Most Recent Arcitura Education S90.20 Exam Dumps

Prepare for the Arcitura Education SOA Security Lab exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Arcitura Education S90.20 exam and achieve success.

The questions for S90.20 were last updated on Mar 2, 2026.

Viewing page 1 out of 6 pages.
Viewing questions 1-5 out of 30 questions

Get All 30 Questions & Answers

Question No. 1

Service Consumer A submits a request message with security credentials to Service A (1). The identity store that Service A needs to use in order to authenticate the security credentials can only be accessed via a legacy system that resides in a different service inventory. Therefore, to authenticate Service Consumer A, Service A must first forward the security credentials to the legacy system (2). The legacy system then returns the requested identity to Service A (3). Service A authenticates Service Consumer A against the identity received from the legacy system. If the authentication is successful, Service A retrieves the requested data from Database A (4), and returns the data in a response message sent back to Service Consumer A (5). Service A belongs to Service Inventory A which further belongs to Security Domain A and the legacy system belongs to Service Inventory B which further belongs to Security Domain B .(The legacy system is encapsulated by other services within Service Inventory B, which are not shown in the diagram.) These two security domains trust each other. Communication between Service A and the legacy system is kept confidential using transport-layer security. No intermediary service agents currently exist between the two service inventories. However, it has been announced that due to the introduction of new systems, some intermediary service agents may be implemented in the near future. Additionally, the legacy system has been scheduled for retirement and will be replaced by a new identity management system that will provide a new identity store. Because the new identity store will need to serve many different systems, there are concerns that it could become a performance bottleneck. As a result, services (including Service A and other services in Security Domains A and B) will not be allowed to directly access the new identity store. Which of the following statements describes a solution that can accommodate the requirements of the new identity store, the authentication requirements of Service A, and can further ensure that message exchanges between Security Domains A and B remain confidential after intermediary service agents are introduced?

AApply the Trusted Subsystem pattern to implement a utility service abstracting the new identity management system. Service A forwards Service Consumer As credentials to the utility service to verify Service Consumer As identity. The utility service authenticates the request originating from Service A .After successful authentication, the utility service uses its own credentials to retrieve the requested identity, and then send the identity to Service A, Therefore, effectively reducing the processing need of the identity management system. The current transport-layer security can still be used, in order to secure the communication between Service A and the new utility service, as it more efficient than the message-layer security.

BApply the Trusted Subsystem pattern by abstracting away the new identity management system using a utility service that authenticates the request from Service A and then uses its own credentials to retrieve the requested identity from the new identity management system. For the utility service to authenticate Service As request, it needs to be provisioned with a new identity database that contains identities for all authorized service consumers of the new utility service. In order to secure the communication between Service A and the new utility service, use message-layer security as it provides security over multiple hops considering the need to secure the message in case an intermediary is introduced in future.

CReplicate the identity database used by the new identity management system. Because the Security Domains A and B trust each other, protection of the identity store is guaranteed. Use Service Agents to monitor changes to the identity database used by the new identity management system and to update the replica. This would satisfy the security needs of Service A, would eliminate the need to request services from Service Inventory B, and ensure that current identity information is available for Service A .Because Service A would not need to access services across different trust domains, the current transport-layer security is sufficient.

DApply the Brokered Authentication pattern to establish an authentication broker. Instead of Service A directly authenticating-Service Consumer A, Service Consumer A submits a request message with security credentials to the authentication broker, which authenticates Service Consumer A against the new identity store and then issues a SAML token to Service Consumer A that it can use for message exchanges with other services, if necessary. In order to secure cross-service inventory message exchanges, the Data Confidentiality pattern is applied to establish message-layer security.

Show Answer

Correct Answer: D

Question No. 2

Service Consumer A sends a request message to Service A (1) after which Service A retrieves financial data from Database A (2). Service A then sends a request message with the retrieved data to Service B (3). Service B exchanges messages with Service C (4) and Service D (5), which perform a series of calculations on the data and return the results to Service A .Service A uses these results to update Database A (7) and finally sends a response message to Service Consumer A (8). Component B has direct, independent access to Database A and is fully trusted by Database A .Both Component B and Database A reside within Organization A .Service Consumer A and Services A, B, C, and D are external to the organizational boundary of Organization A .

