
Valid PT-AM-CPE Practice Test Dumps with 100% Passing Guarantee [Jul-2026]
PT-AM-CPE PDF Dumps Are Helpful To produce Your Dreams Correct QA's
NEW QUESTION # 57
Which audit event handler is used by PingAM by default, when audit logging is enabled?
- A. CSV audit event handler
- B. Elasticsearch audit event handler
- C. Syslog audit event handler
- D. JSON audit event handler
Answer: D
Explanation:
Audit logging is a vital security feature in PingAM 8.0.2 that provides a record of system activity. To make these logs useful for modern analysis tools and to ensure they contain rich metadata, PingAM utilizes structured logging.
According to the PingAM "Audit Logging Service" documentation:
When an administrator enables audit logging in a new installation, the system is pre-configured with the JSON audit event handler as the default. This handler writes log entries to the local filesystem in a structured JSON format (e.g., access.audit.json).
The choice of JSON (Option D) as the default is strategic:
Structure: JSON allows for complex, nested data structures, which is necessary to capture the full context of an authentication journey or a policy decision.
Interoperability: JSON is the "native language" of modern log aggregators and SIEM platforms like Splunk, ELK (Elasticsearch/Logstash/Kibana), and Sumo Logic.
Readability: While structured, it remains human-readable for quick manual inspection.
Why other options are incorrect:
CSV (B) and Syslog (C) are available handlers but must be explicitly added or configured; they are not the primary default.
Elasticsearch (A) is a powerful target for audit logs, but PingAM typically sends data there via an external collector reading the JSON files or via a specifically configured Elasticsearch handler, rather than it being the out-of-the-box default for a local installation.
The JSON handler ensures that from the moment logging is turned on, the data is stored in a format that balances detailed reporting with ease of integration.
NEW QUESTION # 58
Sam wants to start a service provider-initiated single sign-on and redirect to their own application, myapp.com. Which of the following URLs is the correct one to perform this action?
- A. http://sso.domain.com/openam/saml2/jsp/idpSSOInit.jsp&RelayState=http%3A%2F%2Fmyapp.com
- B. http://sso.domain.com/openam/saml2/jsp/spSSOInit.jsp&goto=http%3A%2F%2Fmyapp.com
- C. http://sso.domain.com/openam/saml2/jsp/idpSSOInit.jsp&goto=http%3A%2F%2Fmyapp.com
- D. http://sso.domain.com/openam/saml2/jsp/spSSOInit.jsp&RelayState=http%3A%2F%2Fmyapp.com
Answer: D
Explanation:
In SAML 2.0 federation with PingAM 8.0.2, there are two ways to initiate SSO: IdP-Initiated (where the user starts at the Identity Provider) and SP-Initiated (where the user starts at the Service Provider).3 According to the "SAML 2.0 Guide" for PingAM:
SP-Initiated SSO: The correct JSP file for an SP-initiated flow is spSSOInit.jsp. 4This script is used by an SP (in this case, PingAM acting as an SP or a "Fedlet") to generate a SAML AuthnRequest and send it to the IdP.
Redirecting to the Application: In the SAML 2.0 standard, the mechanism used to preserve state (like the final destination URL) across the redirect-heavy SSO process is the RelayState parameter. When the IdP sends the SAML assertion back to the SP, it also returns the RelayState value. The SP then uses this value to redirect the user to the final application.
While PingAM uses the goto parameter for internal redirects (like standard web login), RelayState is the required parameter name for SAML-related JSPs to ensure interoperability with the SAML specification. Therefore, the correct URL is .../spSSOInit.jsp combined with the RelayState parameter (Option D). Using idpSSOInit.jsp (Options A and B) would trigger an IdP-initiated flow, which is not what the question describes. Option C is incorrect because it uses the non-SAML goto parameter in a SAML initialization context.
NEW QUESTION # 59
What authentication tree nodes are provided for device registration in PingAM?
- A. MFA Registration Options node, OATH Registration node, WebAuthn Registration node
- B. OATH Registration node, Push Registration node, WebAuthn Registration node
- C. MFA Registration Options node, OATH Registration node, Push Registration node
- D. MFA Registration Options node, Push Registration node, WebAuthn Registration node
Answer: B
Explanation:
In PingAM 8.0.2, the Intelligent Access designer provides specialized nodes to handle the onboarding and registration of Multi-Factor Authentication (MFA) devices.3 These nodes are essential for building "Self-Service" registration trees where users can enroll their smartphones or security keys.
