000 891


QUESTION 1:

Which two commands can be used to query the status of WebSEAL Servers on the
local machine? (Choose two.)

A. iv status
B. webseald -status
C. pd_start status
D. amstatus
E. pdweb status

Answer: C,E
QUESTION 2:

Which statement is true about a Dynamic Chain Selection Module instance?

A. It is the first module in the application module chain for partner.
B. It is the last module in the partner module chain in WSSM.
C. It is the first module in the partner module chain in Web Services Security
Management (WSSM).
D. It is the last module in the application module chain for the partner.

Answer: B
QUESTION 3:

RBTelco is a large multinational company that outsources health care benefit
management to RBBenefits. RBTelco employees access RBBenefits resources
through an authenticate-able account at each company.
RBTelco uses Intel-based machines with 2GB RAM, 10 GB hard drive, and RedHat
Enterprise Linux (RHEL) 3.0. They plan to run IBM Tivoli Federated Identity
Manager (ITFIM) using a single WebSphere Application Server Base V6 instance.
How many machines are required to support this environment?

A. 2 = (IBM Tivoli Access Manager for e-business (TAMeb) WebSEAL on one
machine) + (remainder TAMeb and all ITFIM components on one machine)
B. 2 = (TAMeb WebSEAL and ITFIM Runtime and Management Services on one machine)
+ (all remainder TAMeb and ITFIM on one machine)
C. 3 = (TAMeb WebSEAL on one machine) + (remainder TAMeb on one machine) + (all
ITFIM components including Integrated Solution Console (ISC) on one machine)
D. 3 = (TAMeb WebSEAL on one machine) + (remainder TAMeb and ITFIM Runtime
and Management Services on one machine) + (all remainder ITFIM including ISC on one
machine)

                                KoolExams.com - Free Certification Exams Resources

QUESTION 4:

Use of IBM Tivoli Access Manager e-business (TAMeb) authorization is configured
for a given Web Service application enabled for Web Services Security
Management (WSSM).
Which identity is used to create the TAMeb credential used in the authorization
decision?

A. The WSSM token modules on WebSphere use the ITFIM Trust Service to validate the
input security token and exchange it for a new security token. The ITFIM Trust Service
locates the WSSM Partner for the input security token. The WSSM Partner configuration
can maintain the user identity in the input security token or map it to a new user identity.
In either case, the result of the WSSM Partner processing must specify a valid TAMeb
user, and its credential is used by the ITFIM Trust Service to authorize the user's access to
the application.
B. The WSSM token modules on WebSphere use the ITFIM Trust Service to validate the
input security token and exchange it for a new security token. The identity is contained in
the "new" (exchanged) security token generated by the ITFIM Trust Service.
C. The configuration of a WSSM Partner creates a TAMeb user that corresponds to that
partner. This TAMeb identity is used by the IBM Tivoli Federated Identity Manager
(ITFIM) Trust Service to authorize access to the Web Service application.
D. The WSSM token modules on WebSphere use the ITFIM Trust Service to validate the
input security token and exchange it for a new security token. The identity in the input
security token must be a valid TAMeb user, and its credential is used by the ITFIM Trust
Service to authorize the user's access to the application.

Answer: A
QUESTION 5:

During which configuration step can the tfimcfg utility be used?

A. configure federation partners in Integrated Solutions Console (ISC)
B. configure Alias service
C. configure IBM Tivoli Federated Identity Manager Trust module chains
D. configure LDAP user registry for ISC

Answer: D
QUESTION 6:

Once you have successfully placed your custom alias service plug-in in the correct
location, what is a Runtime custom property required to enable your plug-in?

Answer: D

QUESTION 7:

What are three functions of a WebSphere Node Agent? (Choose three.)

A. manages the deployment manager
B. routes administrative requests to servers
C. manages JVM memory
D. serves J2EE applications
E. monitors performance
F. manages configuration synchronization

Answer: B,E,F
QUESTION 8:

RBTelco is an Identity Provider. They require that logout user life-cycle operations
be highly available to improve the probability that a user's account is logged out
when the user initiates a Single Logout (SLO) action. What should RBTelco do to
meet this requirement?

A. configure IBM Tivoli Federated Identity Manager (ITFIM) into a node in a
WebSphere cluster
B. enable both the SOAP binding and HTTP Redirect for the SLO profile
C. junction the ITFIM application behind multiple WebSEAL Servers
D. configure IBM Tivoli Access Manager for e-business to use Session Management
Service (SMS)

Answer: D
QUESTION 9:

Which utility is used to build a Trust Chain for a specific Web Service application?

A. WSDL2SAML
B. WSDL2TAM
C. WSDL2TFIM
D. TFIMCFG




A. com.tivoli.am.fim.alias.service.factory.id
B. com.tivoli.am.fim.alias.service.moduleVersion
C. com.tivoli.am.fim.alias.factory.moduleId
D. com.tivoli.am.fim.alias.service.moduleName

Answer: C

QUESTION 10:

What is the ibmditk tool?

A. Toolkit GUI used to create the assembly line
B. Configuration Editor GUI used to edit the IBM Tivoli Directory Integrator server
configuration file in order to define a server
C. Logging Management Program GUI used to enable/disable logging as well as set
logging parameters
D. Installation GUI used to install IBM Tivoli Directory Integrator

Answer: B
QUESTION 11:

An Identity Provider (IDP) and Service Provider (SP) have entered into a
Federation partnership. A user at IDP attempts to federate his account to the SP,
but receives an error that is displayed in his browser (as shown in the exhibit).
You review the IBM Tivoli Federated Identity Manager trace log file and find the
relevant messages shown in the exhibit. The error message points towards a
mismatch in the "issuer" parameter received in the request and the "issuer"
parameter for the federation.
Which configuration file should be examined to further troubleshoot this problem?
Exhibit:





Answer: C

QUESTION 12:

There is a WebSphere Network Deployment server named dmgr with a profile
named dmgr01, in a UNIX environment. Where can the server logs be found?

A. /opt/IBM/WebSphere/AppServer/logs/dmgr01/dmgr
B. /opt/IBM/WebSphere/AppServer/profiles/default/dmgr/logs
C. /opt/IBM/WebSphere/AppServer/dmgr/logs/dmgr01
D. /opt/IBM/WebSphere/AppServer/profiles/dmgr01/logs/dmgr

Answer: D
QUESTION 13:

Which configuration is required to enforce timestamp checking of the SAML
assertion being passed from AppSrv03 to AppSrv02?
Exhibit:





A. /opt/IBM/WebSphere/AppServer/profiles/<profile-name>/config/itfim/<domain-name>/etc/sps.xml
B. /opt/IBM/WebSphere/AppServer/profiles/<profile-name>/config/itfim/<domain-name>/etc/sts.xml
C. /opt/IBM/WebSphere/AppServer/profiles/<profile-name>/config/itfim/<domain-name>/etc/lids.xml
D. /opt/IBM/WebSphere/AppServer/profiles/<profile-name>/config/itfim/<domain-name>/etc/feds.xml

Answer: B

QUESTION 14:

What limitations exist for a SAML Partner Provider ID configured at the Identity
Provider?

A. The Provider ID must match the Succinct ID configured at the Service Provider.
B. The Provider ID can be any string.
C. The Provider ID must match the prefix of Target URLs in SSO requests.
D. The Provider ID can only include alphanumeric characters.

Answer: C
QUESTION 15:

Assuming the /FIM junction is defined with defaults for the Federated-Single
Sign-On (F-SSO) using SAML V2.0, which policy is required at the Identity
Provider so that only the SSL connection is allowed to the Single Sign-On (SSO)
Protocol Service?

A. attach a POP with qop set to none
B. attach a POP with qop set to privacy
C. attach a POP with qop set to ssl
D. attach a POP with qop set to encryption

Answer: B
QUESTION 16:

You want to use TCPMON between the two WS-Provisioning Service instances.
How do you configure the endpoint of the partner WS-Provisioning service (i.e., the
destination of step 3) so that TCPMON can be used?
Exhibit:


A. Timestamp checking must be enabled in the SAML Assertion Login Module on
AppSrv03.
B. Timestamp checking must be enabled in the SAML Assertion Login Module on
AppSrv02.
C. A callout to the Trust Service must be added to the token consumer configuration on
AppSrv02.
D. Timestamp generation must be added to the SAML Assertion in the Trust Service
configuration.

Answer: C

A. use the IBM Tivoli Federated Identity Manager Console to modify a custom runtime
parameter
B. modify the ITFIMClientScript.constants file
C. use the WebSphere Application Server Administration Console to modify the
WS-Provisioning application properties
D. modify the ITFIMClientIDI.properties file

Answer: A
QUESTION 17:

What must be unique across all federations?

