Practice Free PT-AM-CPE Exam Online Questions
Question #21
If there is a need to reset a registered device over the REST API, which one of the following statements is incorrect?
- A . Administrators can provide authenticated users with a self-service page to reset their devices via the REST API
- B . Administrators can call the REST API to reset a device that is out of sync, where the HOTP counter exceeds the HOTP threshold window and requires a reset
- C . Only administrator accounts, not user accounts, have the ability to use the REST API for resetting a device profile
- D . Administrators can call the REST API to reset a user’s device profile
Correct Answer: C
C
Explanation:
In PingAM 8.0.2, device management is a critical part of the Multi-Factor Authentication (MFA) lifecycle. When a user registers a device for Push, OATH, or WebAuthn, that information is stored as a part of their identity profile. There are many scenarios where a device might need to be reset―for example, if a phone is lost, if the ForgeRock/Ping Authenticator app is reinstalled, or if an HOTP (HMAC-based One-Time Password) counter becomes desynchronized beyond the allowed window. According to the PingAM documentation on "Managing Devices for MFA" and the "REST API for Device Management":
Administrator Capabilities: Administrators have the authority to manage device profiles for any user. They can list, rename, or delete (reset) device profiles using the /json/realms/root/realms/[realm]/users/[username]/devices endpoint. This is vital for helpdesk scenarios (Option D and B).
User Self-Service (The Incorrect Statement C): Statement C is technically incorrect because PingAM’s REST API specifically supports self-service device management. An authenticated end-user has the permission to manage their own devices. They can call the /json/realms/root/realms/[realm]/users/[username]/devices endpoint using their own valid SSO token to delete their own registered devices. This allows organizations to build self-service portals where users can "Unpair" a lost device without calling support (Option A).
The internal security of PingAM ensures that while a regular user can only access their own device sub-resource, an administrator with the appropriate amAdmin or Delegate Admin privileges can access the resources of all users. Therefore, the claim that only administrator accounts can use the REST API for these actions is false and contradicts the "User Self-Service" philosophy built into the PingAM 8 API architecture.
C
Explanation:
In PingAM 8.0.2, device management is a critical part of the Multi-Factor Authentication (MFA) lifecycle. When a user registers a device for Push, OATH, or WebAuthn, that information is stored as a part of their identity profile. There are many scenarios where a device might need to be reset―for example, if a phone is lost, if the ForgeRock/Ping Authenticator app is reinstalled, or if an HOTP (HMAC-based One-Time Password) counter becomes desynchronized beyond the allowed window. According to the PingAM documentation on "Managing Devices for MFA" and the "REST API for Device Management":
Administrator Capabilities: Administrators have the authority to manage device profiles for any user. They can list, rename, or delete (reset) device profiles using the /json/realms/root/realms/[realm]/users/[username]/devices endpoint. This is vital for helpdesk scenarios (Option D and B).
User Self-Service (The Incorrect Statement C): Statement C is technically incorrect because PingAM’s REST API specifically supports self-service device management. An authenticated end-user has the permission to manage their own devices. They can call the /json/realms/root/realms/[realm]/users/[username]/devices endpoint using their own valid SSO token to delete their own registered devices. This allows organizations to build self-service portals where users can "Unpair" a lost device without calling support (Option A).
The internal security of PingAM ensures that while a regular user can only access their own device sub-resource, an administrator with the appropriate amAdmin or Delegate Admin privileges can access the resources of all users. Therefore, the claim that only administrator accounts can use the REST API for these actions is false and contradicts the "User Self-Service" philosophy built into the PingAM 8 API architecture.
Question #22
When developing a PingAM may act script for OAuth2 token exchange patterns, which variables are made available for use in the script?
- A . clientProperties, identity, logger, requestProperties, scopes, scriptName, session, token
- B . clientProperties, identity, logger, requestProperties, scopes, scriptName, session, requestedToken
- C . clientProperties, identity, logger, requestProperties, scopeList, scriptName, session, requestedToken
- D . clientProperties, identity, logger, requestProperties, scopeList, scriptName, session, token
Correct Answer: B
B
Explanation:
The OAuth2 May Act script type in PingAM 8.0.2 allows administrators to programmatically determine if a token exchange request (impersonation or delegation) should be allowed by adding a may_act claim to the token.