Component B is considered a mission critical program that requires guaranteed access to and fast response from Database A .Service A was recently the victim of a denial of service attack, which resulted in Database A becoming unavailable for extended periods of time (which further compromised Component B). Additionally, Services B, C, and D have repeatedly been victims of malicious intermediary attacks, which have further destabilized the performance of Service A .How can this architecture be improved to prevent these attacks?

AA utility service is created to encapsulate Database A and to assume responsibility for authenticating all access to the database by Service A and any other service consumers. Due to the mission critical requirements of Component B, the utility service further contains logic that strictly limits the amount of concurrent requests made to Database A from outside the organizational boundary. The Data Confidentiality and Data Origin Authentication patterns are applied to all message exchanged within the external service composition in order to establish message-layer security.

BService Consumer A generates a private/public key pair and sends this public key and identity information to Service A .Service A generates its own private/public key pair and sends it back to Service Consumer A .Service Consumer A uses the public key of Service A to encrypt a randomly generated session key and then sign the encrypted session key with the private key. The encrypted, signed session key is sent to Service A .Now, this session key can be used for secure message-layer communication between Service Consumer A and Service A .The Service Perimeter Guard pattern is applied to establish a perimeter service that encapsulates Database A in order to authenticate all external access requests.

CServices B, C, and D randomly generate Session Key K, and use this key to encrypt request and response messages with symmetric encryption. Session Key K is further encrypted itself asymmetrically. When each service acts as a service consumer by invoking another service, it decrypts the encrypted Session Key K and the invoked service uses the key to decrypt the encrypted response. Database A is replicated so that only the replicated version of the database can be accessed by Service A and other external service consumers.

DThe Direct Authentication pattern is applied so that when Service Consumer A submits security credentials, Service A will be able to evaluate the credentials in order to authenticate the request message. If the request message is permitted, Service A invokes the other services and accesses Database A .Database A is replicated so that only the replicated version of the database can be accessed by Service A and other external service consumers.

Show Answer

Correct Answer: A

Question No. 3

Service A exchanges messages with Service B multiple times during the same runtime service activity. Communication between Services A and B has been secured using transport-layer security. With each service request message sent to Service B (1A .IB), Service A includes an X.509 certificate, signed by an external Certificate Authority (CA). Service B validates the certificate by retrieving the public key of the CA (2A .2B) and verifying the digital signature of the X.509 certificate. Service B then performs a certificate revocation check against a separate external CA repository (3A, 3B). No intermediary service agents reside between Service A and Service B .Service B has recently suffered from poor runtime performance plus it has been the victim of an access-oriented attack. As a result, its security architecture must be changed to fulfill the following new requirements:

1. The performance of security-related processing carried out by Service B when communicating with Service A must be improved.

2. All request messages sent from Service A to Service B must be screened to ensure that they do not contain malicious content. Which of the following statements describes a solution that fulfills these requirements?

AEliminate the need to retrieve the public key from the Certificate Authority and to verify the certificate revocation information by extending the service contract of Service B to accept certificates only from pre-registered Certificate Authorities. This form of pre-registration ensures that Service B has the public key of the corresponding Certificate Authority.

BAdd a service agent to screen messages sent from Service A to Service B .The service agent can reject any message containing malicious content so that only verified messages are passed through to Service B .Instead of using X.509 certificates, use WS-Secure Conversation sessions. Service A can request a Security Context Token (SCT) from a Security Token Service and use the derived keys from the session key to secure communication with Service B .Service B retrieves the session key from the Security Token Service.

CApply the Trusted Subsystem pattern by introducing a new utility service between Service A and Service B .When Service A sends request messages, the utility service verifies the provided credentials and creates a customized security profile for Service A .The security profile contains authentication and access control statements that are then inherited by all subsequent request messages issued by Service A .As a result, performance is improved because Service A does not need to resubmit any additional credentials during subsequent message exchanged as part of the same runtime service activity. Furthermore, the utility service performs message screening logic to filter out malicious content.

DApply the Trusted Subsystem pattern to by introducing a new utility service. Because Service B is required to limit the use of external resources. Service A must ensure that no other services can request processing from Service B in order to prevent malicious content from infiltrating messages. This is achieved by creating a dedicated replica of Service B to be used by the utility service only. Upon receiving the request message and the accompanying security credentials from Service A .the utility service verifies the authentication information and the validity of the X.509 signature. If the authentication information is correct, then the utility service replicates the code of Service B, performs the necessary processing, and returns the response to Service A .