A. Single Sign-On (SSO) Protocol
B. Provider ID
C. Identity Mapping Rules
D. Point of Contact

Answer: B
QUESTION 18:

IBM Tivoli Federated Identity Manager is installed and configured with


QUESTION 19:

A WS-Federation federation named wsfed is created using the base URL:
https://mycompany.com/FIM.
By default, what would be the endpoint used for initiating Single Logout (SLO)?

A. https://mycompany.com/FIM/sps/wsfed/wsf/slo
B. https://mycompany.com/FIM/sps/wsf/wsfed/logout
C. https://mycompany.com/FIM/sps/wsfed/wsf
D. https://mycompany.com/FIM/sps/wsf/wsfed/slo

Answer: C
QUESTION 20:

Which type of incoming message is understood by the WS-Provisioning service
defined for WS-Provisioning in a deployed IBM Tivoli Federated Identity
Management solution at a Service Provider side?

A. XML
B. SOAP
C. DSML
D. DAML

Answer: B
QUESTION 21:
Once you have successfully placed your custom alias service plug-in in the correct

Federated-Single Sign-On (F-SSO) (Liberty ID-FF 1.2) and Federated Provisioning
at RBTelco, acting as an Identity Provider (IDP). You have successfully verified the
Federated Provisioning between your IDP and your partner.
Now you are required to secure the provisioning using WS-Security. After setting
up WS-Security, the provisioning stops working. TFIM Web Services Security
Manager is configured for this setup on server side.
Which three actions should you take to help solve this problem? (Choose three.)

A. enable LDAP tracing for server change log errors
B. enable Liberty V1.2 Single Sign-On (SSO) tracing
C. enable IBM Tivoli Directory Integrator tracing
D. enable IBM Tivoli Access Manager for e-business authorization tracing
E. enable WS-Security tracing in WebSphere Application Server
F. enable WS-Trust tracing in WebSphere Application Server

Answer: D,E,F

QUESTION 22:

When recovering from a disaster, the backup and restore operation you use is
similar to the export/import configuration procedure, with one additional step.
Which additional step must you take when recovering from a disaster?

A. The restored system requires the IBM Tivoli Access Manager for e-business (TAMeb)
JRTE to be manually configured against the WebSphere's Java Runtime to allow the IBM
Tivoli Federated Identity Manager (ITFIM) Runtime to function properly.
B. The ITFIM Domain needs to be created manually within the Integrated Solution
Console.
C. A new WebSphere profile is required to restore the configuration.
D. The ITFIM Runtime instance needs to be re-registered with the TAMeb policy server by
running the SvrSslCfg command.

Answer: B
QUESTION 23:

A Web Service client has been deployed on WebSphere Application Server V6. This
client requires access to a Web Service application running at a partner site. The
partner requires that a SAML assertion is contained in the SOAP header of
incoming requests containing the identity of the user attempting to access the
service. Which Web Services Security Management (WSSM) components need to be
configured to enable the client to access the Web Service?

A. WSSM Token Consumer
B. WSSM SAMLA Login Module
C. WSSM Username Token Login Module
D. WSSM Token Generator

Answer: D
QUESTION 24:

Which file contains the Common Audit and Reporting Service (CARS) event server
installation log?

location, what is a Runtime custom property required to enable your plug-in?

A. com.tivoli.am.fim.alias.service.moduleName
B. com.tivoli.am.fim.alias.factory.moduleId
C. com.tivoli.am.fim.alias.service.moduleVersion
D. com.tivoli.am.fim.alias.service.factory.id

Answer: B

QUESTION 25:

When configured for an Identity Provider side Liberty V1.1 Federation, which three
profiles require the IBM Tivoli Federated Identity Manager Alias Service? (Choose
three.)

A. Identity Provider Introduction
B. Single Logout (SLO)
C. Identity Provider Proxy
D. Attribute Management
E. Register Name Identifier
F. Single Sign-On (SSO)

Answer: B,E,F
QUESTION 26:

Where is the WebSEAL trace log output configured?

A. in ivmgrd.conf
B. in the WebSEAL configuration file (webseald-default.conf)
C. in the 'routing' file
D. in pd.conf

Answer: C
QUESTION 27:

When configured for a Service Provider side Liberty V1.2 Federation, which
functionality requires the IBM Tivoli Federated Identity Manager Alias Service?
(Choose three.)

A. One Time Identifiers
B. Single Logout (SLO)
C. Consent to Federate
D. Register Name Identifier
E. Single Sign-On (SSO)
F. Identity Provider Proxy

A. install_cars.log
B. serverInstall.log
C. install.log
D. CARS_Install

Answer: B

QUESTION 28:

If WebSEAL to LDAP must be secured using SSL, what is required for WebSEAL
to communicate to SSL?

A. an empty keystore database file so that WebSEAL can automatically download the
certificate from LDAP server
B. personal cert from LDAP server
C. personal cert and CA cert from LDAP server
D. Certificate Authority (CA) certificate from LDAP server

Answer: D
QUESTION 29:

What is in a WebSphere cluster?

A. WebSphere Application Server hosts
B. WebSphere Application Server Nodes
C. WebSphere Application Servers
D. computers

Answer: C
QUESTION 30:

RBTelco is a large multinational company that outsources health care benefit
management to RBBenefits. Once an RBTelco employee logs into his intranet
website, the employee can use a link in the intranet page to get Single Signed-On to
RBBenefits. RBTelco is the Identity Provider and RBBenefits is the Service
Provider.
RBBenefits and RBTelco use SAML2.0 protocol for Federated-Single Sign-On
(F-SSO) using browser artifact profile. RBTelco uses WebSEAL as the point of
contact server configured for basic authentication for any incoming Web-based
requests (including Single Sign-On requests).
When a Single Sign-On (SSO) request comes from RBBenefits, RBTelco sends an
artifact using Http-Redirect. Using this artifact, RBTelco requires RBBenefits to
retrieve the SAML Assertion using an authenticated SOAP back-channel.
Which kind of authentication should be used for the SOAP back-channel
communication using a minimum number of WebSEALs on RBTelco side?

A. create another WebSEAL instance for SOAP back-channel and configure it for basic
authentication

Answer: B,D,E

QUESTION 31:

Which security token may carry user attribute information as part of the defined
token format?

A. SAML Assertion
B. Kerberos
C. RACF Token
D. Username Token

Answer: A
QUESTION 32:

You have just removed a partner from a Liberty ID-FF V1.1 Federation in an IBM
Tivoli Federated Identity Manager (ITFIM) Domain and deleted that partner's
digital certificates from the key store.
Which step(s) should you take to back up the new ITFIM Domain configuration?
I. navigate to Configure Federated-Single Sign-On (F-SSO) in the side bar, click the
Federations link, select the Liberty ID-FF V1.1 federation from the list, and then
click the Export button
II. navigate to Key Management in the side bar, and then access the key store and
export the remaining keys and certificates
III. navigate to Domains in the side bar, select the domain and click the Export
Configuration button and save the archive to disk

A. I and III only
B. I only
C. III only
D. II and III only

Answer: C
QUESTION 33:

Which two steps must be completed after adding a new suffix to IBM Tivoli
Directory Server (ITDS) and configuring the IBM Tivoli Federated Identity

B. create another WebSEAL instance for SOAP back-channel and configure it for
certificate authentication
C. use the same front-end WebSEAL accepting the SSO requests for SOAP back-channel
requests
D. create another WebSEAL instance for SOAP back-channel and configure it for
forms-based authentication

Answer: C

QUESTION 34:

What is the default trace file (for Linux) that is used for the initial debugging of
IBM Tivoli Federated Identity Manager Runtime?

A. /opt/IBM/WebSphere/AppServer/profiles/<servername>/logs/<profile>/trace.log
B. /opt/IBM/WebSphere/AppServer/profiles/<servername>/logs/<profile>/SystemOut.log
C. /opt/IBM/FIM/logs/< ITFIM Domain Name>/tivoli-common/FBT/logs/msg.log
D. /opt/IBM/FIM/logs/< ITFIM Domain Name>/tivoli-common/FBT/logs/trace.log

Answer: D
QUESTION 35:

Which type of WebSphere Server profile is needed to enable Service Integration
Bus Web Services?

A. Deployment Manager profile
B. Cluster Manager profile
C. Application Server profile
D. Custom profile

Answer: A
QUESTION 36:

Which configuration must be accomplished through the IBM Tivoli Federated
Identity Manager (ITFIM) Console to enable an ITFIM Federated Provisioning
service?