According to the "Scripting" and "Token Exchange Scripting API" documentation, when this script is executed, the AM engine provides a specific set of "Bindings" or variables. These allow the script to inspect the context of the request before deciding to modify the token. The documented variables for the OAuth2 May Act script are:
clientProperties: A map of the OAuth2 client’s configuration properties.
identity: The identity object for the user/subject.
logger: The logging object for debugging within the script.
requestProperties: Properties of the incoming HTTP request.
scopes: The set of scopes requested or associated with the token.
scriptName: The name of the script being executed.
session: The user’s SSO session (if available).
requestedToken: This is the most important variable; it represents the token being issued. Methods like .addMayAct() or .setMayAct() are called on this specific object.
Why other options are incorrect:
Option B correctly lists the bindings.
Options A and D are incorrect because they use the variable name token. While token is a common variable name in other OAuth2 script types (like the Access Token Modification script), the Token Exchange script specifically uses requestedToken to distinguish the new token from the subject_token or actor_token provided in the request.
Option C uses scopeList, which is not the standard variable name for the scopes in this specific script context; the documentation defines it as scopes.
B
Explanation:
The OAuth2 May Act script type in PingAM 8.0.2 allows administrators to programmatically determine if a token exchange request (impersonation or delegation) should be allowed by adding a may_act claim to the token.
According to the "Scripting" and "Token Exchange Scripting API" documentation, when this script is executed, the AM engine provides a specific set of "Bindings" or variables. These allow the script to inspect the context of the request before deciding to modify the token. The documented variables for the OAuth2 May Act script are:
clientProperties: A map of the OAuth2 client’s configuration properties.
identity: The identity object for the user/subject.
logger: The logging object for debugging within the script.
requestProperties: Properties of the incoming HTTP request.
scopes: The set of scopes requested or associated with the token.
scriptName: The name of the script being executed.
session: The user’s SSO session (if available).
requestedToken: This is the most important variable; it represents the token being issued. Methods like .addMayAct() or .setMayAct() are called on this specific object.
Why other options are incorrect:
Option B correctly lists the bindings.
Options A and D are incorrect because they use the variable name token. While token is a common variable name in other OAuth2 script types (like the Access Token Modification script), the Token Exchange script specifically uses requestedToken to distinguish the new token from the subject_token or actor_token provided in the request.
Option C uses scopeList, which is not the standard variable name for the scopes in this specific script context; the documentation defines it as scopes.
Question #23
In an authentication tree process, considering best practice, where can the collected context data for mobile devices be persisted for subsequent risk analysis?
- A . In the session state
- B . In shared node state
- C . With the user profile
- D . In a browser cookie
Correct Answer: B
B
Explanation:
In PingAM 8.0.2, the Intelligent Access engine (Authentication Trees) uses a specific data-passing mechanism to move information between individual nodes within a single journey. When a journey involves collecting context―such as device metadata (OS, version, screen resolution), location data (IP, geofencing), or risk signals―this information must be stored temporarily while the tree evaluates the next steps.
According to the "Authentication Node Development" and "Nodes and Trees" documentation,
PingAM uses two primary transient storage objects during the authentication flow:
Shared State: This is the primary map used to share data between nodes in the same tree. Contextual data collected by nodes like the Device Profile Collector or Browser Capabilities nodes is stored here. It exists only for the duration of the authentication journey.
Transient State: Similar to shared state, but often used for sensitive data that should not be visible to certain types of nodes or scripts.
The documentation identifies Shared Node State (Option B) as the best practice for persisting collected context during the tree process.
Session State (Option A) is only available after the authentication is successful and a session has been created. It is not suitable for data needed by nodes within the tree to make a decision (like a risk engine node).
