Release Notes for Cisco Subscriber Edge Services Manager (SESM) 3.2(2)

These release notes contain important information regarding the Cisco Subscriber Edge Services Manager (Cisco SESM) 3.2(2).


Note For information about obtaining a license number, see the "Obtaining a License Number" section.


Contents

These release notes discuss the following topics:

Introduction

System Requirements

Changes Made for SESM 3.2(2)

Installation Notes

Upgrade Information

Important Notes

Caveats

Related Documentation

Obtaining Documentation

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Introduction

Cisco SESM provides service selection and connection management in broadband and mobile wireless environments. Cisco SESM provides the end user (the subscriber) with a web portal for accessing multiple services. The ISPs and NAPs deploying Cisco SESM can customize the content of the web pages and thereby control the subscriber experience.

This release of SESM provides improved performance of the Web Portals (NWSP, PDA, WAP), CDAT and RDP, in LDAP deployments due to a new version of the Subscriber Policy Engine (SPE).

Further stability and performance related improvements in both RADIUS and LDAP deployments have also been made. We highly recommend that existing customers migrate to this latest version at their earliest opportunity.

This version of SESM also fixes a security risk, identified in the previous release of SESM, whereby under certain conditions subscribers could view the contents of JSP files.

Please refer to Changes Made for SESM 3.2(2) for details.

Cisco Developer Support Program

The Developer Support Program was developed to provide formalized support for Cisco interfaces to accelerate the delivery of compatible solutions to Cisco customers. The program web site at http://www.cisco.com/go/developersupport provides a central resource point for all your development needs. Alternatively, you can email: developer-support@cisco.com

SESM Deployment Options

SESM 3.2(2) supports the following deployment options:

RADIUS—In this deployment, the SESM web application and SSG query a RADIUS database for authentication and authorization information.

SPE—In this deployment, the Cisco Subscriber Policy Engine (SPE) provides the libraries and directory schema extensions that enable queries to an LDAP directory for authentication and authorization information.

Demo—In Demo mode, the SESM web application simulates the actions of an SESM application without using an SSG, RADIUS server, or LDAP directory.

SESM Application Suite

SESM 3.2(2) includes the following sample web portal applications that can be installed and configured for demonstration purposes or used as a starting point for customizations:

New World Service Provider (NWSP) portal—A comprehensive example of most features offered by the SESM web development kit.

Subscriber Portal—Designed to demonstrate deployment in the PWLAN, mobile, and broadband markets.

Wireless Access Protocol (WAP) portal—An application designed specifically for deployment in the mobile wireless industry.

Personal Digital Assistant (PDA) portal—An application with web pages formatted for a PDA device.

Optionally, you can install the following applications to configure the SESM captive portal solution:

Captive Portal application—A gateway application between the SSG and other applications in a captive portal solution. The default configuration for this application redirects subscriber browsers to either the Message Portal application or the NWSP application.

Message Portal application—SESM portal application that produces sample greetings and advertising pages to demonstrate SESM captive portal features.

The SESM software includes the following additional supporting applications:

Cisco Distributed Administration Tool (CDAT)—A web-based interface that is used to create and maintain the subscriber, service, and policy information used by SESM and the Service Selection Gateway (SSG) in an SPE/LDAP mode deployment.

RADIUS Data Proxy (RDP) server—A RADIUS server that can proxy profile requests or use the SPE components to query the LDAP directory for profile information.

Web Services Gateway (WSG) application—Provides a Simple Object Access Protocol (SOAP)-based interface that allows third-party web portals and subscriber management systems to integrate with the SESM and SSG solution.

Application Management—Java Management Extensions (JMX) based application management for all solution components.

Web Proxy—Allows SESM deployers to proxy HTTP requests to another application.

Additional software components bundled in the Cisco SESM installation package are:

J2EE management components.

SPE component—For SESM running in SPE mode, this component provides the interface between SESM applications and the SPE directory.

System Requirements

This section describes hardware and software requirements for SESM deployments.

Supported Hardware

You can deploy SESM using the following platforms and devices.

SESM Platforms

SESM applications can run on any platform that supports the Java Runtime Environment (JRE). SESM installation images are available for Sparc Solaris, Linux and Windows. Platform details are shown in Table 1.

For details about memory requirements, see the chapter "Running SESM Components," in the Cisco Subscriber Edge Services Manager Web Portal Guide.

Table 1 SESM Platforms

| Platform | Specifications |
|---|---|
| Solaris | If you are using a Sun Ultra or Enterprise system, you must use Solaris Version 8 or later. For live deployments, we recommend using an Enterprise class server with hot-swappable components. SESM has been verified on Sun Ultra10 with Solaris-8. |
| Windows | For Windows installations, we highly recommend that you use hardware that meets the Windows Hardware Compatibility List (HCL) guidelines set by Microsoft. SESM has been verified with Windows 2000. |
| Linux | SESM has been verified with Red Hat Linux Version 9. |


SSG Platforms

Cisco SESM works with any router running Cisco IOS software with the Cisco Service Selection Gateway. The following devices work with SESM Release 3.2(2), when they are running Cisco IOS Release 12.3(1)T or the X train for Cisco IOS Release 12.2(8)B or later, with SSG enabled:

Cisco 6400 Universal Access Concentrator (UAC)

Cisco 72xx, 73xx, and 74xx series high-performance multifunction routers

Cisco 2600-XM modular routers

Cisco 3725 and 3745 multi-service access routers

Cisco MWAM blade on either the Cat-6000 chassis or 76xx chassis

Cisco 10000 series router

Software Compatibility

The following SESM features require support on the SSG:

Captive portal

Port-bundle host key

Complete ID

Captive Portal Compatibility

To use the captive portal feature in SESM to support unauthenticated user redirections:

The SSG device must be running Cisco IOS Release 12.2(2)B or later, or Release 12.1(5)DC1 or later.

The SSG TCP redirect feature must be configured appropriately.

To use the captive portal feature in SESM to support service redirections, initial logon redirections, and advertising redirections:

The SSG device must be running Cisco IOS Release 12.2(4)B or later, or Release 12.1(5)DC1 or later.

The SSG TCP redirect feature must be configured appropriately.

To use the full functionality of the captive portal HTTPS redirection feature:

The SSG device must be running Cisco IOS Release 12.2(16)B or later.

Port-bundle Host Key Compatibility

To use the port-bundle host key feature:

The SSG device must be running Cisco IOS Release 12.2(2)B or later.

The SSG host key feature must be configured appropriately.

The host key feature can be enabled and disabled on both the SESM and SSG products to ensure backwards compatibility.

Complete ID Compatibility

To use the complete ID feature for portal location awareness and branding, the SSG device must be running Cisco IOS Release 12.3(1)T or the X train for Cisco IOS Release 12.2(8)B or later.

Changes Made for SESM 3.2(2)

SESM version 3.2(2) contains the improvements detailed below.

We highly recommend that existing customers migrate to this latest version at their earliest opportunity.

Stability improvements

Under certain heavy load conditions, certain applications in previous versions of SESM may have stopped responding after a period of prolonged use. This version has dramatically improved this situation, resulting in a more stable and responsive solution in general.

New version of SPE with Improved Performance

Previous versions of SESM suffered from less than optimal performance and throughput due to the Subscriber Policy Engine (SPE), affecting the SESM web portals, RDP and CDAT. SESM 3.2(2) addresses this issue and now includes a new version of SPE with improved performance.

SPE is the component in SESM which interfaces to the LDAP Directory and provides the Role Based Access Control (RBAC) functionality to SESM applications. The SPE is used by the SESM Web Portals (SP, NWSP, WAP and PDA), RDP and CDAT in SPE/LDAP deployments of SESM.

JSP Source Files are No Longer Visible to Users

In previous versions of SESM, if a subscriber accessing the SESM Web Portal modified the URL in a certain way, the contents of the JSP file would be displayed in the subscriber's browser.

This may cause confidentiality and/or security issues since some customers may insert sensitive information either as a comment or embedded in the scripts themselves.

This problem was originally raised under DDTS CSCuk46790, and occurred when the SESM Web Portal was run under the Jetty web server bundled with SESM. In SESM 3.2(2) this problem has now been fixed and JSP source files can no longer be viewed by users.
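The following audit is an added example, not Cisco or SESM code: it scans customized JSP pages for the kind of sensitive information described above (credentials left in JSP comments or assigned as literals in scriptlets), which is what a source disclosure would expose. The keyword list, function names, and sample page are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumed keyword list: names that suggest a credential or shared secret.
KEYWORD = r"(?:passw(?:or)?d|pwd|secret)"

# Parts of a JSP file that the container consumes and that never reach the
# browser when the page is rendered, but that are exposed if the raw source
# is served. JSP comments are tried first so "<%--" is not read as a scriptlet.
REGION = re.compile(
    r"(?P<jsp_comment><%--.*?--%>)"
    r"|(?P<directive><%@.*?%>)"
    r"|(?P<scriptlet><%.*?%>)",  # also covers <%! declarations and <%= expressions
    re.DOTALL,
)

# In Java code only a quoted literal assigned to a sensitive-looking name is
# reported, so reading a request parameter called "password" is not flagged.
CODE_LITERAL = re.compile(
    r'(?P<name>\w*' + KEYWORD + r'\w*)\s*=\s*"[^"]+"', re.IGNORECASE)
# In comments, free text such as "password: x" or "secret = x" is reported.
COMMENT_HINT = re.compile(
    r'(?P<name>\w*' + KEYWORD + r'\w*)\s*[:=]\s*\S+', re.IGNORECASE)


def scan_jsp_source(text):
    """Return (line, region kind, name) for each suspected embedded secret.

    Only the matched name is returned, never the value, so the audit report
    does not become a second copy of the secret.
    """
    findings = []
    for region in REGION.finditer(text):
        kind = region.lastgroup
        if kind == "directive":
            continue  # page/include/taglib directives carry no free text
        pattern = COMMENT_HINT if kind == "jsp_comment" else CODE_LITERAL
        for hit in pattern.finditer(region.group()):
            position = region.start() + hit.start()
            line = text.count("\n", 0, position) + 1
            findings.append((line, kind, hit.group("name")))
    return findings


def scan_tree(root):
    """Scan every *.jsp file under root; return {path: findings} for hits only."""
    report = {}
    for path in sorted(Path(root).rglob("*.jsp")):
        hits = scan_jsp_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample page (not taken from the SESM portals).
SAMPLE_JSP = """<%@ page import="java.util.*" %>
<%-- TODO remove before go-live: RADIUS shared secret = EXAMPLE-ONLY --%>
<html><body>
<%
    String user = request.getParameter("username");
    String password = request.getParameter("password");
    String ldapBindPassword = "EXAMPLE-ONLY";
%>
<p>Welcome, <%= user %></p>
</body></html>
"""

if __name__ == "__main__":
    for line, kind, name in scan_jsp_source(SAMPLE_JSP):
        print(f"line {line}: {kind}: value assigned to '{name}'")
```

The scan is a heuristic: a scriptlet whose string literal contains `%>` ends the region early, and HTML comments are left out because they are already sent to the browser when the page renders.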

Location of Java Virtual Machine (JVM)

For the 3.2(2) release, the install no longer searches for the Java Virtual Machine (JVM). The JRE (Java Runtime Environment) is now always installed into the directory:

<install directory for SESM>/_jvm

Note The start scripts still use JDK_HOME, which takes precedence. If you want to use a different version of JRE or SDK, you should either define a JDK_HOME environment variable or edit the start scripts to explicitly point to it.


The JVM installed with this release of SESM is now version 1.4.2-b28.

Installation Notes

The following sections highlight some important installation information.

See the Cisco Subscriber Edge Services Manager Installation Guide for complete installation instructions.

Obtaining a License Number

The SESM installation program provides for two types of installation:

Evaluation—You can install SESM using a RADIUS mode evaluation option or an SPE mode evaluation option. The evaluation options do not require a license number and do not have an expiration period. An evaluation installation provides full software functionality.

Licensed—You need a license number before deploying SESM in a production environment.

A license number is available on the License Certificate that is shipped with a purchased product. If you have purchased the product but have not yet received the CD-ROM and License Certificate, you can choose the evaluation option during installation. However, be sure to reinstall the SESM software using your license number when you receive the certificate.

The license number is important when you are requesting technical support for SESM from Cisco. After installation, the license number and the software version appear in the licensenum.txt file under the installation directory.

Obtaining Cisco SESM Software Files

You can download the SESM software from the Cisco.com web site or copy it from the SESM product CD-ROM. Cisco SESM software is contained in the following packages.

For Sun platforms: sesm-3.2.2-pkg-sol.tar

For Linux platforms: sesm-3.2.2-pkg-linux.tar

For Windows platforms: sesm-3.2.2-pkg-win32.zip

If you purchased a contract that allows you to obtain the SESM software from Cisco.com, follow these procedures:


Step 1 Open a web browser and go to:

http://www.cisco.com

Step 2 Click the Login button. Enter your Cisco user ID and password.

To access the Cisco images from the CCO Software Center, you must have a valid Cisco user ID and password. See your Cisco account representative if you need help.

Step 3 Click Technical Support.

Step 4 In the pop-up window, click Software Center.

Step 5 Click Network Management Software.

Step 6 Click Cisco Subscriber Edge Services Manager.

Step 7 Download the appropriate image based on the platform you intend to use for hosting the SESM web application.

SSG, RADIUS Server, and LDAP Server Status During Installation

The SSG and RADIUS components do not need to be installed and configured before you execute the Cisco SESM installation program. However, the installation program prompts you for configuration information about these components, such as IP addresses, ports, shared secrets, and other information required for the SESM components to communicate with them. You should know these values before you perform the installation. Otherwise, you will need to reconfigure the solution later.

A freshly installed LDAP directory needs to have SESM schema extensions and RBAC objects installed. At present, the only way to extend the LDAP directory schema is during SESM Installation. It is therefore necessary to have the LDAP directory installed, configured, and running with update rights to the directory, when installing SESM.

Installing the CDAT Sample Data

After installing SESM you must install the CDAT sample data.

The CDAT sample data contains SESM specific roles which build on the default SPE roles, and provide the correct privileges for subscriber self care.

Refer to the Cisco Subscriber Edge Services Manager Quick Start Guide for information on installing the CDAT sample data.

Upgrade Information

This section contains information about upgrading from previous releases of the software.

Installing SPE Schema Extensions in LDAP Mode

Upgrading from SESM Release 3.1(9) or 3.2(1)

The new version of SPE with this release of SESM is compatible with the SPE version supplied with SESM 3.1(9) and SESM 3.2(1). However, for SESM 3.2(1) to be fully compatible with LDAP data currently running with SESM 3.1(9) or SESM 3.2(1), it is necessary to update the LDAP data so that, for each "Rule", you add the attribute "policyKeywords = CISCO_AZN".

This can be done by creating an LDIF file and using the "ldapmodify" command to update the LDAP data. Taking as an example "goldrule" from the sample data, the contents of the LDIF file will be:

dn: cn=goldrule,ou=sesm,o=cisco
changetype: modify
add: policyKeywords
policyKeywords: CISCO_AZN

Repeat the above for each "Rule", then use the following command to update the LDAP data:

ldapmodify -h <ipaddress> -p <port> -c -v -D "cn=admin,ou=sesm,o=cisco" -w <password> -f <ldif-file>
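For directories with many rules, the LDIF file can be generated rather than typed. The following is an added example, not part of the SESM distribution: it builds one modify record per rule DN, and goes beyond the single goldrule case by base64-encoding any DN that is not an LDIF safe string (RFC 2849). The function names and every sample DN other than goldrule are constructed for illustration.

```python
import base64

# Attribute name and value as given in the release notes.
ATTRIBUTE = "policyKeywords"
VALUE = "CISCO_AZN"


def _is_safe_string(value):
    """True if value may appear unencoded after 'attr: ' (RFC 2849 SAFE-STRING)."""
    if value == "":
        return True
    try:
        raw = value.encode("ascii")
    except UnicodeEncodeError:
        return False
    if raw[0:1] in (b" ", b":", b"<") or value.endswith(" "):
        return False
    return not any(byte in (0, 10, 13) for byte in raw)  # NUL, LF, CR


def ldif_line(attr, value):
    """Render one attribute line, using 'attr:: <base64>' when required."""
    if _is_safe_string(value):
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def build_ldif(rule_dns):
    """Return LDIF text that adds policyKeywords=CISCO_AZN to each rule DN.

    Blank lines, '#' comment lines and repeated DNs (compared without regard
    to case) in the input are skipped, so a hand-maintained list can be used.
    """
    records, seen = [], set()
    for dn in rule_dns:
        dn = dn.strip()
        if not dn or dn.startswith("#"):
            continue
        key = dn.lower()
        if key in seen:
            continue
        seen.add(key)
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: modify",
            f"add: {ATTRIBUTE}",
            ldif_line(ATTRIBUTE, VALUE),
            "-",  # end of this modification, as RFC 2849 specifies
        ]))
    return "\n\n".join(records) + "\n" if records else ""


# goldrule comes from the sample data named above; the other DNs are constructed.
SAMPLE_RULE_DNS = [
    "cn=goldrule,ou=sesm,o=cisco",
    "# constructed entries below",
    "cn=silverrule,ou=sesm,o=cisco",
    "CN=GoldRule,ou=sesm,o=cisco",          # duplicate of the first entry
    "cn=r\u00e8gle,ou=sesm,o=cisco",        # non-ASCII DN, must be base64-encoded
]

if __name__ == "__main__":
    print(build_ldif(SAMPLE_RULE_DNS), end="")
```

Passing the bind password with -w leaves it visible in the process list and shell history; where your ldapmodify build offers a prompt or password-file option, prefer it.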

Upgrading from SESM Release 3.1(3), 3.1(5), or 3.1(7)

If you are upgrading from SESM Release 3.1(3), 3.1(5), or 3.1(7), you must install the new SPE schema extensions, using the SESM software installation program.

Ensure that the following steps are performed:


Step 1 Export your data

Step 2 Reinstall the directory

Step 3 Install the new SPE schema extensions

Step 4 Import your data


Upgrading from Previous SESM Releases

This section provides information on upgrading from SESM 3.1(3), 3.1(5), 3.1(7) or 3.1(9) releases to SESM 3.2(2).

Installing 3.2(2)

When upgrading, it is recommended to install SESM 3.2(2) in a separate location from your previous SESM installation. By default, this version will be installed in ...cisco/sesm_3.2.2.


Step 1 If you want to use the same installation directory as the previous version, before you begin the installation:

Ensure that a backup copy of your previous SESM installation is stored in a safe location. If you want to migrate your NWSP application to the new installation, you will need to copy files later from this location.

Uninstall the previous release of SESM using instructions in the "Uninstalling a Previous Installation" section.

Step 2 Install the SESM Release 3.2(2) software. For information on installing the software, see the Cisco Subscriber Edge Services Manager Installation Guide.


To preserve your previous SESM installation customizations, including changes to configuration files and customized web applications, follow the instructions in the following section.

Migrating Previous SESM Installation Configurations and Web Portal Application

To migrate SESM Release 3.1(3), 3.1(5), 3.1(7) or 3.1(9) configurations and web portal application to SESM 3.2(2), after installation, perform the following steps:


Step 1 Copy the NWSP web application in \install_dir\nwsp as follows:

To create your own web portal, copy to \install_dir\mywebapp, where \install_dir is the location in which you installed SESM Release 3.2(2), and mywebapp is the name of your SESM web application. This creates an SESM web application named mywebapp under \install_dir.

You will need to copy files later from the unmodified \install_dir\nwsp directory to the new \install_dir\mywebapp.

If you want to use the NWSP web application without creating your own web application, copy the entire nwsp directory to another location before making any modifications.

You will need to copy files later from this unmodified backup nwsp directory to the \install_dir\nwsp directory.

Omit Steps 3a, 3b, 3d, and Step 12. Replace mywebapp with nwsp in the remaining steps.

Step 2 Copy the following files from the install location of the SESM 3.2(2) software:

a. In \install_dir\jetty\bin, copy startNWSP.sh to startMYWEBAPP.sh. Edit the startMYWEBAPP.sh file and replace APP=nwsp with APP=mywebapp. (For an SESM installation on a Windows platform, the suffix of the start file is .cmd.)

b. In \install_dir\jetty\config, copy nwsp.jetty.xml to mywebapp.jetty.xml. Edit the mywebapp.jetty.xml file and replace nwspkeystore with mywebappkeystore. Also, replace any comments that refer to NWSP.

c. In \install_dir\jetty\config, copy mywebappkeystore from your previous installation into this directory.

d. In \install_dir\jetty\config, copy nwsp.web-jetty.xml to mywebapp.web-jetty.xml.

Step 3 Migrate the previous SESM installation configurations to SESM 3.2(2). Use either of the following methods:

When the application is running, use the Application Manager to update attributes to the values used in the previous installation. Be sure to use the apply and store operations to persist the new values across application restarts.

When the application is not running, edit the XML files, updating attribute values to the values used in the previous installation.

Step 4 Verify the previous steps by starting the web application mywebapp in Demo mode.

a. In the /jetty/bin directory, run the start script. For example, on UNIX:

startMYWEBAPP.sh -mode Demo

b. Log in to the web application using the user name golduser and the password cisco. You should be able to use the SESM web application in Demo mode.

c. Stop the server.


Note To update the directory structure for a SESM web application, you usually must update only the contents of the WEB-INF subdirectory with the customizations for your web application. Step 5 overwrites almost the entire web application directory structure with the old web application directory. You then update certain files.

If your web application consists of minimal changes to the NWSP web application components, it may be more appropriate for you to leave the new SESM web application directory as is, and then overwrite only certain subdirectories from the previous SESM directory structure, such as the pages and images directories. If web.xml has been customized, then follow the instructions in Step 11 for updating this file.


Step 5 Copy the following directories (and all directories and files under them) from your previous SESM web application into the \install_dir\mywebapp location of the SESM Release 3.2(2) software.

docroot

docs

Step 6 In the install location of the SESM Release 3.2(2) software, rename the docroot directory to webapp.

Step 7 From the unmodified nwsp directory (in the installation directory or backup location), copy the following files into the corresponding SESM Release 3.2(2) location of your web application:

webapp\WEB-INF\lib\com.cisco.sesm.i18nl10n.jar

webapp\WEB-INF\lib\com.cisco.sesm.logging.jar

webapp\WEB-INF\lib\com.cisco.sesm.model.jar

webapp\WEB-INF\lib\com.cisco.sesm.platform.jar

webapp\WEB-INF\lib\com.cisco.sesm.radius.jar

webapp\WEB-INF\lib\com.cisco.sesm.types.jar

webapp\WEB-INF\lib\com.cisco.sesm.util.jar

webapp\WEB-INF\lib\com.cisco.sesm.webapps.jar

webapp\WEB-INF\lib\com.cisco.sesm.dess.jar

webapp\WEB-INF\lib\com.cisco.sesm.auth.jar

webapp\WEB-INF\lib\com.cisco.sesm.authentication.jar

webapp\WEB-INF\lib\com.cisco.sesm.gsal.jar

webapp\WEB-INF\lib\com.cisco.sesm.protect.jar

webapp\WEB-INF\lib\com.cisco.sesm.jakarta-regexp1.2.jar

webapp\WEB-INF\lib\com.cisco.sesm.log4j-1.2.6.jar

webapp\WEB-INF\lib\com.cisco.sesm.appmgmt.remotemgmt.jar

webapp\WEB-INF\lib\jsp.jar

webapp\WEB-INF\lib\*.tld

For deployments in which a WAR file will be created, copy these additional files:

webapp\WEB-INF\lib\com.cisco.contextlib.jar

webapp\WEB-INF\lib\nitrusri.jar

webapp\WEB-INF\lib\nitrustools.jar

For SPE/LDAP mode deployments only, copy these additional files:

webapp\WEB-INF\lib\dess.jar

webapp\WEB-INF\lib\auth.jar

webapp\WEB-INF\lib\authentication.jar

webapp\WEB-INF\lib\protect.jar

Step 8 Depending on whether your web application contains customized versions of the JSP pages in the webapp\decorators directory, do one of the following:

If your web application does not contain customized JSP pages in webapp\decorators, copy all files in webapp\decorators from the unmodified nwsp directory (in the installation directory or backup location), into the webapp\decorators directory at the SESM Release 3.2(2) location of your web application.

If your web application does contain customized JSP pages in webapp\decorators, do the following:

a. Use a diff utility to compare your web application's files in webapp\decorators with the same files in the unmodified nwsp directory (in the installation directory or backup location).

b. Copy all files in webapp\decorators from the unmodified nwsp directory (in the installation directory or backup location), into the corresponding SESM Release 3.2(2) location (webapp\decorators) of your web application.

c. Using the diff output from step a, replicate any customizations in all files in webapp\decorators of your SESM Release 3.2(2) web application.

Step 9 In the SESM Release 3.2(2) location that contains your web application, change the name of the webapp\WEB-INF\web.xml file to web.xml.OLD. The file web.xml is the web application's deployment descriptor file.

Step 10 Do one of the following depending on whether you have updated the jsp.jar file (using the precompile.sh script).

If you have updated the jsp.jar file, copy the WEB-INF\web.xml from the unmodified nwsp directory (in the installation directory or backup location), to web.xml.

If you have not updated the jsp.jar file, copy the webapp\WEB-INF\web.recompile.xml file from the unmodified nwsp directory (in the installation directory or backup location), into the corresponding SESM Release 3.2(2) location that contains your web application, and rename the file web.xml.


Tip The web.recompile.xml file causes the web application's JSP pages to be used rather than any precompiled JSP pages. The web server compiles each JSP page the first time the JSP page is requested after the web application is started. For information on how to use precompiled JSP pages, see the Cisco Subscriber Edge Services Manager Web Developer Guide.


Step 11 If your SESM web application's deployment descriptor file (web.xml) is customized in any way, modify the deployment descriptor file that you created in Step 10 so that it includes those customizations. For example, the number or order of user-shape dimensions that your web application uses may be different from the number or order found in the standard web.xml or web.recompile.xml file.

Step 12 In the mywebapp\config\ directory of the SESM Release 3.2(2) location, rename the file nwsp.xml to mywebapp.xml.

Step 13 In the mywebapp\config\ directory of the SESM Release 3.2(2) location, change the attribute values in the mywebapp.xml file so that their values are identical to the values used in your previous SESM installation. Use either of the following methods:

a. When the application is running, use the Agent View to update attributes to the values used in the previous installation. Be sure to use the apply and store operations to persist the new values across application restarts.

b. When the application is not running, edit the mywebapp.xml file, updating attribute values to the values used in the previous SESM installation.


Searches for Java Classes. The deployer should be aware that the SESM web portals are, by default, run in a mode that is compliant with the Java 2, Enterprise Edition (J2EE) specification. This mode is controlled by the following line in the Jetty container MBean configuration file (for example, \install_dir\jetty\config\nwsp.jetty.xml):

<Set name="classLoaderJava2Compliant">TRUE</Set>

The preceding line has the following effects on how the web server searches for classes from JAR files:

If classLoaderJava2Compliant is set to TRUE, classes from any JAR files in the \web_app_name\webapp\WEB-INF\lib directory are used after classes from any JAR files in the system CLASSPATH. This mode is compliant with J2EE.

If classLoaderJava2Compliant is set to FALSE, classes from any JAR files in the \web_app_name\webapp\WEB-INF\lib directory are used before classes from any JAR files in the system CLASSPATH. This mode is compliant with the Java 2 Servlet Specification.
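After copying JAR files during a migration, it is worth knowing which classes exist in both places, because the setting decides which copy is loaded. The following is an added example, not Jetty or SESM code: it models only the search order stated above (first JAR in the order wins) and reports each duplicated class with the JAR that wins and the JARs it shadows. The function names and the sample JARs are constructed for illustration.

```python
import io
import zipfile


def class_names(jar):
    """Return the fully qualified class names in a JAR (path or file object)."""
    with zipfile.ZipFile(jar) as archive:
        return {
            name[: -len(".class")].replace("/", ".")
            for name in archive.namelist()
            if name.endswith(".class")
        }


def search_order(webapp_jars, classpath_jars, java2_compliant):
    """Order in which JARs are consulted, per the two cases described above.

    TRUE:  system CLASSPATH first, then WEB-INF/lib.
    FALSE: WEB-INF/lib first, then system CLASSPATH.
    """
    if java2_compliant:
        return list(classpath_jars) + list(webapp_jars)
    return list(webapp_jars) + list(classpath_jars)


def shadowed(webapp_jars, classpath_jars, java2_compliant):
    """Map each duplicated class to (winning JAR label, [shadowed JAR labels]).

    Each argument is a list of (label, jar) pairs, where jar is a file path
    or an open binary file object.
    """
    winner, losers = {}, {}
    for label, jar in search_order(webapp_jars, classpath_jars, java2_compliant):
        for cls in class_names(jar):
            if cls in winner:
                losers.setdefault(cls, []).append(label)
            else:
                winner[cls] = label
    return {cls: (winner[cls], losers[cls]) for cls in sorted(losers)}


def make_jar(*class_files):
    """Build an in-memory JAR holding empty entries with the given names."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in class_files:
            archive.writestr(name, b"")
    return buffer


# Constructed sample: an old logging JAR left in WEB-INF/lib after migration
# duplicates a class that is also on the system CLASSPATH.
SAMPLE_WEBAPP = [
    ("WEB-INF/lib/old-logging.jar",
     make_jar("org/example/Logger.class", "org/example/Portal.class")),
]
SAMPLE_CLASSPATH = [
    ("classpath/logging.jar", make_jar("org/example/Logger.class")),
]

if __name__ == "__main__":
    for setting in (True, False):
        print("classLoaderJava2Compliant =", str(setting).upper())
        result = shadowed(SAMPLE_WEBAPP, SAMPLE_CLASSPATH, setting)
        for cls, (used, hidden) in result.items():
            print(f"  {cls}: loaded from {used}, shadows {', '.join(hidden)}")
```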

Upgrading from SESM Release 3.1(1)

This section provides information on upgrading from SESM Release 3.1(1) to SESM Release 3.2(2).

Migrating an SESM Release 3.1(1) Web Portal Application

Significant improvements and changes were made to the JSP pages and other web components of the SESM web application (New World Service Provider) starting with Release 3.1(3) including:

The SESM web components that accomplish decoration were re-engineered.

The Java code for interactions with the SESM model was moved from the JSP pages to the SESM control servlets. This change should minimize the modifications to the JSP pages as the SESM model evolves in the future.

Implementing these changes required that numerous Java classes and methods be deprecated for SESM Release 3.1(3). In subsequent SESM releases, these classes and methods were removed.

Because of this extensive redesign, it is not practical to use JSP pages that were developed for SESM Release 3.1(1). After SESM 3.1(3), these JSP pages would need to be modified so as to replace use of the deprecated classes and methods that have now been removed. This task would be achieved by referring to the Javadoc included in the SESM installation.

Instead of modifying the JSP pages, the recommended strategy for migrating an SESM Release 3.1(1) web application is to use the SESM Release 3.2(2) software and web components, including the JSP pages and deployment descriptor file in a sample web application like NWSP. Using this approach, you would typically do the following:

1. Recreate the customizations from your SESM Release 3.1(1) web application in the set of JSP pages in the SESM Release 3.2(2) NWSP. For this step, you might need to accomplish one or more of the following changes to the sample SESM Release 3.2(2) web application:

Modify the functionality of the web application

Customize the look and feel of web elements such as icons, images, background colors, and style sheets

Localize web elements

Code revised or new JSP-page dimension decorators for the user-shape mechanism

If you use Dreamweaver UltraDev or Dreamweaver MX and the templates provided with the sample NWSP web application, the HTML customizations can be accomplished more efficiently. For detailed information on customizing and developing an SESM Release 3.2(2) web application, see the Cisco Subscriber Edge Services Manager Web Developer Guide at:

http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/webdevgd/index.htm

2. Configure the SESM Release 3.2(2) web application deployment descriptor file (web.xml) as described in the Cisco Subscriber Edge Services Manager Web Developer Guide at:

http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/webdevgd/ch3_adv.htm

3. Configure the customized SESM Release 3.2(2) web application as described in the Cisco Subscriber Edge Services Manager Installation Guide at:

http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/instconf/05portal.htm

4. Precompile the finalized production JSP pages using the directions and script provided in the Cisco Subscriber Edge Services Manager Web Developer Guide.

Uninstalling a Previous Installation

Use the uninstall utility provided with the SESM product to remove a previous installation. The uninstall utility is located in the following directory:

installDir
   _uninst
      uninstall.bin or uninstall.exe

The uninstall utility does the following:

Lets you choose the components to uninstall.

Verifies the installation directory that is being uninstalled.

Uninstalls the SESM components. It does not remove the installation directory, only the contents under the installation directory.

After you run the uninstall utility, you can safely reinstall one or more SESM components into the same directory.


Note Do not uninstall SESM by manually deleting the contents of the installation directory. If you manually remove the contents of the directory and then attempt a reinstall into the same directory, the reinstall might not be complete.


Important Notes

The following sections describe some important considerations related to the Cisco SESM.

Modifying Java Server Pages

The SESM portal applications use precompiled JavaServer Pages (JSP). If you modify the JSP pages in one of the SESM portal applications, you must recompile the JSP pages before the changes are visible in the application. For information on recompiling, see the Cisco Subscriber Edge Services Manager Web Developer Guide.

JMX Management Console

The Sun example JMX server includes an HTML adaptor server that produces a web-based management console. The JMX HTML adaptor server forms the basis of the remote management and configuration support provided by the CDAT management application. For example, an administrator can make configuration changes and can have these changes persisted with this new support.


Note In an earlier release, we recommended that the JMX HTML adaptor server functionality be removed when deployed in a production environment.

Starting with SESM Release 3.1(5), the JMX HTML adaptor server is required if a deployer needs this feature as part of the CDAT management application.


To protect access to SESM application management consoles, the JMX interface prompts for a username and password. For additional security, the deployer could deploy the SESM application behind a firewall.

For information about configuring the login values for SESM application management consoles, see the Cisco Subscriber Edge Services Manager Application Management Guide.

JDK Home Settings

The JVM used by the SESM applications is determined by the setting of the JDK_HOME variable in the SESM start scripts, for example .../jetty/bin/start.sh. However, the SESM start scripts give precedence to a JDK_HOME environment variable, if one is set.

Caveats

Table 2 describes known problems in SESM Release 3.2(2):

Table 2 Caveats in SESM Release 3.2(2)

Category
Caveat
Description

General Issues

CSCuk28056

When a subscriber with inherited Cisco AV Pairs from a user group creates a subaccount from the NWSP application, the subaccount does not inherit the parent's AV Pairs. If the parent account has a Local Cisco AV Pair, the subaccount inherits that AV Pair.

Workaround: After a subscriber creates a subaccount, an administrator must use CDAT to set the Cisco AV Pairs either in the subaccount or in the parent account.

CSCuk31287

A user group member is erroneously autoconnected to a service when the following conditions are true:

The user group has a subscribed service which is defined as auto-logon.

The service is a member of a service group, but the user is not subscribed to the service group.

When the user logs on, the service is autoconnected even though the user is not subscribed to the service group.

Workaround: Do not define services in a service group as auto-logon in a user group.

Installation Issues

CSCuk45717

Silent Install doesn't work on Windows.

Workaround: Use the GUI or Console install instead.

CSCuk46052

SESM stop scripts do not work when SESM applications are started with long command paths.

Workaround: Do not start SESM applications with long command paths. Instead, go to the directory containing the SESM start script and start the application from there. This ensures that the corresponding stop script works.

CSCuk46065

Various Windows Services Problems

1. No Windows Service scripts are provided for installing the Message Portal, Web Proxy, Web Services Gateway, or Remote Management Interface as Windows Services. Note that CDAT-Application Management relies on the RMI running, so CDAT-AM cannot be used as a Windows Service.

2. Start-Up of the RDP as a Windows Service is not successful.

3. Start-Up of the CDAT as a Windows Service is not successful.

Workaround: There are no workarounds for the above issues, so the SESM applications mentioned cannot be installed or used as Windows Services.

CSCuk44745

SPE authentication fails if SESM is installed in SPE mode directly from a CD-ROM, when using iPlanet directory.

This is because the installer attempts to create a temporary file on the CD-ROM for modifications to the SPE. Although this is not possible, no installation errors occur unless logging is enabled during installation.

As a result, it is not possible to authenticate against the SPE after installation.

The same problem occurs if you run the installer from the hard disk but do not have write access to that location.

This problem affects all platforms.

Workaround: When installing SESM from a CD-ROM, it is recommended that the contents of the CD-ROM are copied to hard disk and the installer is run from there. Make sure that you have write access to the location of the install image.

CSCuk44912

If you are installing SESM with NDS, you cannot choose a type of Password Encryption Algorithm. User passwords will only be stored SHA encrypted.

Workaround: None

CSCuk49356

SESM processes that are not stopped before uninstalling SESM stay alive, and their associated ports remain busy. Before uninstalling SESM, stop all SESM applications.

RDP Issues

CSCuk39441

Primary Service At Group Level not working.

If a subscriber has a Primary Service by virtue of inheriting it from a User Group, then the RDP will not pass the IP Pool associated with the Primary Service to the SSG.

Workaround: Either assign the Primary Service to the User profile or assign a Pool Name to the User Group profile.

CSCuk49376

Under load conditions, occasional RADIUS Authentication Requests sent to the RDP may be lost or ignored. When the RDP opens a UDP socket for receiving Authentication Requests, the default mode of operation is for the RDP application to request the Operating System to set the Socket Receive Buffer length to 4k Bytes. Packet loss may occur when a sudden burst of Authentication Requests is sent to the RDP, because the Receive Buffer fills up faster than the RDP can read and process the requests. When the Receive Buffer is full, further Authentication Requests sent to the RDP are lost.

The setting of the Socket Receive Buffer length is an Operating System dependent operation. Some Operating Systems will accept the request while others will ignore it, setting the Buffer length to a default value. This packet loss has been noticed while using Linux.

Workaround: Rely on the usual IOS RADIUS retry mechanism, in which the timeout and number of retries are configurable.
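The following Python example is added here and is not SESM or RDP code: it requests a receive buffer on a loopback UDP socket, reads back what the operating system actually granted, and counts how many datagrams of an unread burst survive, which is the loss mode described in CSCuk49376. The function names, the 200-byte payload, and the burst size are assumptions made for the illustration.

```python
"""Added example (not SESM/RDP code): observe what a UDP receive-buffer
request yields on this OS and how an unread burst overruns it.
All names and the payload are constructed for illustration."""
import socket


def effective_rcvbuf(sock, requested):
    """Request SO_RCVBUF and return the size the OS reports afterwards.

    The OS may round, double (Linux), clamp, or ignore the request.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)


def measure_burst(requested_rcvbuf, burst=200, payload_len=200):
    """Send `burst` datagrams to an unread loopback socket, then drain it."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        granted = effective_rcvbuf(rx, requested_rcvbuf)
        rx.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
        addr = rx.getsockname()
        for seq in range(burst):       # nothing is reading yet
            payload = seq.to_bytes(4, "big").ljust(payload_len, b"\0")
            tx.sendto(payload, addr)
        rx.settimeout(0.2)
        received = 0
        try:
            while True:                # drain whatever the kernel kept
                rx.recv(65535)
                received += 1
        except socket.timeout:
            pass                       # queue is empty
        return {
            "requested": requested_rcvbuf,
            "granted": granted,
            "sent": burst,
            "received": received,
            "lost": burst - received,
        }
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    # 4 KB is the size the release note says the RDP requests by default.
    for size in (4096, 256 * 1024):
        print(measure_burst(size))
```

Comparing the "granted" and "lost" values for the two requests on the RDP host shows whether that operating system honours the 4 KB request and how small a burst it takes to overrun it.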

CDAT Issues

CSCuk29592

If an administrator deletes a service from CDAT that is defined as an autoconnected service in a subscriber's profile, some service-related attributes might not be deleted from the directory. The problem occurs regardless of whether the subscriber is logged in or logged out. These redundant attributes do not have an impact on the subscriber.

Workaround: There is no impact in leaving these attributes in the directory, but administrators can manually remove the attributes if they wish.

CSCuk31892

CDAT cannot distinguish between local and inherited generic RADIUS attributes in a user profile when the user is a member of a group for which the generic attributes are defined.

Workaround: None

CSCuk30471

CDAT cannot distinguish between user and group pool names.

Workaround: None

CSCdv02447

When CDAT displays subaccounts, it displays group membership and not blocked roles.

Workaround: You can manipulate these values using an LDAP server administration tool such as ConsoleOne, or by using the appropriate NWSP application self-care feature to modify the roles of a subaccount.

CSCuk32178

In CDAT, the Service Filters attributes are not inherited by the user from a user group.

Workaround: If these attributes are required, they must be directly assigned to each user.

CSCuk43101

Within the SESM Application Management 'SSG' screen, it is only possible to create and edit Subnet Attributes that have an Attribute type of 'IP'. Other valid Subnet Attributes are listed below, but these cannot be specified on a per-subnet basis because the 'Attribute Value' field is required to be 'IP'.

Other Valid Attributes:

MASK
PORT
SECRET
TIMEOUTSECS
RETRIES
BUNDLE_LENGTH
IP
SESSION_<attribute>

Workaround: To set any of the listed Attributes on a per-subnet basis, you are required to edit the appropriate application configuration file.

As an example, if you wish to create a new mapping for the 192.168.2.0/24 client subnet and a SESSION_LOCATION Attribute (of type 'london') within the NWSP web portal, you would add a line similar to the following:

<Call name="setSubnetAttribute"><Arg>192.168.2.0</Arg><Arg>255.255.255.0</Arg><Arg>SESSION_LOCATION</Arg><Arg>london</Arg></Call>

For these changes to take effect, save the configuration file and restart the application.

CSCuk44001

A user is not able to set the 'Country' field in the SESM 'My Account' page.

Workaround: None

Note This is only an issue where SESM is installed in SPE mode, using an LDAP directory as its datastore.

CSCuk44022

After a user has logged in to the SESM CDAT Directory Management application, they are unable to access the CDAT Help page. If they attempt to do so, they will see the following error reported in the browser:

HTTP Error: 500 String index out of range: -1
RequestURI=/help

Workaround: None. For help with the CDAT Directory Management application, please refer to the online SESM Documentation.

WSG Issues

CSCuk49409

The Web Services Gateway (WSG) application supports both SSL and HTTPS. However, the SSL certificate bundled with this application has expired (as have the SSL certificates bundled with the other SESM applications). Consequently, it is not possible to use the WSG demo Client (<install-directory>/wsg/bin/wsgClient.sh) for SSL communication with WSG without updating the certificate.

Workaround: Update the certificate.

CSCuk48372

When the Web Services Gateway (WSG) does not have an active SESM Session (e.g. WSG SESM Session has expired) and it is subsequently sent a De-authentication request, it will respond with a successful indication, but the SSG Host Object will not be deactivated.

Workaround: The WSG Client application should send a Get Status request before sending the De-authentication request.


Related Documentation

See the following documentation regarding SESM.

Cisco Subscriber Edge Services Manager Quick Start Guide

Cisco Subscriber Edge Services Manager Solutions Guide

Cisco Subscriber Edge Services Manager Installation Guide

Cisco Subscriber Edge Services Manager Deployment Guide

Cisco Subscriber Edge Services Manager Web Portal Guide

Cisco Subscriber Edge Services Manager Captive Portal Guide

Cisco Subscriber Edge Services Manager RADIUS Data Proxy Guide

Cisco Subscriber Edge Services Manager Troubleshooting Guide

Cisco Subscriber Edge Services Manager Platform SDK Programmer Guide

Cisco Subscriber Edge Services Manager Application Management Guide

Cisco Subscriber Edge Services Manager Web Services Gateways Guide

Cisco Subscriber Edge Services Manager Plug and Play Guide

Cisco Distributed Administration Tool Guide

Cisco Subscriber Edge Services Manager Web Developer Guide

The online location for SESM documentation is:

http://www.cisco.com/univercd/cc/td/doc/solution/sesm/index.htm

Obtaining Documentation

The following sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following URL:

http://www.cisco.com

Translated documentation is available at the following URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

Cisco documentation is available in the following ways:

Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.

Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases (your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/go/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html