Arcitura Education S90.20 Exam - Topic 1 Question 7 Discussion

Actual exam question for Arcitura Education's S90.20 exam

Question #: 7
Topic #: 1

Services A, B and C belong to Service Inventory A .Services D, E and F belong to Service Inventory B .Service C acts as an authentication broker for Service Inventory A .Service F acts as an authentication broker for Service Inventory B .Both of the authentication brokers use Kerberos-based authentication technologies. Upon receiving a request message from a service consumer, Services C and F authenticate the request using a local identity store and then use a separate Ticket Granting Service (not shown) to issue the Kerberos ticket to the service consumer. Currently, tickets issued in one service inventory are not valid in the other. For example, if Service A wants to communicate with Services D or E, it must request a ticket from the Service Inventory B authentication broker (Service F). Because Service Inventory A and B trust each other, the current cross-inventory authentication is considered unnecessarily redundant. How can these service inventory architectures be improved to avoid redundant authentication?

ACreate a single, enterprise-wide service inventory by merging Service Inventories A and B .Instead of the current Kerberos-based brokered authentication, the merged service inventory can use X.509 digital certificates to remove the burden from the local authentication brokers. Designate either Service C or Service F as the central authentication service with the responsibility to validate service consumer X.509 digital certificates. After successful validation, the authentication service can issue a signed SAML token to be used within the entire service inventory.

BThe same Kerberos tickets can be used across both service inventories by updating the security policies of the services that require Kerberos tickets. Because each authentication broker issues Kerberos tickets, the only difference between these tickets is the identity of the issuer. For-example, because services in Service Inventory A already accept Kerberos tickets issued by Service C, Service F just needs to be included in the security policies of these services. Similarly, services in Service Inventory B that accept Kerberos tickets issued by Service F need to include the acceptance of Kerberos tickets issued by Service C in their security policies.

CA trust relationship needs to be established between the two authentication brokers. This trust relationship can enable the authentication brokers to accept Kerberos tickets issued by each other.

DReplace Services C and F with a single authentication broker so that one single token can be used with services across both service inventories. This can be achieved by merging the content of the two identity stores.

Show Suggested Answer

Suggested Answer: C

by Lenna at May 05, 2022, 04:10 AM

Limited Time Offer

25%

5 months ago

Ah, this is a good one. I remember learning about this in class. I'm pretty confident the answer is B - using the ManagedExecutors utility class to define the execution properties.

upvoted 0 times

...