When a resource is configured asanonymous, PingAccess does not challenge the user for authentication. However, certain processing and identity propagation still occur.

Exact Extract:

“Anonymous resources do not require authentication. Identity mappings and request/response processing rules still apply.”

Option Ais incorrect because rules such as identity mappings and processing still apply.

Option Bis correct — Identity Mappings can still forward attributes, even for anonymous access.

Option Cis correct — Processing rules (e.g., request/response modifications) still apply.

Option Dis incorrect — requestsarelogged; anonymous does not disable logging.

Option Eis incorrect — access control rules (authorization) are not evaluated for anonymous resources.

Modern browsers enforce stricter cookie handling rules. If cookies are not configured correctly with theSameSiteattribute, behavior can differ across browsers, leading to inconsistent authentication and access denials. Security exceptions may appear when session cookies are blocked.

Exact Extract:

“The SameSite cookie setting defines how browsers send cookies in cross-site requests. Misconfigured SameSite values can lead to inconsistent application behavior across browsers.”

Option A (Enable PKCE)is related to OAuth flow security, not browser cookie behavior.

Option B (SameSite Cookie)is correct — this directly explains the inconsistent browser issues.

Option C (Request Preservation)ensures query parameters are kept, not related to cross-browser session handling.

Option D (Validate Session)checks session state but does not address browser inconsistencies.

Because the application context root is/parts, resource paths are defined relative to it. The correct relative path is:

/suspension/struts/manufacturer

Exact Extract:

“Resource matching begins at the context root. The most specific matching path is selected.”

Option Ais incorrect —/*/struts/manufacturerdoes not match because it starts with a wildcard, not the defined path.

Option Bis incorrect —/*/manufacturerwould match less specifically and at a different depth.

Option Cis correct — exact match relative to/parts.

Option Dis incorrect — too generic and not the best match.

Legacy PKIs often provide certificate chains that areout of orderor non-compliant with RFC-5280 path validation. PingAccess provides an option in Trusted Certificate Groups calledValidate disordered certificate chainsto allow chaining even if the order is not RFC-5280 compliant.

Exact Extract:

“EnableValidate disordered certificate chainswhen the certificate chain is not in RFC-5280 compliant order but should still be accepted.”

Option Ais incorrect; using the Java trust store is unrelated to PKI ordering.

Option Bis correct — this setting allows PingAccess to process disordered certificate chains.

Option Cis incorrect; date checks are unrelated to RFC-5280 path ordering.

Option Dis incorrect; revocation status handling does not address legacy PKI ordering issues.

PingAccess rules are categorized intoAccess Control RulesandProcessing Rules.

Processing Rulesmodify or add to HTTP requests and responses.

Cross-Origin Request (CORS)is specifically listed as aProcessing Rule, because it modifies response headers to support cross-origin requests.

Exact Extract:

“Processing rules apply to HTTP traffic, such as Cross-Origin Resource Sharing (CORS), header injection, or response modification.”

Option A (Web Session Attribute)is an access control rule.

Option B (Cross-Origin Request)is correct — this is a processing rule.

Option C (HTTP Request Parameter)is an access control rule.

Option D (HTTP Request Header)is an access control rule.

PingAccess service scripts depend on knowing:

Where the Java runtime is installed (JAVA_HOME)

Where PingAccess itself is installed (PA_HOME)

Exact Extract:

“The PingAccess startup scripts require theJAVA_HOMEenvironment variable to locate the JDK/JRE and thePA_HOMEvariable to locate the PingAccess installation directory.”

Option A (J2EE_HOME)is irrelevant to PingAccess.

Option B (JAVA_HOME)is correct — needed for Java execution.

Option C (PA_PATH)is not a standard variable.

Option D (PA_HOME)is correct — required to point to the PingAccess installation root.

Option E (JAVA_PATH)is not valid;PATHcan include Java, butJAVA_HOMEis the correct environment variable.

Exact Extract (from PingAccess documentation):

“The key pair that you create for theCONFIG QUERYlistener must include both the administrative node and the replica administrative node. To make sure the replica administrative node is included, you can eitheruse a wildcard certificateordefine subject alternative namesin the key pair that use the replica administrative node’s DNS name.”

Why B and D are correct:

*B. Subject = .company.com— A wildcard certificate for *.company.com is valid for both pa-admin.company.com and pa-admin2.company.com, satisfying the documented requirement that the key pair include both hostnames for the CONFIG QUERY listener.

D. Subject Alternative Names = pa-admin.company.com, pa-admin2.company.com— Explicitly placing both DNS names in the SAN extension also satisfies the requirement that the certificate cover both the administrative node and the replica administrative node.

Why the other options are incorrect:

A. Issuer = pa-admin.company.com— TheIssuerfield identifies the certificate authority (CA) that signed the certificate, not the service hostname. Setting the issuer to a host value is not how X.509 server certificates are validated and would not meet the hostname‑matching requirement.

C. Subject = pa-admin.company.com— While this covers the administrative node, itdoes not include the replica administrative node. Without a wildcard or SAN entries, it fails the requirement that the key pair include both hostnames.

E. Subject = pa-admin2.company.com— Similarly, this would only cover the replica administrative node andnotthe primary administrative node, failing the requirement.