Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. Ping Identity
  3. PAP-001

Ping Identity PAP-001 Exam (page: 1)
Ping Identity Certified Professional - PingAccess
Updated on: 24-Mar-2026

Viewing Page 1 of 10
PAP-001 PDF 70 Questions

What is the purpose of the admin.auth configuration setting?

  1. To configure SSO for the administrative user interface.
  2. To define the method to use for authenticating to the administrative API.
  3. To override the SSO configuration for the administrative user interface.
  4. To enable automatic authentication to the PingAccess administrative console.

Answer(s): C

Explanation:

The admin.auth setting in the run.properties file is used to specify a fallback authentication method for the administrative console.
Exact Extract from official documentation:
"To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication." This makes it clear that the purpose of admin.auth is to override any configured SSO for the admin UI and enforce native (basic) authentication instead.
Option A is incorrect because the admin.auth setting does not configure SSO. SSO for the admin UI is configured separately.
Option B is incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.
Option C is correct because it directly reflects the documented behavior: admin.auth overrides SSO configuration for the administrative UI and enables native authentication. Option D is incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.


Reference:

PingAccess User Interface Reference Guide ­ Configuring Admin UI SSO Authentication



An administrator is setting up a new PingAccess cluster with the following:

· Administrative node hostname: pa-admin.company.com
· Replica administrative node hostname: pa-admin2.company.com Which two options in the certificate would be valid for the administrative node key pair? (Choose 2.)

  1. Issuer = pa-admin.company.com
  2. Subject = *.company.com
  3. Subject = pa-admin.company.com
  4. Subject Alternative Names = pa-admin.company.com, pa-admin2.company.com
  5. Subject = pa-admin2.company.com

Answer(s): B,D

Explanation:

Exact Extract (from PingAccess documentation):
"The key pair that you create for the CONFIG QUERY listener must include both the administrative node and the replica administrative node. To make sure the replica administrative node is included, you can either use a wildcard certificate or define subject alternative names in the key pair that use the replica administrative node's DNS name."
Why B and D are correct:
*B . Subject = .company.com -- A wildcard certificate for *.company.com is valid for both pa- admin.company.com and pa-admin2.company.com, satisfying the documented requirement that the key pair include both hostnames for the CONFIG QUERY listener. D . Subject Alternative Names = pa-admin.company.com, pa-admin2.company.com -- Explicitly placing both DNS names in the SAN extension also satisfies the requirement that the certificate cover both the administrative node and the replica administrative node.

Why the other options are incorrect:
A . Issuer = pa-admin.company.com -- The Issuer field identifies the certificate authority (CA) that signed the certificate, not the service hostname. Setting the issuer to a host value is not how X.509 server certificates are validated and would not meet the hostname matching requirement. C . Subject = pa-admin.company.com -- While this covers the administrative node, it does not include the replica administrative node. Without a wildcard or SAN entries, it fails the requirement that the key pair include both hostnames.
E . Subject = pa-admin2.company.com -- Similarly, this would only cover the replica administrative node and not the primary administrative node, failing the requirement.


Reference:

Configuring replica administrative nodes (PingAccess User Interface Reference Guide) Configuring a PingAccess cluster (PingAccess documentation) Certificates (PingAccess User Interface Reference Guide)



An organization wants to take advantage of a new product feature that requires upgrading the PingAccess cluster from 7.3 to the current version. The administrator downloads the required files and places the files on the PingAccess servers.
What should the administrator do next?

  1. Upgrade the Admin Console.
  2. Disable cluster communication.
  3. Disable Key Rolling.
  4. Upgrade the Replica Admin.