According to the "Authentication Node Reference," the three primary nodes dedicated specifically to the act of registering a device are:
OATH Registration Node: This node generates a secret and a QR code (or manual entry code) that the user scans with an OATH-compliant app (like ForgeRock Authenticator).4 It then verifies the first code generated by the app to finalize the registration in the user's profile.
Push Registration Node: This node is used to register a device for Push notifications.5 It coordinates with the Push service to link the user's specific installation of the ForgeRock Authenticator app to their AM identity store entry.
WebAuthn Registration Node: This node handles the FIDO2/WebAuthn ceremony. It prompts the browser to interact with the user's local authenticator (like TouchID or a YubiKey) and saves the resulting public key and credential ID to the user's profile.
Why other options are incorrect: The MFA Registration Options node (found in Options A, B, and C) is a "decision" or "UI" node that allows a user to choose which MFA method they want to register (e.g., "Would you like to register Push or OATH?").6 However, it does not perform the actual technical registration logic itself. The question asks for the nodes provided for device registration, which refers to the functional nodes that execute the registration protocols. Therefore, the set of OATH, Push, and WebAuthn Registration nodes (Option D) is the correct answer.
NEW QUESTION # 60
Why should module-based authentication be disabled in production?
- A. Module-based authentication allows a user to select any authentication level
- B. Module-based authentication allows users to authenticate in any realm
- C. Module-based authentication allows a user to authenticate with the amAdmin account
- D. Module-based authentication allows a user to bypass steps in an authentication chain
Answer: D
Explanation:
In PingAM 8.0.2, there is a critical distinction between Tree-based (or Chain-based) authentication and Module-based authentication. Module-based authentication is a legacy feature that allows a user to target an individual authentication module directly (e.g., .../UI/Login?module=DataStore).
According to the "Security Considerations" and "Hardening PingAM" documentation, module-based authentication poses a significant security risk and should be disabled in production. This is because it allows a user to bypass steps in an authentication chain (Option C).
If an administrator has designed a secure "Chain" that requires both a DataStore (password) check AND a One-Time Password (MFA) check, the intention is for these to be inseparable. However, if module-based authentication is enabled, a malicious user or a tester could bypass the MFA requirement by crafting a URL that calls only the "DataStore" module. This effectively circumvents the multi-factor security logic intended by the administrator.
To mitigate this, PingAM provides a global and realm-level setting to "Disable Module-based Authentication." Once disabled, PingAM will only process authentication requests that target a named Authentication Tree or Chain, ensuring that the user is forced through the entire sequence of nodes and logic defined by the security architect.
NEW QUESTION # 61
Which authentication node can you use in PingAM to add a key:value property to the user's session after successful authentication?
- A. The Get Session Data node
- B. The Set Session Properties node
- C. You have to use a webhook, not a node
- D. The Provision Dynamic Account node
Answer: B
Explanation:
In PingAM 8.0.2 Intelligent Access, the Set Session Properties node is a specialized utility node designed to modify the session object once it is created.
According to the "Authentication Node Reference":
During an authentication journey, data is typically stored in the sharedState. However, sharedState is transient and is destroyed once the tree finishes. If an administrator wants to take a piece of information (e.g., a "Risk Score" calculated during the tree, or a "Branch ID" retrieved from a legacy system) and make it a permanent part of the user's session, they must use the Set Session Properties node.
Functionality: This node allows you to map a value from the sharedState or transientState to a session property name. After the tree reaches a Success node, these properties are persisted in the session (either in the CTS for server-side sessions or the JWT for client-side sessions).
Usage: Once set, these properties can be retrieved later for Response Attributes in policies, or by applications using the /json/sessions endpoint.
Option A (Get Session Data node) is used to retrieve existing properties from an active session, not set them. Option B is incorrect because while webhooks can trigger external logic, the native way to modify the session within a tree is a node. Option C (Provision Dynamic Account node) is for creating user entries in the Identity Store (LDAP), not for managing session-level properties. Therefore, Set Session Properties (Option D) is the correct technical tool for this requirement in version 8.0.2.
NEW QUESTION # 62
Which OAuth2 web endpoint is used to validate a token?
- A. /oauth2/userinfo
- B. /oauth2/introspect
- C. /oauth2/access_token
- D. /oauth2/validate
Answer: B
Explanation:
While several endpoints in PingAM 8.0.2 interact with tokens, only one is explicitly designed for the purpose of checking the metadata and validity of an opaque or structured OAuth2 token.
