When a backend application requires its own authentication (e.g., Basic Auth or mutual TLS), PingAccess uses aSite Authenticatorto inject the necessary credentials.
Exact Extract:
"Site Authenticators provide the credentials PingAccess uses when authenticating to target applications that require their own authentication mechanisms."
* Option A (Token Provider)is incorrect - this is used for OIDC/OAuth tokens, not site-level authentication.
* Option B (Web Session)manages end-user sessions, not backend site authentication.
* Option C (Site Authenticator)is correct - it handles authentication between PingAccess and the backend.
* Option D (Access Control Rule)enforces authorization, not backend authentication.
Reference:PingAccess Administration Guide -Site Authenticators

PingAccess allows administrators to configurecustom error pages or messagesat theRoot Resource levelof an application. This ensures that when rule violations (e.g., authorization failures) occur, the application can display tailored error responses.
Exact Extract:
"Custom error handling for rule violations is configured within the Root Resource of an application."
* Option Ais incorrect - assigning a rule to a resource does not allow defining custom errors.
* Option Bis correct - the Root Resource is where administrators define custom error handling for the entire application.
* Option Cis incorrect - Rule Sets only combine rules; they do not handle error responses.
* Option Dis incorrect - individual rule definitions do not contain custom error configurations.
Reference:PingAccess Administration Guide -Configuring Application Resources and Error Handling

PingAccess supports flexible path matching for resources using wildcards. If the requirement is to matchany path that contains a folder named "escalated", the correct format is:
* */escalated/# matchesany locationof theescalateddirectory within the path.
Exact Extract:
"The asterisk (*) wildcard matches zero or more characters. Use it in resource paths to match folders at any depth."
* Option A (escalated/)only matches when the resource starts with "escalated/" at the root, not at arbitrary depth.
* Option B (*/escalated/)is correct - it matches theescalatedfolder no matter where it occurs.
* Option C (*/escalated/+ )is incorrect -+is not a valid PingAccess wildcard operator.
* *Option D (/escalated/)matches only when the path starts with "escalated" at the first level, not arbitrary positions.
Reference:PingAccess Administration Guide -Resource Path Matching

When applications depend solely onheader-based identity mapping, attackers can attempt to bypass PingAccess by injecting headers directly into requests sent to the backend. To prevent spoofing, PingAccess should be configured to passcryptographically verifiable tokens(e.g.,ID tokens from OIDC) instead of relying on plain headers.
Exact Extract:
"Headers can be spoofed if not protected. Use signed tokens, such as ID tokens or JWTs, to provide strong identity assurance and prevent header injection attacks."
* Option A (Use ID Tokens)is correct - ID tokens are signed and verifiable, preventing spoofing.
* Option B (Add Site Authenticator)protects PingAccess-to-site authentication, not client-to-API spoofing.
* Option C (Require HTTPS)prevents eavesdropping but does not stop header spoofing from inside the network.
* Option D (Use Target Host Header)ensures host header integrity but not user identity.
Reference:PingAccess Administration Guide -Identity Mapping and Security Considerations

The propertyengine.ssl.protocolsinrun.propertiesspecifies the TLS protocol versions that PingAccess engines will support for incoming HTTPS traffic.
Exact Extract:
"Theengine.ssl.protocolsproperty configures which TLS versions are enabled for HTTPS listeners."
* Option A (ciphers)is incorrect - cipher suites are defined separately, not in this property.
* Option B (HTTPS port)is incorrect - the port is defined in the engine listener, not here.
* Option C (TLS versions)is correct - this property controls TLS version support (e.g., TLSv1.2, TLSv1.3).
* Option D (clustering)is incorrect - clustering does not depend on this property.
Reference:PingAccess Administration Guide -run.properties settings