1Z0-574 | The Improve Guide To 1Z0-574 exam

Q31. Which of the following interactions does not occur as part of a web-based single sign-on scenario? 

A. A gateway, deployed In the Web Server, intercepts requests destined for protected resource 

B. The user is prompted for login credentials when a protected resource is accessed and the user has not (recently) logged In. 

C. Credentials are passed to the application for validation. 

D. Authorization checks are optionally performed before the user is permitted access to the application. 

E. A cookie is returned, which is used to permit access to other protected resources in that domain 

Answer: C 

Explanation: The application does not handle the validation. 

Q32. Which of the following is not an objective or function of the WS-Trust standard? 

A. to enable applications to construct trusted SOAP message exchanges 

B. to synchronize Identities across security domains 

C. to exchange tokens in order to overcome differencesin supported technology between service consumers and service providers 

D. to exchange tokensin order to mapidentities supplied by service consumers with identities supported by service providers 

Answer: A 

Explanation: Oracle STS leverages the WS-Trust standard protocol to manage token exchange between the Web Service Client (WSC) and the Web Service Provider (WSP) (not C). WS-Trust provides a standard way to send security token requests to any Security Token Service (STS) (not D). This specification can be used to manage token transformation when crossing the various security boundaries of the information system (not B). 

Reference: Scalable Identity Propagation and Token Translation through Oracle Security Token 

Service, Oracle White Paper 

Q33. There are various network topologies that can be used when deploying the Service-Oriented Integration architecture. One deployment option includes three networks: production network, services network and maintenance network. Which statement best describes the uses of these three networks? 

A. The production networkisused for all production network traffic. The services networks is used to deploy and configure SOA Services. The maintenance network is used by the operations team to manage the infrastructure. 

B. The production network provides connectivity to applications and client access to the Mediation Layer. The services network provides connectivity between the Mediation Layer and the SOA Services. The maintenance network is used by the operations team to manage the infrastructure. 

C. The production network provides connectivity to applications and client access to the Mediation Layer- The services networks is used to deploy and configure SOA Services. The maintenance network is used by the operations team to manage the infrastructure. 

D. The production network is used for all production network traffic. The services network provides connectivity between the Mediation Layer and the SOA Services. The maintenance network is by the operations team to manage the infrastructure. 

E. The production network is used for all production network traffic. The services networks is used to deploy and configure SOA Services. The maintenance network is trusted network, providing administrator access to all hardware and software. 

Answer: B 

Explanation: Note: Mediation can be broadly defined as resolving the differences between two or more systems in order to integrate them seamlessly. A typical IT architecture has a variety of systems and components that are fundamentally different. A better alternative to embedding the mediation logic into each of these systems would be to provide the mediation capability in the SOA infrastructure. 

Reference: Oracle Reference Architecture, SOA Infrastructure, Release 3.0 

Q34. The Mediation Layer in the Logical View of the Service-Oriented Integration architecture provides several capabilities. Which of the following are capabilities provided by the Mediation Layer? 

A. enrichment - adding data elements to a data entity to give the entity increased Information 

B. routing - sending the client request to the appropriate provider (s) based on some criteria 

C. message transformation - converting the request message format to a different message form, appropriate for the provider 

D. choreography - defining the messages that flow back and forth between systems that are participating in a business process 

E. protocol mediation - converting a client request from one protocol to a different protocol used by provider 

Answer: B,C,E 

Explanation: The Mediation Layer provides loose coupling for the entire architecture. It decouples the layers of the architecture as well as decoupling external users of the layers from the specific layers in the architecture. The key capabilities in this layer include: 

* Routing - Routing provides the ability to send the client request to the appropriate provider based on some criteria. The routing may even include sending the client request to multiple providers. This capability facilitates location transparency, versioning, scalability, partitioning, request pipelining, SLA management, etc. 

* Protocol Mediation - Protocol mediation is the ability to handle a client request using one protocol (e.g. WS*, JMS, REST) with a provider using a different protocol. This provides protocol decoupling between the provider and the consumer. Message Transformation - Message transformation allows a client request using one message format to be handled by a provider that expects a different message format. This provides message format decoupling between the provider and the consumer. 

* Discovery - Discovery is the mechanism by which a client finds a provider of a particular SOA Service. Discovery can occur at design time or runtime. 

* Monitoring - Monitoring captures runtime information about the messages flowing through the mediation layer. Since the mediation layer is an intermediary for message traffic, it provides a centralized monitoring capability. 

* Policy Enforcement - Policy enforcement provides consistent application of policies (e.g. WS-SecurityPolicy) across all messages flowing through the mediation layer. Since the mediation layer is an intermediary for message traffic, it provides a centralized policy enforcement capability. 