According to the "OAuth 2.0 Endpoints" and "Token Introspection" documentation:
/oauth2/introspect (Option B): This is the RFC 7662-compliant endpoint. It is used by resource servers (or other authorized clients) to determine the "activeness" of a token. When a token is sent to this endpoint, PingAM returns a JSON object indicating if the token is valid, its scope, its expiration time, and the subject it represents. This is the standard way to validate tokens that are not self-validated (like opaque tokens stored in the CTS).
Why other options are incorrect:
/oauth2/userinfo (Option A): This endpoint is part of OpenID Connect. While it requires a valid token to function, its purpose is to return user claims, not to provide a "valid/invalid" metadata check of the token itself.
/oauth2/validate (Option C): This is a legacy endpoint used in older versions of the product. In PingAM 8.0.2, introspection is the standardized replacement.
/oauth2/access_token (Option D): This is the Token Endpoint used to issue tokens, not to validate them.
Using the /oauth2/introspect endpoint is a best practice for security because it allows the authorization server (PingAM) to verify that a token has not been revoked in the Core Token Service (CTS) before a resource server grants access.
NEW QUESTION # 63
When the OATH Registration node's OATH Algorithm property is set to TOTP in an authentication tree, which node needs to have the same value set?
- A. OATH Device Storage node13
- B. OATH Token Verifier node
- C. Recovery Code Collector Decision node11
- D. MFA Registration Options node12
Answer: B
Explanation:
In PingAM 8.0.2, Multi-Factor Authentication (MFA) using the OATH standard supports two primary algorithms: TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password).14 For an authentication journey to function correctly, the "Registration" phase (where the user's device and AM agree on a secret and algorithm) and the "Verification" phase (where AM checks the submitted code) must be perfectly synchronized.
According to the "Authentication Node Reference" for the OATH Token Verifier node and OATH Registration node:
Both nodes contain a configuration property named OATH Algorithm.15 This property determines how the six- or eight-digit code is generated and validated. If the OATH Registration node is configured to set up a user for TOTP, it will generate a QR code containing the TOTP parameters for the user's authenticator app.
When that user later attempts to log in, the OATH Token Verifier node (Option A) must also be set to TOTP.16 If the verifier is accidentally set to HOTP (which uses a counter rather than a time step), the validation will consistently fail because the server will be looking for a counter-based value while the app is providing a time-based value.
Other nodes like the Recovery Code Collector Decision node (Option B) or OATH Device Storage node (Option D) handle subsequent or separate tasks (like account recovery or writing the final profile to LDAP) and do not directly participate in the real-time OATH mathematical validation logic. Thus, the OATH Token Verifier is the mandatory counterpart that must match the registration's algorithm setting.
NEW QUESTION # 64
Which type of logs are written by PingAM?
- A. Java logs, debug logs, and audit logs
- B. Audit logs and Java logs
- C. Debug logs and audit logs
- D. Debug logs and Java logs
Answer: C
Explanation:
According to the PingAM 8.0.2 "Maintenance and Troubleshooting" documentation, the system generates two primary, distinct categories of logs for monitoring and problem-solving: Audit Logs and Debug Logs.
Audit Logs: These are high-level logs intended for security auditing, compliance, and reporting. They record specific "business events" or "state changes" within the system. Examples include successful logins, failed authentication attempts, administrative configuration changes (logged in config.audit.json), and policy evaluation decisions (logged in access.audit.json). These logs are structured (often in JSON) to be easily consumed by SIEM (Security Information and Event Management) tools.
Debug Logs: These are low-level, highly verbose logs intended for developers and support engineers. They record the internal "thought process" of the PingAM engine. They track the execution of specific Java classes, the results of LDAP queries, and the movement of data between authentication nodes. These logs are stored in the /debug directory and can be adjusted to different levels of verbosity (Error, Warning, Message, Info).
While PingAM runs within a Java Virtual Machine (JVM), and you may see container logs (like catalina.out in Tomcat) or "Java logs" from the underlying web server, these are technically external to the PingAM application itself. The PingAM application's internal logging framework is strictly split between Audit (what happened at a functional level) and Debug (why it happened at a code level). Therefore, Option C is the most accurate technical description of the logs natively managed and written by the PingAM service.
