Ping Identity PT-AM-CPE - Certified Professional - PingAM Exam

In a high-availability PingAM 8.0.2 cluster, the Load Balancer (LB) is responsible for distributing traffic across multiple AM instances. Session Stickiness (also known as session affinity) ensures that all requests from a specific user session are routed to the same AM server that initially created the session.

According to the PingAM "Deployment Planning" and "Load Balancing" documentation, PingAM is designed to be "sticky-preferred" but not "sticky-required" if theCore Token Service (CTS)is used. If stickiness isnotensured:

Performance Impact: Every time a user request lands on adifferentAM server (Server B) than the one that holds the session in local memory (Server A), Server B must query theCTS (External Store)to retrieve the session details, deserialize the object, and reconstruct the session state. This cross-server look-up introduces significant latency and increases the load on the PingDS instances hosting the CTS.

CTS Load: Without stickiness, every single request becomes a "Global" session lookup. This drastically increases the I/O and CPU overhead on the back-end directory servers, potentially leading to performance degradation of the entire identity platform.

Why other options are incorrect:

Option A: Session failoverrequiresthe CTS, but stickiness actuallyminimizesthe need for failover logic during normal operation. Failover still works without stickiness, it just becomes the "default" behavior for every request.

Option B: AM servers in a cluster share the same encryption keys and back-end stores. Any server can technically validate a session by looking it up in the CTS; the browser doesn't "know" which server is correct.

Option C: Redirects are handled at the application logic level. While some internal processing changes, it doesn't necessarily result in extra browser-level HTTP redirects.

Thus, the primary negative impact of lacking stickiness in a correctly configured cluster is adecrease in performance(Option D) due to the constant session synchronization overhead.

============

PingAM 8.0.2 supports advanced client authentication methods defined in the OpenID Connect and OAuth 2.0 specifications, including private_key_jwt and client_secret_jwt. These methods allow a client to authenticate without sending a static password/secret in the request. Instead, the client generates and signs a JSON Web Token (JWT).

According to the "OAuth 2.0 Client Authentication" and "JWT Profile for Client Authentication" (RFC 7523) documentation, when a client sends this JWT to the /oauth2/access_token endpoint, it must use theclient_assertionparameter.

The request must also include theclient_assertion_typeparameter, which must be set to the constant value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

Option A (client_credentials)is a grant type, not a parameter for providing a JWT.

Option B (client_token_value)is not a standard OAuth2 parameter name.

Option C (client_id)is often included in the request, but it is the identifier of the client, not the container for the cryptographic assertion itself.

When PingAM receives a request with a client_assertion, it extracts the JWT, verifies the signature using the client's public key (stored in the client's profile or retrieved via a JWKS URI), and validates the standard claims (iss, sub, aud, exp). This method is significantly more secure than simple secrets because it proves the client possesses the private key and limits the window for replay attacks through the token's expiration claim.

In PingAM 8.0.2, requesting policy decisions via the REST API involves sending a POST request to the policies endpoint with the _action=evaluate parameter. To receive an accurate decision, the request body must provide the context of the access attempt.

According to the "Request policy decisions over REST" documentation, the JSON body typically includes the following core fields:

resources: (Required) An array of strings representing the URIs the user is attempting to access.

application: (Required) This field specifies the name of thePolicy Set(formerly known as the application) that contains the relevant policies for the evaluation.

subject: (Optional, but usually required for user-specific policies) This object identifies the user or entity requesting access. It can include the user's ssoToken or a set of claims if using JWT-based subjects.

Why other options are incorrect:Advices(Options A and C) are not inputs for a policy evaluation request. Instead, advices arereturnedby PingAM in the response if a policy condition fails (e.g., an AuthLevelConditionAdvice requesting the user to provide MFA). A request cannot "evaluate" an advice; it triggers one. Option D is incorrect because the resources field is a mandatory requirement for any evaluation; without a target resource, the engine has nothing to compare against the defined policy rules. Therefore, the combination ofresources, subject, and applicationrepresents the standard, valid structure for a policy decision request in PingAM 8.0.2.

