あなたを必ず合格させるSecret-Sen問題集PDF 2024年最新のに更新されたのは62問あります
CyberArk Secret-Senリアル試験問題と解答を無料で提供いたします
Cyberark Secret-Sen試験は、Secrets Managerに関連するさまざまなトピックをカバーする多肢選択式の質問で構成されています。これらのトピックには、Secrets Managerのアーキテクチャと展開、秘密と資格の管理、アプリケーションおよびサービスアカウント管理のためのSecrets Managerの使用、およびSecrets Managerの他のサイバーセキュリティソリューションの統合が含まれます。この試験では、秘密と資格情報を管理するためのベストプラクティス、およびトラブルシューティングとメンテナンス手順についてもカバーしています。
質問 # 27
Match each use case to the appropriate Secrets Manager Solution.
正解:
解説:


質問 # 28
When an application is retrieving a credential from Conjur, the application authenticates to Follower A.
Follower B receives the next request to retrieve the credential.
What happens next?
- A. The Coryur Token is stateless and Follower B redirects the request to Follower A to satisfy the request.
- B. The Coniur Token is stateful and Follower B redirects the request to Follower A to satisfy the request.
- C. The Coniur Token is stateful and Follower B is unable to validate the Token promptinq the application to re-authenticate.
- D. The Coniur Token is stateless and Follower B is able to validate the Token and satisfy the request.
正解:D
解説:
Explanation
This is the correct answer because the Conjur Token is a JSON Web Token (JWT) that is signed by the Conjur master and contains the identity and permissions of the application. The Conjur Token is stateless, meaning that it does not depend on any stored session or transaction information on the server side. Therefore, any Conjur follower can validate the Token by verifying the signature and the expiration time, and satisfy the request by retrieving the credential from the local database. This allows the Conjur followers to be horizontally scalable and load balanced, and to provide high availability and performance for the applications. This answer is based on the Conjur documentation1 and the Conjur training course2.
質問 # 29
Followers are replications of the Leader configured for which purpose?
- A. synchronous replication to ensure high availability
- B. synchronous replication to ensure that there is always an up-to-date database
- C. asynchronous replication from the Leader with read/write operations capability
- D. asynchronous replication from the Leader which allows secret reads at scale
正解:D
解説:
Explanation
Followers are read-only replicas of the Leader that perform asynchronous replication from the Leader. This means that they receive updates from the Leader periodically, but not in real time. Followers are designed to handle all types of read requests from workloads and applications, such as authentication, permission checks, and secret fetches. Followers can scale horizontally to support a large number of concurrent requests and reduce the load on the Leader. Followers also provide high availability and disaster recovery by serving as backup nodes in case of Leader failure or network partition. References: Set up Follower, Deploy the Conjur Follower, Follower architecture
質問 # 30
When attempting to retrieve a credential managed by the Synchronizer, you receive this error:
What is the cause of the issue?
- A. The host does not have access to the credential.
- B. The Conjur Leader has lost upstream connectivity to the Vault Conjur Synchronizer.
- C. The path to the credential was not properly encoded.
- D. The Vault Conjur Synchronizer has crashed and needs to be restarted.
正解:A
解説:
Explanation
The cause of the issue is that the host does not have access to the credential. This can happen if the host does not have the correct permissions or if the credential is not properly configured in the Vault Conjur Synchronizer.
The Vault Conjur Synchronizer is a tool that enables the integration between CyberArk Vault and Conjur Secrets Manager Enterprise. The Synchronizer synchronizes secrets that are stored and managed in the CyberArk Vault with Conjur Enterprise, and allows them to be used via Conjur clients, APIs, and SDKs. The Synchronizer creates and updates Conjur policies and variables based on the Vault accounts and safes, and assigns permissions to Conjur hosts based on the Vault allowed machines.
To fix this issue, the host needs to have the permission to access the credential in Conjur. This can be done by adding the host to the allowed machines list of the Vault account that corresponds to the credential, and synchronizing the changes with Conjur. Alternatively, the host can be granted the permission to access the credential in Conjur by modifying the Conjur policy that corresponds to the Vault safe that contains the credential, and loading the policy to Conjur. However, this may cause conflicts or inconsistencies with the Synchronizer, and is not recommended.
For more information, see the CyberArk Vault Synchronizer docs1 and the Synchronizer Troubleshooting guide2.
