The deployed IBM Security Access Manager (ISAM) V9.0 solution in a company already contains a federated LDAP server. However, the dynamic group support is disabled. A deployment professional is required to change the existing federated LDAP server configuration to support the dynamic groups.
How should the deployment professional do this?
A. Re-federate the LDAP server with dynamic group support enabled
B. Manually modify the ldap.conf file and add `dynamic-groups-enabled=yes'
C. Manually modify the activedir.conf file and add `dynamic-groups-enabled=yes'
D. Edit the federated directory configuration using LMI method and select the checkbox "Enable dynamic group"
A company is using the embedded LDAP server to store IBM Security Access Manager V9.0 user data. However, there is a requirement to create another suffix to hold a set of user data.
Which two suffix elements are supported when creating a top level entry for the suffix? (Choose two.)
A. c
B. l
C. dn
D. st
E. cn
After a test cycle the deployment professional wants to search the WebSEAL WGA1 instance request log for HTTP 404 responses.
Where can this log be found in the Local Management Interface?
A. Monitor> Manage Reverse Proxy Log Files, select the WGA1 instance, select the request.log file and click View
B. Monitor> Application Log Files, expand the var/logs/pdweb/WGA 1 folder, select the request.log file and click View
C. From the Home page, click on the WGA1 instance in Reverse Proxy Health widget, select the request.log file and click View.
D. Secure Web Settings> Reverse Proxy, select the WGA1 instance, access the Manage> Troubleshooting> Tracing menu item, select the request.log file and click View
A large bank has multiple applications protected by two identically configured WebSEAL servers. One junction supports a reporting application that frequently expenses performance issues which slows response time. The worst case results in the entire site becoming unresponsive when all WebSEAL worker threads on all WebSEAL instances are consumed on the junctions to this one reporting application.
Which configuration change will prevent this situation from occurring without impacting the behavior of any other application (junction), and keeping the entire site up?
A. Change worker-thread-hard-limit to 75 in WebSEAL configuration file on both WebSEAL servers.
B. Use the "throttle" option on the "pdadmin server task" command for the reporting application junction on both WebSEAL instances.
C. Use the –L 75 and –f options on the “pdadmin server task” command for the reporting application junction on both WebSEAL instances.
D. Create a third WebSEAL instance supporting only this one reporting application and load balance requests across all three WebSEAL instances.
The request in a customer environment is IDP Initiated unsolicited SSO. The initial URL is:
https://POCIDP/FIM/sps/saml2idp/saml20/loginitial?
RequestBinding =HTTPPostandPartnerId= https://POCSP/isam/sps/abc/saml20andNameIdFormat =Email
The POCIDP is Point of Contact for Identity Provider and POCSP is Point of Contact for Service Provider.
The customer wants to configure TargetURL within the Service Provider Federation configuration in IBM
Security Access Manager V9.0.
What will satisfy this requirement?
A. poc.sigin.responseTargetURL
B. Target_URL in the mapping rule
C. Federation Runtime property TargetURL
D. itfim_override_targeturl_attr in the mapping rule
A deployment professional has created an Access Control Policy to protect sensitive business information: Which Policy decision is returned for a user with a risk score of 35 and has consented to registering a device?
A. Deny
B. Permit
C. Permit with Obligation Register Device
D. Permit with Authentication Consent Register Device
Multiple users are complaining about being denied access to resources they believe they are entitled to see. The IBM Security Access Manager (ISAM) V9.0 deployment professional needs to understand and troubleshoot the various access control constructs in the ISAM protected object space. The deployment professional must also understand the order of evaluation of the three major access control constructs available in the Policy Administration tool.
That is the correct order of evaluation for these constructs?
A. ACL->AuthzRule->POP
B. POP->AuthzRule->ACL
C. ACL->POP->AuthzRule
D. AuthzRule->ACL->POP
The customer directory environment includes two Active Directory (AD) Domain Controllers (DC) managing separate suffixes (one for corporate users, one for field offices), and one occurrence of Oracle Directory Server (ODS). The business requirement states the AD for corporate users in optional and the environment should remain available even if this DC is down. There are no duplicate users across these directories.
After configuring all directories in the Secure Web Settings -> Runtime Component -> Manage -> Federated Directories, how can this requirement be achieved?
A. Edit the resulting ldap.conf and add the "ignore-if-down = yes" to the AD for the corporate.
B. Ensure the "Required" checkbox is checked for both the field office AD and the ODS server.
C. Edit the resulting ldap.conf and add the "max-server-connections = 0" to the AD for the corporate.
D. Edit the resulting ldap.conf and add the "ignore-if-down = yes" to the AD for the field offices and ODS server.
In an IBM Security Access Manager (ISAM) V9.0 Federated SSO flow, the ISAM V9.0 appliance is used as the Service Provider. The SSO is IDP initiated. The IDP initiated unsolicited SSO doesn't have the target URL specified where Service Provider should be sending the user after consuming the SAML2.0 Assertion. The implementer of the SSO provider has been given the task of providing Target URL through a mapping rule in the Service Provider configuration.
How should this requirement be achieved in the mapping URL?
A. login-redirect in
B. local-response-redirect in
C. itfim_override_targeturl in
D. ITFIM attribute target_url IN
A customer has expressed the requirement that users accessing online-banking application must first authenticate using a userid/password and successfully enter a one-time PIN which is texted to a cell phone.
Which two IBM Security Access Manager (ISAM) V9.0 modules are required to fully implement the solution? (Choose two.)
A. ISAM PAM Module
B. ISAM Cloud Module
C. ISAM Federation Module
D. ISAM Advanced Control Module
E. ISAM Access Manager Platform
