CEPM Dotnet Agent Guide - Configuring the pep_config.xml File [Cisco Policy Enforcement Point]

Table Of Contents

Configuring pep_config.xml File

<cache>

<type>

<refresh>

<interval>

<prefetch>

<applicationgroup>

<application>

<loadbalance>

<pdps>

<http-proxy>

<apis>

<adapters>

<SSL>

Configuring pep_config.xml File

This appendix describes the structure of the PEP configuration file (pep_config.xml) that is embedded into the protected .NET application to avail fine grained authorization provided by CEPM and gives guidelines for configuring it to suit the requirements of your application.

The following is a sample pep_config.xml file:
<pep_config version="3.3">
<cache decisionCacheEnabled="true"  cacherefreshtype="onlyupdated" decisionsOnly="false" 
provider="net.securent.agent.sdk.cache.CacheProvider" 
implementor="Com.Cisco.Epm.Cache.Impl.NCache" 
eventProvider="Com.Cisco.Epm.Cache.Event.EventProvider" > 
    <type>TTL</type>
    <refresh enable="false">update</refresh>
    <interval>20</interval>
    <prefetch enable="false" type="user" bulkUsersPerRequest="10">
      <prefetchForApis>
        <api name="isUserAccessAllowed">
          
          
          
          
          
          
          
          
          
        </api>
        
      </prefetchForApis>
      
	  <groups>
        
        
      </groups>
      <roles>
        
        
      </roles>
      <resources>
        
        
      </resources>
   </prefetch>
   <applicationgroup>Prime group</applicationgroup>
   <application>Prime portal</application>
  </cache>
  <logs  enable="false" records="20" logsttl="10"/>
  <loadbalance enabled="false">
    <algorithm>roundrobin</algorithm>
    <refreshtime>10</refreshtime>
    <timeout>10000</timeout>
  </loadbalance>
  <pdps>
    <pdp>
      <protocol>soap</protocol>
      <username>admin</username>
      <password>h1BYu+lcwcM=</password>
      <url>http://localhost:8080/pdp/services/AuthorizationService</url>
      <timeout>1000</timeout>
    </pdp>
    
   </pdps>
  <http-proxy>
    <host></host>
    <port></port>
  </http-proxy>
  <apis>
    <api>
      <url>http://localhost:8080/cepm</url>
      <username>superuser</username>
      <password>h1BYu+lcwcM=</password>
      <repositoryname>Default Domain</repositoryname>
	  <timeout>10000</timeout>
    </api>
  </apis>
  <adapters>
    <soap>Com.Cisco.Epm.Soap.SoapTransportAdaptor</soap>
    <http>Com.Cisco.Epm.Http.HttpTransportAdaptor</http>
  </adapters>
  <ssl truststoreFile="C:\OpenSSL\bin\PEM\demoCA\keypair.p12" 
truststorePass="changeit"></ssl>
	<dncache>
    <cachepath>C:\DotnetCache\DNCache.xml</cachepath>
    <cachename>Cache</cachename>
  </dncache>
  <ncache>
    <cachename>TestCache</cachename>
  </ncache>
</pep_config>
<cache>

CEPM supports caching for the .NET application using NCache and DNCache. To avail the caching facility for your .NET application, you must put DNCache.dll and dncache.xml files (which are available in the distribution) in the ...\ApplicationName\bin\debug folder. Caching works only for the API methods IsUserAccessAllowed, IsRoleAccessAllowed, IsGroupAccessAllowed, and GetDecisions and their overloaded methods. The configuration to make use of the cache is done in the following tag:
<cache decisionCacheEnabled="true"  cacherefreshtype="onlyupdated" decisionsOnly="false" 
provider="net.securent.agent.sdk.cache.CacheProvider" 
implementor="Com.Cisco.Epm.Cache.Impl.NCache" 
eventProvider="Com.Cisco.Epm.Cache.Event.EventProvider" >
Update this tag by mentioning the provider and the implementor details. If you set this tag to false, caching is disabled.

The cache tags and their corresponding parameters can be updated according to the user requirement. A brief explanation of various parameters and child tags to be updated for caching follows.

•decisionCacheEnabled attribute

To enable the PEP cache mechanism, this attribute must be set to true.

