Ultimate Guide to Prepare PAP-001 Certification Exam for Ping Identity PingAccess in 2026 [Q22-Q47]

Ultimate Guide to Prepare PAP-001 Certification Exam for Ping Identity PingAccess in 2026

Use Real PAP-001 Dumps - Ping Identity Correct Answers updated on 2026

Ping Identity PAP-001 Exam Syllabus Topics:

Topic	Details
Topic 1	Policies and Rules: This section of the exam measures the skills of Security Administrators and focuses on how PingAccess evaluates paths for applying policies and resources. It covers the role of different rule types, their configuration, and the implementation of rule sets and rule set groups for consistent policy enforcement.
Topic 2	Integrations: This section of the exam measures skills of System Engineers and explains how PingAccess integrates with token providers, OAuth and OpenID Connect configurations, and site authenticators. It also includes the use of agents and securing web, API, and combined applications through appropriate integration settings.
Topic 3	Product Overview: This section of the exam measures skills of Security Administrators and focuses on understanding PingAccess features, functionality, and its primary use cases. It also covers how PingAccess integrates with other Ping products to support secure access management solutions.

 

NEW QUESTION # 22
An administrator must onboard a new application from the application team. The application has multiple paths that will need different rules. What would be the first step in this process?

• A. Resource
• B. Identity mapping
• C. Web session
• D. Application

Answer: D

Explanation:
All onboarding in PingAccess begins with defining anApplication. Once the application exists, the administrator can defineResourceswithin it and assign different rules to those resources.
Exact Extract:
"Before you can configure resources and rules, you must first create an application in PingAccess."
* Option A (Identity Mapping)may be required later but not the first step.
* Option B (Web Session)can be shared but is not the first onboarding step.
* Option C (Application)is correct - the starting point for onboarding.
* Option D (Resource)comes after creating the application.
Reference:PingAccess Administration Guide -Creating Applications

NEW QUESTION # 23
According to a new business requirement, critical applications require dual-factor authentication when specific resources are accessed in those applications. Which configuration object should the administrator use in the applications?

• A. Authentication Challenge Policy
• B. Auth Token Management
• C. Authentication Requirements
• D. UI Authentication

Answer: C

Explanation:
PingAccess enforces step-up or multi-factor authentication usingAuthentication Requirements, which can be applied to specific resources within an application.
Exact Extract:
"Authentication requirements allow administrators to configure additional authentication (for example, MFA) when accessing sensitive application resources."
* Option A (UI Authentication)applies to access to theadmin console, not application resources.
* Option B (Auth Token Management)relates to OAuth token lifetimes and refresh, not MFA enforcement.
* Option C (Authentication Requirements)is correct - these rules enforce MFA or step-up auth for specific URLs/resources.
* Option D (Authentication Challenge Policy)governs how failed auth challenges are presented but does not enforce MFA.
Reference:PingAccess Administration Guide -Authentication Requirements

NEW QUESTION # 24
An auto parts company wants to protect the path/parts/suspension/struts/manufacturer. Resources appear under an applicationContext Root of/partswith default ordering.
Which resource will the policy engine select?

• A. //manufacturer
• B. //struts/manufacturer
• C. /suspension/struts/manufacturer
• D. ///manufacturer

Answer: C

Explanation:
Because the application context root is/parts, resource paths are defined relative to it. The correct relative path is:
* /suspension/struts/manufacturer
Exact Extract:
"Resource matching begins at the context root. The most specific matching path is selected."
* Option Ais incorrect -/*/struts/manufacturerdoes not match because it starts with a wildcard, not the defined path.
* Option Bis incorrect -/*/manufacturerwould match less specifically and at a different depth.
* Option Cis correct - exact match relative to/parts.
* Option Dis incorrect - too generic and not the best match.
Reference:PingAccess Administration Guide -Resource Path Matching and Ordering

NEW QUESTION # 25
The application team is requesting step-up authentication only for a few specific resources while maintaining previous authentication for other resources. What change would the administrator need to make?

