Ping Identity PT-AM-CPE Exam Questions
Certified Professional - PingAM (Page 4)

Updated On: 27-Feb-2026

What are the possible outcomes of the Push Result Verifier node?

  1. Success, Failure, Waiting, Retry
  2. Success, Failure, Expired, Retry
  3. Success, Failure, Expired, Waiting
  4. Success, Failure, Expired, Waiting, Retry

Answer(s): C

Explanation:

The Push Result Verifier node is a core component of the "MFA: Push Authentication" journey in PingAM 8.0.2. Its primary function is to check the status of a push notification that was previously dispatched to a user's mobile device (usually via the Push Sender node). According to the "Authentication Node Reference" for version 8.0.2, the node evaluates the state of the push request and yields exactly four distinct outcomes:

Success: This path is followed if the user has actively approved the push notification on their registered device using the ForgeRock/Ping Authenticator app.

Failure: This path is taken if the user explicitly denies or rejects the push notification on their device, indicating a potential unauthorized login attempt.

Expired: This outcome occurs if the notification reaches its "Message Timeout" limit (defined in the Push Sender node) without any response from the user. In standard trees, this path often loops back to allow the user to try a different MFA method or resend the push.

Waiting: This outcome is triggered if a response has not yet been received but the timeout has not yet been reached. It is used in conjunction with a Push Wait or polling mechanism to create "check-and-loop" logic until a final result (Success, Failure, or Expired) is determined.

The Retry outcome (mentioned in other options) is notably absent from this specific node's metadata. While a "Retry" might be implemented in the overall tree logic (for example, by using a Retry Limit Decision node after an Expired outcome), the Push Result Verifier node itself only reports the state of the specific push transaction it is tracking. Understanding these four discrete states is vital for designing resilient authentication journeys that handle user delays or network issues gracefully.



In a default PingAM configuration, what type of keystore stores the secret ID named storepass, which contains the encrypted password of the default-keystore secret store?

  1. Keystore secret store
  2. Environment and system property secret store
  3. Filesystem secret store
  4. Hardware Security Module secret store

Answer(s): C

Explanation:

In PingAM 8.0.2, the management of sensitive data such as passwords and cryptographic keys is handled through a unified Secret Store framework. This framework abstracts the source of the secret from the component that consumes it using Secret IDs. One of the most critical secret IDs in a standard installation is storepass.
The storepass secret ID is specifically used by the default-keystore (which is typically a "Keystore secret store" pointing to keystore.jks or keystore.p12). Before AM can access the keys within the default-keystore to sign tokens or encrypt data, it must first unlock the keystore itself using the password mapped to the storepass secret ID.
According to the PingAM "Secrets, certificates, and keys" documentation, in a default file-based configuration, PingAM initializes a Filesystem secret store as its primary global store. This store is configured to look into a specific directory within the AM configuration path (usually .../openam/secrets/). Inside this directory, AM expects to find files named after the secret IDs they contain. For the storepass ID, there is typically a corresponding file (such as storepass or .storepass) containing the cleartext or encrypted password required to open the primary keystore.
While AM can be configured to use an Environment and system property secret store (Option B) for high-portability cloud deployments, the "out-of-the-box" default behavior during a standard installation relies on the filesystem. Option A is incorrect because the storepass is the key to the keystore, not a secret inside it, and Option D refers to specialized hardware integrations not used in a default software-only setup. Therefore, the Filesystem secret store is the correct technical answer for the default location of the storepass.



The Core Token Service (CTS) can be used for storing which of the following?

  1. Configuration
  2. Users
  3. Kerberos tokens
  4. OAuth2 tokens

Answer(s): D

Explanation:

The Core Token Service (CTS) is a high-performance persistence layer in PingAM 8.0.2 designed to store short-lived, stateful data. Unlike the Configuration Store (which holds static system settings) or the Identity Store (which holds user profiles), the CTS is optimized for "token-like" data that is frequently created, updated, and deleted.
According to the "Core Token Service (CTS) Overview" in the PingAM 8.0.2 documentation, the primary purpose of the CTS is to provide a centralized repository for:
Session Tokens: For server-side sessions, the session state is stored in the CTS.

OAuth 2.0 Tokens: This includes Access Tokens, Refresh Tokens, and Authorization Codes. When an OAuth2 client requests a token, AM generates it and, if configured for server-side storage, persists it in the CTS so that any node in an AM cluster can validate it.

SAML 2.0 Tokens: Used for tracking assertions and managing Single Logout (SLO) states.

UMA (User-Managed Access) Labels and Resources: Various state information for the UMA protocol.