A. enable IBM Tivoli Directory Integrator Assembly Line for Federated Provisioning
B. identify Proxy URL
C. link ITFIM Alias Service to Provisioning Service
D. enable ITFIM Federated Provisioning Service

Answer: B

Manager Alias Service? (Choose two.)

A. manually create an object for newly created suffix
B. run ldapxcfg
C. restart ITDS
D. restart WebSphere
E. restart WebSEAL

Answer: C,D

QUESTION 37:

You are configuring an IBM Tivoli Federated Identity Manager Federated-Single
Sign-On (F-SSO) environment for a company acting as an Identity Provider. You
know that this company will be required to support F-SSO relationships for SAML
V 1.0, Liberty ID-FF V 1.1, Liberty ID-FF V 1.2 and WS-Federation Passive
functionality. You also know that where there is a choice, a SAML v1.1 token type
should be used as the assertion format used within the F-SSO exchange.
What is the minimum number of required federations and partners in each
federation?
Exhibit:




A. four federations: one with (A, B), one with (C), one with (D) and one with (D)
B. three federations: one with (A, B), one with (C, E) and one with (D)
C. four federations: one with (A), one with (B), one with (C, E) and one with (D)
D. three federations: one with (A, D), one with (B), and one with (C, E)

Answer: D
QUESTION 38:

How many endpoints are specified when adding a partner to a WS-Federation type
federation?

A. 2
B. 1
C. 4
D. 3

Answer: B
QUESTION 39:

What is the path to get to the WebSphere Application Logging settings for the IBM
Federated Identity Manager (ITFIM) Management Service in the WebSphere
Application Server Administration Console?

QUESTION 40:

Which protocol supports only PULL Single Sign-On (SSO)?

A. WS-Federation
B. Liberty ID-FF V1.1
C. Liberty ID-FF V1.2
D. SAML V2.0

Answer: B
QUESTION 41:

After generating a request against the IBM Tivoli Federated Identity Manager
Trust Service, you believe the request has failed. Upon reviewing the trace log you
observe the following error:
FBTSTM015E The given TokenType or AppliesTo
({{hello-module-appliesto};{};{}}) in the request is not supported by this server's
configuration for http://schemas.xmlsoap.org/ws/2004/04/security/trust/Validate
RequestType and Issuer ({{hello-module-issuer};{};{}}).
Which three statements are true? (Choose three.)

A. The RequestType http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue does
not support the TokenType
B. The RequestType
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Validate
may not support the Issuer.
C. The RequestType
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
does not support the AppliesTo.
D. The RequestType
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Validate
may not support the TokenType.
E. The RequestType http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue does not
support the Issuer.
F. The RequestType
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Validate
may not support the AppliesTo.

A. Applications->Enterprise applications->ITFIM Management Service->Monitoring
B. Troubleshooting->Logs and Trace->ServerName->Change Log Detail Levels
C. Monitoring and Tuning->Monitoring Infrastructure->Logging
D. Troubleshooting->Runtime Messages->Error

Answer: B

QUESTION 42:

Which configuration option determines if the Identity Provider should prompt a
user before federating their account with a Service Provider account?

A. Require Consent to Federate
B. Identity Provider Introduction
C. IsPassive is Enabled
D. Require Partner to Sign Liberty Messages

Answer: A
QUESTION 43:

The configuration of a Web Services Security management (WSSM) Partner allows
for the specification of XSL mapping rules. What is the input and output of these
XSL mapping rules?

A. The input to the XSL mapping rules of a WSSM Partner is the binary security token as
received on the Web Service request. The output of the mapping rules is a new security
token ready for use by the Web Service application.
B. The input to the XSL mapping rules of a WSSM Partner is an STSUniversalUser XML
document created from the security token received on the Web Service request. The
output of the mapping rules is an arbitrary collection of attributes that will be made
available to the Web Services application.
C. The input to the XSL mapping rules of a WSSM Partner is an STSUniversalUser XML
document created from the security token received on the Web Service request. The
output of the mapping rules is a new STSUniversalUser XML document that represents
the security token required by the application.
D. The input to the XSL mapping rules of a WSSM Partner is an STSUniversalUser XML
document created from the security token received on the Web Service request. The
output of the mapping rules is an IBM Tivoli Access Manager for e-business credential
that will be used to authorize the partner's access to the Web Service application.

Answer: C
QUESTION 44:

Which command displays information about the installed GSKIT components used
by IBM Tivoli Access Manager for e-business V6?

A. gsk7ikm
B. gsk7ver


Answer: B,C,D

QUESTION 45:

You are configuring an IBM Tivoli Federated Identity Manager Federated-Single
Sign-On (F-SSO) environment for a company acting as a Service Provider. The
company will provide five business partners (acting as Identity Providers) with
access to the web application, which performs purchase orders. The partners are as
follows:
Partner A will use SAML 2.0
Partner B will use SAML 1.1
Partner C will use Liberty 1.1
Partner D will use SAML 1.0
Partner E will use SAML 1.1
What is the minimum number of federations required to accommodate these
requirements?

A. four federations: one with Partner A, one with Partner B and E, one with Partner C,
and one with Partner D
B. two federations: one with Partners A, B, D, E, one with Partner C
C. one federation: one with Partners A, B, C, D, E
D. four federations: one with Partner A, one with Partner B and C, one with Partner D,
and one with Partner E

Answer: A
QUESTION 46:

What triggers the "Consent to Federate" page to be displayed?

A. The Consent flag is set in an incoming federate request.
B. The Identity Provider configuration requires the page to be displayed.
C. The Consent flag is set in an incoming authentication request.
D. The Service Provider configuration requires the page to be displayed.

Answer: B
QUESTION 47:

Which WebSphere log file is best to inspect to determine if an application was
started successfully?

A. SystemOut.log

C. gskitinfo
D. gskinfo

Answer: B

QUESTION 48:

After initial analysis, you find that the communication from IBM Tivoli Federated
Identity Manager Runtime needs to be trace enabled with the IBM Tivoli Access
Manager for e-business Authorization Server. Where is this done?

A. <WAS_HOME>/java/jre/PolicyDirector/PDJlog.properties
B. <PD_HOME>/etc/ivmgrd.conf
C. <PD_HOME>/etc/ivacld.conf
D. <WAS_HOME>/logs

Answer: A
QUESTION 49:

You have installed the Integrated Service Console on to a host with DNS name
machine1. Using the system defaults, what is the correct URL you must use to verify
the installation?

A. http://machine1:8421/ibm/console
B. http://machine1:8421/isc/console
C. http://machine1:8421/console/ibm/
D. http://machine1:8421/fim/console

Answer: A
QUESTION 50:

RBTelco is a large multinational company that outsources health care benefit
management to RBBenefits. RBTelco employees access RBBenefits resources
through an authenticate-able account at each company. RBBenefits and RBTelco will
use SAML V1.0.
Which IBM Tivoli Access Manager for e-business (ITAMeb) and IBM Tivoli
Federated Identity Manager (ITFIM) components are required to be installed at
RBTelco?

A. TAMeb Runtime, TAMeb Policy Server, TAMeb Authorization Server, TAMeb
WebSEAL Server, ITFIM Runtime and Management Services, ITFIM Management
Console, WebSEAL Application Developer Kit
B. TAMeb Runtime, TAMeb Policy Server, TAMeb Authorization Server, TAMeb




B. SystemErr.log
C. startServer.log
D. native_stdout.log

Answer: A

QUESTION 51:

If an invalid username and password is entered on the EchoClient, which log files
will be the first to record this (assuming all components have necessary logging and
tracing enabled)?
Exhibit:




A. IBM Tivoli Federated Identity Manager (ITFIM) tracing on AppSrv01 during token
validation
B. the EchoClient log during token generation
C. ITFIM tracing on AppSrv03 during an attempted JAAS login
D. the PDACLD authentication audit log

WebSEAL Server, ITFIM Runtime and Management Services, ITFIM Management
Console
C. TAMeb Runtime, TAMeb Policy Server, TAMeb Authorization Server, TAMeb Java
Runtime Environment, TAMeb WebSEAL Server, ITFIM Runtime and Management
Services, ITFIM Management Console, WebSEAL Application Developer Kit
D. TAMeb Runtime, TAMeb Policy Server, TAMeb Authorization Server, TAMeb Java
Runtime Environment, TAMeb WebSEAL Server, ITFIM Runtime and Management
Services, ITFIM Management Console, ITFIM Demonstration Scenarios, WebSEAL
Application Developer Kit

Answer: B

QUESTION 52:

WS-Security signing and encryption are used on the message from the EchoClient
to the EchoApplication secured by Web Services Security Management (WSSM).
XML Encryption is performed by the client using which key?

