Ping Identity Certified Professional - PingAccess PAP-001 Exam Questions

Page: 1 / 14
Total 70 questions
Question 1

A change is made to the configuration that prevents user access to an application. No one claims to have made the change. Which log file should the administrator use to determine who made the change?



Answer : D

Every call to the PingAccess administrative API is recorded in pingaccess_api_audit.log together with the authenticated subject, client address, HTTP method and request URI; changes made through the admin console are covered as well, because the console drives the same API. An administrator can therefore filter that file for successful PUT, POST or DELETE calls against the affected application to see who made the change and when.

Exact Extract:

''The pingaccess_api_audit.log file contains entries for all administrative API calls and is used to audit configuration changes.''

Option A (pingaccess.log) is the general application log (startup, runtime messages, errors); it does not record individual administrative API calls.

Option B (pingaccess_engine_audit.log) records the end-user requests and responses that the engine handles for proxied applications.

Option C (pingaccess_agent_audit.log) records traffic between PingAccess Agents and the engine, not administrative changes.

Option D (pingaccess_api_audit.log) is correct --- it records administrative API calls, including the subject that made each one.
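A worked check for this question, added here as an example and not taken from Ping Identity or the exam: a small script that scans pingaccess_api_audit.log for successful configuration-changing calls and reports the subject behind them. The column layout it parses (timestamp, exchange ID, client address, method, URI, authentication mechanism, subject, response code) is an assumption approximating the default pipe-delimited appender pattern, so confirm it against the log4j2 configuration of your own deployment; the log lines are constructed.

```python
"""Identify who changed PingAccess configuration from pingaccess_api_audit.log.

Added example (not Ping Identity code). ASSUMPTION: the pipe-delimited column
order below approximates the ApiAudit appender pattern; confirm it against the
log4j2 configuration of your own deployment and adjust FIELDS if it differs.
The log lines in SAMPLE_LOG are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed column order of one audit line (see docstring).
FIELDS = ("timestamp", "exchange_id", "client_address", "method",
          "request_uri", "auth_mech", "subject", "response_code")

# Only these methods change configuration; GET/HEAD/OPTIONS are reads.
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Default admin API prefix in current PingAccess deployments.
ADMIN_API_PREFIX = "/pa-admin-api/v3/"


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    exchange_id: str
    client_address: str
    method: str
    request_uri: str
    auth_mech: str
    subject: str
    response_code: int


def parse_line(line):
    """Parse one audit line; return None for blank or malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["response_code"] = int(rec["response_code"])
    except ValueError:
        return None
    return AuditEntry(**rec)


def config_changes(lines):
    """Successful mutating admin API calls, in log order."""
    changes = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.method not in MUTATING:
            continue
        if not entry.request_uri.startswith(ADMIN_API_PREFIX):
            continue
        # A 4xx/5xx call was rejected and did not alter configuration.
        if not 200 <= entry.response_code < 300:
            continue
        changes.append(entry)
    return changes


def who_changed(lines, uri_fragment):
    """Subjects that successfully modified a resource whose URI contains uri_fragment."""
    return sorted({e.subject for e in config_changes(lines)
                   if uri_fragment in e.request_uri})


# Constructed sample: an application update by jdoe, a rejected attempt by a
# contractor (403), and an unrelated rule deletion.
SAMPLE_LOG = """\
2024-03-04T09:12:01,101| 0a1b2c| 10.0.0.5| GET| /pa-admin-api/v3/applications/12| Basic| admin.ops| 200
2024-03-04T09:14:33,412| 0a1b2d| 10.0.0.5| PUT| /pa-admin-api/v3/applications/12| Basic| jdoe| 200
2024-03-04T09:14:40,002| 0a1b2e| 10.0.0.9| PUT| /pa-admin-api/v3/applications/12| Basic| contractor| 403
2024-03-04T09:20:00,777| 0a1b2f| 10.0.0.5| DELETE| /pa-admin-api/v3/rules/7| Basic| jdoe| 200
"""

if __name__ == "__main__":
    for e in config_changes(SAMPLE_LOG.splitlines()):
        print(f"{e.timestamp} {e.subject} {e.method} {e.request_uri} from {e.client_address}")
    print("changed /applications/12:", who_changed(SAMPLE_LOG.splitlines(), "/applications/12"))
```

Filtering on the response code matters: a rejected call (403) appears in the audit log too, so counting every PUT would blame the contractor whose change never took effect.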


Question 2

What is the purpose of the engine.ssl.protocols in the run.properties file?



Answer : C

The engine.ssl.protocols property in run.properties lists the TLS protocol versions the engine HTTPS listener will negotiate with browsers and other clients of proxied applications. The admin and agent listeners have their own admin.ssl.protocols and agent.ssl.protocols keys, so hardening the engine alone does not cover the whole deployment.

Exact Extract:

''The engine.ssl.protocols property configures which TLS versions are enabled for HTTPS listeners.''

Option A (ciphers) is incorrect --- cipher suites are controlled by the separate engine.ssl.ciphers property.

Option B (HTTPS port) is incorrect --- the port belongs to the engine HTTPS listener configuration, not to this property.

Option C (TLS versions) is correct --- this property controls which versions are accepted (for example TLSv1.2,TLSv1.3); removing TLSv1 and TLSv1.1 from the list is how the legacy versions are disabled.

Option D (clustering) is incorrect --- clustering does not depend on this property.
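An added example, not Ping Identity tooling, that audits all three protocol-list keys in run.properties rather than only engine.ssl.protocols, since a hardened engine listener is undone by an admin or agent listener that still accepts TLS 1.0. The run.properties excerpt is constructed, and which versions count as weak is this example's own policy choice.

```python
"""Audit the TLS protocol lists in a PingAccess run.properties file.

Added example (not Ping Identity tooling). engine.ssl.protocols,
admin.ssl.protocols and agent.ssl.protocols are the run.properties keys for the
engine, admin and agent HTTPS listeners; the file contents below are
constructed, and the set of versions treated as weak is this example's choice.
"""
import re

PROTOCOL_KEYS = ("engine.ssl.protocols", "admin.ssl.protocols", "agent.ssl.protocols")
WEAK = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
HARDENED_VALUE = "TLSv1.2,TLSv1.3"

# key = value / key: value; lines starting with # or ! are comments.
_KV = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal java.util.Properties reader (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_tls(text):
    """Return {key: finding} for every listener whose protocol list needs attention."""
    props = parse_properties(text)
    findings = {}
    for key in PROTOCOL_KEYS:
        if key not in props:
            findings[key] = "missing"
            continue
        enabled = [p.strip() for p in props[key].split(",") if p.strip()]
        weak = [p for p in enabled if p in WEAK]
        if weak:
            findings[key] = "weak: " + ",".join(weak)
    return findings


def harden(text):
    """Rewrite each protocol key to HARDENED_VALUE, appending keys that are absent."""
    present = set()
    out = []
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) in PROTOCOL_KEYS:
            present.add(m.group(1))
            out.append(f"{m.group(1)}={HARDENED_VALUE}")
        else:
            out.append(line)
    for key in PROTOCOL_KEYS:
        if key not in present:
            out.append(f"{key}={HARDENED_VALUE}")
    return "\n".join(out) + "\n"


# Constructed run.properties excerpt: the engine listener still accepts TLS 1.0/1.1
# and the agent listener key is missing altogether.
WEAK_RUN_PROPERTIES = """\
# PingAccess run.properties (excerpt, constructed)
engine.http.port=3000
engine.ssl.protocols=TLSv1,TLSv1.1,TLSv1.2
admin.ssl.protocols=TLSv1.2,TLSv1.3
"""

if __name__ == "__main__":
    print(audit_tls(WEAK_RUN_PROPERTIES))
    print(harden(WEAK_RUN_PROPERTIES))
```

A "missing" finding is reported rather than silently accepted because the effective protocol list then depends on the JVM defaults, which is exactly the kind of implicit setting an audit should surface.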


Question 3

According to a new business requirement, critical applications require dual-factor authentication when specific resources are accessed in those applications. Which configuration object should the administrator use in the applications?



Answer : C

PingAccess enforces step-up or multi-factor authentication with Authentication Requirements: an ordered list of ACR values that an Authentication Requirements rule attaches to specific resources within an application. When a user reaches such a resource without a session at the required level, PingAccess sends the user back to the token provider requesting the matching acr_values and accepts the new session only if the acr claim in the id_token satisfies the requirement.

Exact Extract:

''Authentication requirements allow administrators to configure additional authentication (for example, MFA) when accessing sensitive application resources.''

Option A (UI Authentication) controls how administrators sign in to the admin console and API, not how users authenticate to application resources.

Option B (Auth Token Management) configures the issuer and key rolling for the identity tokens PingAccess signs for back-end applications (JWT identity mappings); it does not enforce MFA for users.

Option C (Authentication Requirements) is correct --- applied through a rule to specific resources, they require a given authentication level (such as MFA) before access is granted.

Option D (Authentication Challenge Policy) decides how PingAccess responds to an unauthenticated request (for example, a redirect to the login page, or a 401 for an API or single-page-application client); it does not raise the required authentication level.


Question 4

A company uses an internally based legacy PKI solution that does not adhere to the Certification Path Validation section of RFC-5280. Which configuration option needs to be enabled when creating Trusted Certificate Groups in PingAccess?



Answer : B

Legacy PKIs often present certificate chains whose certificates are not in the leaf-to-root order that RFC 5280 path validation expects. Trusted Certificate Groups in PingAccess have a Validate disordered certificate chains option so that a chain that is complete but presented out of order can still be validated and accepted.

Exact Extract:

''Enable Validate disordered certificate chains when the certificate chain is not in RFC-5280 compliant order but should still be accepted.''

Option A is incorrect; Use Java Trust Store only adds the JVM's bundled CA certificates to the group and has nothing to do with chain ordering.

Option B is correct --- this setting lets PingAccess accept chains whose certificates are not in RFC-5280 order.

Option C is incorrect; Skip certificate date check relaxes validity-period checking, which is unrelated to path ordering and weakens security for no gain here.

Option D is incorrect; Deny when unable to determine revocation status concerns OCSP/CRL results, not the order of the chain.
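To make the ordering problem concrete, here is an added example (not PingAccess code) of why a strict leaf-to-root check rejects a complete but disordered chain, and how rebuilding the path by issuer lookup, which is in effect what the option permits, accepts it while still rejecting a chain with a missing intermediate. Certificates are modelled by subject and issuer name only; signatures, validity periods and constraints, which a real validator must also check, are out of scope, and the names are constructed.

```python
"""Why a disordered certificate chain fails strict RFC 5280 ordering and how
path building tolerates it.

Added example (not PingAccess code). Certificates are modelled only by subject
and issuer name: no signatures, validity dates, key usage or name constraints
are checked, which a real validator must also do. The names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def is_self_signed(self):
        return self.subject == self.issuer


def validate_ordered(chain, anchors):
    """Strict check: chain[0] is the end-entity cert and each cert is issued by
    the next one; the last cert must be, or be issued by, a trust anchor."""
    if not chain:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    last = chain[-1]
    return last.subject in anchors or last.issuer in anchors


def find_leaf(chain):
    """The end-entity cert is the one that issued no other cert in the chain."""
    issuers = {c.issuer for c in chain if not c.is_self_signed()}
    leaves = [c for c in chain if c.subject not in issuers]
    return leaves[0] if len(leaves) == 1 else None


def build_path(chain):
    """Re-link the chain leaf-to-root by issuer lookup, whatever order it arrived in."""
    by_subject = {c.subject: c for c in chain}
    cur = find_leaf(chain)
    path, seen = [], set()
    while cur is not None and cur.subject not in seen:
        path.append(cur)
        seen.add(cur.subject)
        if cur.is_self_signed():
            break
        cur = by_subject.get(cur.issuer)
    return path


def validate_disordered(chain, anchors):
    """Tolerant check: order the chain first, then apply the strict validation."""
    return validate_ordered(build_path(chain), anchors)


# Constructed legacy PKI: the server sends intermediate, root, leaf (wrong order).
LEAF = Cert("CN=app.corp.example", "CN=Legacy Issuing CA")
INTERMEDIATE = Cert("CN=Legacy Issuing CA", "CN=Legacy Root CA")
ROOT = Cert("CN=Legacy Root CA", "CN=Legacy Root CA")
DISORDERED = [INTERMEDIATE, ROOT, LEAF]
ANCHORS = {"CN=Legacy Root CA"}

if __name__ == "__main__":
    print("strict:", validate_ordered(DISORDERED, ANCHORS))
    print("reordered:", [c.subject for c in build_path(DISORDERED)])
    print("tolerant:", validate_disordered(DISORDERED, ANCHORS))
```

Note that tolerating disorder is not the same as tolerating gaps: a chain with the intermediate missing still has no path to the anchor and is rejected either way.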


Question 5

Users report the following about access to an application:

Inconsistent behavior depending on the browser used

Denied access

Prompt to accept a security exception

Which configuration option should the administrator adjust?



Answer : B

Modern browsers apply SameSite rules to cookies, and their defaults differ (Chromium-based browsers, for instance, treat a cookie with no SameSite attribute as Lax). A web session cookie whose SameSite setting does not suit the application's cross-site redirects is therefore sent by some browsers and withheld by others; when it is withheld the user arrives without a session and is denied or bounced through the login flow again, which is the browser-dependent behaviour described. The SameSite Cookie setting on the Web Session controls the attribute PingAccess puts on its session cookie. Note that SameSite=None is only honoured when the cookie is also marked Secure, which requires HTTPS.

Exact Extract:

''The SameSite cookie setting defines how browsers send cookies in cross-site requests. Misconfigured SameSite values can lead to inconsistent application behavior across browsers.''

Option A (Enable PKCE) hardens the OAuth authorization code exchange; it has no effect on browser cookie handling.

Option B (SameSite Cookie) is correct --- it is the Web Session setting that determines how browsers treat the session cookie on cross-site requests, which is what varies by browser.

Option C (Request Preservation) keeps the original request, including POST data, across the login redirect; it does not change cookie handling.

Option D (Validate Session) checks the PingAccess session against the token provider's session and is unrelated to browser differences.


Question 6

PingAccess will terminate SSL for multiple proxied applications that share the customer.com URL domain. The administrator needs different ways to minimize the number of SSL certificates to manage these user-facing applications.

What are two ways this requirement can be met? (Choose 2 answers.)



Answer : B, C

PingAccess terminates TLS for proxied applications on the engine HTTPS listener, so the key pair assigned there must cover every user-facing hostname. To keep the number of certificates down, the administrator can:

Use a wildcard certificate (for example *.customer.com), which covers any single-label hostname under customer.com.

Use a Subject Alternative Name (SAN) certificate that explicitly lists each FQDN (app1.customer.com, app2.customer.com, and so on), including names a wildcard would not match.

Exact Extract:

''PingAccess engine listeners can use certificates containing either wildcard entries or Subject Alternative Names to secure multiple applications under a single domain.''

Option A is incorrect --- assigning unique key pairs increases, not decreases, certificate management overhead.

Option B is correct --- a wildcard certificate covers sibling hostnames such as app1.customer.com and app2.customer.com (but not the bare customer.com or a deeper name such as api.app1.customer.com).

Option C is correct --- a SAN certificate lists multiple FQDNs explicitly, so one certificate serves several applications.

Option D is incorrect --- the agent listener terminates TLS only for PingAccess Agent-to-engine traffic, not for user-facing proxied applications.

Option E is incorrect for the same reason --- agent listeners play no part in serving user-facing applications.
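Before choosing between a wildcard and a SAN certificate it pays to check exactly which hostnames each would cover. The following is an added example, not PingAccess code, implementing the RFC 6125 matching rules that browsers apply (a wildcard must be the whole leftmost label, stands for exactly one label, and the CN is ignored once a SAN extension is present); the certificates and hostnames are constructed.

```python
"""Check which user-facing hostnames a wildcard or SAN certificate actually covers.

Added example (not PingAccess code). Matching follows the RFC 6125 rules that
browsers apply: a wildcard must be the whole leftmost label, matches exactly one
label, and the CN is ignored when a SAN extension is present. Certificate
contents and hostnames are constructed.
"""


def hostname_matches(pattern, hostname):
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a bare '*' as the entire leftmost label is accepted; partial
    # wildcards such as 'app*.customer.com' are rejected, as modern clients do.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse overly broad wildcards such as '*.com'.
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label: no apex, no deeper subdomains.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(cert, hostname):
    """cert = {'cn': str, 'san_dns': [str, ...]}; SAN wins over CN when present."""
    names = cert.get("san_dns") or ([cert["cn"]] if cert.get("cn") else [])
    return any(hostname_matches(n, hostname) for n in names)


def uncovered(cert, hostnames):
    """Hostnames in the deployment that the certificate would not match."""
    return [h for h in hostnames if not cert_covers(cert, h)]


# Constructed certificates and hostnames for the customer.com deployment.
WILDCARD_CERT = {"cn": "*.customer.com", "san_dns": ["*.customer.com"]}
SAN_CERT = {"cn": "app1.customer.com",
            "san_dns": ["app1.customer.com", "app2.customer.com",
                        "api.app1.customer.com", "customer.com"]}
HOSTS = ["app1.customer.com", "app2.customer.com",
         "api.app1.customer.com", "customer.com"]

if __name__ == "__main__":
    print("wildcard misses:", uncovered(WILDCARD_CERT, HOSTS))
    print("SAN misses:", uncovered(SAN_CERT, HOSTS))
```

Run against the constructed list, the wildcard certificate misses both the apex customer.com and the two-level api.app1.customer.com, which is why deployments with nested hostnames usually end up with a SAN certificate, or a wildcard certificate that also carries the extra names in its SAN.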


Question 7

For a Web Application, the id_token must be transmitted through a back channel with the OIDC standards-based approach. Which action should the administrator perform in the Web Session to meet this requirement?



Answer : A

To keep the id_token off the browser, the Web Session must use the Authorization Code flow (OIDC Login Type = Code). The browser then carries only a short-lived, single-use authorization code back to PingAccess, and PingAccess redeems it at the token provider's token endpoint in a direct server-to-server (back-channel) request, authenticated with its client credentials, to obtain the id_token.

Exact Extract:

''For back-channel transmission of ID tokens, configure the OIDC login type as Authorization Code.''

Option A is correct --- setting the OIDC Login Type to Code ensures the id_token is delivered over the back channel.

Option B is incorrect --- request preservation concerns request method persistence, not OIDC flow.

Option C is incorrect --- POST is a valid OIDC Login Type in PingAccess, but it uses the implicit profile with the token returned to PingAccess by a browser form POST, so the id_token crosses the front channel and the requirement is not met.

Option D is incorrect --- request preservation has no bearing on token delivery.
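The difference between the Code and POST login types is where the id_token travels. The following added example (not PingAccess or PingFederate code) models both sides of each exchange: TokenIssuer is a toy OpenID Provider standing in for PingFederate, the id_token is an unsigned stand-in for a JWT, and the client ID, client secret and subject are constructed. A real relying party would also verify the token signature, issuer, audience and nonce, which this example omits.

```python
"""Where the id_token travels under the Code login type versus the POST
(implicit, form_post) login type.

Added example (not PingAccess or PingFederate code). TokenIssuer is a toy
OpenID Provider standing in for PingFederate, the id_token is an unsigned
stand-in for a JWT, and client_id/secret and subject names are constructed.
"""
import base64
import hmac
import json
import secrets


class TokenIssuer:
    def __init__(self, client_id, client_secret):
        self.client_id = client_id
        self.client_secret = client_secret
        self._codes = {}  # outstanding authorization codes -> (subject, nonce)

    def _id_token(self, subject, nonce):
        # A real OP signs this; here the payload is merely base64url-encoded.
        payload = {"iss": "https://pf.example.invalid", "sub": subject,
                   "aud": self.client_id, "nonce": nonce}
        raw = json.dumps(payload, separators=(",", ":")).encode()
        return "idtoken." + base64.urlsafe_b64encode(raw).decode().rstrip("=")

    def authorize(self, response_type, subject, nonce, state):
        """Front channel: the parameters the browser carries back to the RP's redirect URI."""
        if response_type == "code":
            code = secrets.token_urlsafe(16)
            self._codes[code] = (subject, nonce)
            return {"code": code, "state": state}
        if response_type == "id_token":
            # Implicit profile with response_mode=form_post: the token itself goes through the browser.
            return {"id_token": self._id_token(subject, nonce), "state": state}
        raise ValueError(f"unsupported response_type {response_type}")

    def token(self, code, client_id, client_secret):
        """Back channel: only the RP calls this, authenticated with its client secret."""
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise PermissionError("client authentication failed")
        subject, nonce = self._codes.pop(code, (None, None))  # codes are single use
        if subject is None:
            raise PermissionError("unknown or already redeemed code")
        return {"id_token": self._id_token(subject, nonce), "token_type": "Bearer"}


def run_flow(login_type, subject="alice"):
    """Return (parameter names the browser saw, what the RP holds, whether code replay was rejected)."""
    op = TokenIssuer("pa-web-session", "constructed-client-secret")
    nonce, state = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    if login_type == "Code":
        front = op.authorize("code", subject, nonce, state)
        rp_tokens = op.token(front["code"], "pa-web-session", "constructed-client-secret")
        try:
            op.token(front["code"], "pa-web-session", "constructed-client-secret")
            replay_rejected = False
        except PermissionError:
            replay_rejected = True
    elif login_type == "POST":
        front = op.authorize("id_token", subject, nonce, state)
        rp_tokens = {"id_token": front["id_token"]}
        replay_rejected = None  # no authorization code is involved
    else:
        raise ValueError(f"unknown login type {login_type}")
    return set(front), rp_tokens, replay_rejected


if __name__ == "__main__":
    for lt in ("Code", "POST"):
        seen, tokens, replay = run_flow(lt)
        print(f"{lt}: browser saw {sorted(seen)}, RP holds {sorted(tokens)}, replay rejected: {replay}")
```

Under Code the browser relays only the authorization code, a replayed code is refused, and the RP must present its client secret to redeem it; under POST the id_token itself is in the form the browser submits, so anything running in the page can read it.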

