the PingAccess Web Session configuration. This determines which sessions are ended when a logout request occurs.

Exact Extract:

“The SLO scope option in a web session specifies which applications are included in a logout event when Single Logout is triggered.”

Option A (SLO scope)is correct; it explicitly enables SLO support by linking session termination across apps.

Option B (Idle timeout)is unrelated; this controls session expiration, not SLO.

Option C (Validate Session)ensures session state is synchronized but does not configure SLO.

Option D (Refresh User Attributes)is unrelated; it only controls whether attributes are reloaded.

When APIs are remote, latency is introduced by frequent token validation requests. EnablingCache Tokenon the OAuth Resource Server reduces repeated validation calls and improves performance.

Exact Extract:

“The OAuth Resource Server configuration includes aCache Tokenoption that improves performance by reducing round trips for token validation.”

Option Ais incorrect — key rolling affects cryptographic keys, not API latency.

Option Bis incorrect — virtual hosts control external FQDNs, not performance.

Option Cis incorrect — token attribute size does not significantly affect remote latency.

Option Dis correct — caching tokens reduces validation overhead.

PingAccess supports logging directly to a relational database usingLog4j database appenders. To enable this:

Configurelog4j2.xmlto use a JDBC Appender.

Configurelog4j2.db.propertieswith the database connection information.

Provide the appropriate database driver in thePA_HOME/libdirectory.

Exact Extract:

“To log to a database, configure log4j2.xml and log4j2.db.properties, and place the JDBC driver JAR file in PA_HOME/lib.”

Option Ais correct — both files must be configured.

Option Bis incorrect — existing logs do not need removal.

Option Cis incorrect — enabling audit is unrelated to database logging.

Option Dis correct — the Oracle JDBC driver must be installed in PA_HOME/lib.

Option Eis incorrect unless TLS is used to connect to the DB, but it is not required for standard DB logging setup.

When usingHTTP Basic Authentication(admin.auth=native), PingAccess only supports asingle administrative account(the default admin user). For multiple administrators, SSO integration (e.g., OIDC) is required.

Exact Extract:

“When admin authentication is set to native (HTTP Basic), only one administrative user is supported. For multiple admins, configure UI authentication with an OIDC provider.”

Option A (1000)is incorrect.

Option B (1)is correct — only one basic auth admin account.

Option C (10)andOption D (100)are incorrect.

All onboarding in PingAccess begins with defining anApplication. Once the application exists, the administrator can defineResourceswithin it and assign different rules to those resources.

Exact Extract:

“Before you can configure resources and rules, you must first create an application in PingAccess.”

Option A (Identity Mapping)may be required later but not the first step.

Option B (Web Session)can be shared but is not the first onboarding step.

Option C (Application)is correct — the starting point for onboarding.

Option D (Resource)comes after creating the application.