Exam2pass
0 items Sign In or Register
  • Home
  • IT Exams
  • Guarantee
  • FAQs
  • Reviews
  • Contact Us
  • Demo
Exam2pass > CyberArk > CyberArk Certifications > SECRET-SEN > SECRET-SEN Online Practice Questions and Answers

SECRET-SEN Online Practice Questions and Answers

Questions 4

What is a main advantage of using dual accounts in password management?

A. Since passwords are cached for both rotation accounts, it ensures the password for an application will not be changed, reducing the amount of blackout dates when a password expires.

B. It ensures passwords are rotated every 90 days, which respects the expected downtime for a system, database, or application

C. It ensures no delays are incurred when the application needs credentials because a password that is currently used by an application will never be changed

D. Since there are two active accounts, it doubles the probability that a system, database, or application will successfully authenticate.

Buy Now

Correct Answer: C

Dual accounts is a password management method that uses two accounts with identical privileges to access a system, database, or application. One account is active and the other is inactive at any given time. The active account remains untouched during password rotation, while the inactive account has its password changed after a grace period. This way, the application can always use the active account without experiencing any delays or errors due to password expiration or change. The advantage of using dual accounts is that it ensures business continuity and seamless access to the target resource, especially for high load and critical applications. References: Manage Dual Accounts, Configure dual accounts

Questions 5

You have a PowerShell script that is being used on 1000 workstations. It requires a Windows Domain credential that is currently hard coded in the script.

What is the simplest solution to remove that credential from the Script?

A. Modify the script to use the CLI SDK to fetch the secret at runtime using Credential Providers installed on each workstation.

B. Modify the script to make a SOAP call to retrieve the secret from the Central Credential Provider.

C. Modify the script to run on WebSphere using the Application Server Credential Provider to retrieve the secret.

D. Use Conjur Summon to invoke the script and inject the secret at run time.

Buy Now

Correct Answer: D

Conjur Summon is an open source utility that can fetch secrets from Conjur and export them as environment variables to a sub-process environment. This way, the secrets are not exposed or stored in the script, but are only available at run time. To use Conjur Summon, you need to install the summon-conjur provider on each workstation, define the secrets in a secrets.yml file, and wrap the PowerShell script in summon. For example, if the secret ID is win/domain/cred, the

secrets.yml file would look like this:

DOMAIN_CRED: !var win/domain/cred

And the summon command would look like this:

summon --provider summon-conjur powershell script.ps1 This will inject the secret value of win/domain/cred as an environment variable named DOMAIN_CRED to the PowerShell script. The script can then access the secret using the

$env:DOMAIN_CRED syntax.

References: Summon-inject secrets, cyberark/summon-conjur

Questions 6

Which statement is correct about this message?

Message: "[number-of-deleted-rows] rows has successfully deleted "CEADBR009D Finished vacuum"?

A. It notes the number of records deleted from the database and does not require any action.

B. The user specified for Conjur does not have the appropriate permissions to retrieve the audit database (audit .db).

C. When audit retention was performed, the query on the Ul audit database (audit.db) generated an error.

D. The Vault Conjur Synchronizer successfully deleted the password objects that were marked for deletion in the PVWA.

Buy Now

Correct Answer: A

This is the correct answer because the message indicates that the audit retention process has successfully completed and deleted the specified number of rows from the audit database (audit.db). The audit retention process is a scheduled task that runs periodically to delete old audit records from the audit database based on the retention period configured in the Conjur UI. The audit retention process also performs a vacuum operation to reclaim the disk space and optimize the database performance. The message does not require any action from the user, as it is a normal and expected outcome of the audit retention process. This answer is based on the CyberArk Secrets Manager documentation1 and the CyberArk Secrets Manager training course2. The other options are not correct statements about the message. The message does not imply that the user specified for Conjur does not have the appropriate permissions to retrieve the audit database, as the message is not an error or a warning, but a confirmation of the audit retention process. The user specified for Conjur is the user that is used to connect to the Conjur server and perform operations on the Conjur resources, such as roles, policies, secrets, and audit records. The user specified for Conjur needs to have the appropriate permissions to access the audit database, but the message does not indicate any problem with the user permissions. The message does not imply that when audit retention was performed, the query on the UI audit database generated an error, as the message is not an error or a warning, but a confirmation of the audit retention process. The query on the UI audit database is the query that is used to display the audit records in the Conjur UI. The query on the UI audit database is not related to the audit retention process, which is a background task that runs on the Conjur server and deletes the old audit records from the audit database. The message does not indicate any problem with the query on the UI audit database. The message does not imply that the Vault Conjur Synchronizer successfully deleted the password objects that were marked for deletion in the PVWA, as the message is not related to the Vault Conjur Synchronizer or the password objects. The Vault Conjur Synchronizer is a service that synchronizes secrets from the CyberArk Vault to the Conjur database. The password objects are the accounts in the CyberArk Vault that store the credentials for various platforms and devices. The message is related to the audit retention process, which deletes the old audit records from the audit database. The message does not indicate any problem or action with the Vault Conjur Synchronizer or the password objects.

