Consider the following LDAP connection string:

DS1.example.com:389|01, DS2.example.com:389|01, DS2.example.com:389|02, DS1.example.com:389|02

This connection string can be used in:
(A) Identity Store
(B) Core Token Service
(C) Configuration Data Store

Which of the above options are correct?
Answer(s): B
The connection string format HOST:PORT|SERVERID|SITEID is the syntax PingAM 8.0.2 uses for affinity load balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments the CTS handles thousands of session updates per second. To avoid replication lag issues, where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node, PingAM uses "affinity". According to the "CtsDataStoreProperties" and "CTS Deployment Architectures" documentation, this specialized string lets the AM instance prioritize connections based on the Server ID and Site ID. The pipe (|) characters introduce the optional affinity parameters:

01/02: These represent the Server IDs of the underlying Directory Servers.
Affinity logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.

While standard Identity Stores (Option A) and the Configuration Data Store (Option C) also use LDAP connection strings, they typically use a comma-separated list of host:port pairs or rely on a hardware load balancer. Using server and site IDs inside the connection string itself to steer LDAP request routing is a hallmark of the CTS affinity configuration. The documentation explicitly states that "Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]" in the context of CTS external store configuration. Therefore, this string is specifically designed for the Core Token Service, to ensure data consistency and high performance in clustered environments.
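As an added illustration (not PingAM code), the following parser accepts the HOST:PORT[|SERVERID[|SITEID]] format quoted above and orders the parsed entries so that connections tagged with the caller's own server ID are tried first, then those in the same site, then untagged entries. The ordering rule, the Connection type and the function names are assumptions made for the example; the sample string is the one from the question.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example. Parses the documented HOST:PORT[|SERVERID[|SITEID]]
# entries and applies an assumed affinity ordering; it is not AM's own code.


@dataclass(frozen=True)
class Connection:
    host: str
    port: int
    server_id: Optional[str] = None   # optional affinity tag after the first '|'
    site_id: Optional[str] = None     # optional affinity tag after the second '|'


# host : port, then up to two optional pipe-separated affinity fields
_ENTRY = re.compile(r"^([^:|\s]+):(\d{1,5})(?:\|([^|\s]*)(?:\|([^|\s]*))?)?$")


def parse_connection_string(value: str) -> list:
    """Split a comma-separated connection string into Connection objects.

    Malformed entries and out-of-range ports raise ValueError rather than
    being silently dropped, so a typo cannot quietly remove a replica.
    """
    conns = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        match = _ENTRY.match(raw)
        if not match:
            raise ValueError(f"malformed connection entry: {raw!r}")
        host, port, server_id, site_id = match.groups()
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            raise ValueError(f"port out of range in entry: {raw!r}")
        conns.append(Connection(host, port_num, server_id or None, site_id or None))
    if not conns:
        raise ValueError("connection string contains no entries")
    return conns


def order_for(conns: list, server_id: str, site_id: Optional[str] = None) -> list:
    """Order connections by affinity tier (assumed rule, not AM's algorithm):
    same server ID first, then same site ID, then untagged, then the rest.
    The sort is stable, so the administrator's order is kept within a tier."""
    def tier(conn: Connection) -> int:
        if conn.server_id == server_id:
            return 0
        if site_id is not None and conn.site_id == site_id:
            return 1
        if conn.server_id is None and conn.site_id is None:
            return 2
        return 3
    return sorted(conns, key=tier)


if __name__ == "__main__":
    sample = ("DS1.example.com:389|01, DS2.example.com:389|01, "
              "DS2.example.com:389|02, DS1.example.com:389|02")
    for conn in order_for(parse_connection_string(sample), server_id="02"):
        print(conn)
```

Running the block with server ID 02 lists the two entries tagged |02 before the two tagged |01, which is the prioritisation the explanation describes.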
Which OAuth2 flow is most appropriate to support the use case of a client application implemented in a browser using a scripted language such as JavaScript?
Answer(s): A
In PingAM 8.0.2, the recommended and most secure flow for public clients, such as Single Page Applications (SPAs) written in JavaScript, is the Authorization Code Grant flow with PKCE (Proof Key for Code Exchange).

Historically, the Implicit Grant flow (Option B) was used for browser-based apps because they could not securely store a client_secret. However, the Implicit flow is now considered legacy and insecure because of the risk of access token leakage through browser history or Referer headers. The Resource Owner Password Credentials grant (Option C) is also discouraged because it requires the application to handle user credentials directly, violating the core principle of delegated authorization. Client Credentials (Option D) is reserved strictly for machine-to-machine communication where no user is involved.

The Authorization Code grant with PKCE addresses the security limitations of public clients by replacing the static client_secret with a dynamically generated "code verifier" and "code challenge". The process works as follows:

Challenge generation: The JavaScript app creates a cryptographically strong random string (the verifier) and transforms it into the challenge.
Authorization request: The app sends the challenge to PingAM.
Code exchange: After user login, AM returns an authorization code. The app then sends the code and the original verifier to the token endpoint.
Verification: AM verifies that the verifier matches the initial challenge before issuing the access token.

This flow ensures that even if an attacker intercepts the authorization code, they cannot exchange it for a token without the original verifier, which never left the browser's execution context. PingAM 8.0.2 fully supports this flow and provides configuration options in the OAuth2 Provider settings to enforce PKCE for all public clients.
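The four PKCE steps above, carried through as an added example (not PingAM's OAuth2 provider code): the client side generates the verifier and derives the S256 challenge, and a small in-memory AuthorizationServer class stands in for the provider's bookkeeping, binding the challenge to the issued code and refusing the exchange when the verifier does not match, when the code is replayed, or when a public client omits PKCE. The class, its method names and the error strings are assumptions for the illustration; the verifier/challenge derivation itself is the one specified in RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example of the PKCE exchange; not AM's implementation.


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 characters,
    the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Server-side check performed at the token endpoint."""
    if not 43 <= len(verifier) <= 128:
        return False
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    # Constant-time comparison, so timing does not leak the expected value.
    return hmac.compare_digest(expected, challenge)


class AuthorizationServer:
    """In-memory stand-in (assumed shape) for the provider's code/challenge store."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce   # mirrors "enforce PKCE for public clients"
        self._codes = {}                   # code -> (client_id, challenge, method)

    def authorize(self, client_id: str, code_challenge=None, method: str = "S256") -> str:
        """Authorization request: remember the challenge alongside the new code."""
        if self.require_pkce and not code_challenge:
            raise ValueError("invalid_request: code_challenge is required")
        if method not in ("S256", "plain"):
            raise ValueError("invalid_request: unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier=None) -> dict:
        """Code exchange: the code is single-use and must be proven with the verifier."""
        entry = self._codes.pop(code, None)    # removed even if the exchange fails
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        owner, challenge, method = entry
        if owner != client_id:
            raise ValueError("invalid_grant: code was issued to another client")
        if challenge is not None:
            if code_verifier is None or not verify_code_challenge(code_verifier, challenge, method):
                raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    server = AuthorizationServer()
    verifier = make_code_verifier()                       # stays in the browser
    code = server.authorize("spa-client", make_code_challenge(verifier))
    print(server.token("spa-client", code, verifier))    # succeeds
```

The RFC 7636 test vector is asserted below, so the derivation can be checked against the standard rather than against itself.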
What are the possible outcomes of the Push Result Verifier node?
Answer(s): C
The Push Result Verifier node is a core component of the "MFA: Push Authentication" journey in PingAM 8.0.2. Its primary function is to check the status of a push notification that was previously dispatched to a user's mobile device (usually by the Push Sender node). According to the "Authentication Node Reference" for version 8.0.2, the node evaluates the state of the push request and yields exactly four distinct outcomes:

Success: This path is followed if the user has actively approved the push notification on their registered device using the ForgeRock/Ping Authenticator app.
Failure: This path is taken if the user explicitly denies or rejects the push notification on their device, indicating a potential unauthorized login attempt.
Expired: This outcome occurs if the notification reaches its "Message Timeout" limit (defined in the Push Sender node) without any response from the user. In standard trees, this path often loops back to let the user try a different MFA method or resend the push.
Waiting: This outcome is triggered if a response has not yet been received but the timeout has not yet been reached. It is used together with a Push Wait or polling mechanism to create "check-and-loop" logic until a final result (Success, Failure, or Expired) is determined.

The Retry outcome (mentioned in other options) is notably absent from this node's metadata. While a "Retry" might be implemented in the overall tree logic (for example, by using a Retry Limit Decision node after an Expired outcome), the Push Result Verifier node itself only reports the state of the specific push transaction it is tracking. Understanding these four discrete states is vital for designing resilient authentication journeys that handle user delays or network issues gracefully.
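The four outcomes and the check-and-loop pattern, modelled as an added example (not the node's implementation): verify_push reports the state of one transaction at a given time, and poll_until_final re-checks it on each poll the way a polling wait node would, stopping at the first final outcome. The PushTransaction shape, the response strings and the observation sequence are constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Tuple

# Constructed illustration of the Push Result Verifier outcomes; not PingAM code.


class PushOutcome(Enum):
    SUCCESS = "Success"   # user approved on the registered device
    FAILURE = "Failure"   # user explicitly denied
    EXPIRED = "Expired"   # Message Timeout reached with no response
    WAITING = "Waiting"   # no response yet, timeout not yet reached


@dataclass
class PushTransaction:
    message_id: str
    sent_at: float                    # constructed clock, in seconds
    timeout_s: float                  # "Message Timeout" set on the sender node
    response: Optional[str] = None    # None, "approved" or "denied"


def verify_push(tx: PushTransaction, now: float) -> PushOutcome:
    """Report the state of one push transaction at time `now`.

    An explicit response wins over the clock: a denial recorded just before
    the deadline is a Failure, not an Expired, so the journey can treat it as
    a possible unauthorized attempt rather than a user delay.
    """
    if tx.response == "approved":
        return PushOutcome.SUCCESS
    if tx.response == "denied":
        return PushOutcome.FAILURE
    if now - tx.sent_at >= tx.timeout_s:
        return PushOutcome.EXPIRED
    return PushOutcome.WAITING


FINAL_OUTCOMES = {PushOutcome.SUCCESS, PushOutcome.FAILURE, PushOutcome.EXPIRED}


def poll_until_final(tx: PushTransaction,
                     observations: Iterable[Tuple[float, Optional[str]]]
                     ) -> Tuple[PushOutcome, int]:
    """Check-and-loop: re-evaluate on every poll until a final outcome.

    `observations` is a constructed sequence of (now, response_seen) pairs
    standing in for the device callback channel. Returns the outcome reached
    and the number of polls it took; if the polls run out the result is still
    Waiting, which a real tree would route back into the wait node.
    """
    polls = 0
    outcome = PushOutcome.WAITING
    for now, response in observations:
        polls += 1
        if response is not None:
            tx.response = response
        outcome = verify_push(tx, now)
        if outcome in FINAL_OUTCOMES:
            break
    return outcome, polls


if __name__ == "__main__":
    tx = PushTransaction("msg-001", sent_at=0.0, timeout_s=120.0)
    print(poll_until_final(tx, [(5.0, None), (10.0, None), (15.0, "approved")]))
```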
In a default PingAM configuration, what type of keystore stores the secret ID named storepass, which contains the encrypted password of the default-keystore secret store?
In PingAM 8.0.2, the management of sensitive data such as passwords and cryptographic keys is handled through a unified Secret Store framework. This framework abstracts the source of a secret from the component that consumes it by using Secret IDs. One of the most critical secret IDs in a standard installation is storepass.

The storepass secret ID is used by the default-keystore (typically a "Keystore secret store" pointing to keystore.jks or keystore.p12). Before AM can access the keys within the default-keystore to sign tokens or encrypt data, it must first unlock the keystore itself using the password mapped to the storepass secret ID.

According to the PingAM "Secrets, certificates, and keys" documentation, in a default file-based configuration PingAM initializes a Filesystem secret store as its primary global store. This store is configured to look in a specific directory within the AM configuration path (usually .../openam/secrets/). Inside this directory, AM expects to find files named after the secret IDs they contain. For the storepass ID, there is typically a corresponding file (such as storepass or .storepass) containing the cleartext or encrypted password required to open the primary keystore.

While AM can be configured to use an Environment and system property secret store (Option B) for highly portable cloud deployments, the out-of-the-box default behavior during a standard installation relies on the filesystem. Option A is incorrect because storepass is the key to the keystore, not a secret inside it, and Option D refers to specialized hardware integrations not used in a default software-only setup. Therefore, the Filesystem secret store is the correct technical answer for the default location of storepass.
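To make the lookup order above concrete, here is an added example (not AM's secret store implementation) of a resolver that consults a filesystem secret store directory first and an environment-variable fallback second, with a guard so that a secret ID can never be turned into a path outside the store. The candidate file names (the ID as given, then the dot-prefixed form), the environment-variable naming, the helper names and the demo password are assumptions constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Mapping, Optional

# Constructed example of secret-ID resolution; not PingAM's implementation.
# Lookup order: filesystem secret store directory, then environment variables.


def resolve_secret(secret_id: str, secrets_dir: str,
                   env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the value for `secret_id`, or None if no configured source has it."""
    # A secret ID is a label, never a path: refuse anything that could escape
    # the store directory once joined onto it.
    if not secret_id or "/" in secret_id or "\\" in secret_id or ".." in secret_id:
        raise ValueError(f"invalid secret id: {secret_id!r}")

    base = Path(secrets_dir)
    for name in (secret_id, "." + secret_id):      # assumed file-name candidates
        candidate = base / name
        if candidate.is_file():
            # A trailing newline left by an editor is not part of the password.
            return candidate.read_text(encoding="utf-8").rstrip("\r\n")

    # Fallback: STOREPASS-style variable name (assumed naming convention).
    env = os.environ if env is None else env
    return env.get(secret_id.upper().replace(".", "_"))


def is_private(path: str) -> bool:
    """True if only the owner can read the file (POSIX mode 0600 or stricter)."""
    mode = os.stat(path).st_mode & 0o777
    return mode & 0o077 == 0


def build_demo_store() -> str:
    """Create a throwaway directory shaped like a filesystem secret store.
    The password value is constructed for the demo."""
    store = tempfile.mkdtemp(prefix="am-secrets-demo-")
    secret_file = Path(store, ".storepass")
    secret_file.write_text("demo-keystore-password\n", encoding="utf-8")
    os.chmod(secret_file, 0o600)
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("storepass ->", resolve_secret("storepass", store))
    print("file is owner-only:", is_private(str(Path(store, ".storepass"))))
```

A file present in the store shadows any environment variable of the same name, which matches the order in which the explanation says the default configuration resolves storepass.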
The Core Token Service (CTS) can be used for storing which of the following?
Answer(s): D
The Core Token Service (CTS) is the high-performance persistence layer in PingAM 8.0.2 for short-lived, stateful data. Unlike the Configuration Store (which holds static system settings) or the Identity Store (which holds user profiles), the CTS is optimized for token-like data that is frequently created, updated, and deleted.

According to the "Core Token Service (CTS) Overview" in the PingAM 8.0.2 documentation, the primary purpose of the CTS is to provide a centralized repository for:

Session tokens: For server-side sessions, the session state is stored in the CTS.
OAuth 2.0 tokens: Access tokens, refresh tokens, and authorization codes. When an OAuth2 client requests a token, AM generates it and, if configured for server-side storage, persists it in the CTS so that any node in an AM cluster can validate it.
SAML 2.0 tokens: Used for tracking assertions and managing Single Logout (SLO) state.
UMA (User-Managed Access) labels and resources: State information for the UMA protocol.

The documentation explicitly clarifies that the CTS is not a general-purpose database. Configuration (Option A) is strictly stored in the Configuration Data Store (usually a dedicated PingDS instance). Users (Option B) are stored in an Identity Store such as Active Directory or PingDS. Kerberos tokens (Option C) are part of a challenge-response handshake that is handled at the protocol layer and not stored as persistent records in the CTS. Therefore, OAuth2 tokens are the definitive type of data managed by the CTS among the choices provided. Using the CTS for OAuth2 tokens is a prerequisite for features such as token revocation and refresh token persistence across multiple AM instances in a high-availability deployment.
A non-authenticated user requests a resource protected by PingGateway or a Web Agent. Put the following events of the authentication lifecycle in chronological order:

1. User answers the "questions asked" (callbacks) by PingAM.
2. User tries to access a resource protected by PingGateway or a Web Agent.
3. Session reaches a timeout value or user logs out.
4. PingGateway or the Web Agent validates the session.
5. User is redirected to the authentication user interface of PingAM.
6. User is redirected to the resource.
The authentication lifecycle in a Ping Identity environment follows a strict sequence to ensure that only authorized users can access protected resources. The process is governed by the interaction between a Policy Enforcement Point (PEP), such as a Web Agent or PingGateway, and the Policy Decision Point (PDP), which is PingAM. The chronological flow according to the PingAM 8.0.2 "Introduction to Authentication" and "Web Agent User Guide" is:

Step 2: The process begins when an unauthenticated user attempts to access a protected URL.
Step 5: The Agent/PingGateway intercepts the request, detects the absence of a valid session cookie, and redirects the user to the PingAM login URL (the UI).
Step 1: The user interacts with the AM UI, providing the necessary credentials or answering the "callbacks" (username, password, MFA) defined in the authentication tree.
Step 6: Upon successful authentication, PingAM issues a session token and redirects the user back to the original resource they were trying to access.
Step 4: The Agent/PingGateway receives the request again, but this time it carries a session token. The agent validates the session with PingAM to confirm it is still active and carries the required permissions.
Step 3: Finally, the lifecycle ends when the session expires through inactivity (Idle Timeout), reaches its Max Session Time, or the user explicitly logs out.

Sequence 2-5-1-6-4-3 (Option B) accurately captures this round-trip nature of modern web authentication. Options A and D are incorrect because they place the callback interaction before the initial redirect or the resource access. Option C is incorrect because it has the session reaching a timeout before the agent has a chance to validate the session for the current request.
Which statement does not reflect best practice when configuring a PingAM cluster for secure communication with external servers?
When configuring secure communication (LDAPS, HTTPS) in PingAM 8.0.2, managing the truststore is a critical security task. The truststore contains the public certificates (trust anchors) of the servers PingAM needs to communicate with, such as PingDS or external Identity Providers. The PingAM "Secure Network Communication" documentation outlines several best practices:

Avoid modifying the JVM truststore: Internal certificates (such as those for PingDS) should not be added to the default JVM cacerts file (Option D is a best practice). This prevents pollution of the system-wide Java environment.
Use a dedicated truststore: Creating a fresh, minimal truststore containing only the necessary certificates (Options B and C) ensures a least-privilege approach to trust.

Why Statement A is not a best practice: Statement A suggests copying the JVM truststore to isolate it from changes made to the JVM container's truststore. In a production security context this is a dangerous anti-pattern. The JVM's default truststore (for example, cacerts) is frequently updated by Java maintainers and OS vendors to include new root CAs and, more importantly, to remove compromised or untrustworthy CAs. By making a static copy to "isolate" AM from these updates, an administrator inadvertently keeps obsolete or insecure certificates in AM's trust list while missing the security updates provided by the platform. Best practice dictates that AM should point to a truststore that is intentionally managed. If isolation is needed, it should be achieved by creating a new store for internal certificates and, where appropriate, using the -Djavax.net.ssl.trustStore property to control which store is used, rather than cloning the system-wide CA bundle to avoid "changes". Therefore, Option A is the correct answer, as it describes a maintenance and security risk.
Which of the following statements are correct regarding session upgrades in PingAM?

A) An authenticated user is required to authenticate again either to the same or a different authentication service.
B) The user must not change for the session upgrade to succeed.
C) The only PingAM mechanism to do a session upgrade is the ForceAuth=true request parameter.
D) A session upgrade is PingAM's mechanism to perform what is called step-up authentication.
In PingAM 8.0.2, Session Upgrade (often referred to as step-up authentication) is the process of increasing the Authentication Level (Auth Level) associated with a user's session. This is common when a user has logged in with a basic method (such as username/password) but attempts to access a resource that requires a stronger method (such as MFA). Regarding the statements:

Statement A is correct: To upgrade a session, PingAM requires the user to satisfy the requirements of an authentication tree or module that has a higher Auth Level than the current session. Technically this is a re-authentication event, performed specifically for the higher-level requirement.
Statement B is correct: Crucially, the identity authenticated during the upgrade must match the identity of the existing session. If a different user attempts to authenticate during an upgrade, PingAM rejects the upgrade to prevent session hijacking or identity swapping.
Statement D is correct: Session upgrade is the technical implementation of the industry-standard "step-up authentication" concept.
Statement C is incorrect because ForceAuth=true is not the only mechanism for a session upgrade. While ForceAuth=true (in SAML2 or OIDC) or the prompt=login parameter can force a fresh authentication, PingAM also supports upgrades via policy advice: when the policy engine determines that a resource requires a higher Auth Level, it returns an "advice" to the client, which triggers a session upgrade journey. Additionally, authentication trees can be configured to perform upgrades natively using the Session Upgrade configuration in the realm settings.

Therefore, since A, B, and D are technically accurate descriptions of the AM 8.0.2 lifecycle, Option C is the correct choice.
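The policy-advice path and the identity check behind Statements A and B, as an added example (not PingAM's policy engine or session service): evaluate denies a request whose session is below the required Auth Level and returns advice naming the level to reach; upgrade_session applies the result of the upgrade journey only when the newly authenticated identity is the one already bound to the session and the level actually increased. The advice key reuses AM's AuthLevelConditionAdvice name, but the data shapes, function names and sample identities are constructed for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed step-up illustration; not PingAM code. Data shapes are simplified.


@dataclass(frozen=True)
class Session:
    session_id: str
    universal_id: str    # the identity the session was issued to
    auth_level: int      # highest Auth Level satisfied so far


@dataclass(frozen=True)
class PolicyDecision:
    allowed: bool
    advice: dict         # empty when allowed


def evaluate(session: Session, required_level: int) -> PolicyDecision:
    """Allow if the session already meets the level; otherwise deny and advise
    the client which level an upgrade journey must reach."""
    if session.auth_level >= required_level:
        return PolicyDecision(True, {})
    return PolicyDecision(False, {"AuthLevelConditionAdvice": [str(required_level)]})


def required_level_from_advice(decision: PolicyDecision) -> Optional[int]:
    """Client side: read the target level out of a deny-with-advice response."""
    levels = decision.advice.get("AuthLevelConditionAdvice")
    return max(int(v) for v in levels) if levels else None


def upgrade_session(session: Session, authenticated_uid: str, achieved_level: int) -> Session:
    """Apply the outcome of the upgrade journey to the existing session.

    The identity that completed the stronger authentication must be the one
    already bound to the session (Statement B); a different principal is
    rejected rather than swapped in. The new level must be strictly higher
    (Statement A), otherwise nothing was upgraded.
    """
    if authenticated_uid != session.universal_id:
        raise PermissionError("session upgrade rejected: authenticated identity "
                              "does not match the session owner")
    if achieved_level <= session.auth_level:
        raise ValueError("session upgrade rejected: auth level did not increase")
    # The session keeps its id here for simplicity; only the level changes.
    return replace(session, auth_level=achieved_level)


if __name__ == "__main__":
    alice = Session("sid-1", "id=alice,ou=user,dc=example,dc=com", auth_level=0)
    decision = evaluate(alice, required_level=10)
    print("allowed:", decision.allowed, "advice:", decision.advice)
    alice = upgrade_session(alice, alice.universal_id, required_level_from_advice(decision))
    print("after upgrade allowed:", evaluate(alice, 10).allowed)
```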
Share your comments for Ping Identity PT-AM-CPE exam with other users:
Great exam prep
I require dump
Good morning, could you please upload this exam again,
Hi, can you please upload the dumps for SAP contingent module. Thanks
Good questions
Looking forward to the real exam
Good ones for exam preparation
This is a good experience
Hi everyone
Waiting for the dump. Please upload.
Upload CKS exam questions
Awesome training material
Where is dump
Q. 289 - the correct answer should be B not D, since the question asks for the most secure way to provide access to an S3 bucket (a single one), and by the principle of least privilege you should not be giving access to all buckets.
Please, I need if possible H12-831,
Good collection of questions and solutions for PL500 certification
I would like to appear for the exam.
I am very happy as I cleared my CompTIA A+ 220-1101 exam. I studied from as it has all exam dumps and mock tests available. I got 91% on the test.
Need this dump
It's really good to evaluate knowledge before appearing for the actual exam.
This is great
Please, I want the questions to pass the exam
I need to pass the exam
Great, I appreciate it.
Please could you upload (ISC)2 Certified in Cybersecurity (CC) exam questions
Good questions, wrong answers
I'm preparing for exams
Question no: 42 isn't Azure VM an IaaS solution? So, shouldn't the answer be "no"?
I'm studying Azure
I need this now
I took the AWS SAA-C03 test and scored 935/1000. It has all the exam dumps and important info.
Well explained
I got the full version and it helped me pass the exam. PDF version is very good.