NEW QUESTION # 65
Which of the following steps must be configured in PingAM to implement mutual TLS using the public key infrastructure (PKI) approach?
Import the trusted certificates into the trust store used by the PingAM web container.
Create a secret store in the realm that maps the appropriate secret ID with the certificate alias in the trust store.18 Select tls_client_auth as the authentication method in the client profile.
Select self_signed_tls_client_auth as the authentication method in the client profile.19 Provide the certificate subject distinguished name in the client profile.20 Configure a revocation check in the client profile.
Register the X.509 certificate in the client profile.
- A. 1, 2, 3, and 5 only
- B. 1, 2, 4, and 7 only
- C. 1, 2, 4, and 6 only
- D. 1, 2, 4, and 5 only
Answer: A
Explanation:
In PingAM 8.0.2, there are two distinct ways to implement Mutual TLS (mTLS) for OAuth2 client authentication: the PKI Approach (CA-signed) and the Self-Signed Approach.21 According to the documentation on "Mutual TLS using PKI":
The PKI approach relies on a chain of trust. The steps required are:
Step 1 (Trust): You must import the CA certificates that signed the client certificates into the truststore of the web container (Tomcat) or the AM Secret Store.22 This allows AM to verify the signature of the client's certificate during the TLS handshake.
Step 2 (Mapping): You must configure a Secret Store and map the am.services.oauth2.tls.client.cert.authentication secret label to the trusted CA aliases.23 Step 3 (Authentication Method): In the OAuth2 Client Profile, you must select tls_client_auth. 24This is the specific OIDC standard string for CA-based mTLS. (In contrast, self_signed_tls_client_auth (Step 4) is used only when you trust individual certificates directly without a CA).25 Step 5 (Identity Mapping): Because multiple clients might have certificates signed by the same CA, you must provide the Subject Distinguished Name (DN) (e.g., CN=myClientApp) in the client profile. PingAM uses this to ensure that the certificate presented by the client during the handshake actually belongs to that specific Client ID.
Why other steps are excluded: Step 7 (Registering the certificate) is only required for the Self-Signed approach, as the PKI approach validates against the CA. Step 6 (Revocation check) is a global provider setting or an optional enhancement, but not a fundamental "must-configure" step for the basic PKI identity mapping logic. Thus, the correct sequence for the PKI approach is 1, 2, 3, and 5, making Option C the correct answer.
NEW QUESTION # 66
After installing a PingAM instance with the configuration directory path set to /home/forgerock/am, where is the default directory that contains the debug log files?
- A. /home/forgerock/am/debug
- B. /home/forgerock/am/var/logs
- C. /home/forgerock/am/var/debug
- D. /home/forgerock/am/logs
Answer: A
Explanation:
When PingAM is installed, it creates a specific directory structure within its Configuration Directory (also known as the AM_HOME or .openamcfg pointer target). This structure is standardized across versions to ensure that administrators and automated scripts can locate critical files.
According to the PingAM 8.0.2 "File System Reference" and "Debug Logging" documentation:
The primary directory for engine-level troubleshooting files (debug logs) is named debug.17 This directory is located immediately within the root of the configuration directory. Therefore, if the configuration path is explicitly set to /home/forgerock/am, the resulting path for debug files will be /home/forgerock/am/debug (Option D).
It is important to distinguish between Audit Logs and Debug Logs:
Audit Logs: (e.g., access.audit.json) are usually found in the .../openam/log or .../openam/logs directory (making Option A a common distractor).
Debug Logs: (e.g., amAuth, amSession, amCore) are strictly stored in the debug directory.
The var directory (Options B and C) is a convention used in some ForgeRock "ForgeOps" containerized deployments (like those in Kubernetes) to separate variable data from static config. However, in a standard standalone installation as described in the question, the direct .../debug path is the verified default behavior of the PingAM installation wizard and configurator tool.
NEW QUESTION # 67
A customer wishes to customize the OpenID Connect (OIDC) id_token JSON Web Token (JWT) to include the subject's employee number. Which of the following scripts should be customized to meet this requirement?
- A. OIDC JWT script
- B. OIDC attributes script
- C. OIDC parameters script
- D. OIDC claims script
Answer: D
Explanation:
In PingAM 8.0.2, the OpenID Connect (OIDC) Claims Script is the specific extensibility point designed to govern how user information is mapped and transformed into claims within an OIDC ID token or the UserInfo response. While PingAM supports standard scopes like profile and email out of the box, specialized business requirements-such as including an "employee number" which might be stored as employeenumber in an LDAP directory-require a custom transformation.
