TestKings.C _120,QA

Transcription

1 TestKings.C _120,QA Number: C Passing Score: 800 Time Limit: 120 min File Version: These are the most accurate study questions. Just focus on these and sit in your exam. Many new questions are added, Good for review go ahead and pass the exam now. Got this vce from my friend who passed with 98%, each and every stuff in it. I am sharing with you guys. Nicely written Questions with many corrections inside. All questions ok, many answers are well explained.

2 Exam A QUESTION 1 A customer uses WebSEAL as the point of contact for IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) where IBM Tivoli Access Manager (TAM) is configured to support Federal Information Processing Standards (FIPS). When running the tfimcfg.jar tool this error is received: FBTTAC1161 The SSL handshake failed. Retrying connection with certificate validation disabled What must be done? A. TFIM must be configured for SSL communication. B. FIPS must be enabled on all TFIM WebSphere servers. C. The TAM public certificates must be imported to the WebSphere trust store. D. The tfimcfg.jar tool needs to run with the-sslfactory TLS argument. QUESTION 2 What is a trust service chain in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM)? A. It is a defined set of WS-Trust security tokens, which together form a proof of trust and are organized sequentially in their correct order of precedence. B. It is a defined set of WS-Security trust tokens, which together form a proof of claim and are organized sequentially in their correct order of precedence. C. It is a defined set of individual processing module instances, collectively executed in a specific order, with the interface to and roles for each module conforming to the WS-Trust model. D. It is a defined set of individual processing module instances which are always executed in the specific order required by the authentication flow, with the interface to and roles for each module conforming to the WS-Trust model. QUESTION 3 Which partner vouches for the identity of a user in a Single Sign-On federation? A. Relying party B. Attribute party C. Service provider D. Identity provider QUESTION 4 When configuring WebSEAL as the point of contact for IBM Tivoli Federated Identity Manager V6.2.2 using the WebSEAL No ACLD profile, which configuration requirement(s) are relevant?

3 A. This option must be set: Disable Access Manager (IVCred) credential issuing (requires EAI to be configured). B. This option must be cleared: Enable Access Manager (IVCred) credential issuing (requires PDJRTE to be configured). C. This option must be set: Disable Access Manager (IVCred) credential issuing (requires EAI to be configured); and the no-acid tag value attribute must be defined in the WebSEAL configuration. D. This option must be cleared: Enable Access Manager (IVCred) credential issuing (requires PDJRTE to be configured); and the no-acid tag value attribute must be defined in the WebSEAL configuration. answer is corrected. QUESTION 5 Which statement is true about the IBM Tivoli Federated Identity Manager V6.2.2 Business Gateway? A. Users can use several gateway protocols. B. Users can access external Web services. C. Users can create Federated Single Sign-On partnerships with multiple providers. D. Users cannot create Federated Single Sign-On partnerships with multiple providers. : QUESTION 6 What does SAML stand for? A. System Access Markup Language B. Security Assertion Markup Language C. Server Authenticated Markup Language D. Secure Authentication Markup Language : QUESTION 7 A company wants to establish a Federated Single Sign-On (FSSO) relationship with a partner identity provider to allow partner administrator access. This company provides services for credit card processing. What is the most secure choice for the FSSO protocol?

4 A. OpenID using Associate Mode B. SAML 2.0 using HTTP Redirect/POST bindings, signed response, and signed assertion C. SAML 1.1 using a Browser/POST profile, signed response and assertion, and a narrow assertion validity window of only a few seconds D. SAML 2.0 using an HTTP-Artifact binding, signed response and assertion, an encrypted assertion, and a narrow assertion validity window of only a few seconds : QUESTION 8 Which roles are typically defined in an IBM Tivoli Federated Identity Manager V6.2.2 Single Sign-On federation configuration? A. Relying Party or Service Provider B. Asserting Party or Service Provider C. Identity Provider or Asserting Party D. Identity Provider or Service Provider : QUESTION 9 When is IBM WebSphere Application Server required for IBM Tivoli Federated Identity Manager V6.2.2 (TFIM)? A. It is always required for TFIM. B. When it is used as the point of contact. C. When the Management Console GUI is used. D. When Web Services Security Management is used : QUESTION 10 When installing IBM Tivoli Federated Identity Manager V6.2.2, which three point of contact configuration options are available? (Choose three.) A. JBoss Application Server B. generic point of contact server C. Internet Information Services (IIS) D. Apache Tomcat Application Server E. IBM WebSphere Application Server F. IBM Tivoli Access Manager WebSEAL EF

5 : QUESTION 11 Users of a SAML Single Sign-On federation that was previously operating properly are now experiencing errors. The administrators of both partners insist that no configuration changes have been made. What are two obvious items to check? (Choose two.) A. The validity period in a partner certificate may have been reset. B. The subject attribute in a partner certificate may have become invalid. C. The NotBefore/NotAfter window in a partner certificate may have been exceeded. D. The partner system clocks may have fallen out of sync beyond the NotBefore/NotOnOrAfter window. E. The partner system clocks may have fallen out of sync beyond the allowable 30 second SAML tolerance D : QUESTION 12 What is correct regarding cookies received from a browser? A. The browser determines which cookies to send and includes only the cookie names and values in the request. B. The browser determines which cookies to send and includes only the cookie names, values, and expiration times in the request. C. The browser determines which cookies are eligible to send, and then if a Cookies-Requested header is in the previous response from the server, only cookies named in the Cookies-Requested value will be sent. Only the cookie names and values are included in the request. D. The browser determines which cookies are eligible to send, and then if a Cookies-Requested header is in the previous response from the server, only cookies named in the Cookies-Requested value will be sent. Only the cookie names, values, and expiration times are included in the request. : QUESTION 13 Which WS-Trust binding issues new tokens, possibly with new proof information, based upon a proven credential provided in a request in a SOAP message? A. Issue B. Create C. Renew D. Generate :

