What should be configured in PingAM if you are using an LDAP directory service that does not support persistent search?
Correct Answer: D
Persistent Search is an LDAP control that allows a client (like PingAM) to receive real-time notifications from the Directory Server (like PingDS) whenever a user record is modified. PingAM 8.0.2 uses this to maintain its User Data Cache. According to the "Identity Store Configuration" and "Tuning AM" documentation: When persistent search is supported, PingAM caches user profile data in memory to speed up authentication and authorization decisions. When a change happens in the LDAP store, the directory server "pushes" the update to AM via the persistent search connection, and AM updates its cache immediately. If the LDAP directory does not support persistent search (common in some legacy or highly restricted environments): Cache Inconsistency: If caching were enabled, PingAM would not know when a user's attribute (like a group membership) had changed in the back-end. The cache would become "stale," leading to incorrect authorization decisions. Required Configuration: The administrator must Disable user data caching to ensure that every request results in a direct query to the LDAP server, ensuring "Read-through" accuracy. Performance Impact: Disabling the cache has a negative impact on performance (Option D) because every policy evaluation or session check now requires a synchronous network round-trip to the LDAP server, increasing latency and putting higher CPU/IO load on the directory. Therefore, for directories lacking persistent search, disabling the cache is necessary for data integrity but comes at a significant performance cost.
PT-AM-CPE Exam Question 2
Which of the following environment conditions are needed in an authentication policy created as part of the prerequisites for step-up authentication? A) Authentication Level (greater than or equal to) B) Authentication by Service C) Authentication by Module Instance (authentication modules only) D) Authentication to a Realm
Correct Answer: B
To implement Step-up Authentication in PingAM 8.0.2, you typically use Authorization Policies that include "Environment Conditions."14 These conditions check the "quality" of the user's current session. If the session does not meet the specified condition, PingAM generates an Advice, which triggers the step-up process. According to the "Condition Types" reference in the PingAM 8 documentation, the conditions used specifically to evaluate how a user authenticated are: Authentication Level (greater than or equal to): This is the most common condition for step-up. It checks if the session's Auth Level is at least a certain value (e.g., Level 2). If the user only has a Level 1 session, the policy fails and triggers an upgrade. Authentication by Service: This condition checks if the user authenticated using a specific Authentication Tree or Chain (e.g., the user must have used the "SecureBankMFA" tree). Authentication by Module Instance: This is used for legacy deployments where individual modules are used instead of trees. It verifies that the user successfully completed a specific module (e.g., the "DataStore" module). Authentication to a Realm (Option D) is generally not a condition used for step-up authentication. While a policy exists within a realm, the "step-up" logic is focused on the method or level of authentication within that realm, not the fact that they are in the realm itself (which is already a prerequisite for reaching the policy engine). Therefore, the combination of A, B, and C (Option B) represents the specific environment conditions designed to evaluate the authentication context for step-up or "Quality of Service" (QoS) requirements.
PT-AM-CPE Exam Question 3
A user enters their credentials, but is faced with the error message "user requires profile to login". What is a possible cause of this message?
Correct Answer: B
This error message is directly related to the User Profile configuration within a specific realm in PingAM 8.0.2. In the "Core Authentication Attributes" of a realm, PingAM defines how it should handle user identities after they have successfully provided valid credentials through an authentication tree or chain. There are primarily four modes for the User Profile setting: Required: This is often the default. It specifies that after a user successfully authenticates, PingAM must be able to locate a corresponding user entry in the configured Identity Store. If the user exists in the datastore, the session is created. If the user does not exist, authentication fails with the error message "user requires profile to login" (or a similar profile-related exception in the logs). Ignored: In this mode, PingAM issues an SSO session token immediately upon successful credential validation, regardless of whether a user profile exists in the back-end repository. This is useful for temporary or guest access where no permanent record is needed. Dynamic: AM attempts to find the user; if the user is not found, it automatically creates a new profile in the identity store. Dynamic with User Alias: Similar to dynamic creation but supports aliasing. If an administrator sees the "user requires profile to login" error, it confirms that the credentials themselves were technically correct (the user passed the authentication nodes), but the realm is currently in Required mode (it has not been set to Ignore or Dynamic) and no matching entry exists in the identity store. This frequently happens in migration scenarios or when using external identity providers (like Social IDPs) where the "Link" or "Provisioning" step has not been properly configured in the authentication journey. To resolve this, the administrator must either pre-provision the user, set the mode to Ignore, or implement a Create Object node within the authentication tree to handle dynamic provisioning.
PT-AM-CPE Exam Question 4
In order to support rollback in case of a failed PingAM upgrade in a two server PingDS environment, what PingDS safety measure can be configured?
Correct Answer: D
Upgrading PingAM 8.0.2 in an environment with multiple PingDS (Directory Server) instances requires a careful strategy to ensure data integrity and to allow for an immediate Rollback if the upgrade fails or introduces instability.6 According to the PingAM "Plan for Rollback" and "Upgrade in a Replicated Environment" documentation, the recommended safety measure involves isolating one of the data store nodes to act as a "time-capsule" of the pre-upgrade state. The process is as follows: Stop Replication: Before starting the upgrade, administrators should disable or stop replication between the PingDS nodes. This prevents any schema changes or data modifications performed during the AM upgrade from being propagated to the backup node. Isolate a Node: One PingDS instance is shut down or taken out of the load balancer rotation. This instance remains in its original, healthy state. Perform the Upgrade: The PingAM upgrade is performed against the remaining active PingDS instance. If the upgrade involves schema updates (which is common when moving to version 8.0.2), only the active node's data is modified. Rollback Path: If the upgrade fails, the administrator can simply shut down the "corrupted" upgraded environment and restart the isolated PingDS instance along with the original PingAM WAR file. Because replication was stopped, the isolated node still contains the original configuration and user data. Option D is the only answer that correctly identifies this "safety-net" architecture. Option A is risky because a failed upgrade would corrupt both instances. Option C is incomplete because simply "starting up" the shutdown instance after an upgrade doesn't account for how you handle the discrepancy between the upgraded and non-upgraded nodes. The goal is to keep the shutdown instance as a valid, un-touched recovery point.
PT-AM-CPE Exam Question 5
After installing a PingAM instance with the configuration directory path set to /home/forgerock/am, where is the default directory that contains the debug log files?
Correct Answer: D
When PingAM is installed, it creates a specific directory structure within its Configuration Directory (also known as the AM_HOME or .openamcfg pointer target). This structure is standardized across versions to ensure that administrators and automated scripts can locate critical files. According to the PingAM 8.0.2 "File System Reference" and "Debug Logging" documentation: The primary directory for engine-level troubleshooting files (debug logs) is named debug.17 This directory is located immediately within the root of the configuration directory. Therefore, if the configuration path is explicitly set to /home/forgerock/am, the resulting path for debug files will be /home/forgerock/am/debug (Option D). It is important to distinguish between Audit Logs and Debug Logs: Audit Logs: (e.g., access.audit.json) are usually found in the .../openam/log or .../openam/logs directory (making Option A a common distractor). Debug Logs: (e.g., amAuth, amSession, amCore) are strictly stored in the debug directory. The var directory (Options B and C) is a convention used in some ForgeRock "ForgeOps" containerized deployments (like those in Kubernetes) to separate variable data from static config. However, in a standard standalone installation as described in the question, the direct .../debug path is the verified default behavior of the PingAM installation wizard and configurator tool.