• A. Change the Context Root
• B. Manual Resource Ordering
• C. Use context root as reserved resource base path
• D. Authentication Challenge Policy

Answer: D

Explanation:
To enforcestep-up authenticationfor selected resources, PingAccess usesAuthentication Challenge Policies
. These policies allow different challenge methods to be applied depending on the resource.
Exact Extract:
"Authentication challenge policies define how PingAccess challenges users for authentication and are often applied when step-up authentication is required for specific resources."
* Option A (Authentication Challenge Policy)is correct - it ensures only certain resources trigger step- up MFA.
* Option Bis incorrect; the reserved resource base path is unrelated to authentication.
* Option Cis incorrect; changing the context root just changes the URL path prefix.
* Option Dis incorrect; manual ordering of resources is unrelated to enforcing MFA.
Reference:PingAccess Administration Guide -Authentication Challenge Policies

NEW QUESTION # 26
The application team has changed their directory paths. An administrator must adjust the following paths:
* /images/sitel/
* /images/sitel/checkout/default.html
* /images/sitel/homepage/english/default.html
Which pattern would match the paths?

• A. /images/site*
• B. /images/sitel/*
• C. /images/sitel/english/*
• D. /images/aitel/checkout

Answer: B

Explanation:
The pattern/images/sitel/*matches all subpaths and files under the/images/sitel/directory, including nested paths.
Exact Extract:
"The asterisk (*) matches zero or more characters within the path. For example,/images/sitel/*matches all resources under thesitelfolder."
* Option Ais incorrect - it references/aitel/instead of/sitel/.
* Option Bis incorrect -/site*matches strings beginning with "site", but may also match "siteX" incorrectly.
* Option Cis incorrect - it only matches resources under/english/, missing other folders.
* Option Dis correct -/images/sitel/*covers all given examples.
Reference:PingAccess Administration Guide -Resource Path Matching

NEW QUESTION # 27
The performance testing team finds that an API hosted in a remote datacenter is experiencing higher response times compared to similar APIs hosted onsite. Which option in PingAccess can be used to improve performance in this scenario?

• A. Move the API to a separate Virtual Host
• B. Enable Cache Token on the OAuth Resource Server
• C. Reduce the Key Roll Interval on the web session
• D. Reduce the number of attributes in the ID Token

Answer: B

Explanation:
When APIs are remote, latency is introduced by frequent token validation requests. EnablingCache Tokenon the OAuth Resource Server reduces repeated validation calls and improves performance.
Exact Extract:
"The OAuth Resource Server configuration includes aCache Tokenoption that improves performance by reducing round trips for token validation."
* Option Ais incorrect - key rolling affects cryptographic keys, not API latency.
* Option Bis incorrect - virtual hosts control external FQDNs, not performance.
* Option Cis incorrect - token attribute size does not significantly affect remote latency.
* Option Dis correct - caching tokens reduces validation overhead.
Reference:PingAccess Administration Guide -OAuth Resource Server Settings

NEW QUESTION # 28
An administrator needs to use attributes that are not currently available in theIdentity Mapping Attribute Namedropdown. Which action should the administrator take?

• A. Request that the additional attributes be added by the token provider administrator
• B. Request that the additional attributes be added by the web developer
• C. Create a Rewrite Content rule for the additional attributes
• D. Create a Web Session Attribute rule for the additional attributes

Answer: A

Explanation:
Identity Mapping in PingAccess relies on attributes provided by thetoken provider(e.g., PingFederate, OIDC provider). If the desired attributes are not present in the dropdown, it means they are not being provided in the token or userinfo response.
Exact Extract:
"Attributes available in identity mappings are those provided in the web session by the token provider. If attributes are missing, they must be added to the token by the identity provider."
* Option Ais correct - the token provider administrator must configure the IdP to include the additional attributes.
* Option Bis incorrect - rewrite rules modify content but do not supply new identity attributes.
* Option Cis incorrect - developers cannot directly add identity attributes; they must come from the IdP.
* Option Dis incorrect - Web Session Attribute rules only evaluate available attributes; they don't create new ones.
Reference:PingAccess Administration Guide -Identity Mapping and Attributes

NEW QUESTION # 29
An administrator is preparing to rebuild an unrecoverable primary console and must promote the replica admin node. Which two actions must the administrator take? (Choose 2 answers.)

• A. Changepa.operational.modetoCLUSTERED_CONSOLEon the replica admin node.
• B. Changepa.operational.modetoCLUSTERED_CONSOLE_REPLICAon one of the engine nodes.
• C. Restart all nodes in the cluster.
• D. Modifybootstrap.propertiesand set theengine.admin.configuration.hostvalue to point at the replica admin node.
• E. Restart the replica admin node.