6 QUESTION 14 Assume IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) is installed in a clustered IBM WebSphere Application Server (WAS) environment. What is a concern with WAS TFIM runtime diagnostic trace analysis for Federated Single Sign-On (FSSO)? A. The Common Audit Service component must be installed. B. First Failure Data Capture timestamps may not be synchronized across cluster nodes. C. SAML 2.0 artifact bindings and OpenID may cause diagnostic trace messages for a given FSSO transaction to span trace logs on multiple cluster nodes. D. SAML 1.1 Browser/POST profile transactions may cause diagnostic trace messages for a given FSSO transaction to span trace logs on multiple cluster nodes. : QUESTION 15 What is an OpenID association? A. a negotiated connection between provider and consumer B. a required linkage between the claimed identifier and stateless user site C. an optional URL/XRI string provided by the user established with the external site D. a shared secret between a relying party and OpenID provider used to verify protocol messages and reduce round trips : QUESTION 16 What is the cryptographic requirement when configuring IBM Tivoli Federated Identity Manager V6.2.2 for Information Card support? A. Information Card uses SHA-384 hashes. This means that the Java security file java.security must be edited to include the option sha.options = SHA2, 384. B. The encryption used by Information Card is AES/CBC with PKCS5Padding.This means that the Java security file java.security must be edited to include the option aes.options=cbc, pkcss Pad. C. The encryption used by Information Card is DESede/ECB with PKCS5Padding. This means that the Java security file java.security must be edited to include the option des.options=ede, pkcss Pad. D. The encryption algorithms used by Information Card require strong cryptographic library support. This means that a replacement is needed for the default Java security files local_policy.jar and US_export_policyjar. : QUESTION 17 A SAML 1.1 identity provider federation has been created in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) and a service provider partner from XYZZY Corporation must be added. The partner includes the following information:

7 Provider ID: XYZZY SAML SP Assertion Consumer Service (ACS) Endpoint: Which statement is correct regarding these values? A. These values may be used directly in the TFIM partner configuration. B. Because Provider IDs must be domain names, the partner must supply a Provider ID value of sp.xyzzycorp.com. C. Because Provider IDs must be single word identifiers, the partner must supply a different value which meets this requirement. D. Because Provider IDs must be URLs, the partner must supply a Provider ID value which matches the context root of the Assertion Consumer Service endpoint. : QUESTION 18 The IBM Tivoli Federated Identity Manager V6.2.2 provisioning service supports which WS- Provisioning operations? A. notify, subscribe, unsubscribe B. provision, deprovision, cancelrequest C. createaccount, restoreaccount,deleteaccount D. requestaccount,deprovisionaccount, changepassword : QUESTION 19 A corporate intranet supports single sign-on (SSO) for internally facing Web applications accessed by employees. The company also has an external facing product support site used by customers, business partners, and company employees. Employee IDs are maintained in a user registry which is separate from the user registry for the support site. To use the support site, employees must register in the same manner other users do. The customer has chosen to use IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) to provide SSO for employees between the intranet and the external facing support site so that an intranet SSO login can be leveraged for support site access. How can this capability be provided? A. SAML 2.0 using persistent Name Identifiers can be used along with the TFIM Name Identifier Linking Service to link intranet and support accounts for employees. The intranet TFIM can be configured as an identity provider (IdP) in a SAML 2.0 federation, and the support site TFIM can be configured as a SAML 2.0 service provider (SP). B. SAML 2.0 using persistent Name Identifiers and Name Identifier Management can be used along with the TFIM alias service to link intranet and support accounts for employees. The intranet TFIM can be configured as an IdP in a SAML 2.0 federation, and the support site TFIM can be configured as a SAML 2.0 SP. C. SAML 1.1 using persistent Name Identifiers and Name Identifier Management can be used along with the TFIM alias service to link intranet and support accounts for employees. The intranet TFIM can be configured as an IdP in a SAML 1.1 federation, and the support site TFIM can be configured as a SAML 1.1 SP. D. SAML 2.0 using persistent Consent Identifiers and Name Identifier Management can be used along with the TFIM alias service to link intranet and support accounts for employees. The intranet TFIM can be

8 configured as an IdP in a SAML 2.0 federation, and the support site TFIM can be configured as a SAML 2.0 SP. : QUESTION 20 Using IBM Tivoli Federated Identity Manager V6.2.2 as an OpenID provider (OP), an error is being reported indicating that a required attribute is missing. What might be the problem? A. The relying party (RP) may have not included the attribute in the encoded attribute request object sent to the OP AX endpoint, and it was not included in the response. B. The OP may have not supplied a value for the attribute in the encoded attribute response list sent to the RP attribute exchange (AX) endpoint. C. A required attribute may have been solicited via Simple Registration (SREG) in the initial request POSTed to the OP login endpoint, and the OP mapping rule/function did not supply a value. D. A required attribute may have been solicited via SREG in the initial request POSTed to the RP login endpoint, and the OP mapping rule/function did not supply a value. : QUESTION 21 Which mechanism does IBM Tivoli Federated Identity Manager V6.2.2 provide for supporting configuration of a custom module? A. Java Properties class B. User Interface using GUIXML C. XSLT-based configuration file D. Java Class Loader abstraction answer is corrected. QUESTION 22 Which IBM Tivoli Access Manager for e-business component is always required when deploying WebSEAL as an IBM Tivoli Federated Identity Manager V6.2.2 point of contact? A. NetSEAL B. Policy Server (pdmgrd) C. Web Portal Manager (wpm) D. Authorization Server (pdacld)

