SelfTestEngine.C _135,Q&A

Transcription

1 SelfTestEngine.C _135,Q&A Number: C Passing Score: 800 Time Limit: 120 min File Version: This VCE has a lot of questions where all answers are up-to-date. The material is well organized and well presented in this VCE. I have uploaded new file in which i have corrected all wrong answers Pretty much all the questions we study that no answer in doubt. The questions in the dump are fantastic, the test will take different versions of the questions and display the answers differently.

2 Exam A QUESTION 1 What is required to use an IBM Tivoli Director/ Integrator (TDI) AssemblyLine as an IBM Tivoli Federated Identity Manager (TFIM) mapping function? A. The TDI api.remote.on property for the solution must be set to True. B. The TDI api.remote.on property for the solution must be set to False. C. The TDI solution directory must be located under the TFIM TDI Mapping directory. D. The DirectoryIntegratorSTSModule.jar file needs to be copied to the TDI solutions directory. Correct Answer: A /Reference: QUESTION 2 A customer would like to give third-party applications scoped access to a protected resource on behalf of the resource owner. What is the appropriate protocol? A. SAML B. OAuth C. Liberty D. WS-Federation /Reference: QUESTION 3 What is a registry configuration requirement when used with IBM Tivoli Federated Identity Manager V6.2.2 User Self Care (USC)? A. IBM WebSphere Application Server (WAS) federated repositories must be used. B. WAS federated repositories cannot be used. C. The USC schema extensions must be applied to the managed registry.

3 D. The managed registry must support WS-Provisioning extensions, and the extensions must be enabled. Correct Answer: A /Reference: QUESTION 4 SAML responses passed to destination sites via Browser/POST utilize which form of encoding? A. ROT13 B. Base64 C. urlencode D. uuencode /Reference: QUESTION 5 In reviewing a IBM WebSphere Application Server IBM Tivoli Federated Identity Manager V6.2.2 diagnostic trace, which object type should be examined to determine how successive processing steps act upon the transaction information? A. STSUniversalUser (STSUU) B. SPSUniversalUser (SPSUU) C. SPSUniversalCredential(SPSUC)

4 D. SSOCommonCredential(SSOCC) Correct Answer: A /Reference: QUESTION 6 What is a claim relative to security tokens? A. Within a security token, it is a statement which establishes that the token was issued by a trusted party. B. Within a security token, it is a statement which asserts policy governance for a resource such as an application, service endpoint, or other capability. C. Within a security token, it is a statement which provides information about a resource such as a user identity, an entitlement, an attribute, capability, etc. D. Within a security token, it is a statement which establishes ownership of or access to a resource such as an application, service endpoint, or other capability. Correct Answer: C /Reference: QUESTION 7 What is a correct statement regarding OpenID? A. It supports a consumer-agnostic Federated Single Sign-On (FSSO) model that allows a relying party to control which OpenID provider(s) it is willing to trust. B. It supports a user-centric FSSO model that allows a relying party to control which OpenID provider(s) it is willing to trust C. It supports a user-centric FSSO model that allows an OpenID provider to select which relying parties to trust without creating a formal trust relationship in advance (such as is done with SAML). D. It supports a provider-agnostic FSSO model that allows an OpenID provider to select which relying parties to trust without creating a formal trust relationship in advance (such as is done with SAML). /Reference:

5 answer is corrected. QUESTION 8 When installing IBM Tivoli Federated Identity Manager V6.2.2, which three point of contact configuration options are available? (Choose three.) A. JBoss Application Server B. generic point of contact server C. Internet Information Services (IIS) D. Apache Tomcat Application Server E. IBM WebSphere Application Server F. IBM Tivoli Access Manager WebSEAL EF /Reference: QUESTION 9 Users of a SAML Single Sign-On federation that was previously operating properly are now experiencing errors. The administrators of both partners insist that no configuration changes have been made. What are two obvious items to check? (Choose two.) A. The validity period in a partner certificate may have been reset. B. The subject attribute in a partner certificate may have become invalid. C. The NotBefore/NotAfter window in a partner certificate may have been exceeded. D. The partner system clocks may have fallen out of sync beyond the NotBefore/NotOnOrAfter window. E. The partner system clocks may have fallen out of sync beyond the allowable 30 second SAML tolerance Correct Answer: CD /Reference: QUESTION 10 What is correct regarding cookies received from a browser?

6 A. The browser determines which cookies to send and includes only the cookie names and values in the request. B. The browser determines which cookies to send and includes only the cookie names, values, and expiration times in the request. C. The browser determines which cookies are eligible to send, and then if a Cookies-Requested header is in the previous response from the server, only cookies named in the Cookies-Requested value will be sent. Only the cookie names and values are included in the request. D. The browser determines which cookies are eligible to send, and then if a Cookies-Requested header is in the previous response from the server, only cookies named in the Cookies-Requested value will be sent. Only the cookie names, values, and expiration times are included in the request. Correct Answer: A /Reference: QUESTION 11 Which WS-Trust binding issues new tokens, possibly with new proof information, based upon a proven credential provided in a request in a SOAP message? A. Issue B. Create C. Renew D. Generate Correct Answer: A /Reference: : QUESTION 12 Assume IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) is installed in a clustered IBM WebSphere Application Server (WAS) environment. What is a concern with WAS TFIM runtime diagnostic trace analysis for Federated Single Sign-On (FSSO)? A. The Common Audit Service component must be installed. B. First Failure Data Capture timestamps may not be synchronized across cluster nodes. C. SAML 2.0 artifact bindings and OpenID may cause diagnostic trace messages for a given FSSO transaction to span trace logs on multiple cluster nodes. D. SAML 1.1 Browser/POST profile transactions may cause diagnostic trace messages for a given FSSO transaction to span trace logs on multiple cluster nodes. Correct Answer: C