A. the client's public key
B. the server's public key
C. the client's private key
D. the server's private key

Answer: B
QUESTION 53:

In the IBM Tivoli Federated Identity Manager Console, you have two different
domains: spDomain and idpDomain.
What should you do to back up idpDomain if the domains appear as shown in the
exhibit?
Exhibit:




A. click the Delete button to remove spDomain, then click the Import and Export
Configuration link, click the Export Configuration button, and save the archive
B. back up files included in
/opt/IBM/WebSphere/AppServer/profiles/<WAS_PROFILE_NAME>/config/itfim/domain2
C. select idpDomain, click the Make Active button, then click the Import and Export
Configuration link, click the Export Configuration button, and save the archive
D. click the Import and Export Configuration link, click the Export Configuration button,
and save the archive

Answer: C


                                KoolExams.com - Free Certification Exams Resources


Answer: D
                                              000-891

QUESTION 54:

What is the default message level configured for IBM Tivoli Federated Identity
Manager?

A. disable all messages
B. error messages only
C. info, error and warning messages
D. error and warning messages only

Answer: C
QUESTION 55:

RBTelco is a large multinational company that outsources health care benefit
management to RBBenefits. RBTelco employees access RBBenefits resources
through an authenticate-able account at each company. RBBenefits and RBTelco will
use SAML V1.0.
Which IBM Tivoli Access Manager for e-business (ITAMeb) and IBM Tivoli
Federated Identity Manager (ITFIM) components are required to be installed at
RBTelco?

A. TAMeb Runtime, TAMeb Policy Server, TAMeb Authorization Server, TAMeb Java
Runtime Environment, TAMeb WebSEAL Server, ITFIM Runtime and Management
Services, ITFIM Management Console, ITFIM Demonstration Scenarios, WebSEAL
Application Developer Kit
B. TAMeb Runtime, TAMeb Policy Server, TAMeb Authorization Server, TAMeb
WebSEAL Server, ITFIM Runtime and Management Services, ITFIM Management
Console
C. TAMeb Runtime, TAMeb Policy Server, TAMeb Authorization Server, TAMeb
WebSEAL Server, ITFIM Runtime and Management Services, ITFIM Management
Console, WebSEAL Application Developer Kit
D. TAMeb Runtime, TAMeb Policy Server, TAMeb Authorization Server, TAMeb Java
Runtime Environment, TAMeb WebSEAL Server, ITFIM Runtime and Management
Services, ITFIM Management Console, WebSEAL Application Developer Kit

Answer: B
QUESTION 56:

Which statement is true about configuring IBM Federated Identity Manager
(ITFIM) audit settings to use the Common Audit and Reporting Services (CARS)
Web Service Emitter over SSL?

A. You must import the CARS root signer certificate into the ITFIM DefaultKeyStore.
B. You must import the CARS keystore into ITFIM using the Key Service.
C. You must import a self-signed public key certificate into the ITFIM DefaultKeyStore.
D. You must import the CARS public/private key pair into the ITFIM DefaultKeyStore
for mutual authentication.

Answer: A
QUESTION 57:

Which utility is used to build a Trust Chain for a specific Web Service application?

A. WSDL2SAML
B. WSDL2TAM
C. TFIMCFG
D. WSDL2TFIM

Answer: D
QUESTION 58:

What are the two default TCP and SSL listener ports of IBM Tivoli Directory
Server? (Choose two.)

A. 9180
B. 443
C. 8080
D. 636
E. 389

Answer: D,E
QUESTION 59:

Which action confirms that the Policy Server is able to successfully connect to the
WebSEAL Server?

A. telnet to the WebSEAL system from the Policy Server
B. telnet from the WebSEAL system to the Policy Server
C. a server show of the WebSEAL using the pdadmin command line interface
D. access WebSEAL with a browser

Answer: C
QUESTION 60:

Assume that a given Web Services Security Management (WSSM) partner submits
Web Service security requests that contain a SAML token. The SAML token
identifies the end user that originated the request and also a set of attributes about
the end user. The Web Service application, however, requires additional attributes
that are not in the SAML token.
How can a WSSM Partner configuration be used to provide the additional
attributes?

A. The WSSM token modules on WebSphere use the ITFIM Trust Service to validate the
input SAML token and exchange it for a new security token. The configuration of a
WSSM Partner includes XSL rules for identity and attribute mapping. These XSL
mapping rules can add attributes to the token returned from the Trust Service to the
application.
B. The WSSM token modules on WebSphere use the IBM Tivoli Federated Identity
Manager (ITFIM) Trust Service to validate the input SAML token and exchange it for a
new security token. Customers that require identity or attribute mapping must supply a
custom module instance to perform mapping functionality.
C. The WSSM token modules on WebSphere use the ITFIM Trust Service to validate the
input SAML token and exchange it for a new security token. Each WSSM Partner is also
configured as a member of the TAMeb secure domain. The partner's TAMeb credentials
are retrieved by ITFIM and all "tag value" attributes from the TAMeb registry are added
to the SAML token, returned by the Trust Service.
D. WSSM provides a JAAS login module for SAML tokens. The WSSM Partner
configuration specifies a list of attributes that are returned from the Trust Service to the
WSSM JAAS login module. The JAAS login module retrieves these attributes from the
IBM Tivoli Access Manager for e-business (TAMeb) registry and inserts them into the
new SAML token that is then available to application.

Answer: A
QUESTION 61:

You have a configured SAML 2.0 federation, and are trying to Single Sign-On
(SSO) to an application on Service Provider. You receive the following error
message:
SAML 2.0 authentication failed FBTSML215E. The name identifier policy in the
authentication request could not be met by this identity provider.
What is a possible reason for the error message?

A. The authentication request could not be validated by IDP.
B. An unsupported protocol is used.
C. The accounts have not yet been linked.
D. The user is not authenticated by Identity Provider (IDP).

Answer: C
QUESTION 62:

Which file does IBM Tivoli Directory Server log error messages to by default?

A. cli.error
B. ibmslapd_failure.log
C. ibmslapd_error.log
D. ibmslapd.log

Answer: D
QUESTION 63:

A SAML 1.1 federation called saml11fed is created on the Identity Provider side
using the base URL:
http://mycompany.com/FIM
What is the valid SOAP endpoint that can be used for that federation?

A. https://www.mycompany.com/FIM/sps/saml/saml11
B. https://www.mycompany.com/FIM/samlfed/soap
C. https://www.mycompany.com/FIM/saml11fed/soap
D. https://www.mycompany.com/FIM/samlfed/saml11/soap

Answer: A
QUESTION 64:

Web Service applications on WebSphere Application Server V6.0 must be
configured for use of Web Services Security Management (WSSM).
Which two statements are true about the necessary Web Service application
configuration? (Choose two.)

A. The Web Service application's token deployment binding must specify the WSSM
Token Consumer module.
B. The Web Service application's token deployment binding must specify the alias of the
Java Authentication Authorization Service (JAAS) configuration entry for WSSM.
C. The WSSM Token Consumer module is configured with the alias of a JAAS
configuration entry to process the security token returned from the ITFIM Trust Service.
D. The Web Service application must invoke the WSSM JAAS callback handler to
process the security token returned from the IBM Tivoli Federated Identity Manager
(ITFIM) Trust Service.
E. The Web Service application's token deployment binding must specify a JAAS login
token consumer module. The JAAS login token consumer module is configured to invoke
the ITFIM Trust Service to provide WSSM-based token consumer functionality.

Answer: A,C
QUESTION 65:

Which three features does a WebSphere cluster provide? (Choose three.)

A. workload balancing
B. ease of configuration
C. centralized auditing and reporting
D. centralized debugging of applications
E. centralized logging
F. ease of deployment

Answer: A,B,F
QUESTION 66:

If the WebSphere Application Server has an unexpected outage, what is the first
thing to look for to help determine the cause?

A. a Java core file located in the product's installation directory
B. an entry in the operating system event log
C. heap dump file located in the product installation directory
D. a native core file located in the product's installation directory

Answer: A
QUESTION 67:

You have successfully configured Web Services Security Management (WSSM) for
a Web Service application EchoService and externalized authorization to IBM
Tivoli Access Manager for e-business. There is still a problem invoking a Web
Service using X509 Token (shown in the exhibit).
Which action still needs to be taken?
Exhibit:

A. import the Certified Authority (CA) certificate that has signed the token certificate
into the pdsrv.kdb and restart WebSEAL
B. run the command pdadmin sec_master > user modify wssm-testuser password-valid
yes
C. edit the webseald.conf and enable certificate authentication by setting
accept-client-certs=required
D. import the CA certificate that has signed the token certificate into an IBM Tivoli
Federated Identity Manager Key Service Keystore

Answer: D
QUESTION 68:

Which two protocols require the use of partner metadata when establishing a
partner? (Choose two.)