User Profile (Option C) is for long-term persistence (LDAP/PingDS). Storing transient device context there would cause unnecessary database write overhead and privacy concerns.
Browser Cookies (Option D) are limited in size and pose security risks if used to store raw device data that could be tampered with by the client.
Therefore, for real-time risk analysis within a journey, nodes write data to the shared state, where subsequent nodes (like a Scripted Decision Node or Adaptive Risk Node) can retrieve and analyze it.
B
Explanation:
In PingAM 8.0.2, the Intelligent Access engine (Authentication Trees) uses a specific data-passing mechanism to move information between individual nodes within a single journey. When a journey involves collecting context―such as device metadata (OS, version, screen resolution), location data (IP, geofencing), or risk signals―this information must be stored temporarily while the tree evaluates the next steps.
According to the "Authentication Node Development" and "Nodes and Trees" documentation,
PingAM uses two primary transient storage objects during the authentication flow:
Shared State: This is the primary map used to share data between nodes in the same tree. Contextual data collected by nodes like the Device Profile Collector or Browser Capabilities nodes is stored here. It exists only for the duration of the authentication journey.
Transient State: Similar to shared state, but often used for sensitive data that should not be visible to certain types of nodes or scripts.
The documentation identifies Shared Node State (Option B) as the best practice for persisting collected context during the tree process.
Session State (Option A) is only available after the authentication is successful and a session has been created. It is not suitable for data needed by nodes within the tree to make a decision (like a risk engine node).
User Profile (Option C) is for long-term persistence (LDAP/PingDS). Storing transient device context there would cause unnecessary database write overhead and privacy concerns.
Browser Cookies (Option D) are limited in size and pose security risks if used to store raw device data that could be tampered with by the client.
Therefore, for real-time risk analysis within a journey, nodes write data to the shared state, where subsequent nodes (like a Scripted Decision Node or Adaptive Risk Node) can retrieve and analyze it.
Question #23
In an authentication tree process, considering best practice, where can the collected context data for mobile devices be persisted for subsequent risk analysis?
- A . In the session state
- B . In shared node state
- C . With the user profile
- D . In a browser cookie
Correct Answer: B
B
Explanation:
In PingAM 8.0.2, the Intelligent Access engine (Authentication Trees) uses a specific data-passing mechanism to move information between individual nodes within a single journey. When a journey involves collecting context―such as device metadata (OS, version, screen resolution), location data (IP, geofencing), or risk signals―this information must be stored temporarily while the tree evaluates the next steps.
According to the "Authentication Node Development" and "Nodes and Trees" documentation,
PingAM uses two primary transient storage objects during the authentication flow:
Shared State: This is the primary map used to share data between nodes in the same tree. Contextual data collected by nodes like the Device Profile Collector or Browser Capabilities nodes is stored here. It exists only for the duration of the authentication journey.
Transient State: Similar to shared state, but often used for sensitive data that should not be visible to certain types of nodes or scripts.
The documentation identifies Shared Node State (Option B) as the best practice for persisting collected context during the tree process.
Session State (Option A) is only available after the authentication is successful and a session has been created. It is not suitable for data needed by nodes within the tree to make a decision (like a risk engine node).
User Profile (Option C) is for long-term persistence (LDAP/PingDS). Storing transient device context there would cause unnecessary database write overhead and privacy concerns.
Browser Cookies (Option D) are limited in size and pose security risks if used to store raw device data that could be tampered with by the client.
Therefore, for real-time risk analysis within a journey, nodes write data to the shared state, where subsequent nodes (like a Scripted Decision Node or Adaptive Risk Node) can retrieve and analyze it.
B
Explanation:
In PingAM 8.0.2, the Intelligent Access engine (Authentication Trees) uses a specific data-passing mechanism to move information between individual nodes within a single journey. When a journey involves collecting context―such as device metadata (OS, version, screen resolution), location data (IP, geofencing), or risk signals―this information must be stored temporarily while the tree evaluates the next steps.
