Question 71:
What is a best practice when building System APIs?
A. Document the API using an easily consumable asset like a RAML definition
B. Model all API resources and methods to closely mimic the operations of the backend system
C. Build an Enterprise Data Model (Canonical Data Model) for each backend system and apply it to System APIs
D. Expose to API clients all technical details of the API implementation's interaction with the backend system
Correct Answer: B
Model all API resources and methods to closely mimic the operations of the backend system.
*****************************************
>> There are NO fixed, straightforward best practices for choosing data models for APIs. The choice is completely contextual and depends on a number of factors. Based on those factors, an enterprise can choose whether to go with an Enterprise Canonical Data Model, a Bounded Context Model, etc.
>> One should NEVER expose the technical details of the API implementation to API clients. Only the API interface/RAML is exposed to API clients.
>> It is true that the RAML definitions of APIs should be as detailed as possible and should reflect most of the documentation. However, that alone is NOT enough to call an API well documented. There should be even more documentation on Anypoint Exchange, with API Notebooks etc., to create a developer-friendly API and repository.
>> The best practice when creating System APIs is always to create their API interfaces by modeling their resources and methods to closely reflect the operations and functionalities of the backend system.
Question 72:
What Anypoint Platform Capabilities listed below fall under APIs and API Invocations/Consumers category? Select TWO.
A. API Operations and Management
B. API Runtime Execution and Hosting
C. API Consumer Engagement
D. API Design and Development
Correct Answer: D
API Design and Development and API Runtime Execution and Hosting
*****************************************
>> API Design and Development - Anypoint Studio, Anypoint Design Center, Anypoint Connectors
>> API Runtime Execution and Hosting - Mule Runtimes, CloudHub, Runtime Services
>> API Operations and Management - Anypoint API Manager, Anypoint Exchange
>> API Consumer Management - API Contracts, Public Portals, Anypoint Exchange, API Notebooks
Correct Answers: API Operations and Management and API Consumer Engagement
Question 73:
An organization has several APIs that accept JSON data over HTTP POST. The APIs are all publicly available and are associated with several mobile applications and web applications.
The organization does NOT want to use any authentication or compliance policies for these APIs, but at the same time, is worried that some bad actor could send payloads that could somehow compromise the applications or servers running the API implementations.
What out-of-the-box Anypoint Platform policy can address exposure to this threat?
A. Shut out bad actors by using HTTPS mutual authentication for all API invocations
B. Apply an IP blacklist policy to all APIs; the blacklist will include all bad actors
C. Apply a Header injection and removal policy that detects the malicious data before it is used
D. Apply a JSON threat protection policy to all APIs to detect potential threat vectors
Correct Answer: D
Apply a JSON threat protection policy to all APIs to detect potential threat vectors
*****************************************
>> Usually, if the APIs are designed and developed for specific consumers (known consumers/customers) then we would IP Whitelist the same to ensure that traffic only comes from them.
>> However, as this scenario states that the APIs are publicly available and being used by so many mobile and web applications, it is NOT possible to identify and blacklist all possible bad actors.
>> So, JSON threat protection policy is the best chance to prevent any bad JSON payloads from such bad actors.
Question 74:
What is a key requirement when using an external Identity Provider for Client Management in Anypoint Platform?
A. Single sign-on is required to sign in to Anypoint Platform
B. The application network must include System APIs that interact with the Identity Provider
C. To invoke OAuth 2.0-protected APIs managed by Anypoint Platform, API clients must submit access tokens issued by that same Identity Provider
D. APIs managed by Anypoint Platform must be protected by SAML 2.0 policies
Correct Answer: C
https://www.folkstalk.com/2019/11/mulesoft-integration-and-platform.html
To invoke OAuth 2.0-protected APIs managed by Anypoint Platform, API clients must submit access tokens issued by that same Identity Provider
*****************************************
>> Single sign-on is NOT necessarily required to sign in to Anypoint Platform just because we are using an external Identity Provider for Client Management.
>> It is NOT necessary that all APIs managed by Anypoint Platform be protected by SAML 2.0 policies just because we are using an external Identity Provider for Client Management.
>> It is NOT true that the application network must include System APIs that interact with the Identity Provider just because we are using an external Identity Provider for Client Management.
The only TRUE statement in the given options is "To invoke OAuth 2.0-protected APIs managed by Anypoint Platform, API clients must submit access tokens issued by that same Identity Provider".
Question 75:
What CANNOT be effectively enforced using an API policy in Anypoint Platform?
A. Guarding against Denial of Service attacks
B. Maintaining tamper-proof credentials between APIs
C. Logging HTTP requests and responses
D. Backend system overloading
Correct Answer: A
Guarding against Denial of Service attacks
*****************************************
>> Backend system overloading can be handled by enforcing "Spike Control Policy"
>> Logging HTTP requests and responses can be done by enforcing "Message Logging Policy"
>> Credentials can be tamper-proofed using "Security" and "Compliance" Policies
However, unfortunately, there is currently no proper way on Anypoint Platform to guard against DoS attacks.