7 /Reference: : QUESTION 13 What is an OpenID association? A. a negotiated connection between provider and consumer B. a required linkage between the claimed identifier and stateless user site C. an optional URL/XRI string provided by the user established with the external site D. a shared secret between a relying party and OpenID provider used to verify protocol messages and reduce round trips /Reference: : QUESTION 14 What is the cryptographic requirement when configuring IBM Tivoli Federated Identity Manager V6.2.2 for Information Card support? A. Information Card uses SHA-384 hashes. This means that the Java security file java.security must be edited to include the option sha.options = SHA2, 384. B. The encryption used by Information Card is AES/CBC with PKCS5Padding.This means that the Java security file java.security must be edited to include the option aes.options=cbc, pkcss Pad. C. The encryption used by Information Card is DESede/ECB with PKCS5Padding. This means that the Java security file java.security must be edited to include the option des.options=ede, pkcss Pad. D. The encryption algorithms used by Information Card require strong cryptographic library support. This means that a replacement is needed for the default Java security files local_policy.jar and US_export_policyjar. /Reference: :

8 QUESTION 15 A SAML 1.1 identity provider federation has been created in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) and a service provider partner from XYZZY Corporation must be added. The partner includes the following information: Provider ID: XYZZY SAML SP Assertion Consumer Service (ACS) Endpoint: Which statement is correct regarding these values? A. These values may be used directly in the TFIM partner configuration. B. Because Provider IDs must be domain names, the partner must supply a Provider ID value of sp.xyzzycorp.com. C. Because Provider IDs must be single word identifiers, the partner must supply a different value which meets this requirement. D. Because Provider IDs must be URLs, the partner must supply a Provider ID value which matches the context root of the Assertion Consumer Service endpoint. Correct Answer: A /Reference: answer is valid. QUESTION 16 The IBM Tivoli Federated Identity Manager V6.2.2 provisioning service supports which WS- Provisioning operations? A. notify, subscribe, unsubscribe B. provision, deprovision, cancelrequest C. createaccount, restoreaccount,deleteaccount D. requestaccount,deprovisionaccount, changepassword /Reference: : QUESTION 17 A corporate intranet supports single sign-on (SSO) for internally facing Web applications accessed by employees. The company also has an external facing product support site used by customers, business partners, and company employees. Employee IDs are maintained in a user registry which is separate from the user registry for the support site. To use the support site, employees must register in the same manner other users do.

9 The customer has chosen to use IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) to provide SSO for employees between the intranet and the external facing support site so that an intranet SSO login can be leveraged for support site access. How can this capability be provided? A. SAML 2.0 using persistent Name Identifiers can be used along with the TFIM Name Identifier Linking Service to link intranet and support accounts for employees. The intranet TFIM can be configured as an identity provider (IdP) in a SAML 2.0 federation, and the support site TFIM can be configured as a SAML 2.0 service provider (SP). B. SAML 2.0 using persistent Name Identifiers and Name Identifier Management can be used along with the TFIM alias service to link intranet and support accounts for employees. The intranet TFIM can be configured as an IdP in a SAML 2.0 federation, and the support site TFIM can be configured as a SAML 2.0 SP. C. SAML 1.1 using persistent Name Identifiers and Name Identifier Management can be used along with the TFIM alias service to link intranet and support accounts for employees. The intranet TFIM can be configured as an IdP in a SAML 1.1 federation, and the support site TFIM can be configured as a SAML 1.1 SP. D. SAML 2.0 using persistent Consent Identifiers and Name Identifier Management can be used along with the TFIM alias service to link intranet and support accounts for employees. The intranet TFIM can be configured as an IdP in a SAML 2.0 federation, and the support site TFIM can be configured as a SAML 2.0 SP. /Reference: : QUESTION 18 Using IBM Tivoli Federated Identity Manager V6.2.2 as an OpenID provider (OP), an error is being reported indicating that a required attribute is missing. What might be the problem? A. The relying party (RP) may have not included the attribute in the encoded attribute request object sent to the OP AX endpoint, and it was not included in the response. B. The OP may have not supplied a value for the attribute in the encoded attribute response list sent to the RP attribute exchange (AX) endpoint. C. A required attribute may have been solicited via Simple Registration (SREG) in the initial request POSTed to the OP login endpoint, and the OP mapping rule/ function did not supply a value. D. A required attribute may have been solicited via SREG in the initial request POSTed to the RP login endpoint, and the OP mapping rule/function did not supply a value.