According to the "Authentication Node Development" and "Nodes and Trees" documentation,
PingAM uses two primary transient storage objects during the authentication flow:
Shared State: This is the primary map used to share data between nodes in the same tree. Contextual data collected by nodes like the Device Profile Collector or Browser Capabilities nodes is stored here. It exists only for the duration of the authentication journey.
Transient State: Similar to shared state, but often used for sensitive data that should not be visible to certain types of nodes or scripts.
The documentation identifies Shared Node State (Option B) as the best practice for persisting collected context during the tree process.
Session State (Option A) is only available after the authentication is successful and a session has been created. It is not suitable for data needed by nodes within the tree to make a decision (like a risk engine node).
User Profile (Option C) is for long-term persistence (LDAP/PingDS). Storing transient device context there would cause unnecessary database write overhead and privacy concerns.
Browser Cookies (Option D) are limited in size and pose security risks if used to store raw device data that could be tampered with by the client.
Therefore, for real-time risk analysis within a journey, nodes write data to the shared state, where subsequent nodes (like a Scripted Decision Node or Adaptive Risk Node) can retrieve and analyze it.
Question #25
Which of the following tab pages in the PingAM admin UI can be used to configure the OAuth2 and OpenID Connect may act scripts used for token exchange requests?
A) The OAuth2 provider service > Advanced tab page
B) The OAuth2 provider service > Core tab page
C) The OAuth2 client profile > Advanced tab page
D) The OAuth2 client profile > OAuth2 Provider Overrides tab page
- A . B and D only
- B . A and D only
- C . A and C only
- D . B and C only
Correct Answer: B
B
Explanation:
The May Act script is a critical component of the OAuth 2.0 Token Exchange implementation in PingAM 8.0.2. It allows for the validation of impersonation or delegation requests. Because token exchange can be configured both globally for all clients and specifically for individual applications, the script can be attached at two different levels in the Administrative UI.
OAuth2 Provider Service > Advanced Tab (A): This is the global configuration level. If you want to apply a standard "May Act" validation script across the entire realm for any client performing a token exchange, you configure it here. This script will be the default unless specifically overridden. OAuth2 Client Profile > OAuth2 Provider Overrides Tab (D): PingAM allows for granular control per client. If a specific "Confidential Client" (like a backend microservice) requires unique logic for determining who it can act as, you can specify a different script or override the global setting. This is done in the "OAuth2 Provider Overrides" tab within that specific client’s configuration profile.
Why other options are incorrect: The Core tab (B) is used for basic settings like issuer names and token lifetimes, not for advanced scripting hooks. The Advanced tab of the Client Profile (C) contains settings like TTLs and Logout URLs, but the specific ability to override "Provider" level logic (like the May Act script) is moved to the specialized Overrides tab to keep the interface organized. Therefore, the correct locations are A and D, as identified in the "Token Exchange Configuration" guide for version 8.0.2.
B
Explanation:
The May Act script is a critical component of the OAuth 2.0 Token Exchange implementation in PingAM 8.0.2. It allows for the validation of impersonation or delegation requests. Because token exchange can be configured both globally for all clients and specifically for individual applications, the script can be attached at two different levels in the Administrative UI.
OAuth2 Provider Service > Advanced Tab (A): This is the global configuration level. If you want to apply a standard "May Act" validation script across the entire realm for any client performing a token exchange, you configure it here. This script will be the default unless specifically overridden. OAuth2 Client Profile > OAuth2 Provider Overrides Tab (D): PingAM allows for granular control per client. If a specific "Confidential Client" (like a backend microservice) requires unique logic for determining who it can act as, you can specify a different script or override the global setting. This is done in the "OAuth2 Provider Overrides" tab within that specific client’s configuration profile.
Why other options are incorrect: The Core tab (B) is used for basic settings like issuer names and token lifetimes, not for advanced scripting hooks. The Advanced tab of the Client Profile (C) contains settings like TTLs and Logout URLs, but the specific ability to override "Provider" level logic (like the May Act script) is moved to the specialized Overrides tab to keep the interface organized. Therefore, the correct locations are A and D, as identified in the "Token Exchange Configuration" guide for version 8.0.2.