According to the "OIDC Claims Script" reference in the PingAM documentation:
The script acts as a bridge between the Identity Store (the source of truth) and the OIDC Provider (the issuer). When a client requests a token, PingAM executes this script, providing it with a claimObjects map and the userProfile. The developer can then write Groovy or JavaScript logic to retrieve the employeeNumber attribute from the user's profile and add it to the resulting claims set.
The script typically follows this logical flow:
Identify the requested claims from the OIDC scope.
Fetch the corresponding raw attributes from the Identity Store (e.g., PingDS or AD).
Format and name the claim as per the OIDC specification or the specific client requirement (e.g., mapping LDAP employeenumber to OIDC claim emp_id).
Return the claims to be signed and embedded into the JWT.
Why other options are incorrect: Options A, C, and D reference script types that do not exist under those specific names in the standard PingAM 8.0.2 scripting engine. While there are "Access Token Modification" scripts and "Client Registration" scripts, the OIDC Claims Script is the only one authorized and designed to manage the payload of the id_token.
NEW QUESTION # 68
For Proof of Possession OAuth2 tokens, in addition to the access token, what must be presented to the authorization server?
- A. Nonce
- B. State
- C. Client private certificate
- D. Client JSON Web Key (JWK)
Answer: C
Explanation:
Proof of Possession (PoP) tokens, specifically Certificate-Bound Access Tokens as defined in RFC 8705 and supported by PingAM 8.0.2, are designed to prevent token misuse by binding the access token to a specific client's cryptographic material.9 According to the PingAM documentation on "Certificate-Bound Proof-of-Possession," when an OAuth2 client requests a token, PingAM retrieves the client's public key (either from a provided certificate or a JWK) and embeds a thumbprint (the cnf claim) of that material into the issued token. When the client subsequently presents this token to the Resource Server (or the Authorization Server's introspection endpoint), it must also provide "Proof" that it possesses the private key corresponding to that thumbprint.
In the Mutual TLS (mTLS) approach, this proof is provided by the Client private certificate presented during the TLS handshake.10 The server verifies that the certificate used to establish the secure connection matches the one bound to the token. Without presenting the certificate (Option D), the token is considered "unbound" or invalid, even if the token itself is otherwise well-formed. This mechanism effectively "pins" the token to the client, ensuring that if the token is stolen, it cannot be used by any other entity that does not possess the matching private key. Nonce and State (Options A and C) are used during the initial authorization request for different security purposes (replay protection and CSRF), and while a JWK (Option B) can be used to define the public key, the actual presentation of proof during an mTLS transaction is the certificate.
NEW QUESTION # 69
Which of the following approaches can be used to configure a basic installation of PingAM?
- A. There is no basic configuration needed
- B. The graphical user interface in a browser
- C. A command-line program
- D. Either the graphical user interface in a browser, or a command-line program
Answer: D
Explanation:
According to the PingAM 8.0.2 Installation Guide, once the am.war file has been deployed into a web container (such as Apache Tomcat), the administrator must perform an initial configuration to set up the configuration store and the primary administrative user (amAdmin). PingAM provides two primary pathways for this "basic" configuration to accommodate different environment needs:
GUI-based Configuration (Interactive): By accessing the AM deployment URL (e.g., https://auth.example.com:8443/am) in a standard web browser, the administrator is presented with an interactive setup wizard. This wizard guides the user through the license agreement, setting the amAdmin password, and defining the connection details for the Configuration Store (typically PingDS). This is the preferred method for single-instance setups or initial trials.
Command-Line Configuration (Automated/Passive): For DevOps-centric deployments, headless environments, or automated scripts, PingAM provides the configurator.jar (often used for "Passive" installations). Additionally, for version 8 deployments, Amster is the primary command-line interface (CLI) tool. Amster allows administrators to import a full configuration state from JSON files, bypassing the GUI entirely. This is crucial for CI/CD pipelines and Kubernetes-based deployments (like the ForgeOps CDK/CDP).
The flexibility to use either the browser-based GUI or command-line tools ensures that PingAM can be deployed efficiently across diverse infrastructures, from traditional on-premises servers to modern cloud-native orchestration platforms. Therefore, Option A is the correct answer as it recognizes both valid administrative interfaces for the initial setup.
NEW QUESTION # 70
Which of the following best represents the information that is typically contained in the debug output?