10 /Reference: : QUESTION 19 Which mechanism does IBM Tivoli Federated Identity Manager V6.2.2 provide for supporting configuration of a custom module? A. Java Properties class B. User Interface using GUIXML C. XSLT-based configuration file D. Java Class Loader abstraction /Reference: : QUESTION 20 Which IBM Tivoli Access Manager for e-business component is always required when deploying WebSEAL as an IBM Tivoli Federated Identity Manager V6.2.2 point of contact? A. NetSEAL B. Policy Server (pdmgrd) C. Web Portal Manager (wpm) D. Authorization Server (pdacld) /Reference: : QUESTION 21 A partner, in the context of Federated Single Sign-On, is a participating entity in a federated relationship which operates in the role of what? A. a Trusted Provider B. a Service Provider (SP)

11 C. the Identity Provider (IdP) D. either an IdP or a SP /Reference: : QUESTION 22 With regard to the SAML standards, which statement describes an assertion? A. A piece of data produced by a SAML authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorization permissions applying to the subject with respect to a specified resource. B. A signed and encrypted token produced by a SAML authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorization permissions applying to the subject with respect to a specified resource. C. A SOAP message containing an artifact produced by a SAML authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorization permissions applying to the subject with respect to a specified resource. D. A SOAP message containing an artifact produced by a SAML identity provider regarding either an act of authentication performed on a user, attribute information about the user, or authorization permissions applying to the user with respect to a specified application. Correct Answer: A /Reference: : QUESTION 23 Which two deployment scenarios are supported by Web Services Security Management? (Choose two.)

12 A. surrogation B. authorization C. validation of token types D. conversion of token types E. authentication and authorization E /Reference: : QUESTION 24 WebSEAL is used as the Single Sign-On point of contact for an IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) SAML 1.1 identity provider (IdP) configuration using Browser/Artifact with the service provider (SP). What is the action order in an IBM WebSphere Application Server diagnostic trace of the TFIM IdP when an inter-site transfer service request is received? 1. Run the SAML token creation Security Token Service (STS) module to produce the assertion. 2. Generate the artifact. 3. Run the appropriate mapping function for the federation partnership against the STS Universal User (STSUU) object. 4. Redirect the user to the SP Attribute Retrieval Service. A. 3, 1, 4, 2 B. 2, 1, 3, 4 C. 3, 1, 2, 4 D. 2, 3, 1, 4 Correct Answer: C /Reference: : QUESTION 25 What are the four core elements defined by the SAML 1.1 and SAML 2.0 standards? A. assertions, bindings, profiles, protocols

13 B. assertions, subjects, profiles, protocols C. assertions, bindings, attributes, protocols D. subjects, attributes, protocols, authentication responses Correct Answer: A /Reference: : QUESTION 26 Which IBM WebSphere Application Server (WAS) security properties must be configured so WAS can be used as an IBM Tivoli Federated Identity Manager V6.2.2 point of contact? A. Application and container security are enabled B. Application and JEE/J2EE security are enabled; Single Sign-On (SSO) is disabled C. Server and cluster security are enabled; SSO (LTPA Token) are enabled D. Application and administration security are enabled; SSO (LTPA Cookie) is enabled /Reference: : QUESTION 27 Which component(s) of IBM Tivoli Federated Identity Manager V6.2.2 are compliant with the WS- Trust standard? A. Secure Token Service (STS) B. STS, Security Token Service Universal User (STSUU) C. STS, WS-Trust Web Service Description Language (WSDL) D. STS, WS-Trust WSDL, STSUU Correct Answer: A

14 /Reference: : QUESTION 28 Which component is included with IBM Tivoli Federated Identity Manager V6.2.2 for auditing data? A. QRadar B. IBM Cognos Server C. Common Audit Service D. Common Event Service Correct Answer: C /Reference: : QUESTION 29 When performing an IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) deployment operation after creating a domain, this error is seen: FBTCON137E: An error occurred during the deployment operation. What is a possible cause of this error message and what action should be taken to address it? A. This message is a generic description of any deployment failure and can be received even when the operation is successful but the operation took longer than the specified SOAP request timeout value.to validate the deployment, perform these steps:1. Close the Runtime Node Management panel.2. Open the Runtime Node Management panel.if the TFIM Runtime shows as deployed with a check mark in the status column proceed to configuring the Runtime. B. This message is a generic description of any deployment failure and can be received even when the operation is successful but the operation took longer than the specified JSON-RPC request timeout value.to validate the deployment, perform these steps:1. Close the Runtime Node Management panel.2. Open the Runtime Node Management panel.if the TFIM Runtime shows as deployed with a check mark in the status column proceed to configuring the Runtime. C. This message is related to the domain being created before the TFIM Runtime was configured.to correct, perform these steps:1. Close the Runtime Node Management panel.2. Configure the Runtime.3. Open the Runtime Node Management panel.4. Perform the Deploy operation again. D. This message is related to the domain being created before the TFIM Management Service was started.to correct, perform these steps:1. Close the Runtime Node Management panel.2. Start the Management Service.3. Open the Runtime Node Management panel.4. Perform the Deploy operation again. Correct Answer: A

15 /Reference: : QUESTION 30 Which additional configuration step must be done after creating a federation when using WebSEAL as the point of contact? A. Run the wsconfig utility. This creates a WebSEAL virtual host junction to the federation endpoint and updates IBM Tivoli Access Manager (TAM) ACLs against federation endpoints. B. Run the tfimcfg utility. This updates the WebSEAL configuration to support the specific federation being created, and it updates TAM ACLs against federation endpoints. C. Run the wsconfig utility. This creates a WebSEAL transparent junction to the federation endpoint, adds an EAI trigger to the WebSEAL configuration to support the specific federation being created, and updates TAM ACLs against federation endpoints. D. Run the tfimcfg utility. This creates a WebSEAL transparent path junction to the federation endpoint, adds an EAI trigger to the WebSEAL configuration to support the specific federation being created, and updates TAM ACLs against federation endpoints. /Reference: : QUESTION 31 Consider this HTTP protocol response: HTTP/ Found Location: How will the browser respond? A. The browser will issue an HTTP PUT to the URL specified by Location. B. The browser will issue an HTTP GET to the URL specified by Location. C. The browser will issue an HTTP POST to the URL specified by Location. D. The browser will open a new window containing the content specified by Location.

