PAP-001 Certified Professional - PingAccess Questions and Answers

Publicly trusted Certificate Authorities are already included in theJava Trust Store Certificate Group, which PingAccess can use directly. This avoids importing the certificate manually.

Exact Extract:

“If the target site uses a certificate from a well-known public CA, configure the site to use the Java Trust Store Certificate Group.”

Option Ais incorrect — Key Pairs store private keys for SSL termination, not public CA trust anchors.

Option Bis correct — Java Trust Store already contains trusted public CAs.

Option Cis incorrect — again, Key Pairs are not used for trust validation.

Option Dis unnecessary for public CAs — only internal/self-signed certs must be imported.

PingAccess is designed to work with modern identity protocols. It doesnotsupport legacy WS-* protocols directly.

Exact Extract:

“PingAccess integrates with OAuth 2.0 and OpenID Connect (OIDC) to provide authentication and authorization for web and API resources.”

Option A (SAML)is incorrect — PingAccess does not natively consume SAML assertions; SAML can be used indirectly via PingFederate.

Option B (WS-Fed)is not supported.

Option C (WS-Trust)is not supported.

Option D (OAuth2)is correct — used for authorization and token validation.

Option E (OIDC)is correct — used for user authentication and sessions.

When a back-end site requires HTTP Basic Authentication, PingAccess supports this via aBasic Authentication Site Authenticator. The authenticator is configured with credentials so that PingAccess can successfully authenticate to the target site.

Exact Extract:

“PingAccess can authenticate to target sites using a Site Authenticator. Use the Basic Authentication Site Authenticator when the site requires a username and password.”

Option Ais incorrect — identity mappings are used to forward user attributes, not for site-to-site authentication.

Option Bis incorrect — web sessions represent end-user sessions, not back-end credentials.

Option Cis correct — the Basic Authentication Site Authenticator should be configured on the Site.

Option Dis incorrect — mTLS authenticates with certificates, not username/password.

When configuring PingAccess to use PingFederate as theStandard Token Providerfor runtime engines, PingAccess must know how to contact PingFederate. The configuration requires theHost(PingFederate base URL).

Exact Extract:

“When configuring the Standard Token Provider, specify the PingFederate host to which PingAccess engines will connect for token validation.”

Option A (Issuer)is part of OIDC metadata but not required explicitly in this configuration.

Option B (Client ID)is needed for OAuth clients but not when defining the token provider connection itself.

Option C (Host)is correct — this is required to connect to PingFederate.

Option D (Port)may be included within the host definition (host:port) but is not the required field.

PingAccess service scripts depend on knowing:

Where the Java runtime is installed (JAVA_HOME)

Where PingAccess itself is installed (PA_HOME)

Exact Extract:

“The PingAccess startup scripts require theJAVA_HOMEenvironment variable to locate the JDK/JRE and thePA_HOMEvariable to locate the PingAccess installation directory.”

Option A (J2EE_HOME)is irrelevant to PingAccess.

Option B (JAVA_HOME)is correct — needed for Java execution.

Option C (PA_PATH)is not a standard variable.

Option D (PA_HOME)is correct — required to point to the PingAccess installation root.

Option E (JAVA_PATH)is not valid;PATHcan include Java, butJAVA_HOMEis the correct environment variable.

PingAccess must trust the back-end site’s certificate to establish TLS. For internally issued certificates, the administrator imports thecertificate chaininto aTrusted Certificate Group.

Exact Extract:

“When a target site uses an internal CA, import the certificate or chain into a Trusted Certificate Group and assign that group to the site.”

Option Ais incorrect — the Java trust store does not contain the internal CA by default.

Option Bis incorrect — Key Pairs store private keys for SSL termination, not trusted CA certs.

Option Cis incorrect — engine listeners use key pairs for inbound SSL, not site trust.

Option Dis correct — the certificate must be imported into Trusted Certificate Groups.

When applications depend solely onheader-based identity mapping, attackers can attempt to bypass PingAccess by injecting headers directly into requests sent to the backend. To prevent spoofing, PingAccess should be configured to passcryptographically verifiable tokens(e.g.,ID tokens from OIDC) instead of relying on plain headers.

Exact Extract:

“Headers can be spoofed if not protected. Use signed tokens, such as ID tokens or JWTs, to provide strong identity assurance and prevent header injection attacks.”