A. SAML V1.X
B. WS-Provisioning
C. Liberty V1.X
D. SAML V2.0
E. WS-Federation

Answer: A,D
QUESTION 69:

When adding a partner whose SOAP endpoints are secure, which two
authentication options are available? (Choose two.)

A. Token Authentication
B. IP Address Authentication
C. Multi-factor Authentication
D. Client Certificate Authentication
E. Basic Authentication

Answer: D,E
QUESTION 70:

In Federated-Single Sign-On (F-SSO) using IBM Tivoli Federated Identity
Management, a Service Provider (SP) is configured using SAML V1.0 as the
protocol and the Identity Provider (IDP) is using forms-based authentication.
Which WebSEAL configuration on the IDP side must be done for the secure Basic
Authentication in order to communicate over SOAP at the IDP? (Choose two.)

A. enable SSL port 443 on primary WebSEAL instance
B. create an additional WebSEAL instance configured for basic authentication
C. export WebSEAL certificate and import it into SOAP client key store
D. export client certificate and import it into WebSEAL key store
E. configure user registry with SPs user name aliases

Answer: B,C
QUESTION 71:

You are using multiple TCPMON instances to trace Web Service and Web Services
Security Management (WSSM) communication. In one TCPMON window, you see
the message shown in the exhibit.
This communication is between which two components?
Exhibit:

A. from Echo Client to Echo Web Service
B. from WSSM to the ITFIM Trust Service
C. from Echo Client to WSSM
D. from Echo Web Service to IBM Tivoli Federated Identity Manager (ITFIM) Trust
Service

Answer: B
QUESTION 72:

IBM Tivoli Federated Identity Manager is installed and configured with
Federated-Single Sign-On (F-SSO) (Liberty ID-FF V1.2) and Federated
Provisioning at RBTelco, acting as an Identity Provider (IDP). An assembly line is
configured such that when a new user is created at the RBTelco, a federated
provisioning request is sent to the RBBenefits, acting as a Service Provider (SP).
Upon verifying your new setup, the provision fails.
Which three steps should you take to help solve this problem? (Choose three.)

A. check logs for Liberty V1.2 SSO errors on SP side
B. check logs for Liberty V1.2 SSO errors on IDP side
C. check the ibmdi.log for errors on SP side
D. check IBM Tivoli Access Manager for e-business logs on SP side
E. check the LDAP logs for server change log errors on the IDP
F. check the Common Audit and Report Services (CARS) auditing logs

Answer: C,D,F
QUESTION 73:

Which two tasks are required to install Service Integration Bus Web Services?
(Choose two.)

A. configure SOAP listener port
B. install the Resource Adapter
C. install the Service Data Objects (SDO) Repository
D. deploy the Service Integration Bus application
E. create a new WebSphere Application Server profile

Answer: B,C
QUESTION 74:

You have a Liberty Service Provider (SP) side federation configured for Browser
Artifact. How can you modify it to use Liberty Browser POST?

A. modify the partner configuration at the Identity Provider (IDP)
B. modify the federation configuration at the SP
C. modify the federation configuration at the IDP
D. modify the partner configuration at the SP

Answer: B
QUESTION 75:

Which version of WebSphere Application Server does the Integrated Solutions
Console (ISC) install?

A. 5.1.1
B. 5.0.2
C. 5.1
D. 6.0

Answer: A
QUESTION 76:

When recovering from a disaster, the backup and restore operation you use is
similar to the export/import configuration procedure, with one additional step.
Which additional step must you take when recovering from a disaster?

A. The ITFIM Runtime instance needs to be re-registered with the TAMeb policy server
by running the SvrSslCfg command.
B. A new WebSphere profile is required to restore the configuration.
C. The ITFIM Domain needs to be created manually within the Integrated Solution
Console.
D. The restored system requires the IBM Tivoli Access Manager for e-business (TAMeb)
JRTE to be manually configured against the WebSphere's Java Runtime to allow the IBM
Tivoli Federated Identity Manager (ITFIM) Runtime to function properly.

Answer: C
QUESTION 77:

When IBM Tivoli Federated Identity Manager Runtime is deployed, which two
tasks are performed by the Management Service? (Choose two.)

A. Tivoli Access Manager Java Runtime is updated.
B. Response pages are updated.
C. Demo app is configured.
D. Tools are updated.
E. Plug-ins are updated.

Answer: B,E
QUESTION 78:

When installing the IBM Tivoli Federated Identity Manager Service, the installer
prompts for the WebSphere Application Server SOAP Connector Port.
In a WebSphere Network Deployment environment, which WebSphere component
uses the SOAP Connector Port?
Exhibit:

A. WebSphere Node Agent
B. WebSphere Deployment Manager
C. WebSphere cluster
D. WebSphere installation

Answer: B
QUESTION 79:

You have only a single WebSphere Application Server V6.0 named "server1" and a
profile named "default." Which directory should you go to on a UNIX environment
to find the server's logs?

A. /opt/IBM/WebSphere/AppServer/server1/logs
B. /opt/IBM/WebSphere/AppServer/logs/server1
C. /opt/IBM/WebSphere/AppServer/profiles/default/logs/server1/
D. /opt/IBM/WebSphere/AppServer/default/server1/logs

Answer: C
QUESTION 80:

Which two techniques can be used to add custom attributes to the IBM Tivoli
Access Manager for e-business (TAMeb) credential passed to the IBM Tivoli
Federated Identity Manager Runtime built at the Identity Provider? (Choose two.)

A. a Custom CDAS module
B. an XSL mapping rule that refers to information in the TAMeb registry
C. a call to Java from XSL mapping rule
D. a Credential Attribute Entitlement Service
E. static text in XSL mapping rule

Answer: A,D
QUESTION 81:

Assuming /FIM is the junction defined with defaults for the Federated-Single
Sign-On (F-SSO) using WS-Federation, which policy is required at the Identity
Provider so that only the SSL connection is allowed to the Single Sign-On (SSO)
Protocol Service?

A. attach a POP with qop set to ssl
B. attach a POP with qop set to privacy
C. attach a POP with qop set to encryption
D. attach a POP with qop set to none

Answer: B
QUESTION 82:

When designing a system to use WS-Federation, which browser Single Sign-On
(SSO) method should be used?

A. Browser Artifact
B. Browser Response
C. Browser POST
D. Browser GET

Answer: C
QUESTION 83:

Assuming the Integrated Solution Console (ISC) Administrative User ID and
password are correct, what are two possible causes for an ISC login authentication
failure? (Choose two.)

A. Another resource leveraging the same authentication mechanism (LDAP) has
modified the ACLs.
B. The WebSEAL Server instance is not running or has been unconfigured.
C. The user being used to authenticate with has been removed from the
'fim-remote-acld-users' group.
D. The embedded WebSphere installation within ISC has had its IBM Tivoli Access
Manager for e-business JRTE corrupted or unconfigured.
E. The authentication mechanism (LDAP) is not running or is unreachable.

Answer: A,E
QUESTION 84:

WS-Security signing and encryption are used on the message from the EchoClient
to the EchoApplication secured by Web Services Security Management (WSSM).
Which key does the client use to create a digital signature?

A. the server's private key
B. the server's public key
C. the client's public key
D. the client's private key

Answer: D
QUESTION 85:

Which three components should you enable for tracing in order to debug a
WS-Federation Federated-Single Sign-On (F-SSO) problem? (Choose three.)

A. SOAP Client
B. Middle Manager
C. SSO Protocol Service
D. XSL
E. Trust Service
F. Identity Service Client

Answer: C,D,E
QUESTION 86:

If a Liberty ID-FF V1.2 federation named libertyfed is created using the base URL:
https://mycompany.com/FIM, what endpoint would be auto-generated for the
SOAP endpoint?

A. https://mycompany.com/FIM/sps/liberty/libertyfed/soap
B. https://mycompany.com/FIM/sps/libertyfed/soap
C. https://mycompany.com/FIM/libertyfed/liberty
D. https://mycompany.com/FIM/sps/libertyfed/liberty/soap

Answer: D
QUESTION 87:

When authorizing a Web Service request, which component calls the IBM Tivoli
Access Manager Authorization Service?

A. Web Services Security Management (WSSM) Token module
B. IBM Tivoli Federated Identity Manager Trust Service
C. Web Service provider application
D. WebSphere Web Services Gateway

Answer: B
QUESTION 88:

What is the proper way to successfully deploy a custom mapping module?