Reference: Oracle Reference Architecture, Service-Oriented Integration, Release 3.0 

Q35. Data is often said to exist in one of three states: 

1. In motion – being transmitted over a network or connection 

2. At rest – persisted in a queue, disk, file, and so on 

3. In memory – loaded into computer memory 

The third state, in memory, is seldom mentioned in security standards, texts and requirements. Why? 

A. Computer memory has built-in parity checking which protects against malicious alteration 

B. No one has direct access to a computer’s memory, therefore it is the safest place to be. 

C. All modern computers (developed since the mid-90s) automatically store data in memory in encrypted from to help ensure confidentiality and integrity, because of this, more emphasis has been placed on raising the level of protection in the other two states. 

D. This state is often overlooked. Data in memory can easily be viewed by anyone with system administrator. 

Answer: D 

Explanation: In Memory - a term used here to describe data that is currently being processed and therefore exposed to any program, diagnostic tool, operating system command, virus, etc. that is able to access memory. 

Reference: Oracle Reference Architecture,Security, Release 3.1 

Q36. Conceptually, the ORA model of a "modern UI" defines which three layers from the following list? 

A. Unified User Interface layer provides the control and visual elements that define the interaction that the user has with the system. 

B. Integration layer provides connectors to simplify and standardize Interaction with back-end - terns. 

C. Device Management layer provides transformation and transcoding to support a wide variety of devices. 

D. Browser Mediation layer adapts output to conform to the standards and capabilities of each browser type. 

E. User Interface Services layer provides reusable functions specialized to the needs of the end 

F. Access and Incorporation layer provides the capability to Incorporate data and functionality from any number of back-end systems into the user interface. 

Answer: A,E,F 

Explanation: Note: 

A: The Unified User Interface layer provides the control and visual elements that define the interaction the user has with the system. This layer separates the way the user interacts with the system from the underlying functionality provided by the system. This has many advantages including allowing different display devices to be supported via control and visual elements specialized for the device since, for example, mobile devices do not have nearly the screen real estate of a desktop computer. 

E: The User Interface Services layer provides a set of functionality that can be used and reused in a variety of ways to deliver various user interfaces specialized to the needs of the end user. This illustrates that the underlying functionality is separated from the visual and control elements built into the user interface. The services provided by this layer may come from a variety of sources located anywhere that is network accessible. 

F: The Access and Incorporation layer provides the capability to incorporate data and functionality from any number of backend systems into the user interface. Generally, there are two types of backend systems that need be incorporated into the user interface: systems that are designed for use with user interface (e.g. LDAP, dedicated database) and systems that are not (e.g. legacy applications). The former type systems can be access directly by the user interface architecture. Ideally the latter type should be accessed via a robust integration architecture rather than relying on point-to-point integrations. This distinction is the reason that the term “incorporation” is used in this Conceptual View instead of the term “integration.” A suitable integration architecture is described in the ORA Service-Oriented Integration document. 

Reference: Oracle Reference Architecture, User Interaction, Release 3.0 

Q37. Which of the following statements best describes the ideal role of an application owner with respect to defining application security? 

A. The application owner must become knowledgeable about security risks, threats, classifications, and policies in order to define security requirements for his or her applications. The more on owner learns about security, the more secure his or her applications will become. 

B. The application owner should hire a security expert to define security requirements for his or herapplications, based on current Industry best practices. Actively implementing the latest trends will best ensure a secure application environment. 

C. The application owner should recommend adherence to common established practices for assessments, classifications, architecture, and policies that have been defined, and are actively maintained, by security experts across the organization. Deviations may be necessary, butapplication owners should strive to be consistent with best practices that have been adopted by the organization. 

D. The application owner, whenever possible, should elect to deploy applications into a public cloud computing environment. Doing so effectivelydelegatesresponsibility and accountability of concerns to another company. The owner doesn't need to be concerned with security as long as the cloud provider has been certified. 

Answer: C 

Explanation: Application ownership can have an effect on application security. Ownership, in this sense, refers to the person, department, or organization that has authority over the security protections and processes that are followed. Owners have a role in expressing policy. They may choose to set strict policies and follow best practices and reference architectures. Or, they may choose to be lax on security and/or set their own standards. Ideally, an enterprise-class security architecture and processes are developed by pooling industry best practices and ideas, and all applications follow a common strategy without being compromised by ownership issues. 

Reference: Oracle Reference Architecture,Security, Release 3.1 

Q38. How do you enable risk profiling on the Authentication Service? 

A. Risk profiling is a feature of Oracle Identity Manager (OIM). It can be performed on any collection of users, groups, and/or roles. Risk profiling is an available option for OIM 11g. An administrator must install the license and configure the set of identities to profile. 

B. Risk profiling is a standard feature of Oracle Access Manager (OAM). It is enabled by default, but configured to only profile administrative Identities. The OAM administrator can configure additional identities individually, or by group, or enable profiling on all users. 

