The pattern/images/sitel/*matches all subpaths and files under the/images/sitel/directory, including nested paths.

Exact Extract:

“The asterisk (*) matches zero or more characters within the path. For example,/images/sitel/*matches all resources under thesitelfolder.”

Option Ais incorrect — it references/aitel/instead of/sitel/.

Option Bis incorrect —/site*matches strings beginning with “site”, but may also match “siteX” incorrectly.

Option Cis incorrect — it only matches resources under/english/, missing other folders.

Option Dis correct —/images/sitel/*covers all given examples.

PingAccess validates access tokens usingAccess Token Managers, which are typically backed byPingFederateor ageneric OIDC provider.

Exact Extract:

“PingAccess validates tokens through Access Token Managers, which can be configured against PingFederate or a common OIDC provider.”

Option A (PingFederate)is correct — the most common token provider.

Option B (Kerberos)is not supported for token validation.

Option C (SAML provider)is incorrect — PingAccess does not natively consume SAML assertions.

Option D (Common OIDC provider)is correct — tokens can be validated against any OIDC-compliant IdP.

Option E (PingAuthorize)is an authorization engine, not a token provider.

Applications consuming signed JWTs need theJSON Web Key Set (JWKS)endpoint to retrieve the public keys used for validating JWT signatures. PingAccess exposes this at/pa/authtoken/JWKS.

Exact Extract:

“When using JWT identity mapping, applications can obtain the signing keys from the/pa/authtoken/JWKSendpoint to validate the JWT signature.”

Option Ais correct —/pa/authtoken/JWKSprovides the key set for signature validation.

Option Bis incorrect — that’s an administrative API for configuring identity mappings, not a runtime validation endpoint.

Option Cis incorrect —/pa/aidc/cbis the OIDC callback endpoint.

Option Dis incorrect —/pa-admin-api/v3/authTokenManagementis for admin token management, not JWT validation.

PingAccess usesEngine Listenersfor SSL termination of proxied applications. To minimize the number of certificates, administrators can:

Use awildcard certificate(e.g.,*.customer.com) on the engine listener.

Use aSubject Alternative Name (SAN) certificatethat covers multiple FQDNs under thecustomer.comdomain.

Exact Extract:

“PingAccess engine listeners can use certificates containing either wildcard entries or Subject Alternative Names to secure multiple applications under a single domain.”

Option Ais incorrect — assigning unique key pairs increases, not decreases, certificate management overhead.

Option Bis correct — a wildcard certificate covers all subdomains (e.g.,app1.customer.com,app2.customer.com).

Option Cis correct — a SAN certificate lists multiple FQDNs explicitly.

Option Dis incorrect — agent listeners don’t handle SSL termination for proxied apps.

Option Eis incorrect for the same reason — agent listeners aren’t used for SSL.

PingAccess service scripts depend on knowing:

Where the Java runtime is installed (JAVA_HOME)

Where PingAccess itself is installed (PA_HOME)

Exact Extract:

“The PingAccess startup scripts require theJAVA_HOMEenvironment variable to locate the JDK/JRE and thePA_HOMEvariable to locate the PingAccess installation directory.”

Option A (J2EE_HOME)is irrelevant to PingAccess.

Option B (JAVA_HOME)is correct — needed for Java execution.

Option C (PA_PATH)is not a standard variable.

Option D (PA_HOME)is correct — required to point to the PingAccess installation root.

Option E (JAVA_PATH)is not valid;PATHcan include Java, butJAVA_HOMEis the correct environment variable.

Because the application context root is/parts, resource paths are defined relative to it. The correct relative path is:

/suspension/struts/manufacturer

Exact Extract:

“Resource matching begins at the context root. The most specific matching path is selected.”

Option Ais incorrect —/*/struts/manufacturerdoes not match because it starts with a wildcard, not the defined path.

Option Bis incorrect —/*/manufacturerwould match less specifically and at a different depth.

Option Cis correct — exact match relative to/parts.

Option Dis incorrect — too generic and not the best match.

All onboarding in PingAccess begins with defining anApplication. Once the application exists, the administrator can defineResourceswithin it and assign different rules to those resources.

Exact Extract:

“Before you can configure resources and rules, you must first create an application in PingAccess.”

Option A (Identity Mapping)may be required later but not the first step.

Option B (Web Session)can be shared but is not the first onboarding step.

Option C (Application)is correct — the starting point for onboarding.

Option D (Resource)comes after creating the application.