9 : QUESTION 23 Using a browser traffic capture tool, a capture of the HTTP interactions between Internet Explorer and a federation endpoint was recorded. The IBM Tivoli Federated Identity Manager V6.2.2 deployment was configured with WebSEAL as the point of contact server. When looking through the trace, which cookie indicates that a session has been established with IBM Tivoli Access Manager? A. JSESSIONID B. PD-ID-SESSION C. PD-S-SESSION-ID D. AMWEBJCT-SESSION : QUESTION 24 When configuring an OpenID Relying Party' federation in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM), the two parameters OPENID. DiscoveredInformationExpirationSeconds and OPENID.skipclaimedIdDiscovery can have a positive performance impact in some scenarios. How are these values configured? A. Values for these two parameters can be set by directly adding them to the runtime custom variables for the TFIM domain. B. Values for these two parameters can be set using the TFIM Management Console OpenID configuration wizard, or via options for the rnanageitfimpartner command. C. Values for these two parameters can be set using the TFIM Management Console OpenID configuration wizard, or via options for the manageitfimfederation command. D. Values for these two parameters can be set by directly editing the Self section for the relying party federation configuration in the file <was_config_root>/itfim/<tfim_domain>/etc/feds.xml. : QUESTION 25 Which statement is true regarding SAML 1.1 Single Sign-On? A. Service provider (SP)-initiated mode is not supported. B. The SP must redirect the user to the identity provider (IdP) in the first step of the protocol flow. C. IdP-initiated flows must use HTTP-POST to return the identity assertion to the SP. D. The IdP must contact the SP through a back channel to send the identity assertion. : QUESTION 26 When creating a partner for an IBM Tivoli Federated Identity Manager V6.2.2 SAML 2.0 identity provider, the Default Post-Authentication Target URL is the location the user is redirected to under which condition?

10 A. after the partner validates the identity assertion if the partner does not provide a TARGET URL when the Single Sign-On protocol is initiated B. after the partner validates the identity assertion if the partner does not provide a DEFAULT URL when the Single Sign-On protocol is initiated C. after the Identity Provider validates the identity assertion if the partner does not provide a TARGET URL when the Single Sign-On protocol is initiated D. after the Identity Provider authenticates the user and prior to assertion validation if the partner does not provide a TARGET URL when the Single Sign-On protocol is initiated : QUESTION 27 When configuring a SAML 1.1 partner using Browser/POST, how can the assertion from the IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Identity Provider (IdP) be tested using a browser capture tool (such as Fiddler) to ensure correct values are being sent? A. An HTTP POST can be issued to the Service Provider (SP) login endpoint with the query string parameters IDP_PROVIDER_ID and TARGET. After the HTTP 302 redirect to the IdP, the ROT13 encoded SAML response can be extracted from the HTML form in the HTTP 200 response. After decoding, the SAML response may be examined. B. An HTTP POST can be issued to the SP login endpoint with the query string parameters idp_provider_id and target. After the HTTP 302 redirect to the IdP, the Base64 encoded SAML response can be extracted from the HTML form in the HTTP 200 response. After decoding, the SAML response may be examined. C. An HTTP GET can be issued to the IdP login endpoint with the query string parameters SP_PROVIDER_ID and target. The Base64 encoded SAML response can be extracted from the HTML form in the HTTP 200 response. After decoding, the SAML response may be examined. The SP does not need to be functional or accessible to perform the test. D. An HTTP GET can be issued to the IdP login endpoint with the query string parameters IDP_PROVIDER_ID and target. The Base64 encoded SAML response can be extracted from thehtml form in the HTTP 200 response. After decoding, the SAML response may be examined. The SP does not need to be functional or accessible to perform the test. : QUESTION 28 Which IBM Tivoli Federated Identity Manager V6.2.2 User Self Care operations are predefined? A. enrollment, user ID reconciliation, captcha B. enrollment, forgotten password, profile management C. forgotten password, role management, profile management D. forgotten password, user ID reconciliation, profile management :

11 QUESTION 29 What does this XSL code do? A. Sets the commonname attribute to the value of the Principal name. B. Sets the commonname attribute to the name value that was provided in the SAML assertion. C. Sets the commonname attribute to the name value that was provided by the Secure Token Service. D. Sets the commonname attribute to the value that was retrieved from the IBM Tivoli Access Manager credential attribute service. : QUESTION 30 Which IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) configuration step is always required for the Alias Service, assuming SSL is used for the connection to the directory server? A. Selecting port 389 for the directory server port. B. Configuring the directory server trust store with the default TFIM SSL certificate. C. Creating a self-signed certificate and install the certificate on the directory server. D. Selecting the trusted keystore that contains the directory server certificate or CA certificate. : QUESTION 31 What are two selection criteria when comparing IBM Tivoli Federated Identity Manager User Self Care and IBM Tivoli Identity Manager User Management? (Choose two.) A. Large Scale versus Small Scale B. Self Managed versus Help Desk Managed C. Identity Approach versus Life-Cycle Approach D. Business to Consumer versus Business to Employees E. Cloud/Software as a Service Environments versus Enterprise Environments E :

