HashiCorp HashiCorp Certifications VA-002-P Questions & Answers

• Question 121:

  Which TCP port does Vault replication use?

  A. 8200

  B. 8201

  C. 8300

  D. 8301

  Correct Answer: B

  Check below link for details:- https://learn.hashicorp.com/vault/operations/ops-reference- architecture

• Question 122:

  In a Consul cluster, participating nodes can be only one of two types. Select the valid types. (select two)

  A. follower

  B. secondary

  C. active

  D. primary

  E. leader

  F. passive

  Correct Answer: AE

  Within each datacenter, we have a mixture of clients and servers. It is expected that there be between three to five servers. This strikes a balance between availability in the case of failure and performance, as consensus gets progressively slower as more machines are added. However, there is no limit to the number of clients, and they can easily scale into the thousands or tens of thousands. Server or Leader - It indicates whether the agent is running in server or client mode. Server nodes participate in the consensus quorum, storing cluster state, and handling queries. At any given time, the peer set elects a single node to be the leader. The leader is responsible for ingesting new log entries, replicating to followers, and managing when an entry is considered committed. Client or Follower - Client nodes make up the majority of the cluster, and they are very lightweight as they interface with the server nodes for most operations and maintain a very little state of their own. Reference link:- https://www.consul.io/docs/internals/ architecture.html

• Question 123:

  What does the following API request return?

  1.

  $ curl \

  2.

  --header "X-Vault-Token: ..." \

  3.

  --request POST \

  4.

  --data @payload.json \

  5.

  http://127.0.0.1:8200/v1/sys/tools/random/164

  A. a random string of 164 characters

  B. a random token valid for 164 uses

  C. None

  D. a secured secret based on 164 bytes of data

  Correct Answer: A

  This endpoint returns high-quality random bytes of the specified length.

• Question 124:

  Which of the following is not an activity associated with the Vault transit secrets engine?

  A. encrypt

  B. decrypt

  C. update

  D. rewrap

  Correct Answer: C

  Since Vault does not store any data, hence Vault transit secrets engine does not support update activity.

• Question 125:

  You want to encrypt a credit card number using the transit secrets engine. You enter the following command and receive an error. What can you do to ensure that the credit card number is properly encrypted and the ciphertext is returned?

  1.

  $ vault write -format=json transit/encrypt/creditcards plaintext="1234 5678 9101 1121"

  2.

  Error writing data to transit/encrypt/orders: Error making API request.

  3.

  4.

  URL: PUT http://10.25.16.165:8200/v1/transit/encrypt/creditcards

  5.

  Code: 400. Errors:

  6.

  7.

  * illegal base64 data at input byte 4

  A. credit card numbers are not supported using the transit secrets engine since it is considered sensitive data

  B. the token used to issue the encryption request does not have the appropriate permissions

  C. the plain text data needs to be encoded to base64

  D. the credit card number should not include spaces

  Correct Answer: C

  When you send data to Vault for encryption, it must be in the form of base64-encoded plaintext for safe transport.

• Question 126:

  You've deployed Vault in your production environment and are curious to understand metrics on your Vault cluster, such as the number of writes to the backend, the status of WALs, and the seal status. What feature would you configure in order to view these metrics?

  A. audit device

  B. telemetry

  C. nothing to configure, these are available in the Vault log found on the OS

  D. enable logs for each individual secrets engines

  Correct Answer: B

  The Vault server process collects various runtime metrics about the performance of different libraries and subsystems. These metrics are aggregated on a ten-second interval and are retained for one minute. This telemetry information can be used for debugging or otherwise getting a better view of what Vault is doing. Telemetry information can be streamed directly from Vault to a range of metrics aggregation solutions as described in the telemetry Stanza documentation. Reference link:- https://www.vaultproject.io/docs/ internals/telemetry

• Question 127:

  What are the primary benefits of running Vault in a production deployment over dev server mode? (select two)

  A. ability to enable auth methods

  B. persistent storage

  C. encryption via TLS

  D. faster deployment

  E. access to all of the secret engines

  Correct Answer: BC

  Dev server mode stores its data in memory, therefore if the Vault service is shut down, any data stored will be lost. Additionally, dev server mode does not use TLS, and all data is sent in cleartext.

• Question 128:

  Your organization is running Vault open source and has decided it wants to use the Identity secrets engine. You log into Vault but are unable to find it in the list to enable. What gives?

  

  A. because you are running open-source and the identity secrets engine is an Enterprise feature, it is not available to enable.

  B. the identity secrets engine was deprecated in previous versions

  C. this secrets engine will be mounted by default.

  D. the policy attached to your user doesn't allow access to the Identity secrets engine.

  Correct Answer: C

  The Identity secrets engine is the identity management solution for Vault. It internally maintains the clients who are recognized by Vault. This secrets engine will be mounted by default. This secrets engine cannot be disabled or moved. Reference link:- https://www.vaultproject.io/docs/secrets/identity

• Question 129:

  What system endpoint can you query to determine which node is the leader of a cluster?

  A. /sys/tools

  B. /sys/leader

  C. /sys/health

  D. /sys/init

  Correct Answer: B

  The /sys/leader endpoint is used to check the current leader of Vault as well as high availability status.

• Question 130:

  An application requires a specific key/value to be updated in order to process a batch job. The value should be either "true" or "false". However, when developers have been updating the value, sometimes they mistype the value or capitalize on the value, causing the batch job not to run. What feature of a Vault policy can be used in order to restrict the entry to the required values?

  A. added an allowed_parameters value to the policy

  B. use a * wildcard at the end of the policy

  C. change the policy to include the list capability

  D. add a deny statement for all possible misspellings of the value

  Correct Answer: A

  allowed_parameters - Whitelists a list of keys and values that are permitted on the given path. Setting a parameter with a value of the empty list allows the parameter to contain any value. Reference link:- https:// www.vaultproject.io/docs/concepts/policies