Questions 7

Which statement is true for the Conjur Command Line Interface (CLI)?

A. It is supported on Windows, Red Hat Enterprise Linux, and macOS.

B. It can only be run from the Conjur Leader node.

C. It is required for working with the Conjur REST API.

D. It does not implement the Conjur REST API for managing Conjur resources.

Buy Now

Correct Answer: A

This is the correct answer because the Conjur CLI is a tool that allows users to interact with the Conjur REST API from the command line. The Conjur CLI can be run on Windows, Red Hat Enterprise Linux, and macOS operating systems, as well as in Docker containers. The Conjur CLI can be installed using various methods, such as downloading the executable file, using a package manager, or pulling the Docker image. The Conjur CLI supports Conjur Enterprise 12.9 or later versions. This answer is based on the CyberArk Secrets Manager documentation1 and the CyberArk Secrets Manager training course2. The other options are not true statements for the Conjur CLI. The Conjur CLI can be run from any machine that has network access to the Conjur server, not only from the Conjur Leader node. The Conjur Leader node is the node that performs read/write operations on the Conjur database and policy engine, and hosts the Conjur UI and API endpoints. The Conjur CLI is not required for working with the Conjur REST API, as users can also use other tools, such as curl, Postman, or web browsers, to send HTTP requests to the Conjur REST API. The Conjur CLI does implement the Conjur REST API for managing Conjur resources, such as roles, policies, secrets, and audit records. The Conjur CLI provides a set of commands that correspond to the Conjur REST API endpoints and allow users to perform various operations on the Conjur resources.

Questions 8

Which API endpoint can be used to discover secrets inside of Conjur?

A. Resources

B. Roles

C. Policies

D. WhoAmi

Buy Now

Correct Answer: A

Conjur is a secrets management solution that securely stores and manages secrets and credentials used by applications, DevOps tools, and other systems. Conjur provides a REST API that enables users to perform various operations on Conjur objects, such as secrets, policies, roles, and resources. The API endpoint for each Conjur object is composed of the base URL of the Conjur server, followed by the object type and identifier. For example, the API endpoint for a secret named db-password in the dev/my-app policy is: https:///secrets/dev/my-app/db-password To discover secrets inside of Conjur, the API endpoint that can be used is Resources. Resources are Conjur objects that have permissions and annotations associated with them, such as secrets, hosts, groups, and layers. The Resources API endpoint allows users to list, search, and filter resources based on various criteria, such as kind, owner, policy, and annotation. For example, the following API request will return a list of all secrets owned by the user alice: https:///resources?kind=variableandowner=user:alice The Resources API endpoint can help users to discover secrets inside of Conjur by providing information such as the name, ID, policy, owner, and annotations of each secret. Users can also use the Resources API endpoint to check the permissions and audit records of each secret, and to retrieve the secret value if they have the read permission. References: Conjur API; Resources API; Secrets API

Questions 9

In the event of a failover of the Vault server from the primary to the DR, which configuration option ensures that a CP will continue being able to refresh its cache?

A. Add the DR Vault IP address to the "Address" parameter in the file main_appprovider.conf. . found in the AppProviderConf safe.

B. Add the IP address of the DR vault to the "Address" parameter in the file Vault.ini.file on the machine on which the CP is installed.

C. In the Password Vault Web Access UI, add the IP address of the DR Vault in the Disaster Recovery section under Applications > Options.

D. In the Conjur UI, add the IP address of the DR Vault in the Disaster Recovery section under Cluster Config > Credential Provider > Options.