12 QUESTION 32 What does this XSL code do? A. It sets the AuthenticationMethod attribute to Password for a SAML assertion. B. It sets the AuthenticationMethod attribute to Secure Remote Password for a SAML assertion. C. It sets the AuthenticationMethod attribute to Password for a SAML assertion only if the local user was authenticated with a user ID and password. D. It sets the AuthenticationMethod attribute to Secure Remote Password for a SAML assertion only if the local user was authenticated with a user ID and password. : QUESTION 33 What is one of the first things to look for in an IBM WebSphere Application Server IBM Tivoli Federated Identity Manager V6.2.2 diagnostic trace? A. Java errors and stack traces located by searching for Java Jang.Error B. mapping rule translation errors located by searching for domap ENTRY C. Java exceptions and stack traces located by searching for Java.lang.Exception D. association mode errors located by searching for Association request final data : QUESTION 34 Which function(s) are provided when using WebSEAL as a point of contact server? A. WebSEAL is used as a forward proxy for HTTP(S) access to IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) endpoints to provide user authentication, and to manage user sessions for Web Single Sign-On (SSO). B. WebSEAL is used as a reverse proxy for HTTP(S) access to TFIM endpoints,to provide user authentication, and to manage user sessions for Web SSO. C. WebSEAL is used as a forward proxy for HTTP(S) access to TFIM endpoints, to validate IVCred tokens, to provide user authentication, and to manage user sessions for Web SSO. D. WebSEAL is used as a reverse proxy for HTTP(S) access to TFIM endpoints, to validate IVCred tokens, to provide user authentication, and to manage user sessions for Web SSO.

13 : QUESTION 35 Which statement is true about the default operation of the IBM Tivoli Federated Identity Manager V6.2.2 User Self Care Enrollment Process? A. It is a one step process. B. Users can request an identity and receive an with their user ID and password. C. Users have unlimited time to complete their enrollment without having to restart the process. D. Users can request an identity and receive a link in an after the identity is validated as unique. : QUESTION 36 How are IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Single Sign-On event pages published? A. From the TFIM Management Console, Select Tivoli Federated Identity Manager > Federations. Select the properties screen of the federation for which the event pages are to be updated. Select Event Pages. For the event pages to be updated, update the configuration information as required and Apply. In a WebSphere Application Server cluster TFIM configuration, initiate a full node resynchronization. B. From the TFIM Management Console, Select Tivoli Federated Identity Manager > Federations. Select the properties screen of the federation for which the event pages are to be updated. Select Event Pages. For the event pages to be updated, update the configuration information as required and Apply. Click Publish Pages to publish the changes to the active TFIM configuration. C. From the TFIM Management Console, Select Tivoli Federated Identity Manager > Domain Management > Event Pages. For the event pages to be updated, update the configuration information as required and Apply. Click Publish Pages to publish the changes to the active TFIM configuration. D. From the TFIM Management Console, Select "Tivoli Federated Identity Manager > Domain Management > Event Pages. For the event pages to be updated, update the configuration information as required and Apply. In a WAS cluster TFIM configuration, initiate a full node resynchronization. : QUESTION 37 What is a function of IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) User Self Care? A. It links user accounts between partners. B. It provides an identity feed to WS-Provisioning. C. It provisions users to IBM Tivoli Identity Manager. D. It manages users in the IBM WebSphere Application Server user registry where TFIM is installed. : QUESTION 38 Which WS-Trust binding returns a previously issued token with new expiration semantics?

14 A. Issue B. Renew C. Extend D. Regenerate : QUESTION 39 What must be completed first when configuring an IBM Tivoli Federated Identity Manager V6.2.2 Single Sign-On federation partner? A. Metadata files must be exchanged with the partner. B. The federation must be defined before partners can be added. C. The WebSEAL configuration must be updated using the tfimcfg tool. D. The federation must be defined and enabled before partners can be added : QUESTION 40 What are forms of redirection? A. browser-side JavaScript, meta-refresh, HTML <v> tag B. server-side via a 3xx HTTP status code, meta-refresh,browser-side JavaScript, HTML <a> tag C. server-side JavaScript, browser-side via a 3xx HTTP status code, meta-refresh. HTML <a>.tag D. server-side via a 3xx HTTP status code, meta-refresh, browser-side PHP, browser side JavaScript : QUESTION 41 A customer has developed an XSLT mapping rule which calls custom Java classes developed in-house. The Java classes have been thoroughly unit tested. The solution is not working correctly, and it is suspected that there is an issue with accessing one or more class methods. What is an appropriate input to the customer regarding the solution? A. The Java class must be packaged as an EJB and installed in an EJB container. B. The Java class must be packaged as an OSGi bundle and installed in an OSGi container. C. IBM only supports calling custom Java classes from XSLT in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) when XSLT version 2.4 or later is used. D. IBM does not support calling custom Java classes from XSLT in TFIM and a custom Java mapping module should be used instead.