16 /Reference: : QUESTION 32 What is an XSLT template? A. It is a defined set of XSL rules executed against a collection of relational elements based on a pattern match, and may be called by other templates, which may pass input parameters by name. B. It is a defined set of XSL rules executed against a collection of tree structured nodes in the input based on a pattern match, and maybe called by other templates, which may pass input parameters by name. C. It is a defined set of XSL rules executed against a serialized list of input elements based on a pattern match, and may be called by other templates. Input parameters are passed by inference rather than explicitly. D. It is a defined set of XSL rules executed against a collection of tree structured nodes based on a pattern match, and may be called by other templates. Input parameters are passed by inference rather than explicitly. /Reference: : QUESTION 33 The Web Services Security Management component will be added to an existing IBM Tivoli Federated Identity Manager installation using WebSEAL as a point of contact for Federated Single Sign-On. What other additional components are also required? A. IBM HTTP Server must be installed. B. No other additional components are required. C. IBM Tivoli Identity Manager must be installed. D. IBM WebSphere Application Server network deployment version must be installed. /Reference: : QUESTION 34

17 What are the roles defined by OAuth 2.0? A. Client application, resource owner, resource server B. User, client application, resource owner, resource server C. User, resource owner, resource server, authorization server D. Client application, resource owner, resource server, authorization server /Reference: answer is modified. QUESTION 35 Which two configuration types are available for use with the Alias Service? (Choose two.) A. XML B. LDAP C. Active Directory D. JDBC provider and data source E. ODBC provider and data source D /Reference: : QUESTION 36 Using a browser traffic capture tool, a capture of the HTTP interactions between Internet Explorer and a federation endpoint was recorded. The IBM Tivoli Federated Identity Manager V6.2.2 deployment was configured with WebSEAL as the point of contact server. When looking through the trace, which cookie indicates that a session has been established with IBM Tivoli Access Manager? A. JSESSIONID B. PD-ID-SESSION C. PD-S-SESSION-ID

18 D. AMWEBJCT-SESSION Correct Answer: C /Reference: : QUESTION 37 When configuring an OpenID Relying Party' federation in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM), the two parameters OPENID. DiscoveredInformationExpirationSeconds and OPENID.skipclaimedIdDiscovery can have a positive performance impact in some scenarios. How are these values configured? A. Values for these two parameters can be set by directly adding them to the runtime custom variables for the TFIM domain. B. Values for these two parameters can be set using the TFIM Management Console OpenID configuration wizard, or via options for the rnanageitfimpartner command. C. Values for these two parameters can be set using the TFIM Management Console OpenID configuration wizard, or via options for the manageitfimfederation command. D. Values for these two parameters can be set by directly editing the Self section for the relying party federation configuration in the file <was_config_root>/itfim/ <tfim_domain>/etc/feds.xml. /Reference: : QUESTION 38 Which statement is true regarding SAML 1.1 Single Sign-On? A. Service provider (SP)-initiated mode is not supported. B. The SP must redirect the user to the identity provider (IdP) in the first step of the protocol flow. C. IdP-initiated flows must use HTTP-POST to return the identity assertion to the SP. D. The IdP must contact the SP through a back channel to send the identity assertion. Correct Answer: A

19 /Reference: : QUESTION 39 When creating a partner for an IBM Tivoli Federated Identity Manager V6.2.2 SAML 2.0 identity provider, the Default Post-Authentication Target URL is the location the user is redirected to under which condition? A. after the partner validates the identity assertion if the partner does not provide a TARGET URL when the Single Sign-On protocol is initiated B. after the partner validates the identity assertion if the partner does not provide a DEFAULT URL when the Single Sign-On protocol is initiated C. after the Identity Provider validates the identity assertion if the partner does not provide a TARGET URL when the Single Sign-On protocol is initiated D. after the Identity Provider authenticates the user and prior to assertion validation if the partner does not provide a TARGET URL when the Single Sign-On protocol is initiated Correct Answer: A /Reference: : QUESTION 40 When configuring a SAML 1.1 partner using Browser/POST, how can the assertion from the IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Identity Provider (IdP) be tested using a browser capture tool (such as Fiddler) to ensure correct values are being sent? A. An HTTP POST can be issued to the Service Provider (SP) login endpoint with the query string parameters IDP_PROVIDER_ID and TARGET. After the HTTP 302 redirect to the IdP, the ROT13 encoded SAML response can be extracted from the HTML form in the HTTP 200 response. After decoding, the SAML response may be examined. B. An HTTP POST can be issued to the SP login endpoint with the query string parameters idp_provider_id and target. After the HTTP 302 redirect to the IdP, the Base64 encoded SAML response can be extracted from the HTML form in the HTTP 200 response. After decoding, the SAML response may be examined. C. An HTTP GET can be issued to the IdP login endpoint with the query string parameters SP_PROVIDER_ID and target. The Base64 encoded SAML response can be extracted from the HTML form in the HTTP 200 response. After decoding, the SAML response may be examined. The SP does not need to be functional or accessible to perform the test. D. An HTTP GET can be issued to the IdP login endpoint with the query string parameters IDP_PROVIDER_ID and target. The Base64 encoded SAML response can be extracted from thehtml form in the HTTP 200 response. After decoding, the SAML response may be examined. The SP does not need to be functional or accessible to perform the test. Correct Answer: C

20 /Reference: : QUESTION 41 Which IBM Tivoli Federated Identity Manager V6.2.2 User Self Care operations are predefined? A. enrollment, user ID reconciliation, captcha B. enrollment, forgotten password, profile management C. forgotten password, role management, profile management D. forgotten password, user ID reconciliation, profile management /Reference: : QUESTION 42 What does this XSL code do? A. Sets the commonname attribute to the value of the Principal name. B. Sets the commonname attribute to the name value that was provided in the SAML assertion. C. Sets the commonname attribute to the name value that was provided by the Secure Token Service. D. Sets the commonname attribute to the value that was retrieved from the IBM Tivoli Access Manager credential attribute service.

