効率的なPT-AM-CPE合格体験記 & 資格試験のリーダープロバイダー & 無料ダウンロードPT-AM-CPE対応問題集有益な取引を行うだけでなく、Ping IdentityユーザーがPT-AM-CPE証明書を取得するまでの最短時間で試験に合格できるようにしたいと考えています。 PT-AM-CPE試験のプラクティスを選択すると、It-Passports試験の準備に20〜30時間しかかかりません。 PT-AM-CPEの学習教材は試験の概要とPT-AM-CPEガイドの質問の質問に密接に関連しているため、このような短い時間ですべてのコンテンツを終了できるかどうかを尋ねる場合があります。 最新の基本的なCertified Professional - PingAM Exam知識に関連しています。 PT-AM-CPE試験問題に合格した場合のみ、PT-AM-CPE試験に合格します。 Ping Identity Certified Professional - PingAM Exam 認定 PT-AM-CPE 試験問題 (Q59-Q64):質問 # 59
If PingAM is deployed in Apache Tomcat under /openam, what file system backups should be taken when PingAM needs to be upgraded?
A. Back up /path/to/tomcat/webapps/openam/ only
B. Back up /path/to/tomcat/webapps/openam/, <home directory>/openam/ and <home directory>/.openamcfg/
C. No explicit backups are required for PingAM as this is done automatically
D. Execute the PingAM backup script in /path/to/tomcat/webapps/openam/
正解:B
解説:
According to the PingAM 8.0.2 Upgrade Guide and the "Plan the upgrade" documentation, a successful upgrade and potential rollback strategy rely on capturing the complete state of the application across three distinct locations on the filesystem. When PingAM is deployed in a container like Apache Tomcat, the configuration is not stored within the WAR file itself but is distributed to maintain persistence across redeployments.
The three critical areas that must be backed up are:
The Web Application Directory (/path/to/tomcat/webapps/openam/): This contains the expanded binaries, JSPs, and web-level configurations. While the upgrade involves replacing the openam.war file, backing up this folder preserves any manual customizations made to the UI, CSS, or specific library additions (JARs) in the WEB-INF/lib folder.
The Configuration Directory (<home directory>/openam/ or similar): This is the most vital component. By default, PingAM stores its instance-specific configuration, cryptographic keys (keystores), and internal metadata here. For file-based configurations (FBC), this directory holds the entire system state. Even with an external PingDS configuration store, this directory contains the bootstrap file and security secrets required to connect to that store.
The Bootstrap Configuration File (<home directory>/.openamcfg/): This hidden directory contains a file (usually named after the deployment path, e.g., am or openam) that tells the PingAM binaries where the actual configuration directory is located. Without this pointer, a restored PingAM instance will behave like a fresh installation and prompt for a new setup.
The documentation explicitly warns: "Always back up your deployment before you upgrade... For AM servers, you can roll back by restoring from a file system backup of the deployed servers and their configuration directories." Relying only on the webapps folder (Option A) or assuming automatic backups (Option B) will lead to data loss or an unrecoverable state.
質問 # 60
In order to support rollback in case of a failed PingAM upgrade in a two server PingDS environment, what PingDS safety measure can be configured?
A. A PingAM upgrade in a two server PingDS environment does not support rollback
B. Stop replication between the two PingDS servers, stop a PingDS instance, upgrade against the active PingDS instance, and use the shutdown instance in case of rollback
C. Keep both PingDS instances active, upgrade against both PingDS instances, and use the PingDS ./uninstall.sh backout script if required
D. Stop replication between the two PingDS servers, stop a PingDS instance, upgrade against the active PingDS instance, and simply start up the shutdown PingDS instance
正解:B
解説:
Upgrading PingAM 8.0.2 in an environment with multiple PingDS (Directory Server) instances requires a careful strategy to ensure data integrity and to allow for an immediate Rollback if the upgrade fails or introduces instability.6 According to the PingAM "Plan for Rollback" and "Upgrade in a Replicated Environment" documentation, the recommended safety measure involves isolating one of the data store nodes to act as a "time-capsule" of the pre-upgrade state. The process is as follows:
Stop Replication: Before starting the upgrade, administrators should disable or stop replication between the PingDS nodes. This prevents any schema changes or data modifications performed during the AM upgrade from being propagated to the backup node.
Isolate a Node: One PingDS instance is shut down or taken out of the load balancer rotation. This instance remains in its original, healthy state.
Perform the Upgrade: The PingAM upgrade is performed against the remaining active PingDS instance. If the upgrade involves schema updates (which is common when moving to version 8.0.2), only the active node's data is modified.
Rollback Path: If the upgrade fails, the administrator can simply shut down the "corrupted" upgraded environment and restart the isolated PingDS instance along with the original PingAM WAR file. Because replication was stopped, the isolated node still contains the original configuration and user data.
Option D is the only answer that correctly identifies this "safety-net" architecture. Option A is risky because a failed upgrade would corrupt both instances. Option C is incomplete because simply "starting up" the shutdown instance after an upgrade doesn't account for how you handle the discrepancy between the upgraded and non-upgraded nodes. The goal is to keep the shutdown instance as a valid, un-touched recovery point.
