Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Ping Identity
  5. PAP-001

Ping Identity PAP-001 Exam
Certified Professional - PingAccess (Page 5 )

Updated On: 7-Feb-2026
Page 3 of 15
PDF with 70 Questions

All style sheets should be accessible to all users without authentication across all applications.
Which configuration option should the administrator use?

  1. Define a Protocol Source for the resource.
  2. Define Authentication Challenge Policy of none for the resource.
  3. Define Global Unprotected Resources for the resource.
  4. Define a Default Availability Profile of on-demand for the resource.

Answer(s): C

Explanation:

The correct way to ensure resources such as CSS files, images, or JavaScript are accessible without authentication across all applications is to configure Global Unprotected Resources.
Exact Extract:
"Global unprotected resources define resources that do not require authentication and are accessible to all clients across applications."
Option A is incorrect; Protocol Sources define back-end host connections, not authentication. Option B would apply only per-resource, not across all applications. Option C is correct -- Global Unprotected Resources are designed for this exact purpose. Option D (Availability Profile) is related to application health checks and availability, not authentication.


Reference:

PingAccess Administration Guide ­ Global Unprotected Resources



An administrator is preparing to rebuild an unrecoverable primary console and must promote the replica admin node.
Which two actions must the administrator take? (Choose 2 answers.)

  1. Change pa.operational.mode to CLUSTERED_CONSOLE_REPLICA on one of the engine nodes.
  2. Restart all nodes in the cluster.
  3. Change pa.operational.mode to CLUSTERED_CONSOLE on the replica admin node.
  4. Restart the replica admin node.
  5. Modify bootstrap.properties and set the engine.admin.configuration.host value to point at the replica admin node.

Answer(s): C,E

Explanation:

From the "Promoting the replica administrative node" documentation:
Exact Extract:
"Open the <PA_HOME>/conf/run.properties file in a text editor. Locate the pa.operational.mode line and change the value from CLUSTERED_CONSOLE_REPLICA to CLUSTERED_CONSOLE. These properties are case-sensitive. Do not restart the replica node during the promotion process." Ping Identity Documentation
Also from the documentation under "Next steps" / manual promotion / "Using the admin API ..." When promoting the replica, there is also mention of setting the new host-port in the primary admin configuration so that engine nodes and configuration references now point to the promoted replica. One of the API properties is editRunPropertyFile (to flip the mode), another is editPrimaryHostPort, which causes the primary-admin host setting to be updated. Ping Identity Documentation Using those facts:
Why C is correct:
Option C says: Change pa.operational.mode to CLUSTERED_CONSOLE on the replica admin node. This directly matches the documented manual promotion step: switch pa.operational.mode from CLUSTERED_CONSOLE_REPLICA CLUSTERED_CONSOLE. Ping Identity Documentation+1 This is essential for promoting the replica to primary console.
Why E is correct:
Option E: Modify bootstrap.properties and set the engine.admin.configuration.host value to point at the replica admin node.
While the documentation doesn't always name the exact property engine.admin.configuration.host, the "promote via admin API" includes updating the "primary host:port" in the configuration so that engine nodes' configuration queries (or whatever is used by engines) point to the new primary. This maps to ensuring that engine nodes know that the promoted replica is now the administrative node. This requiring modifying the bootstrap or configuration that engine nodes use to find the administrative host is essential. Ping Identity Documentation Why the other options are incorrect:
A . Change pa.operational.mode to CLUSTERED_CONSOLE_REPLICA on one of the engine nodes. No. Engine nodes should have pa.operational.mode = CLUSTERED_ENGINE, not console modes. CLUSTERED_CONSOLE_REPLICA is an admin/replica console mode, not applicable for engines.
docs.ping.directory+2Ping Identity Documentation+2
B . Restart all nodes in the cluster.
The documentation explicitly says do not restart the replica node during the promotion process because restart can cause file corruption or failure to properly promote. Only certain restarts are needed after configuration updates. So restarting all nodes is not a correct required action. Ping Identity Documentation
D . Restart the replica admin node.
As above, for manual promotion, a restart of the replica admin node is not required (and is even discouraged during the promotion process). The change in run.properties is detected without restarting. Ping Identity Documentation


Reference:

PingAccess Reference Guide ­ Promoting the replica administrative node / Manually promoting the replica administrative node Ping Identity Documentation+1



An administrator needs to reduce the number of archive backups that are maintained in the data/archive folder.
Which file does the administrator need to modify to make this change?