Buy Now

Correct Answer: B

This is the correct answer because the Vault.ini file on the CP machine contains the configuration settings for the CP to connect to the Vault server. The Address parameter specifies the IP address or hostname of the Vault server that the CP will use to communicate with the Vault. In the event of a failover of the Vault server from the primary to the DR, the CP needs to update the Address parameter with the IP address of the DR Vault server in order to continue being able to refresh its cache. The cache is a local storage of credentials that the CP retrieves from the Vault and provides to the applications. The cache is refreshed periodically based on the RefreshInterval parameter in the Vault.ini file. This answer is based on the CyberArk Secrets Manager documentation1 and the CyberArk Secrets Manager training course2. The other options are not correct because they do not ensure that the CP will continue being able to refresh its cache in the event of a failover of the Vault server from the primary to the DR. Adding the DR Vault IP address to the Address parameter in the main_appprovider.conf.. file in the AppProviderConf safe is not a valid option, as this file does not contain the Address parameter. The main_appprovider.conf file contains the configuration settings for the basic provider, such as the AppProviderVaultParmsFile, the AppProviderPort, and the AppProviderCacheMode. The Address parameter is only found in the Vault.ini file on the CP machine. In the Password Vault Web Access (PVWA) UI, adding the IP address of the DR Vault in the Disaster Recovery section under Applications > Options is not a valid option, as this section does not exist in the PVWA UI. The PVWA UI does not have a Disaster Recovery section under Applications > Options. The PVWA UI has a Disaster Recovery section under Administration > Options, but this section is used to configure the DR Vault settings, such as the DR Vault IP address, the DR Vault user, and the DR Vault password. These settings are not related to the CP configuration or cache refresh. In the Conjur UI, adding the IP address of the DR Vault in the Disaster Recovery section under Cluster Config > Credential Provider > Options is not a valid option, as this section does not exist in the Conjur UI. The Conjur UI does not have a Cluster Config, Credential Provider, or Options section. The Conjur UI has a Cluster Config section under Settings, but this section is used to configure the Conjur cluster settings, such as the master IP address, the follower IP address, and the seed fetcher IP address. These settings are not related to the CP configuration or cache refresh.

Questions 10

While retrieving a secret through REST, the secret retrieval fails to find a matching secret. You know the secret onboarding process was completed, the secret is in the expected safe with the expected object name, and the CCP is able to provide secrets to other applications.

What is the most likely cause for this issue?

A. The application ID or Application Provider does not have the correct permissions on the safe.

B. The client certificate fingerprint is not trusted.

C. The service account running the application does not have the correct permissions on the safe.

D. The OS user does not have the correct permissions on the safe

Buy Now

Correct Answer: A

The most likely cause for this issue is A. The application ID or Application Provider does not have the correct permissions on the safe. The CyberArk Central Credential Provider (CCP) is a web service that enables applications to retrieve secrets from the CyberArk Vault using REST API calls. The CCP requires an application ID or an Application Provider to authenticate and authorize the application before returning the requested secret. The application ID or Application Provider must have the Retrieve and List permissions on the safe where the secret is stored, otherwise the CCP will not be able to find the matching secret and will return an error. To resolve this issue, you should verify that the application ID or Application Provider has the correct permissions on the safe, and that the safe name and object name are correctly specified in the REST API call. You can use the CyberArk Privileged Access Security Web Access (PVWA) or the PrivateArk Client to check and modify the permissions on the safe. You can also use the CyberArk REST API Tester or a tool like Postman to test the REST API call and see the response from the CCP. For more information, refer to the following resources: Credential Providers - Centralized Credential Management | CyberArk, Section "Central Credential Provider" Credential Provider - CyberArk, Section "Using the Credential Provider" How to Build Your Secrets Management REST API's into Postman, Section "How to Build Your Secrets Management REST API's into Postman"

Questions 11

Refer to the exhibit.

In which example will auto-failover occur?

A. Option A

B. Option B

C. Option C

D. Option D

Buy Now

Correct Answer: C

According to the CyberArk Sentry Secrets Manager documentation, auto- failover is a feature that enables the automatic promotion of a standby node to a leader node in case of a leader failure. Auto-failover requires a quorum, which is a majority of nodes in the cluster that are available and synchronized. A quorum ensures that only one node can be promoted to a leader at a time and prevents split-brain scenarios. In the exhibit, each option shows a network diagram of a load balancer and four nodes, one of which is crossed out with a red X, indicating a leader failure. The text below each diagram indicates whether there is a quorum or not. Option C is the only example where auto- failover will occur, because there is a quorum of three out of four nodes, and one of the standby nodes can be promoted to a leader. Option A will not have auto-failover, because there is no quorum, as only two out of four nodes are available. Option B will not have autofailover, because there is no quorum, as only one out of four nodes is available. Option D will not have auto-failover, because there is no quorum, as none of the nodes are available. References:

1: Auto-failover

2: Configure auto-failover

Questions 12

DRAG DROP

Match each cloud platform to the correct Conjur authenticator.