15 : QUESTION 42 Which type of Single Sign-On protocol exchanges cannot be viewed using a browser traffic capture tool? A. Browser/POST B. Browser/Redirect C. HTTP-Artifact SOAP channel D. SSL encrypted protocol flows : QUESTION 43 In IBM Tivoli Federated Identity Manager V6.2.2 using SAML V2.0, which name identifier format will trigger the account linking process to store an alias? A. urn:oasis:names:tc:saml:2.0:nameid-format:entity B. urn:oasis:names:tc:saml:2.0:nameid-format:persistent C. urn:oasis:names:tc:saml:1.1:nameid-format:unspecified D. urn:oasis:names:tc:saml:1.1:nameid-format: address : QUESTION 44 Which component of IBM WebSphere Application Server (WAS) must have diagnostic trace enabled to capture a diagnostic trace of the IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Management Service in a WAS clustered environment? A. dmgr B. appsrvr C. nodeagent D. the specific application server on which the TFIM runtime is installed (for example, "fimas") answer is updated. QUESTION 45 A SAML 2.0 federation has been previously configured and a recent change was made to the configuration to support an additional profile. Errors are now being seen. What is appropriate to check?

16 A. If using a Web server such as IBM HTTP Server as a front-end to IBM WebSphere Application Server (WAS), the WAS plug-in configuration may require updating. B. The source IDs for both partners may require updating. Also, if using a Web server such as IBM HTTP Server as a front-end to WAS, the WAS plug-in configuration may require updating. C. The partners may need to exchange updated metadata. Also, if using WebSEAL as the point of contact, the tfimcfg utility should also have been re-executed to assure the appropriate objects and ACLs are defined. D. The source IDs for both partners may require updating. Also, if using WebSEAL as the point of contact, the tfimcfg utility should also have been re-executed to ensure the appropriate objects and ACLs are defined. : QUESTION 46 Which files are stored in this IBM WebSphere Application Server configuration directory and contain the federation configuration definitions used by IBM Tivoli Federated Identity Manager V6.2.2? <was_config_root>/itfim/<tfim_domain>/etc/ A. fdef.xml.sts.xml, sps.xml B. fdef.xml.sts.xml, sms.xml C. feds.xml.sts.xml, sps.xml D. feds.xml.sas.xml, sms.xml : QUESTION 47 A relying party is also known as what? A. an end user B. a service provider C. an asserting party D. an identity provider :

17 QUESTION 48 What is valid when using a WebSphere Application Server (WAS) point of contact server with a target application hosted by a separate WAS using lightweight third-party authentication (LTPA) Single Sign- On? A. export LTPA key from WAS point of contact server; import LTPA key to WAS application server B. exchange public/private key pairs between WAS point of contact server and the WAS application server C. export public key of the WAS application server; import public key to trust store of the WAS point of contact server D. export LTPA signer certificate from the WAS application server; import LTPA signer certificate to the WAS point of contact server : QUESTION 49 Which steps are required to configure a SAML 2.0 service provider partner in an existing SAML 2.0 federation using the IBM Tivoli Federated Identity Manager V6.2.2 Command Line Interface? A. First, a metadata file must be obtained for the partner. Then a response file must be created using the createitfimresponse command, and the file must then be edited to provide the appropriate SAML configuration values. Finally, the manageitfimpartner command is run to create the partner using the edited response file. B. First, a metadata file must be obtained from the partner. Then a response file must be created using the manageitfimpartner command, and the file must then be edited to provide the appropriate SAML configuration values. Finally, the manageitfimpartner command is run again to create the partner using the edited response file. C. First, a metadata file for the federation must be exported and provided to the partner. Then a response file must be created using the manageitfimpartne r command, and the file must then be edited to provide the appropriate SAML configuration values. Finally, the manageitfimpartner command is run again to create the partner using the edited response file. D. A response file must be created using the manageitfimpartner command, and the file must then be edited to provide the appropriate SAML configuration values. Next, the manageitfimpartner command is run again to create the partner using the edited response file. Finally, the exportitfimconfig command is run to export the metadata for the partner configuration, and the file is forwarded to the partner to allow them to complete their configuration. : QUESTION 50 The IBM WS-Provisioning specification is related to which OASIS specification? A. WS-Identity B. WS-Account C. Identity Provisioning Markup Language D. Services Provisioning Markup Language :

18 QUESTION 51 Which protocols are specified in the SAML 2.0 Core? A. Authorization Request, Identity Request, Password Request B. Service Provider Request, Access Request, Log-on Request C. Access Request, Authentication Request, Termination Request D. Assertion Query and Request, Authentication Request, Single Logout : QUESTION 52 Which three HTTP headers may appear in requests? (Choose three.) A. Cookie B. Accept C. Expires D. Location E. Set-Cookie F. Authorization BF : QUESTION 53 Which provider can be selected when configuring an OAuth partner in IBM Tivoli Federated Identity Manager V6.2.2? A. Service provider B. Client requester C. Identity provider D. No specific partner mode is required : QUESTION 54 What is true about the OAuth protocol? A. It is an HTTP-based authorization protocol. B. It is an HTTP-based authentication protocol. C. It is an HTTP-based authentication and authorization protocol. D. It is an HTTP-based authentication, authorization, and auditing protocol.

