Ping Identity PAP-001 - Certified Professional - PingAccess

When configuring PingAccess to use PingFederate as theStandard Token Providerfor runtime engines, PingAccess must know how to contact PingFederate. The configuration requires theHost(PingFederate base URL).

Exact Extract:

“When configuring the Standard Token Provider, specify the PingFederate host to which PingAccess engines will connect for token validation.”

Option A (Issuer)is part of OIDC metadata but not required explicitly in this configuration.

Option B (Client ID)is needed for OAuth clients but not when defining the token provider connection itself.

Option C (Host)is correct — this is required to connect to PingFederate.

Option D (Port)may be included within the host definition (host:port) but is not the required field.

For multiple subdomains to share the same PingAccess session, theCookie Domainmust be configured so that the session cookie is valid across all listed applications.

Exact Extract:

“Set the Cookie Domain in the web session configuration to a parent domain (for example, .company.com) to enable applications in different subdomains to share the same session.”

Option A (Set Audience option)applies to OAuth token validation, not cookie sharing.

Option B (Set Cookie Domain option)is correct — e.g., setting.company.comallows session cookies to be shared.

Option C (Rewrite Cookie Domain rule)modifies upstream cookies for back-end applications, not PingAccess session cookies.

Option D (Rewrite Cookie Path rule)is unrelated; it modifies paths for cookies, not domains.

Because the application context root is/parts, resource paths are defined relative to it. The correct relative path is:

/suspension/struts/manufacturer

Exact Extract:

“Resource matching begins at the context root. The most specific matching path is selected.”

Option Ais incorrect —/*/struts/manufacturerdoes not match because it starts with a wildcard, not the defined path.

Option Bis incorrect —/*/manufacturerwould match less specifically and at a different depth.

Option Cis correct — exact match relative to/parts.

Option Dis incorrect — too generic and not the best match.

Applications in PingAccess can be associated with multipleVirtual Hosts. Each virtual host defines an FQDN and port combination through which the application is exposed, allowing protection across multiple domains or hostnames.

Exact Extract:

“Virtual hosts specify the fully qualified domain names (FQDNs) and ports that PingAccess uses to expose applications.”

Option A (Sites)represent the target back-end servers, not the external FQDN.

Option B (Virtual Hosts)is correct — use multiple virtual hosts for multiple domains.

Option C (Redirects)are unrelated to multi-domain application protection.

Option D (Rules)define access policies, not hostnames.

When PingAccess is first installed, theAdministrative Console(the web-based UI for managing configuration) is bound to adefault port of 9000. This is documented in the installation and configuration guides:

Exact Extract from documentation:

“By default, the administrative console is available athttps:// :9000.”

(PingAccess Installation Guide – Default Ports)

This means that unless the administrator has explicitly changed the port inrun.propertiesor during installation, the console will always be available onport 9000.

Option Analysis:

A. 9000✅Correct. Default administrative console port.

B. 3000❌Incorrect. This is not a PingAccess default port.

C. 9090❌Incorrect. Sometimes used by other Ping products for APIs, but not the PingAccess admin console.

D. 3030❌Incorrect. Not a default PingAccess port.

PingAccess supports logging directly to a relational database usingLog4j database appenders. To enable this:

Configurelog4j2.xmlto use a JDBC Appender.

Configurelog4j2.db.propertieswith the database connection information.

Provide the appropriate database driver in thePA_HOME/libdirectory.

Exact Extract:

“To log to a database, configure log4j2.xml and log4j2.db.properties, and place the JDBC driver JAR file in PA_HOME/lib.”

Option Ais correct — both files must be configured.

Option Bis incorrect — existing logs do not need removal.

Option Cis incorrect — enabling audit is unrelated to database logging.

Option Dis correct — the Oracle JDBC driver must be installed in PA_HOME/lib.

Option Eis incorrect unless TLS is used to connect to the DB, but it is not required for standard DB logging setup.

PingAccess must trust the back-end site’s certificate to establish TLS. For internally issued certificates, the administrator imports thecertificate chaininto aTrusted Certificate Group.

Exact Extract:

“When a target site uses an internal CA, import the certificate or chain into a Trusted Certificate Group and assign that group to the site.”

Option Ais incorrect — the Java trust store does not contain the internal CA by default.

Option Bis incorrect — Key Pairs store private keys for SSL termination, not trusted CA certs.

Option Cis incorrect — engine listeners use key pairs for inbound SSL, not site trust.

Option Dis correct — the certificate must be imported into Trusted Certificate Groups.

When using theAuthorization Code Flowfor authentication, PingAccess must be configured with:

AnOAuth Client IDthat identifies the application to the IdP.

TheOpenID Connect Login Typeset to Authorization Code.

Exact Extract:

“When configuring an OIDC web session, specify the OAuth client ID and select the OpenID Connect login type (Authorization Code, Hybrid, or Implicit).”

Option A (OAuth Token Introspection Endpoint)is not required for Authorization Code flow — token introspection is used in other cases.

Option B (OAuth Client ID)is correct — required for OIDC authorization requests.

Option C (OpenID Connect Issuer)is discovered automatically via metadata when you configure the token provider.

Option D (Virtual Host)is required for application exposure but not specific to OIDC flow.

Option E (OpenID Connect Login Type)is correct — must be set to “Authorization Code.”

Exact Extract (from PingAccess documentation):

“The key pair that you create for theCONFIG QUERYlistener must include both the administrative node and the replica administrative node. To make sure the replica administrative node is included, you can eitheruse a wildcard certificateordefine subject alternative namesin the key pair that use the replica administrative node’s DNS name.”

Why B and D are correct:

*B. Subject = .company.com— A wildcard certificate for *.company.com is valid for both pa-admin.company.com and pa-admin2.company.com, satisfying the documented requirement that the key pair include both hostnames for the CONFIG QUERY listener.

D. Subject Alternative Names = pa-admin.company.com, pa-admin2.company.com— Explicitly placing both DNS names in the SAN extension also satisfies the requirement that the certificate cover both the administrative node and the replica administrative node.

Why the other options are incorrect:

A. Issuer = pa-admin.company.com— TheIssuerfield identifies the certificate authority (CA) that signed the certificate, not the service hostname. Setting the issuer to a host value is not how X.509 server certificates are validated and would not meet the hostname‑matching requirement.

C. Subject = pa-admin.company.com— While this covers the administrative node, itdoes not include the replica administrative node. Without a wildcard or SAN entries, it fails the requirement that the key pair include both hostnames.

E. Subject = pa-admin2.company.com— Similarly, this would only cover the replica administrative node andnotthe primary administrative node, failing the requirement.

PingAccess is designed to work with modern identity protocols. It doesnotsupport legacy WS-* protocols directly.

Exact Extract:

“PingAccess integrates with OAuth 2.0 and OpenID Connect (OIDC) to provide authentication and authorization for web and API resources.”

Option A (SAML)is incorrect — PingAccess does not natively consume SAML assertions; SAML can be used indirectly via PingFederate.

Option B (WS-Fed)is not supported.

Option C (WS-Trust)is not supported.

Option D (OAuth2)is correct — used for authorization and token validation.

Option E (OIDC)is correct — used for user authentication and sessions.