Question #26
What should be executed to ensure a successful upgrade when PingAM requires a version upgrade?
- A . Post-upgrade, run a set of functional tests
- B . Post-upgrade, run a set of functional and non-functional tests
- C . Post-upgrade, run a set of non-functional tests
- D . Post-upgrade, set the PingAM Version Control Flag to the correct version
Correct Answer: B
B
Explanation:
Upgrading PingAM 8.0.2 is a complex process that involves updating binaries, modifying schemas in the configuration store, and potentially migrating scripts to the "Next-Generation" scripting engine. To ensure that the system is not only "running" but also "production-ready," a comprehensive testing phase is required.
According to the "Post-Upgrade Tasks" and "Best Practices for Upgrading" documentation:
A successful upgrade verification must cover two distinct categories of testing:
Functional Tests: These verify that the core features still work as intended. Can users log in? Do the authentication trees execute correctly? Are SAML assertions being generated? This ensures the "Logic" of the identity platform is intact.
Non-Functional Tests: These are equally critical in an upgrade scenario. An upgrade can sometimes introduce performance regressions, change the way memory is utilized by the JVM, or alter the connection pool behavior to the CTS. Testing for performance, high availability (failover), security (vulnerability scanning), and monitoring ensures the system can handle production loads and meets the organization’s Service Level Agreements (SLAs).
While setting version flags (Option D) might be a technical step in some internal processes, it does not "ensure a successful upgrade" in the way that rigorous validation does. Running only functional tests (Option A) or only non-functional tests (Option C) leaves the environment vulnerable to either logic errors or system crashes. Thus, the verified best practice is to run both functional and non-functional tests (Option B) before redirecting production traffic to the upgraded instances.
B
Explanation:
Upgrading PingAM 8.0.2 is a complex process that involves updating binaries, modifying schemas in the configuration store, and potentially migrating scripts to the "Next-Generation" scripting engine. To ensure that the system is not only "running" but also "production-ready," a comprehensive testing phase is required.
According to the "Post-Upgrade Tasks" and "Best Practices for Upgrading" documentation:
A successful upgrade verification must cover two distinct categories of testing:
Functional Tests: These verify that the core features still work as intended. Can users log in? Do the authentication trees execute correctly? Are SAML assertions being generated? This ensures the "Logic" of the identity platform is intact.
Non-Functional Tests: These are equally critical in an upgrade scenario. An upgrade can sometimes introduce performance regressions, change the way memory is utilized by the JVM, or alter the connection pool behavior to the CTS. Testing for performance, high availability (failover), security (vulnerability scanning), and monitoring ensures the system can handle production loads and meets the organization’s Service Level Agreements (SLAs).
While setting version flags (Option D) might be a technical step in some internal processes, it does not "ensure a successful upgrade" in the way that rigorous validation does. Running only functional tests (Option A) or only non-functional tests (Option C) leaves the environment vulnerable to either logic errors or system crashes. Thus, the verified best practice is to run both functional and non-functional tests (Option B) before redirecting production traffic to the upgraded instances.
Question #27
Which of the following code examples inserts a may_act claim to the resulting token in a PingAM implementation?
- A . var mayAct = /* is a JSON object with may act property data */ token.addMayAct(mayAct)
- B . var mayAct = /* is a JSON object with may act property data */ requestedToken.addMayAct(mayAct)
- C . var mayAct = /* is a JSON object with may act property data */ requestedToken.setMayAct(mayAct)
- D . var mayAct = /* is a JSON object with may act property data */ token.setMayAct(mayAct)
Correct Answer: B
B
Explanation:
In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) implementation allows for complex identity delegation scenarios. The may_act claim is a specific claim used to indicate that one entity is authorized to act on behalf of another. When customizing the behavior of token exchange via the OAuth2 Token Exchange Script, developers interact with specific scriptable objects provided by the PingAM engine.