質問 # 31
Which API endpoint can be used to discover secrets inside of Conjur?
- A. Roles
- B. Policies
- C. Resources
- D. WhoAmi
正解:C
解説:
Explanation
Conjur is a secrets management solution that securely stores and manages secrets and credentials used by applications, DevOps tools, and other systems. Conjur provides a REST API that enables users to perform various operations on Conjur objects, such as secrets, policies, roles, and resources. The API endpoint for each Conjur object is composed of the base URL of the Conjur server, followed by the object type and identifier.
For example, the API endpoint for a secret named db-password in the dev/my-app policy is:
https://<conjur-server>/secrets/dev/my-app/db-password
To discover secrets inside of Conjur, the API endpoint that can be used is Resources. Resources are Conjur objects that have permissions and annotations associated with them, such as secrets, hosts, groups, and layers.
The Resources API endpoint allows users to list, search, and filter resources based on various criteria, such as kind, owner, policy, and annotation. For example, the following API request will return a list of all secrets owned by the user alice:
https://<conjur-server>/resources?kind=variable&owner=user:alice
The Resources API endpoint can help users to discover secrets inside of Conjur by providing information such as the name, ID, policy, owner, and annotations of each secret. Users can also use the Resources API endpoint to check the permissions and audit records of each secret, and to retrieve the secret value if they have the read permission.
References = Conjur API; Resources API; Secrets API
質問 # 32
A customer requires high availability in its AWS cloud infrastructure.
What is the minimally viable Conjur deployment architecture to achieve this?
- A. two Followers in each region, load balanced for the region
- B. two Followers in each AZ. load balanced for the region
- C. one Follower in each AZ. load balancer for the region
- D. two Followers in each region, load balanced across all regions
正解:C
質問 # 33
When installing the CCP and configuring it for use behind a load balancer, which authentication methods may be affected? (Choose two.)
- A. Path
- B. Allowed Machines authentication
- C. Hash
- D. [Client Certificate authentication
- E. OS User
正解:B、D
解説:
Explanation
The CCP (Central Credential Provider) is a tool that enables applications to securely retrieve credentials from CyberArk Secrets Manager without hard-coding or storing them in files. The CCP can be installed on a single server or on multiple servers behind a load balancer for high availability and scalability. The load balancer is a device or service that distributes the network traffic among the CCP servers based on predefined rules and criteria.
The CCP supports multiple methods to authenticate applications, such as Allowed Machines, Client Certificate, OS User, Path, and Hash. These methods are based on registering information in the Vault with the unique application ID. For more information about the supported authentication methods, see Application authentication methods1.
When installing the CCP and configuring it for use behind a load balancer, some authentication methods may be affected by the load balancer's behavior and settings. Specifically, the following authentication methods may be affected:
Allowed Machines authentication: This method authenticates applications based on their IP address or hostname. If the load balancer replaces the source IP or hostname of the routed packets with its own IP or hostname, the CCP will not be able to authenticate the application that initiated the credential request.
To enable the CCP to resolve the IP or hostname of the application, the load balancer needs to be configured as a transparent proxy or to attach the X-Forwarded-For header to the routed packets. For more information, see Load balance the Central Credential Provider2.
Client Certificate authentication: This method authenticates applications based on their client certificate that is signed by a trusted certificate authority (CA). The client certificate is used to establish a secure and trusted connection between the application and the CCP. If the load balancer terminates the SSL connection before proxying the traffic to the CCP, the CCP will not be able to verify the client certificate of the application. To enable the CCP to validate the client certificate, the load balancer needs to be configured as a pass-through proxy or to forward the client certificate to the CCP. For more information, see Load balance the Central Credential Provider2.
The other authentication methods are not affected by the load balancer, as they do not rely on the IP, hostname, or certificate of the application. For example, the OS User method authenticates applications based on their Windows domain user, the Path method authenticates applications based on their URL path, and the Hash method authenticates applications based on a hash value that is generated from the application ID and a shared secret. These methods do not require any special configuration on the load balancer or the CCP.
質問 # 34
You start up a Follower and try to connect to it with a REST call using the server certificate, but you get an SSL connection refused error.
What could be the problem and how should you fix it?
- A. The certificate is unnecessary. Use the command option to suppress SSL certificate checking.