Answer: A,D

Explanation:
From the "Promoting the replica administrative node" documentation:
* Exact Extract:
"Open the<PA_HOME>/conf/run.propertiesfile in a text editor. Locate thepa.operational.modeline and change the value fromCLUSTERED_CONSOLE_REPLICAtoCLUSTERED_CONSOLE. These properties are case-sensitive. Do not restart the replica node during the promotion process."Ping Identity Documentation
* Also from the documentation under "Next steps" / manual promotion / "Using the admin API ..."When promoting the replica, there is also mention of setting the new host-port in the primary admin configuration so that engine nodes and configuration references now point to the promoted replica. One of the API properties iseditRunPropertyFile(to flip the mode), another iseditPrimaryHostPort, which causes the primary-admin host setting to be updated.Ping Identity Documentation Using those facts:
Why C is correct:
* Option C says:Changepa.operational.modetoCLUSTERED_CONSOLEon the replica admin node.
This directly matches the documented manual promotion step: switchpa.operational.
modefromCLUSTERED_CONSOLE_REPLICA#CLUSTERED_CONSOLE.Ping Identity
Documentation+1
* This is essential for promoting the replica to primary console.
Why E is correct:
* Option E:Modifybootstrap.propertiesand set theengine.admin.configuration.hostvalue to point at the replica admin node.While the documentation doesn't always name the exact propertyengine.admin.
configuration.host, the "promote via admin API" includes updating the "primary host:port" in the configuration so that engine nodes' configuration queries (or whatever is used by engines) point to the new primary. This maps to ensuring that engine nodes know that the promoted replica is now the administrative node. This requiring modifying the bootstrap or configuration that engine nodes use to find the administrative host is essential.Ping Identity Documentation Why the other options are incorrect:
* A.Changepa.operational.modetoCLUSTERED_CONSOLE_REPLICAon one of the engine nodes.No.
Engine nodes should havepa.operational.mode = CLUSTERED_ENGINE, not console modes.
CLUSTERED_CONSOLE_REPLICAis an admin/replica console mode, not applicable for engines.
docs.ping.directory+2Ping Identity Documentation+2
* B.Restart all nodes in the cluster.The documentation explicitly saysdo not restartthe replica node during the promotion process because restart can cause file corruption or failure to properly promote.
Only certain restarts are neededafterconfiguration updates. So restarting all nodes is not a correct required action.Ping Identity Documentation
* D.Restart the replica admin node.As above, for manual promotion, a restart of the replica admin node is notrequired (and is even discouraged during the promotion process). The change inrun.propertiesis detected without restarting.Ping Identity Documentation Reference:PingAccess Reference Guide -Promoting the replica administrative node / Manually promoting the replica administrative nodePing Identity Documentation+1

NEW QUESTION # 30
A modified application now requires additional attributes to be passed in the headers. What needs to be modified in order to pass the additional attributes?

• A. HTTP Request Header Rule
• B. JWT Identity Mapping
• C. Web Session Attribute Rule
• D. Header Identity Mapping

Answer: D

Explanation:
To pass user attributes into HTTP headers for applications, PingAccess usesIdentity Mappings. When attributes need to be passed specifically as headers, the administrator must update theHeader Identity Mapping.
Exact Extract:
"Header identity mappings map attributes from a user's web session to HTTP headers that are then sent to the back-end application."
* Option A (HTTP Request Header Rule)is incorrect - this adds or modifies static request headers, not user attributes.
* Option B (Header Identity Mapping)is correct - this maps identity attributes into headers dynamically.
* Option C (JWT Identity Mapping)is incorrect - that's used for passing attributes as claims in JWTs.
* Option D (Web Session Attribute Rule)is incorrect - that is for access control evaluation, not propagation of attributes.
Reference:PingAccess Administration Guide -Identity Mapping (Header Identity Mapping)

NEW QUESTION # 31
A protected web application requires that additional attributes be provided once the user is authenticated.
Which two steps must the administrator perform to meet this requirement? (Choose 2 answers.)

• A. Request that the token provider update the ID token with the additional attributes.
• B. Update the Site Authenticator.
• C. Update the Identity Mapping.
• D. Request that the token provider update the access token with the additional attributes.
• E. Update the Web Session.

