無料Ping Identity PAP-001プレミアム試験エンジンPDFをダウンロード 更新された72問があります [Q26-Q45]

Share

無料Ping Identity PAP-001プレミアム試験エンジンPDFをダウンロード 更新された72問があります

検証済みPAP-001リアル試験問題集PDF豪華お試しセット


Ping Identity PAP-001 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • 一般的なメンテナンスとファイルシステム:このセクションでは、システムエンジニアのスキルを評価し、ライセンス管理、バックアップ、構成のインポート/エクスポート、監査、製品のアップグレードといったメンテナンスタスクについて扱います。また、ログファイルの目的や、重要な構成ファイルを含むPingAccessファイルシステム構造の概要についても学習します。
トピック 2
  • 一般設定:このセクションでは、セキュリティ管理者のスキルを評価し、PingAccess内のアプリケーション、仮想ホスト、Webセッションなどの様々なオブジェクトタイプについて解説します。アプリケーションリソースのプロパティ管理、Webセッションの作成、IDマッピングの設定、管理コンソールの効率的な操作方法について解説します。
トピック 3
  • インストールと初期設定:このセクションでは、システムエンジニアのスキルを評価し、インストールの前提条件、PingAccessのインストールと削除の方法、構成データベースのパスワード保護について確認します。run.propertiesエントリの役割を説明し、オンプレミスの基本的なPingAccessクラスターの設定方法の概要を示します。

 

質問 # 26
A company has removed the requirement to record back-channel requests from PingAccess to PingFederate in the audit log.
Where should the administrator update this behavior without affecting existing applications?

  • A. Token Provider
  • B. Token Validation
  • C. Web Sessions
  • D. Sites

正解:B

解説:
PingAccess can be configured to log or suppress back-channel requests that occur duringtoken validation with an OAuth/OpenID Connect provider such as PingFederate. These requests happen when PingAccess calls PingFederate to validate access tokens or retrieve key material.
* Exact Extract from PingAccess documentation:
"Back-channel requests are logged during token validation by default. To prevent these requests from being written to the audit log, update theToken Validationsettings in PingAccess." This makesToken Validationthe correct location for changing the behavior without modifying application- specific configurations.
Why other options are wrong:
* B. Web Sessions
* Incorrect. Web Sessions control user session management and cookie handling, not back-channel token validation traffic.
* C. Sites
* Incorrect. Sites are the definitions of backend servers that PingAccess proxies to. This setting does not affect back-channel logging to PingFederate.
* D. Token Provider
* Incorrect. The Token Provider defines the OIDC/OAuth server (e.g., PingFederate) and its endpoints, but the logging of back-channel requests is not controlled here.
Thus, the correct answer isA. Token Validation.
Reference:PingAccess Administration Guide-Managing Token Validationsection.


質問 # 27
Which two variables should be set in order for the PingAccess service script to start? (Choose 2 answers.)

  • A. PA_HOME
  • B. JAVA_PATH
  • C. J2EE_HOME
  • D. JAVA_HOME
  • E. PA_PATH

正解:A、D

解説:
PingAccess service scripts depend on knowing:
* Where the Java runtime is installed (JAVA_HOME)
* Where PingAccess itself is installed (PA_HOME)
Exact Extract:
"The PingAccess startup scripts require theJAVA_HOMEenvironment variable to locate the JDK/JRE and thePA_HOMEvariable to locate the PingAccess installation directory."
* Option A (J2EE_HOME)is irrelevant to PingAccess.
* Option B (JAVA_HOME)is correct - needed for Java execution.
* Option C (PA_PATH)is not a standard variable.
* Option D (PA_HOME)is correct - required to point to the PingAccess installation root.
* Option E (JAVA_PATH)is not valid;PATHcan include Java, butJAVA_HOMEis the correct environment variable.
Reference:PingAccess Installation Guide -Environment Variables


質問 # 28
An administrator needs to use attributes that are not currently available in theIdentity Mapping Attribute Namedropdown. Which action should the administrator take?