•cacheRefreshType attribute

This attribute value can be set to onlyupdated or all. When set to onlyupdated, then during the cache refresh process, only the changed data is copied from the PDP and is updated in the PEP cache. When set to all, then during the cache refresh process, all the data from the PDP cache gets copied to the PEP cache.

•decisionOnly attribute

This is a Boolean expression. If set to false, it stores the entire cache objects which contain decision, decision lifetime, and every entity attributes related to the decisions. If set to true, it stores only the decisions. Because the lifetime will not be persistent,, the cache for any policy will not be updated when its lifetime expires. It is important to note that for better performance, it is highly recommended to set this attribute to true.

•Provider attribute

Keep this tag unchanged.

•implementor attribute

The value of this implementor class is set according to the type of cache used. For DNCache, the implementor class must be set to:
Com.Cisco.Epm.Cache.Impl.DNCacheImpl
To enable DNCache for your PEP, you must install the DNCache in your system and create your own server instance.

For NCache, the implementor class must be set to:
Com.Cisco.Epm.Cache.Impl.NCache
Enabling NCache for PEP

Note The following procedures assume that you have NCache installed on your system.

To enable NCache:

Step 1 Go to Start > All Programs > NCahce > NCache Manager.

Step 2 In the NCacheManager console, create a new project by clicking File > New > Project.

Step 3 In the NCache Explorer (left navigation pane), right click NCacheManagement and click Create New Cache. The New Cache Wizard appears.

Step 4 Enter the server name of the system where this new cache is created. Click Next.

Step 5 Enter the Cache Name in web.config file in the following format:
<appSettings>
    	<add key="CacheName" value="cepmcache"/>
</appSettings>
The same name must be mentioned in client.nconf file. Click Next.

Step 6 Set the heap size. Click Next.

Step 7 Follow the wizard guidelines for setting up advanced options.

Step 8 Click Finish. The new cache is displayed in the NCache Explorer.

Step 9 Right click the newly created cache and click Start. This starts the selected cache instance.

Step 10 Open pep_config.xml file and update the <cache> tag by setting the value of implementor class as:
net.securent.admin.sdk.cache.impl.DNCacheImpl
Save and close the config file.

Step 11 Copy client.nconf file into the classpath of the PEP. Update this file by entering the server name and cache ID as configured in Step 3 and Step 4. Save and close the file.

Configuring DNCache for PEP

To enable DNCache for your PEP, you must add the <appSettings> tag (key-value pairs) in your application.config file (or web.config file for web application). A sample tag is given here:
<appSettings>
    <add key="CachePath" value="C:\DotnetCache\DNCache.xml"/>
    <add key="CacheName" value="Cache"/>
</appSettings>
You must replace the values in this tag as per your requirements

The above values must match with the values given in the DNCache tag in pep_config.xml file. For example:
	<dncache>
    <cachepath>C:\DotnetCache\DNCache.xml</cachepath>
    <cachename>Cache</cachename>
  </dncache>
<type>

This tag can be set to TTL (time to live) or session.

Set its value to TTL.

<refresh>

The enable attribute value can be set to true or false. If set to false, PEP will never refresh its cache (except during start-up if the <prefetch> element's enable attribute is set to true). If set to true, the PEP refreshes its cache after every few second's time interval as specified in the <interval> element (as explained in the <interval> element below).

The <refresh> element can be set to invalidate or update. Setting <refresh> to invalidate erases the cache during the refresh cycle. Setting <refresh> to update, updates the PEP cache according to the value set for cacherefreshtype attribute (as explained earlier).

If the PEP is deployed in the clustered cache mode, then if the <refresh> element's enable attribute value is set to true, the PEP acts as a primary cache for the other PEPs in the same cluster. As primary cache, PEP refreshes its cache with the changed data and also refreshes all the PEP caches that are present in the same cache cluster. If this attribute value is set to false, then the PEP acts as a secondary cache and it never refreshes its own cache, but depends upon the primary cache PEP/PDP to refresh its cache.

<interval>

This tag defines the periodicity (in seconds) of cache refresh activity. For example, if you want to refresh the cached data after every 60 seconds, then set <interval> value to 60.

<prefetch>

This element is configured to prefetch the policy information and store in the PEP cache, when the PEP component gets loaded in Java Virtual Machine (JVM).