  1. log4j2.db.properties
  2. jvm-memory.options
  3. run.properties
  4. log4j2.xml

Answer(s): C

Explanation:

PingAccess retains backup archives of its configuration in the data/archive directory. The number of retained backups is controlled in the run.properties file.
Exact Extract:
"The number of configuration backups retained in the data/archive directory is controlled by the archive.maxCount property in run.properties."
Option A (log4j2.db.properties) is incorrect; this file controls database logging, not archive retention. Option B (jvm-memory.options) is incorrect; this file sets JVM heap and memory arguments. Option C (run.properties) is correct -- it contains system-level settings including archive.maxCount. Option D (log4j2.xml) is incorrect; this file configures log appenders and levels, not archive backups.


Reference:

PingAccess Administration Guide ­ Configuration Backup Management



Which two options can be changed in the run.properties file? (Choose 2 answers.)

  1. Default logs location
  2. URL for heartbeat endpoint
  3. Operational mode for PingAccess
  4. X-Frame-Options header
  5. Logging levels

Answer(s): C,E

Explanation:

The run.properties file in PingAccess is the primary configuration file that defines system-level runtime behavior. According to PingAccess documentation:
Exact Extract:
"The run.properties file contains configuration properties for PingAccess, including operational mode, logging levels, admin authentication fallback, cluster settings, and system defaults." (PingAccess Administrator's Guide ­ run.properties Reference) From this, we can determine:
C . Operational mode for PingAccess Correct
The property pa.operational.mode in run.properties defines whether the node operates as STANDALONE, CLUSTERED_CONSOLE, CLUSTERED_CONSOLE_REPLICA, or CLUSTERED_ENGINE. This is one of the core configurable options.

E . Logging levels Correct
Properties such as log.level and other logging configurations are explicitly defined in run.properties, allowing administrators to adjust the verbosity of logs (DEBUG, INFO, WARN, ERROR).

Why the others are incorrect:
A . Default logs location Incorrect
The log file path is not controlled via run.properties. It is defined in log4j2.xml, not in run.properties.
B . URL for heartbeat endpoint Incorrect
The heartbeat endpoint (/pa/heartbeat.ping) is a fixed system endpoint and is not configurable in run.properties.
D . X-Frame-Options header Incorrect
Security headers like X-Frame-Options are managed under application security policies or global response headers, not in run.properties.


Reference:

PingAccess Administrator's Guide ­ run.properties Reference (section describing pa.operational.mode and logging configuration properties).



An administrator needs to support SLO (Single Logout) for a protected web application.
What must be configured in a PingAccess Web Session in this situation?

  1. SLO scope
  2. Idle timeout
  3. Validate Session
  4. Refresh User Attributes

Answer(s): A

Explanation:

To enable Single Logout (SLO), the SLO scope must be defined in the PingAccess Web Session configuration. This determines which sessions are ended when a logout request occurs.
Exact Extract:

"The SLO scope option in a web session specifies which applications are included in a logout event when Single Logout is triggered."
Option A (SLO scope) is correct; it explicitly enables SLO support by linking session termination across apps.
Option B (Idle timeout) is unrelated; this controls session expiration, not SLO. Option C (Validate Session) ensures session state is synchronized but does not configure SLO. Option D (Refresh User Attributes) is unrelated; it only controls whether attributes are reloaded.


Reference:

PingAccess Administration Guide ­ Configuring Web Sessions



Viewing page 5 of 15
Viewing questions 21 - 25 out of 70 questions



Post your Comments and Discuss Ping Identity PAP-001 exam prep with other Community members:

Join the PAP-001 Discussion