Option A (Use ID Tokens)is correct — ID tokens are signed and verifiable, preventing spoofing.

Option B (Add Site Authenticator)protects PingAccess-to-site authentication, not client-to-API spoofing.

Option C (Require HTTPS)prevents eavesdropping but does not stop header spoofing from inside the network.

Option D (Use Target Host Header)ensures host header integrity but not user identity.

PingAccess enforces step-up or multi-factor authentication usingAuthentication Requirements, which can be applied to specific resources within an application.

Exact Extract:

“Authentication requirements allow administrators to configure additional authentication (for example, MFA) when accessing sensitive application resources.”

Option A (UI Authentication)applies to access to theadmin console, not application resources.

Option B (Auth Token Management)relates to OAuth token lifetimes and refresh, not MFA enforcement.

Option C (Authentication Requirements)is correct — these rules enforce MFA or step-up auth for specific URLs/resources.

Option D (Authentication Challenge Policy)governs how failed auth challenges are presented but does not enforce MFA.

The requirement is:

Allow access ifuser is in sales

OR ifuser is in marketing AND is a manager

This is logically represented as:

(A) OR (B AND C)

To configure this in PingAccess:

Rule Set (D) = ANY (A)

Rule Set (E) = ALL (B, C)

Rule Set Group (F) = ANY (D, E)

Assign Group (F) to the resource

This exactly matchesOption D.

Option Ais incorrect — requires both A and (B AND C), which is stricter than the requirement.

Option Bis incorrect — ANY(A, B, C) would allow users in marketing or managers without requiring both.

Option Cis incorrect — it uses ALL(D, E), which would require both conditions instead of OR.

Option Dis correct — it models (A OR (B AND C)).

PingAccess usesEngine Listenersfor SSL termination of proxied applications. To minimize the number of certificates, administrators can:

Use awildcard certificate(e.g.,*.customer.com) on the engine listener.

Use aSubject Alternative Name (SAN) certificatethat covers multiple FQDNs under thecustomer.comdomain.

Exact Extract:

“PingAccess engine listeners can use certificates containing either wildcard entries or Subject Alternative Names to secure multiple applications under a single domain.”

Option Ais incorrect — assigning unique key pairs increases, not decreases, certificate management overhead.

Option Bis correct — a wildcard certificate covers all subdomains (e.g.,app1.customer.com,app2.customer.com).

Option Cis correct — a SAN certificate lists multiple FQDNs explicitly.

Option Dis incorrect — agent listeners don’t handle SSL termination for proxied apps.

Option Eis incorrect for the same reason — agent listeners aren’t used for SSL.

PingAccess supports flexible path matching for resources using wildcards. If the requirement is to matchany path that contains a folder named "escalated", the correct format is:

*/escalated/→ matchesany locationof theescalateddirectory within the path.

Exact Extract:

“The asterisk (*) wildcard matches zero or more characters. Use it in resource paths to match folders at any depth.”

Option A (escalated/)only matches when the resource starts with “escalated/” at the root, not at arbitrary depth.

Option B (*/escalated/)is correct — it matches theescalatedfolder no matter where it occurs.

Option C (*/escalated/+ )is incorrect —+is not a valid PingAccess wildcard operator.

*Option D (/escalated/)matches only when the path starts with “escalated” at the first level, not arbitrary positions.

PingAccess resources have anAudit flag. When enabled, all access attempts (allowed or denied) are recorded in the audit logs.

Exact Extract:

“To audit access requests to a specific resource, enable the Audit option on that resource in the application configuration.”

Option Ais correct — enabling audit for/adminensures its access requests are logged.

Option Bis incorrect — enabling audit for/*is overly broad and logs everything, not just/admin.

Option Cis incorrect — Splunk integration is for log forwarding, not per-resource auditing.

Option Dis incorrect —log4j2.xmlcontrols log destinations/levels, not resource-specific auditing.

To prevent CORS errors, administrators must configure aCross-Origin Request (CORS) Processing Rule. The secure practice is to allow thespecific trusted domain(www.anycompany.com ) and, when cookies or credentials are required, to enableAllow Credentials.

Exact Extract:

“For secure CORS, specify exact origins rather than wildcards. Enable ‘Allow Credentials’ when client-side resources must include cookies or authentication data.”