- B. One of the PostgreSQL ports (5432. 1999) is blocked by the firewall Open those ports.
- C. The certificate does not contain the Follower hostname as a Subject Alternative Name (SAN). Generate a new certificate for the Follower.
- D. Port 443 is blocked; open that port.
正解:C
解説:
Explanation
The correct answer is A. The certificate does not contain the Follower hostname as a Subject Alternative Name (SAN). Generate a new certificate for the Follower.
A possible explanation is:
A Follower is a read-only node that replicates data from the Leader node in a Secrets Manager cluster. A Follower can serve requests from clients and applications that need to retrieve secrets or perform other read-only operations. To connect to a Follower with a REST call, the client or application needs to use the server certificate that was generated for the Follower during the installation process. The server certificate is used to establish a secure and trusted connection between the client or application and the Follower.
However, if the server certificate does not contain the Follower hostname as a Subject Alternative Name (SAN), the connection will fail with an SSL connection refused error. This is because the SAN is an extension of the X.509 certificate standard that allows the certificate to specify multiple hostnames or IP addresses that the certificate is valid for. If the Follower hostname is not included in the SAN, the client or application will not be able to verify the identity of the Follower, and will reject the connection.
To fix this problem, a new server certificate needs to be generated for the Follower, with the Follower hostname added to the SAN. The new certificate can be generated using the openssl command or another tool that supports the SAN extension. The new certificate also needs to be signed by the same certificate authority (CA) that signed the original certificate, and the CA certificate needs to be trusted by the client or application.
The new certificate then needs to be copied to the Follower node and configured in the nginx.conf file. The Follower node also needs to be restarted for the changes to take effect.
References = Secrets Manager Cluster Installation; Secrets Manager Cluster Configuration; Subject Alternative Name - Wikipedia
質問 # 35
You are setting up a Kubernetes integration with Conjur. With performance as the key deciding factor, namespace and service account will be used as identity characteristics.
Which authentication method should you choose?
- A. Connect (OIDC) authentication
- B. Certificate-based authentication
- C. JWT-based authentication
- D. API key authentication
正解:C
解説:
Explanation
According to the CyberArk Sentry Secrets Manager documentation, JWT-based authentication is the recommended method for authenticating Kubernetes pods with Conjur. JWT-based authentication uses JSON Web Tokens (JWTs) that are issued by the Kubernetes API server and signed by its private key. The JWTs contain the pod's namespace and service account as identity characteristics, which are verified by Conjur against a policy that defines the allowed namespaces and service accounts. JWT-based authentication is fast, scalable, and secure, as it does not require any additional certificates, secrets, or sidecars to be deployed on the pods. JWT-based authentication also supports rotation and revocation of the Kubernetes API server's private key, which enhances the security and resilience of the authentication process.
Certificate-based authentication is another method for authenticating Kubernetes pods with Conjur, but it is not the best option for performance. Certificate-based authentication uses X.509 certificates that are generated by a Conjur CA service and injected into the pods as Kubernetes secrets. The certificates contain the pod's namespace and service account as identity characteristics, which are verified by Conjur against a policy that defines the allowed namespaces and service accounts. Certificate-based authentication is secure and reliable, but it requires more resources and steps to generate, inject, and manage the certificates and secrets.
Certificate-based authentication also does not support rotation and revocation of the certificates, which may pose a security risk if the certificates are compromised or expired.
API key authentication and Connect (OIDC) authentication are not valid methods for authenticating Kubernetes pods with Conjur. API key authentication is used for authenticating hosts, users, and applications that have a Conjur identity and an API key. Connect (OIDC) authentication is used for authenticating users and applications that have an OpenID Connect identity and a token. These methods are not suitable for Kubernetes pods, as they do not use the pod's namespace and service account as identity characteristics, and they require additional secrets or tokens to be stored and managed on the pods. References: = JWT Authenticator | CyberArk Docs; Certificate Authenticator | CyberArk Docs; API Key Authenticator | CyberArk Docs; Connect Authenticator | CyberArk Docs
質問 # 36
When loading policy, you receive a 422 Response from Conjur with a message.
What could cause this issue?