Answer(s): A

Explanation:

When upgrading a PingAccess cluster, the Admin Console node must always be upgraded first before any replica admin or engine nodes. This ensures that the configuration and schema changes introduced in the new version are properly applied and replicated.
Exact Extract (from PingAccess documentation):
"In a clustered environment, you must first upgrade the administrative console node before upgrading any replica administrative nodes or engine nodes." Why A is correct:
A . Upgrade the Admin Console -- This is correct because the admin console node acts as the configuration master in a PingAccess cluster. Upgrading it first ensures the new version schema is available to replicas and engines.
Why the other options are incorrect:
B . Disable cluster communication -- This is not required for standard upgrades. Cluster communication remains in place to synchronize changes after the upgrade. C . Disable Key Rolling -- Key rolling is unrelated to the upgrade process. It is a feature used for key rotation, not version upgrades.
D . Upgrade the Replica Admin -- This is incorrect because upgrading a replica admin before the primary administrative console is against the documented procedure and would cause replication issues.


Reference:

Upgrading PingAccess in a Clustered Environment (PingAccess Upgrade Guide) PingAccess Administration Guide ­ Upgrade Process



Where in the administrative console should an administrator make user attributes available as HTTP request headers?

  1. Site Authenticators
  2. Identity Mappings
  3. Web Sessions
  4. HTTP Requests

Answer(s): B

Explanation:

PingAccess uses Identity Mappings to take identity attributes provided by the authentication source

(e.g., PingFederate, OpenID Connect) and map them into HTTP request headers for back-end applications.
Exact Extract:
"An identity mapping allows you to map identity attributes from the user's session to HTTP headers, cookies, or query parameters that are then forwarded to the target application." Option A (Site Authenticators) is incorrect because Site Authenticators configure how PingAccess communicates with applications requiring authentication, not how attributes are inserted into headers.
Option B (Identity Mappings) is correct -- this is the feature designed specifically to expose user attributes to applications via HTTP headers.
Option C (Web Sessions) manages how sessions are stored and validated, but not the mapping of attributes into requests.
Option D (HTTP Requests) refers to request/response processing rules, but attributes are not mapped here.


Reference:

PingAccess Administration Guide ­ Identity Mapping



An application requires MFA for URLs that are considered high risk.
Which action should the administrator take to meet this requirement?

  1. Create an Authentication Requirement named MFA_Required.
  2. Apply an Authentication Requirements rule to the resource.
  3. Apply a Web Session Attribute rule to the resource.
  4. Apply an HTTP Request Parameter rule to the resource.

Answer(s): B

Explanation:

PingAccess allows fine-grained authentication enforcement by applying Authentication Requirement rules at the resource level. These rules can invoke MFA flows based on request context or policy.
Exact Extract:
"Authentication requirement rules determine whether PingAccess challenges a user to authenticate again (for example, with MFA) before allowing access to a protected resource."

Option A is incomplete. Creating a requirement does nothing unless it is applied. Option B is correct because applying the Authentication Requirement rule to the specific resource (URL) enforces MFA only for that resource.
Option C is incorrect; Web Session Attribute rules are about evaluating existing session attributes, not triggering MFA.
Option D is incorrect; HTTP Request Parameter rules are used to evaluate request data, not enforce MFA policies.


Reference:

PingAccess Administration Guide ­ Authentication Requirements



All style sheets should be accessible to all users without authentication across all applications.
Which configuration option should the administrator use?

  1. Define a Protocol Source for the resource.
  2. Define Authentication Challenge Policy of none for the resource.
  3. Define Global Unprotected Resources for the resource.
  4. Define a Default Availability Profile of on-demand for the resource.

Answer(s): C

Explanation:

The correct way to ensure resources such as CSS files, images, or JavaScript are accessible without authentication across all applications is to configure Global Unprotected Resources.
Exact Extract:
"Global unprotected resources define resources that do not require authentication and are accessible to all clients across applications."
Option A is incorrect; Protocol Sources define back-end host connections, not authentication. Option B would apply only per-resource, not across all applications. Option C is correct -- Global Unprotected Resources are designed for this exact purpose. Option D (Availability Profile) is related to application health checks and availability, not authentication.


Reference:

PingAccess Administration Guide ­ Global Unprotected Resources



An administrator is preparing to rebuild an unrecoverable primary console and must promote the replica admin node.
Which two actions must the administrator take? (Choose 2 answers.)

