Cisco ACE XML Gateway User Guide (Software Version 6.1)

Deploying the Policy


This chapter describes how to deploy a policy to the ACE XML Gateway. It covers these topics:

Deployment Overview

Deploying a Policy

Selectively Rolling Back Policy Changes

Reloading URL-Based Resources at Deployment

Deploying an Approved Policy

Deployment Overview

As you make configuration changes in the console and save those changes, you're committing the changes to a working copy of the policy on the ACE XML Manager. The changes do not take effect at the Gateway until the working policy is deployed from the ACE XML Manager.

Deploying a policy transmits the policy from the ACE XML Manager to any ACE XML Gateways in the ACE XML Manager's administrative domain. Once deployed, the policy's rules and behaviors are applied by the ACE XML Gateway.

In a development or evaluation setting, it is likely that you will want to deploy the policy frequently, for example, to test the effect of changes. In a production setting, however, deployment should only occur after the policy has been tested and verified. If necessary, you can enable approval-based deployment features to control the deployment process.

You can deploy a policy selectively, for example, to a Gateway that has been recently added to the ACE XML Manager's domain. In general, however, all Gateways in a particular domain should have the same policy.

The deployment process occurs in several steps.

1. The ACE XML Manager performs a basic review of the policy, looking for configuration errors and other potential problems.

2. The ACE XML Manager compiles the policy, transforming it into the native format of the ACE XML Gateway for execution.

3. The ACE XML Manager adds a timestamp and ID code to the policy, and saves it in its archive.

4. The ACE XML Manager transmits the policy to the ACE XML Gateway.

5. The ACE XML Gateway accepts the policy, stops services briefly, re-configures them to enforce the new policy, and restarts the services.

As a final step in verifying the success of a deployment, we recommend that you check the status of the I/O processes on the System Management page. Problems in the policy could prevent the http-server or reactor processes from restarting. You can confirm that all processes are running by checking the I/O Processes table in the Gateway Status settings.

After completing the steps successfully, the ACE XML Gateway enforces the new policy.

Who Can Deploy Policies

In order to deploy a policy (or to approve one for deployment, if approval-based deployment is enabled) a user must have adequate permissions. Specifically, the user must:

Be an Administrator or Privileged user with the Operations role.

Have access to the Shared subpolicy and the subpolicy to deploy.

Additionally, if approval-based deployment is enabled, the policy or subpolicy itself must be approved for deployment. An Administrator user can always deploy and approve policies. Operations role users may deploy policies if they have access to the subpolicy involved in the deployment as well as the Shared subpolicy. "Any subpolicy" access is required to approve a policy for deployment.

With approval-based deployment, users who do not have access to Shared instead request approval for policy changes from the administrator, who performs the actual deployment.

Deploying a Policy

Deploying a policy makes the changes in the current working policy take effect at the ACE XML Gateway. Only Administrator users and Privileged users with the Operations role can deploy policy changes in the web console.

Optionally, an Administrator can enable approval-based deployment in the web console. When enabled, only certain users can approve or deploy a policy. The procedure for deploying the policy with approval-based deployment enabled is similar to these standard deployment instructions, with a few extra steps. For more information, see Approval-Based Deployment.

When approval-based deployment is not active, deploy a policy as follows:


Step 1 While logged in to the web console as an Administrator user or as a Privileged user with the Operations role, if your policy contains subpolicies, set the active subpolicy to the one from which you want to deploy.

If there are subpolicies in a policy, deploying only moves the artifacts in the subpolicy that is active when deployment occurs. If you want to deploy changes from more than one subpolicy, you need to activate each subpolicy and deploy from the subpolicy one-by-one.

Step 2 Click the Deploy Policy button at the top of the page.

If resource-reloading is enabled, the Step 1 of 4: URL Resource Refresh page appears. This page lets you ensure that the policy has the latest versions of any resource files loaded from URL locations, such as certificates. For details, see the "Reloading URL-Based Resources at Deployment" section.

If resource-reloading is not enabled, the ACE XML Manager displays the Step 1 of 3: Review Changes page. This page summarizes differences between the current policy and the policy to be deployed. For details, see the "Selectively Rolling Back Policy Changes" section.

Step 3 If the URL Resource Refresh page appears, click the Reload Resources Now button to upload changed URL-based resources.

The ACE XML Manager attempts to retrieve new copies of all URL-based resources that the policy to deploy uses. It then displays the Review Changes page.


Note Reloading URL-based resources cannot be undone. If you think you may need to revert to a previously saved version of a resource, be sure to save a copy of the current version of the resource before you click the Reload Resources Now button.


Alternatively, click Continue To Next Step to skip reloading resources.

Step 4 Click the Continue to Next Step button to continue the deployment process.

The Step 2 of 3: Basic Policy Review page lists conditions that would prevent successful deployment. Links on the page provide access to affected policy objects so you can make any changes needed to fix the problems.

To discontinue deploying the new policy, click the Exit To Policy Manager button.

Step 5 Review and, if necessary, address any compilation warnings or errors displayed.

The ACE XML Manager performs extensive compile-time policy checking to help ensure the integrity of the deployed policy. As you resolve each potential problem, the ACE XML Manager removes its associated warning from the Basic Policy Review page. To return to the Basic Policy Review page after resolving a problem, use your browser's Back button. Alternatively, click the Deploy button to restart the deployment process.

Step 6 When you have addressed the warnings on the Basic Policy Review page, click the Continue To Next Step button to continue the deployment process.

The Compile and Deploy page appears. A "Please wait" message may appear for several seconds as the policy is compiled. Compilation transforms the policy to the native executable format of the ACE XML Gateway. When finished, the page displays information about the compiled policy, including its timestamp and the ID number assigned by the ACE XML Manager.

Step 7 Type a description for this policy version in the Policy Description field.

This description helps to document the policy in the console. It appears in the Description column of the policy history. By default, this is an optional field. However, the administrator of the ACE XML Manager can make descriptions required from the Manager Settings page.

Step 8 Specify the appliances to which you want to transfer the compiled policy by checking the box next to its address or hostname. An out-of-date status for a Gateway indicates that the compiled policy is different from the currently deployed policy.


Note It's possible to deploy a policy to some but not all of the appliances in a cluster. Do not do this, however, unless you are certain of the reasons for it. This is not a normal deployment strategy for the ACE XML Gateway. Under normal circumstances you should deploy the policy either to all or to none of the Gateways controlled by the ACE XML Manager in a given cluster.


Step 9 Click the Deploy To Selected Gateways button to finish deploying the policy.

The ACE XML Manager transmits the policy to the selected appliances, where it will be enforced on network traffic.

The Compile and Deploy screen reappears, displaying the results of the deployment: for each previously selected Gateway, the Status column displays Up to Date, the Deployed Policy Description column displays the description of the new policy, and the Deployed Policy Timestamp&ID column reflects the policy ID and timestamp of the new deployment.


The new policy is now in effect at the ACE XML Gateway.
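
A post-deployment consistency check for the verification described above, as an added example that is not part of the Cisco guide or the product. It assumes you have copied the Status and Deployed Policy Timestamp&ID columns and the I/O Processes table into the dictionary layout shown; that layout, the "running" state label, the hostnames and the policy IDs are all constructed for illustration.

```python
from collections import defaultdict

# Processes the guide says a problem policy can prevent from restarting.
REQUIRED_PROCESSES = ("http-server", "reactor")

# Constructed sample values; real Timestamp&ID strings come from the console.
NEW_ID = "2024-05-02 09:30 #0002"
OLD_ID = "2024-04-18 16:05 #0001"
SAMPLE = [
    {"host": "gw-a.example.test", "status": "Up to Date", "policy_id": NEW_ID,
     "processes": {"http-server": "running", "reactor": "running"}},
    {"host": "gw-b.example.test", "status": "Out of Date", "policy_id": OLD_ID,
     "processes": {"http-server": "running", "reactor": "running"}},
    {"host": "gw-c.example.test", "status": "Up to Date", "policy_id": NEW_ID,
     "processes": {"http-server": "running", "reactor": "stopped"}},
]


def check_deployment(expected_policy_id, gateways):
    """Return (gateway, problem) tuples; an empty list means the cluster is consistent.

    expected_policy_id: Timestamp&ID shown for the policy that was just compiled.
    gateways: rows transcribed from the Compile and Deploy screen, each with
        host, status, policy_id and a processes mapping (assumed layout).
    """
    findings = []
    hosts_by_policy = defaultdict(list)
    for gw in gateways:
        host = gw["host"]
        hosts_by_policy[gw["policy_id"]].append(host)

        # Status column: anything other than "Up to Date" needs attention.
        if gw["status"].strip().lower() != "up to date":
            findings.append((host, f"status is {gw['status']!r}"))

        # The Gateway must enforce the policy version that was just deployed.
        if gw["policy_id"] != expected_policy_id:
            findings.append(
                (host, f"enforces {gw['policy_id']!r}, expected {expected_policy_id!r}"))

        # A policy problem can leave these processes stopped after the restart.
        for proc in REQUIRED_PROCESSES:
            state = gw.get("processes", {}).get(proc)
            if state is None:
                findings.append((host, f"{proc} missing from I/O Processes table"))
            elif state.strip().lower() != "running":
                findings.append((host, f"{proc} is {state!r}"))

    # More than one policy version in the cluster means a partial deployment.
    if len(hosts_by_policy) > 1:
        split = "; ".join(f"{pid}: {', '.join(sorted(hosts))}"
                          for pid, hosts in sorted(hosts_by_policy.items()))
        findings.append(("cluster", f"partial deployment, policies differ ({split})"))
    return findings


if __name__ == "__main__":
    for gateway, problem in check_deployment(NEW_ID, SAMPLE):
        print(f"{gateway}: {problem}")
```
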

Selectively Rolling Back Policy Changes

At any time, you can selectively roll back or accept changes encapsulated by a policy version, as follows:


Step 1 As an Administrator user or as a Privileged user with the Operations role in the console, click the Policy Manager link in the navigation menu.

Step 2 In the policy history section at the bottom of the Policy Manager, click the Roll Back button next to the policy version to review.

The Roll Back To description page appears. In place of the italicized replaceable description text is the text that appears in the Date Saved and Description columns of the specified policy's entry in the policy history.

Step 3 Click Accept addition or Accept deletion checkboxes as necessary to accept or reject individual changes to the policy.

A checkmark in an Accept addition checkbox indicates approval of the action specified. Removing a checkmark indicates your rejection of the action its label specifies.

Step 4 Click Save Changes to confirm your changes.


The Policy Manager page appears and the working policy reflects the choices you just confirmed. You can now request administrative approval of the changed policy or, if you have sufficient privileges, you can deploy it yourself.

Reloading URL-Based Resources at Deployment

The Gateway policy may include resource files that were loaded into the policy from a location specified by URL. In general, the ACE XML Gateway does not attempt to retrieve remote resources at runtime. Instead, it stores the resource in the policy. However, every time you deploy the policy, you can refresh the copy of the resource with the version located at the URL specified when the resource was originally loaded into the policy, as follows:


Step 1 Click the URL Resource Refresh button in the Review section of the Policy Manager page.

The URL Resource Refresh page appears. This page lists each network-based resource the working policy uses, along with the URL that provides the resource, the time of the last attempt at reloading the resource, and the result of that attempt.

Step 2 Click the Reload Resources Now button.


Note This operation cannot be undone. If you think you may need to revert to a previously saved version of a resource, be sure to save the current version of the resource before you click the Reload Resources Now button.


The ACE XML Manager attempts to download a new copy of each resource in the list. As it proceeds, it updates the Last Reloaded and Result columns to reflect the status of each attempt.

Step 3 Click the Continue To Next Step button, at the bottom of the URL Resource Refresh page.

The ACE XML Manager retrieves URL-specified resources.


Approval-Based Deployment

In approval-based (or two-stage) deployment, a policy developer first requests approval for changes made to the policy. The administrator reviews and either approves or rejects the changes. Once approved, the changes can be deployed by the administrator.

When this feature is enabled, privileged users can still edit policies just as always, but the Deploy section of the Policy Manager is replaced by a Submit section, where users request administrative approval of changes to the working policy.

If requesting approval from within a subpolicy, only the changes from within that subpolicy are represented by the change request. A user working in multiple subpolicies will need to request approval within each subpolicy.

The procedures applicable to approval-based deployment are:

Enabling Approval-Based Deployment

Viewing Approval Status and Requests

Requesting Approval of Policy Changes

Approving or Rejecting Policy Changes

Deploying an Approved Policy

Enabling Approval-Based Deployment

Approval-based deployment is disabled by default. To enable it, follow these steps:


Step 1 As the Administrator user in the ACE XML Manager web console, click the System Management link in the navigation menu.

Step 2 Click the link labelled Manager Settings, which is to the right of the ACE XML Manager heading.

Step 3 In the General settings area, find the Workflow configuration options, and enable the Use approval-based deployment option.

Step 4 Click the Save Changes button.

The System Management page appears.

Step 5 Log out of the ACE XML Manager's web console.

Step 6 Verify that approval-based deployment is enabled by logging into the ACE XML Manager web console as a non-administrative user in the Operations role.

Step 7 Click the Policy Manager link in the navigation menu.


If the configuration change succeeded, a Submit section appears in place of the Deploy section.

Viewing Approval Status and Requests

When approval-based deployment is enabled, the Manager Dashboard provides additional information concerning the status of subpolicy deployment, as discussed in this section.

Approved Policy Status

At the top of the Dashboard, the Approved Policy Status section lists proposed policy changes awaiting the approval of an administrative user.

The Approved Policy Status section appears only when approval-based deployment is enabled. Only privileged users (those with the ability to edit or deploy policies) can view this section of the Dashboard.

This section displays only subpolicies available to the user account logged into the ACE XML Manager. If the user has "any subpolicy" access, this section displays the status of all subpolicies simultaneously. Otherwise, it displays the status of the active subpolicy only; to view the approval status of another subpolicy, you must make that subpolicy the active subpolicy.

For each subpolicy visible to the account logged into the ACE XML Manager, this section lists the following information:

Date and time the subpolicy was last approved

Whether the most-recently approved version was deployed

Date and time of the request for approval of the new or changed subpolicy

The username of the web console user who originated the request

If you have policy-review privileges, a Review button appears next to each pending request.

Approval Request Status for Active Subpolicy

The Approval Request Status For section on the Dashboard lists outstanding requests for approval of changes to the active subpolicy.

Only privileged users (those with the ability to edit or deploy policies) can view this section of the Dashboard. This section displays the status of the active subpolicy only; to view the status of another subpolicy, make that subpolicy the active subpolicy.

This section lists the status of each request for approval as one of the following values:

Approved—A policy reviewer has authorized deployment of the subpolicy. A user in the Operations role who has "any subpolicy" access can transmit this policy to the ACE XML Gateway for enforcement.

Approval Requested—A user has requested that a policy reviewer authorize the deployment of a new or changed subpolicy. Before approving the subpolicy, the reviewer inspects the differences between this policy or subpolicy and the one the ACE XML Gateway enforces currently. The reviewer can approve or deny each change individually to ensure that the policy ultimately deployed to the ACE XML Gateway performs as intended.

Rejected—A policy reviewer has denied authorization to deploy a new or changed subpolicy. After changing the unacceptable portions of the policy, you can request approval again.

Requesting Approval of Policy Changes

If approval-based deployment is enabled, new or changed subpolicies cannot be deployed until the change is approved by an administrator or privileged user with the operations role.

To request approval of a new or changed subpolicy:


Step 1 Make the subpolicy with changes to be approved active in the console, and click the Request Approval button at the top of the page.

If resource-reloading is enabled, the Step 1 of 4: URL Resource Refresh page appears. Before deploying a policy, you can use the Resource Refresh page to ensure that the policy has the latest versions of any remotely hosted resources, such as schemas or certificates obtained from URLs. For details, see the "Reloading URL-Based Resources at Deployment" section.

If resource-reloading is not enabled, the ACE XML Manager displays the Step 1 of 3: Review Changes page. This page summarizes differences between the current policy and the policy to be deployed. For details on the Review Changes page, see the "Selectively Rolling Back Policy Changes" section.

Step 2 If the URL Resource Refresh page appears, click the Reload Resources Now button to load URL-based resources.

The ACE XML Manager attempts to retrieve new copies of all URL-based resources that the policy to deploy uses. When finished, it displays the Review Changes page.


Note Reloading of URL-based resources cannot be undone. If you think you may need to revert to a previously saved version of a resource, make sure you have archived a backup copy of the current version of the resource before you click the Reload Resources Now button.


Step 3 Click the Continue to Next Step button.

The Step 2 of 3: Basic Policy Review page appears. This page shows warnings about possible problems the changed policy might introduce.

Step 4 Review the warnings. You may choose to resolve the issue that generated the warning or to overlook the warning for now. If you need to alter your policy to resolve a warning, click Exit to Policy Manager to exit the approval process and edit your policy.

When finished, click the Continue to Next Step button.

Step 5 In the Step 3 of 3: Submit Request page, type a short description or comment in the Description field.

The description is typically used to characterize the changes in the submission to an administrator or other developer. It is visible to any user that has policy-viewing permissions.

Step 6 Optionally, send email notification of the request as follows:

a. Click the Send e-mail notification of this approval request button.

b. Type the addresses of recipients in the To e-mail address field.

c. Type the sender's email address in the From e-mail address field. Normally, this would be the address of the requestor.

Step 7 Click the Submit Request button.


The approval request appears in the Dashboard page. For an administrator user or privileged user with the operations role, the request appears in the Approved Policy Status pane at the top of the Dashboard. For users who have access to the Shared subpolicy, the request appears in the Approval Request Status for Shared section.

Approving or Rejecting Policy Changes

Administrators or privileged users with the operations role can review and approve or reject policy changes. A change request needs to be approved before the changed policy can be deployed to the ACE XML Gateway.

In the Manager Dashboard, the Approved Policy Status section displays the most recently proposed and the most recently approved changes for each subpolicy. Each row shows the subpolicy's last date of approval, deployment status, and most recent change awaiting approval. For a complete list of all approval requests, see the policy history at the bottom of the Policy Manager page.

If you have policy deployment privileges, a Review button appears next to the most recent request that awaits approval. When you click the Review button, the ACE XML Manager treats all pending changes affecting that subpolicy as one subpolicy that you can approve or reject in total. To approve or reject changes selectively, see the "Selectively Rolling Back Policy Changes" section.

To accept or reject all changes to the active subpolicy:


Step 1 As an Administrator or Privileged user with the Operations role in the console, in the Approved Policy Status section of the Dashboard, click the Review button at the far right of the row describing the policy to be approved or rejected.

Step 2 In the Review Approval Request page, approve or reject the policy as follows:

To approve all changes, click the Approve Changes button.

To reject all changes, click the Reject Changes button.

To exit without making any changes, leaving the approval request still pending, click the Cancel Review button.

The Dashboard page appears. The Approved Policy Status and Approval Request Status areas reflect the results of your choice.


The policy-approval process allows an administrator to accept or reject a policy in its entirety. Following an approval, you can effect selective approval by using the roll back process in the Policy Manager. For more information, see Selectively Rolling Back Policy Changes.

Deploying an Approved Policy

Once a policy approval request has been submitted and approved, the changes encapsulated in the request can be deployed by an Administrator user or Privileged user with the Operations role.

If subpolicies exist in the policy, deploying only moves the artifacts in the subpolicy that is active (including Shared) when the deployment occurs. If you want to deploy changes from more than one subpolicy, you need to activate each subpolicy and deploy from the subpolicy one-by-one.

To deploy the policy with approval-based deployment enabled, follow these steps:


Step 1 In the web console, click the Deploy Approved Policy button to compile the policy and transmit it to the ACE XML Gateway for enforcement.

The Step 2 of 3: Basic Policy Review page lists the approval status. Although a similar review appears for policy submission, the Basic Policy Review page may appear a second time since the policy may have changed after submission.

Step 2 Review and respond to any warnings in the ACE XML Manager.

Because the policy has already been approved, you cannot change it. If you are not willing to deploy the policy as it is, you must click the Exit to Policy Manager button to cancel the deployment. Subsequently, you can edit the policy in the Policy Manager and resubmit it for approval.

Step 3 If satisfied with the approved policy, click the Continue To Next Step button to continue the deployment process.

The Compile and Deploy screen displays the message "Please wait" as it compiles the policy, transforming it to the native executable format of the ACE XML Gateway. When finished, it displays the message "This policy is compiled and can now be deployed," along with controls that enable you to specify the ACE XML Gateway appliances that are to load and enforce this policy.

Step 4 Click the check box next to each Gateway appliance that is to receive this policy.


Note It's possible to deploy a policy to some but not all Gateways in a cluster. Do not do this unless you are certain of the reasons for it. Under normal circumstances you should deploy the policy to either all or none of the Gateways in a cluster.


Step 5 Click the Deploy To Selected Gateways button to finish deploying the policy.

The ACE XML Manager transmits the policy to the selected Gateways, which accept the policy and reconfigure themselves to enforce it. The Compile and Deploy screen displays the results of the deployment. The Timestamp&ID column reflects the policy ID and timestamp of the new deployment.


Your new policy is now in effect.