Question 76:
How are an API implementation, API client, and API consumer combined to invoke and process an API?
A. The API consumer creates an API implementation, which receives API invocations from an API such that they are processed for an API client
B. The API client creates an API consumer, which receives API invocations from an API such that they are processed for an API implementation
C. The API consumer creates an API client, which sends API invocations to an API such that they are processed by an API implementation
D. The API client creates an API consumer, which sends API invocations to an API such that they are processed by an API implementation
Correct Answer: C
The API consumer creates an API client, which sends API invocations to an API such that they are processed by an API implementation
*****************************************
Terminology:
>> API Client - A piece of code or a program that is written to invoke an API.
>> API Consumer - An owner/entity who owns the API Client. API Consumers write API clients.
>> API - The provider of the API functionality. Typically an API Instance on API Manager where they are managed and operated.
>> API Implementation - The actual piece of code written by API provider where the functionality of the API is implemented. Typically, these are Mule Applications running on Runtime Manager.
Question 77:
How can the application of a rate limiting API policy be accurately reflected in the RAML definition of an API?
A. By refining the resource definitions by adding a description of the rate limiting policy behavior
B. By refining the request definitions by adding a remaining Requests query parameter with description, type, and example
C. By refining the response definitions by adding the out-of-the-box Anypoint Platform rate-limit-enforcement securityScheme with description, type, and example
D. By refining the response definitions by adding the x-ratelimit-* response headers with description, type, and example
Correct Answer: D
By refining the response definitions by adding the x-ratelimit-* response headers with description, type, and example
*****************************************
Question 78:
Which layer in the API-led connectivity focuses on unlocking key systems, legacy systems, data sources etc and exposes the functionality?
A. Experience Layer
B. Process Layer
C. System Layer
Correct Answer: C
System Layer
The APIs used in an API-led approach to connectivity fall into three categories:
System APIs - These usually access the core systems of record and provide a means of insulating the user from the complexity of, or any changes to, the underlying systems. Once built, many users can access data without any need to learn the underlying systems and can reuse these APIs in multiple projects.
Process APIs - These APIs interact with and shape data within a single system or across systems (breaking down data silos) and are created here without a dependence on the source systems from which that data originates, as well as the target channels through which that data is delivered.
Experience APIs - Experience APIs are the means by which data can be reconfigured so that it is most easily consumed by its intended audience, all from a common data source, rather than setting up separate point-to-point integrations for each channel. An Experience API is usually created with API-first design principles, where the API is designed with the specific user experience in mind.
Question 79:
A system API has a guaranteed SLA of 100 ms per request. The system API is deployed to a primary environment as well as to a disaster recovery (DR) environment, with different DNS names in each environment. An upstream process API invokes the system API and the main goal of this process API is to respond to client requests in the least possible time. In what order should the system APIs be invoked, and what changes should be made in order to speed up the response time for requests from the process API?
A. In parallel, invoke the system API deployed to the primary environment and the system API deployed to the DR environment, and ONLY use the first response
B. In parallel, invoke the system API deployed to the primary environment and the system API deployed to the DR environment using a scatter-gather configured with a timeout, and then merge the responses
C. Invoke the system API deployed to the primary environment, and if it fails, invoke the system API deployed to the DR environment
D. Invoke ONLY the system API deployed to the primary environment, and add timeout and retry logic to avoid intermittent failures
Correct Answer: A
In parallel, invoke the system API deployed to the primary environment and the system API deployed to the DR environment, and ONLY use the first response.
*****************************************
>> The API requirement in the given scenario is to respond in the least possible time.
>> The option that suggests first trying the API in the primary environment and then falling back to the API in the DR environment would result in a successful response, but NOT in the least possible time. So, this is NOT the right choice of implementation for the given requirement.
>> Another option, which suggests invoking ONLY the API in the primary environment and adding timeout and retries, may also result in a successful response upon retries, but NOT in the least possible time. So, this is also NOT the right choice of implementation for the given requirement.
>> One more option, which suggests invoking the API in the primary environment and the API in the DR environment in parallel using Scatter-Gather, would result in a wrong API response, as it would return merged results. Moreover, Scatter-Gather does run its routes in parallel, but it still completes its scope only when all routes inside it have finished. So again, this is NOT the right choice of implementation for the given requirement.
The correct choice is to invoke the API in the primary environment and the API in the DR environment in parallel, and to use ONLY the first response received from one of them.
Question 80:
An API has been updated in Anypoint Exchange by its API producer from version 3.1.1 to 3.2.0 following accepted semantic versioning practices, and the changes have been communicated via the API's public portal. The API endpoint does NOT change in the new version. How should the developer of an API client respond to this change?
A. The API producer should be requested to run the old version in parallel with the new one
B. The API producer should be contacted to understand the change to existing functionality
C. The API client code only needs to be changed if it needs to take advantage of the new features
D. The API clients need to update the code on their side and need to do full regression