C. Risk profiling is a feature of Oracle Adaptive Access Manager (OAAM), OAAM works in conjunction with OAM to provide value-add authentication features. OAAM will assess anomalies based on configurable rules, behavior, and risk analysis and will challenge users when risks ore detected. 

D. Risk profiling is a feature of Oracle Advanced Security. This comprehensive suite provides value-odd authentication and authorization capabilities including multi-factor authentication and rule-based authorization. OAS is a separately installed product that integrates with OAM, OIM, and Oracle Entitlements Server (OES). 

E. Risk profiling is a feature of Oracle Virtual Directory (OVD). It will assess risk based on login attempts, login devices, login locations, and so on, and take action based on configurable rules. Possible actions include denying access, terminating sessions, and raising alerts. Sample rules are provided out of the box, and additional rules can be added via the IVD administrative console. 

Answer: C 

Explanation: The Oracle Adaptive Access Manager (OAAM) is part of the Oracle Identity Management product suite that provides access control services to web and other online applications. 

The premise was simple in that the existing authentication technologies were unsatisfactory and easy to compromise. No authenticationtechnology can really provide its full and intended security benefits unless the computer and computer network are re-designed from the grounds up. Oracle Adaptive Access Manager has two components, the strong Authentication-agnostic security component and the application-agnostic Risk component. One simple example of the Strong Authentication component is that a User can choose a personalized keypad and use mouse clicks to enter password to prevent passwords being stolen with key loggers and being phished or pharmed. The Risk Component analyzes the authentication and transaction data for abnormalities and anomalies in real-time to prevent fraud and also in off-line mode to identify and detect internet fraud. 

Note: Oracle Access Manager (OAM) - OAM provides an identity management and access control system that is shared by all applications. It offers a centralized and automated single sign-on (SSO) solution for managing who has access to what information across IT infrastructure. Oracle Adaptive Access Manager (OAAM) - OAAM provides superior protection for businesses and their customers through strong yet easy-to-deploy multifactor authentication and proactive, real-time fraud prevention. Oracle Identity Manager (OIM) - OIM is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories; and improves regulatory compliance by providing granular reports that attest to who has access to what resources Oracle Virtual Directory (OVD) - OVD virtually aggregates identity information from multiple sources and presents a real-time unified view without storing or copying the identity data itself. 

Q39. What one the three primary concerns that developers following this architecture should strive to conform to? 

A. Personalization 

B. Modular development 

C. Internationalization 

D. Localization 

E. The Model View-Controller (MVC) pattern 

F. Federation 

Answer: B,E,F 

Explanation: The Development View of the architecture describes aspects of the architecture that are of interest to developers building assets that conform to and leverage the architecture. There are three primary concerns that developers following this architecture should strive to conform with: the model-view-controller (MVC) pattern, modular development, and federation. 

Reference: Oracle Reference Architecture, User Interaction, Release 3.0 

Q40. Which of the following are true statements about the benefits of standardizing on a common security framework? 

A. Security requirements no longer need to be specified for eachindividual application; the framework will automatically determine what security needs to be applied. 

B. A common set of security services and information can be used across the organization, promoting Infrastructure reuseand minimizing inconsistencies. 

C. Secure application integrationis made easier via standardization on a preferred subset of technologies and options. 

D. Administration and auditing are improved due to rationalization and standardization of identities, attributes, roles, policies, and so on. 

E. Interoperability amid federation are easier to achieve via the adoption of common security and technology standards. 

Answer: A,B,E 

Explanation: In order to provide security in a consistent manner, a common set of infrastructure, e.g. a security framework, must be used. The purpose of this framework is to rationalize security across the enterprise by: 

* Establishing a master set of security data that reflect the policies, IT resources, participants and their attributes across the entire domain of security 

* Mapping organizational structures, computing resources, and users to roles in a way that clearly depicts access privileges for the organization 

* Maintaining fine-grained access rules based on roles that have been established for the organization 

* Propagating the master security data to individual applications and systems that enforce security (A) 

* Detecting changes to security data residing on systems that have not been propagated from the master source of record, and sending alerts regarding these inconsistencies 

* Providing common security services, such as authentication, authorization, credential mapping, auditing, etc. that solutions can leverage going forward in place of custom-developed and proprietary functions (B) 

* Facilitating interoperability between systems and trust between security domains by acting as a trusted authority and brokering credentials as needed(E) 

* Centrally managing security policies for SOA Service interactions 

The security framework should provide these types of capabilities as a value-add to the existing infrastructure. The intent is not to discard the capabilities built into current applications, but rather to provide a common foundation that enhances security across the enterprise. Security enforcement can still be performed locally, but security data should be modeled and managed holistically. 

Incorrect: 

C: Not a main goal. 

D: Ease of administration and auditing is not a main goal here. 

Reference: Oracle Reference Architecture,Security, Release 3.1, 4.1.1 Purpose of a Security Framework