Answer: C,E

Explanation:
When applications require additional attributes:
* TheWeb Sessionmust be configured to retrieve those attributes from the token provider (OIDC or PingFederate).
* TheIdentity Mappingmust be updated to forward those attributes to the application (e.g., as headers).
Exact Extract:
"Web sessions define how user attributes are retrieved from the token provider. Identity mappings determine how those attributes are inserted into requests to applications."
* Option Ais not necessarily required; attributes can be retrieved via userinfo endpoint or access token, not only ID tokens.
* Option Bis correct - Identity Mappings must be updated to pass attributes to the app.
* Option Cis incorrect - Site Authenticators define how PingAccess authenticates to apps, not attribute handling.
* Option Dis incorrect unless the architecture specifically requires access token updates; PingAccess often uses the Web Session to fetch attributes.
* Option Eis correct - Web Session must be updated to retrieve additional attributes.
Reference:PingAccess Administration Guide -Web Sessions and Identity Mapping

NEW QUESTION # 32
An administrator needs to support SLO (Single Logout) for a protected web application. What must be configured in a PingAccess Web Session in this situation?

• A. SLO scope
• B. Idle timeout
• C. Refresh User Attributes
• D. Validate Session

Answer: A

Explanation:
To enableSingle Logout (SLO), theSLO scopemust be defined in the PingAccess Web Session configuration. This determines which sessions are ended when a logout request occurs.
Exact Extract:
"The SLO scope option in a web session specifies which applications are included in a logout event when Single Logout is triggered."
* Option A (SLO scope)is correct; it explicitly enables SLO support by linking session termination across apps.
* Option B (Idle timeout)is unrelated; this controls session expiration, not SLO.
* Option C (Validate Session)ensures session state is synchronized but does not configure SLO.
* Option D (Refresh User Attributes)is unrelated; it only controls whether attributes are reloaded.
Reference:PingAccess Administration Guide -Configuring Web Sessions

NEW QUESTION # 33
A business requires logs to be written to a centralized Oracle database. Which two actions must the PingAccess administrator take to enable this? (Choose 2 answers.)

• A. Enable the Audit flag in the Resource.
• B. Configure log4j2.xml and log4j2.db.properties.
• C. Remove the logs located in PA_HOME/log.
• D. Copy the database driver JAR file to the PA_HOME/lib directory.
• E. Import the database certificate into the Trusted Certificate Group.

Answer: B,D

Explanation:
PingAccess supports logging directly to a relational database usingLog4j database appenders. To enable this:
* Configurelog4j2.xmlto use a JDBC Appender.
* Configurelog4j2.db.propertieswith the database connection information.
* Provide the appropriate database driver in thePA_HOME/libdirectory.
Exact Extract:
"To log to a database, configure log4j2.xml and log4j2.db.properties, and place the JDBC driver JAR file in PA_HOME/lib."
* Option Ais correct - both files must be configured.
* Option Bis incorrect - existing logs do not need removal.
* Option Cis incorrect - enabling audit is unrelated to database logging.
* Option Dis correct - the Oracle JDBC driver must be installed in PA_HOME/lib.
* Option Eis incorrect unless TLS is used to connect to the DB, but it is not required for standard DB logging setup.
Reference:PingAccess Administration Guide -Log Configuration

NEW QUESTION # 34
Where should an administrator adjustSameSite Cookiesettings?

• A. Rules
• B. Applications
• C. Sites
• D. Web Sessions

Answer: D

Explanation:
TheSameSiteattribute is applied to session cookies to control cross-site behavior. In PingAccess, session cookie configuration (includingSameSite) is defined at theWeb Sessionlevel.
Exact Extract:
"Web session configuration includes cookie attributes such as name, domain, secure flag, HTTPOnly, and SameSite."
* Option A (Rules)is incorrect - rules govern access control, not cookies.
* Option B (Sites)defines backend connections, not session cookies.
* Option C (Applications)ties resources to sessions but does not define cookie behavior.
* Option D (Web Sessions)is correct - session cookie SameSite settings are configured here.
Reference:PingAccess Administration Guide -Web Session Cookies

NEW QUESTION # 35
What is the purpose of theengine.ssl.protocolsin therun.propertiesfile?