- A. A header with the time and date, The running thread ID, The debug level, A general message, Optional stack trace
- B. The component that created the debug entry, A header with the time and date, The running thread ID, The debug level, A general message, Optional stack trace
- C. The component that created the debug entry, A header with the time and date, The running thread ID, A general message, Optional stack trace
- D. The component that created the debug entry, A header with the time and date, The debug level, A general message, Optional stack trace
Answer: B
Explanation:
In PingAM 8.0.2, troubleshooting complex issues often requires moving beyond audit logs to Debug Logs. These logs capture the internal operations of the AM engine and its various components (e.g., Authentication, Core Token Service, Session Management).7 According to the "Debug Logging" section of the PingAM 8.0.2 Maintenance Guide, the standard format for a debug log entry is designed to provide maximum context for support engineers and developers. A typical entry includes:
Time and Date Header: Precise timestamp of when the event occurred.
The Component (Category): Identifies which part of the code issued the message (e.g., amAuth, amSession, amOAuth2).
The Debug Level: Indicates the verbosity/severity, such as ERROR, WARNING, INFO, MESSAGE, or OFF.
The Thread ID: Crucial for multi-threaded environments like Tomcat, allowing administrators to trace a single user's request across multiple log entries.
The Message: A descriptive string explaining the internal operation or the error encountered.
Stack Trace: If the entry is recording an exception, a full Java stack trace is optionally included to pinpoint the exact line of code where the failure occurred.
Option A is the most complete and accurate representation of this structured output. Options B, C, and D are incorrect because they omit essential troubleshooting fields like the Thread ID or the Component name, which are necessary for correlating logs in a high-concurrency production environment. Understanding this structure is fundamental for any administrator using tools like ssoadm or the REST API to capture and analyze troubleshooting information.
NEW QUESTION # 71
What does the acronym SAML stand for?
- A. Secure Assertion Markup Language
- B. Strong Assertion Markup Language
- C. Security Assertion Markup Language
- D. Scoped Assertion Markup Language
Answer: C
Explanation:
As defined in the PingAM 8.0.2 documentation under "Introduction to SAML 2.0," the acronym SAML stands for Security Assertion Markup Language. It is an XML-based framework specifically designed for communicating user authentication, entitlement, and attribute information between distinct entities. In a typical federation scenario, these entities are the Identity Provider (IdP), which asserts the identity of the user, and the Service Provider (SP), which consumes the assertion to grant access to resources.
SAML is governed by OASIS and has become the industry standard for cross-domain Single Sign-On (SSO). The "Security" aspect of the name refers to the cryptographic methods used to ensure the integrity and confidentiality of the assertions. "Assertion" refers to the specific statements made by the IdP about a subject (usually a user). These assertions can include Authentication Statements (proving the user logged in), Attribute Statements (providing data like email or group membership), and Authorization Decision Statements (indicating what the user is permitted to do). PingAM 8.0.2 fully supports the SAML 2.0 core specifications, protocols, bindings, and profiles. Understanding this fundamental terminology is essential for administrators configuring "Circle of Trust" (CoT) environments or importing metadata from external partners, as the XML namespaces and schema definitions consistently reference the "urn:oasis:names:tc:SAML:2.0" identifier.
NEW QUESTION # 72
Which of the following multi-factor authentication protocols are supported by PingAM?
A) Open authentication
B) Security questions
C) Web authentication
D) Universal 2nd factor authentication
E) Push authentication
- A. A, B, and C
- B. A, B, and E
- C. B, C, and D
- D. A, C, and E
Answer: D
Explanation:
PingAM 8.0.2 provides a robust framework for Multi-Factor Authentication (MFA) centered around modern, secure protocols and the Intelligent Access (Authentication Trees) engine. When discussing supported "protocols" in the context of MFA in PingAM documentation, the focus is on standardized methods for secondary verification.
The primary supported MFA pillars in PingAM 8.0.2 are:
Open Authentication (OATH): AM supports the OATH standards, specifically TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password). This is implemented through the "OATH" authentication nodes, allowing users to use apps like ForgeRock Authenticator, Google Authenticator, or YubiKeys in OATH mode.
Web Authentication (WebAuthn): This is the implementation of the FIDO2 standard. It allows for passwordless and secure second-factor authentication using biometrics (like TouchID/FaceID) or hardware security keys (like YubiKeys). It is the successor to older standards and is natively supported via WebAuthn nodes.