A. create a directory in {FIM-Install}/plugins to host jar file and module deployment
descriptor, update software.properties and re-deploy ITFIM Runtime on all nodes using
ISC
B. manually distribute the jar file and XML file defining the module to all WebSphere
Application Server nodes and recycle all nodes where the
IBM Tivoli Federated Identity Manager (ITFIM) Runtime is deployed
C. use ISC to create a new module type, create a new module instance for the module and
then create a new module chain where this module instance is used in map mode
D. create a custom XSLT rule and load it using the Integrated Solution Console (ISC), so
that the Default XSLT Mapping Token instance parses successfully

Answer: A
QUESTION 89:

What is the correct method to configure the proxy URL for Federated
Provisioning?

A. Once the IBM Tivoli Directory Integrator (ITDI) connector and itfim-provisioning.ear
have been configured, you then must configure ITDI to use the proxy URL that points to
the federated provisioning partner.
B. Once the IBM Tivoli Federated Identity Manager Runtime has been successfully
deployed, a runtime custom property is available to configure the proxy URL.
C. Once the itfim-provisioning.ear file has been manually deployed, the Integrated
Solution Console (ISC) will provide a new menu to configure WS-Provisioning. In this
menu, you can configure the proxy URL.
D. Once the itfim-provisioning.ear file has been manually deployed, the ISC federation
menu will provide a sub-menu to configure WS-Provisioning, which contains the proxy
URL setting.

Answer: B
QUESTION 90:

You are configuring IBM Tivoli Federated Identity Manager (ITFIM) to use basic
authentication for the Common Audit and Reporting Services (CARS) Web
Services Emitter. What must the User ID have specified?

A. access to ITFIM Console
B. the EventEmitter role on the CARS server
C. read/write access to the file system on the CARS server
D. belongs to the EventSource role on the CARS server

Answer: D
QUESTION 91:

Which IBM Tivoli Directory Server V6.0 utility is used to perform LDAP tracing?

A. ldtrc
B. ldapmodify
C. trace
D. slapdtrc

Answer: A
QUESTION 92:

IBM Tivoli Access Manager for e-business WebSEAL Runtime is installed under
directory /opt/pdwebrte on the Solaris platform.
What is the correct configuration for [authentication-mechanism] stanza in the
webseald.conf file for the external authentication interface library for the
Federated-Single Sign-On (F-SSO) using IBM Tivoli Federated Identity
Management?

A. ext-auth-interface = /opt/pdwebrte/lib/libssocreate.so
B. ext-auth-interface = /opt/pdwebrte/lib/libstliuthn.so
C. ext-auth-interface = /opt/pdwebrte/lib/libssoconsume.so
D. ext-auth-interface = /opt/pdwebrte/lib/libeaiauthn.so

Answer: D
QUESTION 93:

Which utility is best used as an initial step to troubleshoot a performance problem
on a WebSphere Application Server?

A. WebSphere Memory Monitoring Tool
B. WebSphere Performance Monitoring Tool
C. WebSphere Performance Monitoring Infrastructure
D. WebSphere Install Verification Test Tool

Answer: C
QUESTION 94:

You want to use TCPMON between the IDI running on the Identity Provider (IDP)
System, and the WS-Provisioning Service also running on the IDP.
How do you configure the endpoint of the WS-Provisioning service (i.e., the
destination of step 2)?
Exhibit:




A. use the IBM Tivoli Federated Identity Manager Console to modify a custom runtime
parameter
B. modify the ITFIMClientIDI.properties file
C. modify the ITFIMClientScript.constants file
D. use the WebSphere Application Server Administration Console to modify the
WS-Provisioning application properties

Answer: B
QUESTION 95:

You want to replicate the configuration from IBM Tivoli Federated Identity
Manager (ITFIM) domain domainX currently on machine1 in ITFIM domain
domainY on host machine2.
domainX is the current active domain. You will be using the same ITFIM Console to
manage both domains.
Which steps must you take, and in what order, to accomplish this task?

I. create domainY on machine2 and make it the active domain
II. export the configuration from domainX to archive file archive.jar
III. import the configuration from archive.jar to domainY
IV. log out from the console and restart the WebSphere Application Server hosting
the ITFIM Management Service

A. II, I, III
B. I, II, III
C. I, II, IV, III
D. II, I, IV, III

Answer: A
QUESTION 96:

If an invalid username and password is entered on the EchoClient, which log files
will be the first to record this (assuming all components have necessary logging and
tracing enabled)?
Exhibit:

A. ITFIM tracing on AppSrv03 during an attempted JAAS login
B. the PDACLD authentication audit log
C. the EchoClient log during token generation
D. IBM Tivoli Federated Identity Manager (ITFIM) tracing on AppSrv01 during token
validation

Answer: B
QUESTION 97:

IBM Tivoli Federated Identity Manager is installed and configured with
Federated-Single Sign-On (F-SSO) (Liberty ID-FF V1.2) and Federated
Provisioning at RBTelco, acting as an Identity Provider (IDP). An assembly line is
configured such that when a new user is created at the RBTelco, a federated
provisioning request is sent to the RBBenefits, acting as a Service Provider (SP).
Upon verifying your new setup, the provision fails.
Which three steps should you take to help solve this problem? (Choose three.)

A. check the ibmdi.log for errors on SP side
B. check IBM Tivoli Access Manager for e-business logs on SP side
C. check logs for Liberty V1.2 SSO errors on IDP side
D. check logs for Liberty V1.2 SSO errors on SP side
E. check the LDAP logs for server change log errors on the IDP
F. check the Common Audit and Report Services (CARS) auditing logs

Answer: A,B,F
QUESTION 98:

What is the default message level configured for IBM Tivoli Federated Identity
Manager?

A. error messages only
B. disable all messages
C. info, error and warning messages
D. error and warning messages only

Answer: C
QUESTION 99:

Which two software components are prerequisite products for the Common Audit
and Reporting Service (CARS) event server? (Choose two.)

A. Crystal Enterprise Server
B. IBM Tivoli Directory Server
C. IBM Tivoli Access Manager Authorization Server
D. IBM WebSphere Application Server
E. IBM DB2 Server

Answer: D,E
QUESTION 100:

What does the exhibit indicate?
Exhibit:




A. Mid-level tracing is enabled for the trustserver that is persisted.
B. Mid-level tracing is enabled for the trustserver that is not persisted.
C. High-level tracing is enabled for the trustserver that is not persisted.
D. High-level tracing is enabled for the trustserver that is persisted.

Answer: A
QUESTION 101:

Which error condition would cause the following error message to appear in the
logs?
FBTLIB204E No federation exists for this principal

A. Consent to federate is not granted.
B. The federation being requested by the user is not enabled.
C. The federation being requested is not defined for this user.
D. IBM Tivoli Access Manager for e-business user account is invalid.

Answer: A
QUESTION 102:

Which simple command is used to determine if an IBM LDAP server is listening
and servicing queries?

A. ldapcfg
B. ldapsearch
C. ldapmodify
D. ping

Answer: B
QUESTION 103:

RBBenefits is acting as a Service Provider (SP) and RBTelco is acting as an Identity
Provider (IDP). A user has RBTelco as her IDP. The user has not federated her
account at RBBenefits with RBTelco. She requests a resource at RBBenefits
through a bookmarked URL.
How does the RBBenefits know which of its IDP partners will act as this user's IDP
for Single Sign-On (SSO) purposes?

A. RBBenefits will post a response to the user with a message that her IDP has not yet
notified RBBenefits with her federation information. The user will be instructed to try to
access the RBBenefits resources in 24 hours.
B. RBBenefits will generate a list of all its known IDPs and present this in a page to the
user so that she can select her preferred IDP.
C. RBBenefits will request a SSO authentication for the user from all known IDPs through
front channel communications (via redirection through the user's browser) and select the
first IDP that does not fail.
D. RBBenefits will request a SSO authentication for the user from all known IDPs using
back channel communications. The first IDP that is able to generate a successful
authentication response is used as the user's IDP.

Answer: B
QUESTION 104:

What must be done after adding a partner to a Federated-Single Sign-On (F-SSO)
Federation to allow the partner's users to Single Sign-On (SSO)?

A. restart WebSEAL
B. restart Integrated Solutions Console (ISC)
C. enable the Partner
D. stop/restart IBM Tivoli Directory Server
Answer: C
QUESTION 105:

Which protocol should the Service Provider and Identity Provider use to obtain the
SAML assertion from a browser artifact?

A. WS-Security
B. SSL
C. WS-MetaData
D. SOAP

Answer: D
QUESTION 106:

According to the Usage menu and assuming that the fields following the flags are
correct, what is the proper method of making the IBM Tivoli Directory Integrator
server call?