The documentation explicitly clarifies that the CTS is not a general-purpose database. Configuration (Option A) is strictly stored in the Configuration Data Store (usually a dedicated PingDS instance). Users (Option B) are stored in an Identity Store such as Active Directory or PingDS. Kerberos tokens (Option C) are part of a challenge-response handshake that is typically handled at the protocol layer and not stored as persistent records in the CTS. Therefore, OAuth2 tokens are the definitive type of data managed by the CTS among the choices provided. Utilizing the CTS for OAuth2 tokens is a prerequisite for supporting features like token revocation and refresh token persistence across multiple AM instances in a high-availability deployment.



A non-authenticated user requests a resource protected by PingGateway or a Web Agent. Put the following events of the authentication lifecycle in chronological order:
  1. User answers the "questions asked" (callbacks) by PingAM.
  2. User tries to access a resource protected by PingGateway or a Web Agent.
  3. Session reaches a timeout value or user logs out.
  4. PingGateway or the Web Agent validates the session.
  5. User is redirected to the authentication user interface of PingAM.
  6. User is redirected to the resource.

  1. 2-1-4-3-5-6
  2. 2-5-1-6-4-3
  3. 2-5-1-6-3-4
  4. 2-1-5-6-4-3

Answer(s): B

Explanation:

The authentication lifecycle in a Ping Identity environment follows a strict sequence to ensure that only authorized users can access protected resources. This process is governed by the interaction between a Policy Enforcement Point (PEP), such as a Web Agent or PingGateway, and the Policy Decision Point (PDP), which is PingAM.
Following the chronological flow according to the PingAM 8.0.2 "Introduction to Authentication" and "Web Agent User Guide":
Step 2: The process begins when an unauthenticated user attempts to access a protected URL.

Step 5: The Agent/PingGateway intercepts the request, detects the absence of a valid session cookie, and redirects the user to the PingAM login URL (the UI).

Step 1: The user interacts with the AM UI, providing the necessary credentials or answering the "callbacks" (username, password, MFA) defined in the authentication tree.

Step 6: Upon successful authentication, PingAM issues a session token and redirects the user back to the original resource they were trying to access.

Step 4: The Agent/PingGateway receives the request again, but this time it contains a session token. The agent then validates the session with PingAM to ensure it is still active and possesses the correct permissions.

Step 3: Finally, the lifecycle ends when the session expires due to inactivity (Idle Timeout), reaches its Max Session Time, or the user explicitly logs out.
Sequence 2-5-1-6-4-3 (Option B) accurately captures this "Round-Trip" nature of modern web authentication. Options A and D are incorrect because they place the callback interaction before the initial redirect or the resource access. Option C is incorrect because it suggests the session reaches a timeout before the agent has a chance to validate the session for the current request.



Which statement does not reflect best practice when configuring a PingAM cluster for secure communication with external servers?

  1. Create the new truststore as a copy of the JVM container truststore to isolate the PingAM truststore from changes to the JVM container's truststore when the JVM container's truststore is updated
  2. Create a new truststore with the certificates needed in the environment, and configure the container to use it
  3. Create a new truststore using a copy of the JVM container truststore and add the PingDS instances certificates to the new truststore
  4. Don't add PingDS instances certificates to the JVM container truststore

Answer(s): A

Explanation:

When configuring secure communication (LDAPS, HTTPS) in PingAM 8.0.2, managing the Truststore is a critical security task. The truststore contains the public certificates (trust anchors) of the servers PingAM needs to communicate with, such as PingDS or external Identity Providers. The PingAM "Secure Network Communication" documentation outlines several best practices:
Avoid Modifying the JVM Truststore: One should not add internal certificates (like those for PingDS) to the default JVM cacerts file (Option D is a best practice). This prevents pollution of the system-wide Java environment.

Use a Dedicated Truststore: Creating a fresh, minimal truststore containing only the necessary certificates (Options B and C) ensures a "least privilege" approach to trust.

Why Statement A is NOT a best practice: Statement A suggests that you should copy the JVM truststore in order to isolate it from changes made to the JVM container's truststore. In a production security context, this is a dangerous anti-pattern. The JVM's default truststore (e.g., cacerts) is frequently updated by Java maintainers and OS vendors to include new Root CAs and, more importantly, to remove compromised or untrustworthy CAs. By making a static copy to "isolate" AM from these updates, an administrator inadvertently keeps obsolete or insecure certificates in AM's trust list while missing the security updates provided by the platform. Best practice dictates that AM should point to a truststore that is intentionally managed. If isolation is needed, it should be achieved by creating a new store for internal certificates and potentially using the -Djavax.net.ssl.trustStore property to manage the hierarchy, rather than cloning the system-wide CA bundle to avoid "changes." Therefore, Option A is the correct answer, as it describes a maintenance and security risk.