Push Authentication: This is a proprietary but highly secure protocol used specifically with the ForgeRock/Ping Authenticator app. It allows a "Push" notification to be sent to a registered mobile device, which the user then approves or denies.
Why others are excluded from the selection: While PingAM supports Security Questions (KBA) and Universal 2nd Factor (U2F), they are often categorized differently in the 8.0.2 documentation. Security Questions are considered a "User Self-Service" or "Legacy" validation method rather than a modern MFA protocol. U2F is technically superseded by and included within the WebAuthn framework in PingAM 8.0.2. Thus, the most accurate grouping of distinct, core MFA protocols supported in the current version is A, C, and E, making Option C the correct answer.
NEW QUESTION # 73
A multi-server PingAM deployment is scheduled for upgrade. What measure can be implemented to prevent external user access during this process?
- A. Disable access from the load balancer
- B. Shut down the PingDS instances
- C. Shut down the PingAM instances
- D. Disable access from the firewall
Answer: A
Explanation:
According to the PingAM 8.0.2 Upgrade Guide and best practices for high-availability environments, performing an upgrade on a multi-server cluster requires a controlled redirection of traffic. While several methods can technically stop traffic, the load balancer is the primary tool for managing availability during maintenance.
In a production environment, PingAM instances are typically situated behind a load balancer that performs health checks and distributes user requests. By disabling access from the load balancer (specifically, by draining connections or marking nodes as "out of service"), administrators can gracefully prevent new external users from reaching the servers undergoing the upgrade. This approach is superior to shutting down the PingAM instances (Option A) immediately, as it allows existing sessions to complete their current operations or be handled by other nodes in the cluster if a "rolling upgrade" strategy is being used.
Shutting down the PingDS instances (Option B) is dangerous, as the directory service is required by PingAM for both configuration and user data; losing the data store while the AM application is still active can lead to severe system errors and data corruption. While a firewall (Option C) can block traffic, it is generally a "blunt instrument" that does not provide the sophisticated session management or health-probe handling that a load balancer offers. The load balancer allows for a "Maintenance Page" to be displayed to users, providing a better user experience during the downtime. Therefore, for a professional multi-server upgrade, managing the traffic flow at the load balancer layer is the verified best practice in PingAM 8 documentation.
NEW QUESTION # 74
Which of the following would be a possible combination of fields in the JSON body when making a policy evaluation via REST?
- A. resources, application, advices
- B. resources, subject, advices
- C. resources, subject, application
- D. subject, application, advices
Answer: C
Explanation:
In PingAM 8.0.2, requesting policy decisions via the REST API involves sending a POST request to the policies endpoint with the _action=evaluate parameter. To receive an accurate decision, the request body must provide the context of the access attempt.
According to the "Request policy decisions over REST" documentation, the JSON body typically includes the following core fields:
resources: (Required) An array of strings representing the URIs the user is attempting to access.
application: (Required) This field specifies the name of the Policy Set (formerly known as the application) that contains the relevant policies for the evaluation.
subject: (Optional, but usually required for user-specific policies) This object identifies the user or entity requesting access. It can include the user's ssoToken or a set of claims if using JWT-based subjects.
Why other options are incorrect: Advices (Options A and C) are not inputs for a policy evaluation request. Instead, advices are returned by PingAM in the response if a policy condition fails (e.g., an AuthLevelConditionAdvice requesting the user to provide MFA). A request cannot "evaluate" an advice; it triggers one. Option D is incorrect because the resources field is a mandatory requirement for any evaluation; without a target resource, the engine has nothing to compare against the defined policy rules. Therefore, the combination of resources, subject, and application represents the standard, valid structure for a policy decision request in PingAM 8.0.2.
NEW QUESTION # 75
In order to support rollback in case of a failed PingAM upgrade in a two server PingDS environment, what PingDS safety measure can be configured?