  • A. Create a Web Session Attribute rule for the additional attributes
  • B. Request that the additional attributes be added by the web developer
  • C. Create a Rewrite Content rule for the additional attributes
  • D. Request that the additional attributes be added by the token provider administrator

正解:D

解説:
Identity Mapping in PingAccess relies on attributes provided by thetoken provider(e.g., PingFederate, OIDC provider). If the desired attributes are not present in the dropdown, it means they are not being provided in the token or userinfo response.
Exact Extract:
"Attributes available in identity mappings are those provided in the web session by the token provider. If attributes are missing, they must be added to the token by the identity provider."
* Option Ais correct - the token provider administrator must configure the IdP to include the additional attributes.
* Option Bis incorrect - rewrite rules modify content but do not supply new identity attributes.
* Option Cis incorrect - developers cannot directly add identity attributes; they must come from the IdP.
* Option Dis incorrect - Web Session Attribute rules only evaluate available attributes; they don't create new ones.
Reference:PingAccess Administration Guide -Identity Mapping and Attributes


質問 # 29
An administrator must onboard a new application from the application team. The application has multiple paths that will need different rules. What would be the first step in this process?

  • A. Application
  • B. Identity mapping
  • C. Web session
  • D. Resource

正解:A

解説:
All onboarding in PingAccess begins with defining anApplication. Once the application exists, the administrator can defineResourceswithin it and assign different rules to those resources.
Exact Extract:
"Before you can configure resources and rules, you must first create an application in PingAccess."
* Option A (Identity Mapping)may be required later but not the first step.
* Option B (Web Session)can be shared but is not the first onboarding step.
* Option C (Application)is correct - the starting point for onboarding.
* Option D (Resource)comes after creating the application.
Reference:PingAccess Administration Guide -Creating Applications


質問 # 30
A change is made to the configuration that prevents user access to an application. No one claims to have made the change. Which log file should the administrator use to determine who made the change?

  • A. pingaccess_api_audit.log
  • B. pingaccess_agent_audit.log
  • C. pingaccess.log
  • D. pingaccess_engine_audit.log

正解:A

解説:
All administrative API calls that change PingAccess configuration are logged inpingaccess_api_audit.log.
This allows administrators to track who made configuration changes.
Exact Extract:
"Thepingaccess_api_audit.logfile contains entries for all administrative API calls and is used to audit configuration changes."
* Option A (pingaccess.log)contains runtime system messages but not detailed API audit entries.
* Option B (pingaccess_engine_audit.log)is specific to engine request/response audit logging.
* Option C (pingaccess_agent_audit.log)is used for PingAccess Agent traffic auditing, not administrative changes.
* Option D (pingaccess_api_audit.log)is correct - it tracks admin API modifications.
Reference:PingAccess Administration Guide -Log Files


質問 # 31
Which of the following is a processing rule?

  • A. HTTP Request Header
  • B. Cross-Origin Request
  • C. HTTP Request Parameter
  • D. Web Session Attribute

正解:B

解説:
PingAccess rules are categorized intoAccess Control RulesandProcessing Rules.
* Processing Rulesmodify or add to HTTP requests and responses.
* Cross-Origin Request (CORS)is specifically listed as aProcessing Rule, because it modifies response headers to support cross-origin requests.
Exact Extract:
"Processing rules apply to HTTP traffic, such as Cross-Origin Resource Sharing (CORS), header injection, or response modification."
* Option A (Web Session Attribute)is an access control rule.
* Option B (Cross-Origin Request)is correct - this is a processing rule.
* Option C (HTTP Request Parameter)is an access control rule.
* Option D (HTTP Request Header)is an access control rule.
Reference:PingAccess Administration Guide -Rules Overview


質問 # 32
A PingAccess administrator needs to configure PingAccess to validate tokens. Which two options can the administrator use? (Choose 2 answers)

  • A. Common SAML provider
  • B. Kerberos
  • C. PingAuthorize
  • D. PingFederate
  • E. Common OIDC provider

正解:D、E

解説:
PingAccess validates access tokens usingAccess Token Managers, which are typically backed by PingFederateor ageneric OIDC provider.
Exact Extract:
"PingAccess validates tokens through Access Token Managers, which can be configured against PingFederate or a common OIDC provider."
* Option A (PingFederate)is correct - the most common token provider.
* Option B (Kerberos)is not supported for token validation.
* Option C (SAML provider)is incorrect - PingAccess does not natively consume SAML assertions.
* Option D (Common OIDC provider)is correct - tokens can be validated against any OIDC- compliant IdP.
* Option E (PingAuthorize)is an authorization engine, not a token provider.
Reference:PingAccess Administration Guide -Access Token Managers


質問 # 33
What is the purpose of thepa.operational.modeconfiguration setting?