質問 # 61
A PingAM administrator wants to deny access to an area of a protected application if the end user has been logged in for more than 10 minutes. How can this be achieved?
A. Use a policy with a Current session properties environment condition
B. Use a policy with an Active session time environment condition
C. Use a policy with a Time environment condition
D. Use a policy with a Scripted environment condition
正解:D
解説:
To enforce complex authorization logic based on session duration, PingAM 8.0.2 administrators must move beyond the static "Out-of-the-Box" conditions.
Analysis of the options based on the "Policy Conditions" documentation:
Time Condition (Option A): This condition is used to restrict access based on the clock time of day or day of the week (e.g., "Allow access only between 9 AM and 5 PM"). It does not track the elapsed time of a specific user session.
Current Session Properties (Option B): This condition checks for the presence of specific key-value pairs in a session. While a session contains a startTime property, this condition is designed for matching static values (like department=HR), not for performing mathematical time calculations.
Active Session Time (Option D): This is not a standard default condition name in the PingAM 8.0.2 policy engine.
The Correct Approach (Option C): A Scripted Policy Condition is required for this use case. Within a Policy Condition script, the administrator has access to the session object. The script can retrieve the startTime (or creationTime) of the session and compare it against the current system time (currentTime).
Example logic in the script:
var sessionStartTime = session.getProperty("startTime");
var maxDuration = 10 * 60 * 1000; // 10 minutes in milliseconds
if ((currentTime - sessionStartTime) > maxDuration) { authorized = false; } By using a script, PingAM can dynamically calculate the age of the session at the moment of the access request and return a "Deny" decision if the 10-minute threshold has been exceeded. This provides the granular control needed for high-security environments where "session freshness" is a requirement for specific sensitive resources.
質問 # 62
In PingAM, which OpenID Connect endpoint can be used to validate an unencrypted ID token?
A. /oauth2/idtokeninfo
B. /oauth2/tokeninfo
C. /oauth2/userinfo
D. /oauth2/introspect
正解:A
解説:
While OpenID Connect (OIDC) is built on top of OAuth2, it introduces specific endpoints for handling ID Tokens (the identity layer). In PingAM 8.0.2, when a client receives an ID Token, it is recommended to validate it locally using the provider's public keys. However, PingAM also provides a convenience endpoint for validation.
According to the "OpenID Connect 1.0 Endpoints" documentation:
/oauth2/idtokeninfo (Option A): This is the dedicated endpoint designed to receive an ID Token as a parameter.8 It validates the token's signature, checks the expiration and audience, and returns the claims contained within the token in a JSON format. This is specifically used for unencrypted ID tokens.
/oauth2/userinfo (Option B): This endpoint returns claims about the authenticated user but requires a valid Access Token in the authorization header, not an ID Token.9
/oauth2/introspect (Option C): This is a standard OAuth2 endpoint (RFC 7662) used to check the metadata and "activeness" of Access Tokens or Refresh Tokens, not the internal identity claims of an OIDC ID Token.10
/oauth2/tokeninfo (Option D): This is a legacy/non-standard endpoint that was used in older versions for Access Token validation and is not the primary OIDC validation endpoint in version 8.0.2.11 Therefore, for the specific task of validating an ID Token and retrieving its claims, /oauth2/idtokeninfo is the correct and authoritative endpoint in the PingAM 8.0.2 OIDC implementation.
質問 # 63
Examining the following JSON object, what is a valid value for the type part (shown in bold font) of the claim value in a PingAM implementation?
JSON
JSON
"act": {
"sub": "(type!subject)"
}
A. uid
B. agent
C. usr
D. user
正解:C
解説:
The JSON object structure provided refers to the Actor (act) claim used in OAuth 2.0 Token Exchange (RFC 8693) within PingAM 8.0.2. This claim is essential for scenarios involving delegation or impersonation, where one entity (the actor) is performing an action on behalf of another (the subject). In PingAM, the sub (subject) field within the act claim follows a specific internal format: (type!subject).
According to the PingAM 8.0.2 documentation regarding Token Exchange Configuration, the type part of this string is a mandatory prefix that identifies the category of the identity acting as the delegate. The documentation explicitly defines two primary valid values for this type field:
usr: This specifies that the subject is a user/identity from an identity store. For instance, if a user is acting on behalf of another user, the claim would appear as "(usr!username)".
age: This specifies that the subject is an OAuth 2.0/OpenID Connect-related agent or client. Examples include an OAuth 2.0 client, a Remote Consent Service agent, or a Web/Java Agent internal client. An example would be "(age!myClientID)".
While "user" and "agent" are the descriptive terms for these categories, the actual technical values recognized and emitted by PingAM in the claim string are the three-letter shorthand codes. Therefore, usr (Option B) is the correct valid value. Choosing "user" (Option D) would be technically incorrect in the context of the exact string format required by the AM engine. This formatting ensures that when the token is introspected or validated, the resource server can correctly parse whether the actor is a human user or a machine client.