A. ./ibmserver s /opt/IBM/IDIserver c client.xml t user_registry_handler
B. ./ibmdisrv s /opt/IBM/IDIserver c client.xml t user_registry_handler
C. ./ibmidisvr s /opt/IBM/IDIserver c client.xml t user_registry_handler
D. ./ibmditk -s /opt/IBM/IDIserver c client.xml t user_registry_handler

Answer: B
QUESTION 107:

An incorrectly built client tries to send a message to the Web Services Security
Management (WSSM) secured EchoApplication using a SAML assertion as the
embedded security token instead of a UsernameToken. All digital encryption and
signature configuration on the client is correct. What is the expected behavior of the
server side?

A. Signature validation on the server fails because the signature is expected to be on a
combination of the UsernameToken and Body.
B. The IBM Tivoli Federated Identity Manager Trust server fails to authenticate the
presented token.
C. Decryption fails during the initial WS-Security processing on the server.
D. The server processes the request successfully but logs a warning message.

Answer: C
QUESTION 108:

Which two tasks are executed by clicking Export Configuration in IBM Tivoli
Federated Identity Manager (ITFIM) Console? (Choose two.)

A. export an archive of the active ITFIM Domain
B. duplicate the configuration of the active ITFIM Domain in a new ITFIM Domain
C. inform the user that WebSphere Application Server must be restarted
D. initiate a file download of a configuration archive and duplicate the configuration of
the active ITFIM Domain in a new ITFIM Domain
E. initiate a file download of a configuration archive

Answer: A,E
QUESTION 109:

Which technique can be used to add custom attributes to the IBM Tivoli Access
Manager for e-business (TAMeb) credential built at the Service Provider?

A. configuring a Custom Entitlement Service
B. configuring a call to the Identity Provider Attribute Service
C. configuring WebSEAL to add extended attributes from TAMeb registry
D. static text in XSL mapping rule

Answer: D
QUESTION 110:

Which utility will stop the IBM Tivoli Directory Server V6.0?

A. idsslapd -stop
B. idsdirctl
C. ldapstop
D. ldapxcfg

Answer: B
QUESTION 111:

Which three protocols allow for Single Logout (SLO)? (Choose three.)

A. SAML V2.0
B. Liberty V1.X
C. WS-Trust
D. SAML V1.X
E. WS-Federation
F. WS-Provisioning

Answer: A,B,E
QUESTION 112:

What is the most likely cause of the following failure? FBTSTS009E Keystore alias
is not configured.

A. One of the module instances is not configured.
B. The Keystore has not been imported.
C. The alias service is not configured.
D. One of the module instances in the module chain is missing the key identifier.

Answer: D
QUESTION 113:

Which two items are required in order to test an identity mapping outside of IBM
Tivoli Federated Identity Manager? (Choose two.)

A. the input STS Universal User document
B. the XSL rule that represents the mapping
C. the output STS Universal User document
D. input IBM Tivoli Access Manager for e-business credential
E. the input security token

Answer: A,B
QUESTION 114:

Which type of connector is used to configure the IBM Tivoli Directory Integrator
assembly line to implement WS-provisioning using IBM Tivoli Federated Identity
Management solution at a Service Provider?

A. LDAP connector
B. Web Services connector
C. HTTP Client Connector
D. HTTP Server Connector

Answer: B
QUESTION 115:

When would "isPassive" be configured for a Liberty ID-FF V1.2 federation?

A. when LEC/P endpoints are being used and the remote device must be in passive mode
B. when the Identity Provider (IDP) needs to be limited to only dealing with passive
clients
C. when the Service Provider (SP) needs to prevent IDPs from interacting with the user
D. when LEC/P endpoints are being used and the SP must be in passive mode

Answer: C
QUESTION 116:

Which Single Sign-On (SSO) profile is one where the Security Token is passed
from the Identity Provider to the Service Provider using a passive client?

A. Browser PUSH
B. Browser PULL
C. Browser Artifact
D. Browser POST

Answer: D
QUESTION 117:

How does transport layer security differ from message layer security in a
SOAP-based Web Service environment?

A. Transport layer security is typically based on SSL and is point to point, while message
layer security is based on SSL and is end to end.
B. Transport layer security is typically based on XML Encryption and Digital Signature
and is end to end, while message layer security is based on XML Encryption and Digital
Signature and is point to point.
C. Transport layer security is typically based on SSL and is end to end, while message
layer security is based on XML Encryption and Digital Signature and is end to end.
D. Transport layer security is typically based on SSL and is point to point, while message
layer security is based on XML Encryption and Digital Signature and is end to end.

Answer: D
QUESTION 118:

For what is the Web Services Security Management (WSSM) Token Generator
used?

A. Web Service Provider applications
B. Web Service Requestor applications
C. TFIM STS Trust Service
D. TAM Authorization Service

Answer: B
QUESTION 119:

In Federated-Single Sign-On (F-SSO) using IBM Tivoli Federated Identity
Management, a Service Provider (SP) is configured using SAML V1.0 as the
protocol and the Identity Provider (IDP) is using forms-based authentication.
Which WebSEAL configuration on the IDP side must be done for the secure Basic
Authentication in order to communicate over SOAP at the IDP? (Choose two.)

A. create an additional WebSEAL instance configured for basic authentication
B. configure user registry with SP's user name aliases
C. export client certificate and import it into WebSEAL key store
D. enable SSL port 443 on primary WebSEAL instance
E. export WebSEAL certificate and import it into SOAP client key store

Answer: A,E
QUESTION 120:

You have successfully configured EchoClient and EchoApplication secured by Web
Services Security Management (WSSM). You want to test that authorization is
correctly being performed on the request. Which technique would allow you to do
this?

A. update the authorization module configuration in the Trust Service using the IBM
Tivoli Federated Identity Manager Console
B. stop all running instances of PDACLD
C. log in to the EchoClient as a different IBM Tivoli Access Manager for e-business
(TAMeb) user
D. change the TAMeb ACL policy applying to the Web Services namespace

Answer: D
QUESTION 121:

A Web Service client has been deployed on WebSphere Application Server V6. This
client requires access to a Web Service application running at a partner site. The
partner requires that a SAML assertion is contained in the SOAP header of
incoming requests containing the identity of the user attempting to access the
service. Which Web Services Security Management (WSSM) components need to be
configured to enable the client to access the Web Service?

A. WSSM Token Generator
B. WSSM SAMLA Login Module
C. WSSM Username Token Login Module
D. WSSM Token Consumer

Answer: A
QUESTION 122:

Which utility is used to configure the WebSEAL Server once the files are installed?

A. web_config
B. pdconfig
C. config_web
D. pdadmin

Answer: B
QUESTION 123:

In a SAML assertion, how is the name identified for a custom attribute?

A. the child element of the Attribute element with label Name e.g.
<Name>email</Name>
B. the name attribute of the Attribute element e.g. <Attribute name="email">
C. the type attribute of the Attribute element e.g. <Attribute type="email">
D. the label of the attribute element e.g. <email>

Answer: B
QUESTION 124:

Which command determines if a WebSphere Application Server is started or
stopped?

A. wasprofile
B. serverInfo
C. wsadmin
D. serverStatus

Answer: D
QUESTION 125:

What is the purpose of the "ForceAuthn" flag in Liberty ID-FF V1.2?

A. It forces the SP to accept an unsolicited authentication response message.
B. It forces the Service Provider (SP) to refresh the authentication credentials it currently
holds.
C. It forces the IDP to re-authenticate the user before issuing an assertion.
D. It forces the Identity Provider (IDP) to authenticate the user before updating aliases.

Answer: C
QUESTION 126:

When testing Single Sign-On (SSO) with SAML 2.0 you receive the error shown in
the Browser window of the exhibit on the Service Profile side.
In the IBM Tivoli Federated Identity Manager (ITFIM) trace log file shown in the
exhibit, what should be verified to determine the cause of the error?
Exhibit:

A. check that TAMeb Authorization Server is up and running and is able to receive the
authorization request from the machine where ITFIM Runtime is running
B. check that all WebSEAL Servers are up and running
C. check that ITFIM Management Server is up and running
D. check that IBM Tivoli Access Manager for e-business (TAMeb) Policy Server is up
and running and is able to receive pdadmin command from the machine where ITFIM
Runtime is running

Answer: A
QUESTION 127:

You have successfully configured Web Services Security Management (WSSM) for
a Web Service application EchoService and externalized authorization to IBM
Tivoli Access Manager for e-business. There is still a problem invoking a Web
Service using X509 Token (shown in the exhibit).
Which action still needs to be taken?
Exhibit:

A. import the Certificate Authority (CA) certificate that has signed the token certificate
into the pdsrv.kdb and restart WebSEAL
B. edit the webseald.conf and enable certificate authentication by setting
accept-client-certs=required
C. import the CA certificate that has signed the token certificate into an IBM Tivoli
Federated Identity Manager Key Service Keystore
D. run the command pdadmin sec_master > user modify wssm-testuser password-valid
yes

Answer: C
QUESTION 128:

Which XSL if statement checks for the existence of a homepage attribute within an
STS Universal User XML structure?