  • A. To determine if a cluster node is enabled or disabled
  • B. To determine if a server should participate in cluster replication
  • C. To determine the role the server performs in a cluster
  • D. To determine whether a server is a development or production server

正解:C

解説:
Thepa.operational.modeproperty inrun.propertiesdefines therole of the nodein a PingAccess deployment (e.
g.,STANDALONE,CLUSTERED_CONSOLE,CLUSTERED_CONSOLE_REPLICA,ENGINE).
Exact Extract:
"Thepa.operational.modeproperty determines the role of the server in the cluster, such as standalone, console, console replica, or engine."
* Option Ais incorrect - replication is implicit in certain roles, not controlled directly.
* Option Bis correct - the setting specifies whether the node is admin console, replica, or engine.
* Option Cis incorrect - development vs production is not a function of this setting.
* Option Dis incorrect - it does not enable/disable nodes.
Reference:PingAccess Administration Guide -run.properties


質問 # 34
Which two options can be changed in therun.propertiesfile? (Choose 2 answers.)

  • A. X-Frame-Options header
  • B. Operational mode for PingAccess
  • C. URL for heartbeat endpoint
  • D. Default logs location
  • E. Logging levels

正解:B、E

解説:
Therun.propertiesfile in PingAccess is the primary configuration file that defines system-level runtime behavior. According to PingAccess documentation:
* Exact Extract:
"Therun.propertiesfile contains configuration properties for PingAccess, including operational mode, logging levels, admin authentication fallback, cluster settings, and system defaults." (PingAccess Administrator's Guide -run.properties Reference) From this, we can determine:
* C. Operational mode for PingAccess#CorrectThe propertypa.operational.modeinrun.properties defines whether the node operates asSTANDALONE,CLUSTERED_CONSOLE, CLUSTERED_CONSOLE_REPLICA, orCLUSTERED_ENGINE. This is one of the core configurable options.
* E. Logging levels#CorrectProperties such aslog.leveland other logging configurations are explicitly defined inrun.properties, allowing administrators to adjust the verbosity of logs (DEBUG, INFO, WARN, ERROR).
Why the others are incorrect:
* A. Default logs location#IncorrectThe log file path is not controlled viarun.properties. It is defined in log4j2.xml, not inrun.properties.
* B. URL for heartbeat endpoint#IncorrectThe heartbeat endpoint (/pa/heartbeat.ping) is a fixed system endpoint and is not configurable inrun.properties.
* D. X-Frame-Options header#IncorrectSecurity headers likeX-Frame-Optionsare managed under application security policies or global response headers, not inrun.properties.
Reference:PingAccess Administrator's Guide -run.properties Reference(section describingpa.operational.
modeand logging configuration properties).


質問 # 35
An administrator must protect an application on multiple domains or hosts. What should the administrator configure to complete this action?

  • A. Redirects
  • B. Virtual Hosts
  • C. Sites
  • D. Rules

正解:B

解説:
Applications in PingAccess can be associated with multipleVirtual Hosts. Each virtual host defines an FQDN and port combination through which the application is exposed, allowing protection across multiple domains or hostnames.
Exact Extract:
"Virtual hosts specify the fully qualified domain names (FQDNs) and ports that PingAccess uses to expose applications."
* Option A (Sites)represent the target back-end servers, not the external FQDN.
* Option B (Virtual Hosts)is correct - use multiple virtual hosts for multiple domains.
* Option C (Redirects)are unrelated to multi-domain application protection.
* Option D (Rules)define access policies, not hostnames.
Reference:PingAccess Administration Guide -Virtual Hosts


質問 # 36
An administrator needs to support SLO (Single Logout) for a protected web application. What must be configured in a PingAccess Web Session in this situation?