According to the "Scripting API" for OAuth2 and the "Token Exchange" developer guide, the requestedToken object is the primary interface used to modify the structure of the token being issued during the exchange. To insert the may_act claim, the API provides the addMayAct() method. The may_act claim is technically a JSON object that contains a sub (subject) claim of the entity that is allowed to act as the subject of the token. In the scripting environment: The requestedToken variable represents the token currently being minted.
The .addMayAct() method is the defined function signature to append this delegation metadata.
Why other options are incorrect:
Options A and D: The object name token is not the standard binding used for the target token in the Token Exchange script context; requestedToken is the correct binding.
Option C: The method name setMayAct is incorrect. The PingAM API uses the add prefix for these types of claims (similar to addActor), reflecting the underlying structure where these claims are added to the claim set of the JWT.
Using the correct syntax requestedToken.addMayAct(mayAct) ensures that the resulting Access Token or ID Token contains the correctly formatted delegation information required by resource servers to validate that the "Actor" has the permission to represent the "Subject."
B
Explanation:
In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) implementation allows for complex identity delegation scenarios. The may_act claim is a specific claim used to indicate that one entity is authorized to act on behalf of another. When customizing the behavior of token exchange via the OAuth2 Token Exchange Script, developers interact with specific scriptable objects provided by the PingAM engine.
According to the "Scripting API" for OAuth2 and the "Token Exchange" developer guide, the requestedToken object is the primary interface used to modify the structure of the token being issued during the exchange. To insert the may_act claim, the API provides the addMayAct() method. The may_act claim is technically a JSON object that contains a sub (subject) claim of the entity that is allowed to act as the subject of the token. In the scripting environment: The requestedToken variable represents the token currently being minted.
The .addMayAct() method is the defined function signature to append this delegation metadata.
Why other options are incorrect:
Options A and D: The object name token is not the standard binding used for the target token in the Token Exchange script context; requestedToken is the correct binding.
Option C: The method name setMayAct is incorrect. The PingAM API uses the add prefix for these types of claims (similar to addActor), reflecting the underlying structure where these claims are added to the claim set of the JWT.
Using the correct syntax requestedToken.addMayAct(mayAct) ensures that the resulting Access Token or ID Token contains the correctly formatted delegation information required by resource servers to validate that the "Actor" has the permission to represent the "Subject."
Question #27
Which of the following code examples inserts a may_act claim to the resulting token in a PingAM implementation?
- A . var mayAct = /* is a JSON object with may act property data */ token.addMayAct(mayAct)
- B . var mayAct = /* is a JSON object with may act property data */ requestedToken.addMayAct(mayAct)
- C . var mayAct = /* is a JSON object with may act property data */ requestedToken.setMayAct(mayAct)
- D . var mayAct = /* is a JSON object with may act property data */ token.setMayAct(mayAct)
Correct Answer: B
B
Explanation:
In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) implementation allows for complex identity delegation scenarios. The may_act claim is a specific claim used to indicate that one entity is authorized to act on behalf of another. When customizing the behavior of token exchange via the OAuth2 Token Exchange Script, developers interact with specific scriptable objects provided by the PingAM engine.
According to the "Scripting API" for OAuth2 and the "Token Exchange" developer guide, the requestedToken object is the primary interface used to modify the structure of the token being issued during the exchange. To insert the may_act claim, the API provides the addMayAct() method. The may_act claim is technically a JSON object that contains a sub (subject) claim of the entity that is allowed to act as the subject of the token. In the scripting environment: The requestedToken variable represents the token currently being minted.
The .addMayAct() method is the defined function signature to append this delegation metadata.
Why other options are incorrect:
Options A and D: The object name token is not the standard binding used for the target token in the Token Exchange script context; requestedToken is the correct binding.
Option C: The method name setMayAct is incorrect. The PingAM API uses the add prefix for these types of claims (similar to addActor), reflecting the underlying structure where these claims are added to the claim set of the JWT.
Using the correct syntax requestedToken.addMayAct(mayAct) ensures that the resulting Access Token or ID Token contains the correctly formatted delegation information required by resource servers to validate that the "Actor" has the permission to represent the "Subject."
B
Explanation:
In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) implementation allows for complex identity delegation scenarios. The may_act claim is a specific claim used to indicate that one entity is authorized to act on behalf of another. When customizing the behavior of token exchange via the OAuth2 Token Exchange Script, developers interact with specific scriptable objects provided by the PingAM engine.
According to the "Scripting API" for OAuth2 and the "Token Exchange" developer guide, the requestedToken object is the primary interface used to modify the structure of the token being issued during the exchange. To insert the may_act claim, the API provides the addMayAct() method. The may_act claim is technically a JSON object that contains a sub (subject) claim of the entity that is allowed to act as the subject of the token. In the scripting environment: The requestedToken variable represents the token currently being minted.
The .addMayAct() method is the defined function signature to append this delegation metadata.
Why other options are incorrect:
Options A and D: The object name token is not the standard binding used for the target token in the Token Exchange script context; requestedToken is the correct binding.
Option C: The method name setMayAct is incorrect. The PingAM API uses the add prefix for these types of claims (similar to addActor), reflecting the underlying structure where these claims are added to the claim set of the JWT.
Using the correct syntax requestedToken.addMayAct(mayAct) ensures that the resulting Access Token or ID Token contains the correctly formatted delegation information required by resource servers to validate that the "Actor" has the permission to represent the "Subject."
Question #29
Which PingAM feature only uses the PingAM keystore?
- A . Client-side sessions
- B . Persistent Cookie node
- C . Authentication trees
- D . OAuth2 providers
Correct Answer: A
A
Explanation:
In PingAM 8.0.2, the management of cryptographic material has evolved toward the Secret Store framework, which allows secrets to be stored in various locations (Filesystem, HSM, or Environment Variables). However, for specific core features, the internal PingAM keystore (historically keystore.jks) remains the primary repository for the keys used to protect session integrity. According to the "Client-side Session Security" documentation, when a realm is configured for Client-side sessions, the entire state of the user’s session is encapsulated within a signed and encrypted JSON Web Token (JWT). This JWT is then stored in the user’s browser cookie. To ensure that this token cannot be tampered with or read by unauthorized parties, PingAM must sign and encrypt the payload. The AM engine is hardcoded to look for the specific aliases (such as am.services.session.encryption and am.services.session.signing) within the default-keystore secret store, which points directly to the PingAM keystore.
While other features like OAuth2 providers (Option D) and the Persistent Cookie node (Option B) utilize secret stores, they are designed to be highly flexible and can be configured to use keys from any defined secret store in the realm. Authentication trees (Option C) are logical constructs and do not "use" the keystore directly, although individual nodes within a tree might. The distinction for Client-side sessions is that the feature’s fundamental security model is built specifically around the cryptographic keys managed within the AM keystore to provide "stateless" session management. Administrators must ensure that the same keystore and aliases are shared across all nodes in a cluster to allow any AM instance to validate a client-side session token issued by another node.
A
Explanation:
In PingAM 8.0.2, the management of cryptographic material has evolved toward the Secret Store framework, which allows secrets to be stored in various locations (Filesystem, HSM, or Environment Variables). However, for specific core features, the internal PingAM keystore (historically keystore.jks) remains the primary repository for the keys used to protect session integrity. According to the "Client-side Session Security" documentation, when a realm is configured for Client-side sessions, the entire state of the user’s session is encapsulated within a signed and encrypted JSON Web Token (JWT). This JWT is then stored in the user’s browser cookie. To ensure that this token cannot be tampered with or read by unauthorized parties, PingAM must sign and encrypt the payload. The AM engine is hardcoded to look for the specific aliases (such as am.services.session.encryption and am.services.session.signing) within the default-keystore secret store, which points directly to the PingAM keystore.