• A. To configure the supported ciphers
• B. To configure SSL protocols used for clustering
• C. To configure the supported TLS versions
• D. To configure the supported HTTPS port

Answer: C

Explanation:
The propertyengine.ssl.protocolsinrun.propertiesspecifies the TLS protocol versions that PingAccess engines will support for incoming HTTPS traffic.
Exact Extract:
"Theengine.ssl.protocolsproperty configures which TLS versions are enabled for HTTPS listeners."
* Option A (ciphers)is incorrect - cipher suites are defined separately, not in this property.
* Option B (HTTPS port)is incorrect - the port is defined in the engine listener, not here.
* Option C (TLS versions)is correct - this property controls TLS version support (e.g., TLSv1.2, TLSv1.3).
* Option D (clustering)is incorrect - clustering does not depend on this property.
Reference:PingAccess Administration Guide -run.properties settings

NEW QUESTION # 36
All style sheets should be accessible to all users without authentication across all applications. Which configuration option should the administrator use?

• A. Define a Default Availability Profile of on-demand for the resource.
• B. Define Authentication Challenge Policy of none for the resource.
• C. Define Global Unprotected Resources for the resource.
• D. Define a Protocol Source for the resource.

Answer: C

Explanation:
The correct way to ensure resources such as CSS files, images, or JavaScript are accessible without authentication acrossallapplications is to configureGlobal Unprotected Resources.
Exact Extract:
"Global unprotected resources define resources that do not require authentication and are accessible to all clients across applications."
* Option Ais incorrect; Protocol Sources define back-end host connections, not authentication.
* Option Bwould apply only per-resource, not across all applications.
* Option Cis correct - Global Unprotected Resources are designed for this exact purpose.
* Option D(Availability Profile) is related to application health checks and availability, not authentication.
Reference:PingAccess Administration Guide -Global Unprotected Resources

NEW QUESTION # 37
A PingAccess administrator needs to configure PingAccess to validate tokens. Which two options can the administrator use? (Choose 2 answers)

• A. Kerberos
• B. Common OIDC provider
• C. PingFederate
• D. Common SAML provider
• E. PingAuthorize

Answer: B,C

Explanation:
PingAccess validates access tokens usingAccess Token Managers, which are typically backed by PingFederateor ageneric OIDC provider.
Exact Extract:
"PingAccess validates tokens through Access Token Managers, which can be configured against PingFederate or a common OIDC provider."
* Option A (PingFederate)is correct - the most common token provider.
* Option B (Kerberos)is not supported for token validation.
* Option C (SAML provider)is incorrect - PingAccess does not natively consume SAML assertions.
* Option D (Common OIDC provider)is correct - tokens can be validated against any OIDC- compliant IdP.
* Option E (PingAuthorize)is an authorization engine, not a token provider.
Reference:PingAccess Administration Guide -Access Token Managers

NEW QUESTION # 38
Developers report an issue with an application that is protected by PingAccess. Certain requests are not providing claims that are part of the access token.
What should the administrator add for the access token claims?

• A. A web session attribute rule
• B. An authentication requirement definition
• C. An identity mapping definition
• D. An OAuth attribute rule

Answer: D

Explanation:
In PingAccess, when an application relies on claims from an OAuth access token, you must configure PingAccess to evaluate those claims and potentially inject them into headers for the backend application.
* Exact Extract from PingAccess documentation:
"OAuth rules allow you to evaluate claims in OAuth access tokens. You can configure PingAccess to look at specific claims and enforce policies or pass them to target applications."
"To extract attributes from an access token, configure anOAuth Attribute Rule." This clearly matches optionD.
Analysis of each option:
* A. An authentication requirement definition
* Incorrect. Authentication requirements determine how users authenticate to applications (OIDC provider, etc.), but do not manage access token claims.
* B. A web session attribute rule
* Incorrect. Web session attribute rules map attributes from the authenticated user's web session (SSO session), not from OAuth access tokens.
* C. An identity mapping definition
* Incorrect. Identity mappings transform user attributes (from IdP to app), but they don't directly pull claims from OAuth tokens.
* D. An OAuth attribute rule
* Correct. This rule is specifically designed to extract and enforce policies onclaims from OAuth access tokens.
Therefore, the correct answer isD. An OAuth attribute rule.
Reference:PingAccess Administration Guide-Rules # OAuth Attribute Rules.

NEW QUESTION # 39
What is the default port for the administrative console?