In PingAM 8.0.2, especially when utilizing File-Based Configuration (FBC), the startup sequence relies on a "bootstrap" phase to locate the system's configuration. According to the "Installation Guide" and "Configuration Directory Structure," the primary file involved in this process is named boot.json.

The boot.json file contains the essential connection details required for the AM binaries to find and unlock the configuration store (usually PingDS). This includes the LDAP host, port, bind DN, and references to the secret stores needed to decrypt the configuration.

The location of this file is determined by theConfiguration Directorypath specified during the initial setup. By default, PingAM creates its configuration directory in the home directory of the user running the web container. The standard path structure is //. Therefore, the boot.json file is located at the root of this instance directory:<user-home>/<am-instance-dir>/boot.json.

Options A and Dare incorrect because they place the file inside a /config subdirectory; while AM has many config files in subdirectories, the boot.json sits at the root to be accessible as the first point of entry.

Option Bis incorrect because it suggests the file is stored within the Tomcat webapps folder. PingAM specifically avoids storing configuration data within the web application binaries to ensure that configuration persists even if the .war file is deleted or redeployed.

Understanding the location of boot.json is vital for DevOps engineers who need to automate the deployment of PingAM using tools like Amster or when troubleshooting a "Failed to connect to the configuration store" error during server startup.

Audit logging is a vital security feature in PingAM 8.0.2 that provides a record of system activity. To make these logs useful for modern analysis tools and to ensure they contain rich metadata, PingAM utilizes structured logging.

According to the PingAM "Audit Logging Service" documentation:

When an administrator enables audit logging in a new installation, the system is pre-configured with the JSON audit event handler as the default. This handler writes log entries to the local filesystem in a structured JSON format (e.g., access.audit.json).

The choice ofJSON(Option D) as the default is strategic:

Structure: JSON allows for complex, nested data structures, which is necessary to capture the full context of an authentication journey or a policy decision.

Interoperability: JSON is the "native language" of modern log aggregators and SIEM platforms like Splunk, ELK (Elasticsearch/Logstash/Kibana), and Sumo Logic.

Readability: While structured, it remains human-readable for quick manual inspection.

Why other options are incorrect:

CSV (B)andSyslog (C)are available handlers but must be explicitly added or configured; they are not the primary default.

Elasticsearch (A)is a powerful target for audit logs, but PingAM typically sends data there via an external collector reading the JSON files or via a specifically configured Elasticsearch handler, rather than it being the out-of-the-box default for a local installation.

The JSON handler ensures that from the moment logging is turned on, the data is stored in a format that balances detailed reporting with ease of integration.

In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) supports two primary patterns: delegation and impersonation. Understanding the difference between these is critical for secure microservices architecture.

According to the "Demonstrate Impersonation" section of the PingAM documentation,impersonationis a pattern where a client (the "Actor") acts as another identity (the "Subject") in a way that the downstream resource server sees only the Subject's identity.

Statement A is correct: In an impersonation flow, the client (which has been authorized by the user or is a trusted service) requests a token where it effectively "becomes" the subject to interact with another service. The downstream service treats the request as if it were coming directly from the subject, often with the same set of permissions.

Statement D is correct: To perform a token exchange for impersonation, the client must provide specific parameters to the /oauth2/access_token endpoint. It provides thesubject_token(representing the identity to be impersonated) and theactor_token(representing the identity of the client/service that is performing the impersonation). PingAM validates both tokens to ensure the "Actor" has the permission to impersonate the "Subject."

Why other statements are incorrect: Statement B describesdelegation(where an actor actson behalf ofa subject but maintains their own identity in the act claim). Statement C is incorrect because a token exchange inherently requires proving who the requester is (the actor) and whom they represent (the subject). Without both tokens, the AM server cannot verify the authorization relationship required for impersonation. Therefore, the combination ofA and Daccurately reflects the impersonation pattern in PingAM 8.0.2.

