PAP-001 Exam Dumps - Certified Professional - PingAccess

To prevent CORS errors, administrators must configure aCross-Origin Request (CORS) Processing Rule. The secure practice is to allow thespecific trusted domain(www.anycompany.com ) and, when cookies or credentials are required, to enableAllow Credentials.

Exact Extract:

“For secure CORS, specify exact origins rather than wildcards. Enable ‘Allow Credentials’ when client-side resources must include cookies or authentication data.”

Option Ais incomplete — multiple values are possible, but in this case onlywww.anycompany.com is required.

Option Bis less secure — using a wildcard (*.anycompany.com) broadens exposure unnecessarily.

Option Cis insecure —*with credentials is disallowed by CORS specifications.

Option Dis correct — restricts access to the trusted domain and allows credentialed requests.

The Rule Set GroupC(ALL) requiresboth Rule Set A and Rule Set Bto evaluate to true.

Rule Set A (ALL)requirescan_read=yes.

Rule Set B (ANY)requireseitherOpt-in=yesORgroup=customerService.

Together in Rule Set Group C (ALL), both conditions must hold:

can_read=yesmust be present in the request.

User must have eitheropt-in=yesor be in thecustomerServicegroup.

This matchesOption Dexactly.

Option Ais incorrect; it requires both attributes in Rule Set B, but B is ANY (either is sufficient).

Option Bis incorrect; the “unless” wording is misleading — the parameter is always required because Rule Set A uses ALL.

Option Cis incorrect; same reasoning as above, B is ANY not AND.

Option Dis correct —can_read=yesAND(opt-in=yesORgroup=customerService).

PingAccess usesobfuscated keysto secure sensitive configuration values (like passwords). Theobfuscate.bat(Windows) orobfuscate.sh(Linux) script is used to generate a new key and protect sensitive data.

Exact Extract:

“Useobfuscate.[bat|sh]to generate a new obfuscation key for protecting configuration values.”

Option A (db-passwd-rotate.bat)is not a valid PingAccess script.

Option B (memoryoptions.bat)configures JVM memory, not encryption.

Option C (run.bat)starts PingAccess.

Option D (obfuscate.bat)is correct — it is used to protect sensitive configuration.

When applications require additional attributes:

TheWeb Sessionmust be configured to retrieve those attributes from the token provider (OIDC or PingFederate).

TheIdentity Mappingmust be updated to forward those attributes to the application (e.g., as headers).

Exact Extract:

“Web sessions define how user attributes are retrieved from the token provider. Identity mappings determine how those attributes are inserted into requests to applications.”

Option Ais not necessarily required; attributes can be retrieved via userinfo endpoint or access token, not only ID tokens.

Option Bis correct — Identity Mappings must be updated to pass attributes to the app.

Option Cis incorrect — Site Authenticators define how PingAccess authenticates to apps, not attribute handling.

Option Dis incorrect unless the architecture specifically requires access token updates; PingAccess often uses the Web Session to fetch attributes.

Option Eis correct — Web Session must be updated to retrieve additional attributes.

All onboarding in PingAccess begins with defining anApplication. Once the application exists, the administrator can defineResourceswithin it and assign different rules to those resources.

Exact Extract:

“Before you can configure resources and rules, you must first create an application in PingAccess.”

Option A (Identity Mapping)may be required later but not the first step.

Option B (Web Session)can be shared but is not the first onboarding step.

Option C (Application)is correct — the starting point for onboarding.

Option D (Resource)comes after creating the application.

When upgrading a PingAccess cluster, theAdmin Console node must always be upgraded firstbefore any replica admin or engine nodes. This ensures that the configuration and schema changes introduced in the new version are properly applied and replicated.

Exact Extract (from PingAccess documentation):

“In a clustered environment, you must first upgrade theadministrative console nodebefore upgrading any replica administrative nodes or engine nodes.”

Why A is correct:

A. Upgrade the Admin Console— This is correct because the admin console node acts as the configuration master in a PingAccess cluster. Upgrading it first ensures the new version schema is available to replicas and engines.

Why the other options are incorrect:

B. Disable cluster communication— This is not required for standard upgrades. Cluster communication remains in place to synchronize changes after the upgrade.

C. Disable Key Rolling— Key rolling is unrelated to the upgrade process. It is a feature used for key rotation, not version upgrades.

D. Upgrade the Replica Admin— This is incorrect because upgrading a replica admin before the primary administrative console is against the documented procedure and would cause replication issues.

PingAccess must trust the back-end site’s certificate to establish TLS. For internally issued certificates, the administrator imports thecertificate chaininto aTrusted Certificate Group.

Exact Extract:

“When a target site uses an internal CA, import the certificate or chain into a Trusted Certificate Group and assign that group to the site.”

Option Ais incorrect — the Java trust store does not contain the internal CA by default.

Option Bis incorrect — Key Pairs store private keys for SSL termination, not trusted CA certs.

Option Cis incorrect — engine listeners use key pairs for inbound SSL, not site trust.

Option Dis correct — the certificate must be imported into Trusted Certificate Groups.

To pass user attributes into HTTP headers for applications, PingAccess usesIdentity Mappings. When attributes need to be passed specifically as headers, the administrator must update theHeader Identity Mapping.

Exact Extract:

“Header identity mappings map attributes from a user’s web session to HTTP headers that are then sent to the back-end application.”

Option A (HTTP Request Header Rule)is incorrect — this adds or modifies static request headers, not user attributes.

Option B (Header Identity Mapping)is correct — this maps identity attributes into headers dynamically.

Option C (JWT Identity Mapping)is incorrect — that’s used for passing attributes as claims in JWTs.

Option D (Web Session Attribute Rule)is incorrect — that is for access control evaluation, not propagation of attributes.