Select and Place:

Buy Now

Correct Answer:

AWS -> authn-iam Azure -> authn-azure GCP -> authn-gcp JWT Provider -> authn-jwt Conjur supports different authenticators for different cloud platforms. Each authenticator allows a resource or service running on the cloud platform to authenticate to Conjur using a unique identity token signed by the cloud provider. The following are the descriptions of each authenticator: authn-iam: Enables an AWS resource to use its AWS IAM role to authenticate with Conjur. The resource sends a request to the AWS Security Token Service (STS) to get a signed AWS access token, and then sends the token to Conjur for verification. authn-azure: Enables an Azure resource to authenticate with Conjur. The resource sends a request to the Azure Instance Metadata Service (IMDS) to get a signed Azure access token, and then sends the token to Conjur for verification. authn-gcp: Enables a Google Cloud Platform resource to authenticate with Conjur. The resource sends a request to the Google Cloud Identity and Access Management (IAM) service to get a signed Google identity token, and then sends the token to Conjur for verification. authn-jwt: Enables an application to authenticate to Conjur using a JWT from a JWT Provider. The application obtains a JWT from the JWT Provider, and then sends the JWT to Conjur for verification. References: You can find more information about the Conjur authenticators in the following resources: Supported Conjur Cloud authenticators Configure Conjur Cloud authenticators GCP Authenticator

Questions 13

DRAG DROP

Findings were obtained after cataloging pending Secrets Manager use cases.

Arrange the findings in the correct order for prioritization.

Select and Place:

Buy Now

Correct Answer:

The correct order for prioritization of the findings is as follows: A new vulnerability scanner project is nearing completion and is expected to go into production soon. This scanner is owned by the Security Team that owns CyberArk. This finding should be prioritized first because it has the highest urgency, feasibility, and alignment with the Security Team's goals. The vulnerability scanner is a critical security tool that needs to protect its credentials from unauthorized access. The Security Team can leverage their own expertise and authority to implement the Secrets Manager solution for this project without much delay or dependency. A large, high performance application under PCI DSS regulation will require many CPs. This will require a license purchase. The procurement process can take 6-12 months. The development team is eager to work with Security on this project. This finding should be prioritized second because it has a high impact, compliance requirement, and stakeholder support. The application handles sensitive payment card data that needs to be secured by the Secrets Manager solution. The development team is willing to collaborate with the Security Team on this project and can help with the technical aspects of the implementation. However, this finding also has a high cost and a long lead time due to the license purchase and the procurement process. A small, internally developed application under HIPPA regulation needs updates to the application code to retrieve secrets from a Secrets Manager solution. The development team stated they cannot accommodate this work before next quarter. This finding should be prioritized third because it has a moderate impact, compliance requirement, and feasibility. The application handles protected health information that needs to be secured by the Secrets Manager solution. The development team is aware of the need to update the application code to integrate with the Secrets Manager solution, but they have other priorities and constraints that prevent them from doing so in the near term.

Here's the reasoning behind this order:

1.

New vulnerability scanner project:

This project directly impacts CyberArk's Security Team, making it a high priority due to potential internal security concerns. Additionally, its near-completion state suggests a quicker implementation timeframe.

2.

Large application under PCI DSS:

While this application requires significant resources and time investment due to license purchase and development, its high performance and PCI DSS regulation compliance mandate prioritization. Delaying this project could potentially lead to

security vulnerabilities and compliance issues.

3.

Small application under HIPAA:

Although HIPAA regulation necessitates compliance, the application's size and development team's delay request suggest a lower priority compared to the previous two projects. However, it should still be addressed within the next quarter as

mandated by the development team.

Exam Code: SECRET-SEN
Exam Name: CyberArk Sentry - Secrets Manager
Last Update: Jul 05, 2026
Questions: 60

PDF (Q&A)

$45.99
ADD TO CART

VCE

$49.99
ADD TO CART

PDF + VCE

$59.99
ADD TO CART

Exam2Pass----The Most Reliable Exam Preparation Assistance

There are tens of thousands of certification exam dumps provided on the internet. And how to choose the most reliable one among them is the first problem one certification candidate should face. Exam2Pass provide a shot cut to pass the exam and get the certification. If you need help on any questions or any Exam2Pass exam PDF and VCE simulators, customer support team is ready to help at any time when required.

Home | Guarantee & Policy |  Privacy & Policy |  Terms & Conditions |  How to buy |  FAQs |  About Us |  Contact Us |  Demo |  Reviews

2026 Copyright @ exam2pass.com All trademarks are the property of their respective vendors. We are not associated with any of them.