  1. Change pa.operational.mode to CLUSTERED_CONSOLE_REPLICA on one of the engine nodes.
  2. Restart all nodes in the cluster.
  3. Change pa.operational.mode to CLUSTERED_CONSOLE on the replica admin node.
  4. Restart the replica admin node.
  5. Modify bootstrap.properties and set the engine.admin.configuration.host value to point at the replica admin node.

Answer(s): C,E

Explanation:

From the "Promoting the replica administrative node" documentation:
Exact Extract:
"Open the <PA_HOME>/conf/run.properties file in a text editor. Locate the pa.operational.mode line and change the value from CLUSTERED_CONSOLE_REPLICA to CLUSTERED_CONSOLE. These properties are case-sensitive. Do not restart the replica node during the promotion process." Ping Identity Documentation
Also from the documentation under "Next steps" / manual promotion / "Using the admin API ..." When promoting the replica, there is also mention of setting the new host-port in the primary admin configuration so that engine nodes and configuration references now point to the promoted replica. One of the API properties is editRunPropertyFile (to flip the mode), another is editPrimaryHostPort, which causes the primary-admin host setting to be updated. Ping Identity Documentation Using those facts:
Why C is correct:
Option C says: Change pa.operational.mode to CLUSTERED_CONSOLE on the replica admin node. This directly matches the documented manual promotion step: switch pa.operational.mode from CLUSTERED_CONSOLE_REPLICA CLUSTERED_CONSOLE. Ping Identity Documentation+1 This is essential for promoting the replica to primary console.
Why E is correct:
Option E: Modify bootstrap.properties and set the engine.admin.configuration.host value to point at the replica admin node.
While the documentation doesn't always name the exact property engine.admin.configuration.host, the "promote via admin API" includes updating the "primary host:port" in the configuration so that engine nodes' configuration queries (or whatever is used by engines) point to the new primary. This maps to ensuring that engine nodes know that the promoted replica is now the administrative node. This requiring modifying the bootstrap or configuration that engine nodes use to find the administrative host is essential. Ping Identity Documentation Why the other options are incorrect:
A . Change pa.operational.mode to CLUSTERED_CONSOLE_REPLICA on one of the engine nodes. No. Engine nodes should have pa.operational.mode = CLUSTERED_ENGINE, not console modes. CLUSTERED_CONSOLE_REPLICA is an admin/replica console mode, not applicable for engines.
docs.ping.directory+2Ping Identity Documentation+2
B . Restart all nodes in the cluster.
The documentation explicitly says do not restart the replica node during the promotion process because restart can cause file corruption or failure to properly promote. Only certain restarts are needed after configuration updates. So restarting all nodes is not a correct required action. Ping Identity Documentation
D . Restart the replica admin node.
As above, for manual promotion, a restart of the replica admin node is not required (and is even discouraged during the promotion process). The change in run.properties is detected without restarting. Ping Identity Documentation


Reference:

PingAccess Reference Guide ­ Promoting the replica administrative node / Manually promoting the replica administrative node Ping Identity Documentation+1



An administrator needs to reduce the number of archive backups that are maintained in the data/archive folder.
Which file does the administrator need to modify to make this change?

  1. log4j2.db.properties
  2. jvm-memory.options
  3. run.properties
  4. log4j2.xml

Answer(s): C

Explanation:

PingAccess retains backup archives of its configuration in the data/archive directory. The number of retained backups is controlled in the run.properties file.
Exact Extract:
"The number of configuration backups retained in the data/archive directory is controlled by the archive.maxCount property in run.properties."
Option A (log4j2.db.properties) is incorrect; this file controls database logging, not archive retention. Option B (jvm-memory.options) is incorrect; this file sets JVM heap and memory arguments. Option C (run.properties) is correct -- it contains system-level settings including archive.maxCount. Option D (log4j2.xml) is incorrect; this file configures log appenders and levels, not archive backups.