Option Ais incomplete — multiple values are possible, but in this case onlywww.anycompany.com is required.

Option Bis less secure — using a wildcard (*.anycompany.com) broadens exposure unnecessarily.

Option Cis insecure —*with credentials is disallowed by CORS specifications.

Option Dis correct — restricts access to the trusted domain and allows credentialed requests.

All onboarding in PingAccess begins with defining anApplication. Once the application exists, the administrator can defineResourceswithin it and assign different rules to those resources.

Exact Extract:

“Before you can configure resources and rules, you must first create an application in PingAccess.”

Option A (Identity Mapping)may be required later but not the first step.

Option B (Web Session)can be shared but is not the first onboarding step.

Option C (Application)is correct — the starting point for onboarding.

Option D (Resource)comes after creating the application.

In PingAccess, when an application relies on claims from an OAuth access token, you must configure PingAccess to evaluate those claims and potentially inject them into headers for the backend application.

Exact Extract from PingAccess documentation:

“OAuth rules allow you to evaluate claims in OAuth access tokens. You can configure PingAccess to look at specific claims and enforce policies or pass them to target applications.”

“To extract attributes from an access token, configure anOAuth Attribute Rule.”

This clearly matches optionD.

Analysis of each option:

A. An authentication requirement definition

Incorrect. Authentication requirements determine how users authenticate to applications (OIDC provider, etc.), but do not manage access token claims.

B. A web session attribute rule

Incorrect. Web session attribute rules map attributes from the authenticated user’s web session (SSO session), not from OAuth access tokens.

C. An identity mapping definition

Incorrect. Identity mappings transform user attributes (from IdP to app), but they don’t directly pull claims from OAuth tokens.

D. An OAuth attribute rule

Correct. This rule is specifically designed to extract and enforce policies onclaims from OAuth access tokens.

Therefore, the correct answer isD. An OAuth attribute rule.

Mutual TLS (mTLS) is used to establishtwo-way authenticationwhere both the client and the server present certificates to prove their identity. In the case of PingAccess, aMutual TLS Site Authenticatoris configured when PingAccess acts as a reverse proxy making requests to a backend (target) server.

Exact Extract from PingAccess documentation:

“Mutual TLS site authenticators provide client certificate authentication when PingAccess connects to a backend site. This allows PingAccess to present its certificate to the target server during the TLS handshake.”

This means the purpose is forPingAccess (client) to authenticate itself to the backend server (target resource)when establishing a secure connection.

Why other options are wrong:

A. Allows the backend server to authenticate to PingAccess

Incorrect. That’s normal server-side TLS authentication (the server presents a cert to the client), not mutual TLS initiated by PingAccess.

B. Allows the user to authenticate to the backend server

Incorrect. End users do not directly use this setting; this is between PingAccess and the backend application server.

C. Allows PingAccess to authenticate to the backend server

Correct. This is exactly the definition of a Mutual TLS Site Authenticator in PingAccess.

D. Allows PingAccess to authenticate to the token provider

Incorrect. That would involve OIDC/OAuth token exchange and possibly TLS trust, but it’s not the role of the Site Authenticator.

Thus, the correct answer isC. Allows PingAccess to authenticate to the backend server.

Theadmin.authsetting in therun.propertiesfile is used to specify a fallback authentication method for the administrative console.

Exact Extract from official documentation:

“To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication.”

This makes it clear that the purpose ofadmin.authis tooverrideany configured SSO for the admin UI and enforce native (basic) authentication instead.

Option Ais incorrect because theadmin.authsetting does not configure SSO. SSO for the admin UI is configured separately.

Option Bis incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.

Option Cis correct because it directly reflects the documented behavior:admin.authoverrides SSO configuration for the administrative UI and enables native authentication.

Option Dis incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.

PingAccess usesobfuscated keysto secure sensitive configuration values (like passwords). Theobfuscate.bat(Windows) orobfuscate.sh(Linux) script is used to generate a new key and protect sensitive data.

Exact Extract:

“Useobfuscate.[bat|sh]to generate a new obfuscation key for protecting configuration values.”

Option A (db-passwd-rotate.bat)is not a valid PingAccess script.

Option B (memoryoptions.bat)configures JVM memory, not encryption.

Option C (run.bat)starts PingAccess.

Option D (obfuscate.bat)is correct — it is used to protect sensitive configuration.