19 : QUESTION 55 An OAuth access token is a string that represents authorization granted to the OAuth client by what? A. the OAuth Server B. the Resource Server C. the Resource Owner D. the Authorization Server : QUESTION 56 How is the user registry configured before IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) can be used for a SAML 1.1 federation with WebSEAL as the point of contact? A. The cn=itfim suffix must be created. B. The schema must be updated with the itfim-secuser.idif file. C. The user registry must be configured for IBM Tivoli Access Manager. D. A SSL connection must be configured from TFIM to the user registry and the server validation certificate added to the trusted keystore. : QUESTION 57 Which statement is true when using a SAML 1.1 Browser/Artifact profile for Single Sign-On for an identity provider (IdP) and service provider (SP)? A. The IdP returns an artifact value to the SP via HTTP-POST. The SP then accesses the IdP over a SOAP channel and issues a SAML request containing the assertion. The IdP responds with the assertion. B. The IdP returns an artifact value to the SP via an HTTP 302 response. The SP then accesses the IdP over a SOAP channel and issues a SAML request containing the artifact value. The IdP responds with the assertion. C. The SP creates an artifact value which is contained in the SAML authentication request to the IdP. After creating the assertion, the IdP issues a SAML request to the SP via HTTP-POST which contains both the artifact value and the assertion. D. The SP creates an artifact value which is contained in the SAML authentication request to the IdP. After creating the assertion, the IdP issues a SAML request to the SP over a SOAP channel which contains both the artifact value and the assertion. :

20 QUESTION 58 Which two statements are correct regarding OpenID discovery? (Choose two.) A. If the identifier is a URL, the Yadis protocol must be attempted first to obtain an XRDS document. B. If the identifier is a URL, HTML-based discovery must be attempted first to obtain an XRDS document. C. If the identifier is an XRI, the OXRI protocol will yield an XRDS document that contains the necessary information. D. HTML-based discovery must be attempted if the Yadis protocol fails and no valid XRDS document is retrieved, or no Service Elements are found in the XRDS document. E. The Yadis protocol must be attempted if the HTML-based discovery fails and no valid XRDS document is retrieved, or no Service Elements are found in the XRDS document. D : QUESTION 59 IBM Tivoli Federated Identity Manager V6.2.2 supports which three point of contact options for Federated Single Sign-On? (Choose three.) A. Custom B. Apache Tomcat C. SAP NetWeaver D. IBM WebSphere Application Server E. IBM Tivoli Access Manager WebSEAL F. IBM Tivoli Access Manager Authorization Server DE : QUESTION 60 What is the default server port number used by IBM Tivoli Directory Integrator? A B C D : QUESTION 61 What must be performed before users can access IBM Tivoli Federated Identity Manager V6.2.2 User Self Care? A. change browser configuration settings B. create user accounts within the directory server C. deploy an ActiveX plug-in in the user's browser

21 D. create a User Self Care federation for the managed user registry : QUESTION 62 Assume a SAML 2.0 Identity Provider (IdP) Single Sign-On federation is defined in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM), and a Service Provider (SP) is defined as a partner to this federation. Which step is always required? A. The partner must provide a metadata file for their SP configuration which can be imported to define the SP partner to TFIM. B. A metadata file for the IdP configuration must be provided to the partner which can be imported to define the IdP in their configuration. C. The partner must provide a metadata file for their SP configuration to the IdP, and a metadata file for the IdP configuration must be provided to the partner and imported to generate the respective partnering configurations. D. The partner may optionally provide a metadata file for their SP configuration which can be imported to define the SP partner to TFIM. If a metadata file is not provided, the configuration values may be individually entered in the partner creation dialogue. answer is verified. QUESTION 63 When configuring WebSEAL as the IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) point of contact with ACLD, how does TFIM in a service provider role create the user credential? A. TFIM uses the the IBM Tivoli Access Manager (TAM) Java Runtime GetAuthnHeaders method to create the appropriate headers and the WebSEAL EAI mechanism to return the headers in the HTTP response. This triggers WebSEAL to create a TAM credential (IVCred) for the user. B. TFIM accesses the authorization server through the TAM Java Runtime to create the appropriate headers and uses the WebSEAL EAI mechanism to return the headers in the HTTP response. This triggers WebSEAL to create a TAM credential (IVCred) for the user. C. TFIM uses the TAM Java Runtime CreatelVCred method to create the TAM credential (IVCred) and uses the WebSEAL EAI mechanism to return the credential by a header in the HTTP response. This triggers WebSEAL to use the provided credential directly for the authenticated user session. D. TFIM accesses the authorization server through the TAM Java Runtime to create the TAM credential (IVCred) and uses the WebSEAL EAI mechanism to return the credential by a header in the HTTP response. This triggers WebSEAL to use the provided credential directly for the authenticated user session. : QUESTION 64 Which statement is true regarding an IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Business Gateway installation?

22 A. Only SAML 1.1 federations are supported. B. The OAuthEAS plug-in will be used instead of WebSEAL C. The default registry attribute entitlement service configuration will be used with the standard set of attributes. D. IBM Tivoli Access Manager for e-business must already be installed or it will not be used as the point of contact. : QUESTION 65 Using WebSEAL as the identity provider (IdP) point of contact for a SAML 1.1 Single Sign-On federation, a partner is not being prompted to log in and is instead receiving an error response. What is a possible cause of the problem? A. It is likely that the service provider (SP) did not pass the Authenticate=yes parameter in the login request over the SOAP channel. B. It is likely that the SP did not pass the Authenticate=yes parameter in the authn request over the SOAP channel. C. It is likely that the correct ACL is not attached to the login endpoint object. Either the tfimcfg utility may not have been executed for this federation, or the ACL configuration was modified afterwards. D. It is likely that the correct ACL is not attached to the authn endpoint object. Either the tfimcfg utility may not have been executed for this federation, or the ACL configuration was modified afterwards. : QUESTION 66 Click the Exhibit button. Which three statements are true regarding this SAML 1.1 flow diagram? (Choose three.) A. An artifact is contained in the response in Step 2.