- A. A PingAM upgrade in a two server PingDS environment does not support rollback
- B. Stop replication between the two PingDS servers, stop a PingDS instance, upgrade against the active PingDS instance, and use the shutdown instance in case of rollback
- C. Keep both PingDS instances active, upgrade against both PingDS instances, and use the PingDS ./uninstall.sh backout script if required
- D. Stop replication between the two PingDS servers, stop a PingDS instance, upgrade against the active PingDS instance, and simply start up the shutdown PingDS instance
Answer: B
Explanation:
Upgrading PingAM 8.0.2 in an environment with multiple PingDS (Directory Server) instances requires a careful strategy to ensure data integrity and to allow for an immediate Rollback if the upgrade fails or introduces instability.6 According to the PingAM "Plan for Rollback" and "Upgrade in a Replicated Environment" documentation, the recommended safety measure involves isolating one of the data store nodes to act as a "time-capsule" of the pre-upgrade state. The process is as follows:
Stop Replication: Before starting the upgrade, administrators should disable or stop replication between the PingDS nodes. This prevents any schema changes or data modifications performed during the AM upgrade from being propagated to the backup node.
Isolate a Node: One PingDS instance is shut down or taken out of the load balancer rotation. This instance remains in its original, healthy state.
Perform the Upgrade: The PingAM upgrade is performed against the remaining active PingDS instance. If the upgrade involves schema updates (which is common when moving to version 8.0.2), only the active node's data is modified.
Rollback Path: If the upgrade fails, the administrator can simply shut down the "corrupted" upgraded environment and restart the isolated PingDS instance along with the original PingAM WAR file. Because replication was stopped, the isolated node still contains the original configuration and user data.
Option D is the only answer that correctly identifies this "safety-net" architecture. Option A is risky because a failed upgrade would corrupt both instances. Option C is incomplete because simply "starting up" the shutdown instance after an upgrade doesn't account for how you handle the discrepancy between the upgraded and non-upgraded nodes. The goal is to keep the shutdown instance as a valid, un-touched recovery point.
NEW QUESTION # 76
In order to secure a PingAM deployment with an external configuration data store and user data store using server-side sessions, which of the following should be considered?
- A. Changing the default iPlanetDirectoryPro cookie name, Using your own key for signing, Using a specific bind account for LDAP connections, Renaming and reducing the assigned privileges of the amAdmin account
- B. Encrypting the iPlanetDirectoryPro cookie contents, Changing the default iPlanetDirectoryPro cookie name, Using your own key for signing, Using a specific bind account for LDAP connections
- C. Changing the default iPlanetDirectoryPro cookie name, Using your own key for signing, Using a specific bind account for LDAP connections, Creation of a top-level administrator other than amAdmin
- D. Changing the default iPlanetDirectoryPro cookie name, Using your own key for signing, Using a specific bind account for LDAP connections, Reducing the privileges of the amAdmin user in production
Answer: C
Explanation:
Securing a PingAM 8.0.2 environment involves hardening multiple layers of the architecture, particularly when using external data stores and stateful sessions. According to the "General Security Considerations" and "Hardening PingAM" documentation, several key "Best Practices" must be applied.
Changing the SSO Cookie Name: By default, AM uses iPlanetDirectoryPro. Attackers often scan for this specific cookie name to identify ForgeRock/PingAM installations. Changing it provides "security through obscurity" and prevents some automated attacks.
Using Your Own Keys: PingAM ships with default test keys in the keystore. For production, you must generate your own cryptographic keys for signing and encrypting tokens (SSO, OIDC, SAML) to ensure the integrity of the environment.
Specific Bind Accounts: When connecting to an external PingDS or Active Directory, PingAM should never use a highly privileged account (like cn=Directory Manager). Instead, a dedicated account with limited, specific permissions (ACLs) should be created for AM's use.
Top-Level Administrator Management: The amAdmin account is the "root" of the AM system. In a production environment, it is considered a significant security risk to use this account for daily operations.
Why Option C is the correct answer: The documentation specifically recommends creating a new top-level administrator and then securing or disabling the default amAdmin. This is more effective than simply "renaming" it (Option A) or "reducing privileges" (Options B and D). In PingAM, amAdmin has hardcoded superuser capabilities in many areas; therefore, the best practice is to create a new administrative user with the necessary roles and then protect the amAdmin credentials in a vault. Option B is also incorrect because server-side sessions already store data on the server; the cookie only contains the session ID (the reference), so "encrypting the cookie contents" is redundant for server-side sessions compared to client-side sessions where the entire state is in the cookie.
NEW QUESTION # 77
......
Cover PT-AM-CPE Exam Questions Make Sure You 100% Pass: https://www.validtorrent.com/PT-AM-CPE-valid-exam-torrent.html
New PT-AM-CPE exam Free Sample Questions to Practice: https://drive.google.com/open?id=1JMmJ36-P1aFW0u0B7bj4XkSpJzWLxRPx