• A. 0
• B. 1
• C. 2
• D. 3

Answer: A

Explanation:
When PingAccess is first installed, theAdministrative Console(the web-based UI for managing configuration) is bound to adefault port of 9000. This is documented in the installation and configuration guides:
* Exact Extract from documentation:
"By default, the administrative console is available athttps://<host>:9000." (PingAccess Installation Guide - Default Ports) This means that unless the administrator has explicitly changed the port inrun.propertiesor during installation, the console will always be available onport 9000.
Option Analysis:
* A. 9000#Correct. Default administrative console port.
* B. 3000#Incorrect. This is not a PingAccess default port.
* C. 9090#Incorrect. Sometimes used by other Ping products for APIs, but not the PingAccess admin console.
* D. 3030#Incorrect. Not a default PingAccess port.
Reference:PingAccess Installation Guide -Default Administrative Console Port (9000).

NEW QUESTION # 40
An internal audit reveals that an agent has been compromised. What action must be taken to re-secure the agent?

• A. Select a new Agent Trusted Certificate
• B. Change theagent.engine.configuration.shared.secretvalue in theagent.propertiesfile
• C. Download and apply a newagent.propertiesfile
• D. Reinstall the agent

Answer: C

Explanation:
When a PingAccess agent is compromised, the secure approach is toinvalidate the existing credentials and issue a new configuration filefrom the PingAccess Admin Console. This provides a freshagent.propertiesfile with new secrets, ensuring compromised keys cannot be reused.
Exact Extract:
"If an agent is compromised, revoke and regenerate the agent configuration by downloading a newagent.
propertiesfile from the administrative console."
* Option Ais incorrect - manually changing the secret in the file does not propagate it to PingAccess.
* Option Bis incorrect - trusted certificates are not tied to agent authentication.
* Option Cis unnecessary - reinstalling the agent does not reset credentials.
* Option Dis correct - downloading a newagent.propertiesfile re-secures the agent.
Reference:PingAccess Administration Guide -Agent Management

NEW QUESTION # 41
An administrator must protect a configuration by changing the default key. Which script can be used to meet this goal?

• A. obfuscate.bat
• B. db-passwd-rotate.bat
• C. memoryoptions.bat
• D. run.bat

Answer: A

Explanation:
PingAccess usesobfuscated keysto secure sensitive configuration values (like passwords). Theobfuscate.bat (Windows) orobfuscate.sh(Linux) script is used to generate a new key and protect sensitive data.
Exact Extract:
"Useobfuscate.[bat|sh]to generate a new obfuscation key for protecting configuration values."
* Option A (db-passwd-rotate.bat)is not a valid PingAccess script.
* Option B (memoryoptions.bat)configures JVM memory, not encryption.
* Option C (run.bat)starts PingAccess.
* Option D (obfuscate.bat)is correct - it is used to protect sensitive configuration.
Reference:PingAccess Administration Guide -Configuration Security and Obfuscation

NEW QUESTION # 42
An administrator is integrating a new PingAccess Proxied Application. The application will temporarily need a self-signed certificate during the POC/demo phase. PingAccess is terminating SSL and is responsible for loading the SSL certificate for the application.
What initial action must the administrator take in PingAccess in this situation?

• A. Go to the Key Pairs section and create a new certificate
• B. Go to the Key Pairs section and import the PKCS#12 file provided by the publicly trusted Certificate Authority
• C. Go to the Key Pairs section and import the PKCS#12 file provided by the customer's internal Certificate Authority
• D. Go to the Certificates section and create a new certificate

Answer: A

Explanation:
For SSL termination, PingAccess requires aKey Pair(certificate + private key). During a POC/demo, when a self-signed certificateis used, the administrator can create it directly in theKey Pairssection of the console.
Exact Extract:
"Use the Key Pairs section to create self-signed certificates for testing or proof-of-concept deployments. For production, import a PKCS#12 file containing a certificate chain and private key."
* Option Ais incorrect - Certificates store trust anchors (CAs), not SSL termination certs.
* Option Bis incorrect - an internal CA-signed cert requires PKCS#12 import, not self-signed creation.
* Option Cis incorrect - a publicly trusted CA is not used for a demo phase.
* Option Dis correct - creating a new certificate in Key Pairs generates a self-signed cert suitable for demos.
Reference:PingAccess Administration Guide -Key Pairs and Certificates

NEW QUESTION # 43
How many administrators are supported using HTTP Basic Authentication in the Administrative Console?