•enable attribute

The enable attribute value can be set to true or false. If set to true, all the data is refreshed during the PEP startup. If set to false, the PEP does not refresh its data during startup.

•type attribute

The type attribute can be set to user or resource.

If set to user, then all the resources belonging to all the users are refreshed in the cache. The user value can be set when there are fewer number of users compared to the number of resources, thus minimizing the number of API calls and reducing network traffic.

If set to resource, then all the users belonging to all the resources are refreshed in the cache. The resource value can be set when there are few number of resources compared to the number of users.

•bulkUsersPerRequest attribute

The bulkUsersPerRequest attribute value is applicable only when the type attribute value (described earlier) is set to user. The intention is to reduce the network traffic. The bulkUsersPerRequest attribute value specifies the batch size of the number of users for which the prefetch will be done.

For example, if there are total of 100 users and the bulkUsersPerRequest attribute value is set to 10, the PDP fetches the policy information (allowed/denied resources) of the 100 users in the batches of 10 users each because the policy information is fetched in ten batches, i.e. tenrequests.

<prefetch> can have multiple <api> subelements. Each <api> subelement contains a PEP API method name to call during prefetch operation as per the requirement.

•<prefetchForApis>

This element defines the selective prefetch mechanism to filter out with respect to the groups, roles and resources.

•<groups>

This element is configured to prefetch the users that belong to the configured group. For example there are 10 users (User1.....to User10). User1 to User5 are mapped to Group1. Specify the <group> that is (<group>SampleGroup:SampleApplication:Group1</group>).The <prefecthForApis> fetches only 5 users (User1 to User5), since only 5 users are mapped to Group1.

•<roles>

This element is configured to prefetch the users that belong to the configured role. For example there are 10 users (User1.....to User10). User1 to User5 are mapped to Role2. Specify the <role> that is (<role>SampleGroup:SampleApplication:Role2</role>).The <prefecthForApis> fetches only 5 users (User1 to User5), since only 5 users are mapped to Role2.

•<resources>

This element is configured to prefetch the users that belong to the configured resource. For example there are 10 users (User1.....to User10). User4 to User9 are mapped to resource Send Trades. Specify the <resources> that is (<resource>Prime group:Prime portal:Send Trades</resource>).The <prefecthForApis> fetches only 6 users (User4 to User9), since only 6 users are mapped to Send Trades.

The <prefetchForApis> element works in conjunction with <groups>,<roles> and <resources>. For example there are 10 users (User1.....to User10). User1 to User5 are mapped to Grp1.User3 to User7 are mapped to role1 and User4 to User9 are mapped to resource Send Trades.The <prefetchForApis> fetches only 2 users (User4 and User5), since only 2 users are commonly mapped to Grp1,role1and Send Trades (Grp1 union Role1 union SendTrades).

<applicationgroup>

Set this tag value to the application group name for which the PEP is deployed.

<application>

Set this tag value to the application name for which the PEP is deployed.

<loadbalance>

When the enabled attribute value is set to true, the PEP component implements the load-balancing mechanism while referencing various PDPs. If set to false, the load-balancing mechanism is not implemented.

Note When multiple PDPs are associated with a single PEP, the load-balancing mechanism can be used. (Refer to the Cisco Enterprise Policy Manager Developer Guide for more information about the load-balancing mechanism in the PEP.)

The <loadbalance> element contains the following subelements:

•<algorithm>

This subelement decides the type of algorithm to run while the load-balancing mechanism is implemented. Set it to roundrobin.

•<refreshtime>

This subelement decides the time interval (in minutes) after which PEP should check the status of all the PDPs configured in the <pdps> element and refresh its cache with the individual PDP's status (that is active or inactive).

•<timeout>

This element decides the time interval (in milliseconds) for which the PEP component should wait for the response after making a request to PDP, so as to assess PDPs status as active or inactive. For example, if the value is set to 1000, when the PEP makes a request to PDP for status check and if the PEP does not receive response within 1000 milliseconds, the PEP sets the status of that PDP to inactive in its own cache.

<pdps>

This tag contains the configuration details for all the PDPs that need to be referenced from this PEP component. Each PDP configuration needs to be provided in a separate <pdp> tag.

The following child tags that should be configured for each PDP entry:

•<protocol>

This tag decides the protocol for PEP-PDP communication. The .NET PEP Agent uses SOAP or HTTP protocol to communicate with the PDP.