23 B. The assertion is sent with an HTTP 200 response in Step 2. C. The HTTP response in Step 4 must be a 302 redirect based upon the resource requested and the user's authorized access. D. The HTTP response in Step 4 can be anything the destination site chooses based upon the resource requested and the user's authorized access. E. This is a Browser/POST profile, so in Step 3 the assertion is sent to the Assertion Consumer Service endpoint through an HTTP POST of an HTML form. F. This is a Browser/Artifact profile, so the artifact received in Step 2 must be sent to the Artifact Resolution Service in Step 3, and the assertion must be retrieved through a SOAP backchannel in Step 4. DE : QUESTION 67 When reviewing an IBM WebSphere Application Server diagnostic trace with all IBM Tivoli Federated Identity Manager V6.2.2 (TRIM) messages enabled, which entries would be searched for to locate the beginning and end of specific TFIM requests? A. dorequest ENTRY, dorequest EXIT B. dorequest INITIAL, dorequest FINAL C. dorequest INITIAL, dorequest RETURN D. dorequest ENTRYy dorequest RETURN : QUESTION 68 Which three main types of information taken from the Security Token Service Universal User object will be included in the work object provided as input to an IBM Tivoli Directory Integrator (TDI) assemblyline used as an IBM Tivoli Federated Identity Manager V6.2.2 mapping function? (Choose three.) A. principal B. attribute list C. claims provider D. token target type E. resource requester F. security token request BF : QUESTION 69 What is mandatory when installing IBM Tivoli Federated Identity Manager V6.2.2 for deployments that use WebSEAL as a point of contact server? A. IBM HTTP Server

24 B. IBM Tivoli Directory Server C. Session Management Server D. IBM Tivoli Access Manager for e-business : QUESTION 70 What is the primary processing paradigm used in XSLT? A. Serialization B. Pattern matching C. Recursive descent D. Model-View-Controller (MVC) : QUESTION 71 Where does the IBM Tivoli Access Manager (TAM) credential attribute service pass user attributes for use by IBM Tivoli Federated Identity Manager V6.2.2? A. LDAP B. URL query string C. form POST fields D. TAM iv-creds header : QUESTION 72 What is a common Single Sign-On event page type which presents a form to a user? A. A request page, such as those used for request attributes in a SAML 2.0 federation or with OpenID. B. A consent page, such as those used for consent to federate in a SAML 2.0 federation or consent to authenticate with OpenID. C. A consent page, such as those used for consent to federate in a SAML 1.1 federation or consent to authenticate with OpenID. D. A consent page, such as those used for consent to federate in a SAML 2.0 federation or consent to authenticate with WS-Federation. :

25 QUESTION 73 What is the last step in configuring the IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Audit Service? A. create audit views in the Management Console B. save the configuration and sync all nodes manually C. restart the IBM WebSphere Application Server (WAS) D. distribute the audit configuration files to all WAS cluster members : QUESTION 74 XSLT begins execution at the template which has a match condition specifying the XSL root context. What is an example of such a template definition? A. <xsl:template match="/"> B. <xsl:template select-"/"> C. <xsl:template match-'@root"> D. <xsl:template select-'@root"> : QUESTION 75 Single Sign-On processing errors are being encountered with IBM Tivoli Federated Identity Manager V6.2.2 (TFIM), and a diagnostic trace capture is needed without restarting the running system. To enable runtime tracing for TFIM runtime services in IBM WebSphere Application Server 7, which administrator console actions are required? A. - the administrator must access the Logs and Trace settings under TFIM in the Integrated Solutions Console (ISC)- select the Runtime tab under Configure TFIM Diagnostic Trace- (optionally) configure the Trace Output settings, typically File- set the appropriate TFIM Runtime trace levels- apply the settings B. -the administrator must access the Logs and Trace settings under TFIM in the ISC- select the Configuration tab under Configure TFIM Diagnostic Trace- (optionally) configure the Trace Output settings, typically File- set the appropriate TFIM Runtime trace levels -apply the settings C. - the administrator must access the Troubleshooting/Logs and Trace settings in the ISC- select the application server the TFIM runtime is installed on- select the Runtime tab under Diagnostic Trace- (optionally) configure the Trace Output settings, typically File- set the appropriate TFIM runtime trace levels- apply the settings D. - the administrator must access the Troubleshooting/Logs and Trace settings in the ISC- select the application server the TFIM runtime is installed on- select the Configuration tab under Diagnostic Trace- (optionally) configure the Trace Output settings, typically File- set the appropriate TFIM runtime trace levels -apply the settings : QUESTION 76