Show Answer

Correct Answer: B

Question No. 4

Service A provides a data retrieval capability that can be used by a range of service consumers, including Service Consumer A .In order to retrieve the necessary data, Service Consumer A first sends a request message to Service A (1). Service A then exchanges request and response messages with Service B (2, 3), Service C (4, 5), and Service D (6. 7). After receiving all three response messages from Services B .C .and D, Service A assembles the collected data into a response message that it returns to Service Consumer A (8). The owner of Service A charges service consumers for each usage of the data retrieval capability. Recently, the owner of Service Consumer A has complained that the data returned by Service A is incorrect, incomplete, and from invalid sources. As evidence, the Service Consumer A owner has presented the owner of Service A with sample messages containing the incorrect and incomplete contents. As a result, the Service Consumer A owner has refused to pay the usage fees. Subsequent to an internal investigation, the owner of Service A determines that the data returned by Service A is consistently correct and complete. There are suspicions that the Service Consumer A owner is altering the original messages and issuing these complaints fraudulently in order to avoid paying the usage fees. How can the owner of Service A prove that Service A is returning correct and complete data and that this data originated from the correct sources?

AApply the Data Origin Authentication and the Data Confidentiality patterns to ensure that request and response messagesexchanged between Service A and Services B .C, and D are digitally signed and encrypted. This guarantees message integrity and confidentiality.

BApply the Data Origin Authentication pattern to verily that request and response messages exchanged by Service Consumer A and Service A and exchanged by Service A and Services B, C, and D originated from the claimed sources and have not been altered prior to transmission. Also, enhance the Service A architecture so that all messages sent to its service consumers are logged.

CApply the Brokered Authentication pattern to send the security credentials of Service Consumer A to Services B, C, and D.Service A can carry out the brokered authentication logic and therefore act as the intermediary security broker. Upon receiving Service Consumer A's request message, Service A can further verify the credentials against an external certificate authority, if the request is authenticated. Service A can create a signed SAML assertion containing Service Consumer A's credentials and the authorization information. Service A then forwards the original request message and the signed SAML assertion to Services B,C, and D .

DThe service contract of Service A can be extended with an ignorable WS-Policy assertion that states that all request and response messages are logged by Service A and that false complaints will be prosecuted.

Show Answer

Correct Answer: B

Question No. 5

Services A, B, and C reside in Service Inventory A and Services D, E, and F reside in Service Inventory B .Service B is an authentication broker that issues WS-Trust based SAML tokens to Services A and C upon receiving security credentials from Services A and C .Service E is an authentication broker that issues WS-Trust based SAML tokens to Services D and F upon receiving security credentials from Services D and E .Service B uses the Service Inventory A identify store to validate the security credentials of Services A and C .Service E uses the Service Inventory B identity store to validate the security credentials of Services D and F .It is decided to use Service E as the sole authentication broker for all services in Service Inventories A and B .Service B is kept as a secondary authentication broker for load balancing purposes. Specifically, it is to be used for situations where authentication requests are expected to be extra time consuming in order to limit the performance burden on Service E .Even though Service B has all the necessary functionality to fulfill this new responsibility, only Service E can issue SAML tokens to other services. How can these architectures be modified to support these new requirements?

AWhen time consuming authentication requests are identified, Service E can forward them to Service B .Upon performing the authentication, Service B sends its own signed SAML token to Service E .Because Service E trusts Service B .it can use the Service B-specific SAML token to issue an official SAML token that is then sent to the original service consumer (that requested authentication) and further used by other services.

BTo provide load balancing, a service agent needs to be implemented to intercept all incoming requests to Service E .The-service agent uses a random distribution of the authentication requests between Service B and Service E .Because the request messages are distributed in a random manner, the load between the two authentication brokers is balanced.

CBecause both Service B and Service E issue SAML tokens, these tokens are interchangeable. In order for both services to-receive the same amount of authentication requests, a shared key needs to be provided to them for signing the SAML tokens. By signing the SAML tokens with the same key, the SAML tokens generated by Service B cannot be distinguished from the SAML tokens generated by Service E .

DBecause the federation requirements ask for SAML tokens generated by Service E, Service B cannot function as an-authentication broker. To address the load balancing requirement, a new utility service needs to be introduced to provide functionality that is redundant with Service E .This essentially establishes a secondary authentication broker to which Service E can defer time-consuming authentication tasks at runtime.

Show Answer

Correct Answer: B

Unlock All Questions for Arcitura Education S90.20 Exam

Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits

Get All 30 Questions & Answers