•<username>

This tag contains the user name value to connect to the PDP.

•<password>

This tag contains the password value for the above mentioned user name.

•<url>

This tag contains the URL of the PDP service.

•<timeout>

This tag decides the time interval (in seconds) for which PEP should wait for the response after making a request to PDP. If a response is not received by the PEP from the PDP in this configured time interval, the PEP considers it as an error request.

<http-proxy>

This tag contains the configuration details for the proxy server. If proxy server is not being used, then give the empty values for its child tags. The following child tags should be configured to connect to the proxy-server.

•<host>

This tag contains the machine IP address of the proxy server.

•<port>

This tag contains the port number for the proxy service.

<apis>

This tag contains the configuration details of the PAP server. These values are used by the PEP API to access the PAP application. The following child tags that should be configured to access the PAP server.

•<url>

This tag contains the URL of the PAP server.

•<username>

This tag contains the user name to connect to the PAP server.

•<password>

This tag contains the password for the above user.

•<repositoryname>

This tag contains the name of the repository to connect to in the PAP server.

<adapters>

This tag contains the name of the adapter that is used by the PEP application to access PDP. .NET PEP uses SOAP and HTTP protocols to communicate with PDP. Do not update this value, which are by default set as shown below.
<adapters>
<soap>Com.Cisco.Epm.Soap.SoapTransportAdaptor</soap>
<http>Com.Cisco.Epm.Http.HttpTransportAdaptor</http>
</adapters>
<SSL>

If you enable SSL for PEP-PDP communication, use this tag to set the directory path of the truststore certificate and the truststore password.

