Ping Identity PT-AM-CPE Exam (page: 2)
Ping Identity Certified Professional - PingAM
Updated on: 24-Mar-2026

Viewing Page 2 of 14

Consider the following LDAP connection string:
DS1.example.com:389|01, DS2.example.com:389|01, DS2.example.com:389|02, DS1.example.com:389|02
This connection string can be used in:

(A). Identity Store
(B). Core Token Service
(C). Configuration Data Store

Which of the above options are correct?

  1. Only A is correct
  2. Only B is correct
  3. Only C is correct
  4. A, B, and C are correct

Answer(s): B

Explanation:

The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication lag issues, where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node, PingAM uses "Affinity." According to the "CtsDataStoreProperties" and "CTS Deployment Architectures" documentation, this specialized string allows the AM instance to prioritize connections based on the Server ID and Site ID. The pipe (|) characters signify the optional affinity parameters:
01/02: These represent the Server IDs of the underlying Directory Servers.
Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.
While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use of server and site IDs within the connection string itself to manage LDAP request routing is a hallmark of the CTS affinity configuration. The documentation explicitly states that "Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]" within the context of CTS external store configuration. Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.
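A parser for the HOST:PORT[|SERVERID[|SITEID]] syntax quoted above, run over the question's sample string. This is an added example, not code from the exam page or from PingAM; the selection rule in selectServers (prefer entries tagged with the caller's server ID, then its site ID, then untagged entries) is an assumption made for illustration, not PingAM's documented routing logic.

```javascript
// Added example (not from the exam page or PingAM): parse and validate the
// HOST:PORT[|SERVERID[|SITEID]] CTS connection-string syntax.

// Sample string constructed from the question above.
const SAMPLE = 'DS1.example.com:389|01, DS2.example.com:389|01, DS2.example.com:389|02, DS1.example.com:389|02';

// Split a comma-separated connection string into validated entries.
// Each entry must have a host and a numeric port; the two "|" fields are optional.
function parseConnectionString(input) {
  return input
    .split(',')
    .map((raw) => raw.trim())
    .filter(Boolean)
    .map((item) => {
      const [hostPort, serverId, siteId, ...extra] = item.split('|');
      if (extra.length) throw new Error(`too many "|" fields in "${item}"`);
      const colon = hostPort.lastIndexOf(':');
      if (colon < 1) throw new Error(`missing host or port in "${item}"`);
      const host = hostPort.slice(0, colon);
      const port = Number(hostPort.slice(colon + 1));
      if (!Number.isInteger(port) || port < 1 || port > 65535) {
        throw new Error(`invalid port in "${item}"`);
      }
      return { host, port, serverId: serverId || null, siteId: siteId || null };
    });
}

// Assumed selection rule for illustration only: entries tagged with the caller's
// server ID win; otherwise entries tagged only with its site ID; otherwise the
// untagged entries that apply to everyone.
function selectServers(entries, { serverId = null, siteId = null } = {}) {
  const byServer = entries.filter((e) => e.serverId !== null && e.serverId === serverId);
  if (byServer.length) return byServer;
  const bySite = entries.filter((e) => e.serverId === null && e.siteId !== null && e.siteId === siteId);
  if (bySite.length) return bySite;
  return entries.filter((e) => e.serverId === null && e.siteId === null);
}

// Returns true when the string is rejected, so callers can test malformed input.
function isRejected(input) {
  try {
    parseConnectionString(input);
    return false;
  } catch (err) {
    return true;
  }
}

// Walk through the sample: four entries, two of which carry server ID "01".
function demo() {
  const entries = parseConnectionString(SAMPLE);
  return { count: entries.length, forServer01: selectServers(entries, { serverId: '01' }).map((e) => e.host) };
}
```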



Which OAuth2 flow is most appropriate to support the use case of a client application implemented in a browser using a scripted language such as JavaScript?

  1. Authorization code grant flow with PKCE
  2. Implicit grant flow
  3. Resource owner grant flow
  4. Client credentials grant flow

Answer(s): A

Explanation:

In PingAM 8.0.2, the recommended and most secure flow for "Public Clients"--such as Single Page Applications (SPAs) written in JavaScript--is the Authorization Code Grant Flow with PKCE (Proof Key for Code Exchange).
Historically, the Implicit Grant Flow (Option B) was used for browser-based apps because they could not securely store a client_secret. However, the Implicit flow is now considered legacy and insecure due to the risk of access token leakage in the browser history or via referrer headers. The Resource Owner Password Credentials Grant (Option C) is also discouraged as it requires the application to handle user credentials directly, violating the core principle of delegated authorization. Client Credentials (Option D) is reserved strictly for machine-to-machine communication where no user is involved.
The Authorization Code Grant with PKCE addresses the security limitations of public clients by replacing the static client_secret with a dynamically generated "code verifier" and "code challenge."

The process works as follows:
Challenge Generation: The JavaScript app creates a cryptographically strong random string (Verifier) and transforms it (Challenge).
Authorization Request: The app sends the challenge to PingAM.
Code Exchange: After user login, AM returns an authorization code. The app then sends the code and the original verifier to the token endpoint.
Verification: AM verifies that the verifier matches the initial challenge before issuing the Access Token.
This flow ensures that even if an attacker intercepts the authorization code, they cannot exchange it for a token without the original verifier, which never left the browser's execution context. PingAM 8.0.2 fully supports this flow and provides specific configuration options in the OAuth2 Provider settings to enforce PKCE for all public clients.



What are the possible outcomes of the Push Result Verifier node?

  1. Success, Failure, Waiting, Retry
  2. Success, Failure, Expired, Retry
  3. Success, Failure, Expired, Waiting
  4. Success, Failure, Expired, Waiting, Retry

Answer(s): C

Explanation:

The Push Result Verifier node is a core component of the "MFA: Push Authentication" journey in PingAM 8.0.2. Its primary function is to check the status of a push notification that was previously dispatched to a user's mobile device (usually via the Push Sender node). According to the "Authentication Node Reference" for version 8.0.2, the node evaluates the state of the push request and yields exactly four distinct outcomes:
Success: This path is followed if the user has actively approved the push notification on their registered device using the ForgeRock/Ping Authenticator app.
Failure: This path is taken if the user explicitly denies or rejects the push notification on their device, indicating a potential unauthorized login attempt.
Expired: This outcome occurs if the notification reaches its "Message Timeout" limit (defined in the Push Sender node) without any response from the user. In standard trees, this path often loops back to allow the user to try a different MFA method or resend the push.
Waiting: This outcome is triggered if a response has not yet been received but the timeout has not yet been reached. This is used in conjunction with a Push Wait or Polling mechanism to create a "check-and-loop" logic until a final result (Success, Failure, or Expired) is determined.
The Retry outcome (mentioned in other options) is notably absent from this specific node's metadata.
While a "Retry" might be implemented in the overall tree logic (for example, by using a Retry Limit Decision node after an Expired outcome), the Push Result Verifier node itself only reports the state of the specific push transaction it is tracking. Understanding these four discrete states is vital for designing resilient authentication journeys that handle user delays or network issues gracefully.



In a default PingAM configuration, what type of keystore stores the secret ID named storepass, which contains the encrypted password of the default-keystore secret store?

  1. Keystore secret store
  2. Environment and system property secret store
  3. Filesystem secret store
  4. Hardware Security Module secret store

Answer(s): C

Explanation:

In PingAM 8.0.2, the management of sensitive data such as passwords and cryptographic keys is handled through a unified Secret Store framework. This framework abstracts the source of the secret from the component that consumes it using Secret IDs. One of the most critical secret IDs in a standard installation is storepass.
The storepass secret ID is specifically used by the default-keystore (which is typically a "Keystore secret store" pointing to keystore.jks or keystore.p12). Before AM can access the keys within the default-keystore to sign tokens or encrypt data, it must first unlock the keystore itself using the password mapped to the storepass secret ID.
According to the PingAM "Secrets, certificates, and keys" documentation, in a default file-based configuration, PingAM initializes a Filesystem secret store as its primary global store. This store is configured to look into a specific directory within the AM configuration path (usually .../openam/secrets/). Inside this directory, AM expects to find files named after the secret IDs they contain. For the storepass ID, there is typically a corresponding file (such as storepass or .storepass) containing the cleartext or encrypted password required to open the primary keystore.
While AM can be configured to use an Environment and system property secret store (Option B) for high-portability cloud deployments, the "out-of-the-box" default behavior during a standard installation relies on the filesystem. Option A is incorrect because the storepass is the key to the keystore, not a secret inside it, and Option D refers to specialized hardware integrations not used in a default software-only setup. Therefore, the Filesystem secret store is the correct technical answer for the default location of the storepass.



The Core Token Service (CTS) can be used for storing which of the following?

  1. Configuration
  2. Users
  3. Kerberos tokens
  4. OAuth2 tokens

Answer(s): D

Explanation:

The Core Token Service (CTS) is a high-performance persistence layer in PingAM 8.0.2 designed to store short-lived, stateful data. Unlike the Configuration Store (which holds static system settings) or the Identity Store (which holds user profiles), the CTS is optimized for "token-like" data that is frequently created, updated, and deleted.
According to the "Core Token Service (CTS) Overview" in the PingAM 8.0.2 documentation, the primary purpose of the CTS is to provide a centralized repository for:
Session Tokens: For server-side sessions, the session state is stored in the CTS.
OAuth 2.0 Tokens: This includes Access Tokens, Refresh Tokens, and Authorization Codes. When an OAuth2 client requests a token, AM generates it and, if configured for server-side storage, persists it in the CTS so that any node in an AM cluster can validate it.
SAML 2.0 Tokens: Used for tracking assertions and managing Single Logout (SLO) states.
UMA (User-Managed Access) Labels and Resources: Various state information for the UMA protocol.
The documentation explicitly clarifies that the CTS is not a general-purpose database. Configuration (Option A) is strictly stored in the Configuration Data Store (usually a dedicated PingDS instance). Users (Option B) are stored in an Identity Store such as Active Directory or PingDS. Kerberos tokens (Option C) are part of a challenge-response handshake that is typically handled at the protocol layer and not stored as persistent records in the CTS. Therefore, OAuth2 tokens are the definitive type of data managed by the CTS among the choices provided. Utilizing the CTS for OAuth2 tokens is a prerequisite for supporting features like token revocation and refresh token persistence across multiple AM instances in a high-availability deployment.



A non-authenticated user requests a resource protected by PingGateway or a Web Agent. Put the following events of the authentication lifecycle in chronological order:
1. User answers the "questions asked" (callbacks) by PingAM.
2. User tries to access a resource protected by PingGateway or a Web Agent.
3. Session reaches a timeout value or user logs out.
4. PingGateway or the Web Agent validates the session.
5. User is redirected to the authentication user interface of PingAM.
6. User is redirected to the resource.

  1. 2-1-4-3-5-6
  2. 2-5-1-6-4-3
  3. 2-5-1-6-3-4
  4. 2-1-5-6-4-3

Answer(s): B

Explanation:

The authentication lifecycle in a Ping Identity environment follows a strict sequence to ensure that only authorized users can access protected resources. This process is governed by the interaction between a Policy Enforcement Point (PEP), such as a Web Agent or PingGateway, and the Policy Decision Point (PDP), which is PingAM.
Following the chronological flow according to the PingAM 8.0.2 "Introduction to Authentication" and "Web Agent User Guide":
Step 2: The process begins when an unauthenticated user attempts to access a protected URL.
Step 5: The Agent/PingGateway intercepts the request, detects the absence of a valid session cookie, and redirects the user to the PingAM login URL (the UI).
Step 1: The user interacts with the AM UI, providing the necessary credentials or answering the "callbacks" (username, password, MFA) defined in the authentication tree.
Step 6: Upon successful authentication, PingAM issues a session token and redirects the user back to the original resource they were trying to access.
Step 4: The Agent/PingGateway receives the request again, but this time it contains a session token. The agent then validates the session with PingAM to ensure it is still active and possesses the correct permissions.
Step 3: Finally, the lifecycle ends when the session expires due to inactivity (Idle Timeout), reaches its Max Session Time, or the user explicitly logs out.
Sequence 2-5-1-6-4-3 (Option B) accurately captures this "Round-Trip" nature of modern web authentication. Options A and D are incorrect because they place the callback interaction before the initial redirect or the resource access. Option C is incorrect because it suggests the session reaches a timeout before the agent has a chance to validate the session for the current request.



Which statement does not reflect best practice when configuring a PingAM cluster for secure communication with external servers?

  1. Create the new truststore as a copy of the JVM container truststore to isolate the PingAM truststore from changes to the JVM container's truststore when the JVM container's truststore is updated
  2. Create a new truststore with the certificates needed in the environment, and configure the container to use it
  3. Create a new truststore using a copy of the JVM container truststore and add the PingDS instances certificates to the new truststore
  4. Don't add PingDS instances certificates to the JVM container truststore

Answer(s): A

Explanation:

When configuring secure communication (LDAPS, HTTPS) in PingAM 8.0.2, managing the Truststore is a critical security task. The truststore contains the public certificates (trust anchors) of the servers PingAM needs to communicate with, such as PingDS or external Identity Providers. The PingAM "Secure Network Communication" documentation outlines several best practices:
Avoid Modifying the JVM Truststore: One should not add internal certificates (like those for PingDS) to the default JVM cacerts file (Option D is a best practice). This prevents pollution of the system-wide Java environment.
Use a Dedicated Truststore: Creating a fresh, minimal truststore containing only necessary certificates (Options B and C) ensures a "least privilege" approach to trust.
Why Statement A is NOT a best practice: Statement A suggests that you should copy the JVM truststore to isolate it from changes made to the JVM container's truststore. In a production security context, this is a dangerous anti-pattern. The JVM's default truststore (e.g., cacerts) is frequently updated by Java maintainers and OS vendors to include new Root CAs and, more importantly, to remove/revoke compromised or untrustworthy CAs. By making a static copy to "isolate" AM from these updates, an administrator inadvertently keeps obsolete or insecure certificates in AM's trust list while missing out on critical security updates provided by the platform. Best practice dictates that AM should point to a truststore that is intentionally managed. If isolation is needed, it should be achieved by creating a new store for internal certificates and potentially using the -Djavax.net.ssl.trustStore property to manage the hierarchy, rather than cloning the system-wide CA bundle to avoid "changes." Therefore, Option A is the correct answer as it describes a maintenance and security risk.



Which of the following statements are correct regarding session upgrades in PingAM?

(A) An authenticated user is required to authenticate again either to the same or a different authentication service.
(B) The user must not change for the session upgrade to succeed.
(C) The only PingAM mechanism to do a session upgrade is the ForceAuth=true request parameter.
(D) A session upgrade is PingAM's mechanism to perform what is called step-up authentication.

  1. A, C, and D
  2. B, C, and D
  3. A, B, and D
  4. A, B, and C

Answer(s): C

Explanation:

In PingAM 8.0.2, Session Upgrade (often referred to as Step-up Authentication) is the process of increasing the "Authentication Level" (Auth Level) associated with a user's session. This is common when a user has logged in with a basic method (like username/password) but attempts to access a resource that requires a stronger method (like MFA).
Regarding the statements:
Statement A is correct: To upgrade a session, PingAM requires the user to satisfy the requirements of an authentication tree or module that has a higher Auth Level than the current session. This technically involves a "re-authentication" event specifically for the higher-level requirement.
Statement B is correct: Crucially, the identity authenticated during the upgrade must match the identity of the existing session. If a different user attempts to authenticate during an upgrade process, PingAM will reject the upgrade to prevent session hijacking or identity swapping.
Statement D is correct: Session upgrade is indeed the technical implementation of the industry-standard "step-up authentication" concept.
Statement C is incorrect because ForceAuth=true is not the only mechanism for a session upgrade.

While ForceAuth=true (in SAML2 or OIDC) or the prompt=login parameter can force a fresh authentication, PingAM also supports upgrades via Policy Advice. When a policy engine determines that a resource requires a higher Auth Level, it sends an "advice" to the client, triggering a session upgrade journey. Additionally, authentication trees can be configured to perform upgrades natively using the Session Upgrade configuration in the realm settings. Therefore, since A, B, and D are technically accurate descriptions of the AM 8.0.2 lifecycle, Option C is the correct choice.