26 When defining a federation, the administrator is getting an error saying the federation name is invalid. What is the complete set of characters allowed in creating federation names? A. alphabetic characters: A-Z, a-z only B. alphabetic characters: A-Z, a-z; numbers: 0-9 only C. alphabetic characters: A-Z, a-z; numbers: 0-9; characters: $, & only D. alphabetic characters: A-Z, a-z; numbers: 0-9; characters: $, &, _, ~ only answer is modified. QUESTION 77 What is required to add an attribute request partner to an IBM Tivoli Federated Identity Manager V6.2.2 SAML 2.0 federation configured as an attribute authority? A. Run the manageitfimpartner Command. B. Run the manageitfimattributepartner Command. C. The Add Partner wizard can be used. It will recognize that the federation is configured as an attribute authority and provide the option to configure an attribute request partner. D. The Add Partner wizard can be used. But it will not display the option to configure an attribute request partner unless the Federation is an Attribute Authority box is checked. : QUESTION 78 When configuring XSLT mapping rules from IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) Console, where is the XSL file uploaded from? A. the computer on which TFIM is installed B. the computer on which the Console is deployed C. the computer on which a browser is being used to view the Console D. the computer on which IBM WebSphere Application Server is installed : QUESTION 79 Given an installation of IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) is set up with an embedded IBM WebSphere Application Server as its point of contact server, which manual configuration tasks must be completed during deployment? A. none; all settings are configured automatically B. use the WebSphere Administration Console to configure mapping application roles to users C. use the WebSphere Administration Console to configure application and administration security D. use the WebSphere Administration Console to configure Single Sign-On (LTPA Cookie) to Enabled status

27 : QUESTION 80 Which statement is true about IBM Tivoli Federated Identity Manager V6.2.2 User Self Care Password Management Operations? A. It requires the administrator to reset the password for the user. B. It only provides the ability for the user to change their password. C. It only provides the ability for the point of contact to ask the user to change their password. D. It provides the ability for users to change their password as well as request a new password if the user password is required to be changed. : QUESTION 81 A client who recently installed IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) wants to provide employee Single Sign-On (SSO) to an external travel reservation provider who has a non-ibm federated SSO installed. Based on a combination of client requirements and capabilities, which two steps must be performed before the partner can be configured? (Choose two) A. The appropriate subject attribute must be selected. B. The SSO protocol and key options must be selected. C. The partner's signing certificate must be imported into the keystore. D. The Identity Provider must develop any needed attribute mapping and/or just-in-time provisioning implementation. E. If using WebSEAL as the point of contact, the tfimcfg command must be used to configure the appropriate ACLs B : QUESTION 82 Which type(s) of partners can be configured when a SAML 2.0 federation has been configured as an attribute authority? A. attribute query request partner B. identity provider or service provider C. service provider or attribute query request partner D. identity provider, service provider, or attribute query request partner :

28 QUESTION 83 What are the major components used with IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) User Self Care? A. IBM WebSphere Application Server (WAS), Secure Token Service. IBM Tivoli Access Manager (TAM) Java API, MQSeries B. TFIM Management Console, TFIM Runtime, Tivoli Directory Integrator (service connectors) C. TFIM Runtime, IBM Tivoli Directory Integrator, IBM HTTP Server, TAM Java API D. WAS, TFIM Runtime, Secure Token Service, TAM Java API : QUESTION 84 When using WebSEAL as the point of contact for IBM Tivoli Federated Identity Manager V6.2, what type of junction should be used? A. A TCP junction B. A standard junction C. A virtual host junction D. A transparent junction : QUESTION 85 Which XSL code example can be used to access each value in a multi-valued attribute? A. <xsl:for-eachselect="//stsuuser:attributelist/stsuuser:attribute[@name='role'] [@type=, example.com/federation/v1/role']/stsuuser:value"> B. <xsl:while true select="//stsuuser:attributelistystsuuser:attribute[@name='role'] [@type=, example.com/federation/v1/role']/stsuuser:value"> C. <xsl:value-of select="//stsuuser:attributelist/stsuuser:attribute[@name=' '] [@type=' example.com/federation/v1/emair]/stsuuser: Value"/> D. <xsl:while not eof() select="//stsuuser:attributelis1/stsuuser:attribute[@name=' '] [@type=' example.com/federation/v1/emair]/stsuuser:value"/> : QUESTION 86 Which statement is true regarding the response file for IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) User Self Care (USC)? A. It is an XML file which contains properties used to configure USC with the command manageitfimuser self care. B. It is a stanza format file which contains configuration properties used by USC with the command

29 manageitfimuserselfcare. C. It is an XML file which contains configuration properties used by USC with the command manageitfimselfcare or the TFIM Management Console operation Load Self Care Configuration. D. It is a Java properties format file which contains configuration properties used by USC with the command manageitfimself Care or the TFIM Management Console operation Load Self Care Configuration. : QUESTION 87 To capture diagnostic trace information for IBM Tivoli Federated Identity Manager V6.2.2 (TFIM) protocol exchanges, which component of IBM WebSphere Application Server must have diagnostic trace enabled? A. dmgr B. appsrvr C. nodeagent D. the specific application server on which the TFIM runtime is deployed (for example, "fimas") : QUESTION 88 What does a SAML authorization decision statement assert? A. Identity I is permitted access to resource R. B. User A is permitted to perform operation 0 on resource R. C. Resource R can be accessed by members of the groups G1 and G2. D. Subject S is permitted to perform action A on resource R given (optional) evidence E. : QUESTION 89 What is required to use a custom mapping module in IBM Tivoli Federated Identity Manager V6.2.2 (TFIM)? A. The module must first be started. B. The TFIM Runtime must be restarted. C. The module must first be instantiated. D. The tfimcfg utility must be run to create the appropriate mapping objects. :