	CEPM Dotnet Agent Guide
	Configuring the pep_config.xml File
CEPM Dotnet Agent Guide Preface Introduction Deploying CEPM Agent in a .NET Application Deploying the Cisco Agent in a COM Application Configuring the pep_config.xml File Configuring the log.config File Load Balancing in the PEP	Download this chapter Configuring the pep_config.xml File Download the complete book CEPM Dotnet Agent Guide (PDF - 570 KB) Feedback Table Of Contents Configuring pep_config.xml File <cache> <type> <refresh> <interval> <prefetch> <applicationgroup> <application> <loadbalance> <pdps> <http-proxy> <apis> <adapters> <SSL> Configuring pep_config.xml File This appendix describes the structure of the PEP configuration file (pep_config.xml) that is embedded into the protected .NET application to avail fine grained authorization provided by CEPM and gives guidelines for configuring it to suit the requirements of your application. The following is a sample pep_config.xml file: <pep_config version="3.3"> <cache decisionCacheEnabled="true" cacherefreshtype="onlyupdated" decisionsOnly="false" provider="net.securent.agent.sdk.cache.CacheProvider" implementor="Com.Cisco.Epm.Cache.Impl.NCache" eventProvider="Com.Cisco.Epm.Cache.Event.EventProvider" > <type>TTL</type> <refresh enable="false">update</refresh> <interval>20</interval> <prefetch enable="false" type="user" bulkUsersPerRequest="10"> <prefetchForApis> <api name="isUserAccessAllowed"> <!-- Prefetch based on message attributes --> <!-- Attribute for Context --> <!--<message-attribute name="urn:cisco.cepm:3.3:xacml:context-name" override="true">TestAppGrp:TestApp:Context1</message-attribute> --> <!-- Attribute for Role Bundle --> <!--<message-attribute name="urn:cisco.cepm:3.3:xacml:rolebundle-name" override="true">Rb1</message-attribute>--> <!-- Attribute for Resource Type --> <!--<message-attribute name="urn:cisco.cepm:3.3:xacml:resource-type-name" override="true">TestAppGrp:TestApp:ResType</message-attribute>--> <!-- Attribute for any attributes --> <!--<message-attribute name="Key1" override="true">Value1</message-attribute>--> </api> <!-- api name="getDecisionsByResourceTypeForAnyAction"/--> </prefetchForApis> <!-- Selective prefetch for configured Groups, Roles, Resources entities--> <groups> <!-- FQN of GroupName --> <!-- <group>TestAppGrp:TestApp:Grp1</group> --> </groups> <roles> <!-- FQN of RoleName --> <!-- <role>Prime group:Prime portal:Internal Dev:Internal Dev Tokyo</role> --> </roles> <resources> <!-- FQN of ResourceName --> <!-- <resource>TestAppGrp:TestApp:Res3</resource> --> </resources> </prefetch> <applicationgroup>Prime group</applicationgroup> <application>Prime portal</application> </cache> <logs enable="false" records="20" logsttl="10"/> <loadbalance enabled="false"> <algorithm>roundrobin</algorithm> <refreshtime>10</refreshtime> <timeout>10000</timeout> </loadbalance> <pdps> <pdp> <protocol>soap</protocol> <username>admin</username> <password>h1BYu+lcwcM=</password> <url>http://localhost:8080/pdp/services/AuthorizationService</url> <timeout>1000</timeout> </pdp> <!--<pdp> <protocol>http</protocol> <username>admin</username> <password>h1BYu+lcwcM=</password> <url>http://localhost:8080/pdp/AuthorizationEndPoint</url> <timeout>10000</timeout> </pdp>--> </pdps> <http-proxy> <host></host> <port></port> </http-proxy> <apis> <api> <url>http://localhost:8080/cepm</url> <username>superuser</username> <password>h1BYu+lcwcM=</password> <repositoryname>Default Domain</repositoryname> <timeout>10000</timeout> </api> </apis> <adapters> <soap>Com.Cisco.Epm.Soap.SoapTransportAdaptor</soap> <http>Com.Cisco.Epm.Http.HttpTransportAdaptor</http> </adapters> <ssl truststoreFile="C:\OpenSSL\bin\PEM\demoCA\keypair.p12" truststorePass="changeit"></ssl> <dncache> <cachepath>C:\DotnetCache\DNCache.xml</cachepath> <cachename>Cache</cachename> </dncache> <ncache> <cachename>TestCache</cachename> </ncache> </pep_config> <cache> CEPM supports caching for the .NET application using NCache and DNCache. To avail the caching facility for your .NET application, you must put DNCache.dll and dncache.xml files (which are available in the distribution) in the ...\ApplicationName\bin\debug folder. Caching works only for the API methods IsUserAccessAllowed, IsRoleAccessAllowed, IsGroupAccessAllowed, and GetDecisions and their overloaded methods. The configuration to make use of the cache is done in the following tag: <cache decisionCacheEnabled="true" cacherefreshtype="onlyupdated" decisionsOnly="false" provider="net.securent.agent.sdk.cache.CacheProvider" implementor="Com.Cisco.Epm.Cache.Impl.NCache" eventProvider="Com.Cisco.Epm.Cache.Event.EventProvider" > Update this tag by mentioning the provider and the implementor details. If you set this tag to false, caching is disabled. The cache tags and their corresponding parameters can be updated according to the user requirement. A brief explanation of various parameters and child tags to be updated for caching follows. •decisionCacheEnabled attribute To enable the PEP cache mechanism, this attribute must be set to true. •cacheRefreshType attribute This attribute value can be set to onlyupdated or all. When set to onlyupdated, then during the cache refresh process, only the changed data is copied from the PDP and is updated in the PEP cache. When set to all, then during the cache refresh process, all the data from the PDP cache gets copied to the PEP cache. •decisionOnly attribute This is a Boolean expression. If set to false, it stores the entire cache objects which contain decision, decision lifetime, and every entity attributes related to the decisions. If set to true, it stores only the