  • A. SLO scope
  • B. Refresh User Attributes
  • C. Validate Session
  • D. Idle timeout

正解:A

解説:
To enableSingle Logout (SLO), theSLO scopemust be defined in the PingAccess Web Session configuration. This determines which sessions are ended when a logout request occurs.
Exact Extract:
"The SLO scope option in a web session specifies which applications are included in a logout event when Single Logout is triggered."
* Option A (SLO scope)is correct; it explicitly enables SLO support by linking session termination across apps.
* Option B (Idle timeout)is unrelated; this controls session expiration, not SLO.
* Option C (Validate Session)ensures session state is synchronized but does not configure SLO.
* Option D (Refresh User Attributes)is unrelated; it only controls whether attributes are reloaded.
Reference:PingAccess Administration Guide -Configuring Web Sessions


質問 # 37
What is the purpose of theadmin.authconfiguration setting?

  • A. To enable automatic authentication to the PingAccess administrative console.
  • B. To configure SSO for the administrative user interface.
  • C. To define the method to use for authenticating to the administrative API.
  • D. To override the SSO configuration for the administrative user interface.

正解:D

解説:
Theadmin.authsetting in therun.propertiesfile is used to specify a fallback authentication method for the administrative console.
Exact Extract from official documentation:
"To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication." This makes it clear that the purpose ofadmin.authis tooverrideany configured SSO for the admin UI and enforce native (basic) authentication instead.
* Option Ais incorrect because theadmin.authsetting does not configure SSO. SSO for the admin UI is configured separately.
* Option Bis incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.
* Option Cis correct because it directly reflects the documented behavior:admin.authoverrides SSO configuration for the administrative UI and enables native authentication.
* Option Dis incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.
Reference:PingAccess User Interface Reference Guide -Configuring Admin UI SSO Authentication


質問 # 38
An organization wants to take advantage of a new product feature that requires upgrading the PingAccess cluster from 7.3 to the current version. The administrator downloads the required files and places the files on the PingAccess servers. What should the administrator do next?

  • A. Disable Key Rolling.
  • B. Disable cluster communication.
  • C. Upgrade the Admin Console.
  • D. Upgrade the Replica Admin.

正解:C

解説:
When upgrading a PingAccess cluster, theAdmin Console node must always be upgraded firstbefore any replica admin or engine nodes. This ensures that the configuration and schema changes introduced in the new version are properly applied and replicated.
Exact Extract (from PingAccess documentation):
"In a clustered environment, you must first upgrade theadministrative console nodebefore upgrading any replica administrative nodes or engine nodes." Why A is correct:
* A. Upgrade the Admin Console- This is correct because the admin console node acts as the configuration master in a PingAccess cluster. Upgrading it first ensures the new version schema is available to replicas and engines.
Why the other options are incorrect:
* B. Disable cluster communication- This is not required for standard upgrades. Cluster communication remains in place to synchronize changes after the upgrade.
* C. Disable Key Rolling- Key rolling is unrelated to the upgrade process. It is a feature used for key rotation, not version upgrades.
* D. Upgrade the Replica Admin- This is incorrect because upgrading a replica admin before the primary administrative console is against the documented procedure and would cause replication issues.
Reference:
Upgrading PingAccess in a Clustered Environment(PingAccess Upgrade Guide) PingAccess Administration Guide - Upgrade Process


質問 # 39
The application team has changed their directory paths. An administrator must adjust the following paths:
* /images/sitel/
* /images/sitel/checkout/default.html
* /images/sitel/homepage/english/default.html
Which pattern would match the paths?

  • A. /images/aitel/checkout
  • B. /images/site*
  • C. /images/sitel/english/*
  • D. /images/sitel/*

正解:D

解説:
The pattern/images/sitel/*matches all subpaths and files under the/images/sitel/directory, including nested paths.
Exact Extract:
"The asterisk (*) matches zero or more characters within the path. For example,/images/sitel/*matches all resources under thesitelfolder."
* Option Ais incorrect - it references/aitel/instead of/sitel/.
* Option Bis incorrect -/site*matches strings beginning with "site", but may also match "siteX" incorrectly.
* Option Cis incorrect - it only matches resources under/english/, missing other folders.
* Option Dis correct -/images/sitel/*covers all given examples.
Reference:PingAccess Administration Guide -Resource Path Matching


質問 # 40
An administrator is integrating a new PingAccess Proxied Application for which the target site uses a certificate issued by a publicly trusted Certificate Authority.
How should the administrator configure PingAccess to trust the target site?