21 /Reference: : QUESTION 43 Which IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) configuration step is always required for the Alias Service, assuming SSL is used for the connection to the directory server? A. Selecting port 389 for the directory server port. B. Configuring the directory server trust store with the default TFIM SSL certificate. C. Creating a self-signed certificate and install the certificate on the directory server. D. Selecting the trusted keystore that contains the directory server certificate or CA certificate. /Reference: : QUESTION 44 What are two selection criteria when comparing IBM Tivoli Federated Identity Manager User Self Care and IBM Tivoli Identity Manager User Management? (Choose two.) A. Large Scale versus Small Scale B. Self Managed versus Help Desk Managed C. Identity Approach versus Life-Cycle Approach D. Business to Consumer versus Business to Employees E. Cloud/Software as a Service Environments versus Enterprise Environments E /Reference: :

22 QUESTION 45 What does this XSL code do? A. It sets the AuthenticationMethod attribute to Password for a SAML assertion. B. It sets the AuthenticationMethod attribute to Secure Remote Password for a SAML assertion. C. It sets the AuthenticationMethod attribute to Password for a SAML assertion only if the local user was authenticated with a user ID and password. D. It sets the AuthenticationMethod attribute to Secure Remote Password for a SAML assertion only if the local user was authenticated with a user ID and password. Correct Answer: A /Reference: : QUESTION 46 What is one of the first things to look for in an IBM WebSphere Application Server IBM Tivoli Federated Identity Manager V6.2.2 diagnostic trace? A. Java errors and stack traces located by searching for Java Jang.Error B. mapping rule translation errors located by searching for domap ENTRY C. Java exceptions and stack traces located by searching for Java.lang.Exception D. association mode errors located by searching for Association request final data Correct Answer: C

23 /Reference: : QUESTION 47 Which function(s) are provided when using WebSEAL as a point of contact server? A. WebSEAL is used as a forward proxy for HTTP(S) access to IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) endpoints to provide user authentication, and to manage user sessions for Web Single Sign-On (SSO). B. WebSEAL is used as a reverse proxy for HTTP(S) access to TFIM endpoints,to provide user authentication, and to manage user sessions for Web SSO. C. WebSEAL is used as a forward proxy for HTTP(S) access to TFIM endpoints, to validate IVCred tokens, to provide user authentication, and to manage user sessions for Web SSO. D. WebSEAL is used as a reverse proxy for HTTP(S) access to TFIM endpoints, to validate IVCred tokens, to provide user authentication, and to manage user sessions for Web SSO. /Reference: : QUESTION 48 Which statement is true about the default operation of the IBM Tivoli Federated Identity Manager V6.2.2 User Self Care Enrollment Process? A. It is a one step process. B. Users can request an identity and receive an with their user ID and password. C. Users have unlimited time to complete their enrollment without having to restart the process. D. Users can request an identity and receive a link in an after the identity is validated as unique. /Reference: : QUESTION 49 How are IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Single Sign-On event pages published?

24 A. From the TFIM Management Console, Select Tivoli Federated Identity Manager > Federations. Select the properties screen of the federation for which the event pages are to be updated. Select Event Pages. For the event pages to be updated, update the configuration information as required and Apply. In a WebSphere Application Server cluster TFIM configuration, initiate a full node resynchronization. B. From the TFIM Management Console, Select Tivoli Federated Identity Manager > Federations. Select the properties screen of the federation for which the event pages are to be updated. Select Event Pages. For the event pages to be updated, update the configuration information as required and Apply. Click Publish Pages to publish the changes to the active TFIM configuration. C. From the TFIM Management Console, Select Tivoli Federated Identity Manager > Domain Management > Event Pages. For the event pages to be updated, update the configuration information as required and Apply. Click Publish Pages to publish the changes to the active TFIM configuration. D. From the TFIM Management Console, Select "Tivoli Federated Identity Manager > Domain Management > Event Pages. For the event pages to be updated, update the configuration information as required and Apply. In a WAS cluster TFIM configuration, initiate a full node resynchronization. Correct Answer: C /Reference: : QUESTION 50 What is a function of IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) User Self Care? A. It links user accounts between partners. B. It provides an identity feed to WS-Provisioning. C. It provisions users to IBM Tivoli Identity Manager. D. It manages users in the IBM WebSphere Application Server user registry where TFIM is installed. /Reference: : QUESTION 51 Which WS-Trust binding returns a previously issued token with new expiration semantics? A. Issue