According to the PingAM 8.0.2 Installation Guide, the user account on the operating system that runs the web application container (such as Apache Tomcat) must have a home directory. This requirement is critical for the "Bootstrap" process of the application.

When PingAM starts for the first time or after a restart, the binaries need to know where the configuration data resides. PingAM looks for a hidden directory in the user's home directory named.openamcfg(or a similar name based on the deployment path). Inside this directory, AM creates and reads a file that contains the absolute path to the actualconfiguration directory(e.g., /home/tomcat/openam). This file acts as thepointeror "bootstrap" record.

If the user running the process does not have a home directory, the AM application will fail to initialize because it cannot create this bootstrap pointer. This often results in a "Configuration failed" error or the application reverting to an "unconfigured" state upon every restart. While it is possible to override the location of the configuration directory using JVM system properties (like -Dcom.sun.identity.configuration.directory), the default behavior and best practice documented for standard deployments assume the existence of a home directory for the service user. This ensures that configuration remains persistent and isolated from the web container's temporary application files. Option C is incorrect as port listening restrictions are handled by the OS kernel/root privileges, not the existence of a home directory.

In PingAM 8.0.2, the management of cryptographic material has evolved toward the Secret Store framework, which allows secrets to be stored in various locations (Filesystem, HSM, or Environment Variables). However, for specific core features, the internal PingAM keystore (historically keystore.jks) remains the primary repository for the keys used to protect session integrity.

According to the "Client-side Session Security" documentation, when a realm is configured forClient-side sessions, the entire state of the user's session is encapsulated within a signed and encrypted JSON Web Token (JWT). This JWT is then stored in the user's browser cookie. To ensure that this token cannot be tampered with or read by unauthorized parties, PingAM must sign and encrypt the payload. The AM engine is hardcoded to look for the specific aliases (such as am.services.session.encryption and am.services.session.signing) within thedefault-keystoresecret store, which points directly to the PingAM keystore.

While other features likeOAuth2 providers(Option D) and thePersistent Cookie node(Option B) utilize secret stores, they are designed to be highly flexible and can be configured to use keys from any defined secret store in the realm.Authentication trees(Option C) are logical constructs and do not "use" the keystore directly, although individual nodes within a tree might. The distinction forClient-side sessionsis that the feature's fundamental security model is built specifically around the cryptographic keys managed within the AM keystore to provide "stateless" session management. Administrators must ensure that the same keystore and aliases are shared across all nodes in a cluster to allow any AM instance to validate a client-side session token issued by another node.

PingAM 8.0.2 provides a robust framework for Multi-Factor Authentication (MFA) centered around modern, secure protocols and the Intelligent Access (Authentication Trees) engine. When discussing supported "protocols" in the context of MFA in PingAM documentation, the focus is on standardized methods for secondary verification.

The primary supported MFA pillars in PingAM 8.0.2 are:

Open Authentication (OATH): AM supports the OATH standards, specificallyTOTP(Time-based One-Time Password) andHOTP(HMAC-based One-Time Password). This is implemented through the "OATH" authentication nodes, allowing users to use apps like ForgeRock Authenticator, Google Authenticator, or YubiKeys in OATH mode.

Web Authentication (WebAuthn): This is the implementation of theFIDO2standard. It allows for passwordless and secure second-factor authentication using biometrics (like TouchID/FaceID) or hardware security keys (like YubiKeys). It is the successor to older standards and is natively supported via WebAuthn nodes.

Push Authentication: This is a proprietary but highly secure protocol used specifically with theForgeRock/Ping Authenticator app. It allows a "Push" notification to be sent to a registered mobile device, which the user then approves or denies.

Why others are excluded from the selection:While PingAM supportsSecurity Questions(KBA) andUniversal 2nd Factor(U2F), they are often categorized differently in the 8.0.2 documentation. Security Questions are considered a "User Self-Service" or "Legacy" validation method rather than a modern MFA protocol. U2F is technically superseded by and included within theWebAuthnframework in PingAM 8.0.2. Thus, the most accurate grouping of distinct, core MFA protocols supported in the current version isA, C, and E, making Option C the correct answer.