  • A. Import the certificate chain into Key Pairs and add it to a Trusted Certificate Group
  • B. Drop the certificate chain into a Trusted Certificate Group
  • C. Import the certificate chain into Key Pairs
  • D. Configure the PingAccess Site to use the Java Trust Store Certificate Group

正解:D

解説:
Publicly trusted Certificate Authorities are already included in theJava Trust Store Certificate Group, which PingAccess can use directly. This avoids importing the certificate manually.
Exact Extract:
"If the target site uses a certificate from a well-known public CA, configure the site to use the Java Trust Store Certificate Group."
* Option Ais incorrect - Key Pairs store private keys for SSL termination, not public CA trust anchors.
* Option Bis correct - Java Trust Store already contains trusted public CAs.
* Option Cis incorrect - again, Key Pairs are not used for trust validation.
* Option Dis unnecessary for public CAs - only internal/self-signed certs must be imported.
Reference:PingAccess Administration Guide -Trusted Certificate Groups


質問 # 41
Anycompany has several applications that need to load images and fonts fromwww.anycompany.com. Users are currently getting CORS errors. How should the Cross-Origin Request rule be set to allow secure access?

  • A. Allowed Origins towww.anycompany.comand enable the Allow Credentials option
  • B. Allowed Origins value for each of the listed domains
  • C. Allowed Origins to*and enable the Allow Credentials option
  • D. Allowed Origins to*.anycompany.comand disable the Allow Credentials option

正解:A

解説:
To prevent CORS errors, administrators must configure aCross-Origin Request (CORS) Processing Rule.
The secure practice is to allow thespecific trusted domain(www.anycompany.com) and, when cookies or credentials are required, to enableAllow Credentials.
Exact Extract:
"For secure CORS, specify exact origins rather than wildcards. Enable 'Allow Credentials' when client-side resources must include cookies or authentication data."
* Option Ais incomplete - multiple values are possible, but in this case onlywww.anycompany.comis required.
* Option Bis less secure - using a wildcard (*.anycompany.com) broadens exposure unnecessarily.
* Option Cis insecure -*with credentials is disallowed by CORS specifications.
* Option Dis correct - restricts access to the trusted domain and allows credentialed requests.
Reference:PingAccess Administration Guide -Cross-Origin Request Rule


質問 # 42
An administrator needs to configure a signed JWT identity mapping for an application that expects to be able to validate the signature. Which endpoint does the application need to access to validate the signature?

  • A. /pa/aidc/cb
  • B. /pa-admin-api/v3/authTokenManagement
  • C. /pa-admin-api/v3/identityMappinga/descriptora/jwtidentitymapping
  • D. /pa/authtoken/JWKS

正解:D

解説:
Applications consuming signed JWTs need theJSON Web Key Set (JWKS)endpoint to retrieve the public keys used for validating JWT signatures. PingAccess exposes this at/pa/authtoken/JWKS.
Exact Extract:
"When using JWT identity mapping, applications can obtain the signing keys from the/pa/authtoken
/JWKSendpoint to validate the JWT signature."
* Option Ais correct -/pa/authtoken/JWKSprovides the key set for signature validation.
* Option Bis incorrect - that's an administrative API for configuring identity mappings, not a runtime validation endpoint.
* Option Cis incorrect -/pa/aidc/cbis the OIDC callback endpoint.
* Option Dis incorrect -/pa-admin-api/v3/authTokenManagementis for admin token management, not JWT validation.
Reference:PingAccess Administration Guide -JWT Identity Mapping


質問 # 43
For a Web Application, theid_tokenmust be transmitted through a back channel with the OIDC standards- based approach. Which action should the administrator perform in the Web Session to meet this requirement?