• A. 0
• B. 1
• C. 2
• D. 3

Answer: B

Explanation:
When usingHTTP Basic Authentication(admin.auth=native), PingAccess only supports asingle administrative account(the default admin user). For multiple administrators, SSO integration (e.g., OIDC) is required.
Exact Extract:
"When admin authentication is set to native (HTTP Basic), only one administrative user is supported. For multiple admins, configure UI authentication with an OIDC provider."
* Option A (1000)is incorrect.
* Option B (1)is correct - only one basic auth admin account.
* Option C (10)andOption D (100)are incorrect.
Reference:PingAccess Administration Guide -Admin Authentication

NEW QUESTION # 44
What is the purpose of the Mutual TLS Site Authenticator?

• A. Allows PingAccess to authenticate to the backend server
• B. Allows the backend server to authenticate to PingAccess
• C. Allows the user to authenticate to the backend server
• D. Allows PingAccess to authenticate to the token provider

Answer: A

Explanation:
Mutual TLS (mTLS) is used to establishtwo-way authenticationwhere both the client and the server present certificates to prove their identity. In the case of PingAccess, aMutual TLS Site Authenticatoris configured when PingAccess acts as a reverse proxy making requests to a backend (target) server.
* Exact Extract from PingAccess documentation:
"Mutual TLS site authenticators provide client certificate authentication when PingAccess connects to a backend site. This allows PingAccess to present its certificate to the target server during the TLS handshake." This means the purpose is forPingAccess (client) to authenticate itself to the backend server (target resource)when establishing a secure connection.
Why other options are wrong:
* A. Allows the backend server to authenticate to PingAccess
* Incorrect. That's normal server-side TLS authentication (the server presents a cert to the client), not mutual TLS initiated by PingAccess.
* B. Allows the user to authenticate to the backend server
* Incorrect. End users do not directly use this setting; this is between PingAccess and the backend application server.
* C. Allows PingAccess to authenticate to the backend server
* Correct. This is exactly the definition of a Mutual TLS Site Authenticator in PingAccess.
* D. Allows PingAccess to authenticate to the token provider
* Incorrect. That would involve OIDC/OAuth token exchange and possibly TLS trust, but it's not the role of the Site Authenticator.
Thus, the correct answer isC. Allows PingAccess to authenticate to the backend server.
Reference:PingAccess Administration Guide-Configuring Site Authenticators (Mutual TLS).

NEW QUESTION # 45
What is the purpose of theadmin.authconfiguration setting?

• A. To define the method to use for authenticating to the administrative API.
• B. To configure SSO for the administrative user interface.
• C. To enable automatic authentication to the PingAccess administrative console.
• D. To override the SSO configuration for the administrative user interface.

Answer: D

Explanation:
Theadmin.authsetting in therun.propertiesfile is used to specify a fallback authentication method for the administrative console.
Exact Extract from official documentation:
"To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication." This makes it clear that the purpose ofadmin.authis tooverrideany configured SSO for the admin UI and enforce native (basic) authentication instead.
* Option Ais incorrect because theadmin.authsetting does not configure SSO. SSO for the admin UI is configured separately.
* Option Bis incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.
* Option Cis correct because it directly reflects the documented behavior:admin.authoverrides SSO configuration for the administrative UI and enables native authentication.
* Option Dis incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.
Reference:PingAccess User Interface Reference Guide -Configuring Admin UI SSO Authentication

NEW QUESTION # 46
An administrator needs to add a set of rules to an application protected by a PingAccess agent. Which rule will be unavailable to add to the application?

• A. Rate Limiting
• B. Rewrite Cookie Domain
• C. Cross-Origin Request
• D. Network Range

Answer: B

Explanation:
PingAccess distinguishes betweengateway rulesandagent rules. Some processing rules, such asRewrite Cookie Domain, only apply when PingAccess is acting as areverse proxy (gateway), not when protecting applications viaagents.
Exact Extract:
"Rewrite Cookie Domain rules are not supported for agent applications. They are only available for proxied (gateway) applications."
* Option A (Rewrite Cookie Domain)is correct - unavailable with agent applications.
* Option B (Network Range)is available for both agents and gateways.
* Option C (Rate Limiting)is supported on both application types.
* Option D (Cross-Origin Request)is also supported in both.
Reference:PingAccess Administration Guide -Agent vs. Gateway Rules

NEW QUESTION # 47
......

Ping Identity PingAccess -PAP-001 Exam-Practice-Dumps: https://www.testinsides.top/PAP-001-dumps-review.html

PAP-001 Premium Files Test pdf - Free Dumps Collection: https://drive.google.com/open?id=1AyZoEQNRMWQUgzgft4o760Fzhi1E5JLo