decisions. Because the lifetime will not be persistent,, the cache for any policy will not be updated when its lifetime expires. It is important to note that for better performance, it is highly recommended to set this attribute to true. •Provider attribute Keep this tag unchanged. •implementor attribute The value of this implementor class is set according to the type of cache used. For DNCache, the implementor class must be set to: Com.Cisco.Epm.Cache.Impl.DNCacheImpl To enable DNCache for your PEP, you must install the DNCache in your system and create your own server instance. For NCache, the implementor class must be set to: Com.Cisco.Epm.Cache.Impl.NCache Enabling NCache for PEP Note The following procedures assume that you have NCache installed on your system. To enable NCache: Step 1 Go to Start > All Programs > NCahce > NCache Manager. Step 2 In the NCacheManager console, create a new project by clicking File > New > Project. Step 3 In the NCache Explorer (left navigation pane), right click NCacheManagement and click Create New Cache. The New Cache Wizard appears. Step 4 Enter the server name of the system where this new cache is created. Click Next. Step 5 Enter the Cache Name in web.config file in the following format: <appSettings> <add key="CacheName" value="cepmcache"/> </appSettings> The same name must be mentioned in client.nconf file. Click Next. Step 6 Set the heap size. Click Next. Step 7 Follow the wizard guidelines for setting up advanced options. Step 8 Click Finish. The new cache is displayed in the NCache Explorer. Step 9 Right click the newly created cache and click Start. This starts the selected cache instance. Step 10 Open pep_config.xml file and update the <cache> tag by setting the value of implementor class as: net.securent.admin.sdk.cache.impl.DNCacheImpl Save and close the config file. Step 11 Copy client.nconf file into the classpath of the PEP. Update this file by entering the server name and cache ID as configured in Step 3 and Step 4. Save and close the file. Configuring DNCache for PEP To enable DNCache for your PEP, you must add the <appSettings> tag (key-value pairs) in your application.config file (or web.config file for web application). A sample tag is given here: <appSettings> <add key="CachePath" value="C:\DotnetCache\DNCache.xml"/> <add key="CacheName" value="Cache"/> </appSettings> You must replace the values in this tag as per your requirements The above values must match with the values given in the DNCache tag in pep_config.xml file. For example: <dncache> <cachepath>C:\DotnetCache\DNCache.xml</cachepath> <cachename>Cache</cachename> </dncache> <type> This tag can be set to TTL (time to live) or session. Set its value to TTL. <refresh> The enable attribute value can be set to true or false. If set to false, PEP will never refresh its cache (except during start-up if the <prefetch> element's enable attribute is set to true). If set to true, the PEP refreshes its cache after every few second's time interval as specified in the <interval> element (as explained in the <interval> element below). The <refresh> element can be set to invalidate or update. Setting <refresh> to invalidate erases the cache during the refresh cycle. Setting <refresh> to update, updates the PEP cache according to the value set for cacherefreshtype attribute (as explained earlier). If the PEP is deployed in the clustered cache mode, then if the <refresh> element's enable attribute value is set to true, the PEP acts as a primary cache for the other PEPs in the same cluster. As primary cache, PEP refreshes its cache with the changed data and also refreshes all the PEP caches that are present in the same cache cluster. If this attribute value is set to false, then the PEP acts as a secondary cache and it never refreshes its own cache, but depends upon the primary cache PEP/PDP to refresh its cache. <interval> This tag defines the periodicity (in seconds) of cache refresh activity. For example, if you want to refresh the cached data after every 60 seconds, then set <interval> value to 60. <prefetch> This element is configured to prefetch the policy information and store in the PEP cache, when the PEP component gets loaded in Java Virtual Machine (JVM). •enable attribute The enable attribute value can be set to true or false. If set to true, all the data is refreshed during the PEP startup. If set to false, the PEP does not refresh its data during startup. •type attribute The type attribute can be set to user or resource. If set to user, then all the resources belonging to all the users are refreshed in the cache. The user value can be set when there are fewer number of users compared to the number of resources, thus minimizing the number of API calls and reducing network traffic. If set to resource, then all the users belonging to all the resources are refreshed in the cache. The resource value can be set when there are few number of resources compared to the number of users. •bulkUsersPerRequest attribute The bulkUsersPerRequest attribute value is applicable only when the type attribute value (described earlier) is set to user. The intention is to reduce the network traffic. The bulkUsersPerRequest attribute value specifies the batch size of the number of users for which the prefetch will be done. For example, if there are total of 100 users and the bulkUsersPerRequest attribute value is set to 10, the PDP fetches the policy information (allowed/denied resources) of the 100 users in the batches of 10 users each because the policy information is fetched in ten batches, i.e. tenrequests. <prefetch> can have multiple <api> subelements. Each <api> subelement contains a PEP API method name to call during prefetch operation as per the requirement. •<prefetchForApis> This element defines the selective prefetch mechanism to filter out with respect to the groups, roles and resources. •<groups> This element is configured to prefetch the users that belong to the configured group. For example there are 10 users (User1.....to User10). User1 to User5 are mapped to Group1. Specify the <group> that is (<group>SampleGroup:SampleApplication:Group1</group>).The <prefecthForApis> fetches only 5 users (User1 to User5), since only 5 users are mapped to Group1. •<roles> This element is configured to prefetch the users that belong to the configured role. For example there are 10 users (User1.....to User10). User1 to User5 are mapped to Role2. Specify the <role> that is (<role>SampleGroup:SampleApplication:Role2</role>).The <prefecthForApis> fetches only 5 users (User1 to User5), since only 5 users are mapped to Role2. •<resources> This element is configured to prefetch the users that belong to the configured resource. For example there are 10 users (User1.....to User10). User4 to User9 are mapped to resource Send Trades. Specify the <resources> that is (<resource>Prime group:Prime portal:Send Trades</resource>).The <prefecthForApis> fetches only 6 users (User4 to User9), since only 6 users are mapped to Send Trades. The <prefetchForApis> element works in conjunction with <groups>,<roles> and <resources>. For example there are 10 users (User1.....to User10). User1 to User5 are mapped to Grp1.User3 to User7 are mapped to role1 and User4 to User9 are mapped to resource Send Trades.The <prefetchForApis> fetches only 2 users (User4 and User5), since only 2 users are commonly mapped to Grp1,role1and Send Trades (Grp1 union Role1 union SendTrades). <applicationgroup> Set this tag value to the application group name for which the PEP is deployed. <application> Set this tag value to the application name for which the PEP is deployed. <loadbalance> When the enabled attribute value is set to true, the PEP component implements the load-balancing mechanism while referencing various PDPs. If set to false, the load-balancing mechanism is not implemented. Note When multiple PDPs are associated with a single PEP, the load-balancing mechanism can be used. (Refer to the Cisco Enterprise Policy Manager Developer Guide for more information about the load-balancing mechanism in the PEP.) The <loadbalance> element contains the following subelements: •<algorithm> This subelement decides the type of algorithm to run while the load-balancing mechanism is implemented. Set it to roundrobin. •<refreshtime> This subelement decides the time interval (in minutes) after which PEP should check the status of all the PDPs configured in the <pdps> element and refresh its cache with the individual PDP's status (that is active or inactive). •<timeout> This element decides the time interval (in milliseconds) for which the PEP component should wait for the response after making a request to PDP, so as to assess PDPs status as active or inactive. For example, if the value is set to 1000, when the PEP makes a request to PDP for status check and if the PEP does not receive response within 1000 milliseconds, the PEP sets the status of that PDP to inactive in its own cache. <pdps> This tag contains the configuration details for all the PDPs that need to be referenced from this PEP component. Each PDP configuration needs to be provided in a separate <pdp> tag. The following child tags that should be configured for each PDP entry: •<protocol> This tag decides the protocol for PEP-PDP communication. The .NET PEP Agent uses SOAP or HTTP protocol to communicate with the PDP. •<username> This tag contains the user name value to connect to the PDP. •<password> This tag contains the password value for the above mentioned user name. •<url> This tag contains the URL of the PDP service. •<timeout> This tag decides the time interval (in seconds) for which PEP should wait for the response after making a request to PDP. If a response is not received by the PEP from the PDP in this configured time interval, the PEP considers it as an error request. <http-proxy> This tag contains the configuration details for the proxy server. If proxy server is not being used, then give the empty values for its child tags. The following child tags should be configured to connect to the proxy-server. •<host> This tag contains the machine IP address of the proxy server. •<port> This tag contains the port number for the proxy service. <apis> This tag contains the configuration details of the PAP server. These values are used by the PEP API to access the PAP application. The following child tags that should be configured to access the PAP server. •<url> This tag contains the URL of the PAP server. •<username> This tag contains the user name to connect to the PAP server. •<password> This tag contains the password for the above user. •<repositoryname> This tag contains the name of the repository to connect to in the PAP server. <adapters> This tag contains the name of the adapter that is used by the PEP application to access PDP. .NET PEP uses SOAP and HTTP protocols to communicate with PDP. Do not update this value, which are by default set as shown below. <adapters> <soap>Com.Cisco.Epm.Soap.SoapTransportAdaptor</soap> <http>Com.Cisco.Epm.Http.HttpTransportAdaptor</http> </adapters> <SSL> If you enable SSL for PEP-PDP communication, use this tag to set the directory path of the truststore certificate and the truststore password.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks