Practice Free PT-AM-CPE Exam Online Questions
Question #31
In order to secure a PingAM deployment with an external configuration data store and user data store using server-side sessions, which of the following should be considered?
- A . Changing the default iPlanetDirectoryPro cookie name, Using your own key for signing, Using a specific bind account for LDAP connections, Renaming and reducing the assigned privileges of the amAdmin account
- B . Encrypting the iPlanetDirectoryPro cookie contents, Changing the default iPlanetDirectoryPro
cookie name, Using your own key for signing, Using a specific bind account for LDAP connections - C . Changing the default iPlanetDirectoryPro cookie name, Using your own key for signing, Using a
specific bind account for LDAP connections, Creation of a top-level administrator other than amAdmin - D . Changing the default iPlanetDirectoryPro cookie name, Using your own key for signing, Using a specific bind account for LDAP connections, Reducing the privileges of the amAdmin user in production
Correct Answer: C
C
Explanation:
Securing a PingAM 8.0.2 environment involves hardening multiple layers of the architecture, particularly when using external data stores and stateful sessions. According to the "General Security Considerations" and "Hardening PingAM" documentation, several key "Best Practices" must be applied.
Changing the SSO Cookie Name: By default, AM uses iPlanetDirectoryPro. Attackers often scan for this specific cookie name to identify ForgeRock/PingAM installations. Changing it provides "security through obscurity" and prevents some automated attacks.
Using Your Own Keys: PingAM ships with default test keys in the keystore. For production, you must generate your own cryptographic keys for signing and encrypting tokens (SSO, OIDC, SAML) to ensure the integrity of the environment.
Specific Bind Accounts: When connecting to an external PingDS or Active Directory, PingAM should never use a highly privileged account (like cn=Directory Manager). Instead, a dedicated account with limited, specific permissions (ACLs) should be created for AM’s use.
Top-Level Administrator Management: The amAdmin account is the "root" of the AM system. In a production environment, it is considered a significant security risk to use this account for daily operations.
Why Option C is the correct answer: The documentation specifically recommends creating a new top-level administrator and then securing or disabling the default amAdmin. This is more effective than simply "renaming" it (Option A) or "reducing privileges" (Options B and D). In PingAM, amAdmin has hardcoded superuser capabilities in many areas; therefore, the best practice is to create a new administrative user with the necessary roles and then protect the amAdmin credentials in a vault.
Option B is also incorrect because server-side sessions already store data on the server; the cookie only contains the session ID (the reference), so "encrypting the cookie contents" is redundant for server-side sessions compared to client-side sessions where the entire state is in the cookie.
C
Explanation:
Securing a PingAM 8.0.2 environment involves hardening multiple layers of the architecture, particularly when using external data stores and stateful sessions. According to the "General Security Considerations" and "Hardening PingAM" documentation, several key "Best Practices" must be applied.
Changing the SSO Cookie Name: By default, AM uses iPlanetDirectoryPro. Attackers often scan for this specific cookie name to identify ForgeRock/PingAM installations. Changing it provides "security through obscurity" and prevents some automated attacks.
Using Your Own Keys: PingAM ships with default test keys in the keystore. For production, you must generate your own cryptographic keys for signing and encrypting tokens (SSO, OIDC, SAML) to ensure the integrity of the environment.
Specific Bind Accounts: When connecting to an external PingDS or Active Directory, PingAM should never use a highly privileged account (like cn=Directory Manager). Instead, a dedicated account with limited, specific permissions (ACLs) should be created for AM’s use.
Top-Level Administrator Management: The amAdmin account is the "root" of the AM system. In a production environment, it is considered a significant security risk to use this account for daily operations.
Why Option C is the correct answer: The documentation specifically recommends creating a new top-level administrator and then securing or disabling the default amAdmin. This is more effective than simply "renaming" it (Option A) or "reducing privileges" (Options B and D). In PingAM, amAdmin has hardcoded superuser capabilities in many areas; therefore, the best practice is to create a new administrative user with the necessary roles and then protect the amAdmin credentials in a vault.
Option B is also incorrect because server-side sessions already store data on the server; the cookie only contains the session ID (the reference), so "encrypting the cookie contents" is redundant for server-side sessions compared to client-side sessions where the entire state is in the cookie.
Question #32
Which of the following would be a possible combination of fields in the JSON body when making a policy evaluation via REST?
- A . resources, subject, advices
- B . resources, subject, application
- C . resources, application, advices
- D . subject, application, advices
Correct Answer: B
B
Explanation:
In PingAM 8.0.2, requesting policy decisions via the REST API involves sending a POST request to the policies endpoint with the _action=evaluate parameter. To receive an accurate decision, the request body must provide the context of the access attempt.
According to the "Request policy decisions over REST" documentation, the JSON body typically includes the following core fields:
resources: (Required) An array of strings representing the URIs the user is attempting to access.
application: (Required) This field specifies the name of the Policy Set (formerly known as the application) that contains the relevant policies for the evaluation.
subject: (Optional, but usually required for user-specific policies) This object identifies the user or entity requesting access. It can include the user’s ssoToken or a set of claims if using JWT-based subjects.
Why other options are incorrect: Advices (Options A and C) are not inputs for a policy evaluation request. Instead, advices are returned by PingAM in the response if a policy condition fails (e.g., an Auth Level Condition Advice requesting the user to provide MFA). A request cannot "evaluate" an advice; it triggers one.
Option D is incorrect because the resources field is a mandatory requirement for any evaluation; without a target resource, the engine has nothing to compare against the defined policy rules. Therefore, the combination of resources, subject, and application represents the standard, valid structure for a policy decision request in PingAM 8.0.2.
B
Explanation:
In PingAM 8.0.2, requesting policy decisions via the REST API involves sending a POST request to the policies endpoint with the _action=evaluate parameter. To receive an accurate decision, the request body must provide the context of the access attempt.
According to the "Request policy decisions over REST" documentation, the JSON body typically includes the following core fields:
resources: (Required) An array of strings representing the URIs the user is attempting to access.
application: (Required) This field specifies the name of the Policy Set (formerly known as the application) that contains the relevant policies for the evaluation.
subject: (Optional, but usually required for user-specific policies) This object identifies the user or entity requesting access. It can include the user’s ssoToken or a set of claims if using JWT-based subjects.
Why other options are incorrect: Advices (Options A and C) are not inputs for a policy evaluation request. Instead, advices are returned by PingAM in the response if a policy condition fails (e.g., an Auth Level Condition Advice requesting the user to provide MFA). A request cannot "evaluate" an advice; it triggers one.
Option D is incorrect because the resources field is a mandatory requirement for any evaluation; without a target resource, the engine has nothing to compare against the defined policy rules. Therefore, the combination of resources, subject, and application represents the standard, valid structure for a policy decision request in PingAM 8.0.2.
Question #33
What is session denylisting used for?
- A . Keeping track of session inactivity
- B . Keeping track of restricted sessions
- C . Keeping track of logged out sessions
- D . Keeping track of absolute session timeouts
Correct Answer: C
C
Explanation:
Session Denylisting is a critical security feature in PingAM 8.0.2, primarily used when a realm is configured for client-side sessions.9 In a client-side session model, the session state is stored in a signed and encrypted JWT within the user’s browser cookie rather than in the server’s memory or the Core Token Service (CTS).10 Because the server does not "own" the session state, a logout event typically only involves deleting the cookie from the browser. However, if a malicious actor had previously copied that cookie, they could still use it until it naturally expires.
To solve this, PingAM uses Session Denylisting to keep track of logged out sessions.11 When a user logs out, or when a session is invalidated (e.g., during a session upgrade or administrative action), AM records the session identifier in a denylist stored within the Core Token Service (CTS).12 For every subsequent request, AM checks the incoming client-side session token against this denylist.13 If the session ID is found in the denylist, AM rejects the token as invalid, even if the cryptographic signature is correct and the expiration time has not passed.
The documentation emphasizes that this feature is essential for "tracking session logouts across multiple AM servers" in a cluster. Without denylisting, there would be no way to perform a "global logout" for client-side sessions that is immediately effective across all nodes.14 Administrators can configure properties such as the Denylist Purge Delay (to account for clock skew) and the Denylist Poll Interval (to balance security speed with system performance).15 By effectively managing the lifecycle of revoked tokens, session denylisting ensures that a logout is a cryptographically and operationally certain event.
C
Explanation:
Session Denylisting is a critical security feature in PingAM 8.0.2, primarily used when a realm is configured for client-side sessions.9 In a client-side session model, the session state is stored in a signed and encrypted JWT within the user’s browser cookie rather than in the server’s memory or the Core Token Service (CTS).10 Because the server does not "own" the session state, a logout event typically only involves deleting the cookie from the browser. However, if a malicious actor had previously copied that cookie, they could still use it until it naturally expires.
To solve this, PingAM uses Session Denylisting to keep track of logged out sessions.11 When a user logs out, or when a session is invalidated (e.g., during a session upgrade or administrative action), AM records the session identifier in a denylist stored within the Core Token Service (CTS).12 For every subsequent request, AM checks the incoming client-side session token against this denylist.13 If the session ID is found in the denylist, AM rejects the token as invalid, even if the cryptographic signature is correct and the expiration time has not passed.
The documentation emphasizes that this feature is essential for "tracking session logouts across multiple AM servers" in a cluster. Without denylisting, there would be no way to perform a "global logout" for client-side sessions that is immediately effective across all nodes.14 Administrators can configure properties such as the Denylist Purge Delay (to account for clock skew) and the Denylist Poll Interval (to balance security speed with system performance).15 By effectively managing the lifecycle of revoked tokens, session denylisting ensures that a logout is a cryptographically and operationally certain event.
Question #34
Which multi-factor authentication methods require a separate device and an application?
- A . Push, WebAuthn
- B . Push, WebAuthn, Open Authentication
- C . WebAuthn, Open Authentication
- D . Open Authentication, Push
Correct Answer: D
D
Explanation:
PingAM 8.0.2 supports various Multi-Factor Authentication (MFA) methods, each with different hardware and software requirements.7 The question asks specifically for methods that require both a separate device and a specific application.
Push Authentication: This requires a mobile device (separate from the computer used to log in) and the ForgeRock/Ping Authenticator app (or a custom app using the SDK) to receive and approve the notification.8
Open Authentication (OATH): This refers to TOTP (Time-based One-Time Password). It requires a separate device (smartphone or hardware token) and an application (like ForgeRock Authenticator, Google Authenticator, or Authy) to generate the 6-digit rotating codes.
Why WebAuthn is excluded: While WebAuthn (Option A, B, and C) can use separate devices (like a YubiKey or a secondary phone), it is specifically designed to work natively with the browser and the operating system (using the FIDO2 standard). It does not require a specific "Authenticator Application" to be installed by the user; instead, it uses the platform’s built-in authenticators (like TouchID, FaceID, or Windows Hello) or a hardware key handled directly by the browser’s WebAuthn API.
Therefore, the two methods that strictly fit the "Separate Device + App" criteria in the PingAM ecosystem are Open Authentication and Push, making Option D the correct answer.
D
Explanation:
PingAM 8.0.2 supports various Multi-Factor Authentication (MFA) methods, each with different hardware and software requirements.7 The question asks specifically for methods that require both a separate device and a specific application.
Push Authentication: This requires a mobile device (separate from the computer used to log in) and the ForgeRock/Ping Authenticator app (or a custom app using the SDK) to receive and approve the notification.8
Open Authentication (OATH): This refers to TOTP (Time-based One-Time Password). It requires a separate device (smartphone or hardware token) and an application (like ForgeRock Authenticator, Google Authenticator, or Authy) to generate the 6-digit rotating codes.
Why WebAuthn is excluded: While WebAuthn (Option A, B, and C) can use separate devices (like a YubiKey or a secondary phone), it is specifically designed to work natively with the browser and the operating system (using the FIDO2 standard). It does not require a specific "Authenticator Application" to be installed by the user; instead, it uses the platform’s built-in authenticators (like TouchID, FaceID, or Windows Hello) or a hardware key handled directly by the browser’s WebAuthn API.
Therefore, the two methods that strictly fit the "Separate Device + App" criteria in the PingAM ecosystem are Open Authentication and Push, making Option D the correct answer.
Question #35
Which statement does not reflect best practice when configuring a PingAM cluster for secure communication with external servers?
- A . Create the new truststore as a copy of the JVM container truststore to isolate the PingAM truststore from changes to the JVM container’s truststore when the JVM container’s truststore is updated
- B . Create a new truststore with the certificates needed in the environment, and configure the container to use it
- C . Create a new truststore using a copy of the JVM container truststore and add the PingDS instances certificates to the new truststore
- D . Don’t add PingDS instances certificates to the JVM container truststore
Correct Answer: A
A
Explanation:
When configuring secure communication (LDAPS, HTTPS) in PingAM 8.0.2, managing the Truststore is a critical security task. The truststore contains the public certificates (trust anchors) of the servers PingAM needs to communicate with, such as PingDS or external Identity Providers.
The PingAM "Secure Network Communication" documentation outlines several best practices: Avoid Modifying the JVM Truststore: One should not add internal certificates (like those for PingDS) to the default JVM cacerts file (Option D is a best practice). This prevents pollution of the system-wide Java environment.
Use a Dedicated Truststore: Creating a fresh, minimal truststore containing only necessary certificates (Option B and C) ensures a "least privilege" approach to trust.
Why Statement A is NOT a best practice: Statement A suggests that you should copy the JVM truststore to isolate it from changes made to the JVM container’s truststore. In a production security context, this is a dangerous anti-pattern. The JVM’s default truststore (e.g., cacerts) is frequently updated by Java maintainers and OS vendors to include new Root CAs and, more importantly, to remove/revoke compromised or untrustworthy CAs. By making a static copy to "isolate" AM from these updates, an administrator inadvertently keeps obsolete or insecure certificates in AM’s trust list while missing out on critical security updates provided by the platform.
Best practice dictates that AM should point to a truststore that is intentionally managed. If isolation is needed, it should be achieved by creating a new store for internal certificates and potentially using the -Djavax.net.ssl.trustStore property to manage the hierarchy, rather than cloning the system-wide CA bundle to avoid "changes." Therefore, Option A is the correct answer as it describes a maintenance and security risk.
A
Explanation:
When configuring secure communication (LDAPS, HTTPS) in PingAM 8.0.2, managing the Truststore is a critical security task. The truststore contains the public certificates (trust anchors) of the servers PingAM needs to communicate with, such as PingDS or external Identity Providers.
The PingAM "Secure Network Communication" documentation outlines several best practices: Avoid Modifying the JVM Truststore: One should not add internal certificates (like those for PingDS) to the default JVM cacerts file (Option D is a best practice). This prevents pollution of the system-wide Java environment.
Use a Dedicated Truststore: Creating a fresh, minimal truststore containing only necessary certificates (Option B and C) ensures a "least privilege" approach to trust.
Why Statement A is NOT a best practice: Statement A suggests that you should copy the JVM truststore to isolate it from changes made to the JVM container’s truststore. In a production security context, this is a dangerous anti-pattern. The JVM’s default truststore (e.g., cacerts) is frequently updated by Java maintainers and OS vendors to include new Root CAs and, more importantly, to remove/revoke compromised or untrustworthy CAs. By making a static copy to "isolate" AM from these updates, an administrator inadvertently keeps obsolete or insecure certificates in AM’s trust list while missing out on critical security updates provided by the platform.
Best practice dictates that AM should point to a truststore that is intentionally managed. If isolation is needed, it should be achieved by creating a new store for internal certificates and potentially using the -Djavax.net.ssl.trustStore property to manage the hierarchy, rather than cloning the system-wide CA bundle to avoid "changes." Therefore, Option A is the correct answer as it describes a maintenance and security risk.
Question #35
Which statement does not reflect best practice when configuring a PingAM cluster for secure communication with external servers?
- A . Create the new truststore as a copy of the JVM container truststore to isolate the PingAM truststore from changes to the JVM container’s truststore when the JVM container’s truststore is updated
- B . Create a new truststore with the certificates needed in the environment, and configure the container to use it
- C . Create a new truststore using a copy of the JVM container truststore and add the PingDS instances certificates to the new truststore
- D . Don’t add PingDS instances certificates to the JVM container truststore
Correct Answer: A
A
Explanation:
When configuring secure communication (LDAPS, HTTPS) in PingAM 8.0.2, managing the Truststore is a critical security task. The truststore contains the public certificates (trust anchors) of the servers PingAM needs to communicate with, such as PingDS or external Identity Providers.
The PingAM "Secure Network Communication" documentation outlines several best practices: Avoid Modifying the JVM Truststore: One should not add internal certificates (like those for PingDS) to the default JVM cacerts file (Option D is a best practice). This prevents pollution of the system-wide Java environment.
Use a Dedicated Truststore: Creating a fresh, minimal truststore containing only necessary certificates (Option B and C) ensures a "least privilege" approach to trust.
Why Statement A is NOT a best practice: Statement A suggests that you should copy the JVM truststore to isolate it from changes made to the JVM container’s truststore. In a production security context, this is a dangerous anti-pattern. The JVM’s default truststore (e.g., cacerts) is frequently updated by Java maintainers and OS vendors to include new Root CAs and, more importantly, to remove/revoke compromised or untrustworthy CAs. By making a static copy to "isolate" AM from these updates, an administrator inadvertently keeps obsolete or insecure certificates in AM’s trust list while missing out on critical security updates provided by the platform.
Best practice dictates that AM should point to a truststore that is intentionally managed. If isolation is needed, it should be achieved by creating a new store for internal certificates and potentially using the -Djavax.net.ssl.trustStore property to manage the hierarchy, rather than cloning the system-wide CA bundle to avoid "changes." Therefore, Option A is the correct answer as it describes a maintenance and security risk.
A
Explanation:
When configuring secure communication (LDAPS, HTTPS) in PingAM 8.0.2, managing the Truststore is a critical security task. The truststore contains the public certificates (trust anchors) of the servers PingAM needs to communicate with, such as PingDS or external Identity Providers.
The PingAM "Secure Network Communication" documentation outlines several best practices: Avoid Modifying the JVM Truststore: One should not add internal certificates (like those for PingDS) to the default JVM cacerts file (Option D is a best practice). This prevents pollution of the system-wide Java environment.
Use a Dedicated Truststore: Creating a fresh, minimal truststore containing only necessary certificates (Option B and C) ensures a "least privilege" approach to trust.
Why Statement A is NOT a best practice: Statement A suggests that you should copy the JVM truststore to isolate it from changes made to the JVM container’s truststore. In a production security context, this is a dangerous anti-pattern. The JVM’s default truststore (e.g., cacerts) is frequently updated by Java maintainers and OS vendors to include new Root CAs and, more importantly, to remove/revoke compromised or untrustworthy CAs. By making a static copy to "isolate" AM from these updates, an administrator inadvertently keeps obsolete or insecure certificates in AM’s trust list while missing out on critical security updates provided by the platform.
Best practice dictates that AM should point to a truststore that is intentionally managed. If isolation is needed, it should be achieved by creating a new store for internal certificates and potentially using the -Djavax.net.ssl.trustStore property to manage the hierarchy, rather than cloning the system-wide CA bundle to avoid "changes." Therefore, Option A is the correct answer as it describes a maintenance and security risk.
Question #37
Which of the following multi-factor authentication protocols are supported by PingAM?
A) Open authentication
B) Security questions
C) Web authentication
D) Universal 2nd factor authentication
E) Push authentication
- A . B, C, and D
- B . A, B, and E
- C . A, C, and E
- D . A, B, and C
Correct Answer: C
C
Explanation:
PingAM 8.0.2 provides a robust framework for Multi-Factor Authentication (MFA) centered around modern, secure protocols and the Intelligent Access (Authentication Trees) engine. When discussing supported "protocols" in the context of MFA in PingAM documentation, the focus is on standardized methods for secondary verification.
The primary supported MFA pillars in PingAM 8.0.2 are:
Open Authentication (OATH): AM supports the OATH standards, specifically TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password). This is implemented through the "OATH" authentication nodes, allowing users to use apps like ForgeRock Authenticator, Google Authenticator, or YubiKeys in OATH mode.
Web Authentication (WebAuthn): This is the implementation of the FIDO2 standard. It allows for passwordless and secure second-factor authentication using biometrics (like TouchID/FaceID) or hardware security keys (like YubiKeys). It is the successor to older standards and is natively supported via WebAuthn nodes.
Push Authentication: This is a proprietary but highly secure protocol used specifically with the ForgeRock/Ping Authenticator app. It allows a "Push" notification to be sent to a registered mobile device, which the user then approves or denies.
Why others are excluded from the selection: While PingAM supports Security Questions (KBA) and Universal 2nd Factor (U2F), they are often categorized differently in the 8.0.2 documentation. Security Questions are considered a "User Self-Service" or "Legacy" validation method rather than a modern MFA protocol. U2F is technically superseded by and included within the WebAuthn framework in PingAM 8.0.2. Thus, the most accurate grouping of distinct, core MFA protocols supported in the current version is A, C, and E, making Option C the correct answer.
C
Explanation:
PingAM 8.0.2 provides a robust framework for Multi-Factor Authentication (MFA) centered around modern, secure protocols and the Intelligent Access (Authentication Trees) engine. When discussing supported "protocols" in the context of MFA in PingAM documentation, the focus is on standardized methods for secondary verification.
The primary supported MFA pillars in PingAM 8.0.2 are:
Open Authentication (OATH): AM supports the OATH standards, specifically TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password). This is implemented through the "OATH" authentication nodes, allowing users to use apps like ForgeRock Authenticator, Google Authenticator, or YubiKeys in OATH mode.
Web Authentication (WebAuthn): This is the implementation of the FIDO2 standard. It allows for passwordless and secure second-factor authentication using biometrics (like TouchID/FaceID) or hardware security keys (like YubiKeys). It is the successor to older standards and is natively supported via WebAuthn nodes.
Push Authentication: This is a proprietary but highly secure protocol used specifically with the ForgeRock/Ping Authenticator app. It allows a "Push" notification to be sent to a registered mobile device, which the user then approves or denies.
Why others are excluded from the selection: While PingAM supports Security Questions (KBA) and Universal 2nd Factor (U2F), they are often categorized differently in the 8.0.2 documentation. Security Questions are considered a "User Self-Service" or "Legacy" validation method rather than a modern MFA protocol. U2F is technically superseded by and included within the WebAuthn framework in PingAM 8.0.2. Thus, the most accurate grouping of distinct, core MFA protocols supported in the current version is A, C, and E, making Option C the correct answer.
Question #38
What is the Default Failure Login URL?
- A . It is the default value of the gotoOnFail parameter
- B . It is the URL where users are redirected by default in case of failed authentication
- C . It is the URL value that is populated automatically when adding a Failure URL node to a tree
- D . It is the default URL of the page that displays authentication error messages
Correct Answer: B
B
Explanation:
In PingAM 8.0.2, the Default Failure Login URL is a global or realm-level configuration attribute that defines the fallback destination for a user whose authentication journey has ended unsuccessfully. According to the "Core Authentication Attributes" documentation:
When an authentication tree or chain completes with a "Failure" outcome, PingAM needs to know where to send the user’s browser. The logic follows a specific hierarchy:
If the initial request included a specific redirect parameter (like gotoOnFail), PingAM will use that. If the authentication tree ends with a Failure URL node, the URL configured in that specific node will be used.
If no specific instructions are provided at the request or tree level, PingAM reverts to the Default Failure Login URL.
This URL is typically configured to point back to the login page with an error flag (e.g., …/XUI/#login/&error=true) or to a custom help page where the user can find instructions on how to reset their password or contact the helpdesk. It is essentially the "safety net" for the user experience during a failed login attempt.
Option A is incorrect because gotoOnFail is a parameter that overrides the default, not the default itself.
Option C is incorrect as nodes are configured individually and do not "automatically populate" from global settings.
Option D is incorrect because the URL defines the destination of the redirect, not the internal error message display logic itself.
B
Explanation:
In PingAM 8.0.2, the Default Failure Login URL is a global or realm-level configuration attribute that defines the fallback destination for a user whose authentication journey has ended unsuccessfully. According to the "Core Authentication Attributes" documentation:
When an authentication tree or chain completes with a "Failure" outcome, PingAM needs to know where to send the user’s browser. The logic follows a specific hierarchy:
If the initial request included a specific redirect parameter (like gotoOnFail), PingAM will use that. If the authentication tree ends with a Failure URL node, the URL configured in that specific node will be used.
If no specific instructions are provided at the request or tree level, PingAM reverts to the Default Failure Login URL.
This URL is typically configured to point back to the login page with an error flag (e.g., …/XUI/#login/&error=true) or to a custom help page where the user can find instructions on how to reset their password or contact the helpdesk. It is essentially the "safety net" for the user experience during a failed login attempt.
Option A is incorrect because gotoOnFail is a parameter that overrides the default, not the default itself.
Option C is incorrect as nodes are configured individually and do not "automatically populate" from global settings.
Option D is incorrect because the URL defines the destination of the redirect, not the internal error message display logic itself.
Question #39
In order to support rollback in case of a failed PingAM upgrade in a two server PingDS environment, what PingDS safety measure can be configured?
- A . Keep both PingDS instances active, upgrade against both PingDS instances, and use the PingDS ./uninstall.sh backout script if required
- B . A PingAM upgrade in a two server PingDS environment does not support rollback
- C . Stop replication between the two PingDS servers, stop a PingDS instance, upgrade against the active PingDS instance, and simply start up the shutdown PingDS instance
- D . Stop replication between the two PingDS servers, stop a PingDS instance, upgrade against the active PingDS instance, and use the shutdown instance in case of rollback
Correct Answer: D
D
Explanation:
Upgrading PingAM 8.0.2 in an environment with multiple PingDS (Directory Server) instances requires a careful strategy to ensure data integrity and to allow for an immediate Rollback if the upgrade fails or introduces instability.6
According to the PingAM "Plan for Rollback" and "Upgrade in a Replicated Environment" documentation, the recommended safety measure involves isolating one of the data store nodes to act as a "time-capsule" of the pre-upgrade state. The process is as follows:
Stop Replication: Before starting the upgrade, administrators should disable or stop replication between the PingDS nodes. This prevents any schema changes or
moving to version 8.0.2), only the active node’s data is modified. data modifications performed during the AM upgrade from being propagated to the backup node.
Isolate a Node: One PingDS instance is shut down or taken out of the load balancer rotation. This instance remains in its original, healthy state.
Perform the Upgrade: The PingAM upgrade is performed against the remaining active PingDS instance. If the upgrade involves schema updates (which is common when Rollback Path: If the upgrade fails, the administrator can simply shut down the "corrupted" upgraded environment and restart the isolated PingDS instance along with the original PingAM WAR file. Because replication was stopped, the isolated node still contains the original configuration and user data.
Option D is the only answer that correctly identifies this "safety-net" architecture.
Option A is risky because a failed upgrade would corrupt both instances.
Option C is incomplete because simply "starting up" the shutdown instance after an upgrade doesn’t account for how you handle the discrepancy between the upgraded and non-upgraded nodes. The goal is to keep the shutdown instance as a valid, un-touched recovery point.
D
Explanation:
Upgrading PingAM 8.0.2 in an environment with multiple PingDS (Directory Server) instances requires a careful strategy to ensure data integrity and to allow for an immediate Rollback if the upgrade fails or introduces instability.6
According to the PingAM "Plan for Rollback" and "Upgrade in a Replicated Environment" documentation, the recommended safety measure involves isolating one of the data store nodes to act as a "time-capsule" of the pre-upgrade state. The process is as follows:
Stop Replication: Before starting the upgrade, administrators should disable or stop replication between the PingDS nodes. This prevents any schema changes or
moving to version 8.0.2), only the active node’s data is modified. data modifications performed during the AM upgrade from being propagated to the backup node.
Isolate a Node: One PingDS instance is shut down or taken out of the load balancer rotation. This instance remains in its original, healthy state.
Perform the Upgrade: The PingAM upgrade is performed against the remaining active PingDS instance. If the upgrade involves schema updates (which is common when Rollback Path: If the upgrade fails, the administrator can simply shut down the "corrupted" upgraded environment and restart the isolated PingDS instance along with the original PingAM WAR file. Because replication was stopped, the isolated node still contains the original configuration and user data.
Option D is the only answer that correctly identifies this "safety-net" architecture.
Option A is risky because a failed upgrade would corrupt both instances.
Option C is incomplete because simply "starting up" the shutdown instance after an upgrade doesn’t account for how you handle the discrepancy between the upgraded and non-upgraded nodes. The goal is to keep the shutdown instance as a valid, un-touched recovery point.