- A. incorrect Vault Conjur Synchronizer URL
- B. incorrect Leader URL
- C. misconfigured Load Balancer health check
- D. malformed Policy file
正解:D
解説:
Explanation
The most likely cause for this issue is A. malformed Policy file. A 422 Response from Conjur indicates that the request was well-formed but was unable to be followed due to semantic errors. A common semantic error when loading policy is having a malformed Policy file, which means that the Policy file does not follow the correct syntax, structure, or logic of the Conjur Policy language. A malformed Policy file can result from typos, missing or extra characters, incorrect indentation, invalid references, or other mistakes that prevent Conjur from parsing and applying the Policy file. The message that accompanies the 422 Response will usually provide more details about the error and the location of the problem in the Policy file.
To resolve this issue, you should review the Policy file and check for any errors or inconsistencies. You can use a YAML validator or a text editor with syntax highlighting to help you identify and correct any syntax errors. You can also use the Conjur Policy Simulator to test and debug your Policy file before loading it to Conjur. The Conjur Policy Simulator is a web-based tool that allows you to upload your Policy file and see how it will affect the Conjur data model, without actually loading it to Conjur. You can also use the Conjur Policy Simulator to compare different versions of your Policy file and see the changes and conflicts between them. For more information, refer to the following resources:
Policy - CyberArk, Section "Policy"
Policy Language - CyberArk, Section "Policy Language"
Conjur Policy Simulator - CyberArk, Section "Conjur Policy Simulator"
質問 # 37
What is a possible Conjur node role change?
- A. A Follower may be promoted to a Leader.
- B. A Leader may be demoted to a Standby in the event of a failover.
- C. A Standby may be promoted to a Follower.
- D. A Standby may be promoted to a Leader.
正解:D
解説:
Explanation
According to the CyberArk Sentry Secrets Manager documentation, Conjur is a secrets management solution that consists of a leader node and one or more follower nodes. The leader node is responsible for managing the secrets, policies, and audit records, while the follower nodes are read-only replicas that can serve secrets requests from applications. Additionally, Conjur supports a standby node, which is a special type of follower node that can be promoted to a leader node in case of a leader failure. A standby node is synchronized with the leader node and can take over its role in a disaster recovery scenario. A possible Conjur node role change is when a standby node is promoted to a leader node, either manually or automatically, using the auto-failover feature. A follower node cannot be promoted to a leader node, as it does not have the same data and functionality as the leader node. A standby node cannot be promoted to a follower node, as it already has the same capabilities as a follower node, plus the ability to become a leader node. A leader node cannot be demoted to a standby node in the event of a failover, as it would lose its data and functionality and would not be able to resume its role as a leader node. References: 1: Conjur Architecture 2: Deploying Conjur on AWS 3: Auto-failover
質問 # 38
While installing the first CP in an environment, errors that occurred when the environment was created are displayed; however, the installation procedure continued and finished successfully.
What should you do?
- A. Run setup.exe again and select 'Recreate Vault Environment'. Provide the details of a user with more privileges when prompted by the installer.
- B. Review the PV WA lags to determine which REST API call used during the installation failed.
- C. Review the lag file 'CreateEnv.loq' and investigate any error messages it contains.
- D. Continue configuring the application to use the CP. No further action is needed since the successful installation makes the error message benign.
正解:C
解説:
Explanation
B: Review the log file 'CreateEnv.log' and investigate any error messages it contains.
This is the best option because the CreateEnv.log file records the steps and results of creating the CP environment in the Vault during the installation. The CP environment includes the safe, the provider user, the application user, and the application identity. If any errors occurred when creating the CP environment, they will be logged in this file and may indicate a problem with the Vault connection, the credential file, the permissions, or the configuration. Reviewing the log file can help to identify and resolve the root cause of the errors and ensure the CP environment is properly set up.
Continuing configuring the application to use the CP without further action is not a good option because it may lead to unexpected or inconsistent behavior of the CP or the application. The errors that occurred when creating the CP environment may affect the security, availability, or integrity of the credentials or the application. Ignoring the errors may also make it harder to troubleshoot or fix them later.
Running setup.exe again and selecting 'Recreate Vault Environment' is not a good option because it may overwrite or delete the existing CP environment and cause more errors or conflicts. Recreating the Vault environment should only be done after reviewing the log file and understanding the cause of the errors.
Moreover, recreating the Vault environment may require more privileges than creating it for the first time, as some objects may be already in use or locked.