  • A. Set the login type to POST
  • B. Set the request preservation to None
  • C. Set the request preservation to POST
  • D. Set the login type to code

正解:D

解説:
To transmit theid_tokenvia a back channel according to OIDC best practices, the application must use the Authorization Code Flow(login type =code). This ensures tokens are retrieved securely via the back channel instead of being exposed in the browser.
Exact Extract:
"For back-channel transmission of ID tokens, configure the OIDC login type as Authorization Code."
* Option Ais correct - setting login type to code ensures back-channel delivery.
* Option Bis incorrect - request preservation concerns request method persistence, not OIDC flow.
* Option Cis incorrect - POST is not a valid login type; only Code, Implicit, or Hybrid.
* Option Dis incorrect - request preservation has no bearing on token delivery.
Reference:PingAccess Administration Guide -Configuring OIDC Web Sessions


質問 # 44
An administrator is preparing to rebuild an unrecoverable primary console and must promote the replica admin node. Which two actions must the administrator take? (Choose 2 answers.)

  • A. Changepa.operational.modetoCLUSTERED_CONSOLE_REPLICAon one of the engine nodes.
  • B. Restart all nodes in the cluster.
  • C. Modifybootstrap.propertiesand set theengine.admin.configuration.hostvalue to point at the replica admin node.
  • D. Restart the replica admin node.
  • E. Changepa.operational.modetoCLUSTERED_CONSOLEon the replica admin node.

正解:C、E

解説:
From the "Promoting the replica administrative node" documentation:
* Exact Extract:
"Open the<PA_HOME>/conf/run.propertiesfile in a text editor. Locate thepa.operational.modeline and change the value fromCLUSTERED_CONSOLE_REPLICAtoCLUSTERED_CONSOLE. These properties are case-sensitive. Do not restart the replica node during the promotion process."Ping Identity Documentation
* Also from the documentation under "Next steps" / manual promotion / "Using the admin API ..."When promoting the replica, there is also mention of setting the new host-port in the primary admin configuration so that engine nodes and configuration references now point to the promoted replica. One of the API properties iseditRunPropertyFile(to flip the mode), another iseditPrimaryHostPort, which causes the primary-admin host setting to be updated.Ping Identity Documentation Using those facts:
Why C is correct:
* Option C says:Changepa.operational.modetoCLUSTERED_CONSOLEon the replica admin node.
This directly matches the documented manual promotion step: switchpa.operational.
modefromCLUSTERED_CONSOLE_REPLICA#CLUSTERED_CONSOLE.Ping Identity
Documentation+1
* This is essential for promoting the replica to primary console.
Why E is correct:
* Option E:Modifybootstrap.propertiesand set theengine.admin.configuration.hostvalue to point at the replica admin node.While the documentation doesn't always name the exact propertyengine.admin.
configuration.host, the "promote via admin API" includes updating the "primary host:port" in the configuration so that engine nodes' configuration queries (or whatever is used by engines) point to the new primary. This maps to ensuring that engine nodes know that the promoted replica is now the administrative node. This requiring modifying the bootstrap or configuration that engine nodes use to find the administrative host is essential.Ping Identity Documentation Why the other options are incorrect:
* A.Changepa.operational.modetoCLUSTERED_CONSOLE_REPLICAon one of the engine nodes.No.
Engine nodes should havepa.operational.mode = CLUSTERED_ENGINE, not console modes.
CLUSTERED_CONSOLE_REPLICAis an admin/replica console mode, not applicable for engines.
docs.ping.directory+2Ping Identity Documentation+2
* B.Restart all nodes in the cluster.The documentation explicitly saysdo not restartthe replica node during the promotion process because restart can cause file corruption or failure to properly promote.
Only certain restarts are neededafterconfiguration updates. So restarting all nodes is not a correct required action.Ping Identity Documentation
* D.Restart the replica admin node.As above, for manual promotion, a restart of the replica admin node is notrequired (and is even discouraged during the promotion process). The change inrun.propertiesis detected without restarting.Ping Identity Documentation Reference:PingAccess Reference Guide -Promoting the replica administrative node / Manually promoting the replica administrative nodePing Identity Documentation+1


質問 # 45
......

あなたを合格させるPing Identity試験にPAP-001試験問題集:https://www.jpntest.com/shiken/PAP-001-mondaishu

PAP-001問題集PDF最新 [2025年最新] 究極の学習ガイド:https://drive.google.com/open?id=1AOs_9uT1OSoMSdVsXwS6yHxG7_jP83qS

弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

オンラインサポート時間:( UTC+9 ) 9:00-24:00
月曜日から土曜日まで

サポート:現在連絡