A. <xsl:if-exists="//stsuuser:AttributeList/stsuuser:Attribute/custom:Homepage">
B. <xsl:if test="//stsuuser:AttributeList/stsuuser:Attribute[attr='homepage']">
C. <xsl:if-exists="//stsuuser:AttributeList/stsuuser:Attribute[@name='homepage'])>
D. <xsl:if test="//stsuuser:AttributeList/stsuuser:Attribute[@name='homepage']">

Answer: D
QUESTION 129:

IBM Tivoli Federated Identity Manager is installed and configured with
Federated-Single Sign-On (F-SSO) (Liberty ID-FF 1.2) and Federated Provisioning
at RBTelco, acting as an Identity Provider (IDP). You have successfully verified the
Federated Provisioning between your IDP and your partner.
Now you are required to secure the provisioning using WS-Security. After setting
up WS-Security, the provisioning stops working. TFIM Web Services Security
Manager is configured for this setup on server side.
Which three actions should you take to help solve this problem? (Choose three.)

A. enable WS-Trust tracing in WebSphere Application Server
B. enable LDAP tracing for server change log errors
C. enable IBM Tivoli Directory Integrator tracing
D. enable Liberty V1.2 Single Sign-On (SSO) tracing
E. enable WS-Security tracing in WebSphere Application Server
F. enable IBM Tivoli Access Manager for e-business authorization tracing

Answer: A,E,F
QUESTION 130:

When planning for secure communications between a partner and the Point of
Contact, at what level is the SSL connection defined?
Exhibit:

A. all federations configured for an instance of IBM Tivoli Federated Identity Manager
(ITFIM)
B. all federation functionality fronted by a single instance of IBM Tivoli Access Manager
for e-business WebSEAL
C. each individual federation within an instance of ITFIM
D. each individual partner within a single federation

Answer: C
QUESTION 131:

The ldapsearch command or LDAP administration GUI can be used to verify
LDAP ACLs. Which three are valid LDAP ACL attributes? (Choose three.)

A. default-policy
B. ownerpropgate
C. default-management
D. aclentry
E. acluser
F. aclpropagate

Answer: B,D,E
QUESTION 132:

What are the three optional services that may be exposed to a partner with a
Liberty implementation? (Choose three.)

A. Single Logout (SLO) Service
B. Federation Termination Notification Service
C. Alias Service
D. Liberty Enabled Client/Proxy Service
E. Trust Service
F. Register Name Identifier Service

Answer: A,B,F
QUESTION 133:

What are two functions of a custom mapping module? (Choose two.)

A. looks up attributes in an external data source
B. maps a user's alias during the account linkage operation in SAML 2.0 and Liberty 1.2
protocol
C. maps a STSUUSER input to a SAML token
D. maps a GUI XML attributes into UI controls that are used by the IBM Tivoli
Federated Identity Manager Console to collect the input data
E. records the token assertion

Answer: A,E
QUESTION 134:

A single configured IBM Tivoli Federated Identity Manager Federation can support
how many Single Sign-On (SSO) standards?

A. 3
B. 2
C. 1
D. 6

Answer: C
QUESTION 135:

You need to add a new partner Identity Provider (IDP) to a customer's FIM
configuration, where the customer is acting as a Service Provider (SP). As a SP,
your customer (X) supports the IDP and SP Complete profiles for Liberty ID-FF
V1.2 and the WS-Federation Passive profile. You are given the following description
of the new partner's "required" functionality:
The customer supports multiple federation protocols, so all "Identity Provider
Identification" functionality is handled with a SP-generated cookie managed by the
SP.
The new partner, IDPNew, will provide Single Sign-On (SSO) and Single Logout
(SLO) for its users and will conform to Lib ID-FF V1.2.
IDPNew will not send authentication assertions over HTTP by redirection through a
browser.
IDPNew will not support customer X setting a Name Identifier value for IDPNew to
use with X (only IDPNew set Name Identifiers will be allowed).
IDPNew does not need to support mobile devices.
Users will typically SSO to X from IDPNew through a customized link at the
IDPNew portal, although the overall federation will support SSO in response to a
bookmarked URL access of an X resource.
The IDP will support SOAP back-channel communications.
The X-IDPNew federation will use B/A profile for SSO, HTTP Redirect profile for
single sign-off, _____.

A. IDP-initiated register name identifier and federation termination notification profiles
and the IDP Introduction profile
B. SOAP-based register name identifier and federation termination notification, and the IDP
Introduction profile
C. SOAP-based register name identifier and federation termination notification
D. IDP-initiated register name identifier and federation termination notification profiles

Answer: D
QUESTION 136:

What is the most likely cause of the following exception found in the Service
Provider logs?

[4/10/06 21:29:39:358 EDT] 00000035 SOAPClientImp I
com.tivoli.am.fim.soap.client.SOAPClientImpl send
org.xml.sax.SAXParseException: Open quote is expected for attribute "onLoad"
associated with an element type "BODY".
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
at com.tivoli.am.fim.utils.XMLUtil.parseString(XMLUtil.java:317)
at com.tivoli.am.fim.soap.client.SOAPClientImpl.send(SOAPClientImpl.java:173)
at com.tivoli.am.fim.liberty.delegate.soap.LibertySOAPClientImpl.send(LibertySOAPClientImpl.java:64)

A. The onLoad parameter was missing from a received SOAP response.
B. The configured SOAP endpoint was badly formed.
C. An invalid SOAP response was received.
D. The XSL Identity Mapping engine could not parse the input XML message.

Answer: C
QUESTION 137:

You are configuring an IBM Tivoli Federated Identity Manager Federated-Single
Sign-On (F-SSO) environment for a company acting as an Identity Provider. You
have XML-based metadata files for five partners. All partners are Service Providers
and all are to be configured for Liberty ID-FF V1.1 functionality. Based on the
metadata provided (shown in the exhibit), define the grouping of these partners into
the defined IDP side federations.
What is the minimum number of required federations and partners for each
federation?
Exhibit:

A. three federations: one with (A), one with (B), one with (C, D, E)
B. four federations: one with (A, B), one with (C), one with (D) and one with (D)
C. four federations: one with (A), one with (B), one with (C, E) and one with (D)
D. three federations: one with (A, B), one with (C, E) and one with (D)

Answer: C
QUESTION 138:

IBM Tivoli Access Manager for e-business WebSEAL Runtime is installed under
directory /opt/pdwebrte on the Solaris platform.
What is the correct configuration for [authentication-mechanism] stanza in the
webseald.conf file for the external authentication interface library for the
Federated-Single Sign-On (F-SSO) using IBM Tivoli Federated Identity
Management?

A. ext-auth-interface = /opt/pdwebrte/lib/libstliuthn.so
B. ext-auth-interface = /opt/pdwebrte/lib/libssoconsume.so
C. ext-auth-interface = /opt/pdwebrte/lib/libssocreate.so
D. ext-auth-interface = /opt/pdwebrte/lib/libeaiauthn.so

Answer: D
QUESTION 139:

RBBenefits is acting as a Service Provider and RBTelco is acting as an Identity
Provider. They are in the planning phase of setting up their federated partnership.
Both parties have agreed to use SAML 2.0 as the Single Sign-On (SSO) Protocol.
Many of RBTelco's employees access their intranet portal from external "unsecure"
networks. RBTelco is concerned about identity assertions passing through the user's
browser. Which binding should RBTelco configure for the Web Browser SSO
profile?

A. HTTP POST
B. HTTP GET
C. HTTP Artifact
D. HTTP Redirect

Answer: C
QUESTION 140:

Using default configuration, can two partners sending in different token types use
the same Web Service URL?

A. Yes, only if the application module chain for each partner is configured using the
same Web Service URL.
B. No, different STS chains are required to validate the different partner token types. The
Issuer field of an RST from Token Consumer to partner module chain is set to destination
Web Service URL.
C. Yes, the Request for Security Token (RST) from Token Consumer to partner module
chain contains a different AppliesTo based upon the token type being sent.
D. No, different STS chains are required to validate the different partner token types. The
Issuer field of an STS request from token Consumer is fixed, so the AppliesTo element
(i.e. the destination Web Service URL) must be unique for each partner token type.

Answer: D