Legacy PKIs often provide certificate chains that are out of order or non-compliant with RFC-5280 path validation. PingAccess provides an option in Trusted Certificate Groups called Validate disordered certificate chains to allow chaining even if the order is not RFC-5280 compliant.

Exact Extract:

“Enable Validate disordered certificate chains when the certificate chain is not in RFC-5280 compliant order but should still be accepted.”

Option A is incorrect; using the Java trust store is unrelated to PKI ordering.

Option B is correct — this setting allows PingAccess to process disordered certificate chains.

Option C is incorrect; date checks are unrelated to RFC-5280 path ordering.

Option D is incorrect; revocation status handling does not address legacy PKI ordering issues.

In Log4j2, the Logger element controls the log level ( INFO , DEBUG , ERROR , etc.) for specific packages or classes.

Exact Extract:

“To modify logging levels, edit the < Logger > element in log4j2.xml and change the level attribute.”

Option A (AsyncLogger) is a performance optimization, not for changing levels.

Option B (RollingFile) defines file rotation, not log levels.

Option C (Logger) is correct — this is where log levels are defined.

Option D (Appenders) define output destinations, not severity levels.

PingAccess enforces step-up or multi-factor authentication using Authentication Requirements , which can be applied to specific resources within an application.

Exact Extract:

“Authentication requirements allow administrators to configure additional authentication (for example, MFA) when accessing sensitive application resources.”

Option A (UI Authentication) applies to access to the admin console , not application resources.

Option B (Auth Token Management) relates to OAuth token lifetimes and refresh, not MFA enforcement.

Option C (Authentication Requirements) is correct — these rules enforce MFA or step-up auth for specific URLs/resources.

Option D (Authentication Challenge Policy) governs how failed auth challenges are presented but does not enforce MFA.

For SSL termination, PingAccess requires a Key Pair (certificate + private key). During a POC/demo, when a self-signed certificate is used, the administrator can create it directly in the Key Pairs section of the console.

Exact Extract:

“Use the Key Pairs section to create self-signed certificates for testing or proof-of-concept deployments. For production, import a PKCS#12 file containing a certificate chain and private key.”

Option A is incorrect — Certificates store trust anchors (CAs), not SSL termination certs.

Option B is incorrect — an internal CA-signed cert requires PKCS#12 import, not self-signed creation.

Option C is incorrect — a publicly trusted CA is not used for a demo phase.

Option D is correct — creating a new certificate in Key Pairs generates a self-signed cert suitable for demos.

PingAccess terminates SSL at the Virtual Host level. To configure an existing certificate, the administrator must assign the appropriate Key Pair (which contains the certificate and private key) to the Virtual Host.

Exact Extract:

“SSL termination occurs on the engine listener through virtual hosts. Assign the certificate’s key pair to the virtual host to secure proxied applications.”

Option A is correct — assign the key pair to the Virtual Host for SSL termination.

Option B is incorrect — Require HTTPS enforces secure access but does not configure SSL termination.

Option C is incorrect — Agent Listener is for PingAccess Agents, not proxied apps.

Option D is incorrect — secure flag affects cookie settings, not SSL certificates.

PingAccess automatically creates configuration archive backups whenever changes are made. These are stored in the data/archive directory.

Exact Extract:

“PingAccess stores configuration archive files in the PA_HOME/data/archive directory.”

Option A (tools) is incorrect — contains administrative scripts.

Option B (conf) is incorrect — holds configuration files like run.properties .

Option C (data) is correct — archives are stored under data/archive .

Option D (bin) is incorrect — contains executables and scripts.

When using HTTP Basic Authentication ( admin.auth=native ), PingAccess only supports a single administrative account (the default admin user). For multiple administrators, SSO integration (e.g., OIDC) is required.

Exact Extract:

“When admin authentication is set to native (HTTP Basic), only one administrative user is supported. For multiple admins, configure UI authentication with an OIDC provider.”

Option A (1000) is incorrect.

Option B (1) is correct — only one basic auth admin account.

Option C (10) and Option D (100) are incorrect.

PingAccess rules are categorized into Access Control Rules and Processing Rules .

Processing Rules modify or add to HTTP requests and responses.

Cross-Origin Request (CORS) is specifically listed as a Processing Rule , because it modifies response headers to support cross-origin requests.

Exact Extract:

“Processing rules apply to HTTP traffic, such as Cross-Origin Resource Sharing (CORS), header injection, or response modification.”

Option A (Web Session Attribute) is an access control rule.

Option B (Cross-Origin Request) is correct — this is a processing rule.

Option C (HTTP Request Parameter) is an access control rule.

Option D (HTTP Request Header) is an access control rule.

Because the application context root is /parts , resource paths are defined relative to it. The correct relative path is:

/suspension/struts/manufacturer

Exact Extract:

“Resource matching begins at the context root. The most specific matching path is selected.”

Option A is incorrect — /*/struts/manufacturer does not match because it starts with a wildcard, not the defined path.

Option B is incorrect — /*/manufacturer would match less specifically and at a different depth.

Option C is correct — exact match relative to /parts .

Option D is incorrect — too generic and not the best match.

PingAccess uses Engine Listeners for SSL termination of proxied applications. To minimize the number of certificates, administrators can:

Use a wildcard certificate (e.g., *.customer.com ) on the engine listener.

Use a Subject Alternative Name (SAN) certificate that covers multiple FQDNs under the customer.com domain.

Exact Extract:

“PingAccess engine listeners can use certificates containing either wildcard entries or Subject Alternative Names to secure multiple applications under a single domain.”

Option A is incorrect — assigning unique key pairs increases, not decreases, certificate management overhead.

Option B is correct — a wildcard certificate covers all subdomains (e.g., app1.customer.com , app2.customer.com ).

Option C is correct — a SAN certificate lists multiple FQDNs explicitly.

Option D is incorrect — agent listeners don’t handle SSL termination for proxied apps.

Option E is incorrect for the same reason — agent listeners aren’t used for SSL.