25 B. Renew C. Extend D. Regenerate /Reference: : QUESTION 52 What must be completed first when configuring an IBM Tivoli Federated Identity Manager V6.2.2 Single Sign-On federation partner? A. Metadata files must be exchanged with the partner. B. The federation must be defined before partners can be added. C. The WebSEAL configuration must be updated using the tfimcfg tool. D. The federation must be defined and enabled before partners can be added /Reference: : QUESTION 53 What are forms of redirection? A. browser-side JavaScript, meta-refresh, HTML <v> tag B. server-side via a 3xx HTTP status code, meta-refresh,browser-side JavaScript, HTML <a> tag C. server-side JavaScript, browser-side via a 3xx HTTP status code, meta-refresh. HTML <a>.tag D. server-side via a 3xx HTTP status code, meta-refresh, browser-side PHP, browser side JavaScript /Reference:

26 : QUESTION 54 A customer has developed an XSLT mapping rule which calls custom Java classes developed in-house. The Java classes have been thoroughly unit tested. The solution is not working correctly, and it is suspected that there is an issue with accessing one or more class methods. What is an appropriate input to the customer regarding the solution? A. The Java class must be packaged as an EJB and installed in an EJB container. B. The Java class must be packaged as an OSGi bundle and installed in an OSGi container. C. IBM only supports calling custom Java classes from XSLT in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) when XSLT version 2.4 or later is used. D. IBM does not support calling custom Java classes from XSLT in TFIM and a custom Java mapping module should be used instead. /Reference: : QUESTION 55 Which type of Single Sign-On protocol exchanges cannot be viewed using a browser traffic capture tool? A. Browser/POST B. Browser/Redirect C. HTTP-Artifact SOAP channel D. SSL encrypted protocol flows Correct Answer: C /Reference: : QUESTION 56 In IBM Tivoli Federated Identity Manager V6.2.2 using SAML V2.0, which name identifier format will trigger the account linking process to store an alias? A. urn:oasis:names:tc:saml:2.0:nameid-format:entity

27 B. urn:oasis:names:tc:saml:2.0:nameid-format:persistent C. urn:oasis:names:tc:saml:1.1:nameid-format:unspecified D. urn:oasis:names:tc:saml:1.1:nameid-format: address /Reference: : QUESTION 57 Which component of IBM WebSphere Application Server (WAS) must have diagnostic trace enabled to capture a diagnostic trace of the IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Management Service in a WAS clustered environment? A. dmgr B. appsrvr C. nodeagent D. the specific application server on which the TFIM runtime is installed (for example, "fimas") Correct Answer: A /Reference: : QUESTION 58 A SAML 2.0 federation has been previously configured and a recent change was made to the configuration to support an additional profile. Errors are now being seen. What is appropriate to check? A. If using a Web server such as IBM HTTP Server as a front-end to IBM WebSphere Application Server (WAS), the WAS plug-in configuration may require updating. B. The source IDs for both partners may require updating. Also, if using a Web server such as IBM HTTP Server as a front-end to WAS, the WAS plug-in configuration may require updating. C. The partners may need to exchange updated metadata. Also, if using WebSEAL as the point of contact, the tfimcfg utility should also have been re-executed to assure the appropriate objects and ACLs are defined. D. The source IDs for both partners may require updating. Also, if using WebSEAL as the point of contact, the tfimcfg utility should also have been re-executed to ensure the appropriate objects and ACLs are defined.

28 Correct Answer: C /Reference: : QUESTION 59 Which files are stored in this IBM WebSphere Application Server configuration directory and contain the federation configuration definitions used by IBM Tivoli Federated Identity Manager V6.2.2? <was_config_root>/itfim/<tfim_domain>/etc/ A. fdef.xml.sts.xml, sps.xml B. fdef.xml.sts.xml, sms.xml C. feds.xml.sts.xml, sps.xml D. feds.xml.sas.xml, sms.xml Correct Answer: C /Reference: : QUESTION 60 A relying party is also known as what? A. an end user B. a service provider C. an asserting party D. an identity provider /Reference:

29 : QUESTION 61 What is valid when using a WebSphere Application Server (WAS) point of contact server with a target application hosted by a separate WAS using lightweight third-party authentication (LTPA) Single Sign- On? A. export LTPA key from WAS point of contact server; import LTPA key to WAS application server B. exchange public/private key pairs between WAS point of contact server and the WAS application server C. export public key of the WAS application server; import public key to trust store of the WAS point of contact server D. export LTPA signer certificate from the WAS application server; import LTPA signer certificate to the WAS point of contact server Correct Answer: A /Reference: : QUESTION 62 Which steps are required to configure a SAML 2.0 service provider partner in an existing SAML 2.0 federation using the IBM Tivoli Federated Identity Manager V6.2.2 Command Line Interface? A. First, a metadata file must be obtained for the partner. Then a response file must be created using the createitfimresponse command, and the file must then be edited to provide the appropriate SAML configuration values. Finally, the manageitfimpartner command is run to create the partner using the edited response file. B. First, a metadata file must be obtained from the partner. Then a response file must be created using the manageitfimpartner command, and the file must then be edited to provide the appropriate SAML configuration values. Finally, the manageitfimpartner command is run again to create the partner using the edited response file. C. First, a metadata file for the federation must be exported and provided to the partner. Then a response file must be created using the manageitfimpartne r command, and the file must then be edited to provide the appropriate SAML configuration values. Finally, the manageitfimpartner command is run again to create the partner using the edited response file. D. A response file must be created using the manageitfimpartner command, and the file must then be edited to provide the appropriate SAML configuration values. Next, the manageitfimpartner command is run again to create the partner using the edited response file. Finally, the exportitfimconfig command is run to export the metadata for the partner configuration, and the file is forwarded to the partner to allow them to complete their configuration. /Reference:

30 : QUESTION 63 The IBM WS-Provisioning specification is related to which OASIS specification? A. WS-Identity B. WS-Account C. Identity Provisioning Markup Language D. Services Provisioning Markup Language /Reference: : QUESTION 64 Which protocols are specified in the SAML 2.0 Core? A. Authorization Request, Identity Request, Password Request B. Service Provider Request, Access Request, Log-on Request C. Access Request, Authentication Request, Termination Request D. Assertion Query and Request, Authentication Request, Single Logout /Reference: : QUESTION 65 Which three HTTP headers may appear in requests? (Choose three.) A. Cookie B. Accept C. Expires D. Location

31 E. Set-Cookie F. Authorization Correct Answer: ABF /Reference: : QUESTION 66 Which provider can be selected when configuring an OAuth partner in IBM Tivoli Federated Identity Manager V6.2.2? A. Service provider B. Client requester C. Identity provider D. No specific partner mode is required /Reference: : QUESTION 67 What is true about the OAuth protocol? A. It is an HTTP-based authorization protocol. B. It is an HTTP-based authentication protocol. C. It is an HTTP-based authentication and authorization protocol. D. It is an HTTP-based authentication, authorization, and auditing protocol. Correct Answer: A /Reference: :

32 QUESTION 68 An OAuth access token is a string that represents authorization granted to the OAuth client by what? A. the OAuth Server B. the Resource Server C. the Resource Owner D. the Authorization Server Correct Answer: C /Reference: : QUESTION 69 How is the user registry configured before IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) can be used for a SAML 1.1 federation with WebSEAL as the point of contact? A. The cn=itfim suffix must be created. B. The schema must be updated with the itfim-secuser.idif file. C. The user registry must be configured for IBM Tivoli Access Manager. D. A SSL connection must be configured from TFIM to the user registry and the server validation certificate added to the trusted keystore. Correct Answer: C /Reference: : QUESTION 70 Which statement is true when using a SAML 1.1 Browser/Artifact profile for Single Sign-On for an identity provider (IdP) and service provider (SP)? A. The IdP returns an artifact value to the SP via HTTP-POST. The SP then accesses the IdP over a SOAP channel and issues a SAML request containing the assertion. The IdP responds with the assertion. B. The IdP returns an artifact value to the SP via an HTTP 302 response. The SP then accesses the IdP over a SOAP channel and issues a SAML request containing the artifact value. The IdP responds with the assertion.

33 C. The SP creates an artifact value which is contained in the SAML authentication request to the IdP. After creating the assertion, the IdP issues a SAML request to the SP via HTTP-POST which contains both the artifact value and the assertion. D. The SP creates an artifact value which is contained in the SAML authentication request to the IdP. After creating the assertion, the IdP issues a SAML request to the SP over a SOAP channel which contains both the artifact value and the assertion. /Reference: : QUESTION 71 Which two statements are correct regarding OpenID discovery? (Choose two.) A. If the identifier is a URL, the Yadis protocol must be attempted first to obtain an XRDS document. B. If the identifier is a URL, HTML-based discovery must be attempted first to obtain an XRDS document. C. If the identifier is an XRI, the OXRI protocol will yield an XRDS document that contains the necessary information. D. HTML-based discovery must be attempted if the Yadis protocol fails and no valid XRDS document is retrieved, or no Service Elements are found in the XRDS document. E. The Yadis protocol must be attempted if the HTML-based discovery fails and no valid XRDS document is retrieved, or no Service Elements are found in the XRDS document. Correct Answer: AD /Reference: : QUESTION 72 IBM Tivoli Federated Identity Manager V6.2.2 supports which three point of contact options for Federated Single Sign-On? (Choose three.) A. Custom B. Apache Tomcat C. SAP NetWeaver D. IBM WebSphere Application Server E. IBM Tivoli Access Manager WebSEAL

34 F. IBM Tivoli Access Manager Authorization Server Correct Answer: ADE /Reference: answer is up-to-date. QUESTION 73 What is the default server port number used by IBM Tivoli Directory Integrator? A B C D Correct Answer: A /Reference: : QUESTION 74 What must be performed before users can access IBM Tivoli Federated Identity Manager V6.2.2 User Self Care? A. change browser configuration settings B. create user accounts within the directory server C. deploy an ActiveX plug-in in the user's browser D. create a User Self Care federation for the managed user registry

35 /Reference: : QUESTION 75 Assume a SAML 2.0 Identity Provider (IdP) Single Sign-On federation is defined in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM), and a Service Provider (SP) is defined as a partner to this federation. Which step is always required? A. The partner must provide a metadata file for their SP configuration which can be imported to define the SP partner to TFIM. B. A metadata file for the IdP configuration must be provided to the partner which can be imported to define the IdP in their configuration. C. The partner must provide a metadata file for their SP configuration to the IdP, and a metadata file for the IdP configuration must be provided to the partner and imported to generate the respective partnering configurations. D. The partner may optionally provide a metadata file for their SP configuration which can be imported to define the SP partner to TFIM. If a metadata file is not provided, the configuration values may be individually entered in the partner creation dialogue. Correct Answer: A /Reference: : QUESTION 76 When configuring WebSEAL as the IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) point of contact with ACLD, how does TFIM in a service provider role create the user credential? A. TFIM uses the the IBM Tivoli Access Manager (TAM) Java Runtime GetAuthnHeaders method to create the appropriate headers and the WebSEAL EAI mechanism to return the headers in the HTTP response. This triggers WebSEAL to create a TAM credential (IVCred) for the user. B. TFIM accesses the authorization server through the TAM Java Runtime to create the appropriate headers and uses the WebSEAL EAI mechanism to return the headers in the HTTP response. This triggers WebSEAL to create a TAM credential (IVCred) for the user. C. TFIM uses the TAM Java Runtime CreatelVCred method to create the TAM credential (IVCred) and uses the WebSEAL EAI mechanism to return the credential by a header in the HTTP response. This triggers WebSEAL to use the provided credential directly for the authenticated user session. D. TFIM accesses the authorization server through the TAM Java Runtime to create the TAM credential (IVCred) and uses the WebSEAL EAI mechanism to return the credential by a header in the HTTP response. This triggers WebSEAL to use the provided credential directly for the authenticated user session.