While other features like OAuth2 providers (Option D) and the Persistent Cookie node (Option B) utilize secret stores, they are designed to be highly flexible and can be configured to use keys from any defined secret store in the realm. Authentication trees (Option C) are logical constructs and do not "use" the keystore directly, although individual nodes within a tree might. The distinction for Client-side sessions is that the feature’s fundamental security model is built specifically around the cryptographic keys managed within the AM keystore to provide "stateless" session management. Administrators must ensure that the same keystore and aliases are shared across all nodes in a cluster to allow any AM instance to validate a client-side session token issued by another node.
Question #30
In a multi-server deployment, what is the impact of not ensuring stickiness in the load balancer configuration?
- A . Session failover will not work
- B . The browser will not be able to validate the user session with the correct PingAM server
- C . The user will see more redirects in their browser
- D . Performance may decrease as load on the system will be higher
Correct Answer: D
D
Explanation:
In a high-availability PingAM 8.0.2 cluster, the Load Balancer (LB) is responsible for distributing traffic across multiple AM instances. Session Stickiness (also known as session affinity) ensures that all requests from a specific user session are routed to the same AM server that initially created the session.
According to the PingAM "Deployment Planning" and "Load Balancing" documentation, PingAM is designed to be "sticky-preferred" but not "sticky-required" if the Core Token Service (CTS) is used. If stickiness is not ensured:
Performance Impact: Every time a user request lands on a different AM server (Server B) than the one that holds the session in local memory (Server A), Server B must query the CTS (External Store) to retrieve the session details, deserialize the object, and reconstruct the session state. This cross-server look-up introduces significant latency and increases the load on the PingDS instances hosting the CTS.
CTS Load: Without stickiness, every single request becomes a "Global" session lookup. This drastically increases the I/O and CPU overhead on the back-end directory servers, potentially leading to performance degradation of the entire identity platform.
Why other options are incorrect:
Option A: Session failover requires the CTS, but stickiness actually minimizes the need for failover logic during normal operation. Failover still works without stickiness, it just becomes the "default" behavior for every request.
Option B: AM servers in a cluster share the same encryption keys and back-end stores. Any server can technically validate a session by looking it up in the CTS; the browser doesn’t "know" which server is correct.
Option C: Redirects are handled at the application logic level. While some internal processing changes, it doesn’t necessarily result in extra browser-level HTTP redirects.
Thus, the primary negative impact of lacking stickiness in a correctly configured cluster is a decrease in performance (Option D) due to the constant session synchronization overhead.
D
Explanation:
In a high-availability PingAM 8.0.2 cluster, the Load Balancer (LB) is responsible for distributing traffic across multiple AM instances. Session Stickiness (also known as session affinity) ensures that all requests from a specific user session are routed to the same AM server that initially created the session.
According to the PingAM "Deployment Planning" and "Load Balancing" documentation, PingAM is designed to be "sticky-preferred" but not "sticky-required" if the Core Token Service (CTS) is used. If stickiness is not ensured:
Performance Impact: Every time a user request lands on a different AM server (Server B) than the one that holds the session in local memory (Server A), Server B must query the CTS (External Store) to retrieve the session details, deserialize the object, and reconstruct the session state. This cross-server look-up introduces significant latency and increases the load on the PingDS instances hosting the CTS.
CTS Load: Without stickiness, every single request becomes a "Global" session lookup. This drastically increases the I/O and CPU overhead on the back-end directory servers, potentially leading to performance degradation of the entire identity platform.
Why other options are incorrect:
Option A: Session failover requires the CTS, but stickiness actually minimizes the need for failover logic during normal operation. Failover still works without stickiness, it just becomes the "default" behavior for every request.
Option B: AM servers in a cluster share the same encryption keys and back-end stores. Any server can technically validate a session by looking it up in the CTS; the browser doesn’t "know" which server is correct.
Option C: Redirects are handled at the application logic level. While some internal processing changes, it doesn’t necessarily result in extra browser-level HTTP redirects.
Thus, the primary negative impact of lacking stickiness in a correctly configured cluster is a decrease in performance (Option D) due to the constant session synchronization overhead.