Reviewing the PVWA logs to determine which REST API call used during the installation failed is not a good option because it may not provide enough information or context to understand or resolve the errors. The PVWA logs may show the HTTP status codes or messages of the REST API calls, but they may not show the details or parameters of the calls or the responses. The PVWA logs may also contain other unrelated or irrelevant entries that may confuse or distract from the errors. The CreateEnv.log file is a more specific and reliable source of information for the errors that occurred when creating the CP environment.
質問 # 39
When using the Seed Fetcher to deploy Kubernetes Followers, an error occurs in the Seed Fetcher container.
You check the logs and discover that although the Seed Fetcher was able to authenticate, it shows a 500 error in the log and does not successfully retrieve a seed file. What is the cause?
- A. The synchronizer service crashed and needs to be restarted.
- B. The certificate based on the Follower DNS name is not present on the Leader.
- C. The host you configured does not have access to see the certificates.
- D. The Leader does not have the authenticator webservice enabled.
正解:B
解説:
Explanation
The cause of the issue is A. The certificate based on the Follower DNS name is not present on the Leader. This means that the Leader does not have a certificate file that matches the Follower DNS name used in the seed request, and therefore cannot generate a valid seed file for the Follower. This results in a 500 error in the Seed Fetcher container log. To resolve the issue, you need to import a certificate with the Follower DNS name as the subject alt name on the Leader, and create a copy of the certificate file with a name that matches the Follower DNS name used in the seed request1.
質問 # 40
A customer wants to minimize the Kubernetes application code developers must change to adopt Conjur for secrets access.
Which solutions can meet this requirement? (Choose two.)
- A. Secretless
- B. Application Server Credential Provider
- C. CPM Push-to-File
- D. Secrets Provider
- E. authn-Azure
正解:A、D
解説:
Explanation
Secrets Provider and Secretless are two solutions that can minimize the Kubernetes application code changes required to adopt Conjur for secrets access. Secrets Provider is a Kubernetes Job or Deployment that runs as an init container or application container alongside the application pod. It retrieves secrets from Conjur and writes them to one or more files in a shared, mounted volume. The application can then consume the secrets from the files without any code changes, as reading local files is a common and platform-agnostic method. Secretless is a sidecar proxy that runs as a separate container in the same pod as the application. It intercepts the application's requests to protected resources, such as databases or web services, and injects the secrets from Conjur into the requests. The application does not need to handle any secrets in its code, as Secretless handles the authentication and authorization for it. References: CyberArk Secrets Provider for Kubernetes, Secretless Broker
質問 # 41
Arrange the steps of a Conjur authentication flow in the correct sequence.
正解:
解説:
Explanation
References:
CyberArk Sentry Secrets Manager
documentation: https://docs.cyberark.com/Portal/Content/Resources/_TopNav/cc_Portal.htm CyberArk Sentry Secrets Manager course materials: https://training.cyberark.com/learn CyberArk whitepapers and technical resources: https://www.cyberark.com/resources/home/cyberark-secrets-manager The authentication flow begins with the requester presenting their credentials to Conjur. This can be in the form of a username and password, an API key, or another supported method.
Conjur verifies the presented credentials against its internal database. If the credentials are valid, Conjur generates and returns a short-lived access token to the requester.
The requester includes the access token with every subsequent request to access Conjur resources. This allows Conjur to identify the requester and authorize their access to specific secrets and functionalities based on configured policies.
Finally, each request is evaluated against the Conjur RBAC (Role-Based Access Control) rules defined in its policy. These rules determine which users and roles have access to specific resources and what actions they can perform. Only requests that comply with these rules are granted access.
質問 # 42
During the configuration of Conjur, what is a possible deployment scenario?
- A. The Conjur Leader cluster is deployed outside of a Kubernetes environment; Followers can run inside or outside the environment.
- B. The Conjur Leader cluster and Followers are deployed inside a Kubernetes environment.
- C. The Leader cluster is deployed outside a Kubernetes environment; Followers and Standbys can run inside or outside the environment.
- D. The Leader and Followers are deployed outside of a Kubernetes environment; Slandbys can run inside a Kubernetes environment.
正解:C
質問 # 43
......
合格できるCyberArk Secret-Sen試験情報と無料練習テスト:https://jp.fast2test.com/Secret-Sen-premium-file.html