36 /Reference: : QUESTION 77 Which statement is true regarding an IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Business Gateway installation? A. Only SAML 1.1 federations are supported. B. The OAuthEAS plug-in will be used instead of WebSEAL C. The default registry attribute entitlement service configuration will be used with the standard set of attributes. D. IBM Tivoli Access Manager for e-business must already be installed or it will not be used as the point of contact. /Reference: : QUESTION 78 Using WebSEAL as the identity provider (IdP) point of contact for a SAML 1.1 Single Sign-On federation, a partner is not being prompted to log in and is instead receiving an error response. What is a possible cause of the problem? A. It is likely that the service provider (SP) did not pass the Authenticate=yes parameter in the login request over the SOAP channel. B. It is likely that the SP did not pass the Authenticate=yes parameter in the authn request over the SOAP channel. C. It is likely that the correct ACL is not attached to the login endpoint object. Either the tfimcfg utility may not have been executed for this federation, or the ACL configuration was modified afterwards. D. It is likely that the correct ACL is not attached to the authn endpoint object. Either the tfimcfg utility may not have been executed for this federation, or the ACL configuration was modified afterwards. Correct Answer: C /Reference: :

37 QUESTION 79 Click the Exhibit button. Which three statements are true regarding this SAML 1.1 flow diagram? (Choose three.) A. An artifact is contained in the response in Step 2. B. The assertion is sent with an HTTP 200 response in Step 2. C. The HTTP response in Step 4 must be a 302 redirect based upon the resource requested and the user's authorized access. D. The HTTP response in Step 4 can be anything the destination site chooses based upon the resource requested and the user's authorized access. E. This is a Browser/POST profile, so in Step 3 the assertion is sent to the Assertion Consumer Service endpoint through an HTTP POST of an HTML form. F. This is a Browser/Artifact profile, so the artifact received in Step 2 must be sent to the Artifact Resolution Service in Step 3, and the assertion must be retrieved through a SOAP backchannel in Step 4. DE /Reference: :

38 QUESTION 80 When reviewing an IBM WebSphere Application Server diagnostic trace with all IBM Tivoli Federated Identity Manager V6.2.2 (TRIM) messages enabled, which entries would be searched for to locate the beginning and end of specific TFIM requests? A. dorequest ENTRY, dorequest EXIT B. dorequest INITIAL, dorequest FINAL C. dorequest INITIAL, dorequest RETURN D. dorequest ENTRYy dorequest RETURN /Reference: : QUESTION 81 Which three main types of information taken from the Security Token Service Universal User object will be included in the work object provided as input to an IBM Tivoli Directory Integrator (TDI) assemblyline used as an IBM Tivoli Federated Identity Manager V6.2.2 mapping function? (Choose three.) A. principal B. attribute list C. claims provider D. token target type E. resource requester F. security token request Correct Answer: ABF /Reference: : QUESTION 82 What is mandatory when installing IBM Tivoli Federated Identity Manager V6.2.2 for deployments that use WebSEAL as a point of contact server? A. IBM HTTP Server

39 B. IBM Tivoli Directory Server C. Session Management Server D. IBM Tivoli Access Manager for e-business /Reference: : QUESTION 83 What is the primary processing paradigm used in XSLT? A. Serialization B. Pattern matching C. Recursive descent D. Model-View-Controller (MVC) /Reference: : QUESTION 84 Where does the IBM Tivoli Access Manager (TAM) credential attribute service pass user attributes for use by IBM Tivoli Federated Identity Manager V6.2.2? A. LDAP B. URL query string C. form POST fields D. TAM iv-creds header /Reference:

40 : QUESTION 85 What is a common Single Sign-On event page type which presents a form to a user? A. A request page, such as those used for request attributes in a SAML 2.0 federation or with OpenID. B. A consent page, such as those used for consent to federate in a SAML 2.0 federation or consent to authenticate with OpenID. C. A consent page, such as those used for consent to federate in a SAML 1.1 federation or consent to authenticate with OpenID. D. A consent page, such as those used for consent to federate in a SAML 2.0 federation or consent to authenticate with WS-Federation. /Reference: : QUESTION 86 What is the last step in configuring the IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Audit Service? A. create audit views in the Management Console B. save the configuration and sync all nodes manually C. restart the IBM WebSphere Application Server (WAS) D. distribute the audit configuration files to all WAS cluster members Correct Answer: C /Reference: : QUESTION 87 XSLT begins execution at the template which has a match condition specifying the XSL root context. What is an example of such a template definition? A. <xsl:template match="/"> B. <xsl:template select-"/"> C. <xsl:template match-'@root">