Reference:

PingAccess Administration Guide ­ Configuration Backup Management



Viewing Page 1 of 10



Share your comments for Ping Identity PAP-001 exam with other users:

Rizwan 1/6/2024 2:18:00 AM

very helpful
INDIA


Yady 5/24/2023 10:40:00 PM

these questions look good.
SINGAPORE


Kettie 10/12/2023 1:18:00 AM

this is very helpful content
Anonymous


SB 7/21/2023 3:18:00 AM

please provide the dumps
UNITED STATES


David 8/2/2023 8:20:00 AM

it is amazing
Anonymous


User 8/3/2023 3:32:00 AM

quesion 178 about "a banking system that predicts whether a loan will be repaid is an example of the" the answer is classification. not regresion, you should fix it.
EUROPEAN UNION


quen 7/26/2023 10:39:00 AM

please upload apache spark dumps
Anonymous


Erineo 11/2/2023 5:34:00 PM

q14 is b&c to reduce you will switch off mail for every single alert and you will switch on daily digest to get a mail once per day, you might even skip the empty digest mail but i see this as a part of the daily digest adjustment
Anonymous


Paul 10/21/2023 8:25:00 AM

i think it is good question
Anonymous


Unknown 8/15/2023 5:09:00 AM

good for students who wish to give certification.
INDIA


Ch 11/20/2023 10:56:00 PM

is there a google drive link to the images? the links in questions are not working.
AUSTRALIA


Joey 5/16/2023 5:25:00 AM

very promising, looks great, so much wow!
Anonymous


alaska 10/24/2023 5:48:00 AM

i scored 87% on the az-204 exam. thanks! i always trust
GERMANY


nnn 7/9/2023 11:09:00 PM

good need more
Anonymous


User-sfdc 12/29/2023 7:21:00 AM

sample questions seems good
Anonymous


Tamer dam 8/4/2023 10:21:00 AM

huawei is ok
UNITED STATES


YK 12/11/2023 1:10:00 AM

good one nice
JAPAN


de 8/28/2023 2:38:00 AM

please continue
GERMANY


DMZ 6/25/2023 11:56:00 PM

this exam dumps just did the job. i donot want to ruffle your feathers but your exam dumps and mock test engine is amazing.
UNITED KINGDOM


Jose 8/30/2023 6:14:00 AM

nice questions
PORTUGAL


Tar01 7/24/2023 7:07:00 PM

the explanation are really helpful
Anonymous


DaveG 12/15/2023 4:50:00 PM

just passed my exam yesterday on my first attempt. these dumps were extremely helpful in passing first time. the questions were very, very similar to these questions!
Anonymous


A.K. 6/30/2023 6:34:00 AM

cosmos db is paas not saas
Anonymous


S Roychowdhury 6/26/2023 5:27:00 PM

what is the percentage of common questions in gcp exam compared to 197 dump questions? are they 100% matching with real gcp exam?
Anonymous


Bella 7/22/2023 2:05:00 AM

not able to see questions
Anonymous


Scott 9/8/2023 7:19:00 AM

by far one of the best sites for free questions. i have pass 2 exams with the help of this website.
CANADA


donald 8/19/2023 11:05:00 AM

excellent question bank.
Anonymous


Ashwini 8/22/2023 5:13:00 AM

it really helped
Anonymous


sk 5/13/2023 2:07:00 AM

excelent material
INDIA


Christopher 9/5/2022 10:54:00 PM

the new versoin of this exam which i downloaded has all the latest questions from the exam. i only saw 3 new questions in the exam which was not in this dump.
CANADA


Sam 9/7/2023 6:51:00 AM

question 8 - can cloudtrail be used for storing jobs? based on aws - aws cloudtrail is used for governance, compliance and investigating api usage across all of our aws accounts. every action that is taken by a user or script is an api call so this is logged to [aws] cloudtrail. something seems incorrect here.
UNITED STATES


Tanvi Rajput 8/14/2023 10:55:00 AM

question 13 tda - c01 answer : quick table calculation -> percentage of total , compute using table down
UNITED KINGDOM


PMSAGAR 9/19/2023 2:48:00 AM

pls share teh dump
UNITED STATES


zazza 6/16/2023 10:47:00 AM

question 44 answer is user risk
ITALY