
Cisco Policy Enforcement Point

CEPM SSPI Agent Guide

Revised: January 17, 2011, Doc Part No: OL-19572-01

Contents

About This Document

SSPI Approach to Protect WebLogic Applications

Integrating the SSPI Agent with Your Application

Sample <weblogic-resource> Tags for Supported Resource Types

Example of a Customized SSPI Authorization Process

How to Protect Actions of a WebLogic Portal

Integrating the SSPI Agent in Static Application Using In-Process PDP

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

About This Document

Objective

This document provides guidelines for deploying the SSPI Agent and explains the features supported by the CEPM customized authorization provider for applications running on BEA WebLogic Server V9.2. It also provides a step-by-step procedure for integrating the SSPI Agent in static applications with an in-process Policy Decision Point (PDP) configuration.

Audience

This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.

SSPI Approach to Protect WebLogic Applications

WebLogic security providers are modules that plug into a WebLogic Server security realm to provide security services to applications. The provider determines whether access should be granted or denied to BEA WebLogic Server resources.

If the WebLogic security providers supplied with the WebLogic Server product do not fully meet your security requirements, you can supplement or replace them with custom security providers. WebLogic supports a number of security provider types, and CEPM implements the WebLogic Authorization Provider. This Authorization Provider can be used to protect WebLogic Portal resources (for example, Desktop, Books, Pages, and Portlets), Enterprise JavaBeans (EJBs), Java Message Service (JMS), Web Services, URL, Java Database Connectivity (JDBC), and Server resources.

The CEPM implementation calls the CEPM decision APIs and returns the result that corresponds to the decision. CEPM implements the following SSPI Framework method:

public Result isAccessAllowed(Subject subject, Map roles, Resource resource, ContextHandler handler, Direction direction)

This method, in turn, calls the following CEPM PEP method:

isUserAccessAllowed(String subject, String resource, String action, Map environmentVar)

Method Description:

subject refers to the principal user. If there are multiple users, then the first principal is considered the subject for this method.

role refers to the key-value pair of the role assigned to the principal user. The role key for this method must be given as wls_role. For example:

role key: wls_role
role value: Admin

resource refers to the WebLogic resource being protected.

action refers to the user privileges on the protected resource, such as edit, view, and delete.

environmentVar holds the key-value pairs of role, group, principal, and contextHandler details. The value for each key can be a list of multiple comma-separated values, for example:

key: wls_role
value: MedRecAdmin,Anonymous,Admin
key: wls_group
value: Administrators,MedRecAdmins
key: wls_principal
value: admin@avitek.com
context key: HttpServletResponse
context value: Http Request: /images/button_bg_hover.gif, Http Request: /images/login_patient.gif


Figure 1 CEPM Authorization Process

CEPM authorization process is carried out in the following manner:

1. A user or system process requests a WebLogic resource for performing a given operation.

2. The resource container, which handles the type of WebLogic resource being requested, receives the request (for example, the EJB container receives the request for Portlet resource).

3. The resource container calls the WebLogic Security Framework, passing in the subject, the WebLogic resource, and optionally the ContextHandler object (to provide additional input for the decision).

4. The WebLogic Security Framework delegates the actual decision about whether the subject is entitled to perform the requested action on the WebLogic resource to the configured authorization providers.

5. The access decisions of the authorization providers use various pieces of information about the request, and they construct a set of callback objects that represent the type of information being requested.

6. The isAccessAllowed method of each configured authorization provider's access decision is called to determine if the subject is authorized to perform the requested access, based on the subject, WebLogic resource, and action. Each isAccessAllowed method can return one of two values:

PERMIT indicates that the requested access is permitted.

DENY indicates that the requested access is explicitly denied.
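The mapping from the SSPI isAccessAllowed inputs to the CEPM PEP call described above, as an added Python example that is not part of the CEPM SSPI Agent. The key names (wls_role, wls_group, wls_principal), the first-principal rule, the wls_anonymous_user fallback and the PERMIT/DENY results are taken from this guide; the function names and the stub decision callback are assumptions.

```python
"""Model of how the SSPI isAccessAllowed inputs are reduced to the four
arguments of the CEPM PEP call isUserAccessAllowed(subject, resource,
action, environmentVar) and how the answer becomes PERMIT or DENY.
Function names and stub_pep are assumptions made for this example."""
from typing import Callable, Dict, Iterable, Mapping, Sequence

# Subject used by the agent when the request carries no principal.
WLS_ANONYMOUS_USER = "wls_anonymous_user"


def pick_subject(principals: Sequence[str]) -> str:
    """The first principal is the subject; an empty subject set falls back
    to wls_anonymous_user."""
    return principals[0] if principals else WLS_ANONYMOUS_USER


def build_environment(roles: Iterable[str], groups: Iterable[str],
                      principals: Iterable[str],
                      context: Mapping[str, Iterable[str]]) -> Dict[str, str]:
    """Flatten the multi-valued inputs into the comma-separated values the
    guide shows: wls_role, wls_group, wls_principal plus one entry per
    ContextHandler key."""
    env = {
        "wls_role": ",".join(roles),
        "wls_group": ",".join(groups),
        "wls_principal": ",".join(principals),
    }
    for key, values in context.items():
        env[key] = ",".join(values)
    return env


def is_access_allowed(principals: Sequence[str], roles: Sequence[str],
                      groups: Sequence[str], resource: str, action: str,
                      context: Mapping[str, Sequence[str]],
                      pep_decision: Callable[[str, str, str, Dict[str, str]], bool]) -> str:
    """Mirror of the SSPI isAccessAllowed flow: build the PEP call from the
    SSPI inputs and map the boolean answer to the two values an
    authorization provider may return."""
    subject = pick_subject(principals)
    env = build_environment(roles, groups, principals, context)
    return "PERMIT" if pep_decision(subject, resource, action, env) else "DENY"


def stub_pep(subject: str, resource: str, action: str, env: Dict[str, str]) -> bool:
    """Constructed stand-in for isUserAccessAllowed: permits only callers
    holding the Admin role in wls_role. A real deployment asks the CEPM PDP."""
    return "Admin" in env["wls_role"].split(",")
```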

Integrating the SSPI Agent with Your Application

To integrate CEPM SSPI Agent with your application, follow these steps:


Step 1 Unzip the following distribution into your system, depending on your requirement:

CEPM_SSPIAgentV3.3.0.0.zip—This distribution contains the papclient-V3.3.0.0.jar, pepclient-V3.3.0.0.jar, CEPM_Commons-V3.3.0.0.jar, and CEPMAuthorizer.jar files (the last of which contains the other SSPI-related jar files).

CEPM_SSPIAgentV3.3.0.0_Unbundled.zip—This distribution contains CEPMAuthorizer.jar (which contains the PAP-, PEP-, and SSPI-related files) along with the other jar files provided individually (unbundled).

CEPM_SSPIAgentV3.3.0.0_InProcessPDP.zip—This distribution contains jar files such as Inprocess_pdp.jar and CEPMInprocessAuthorizer.jar (which contains the SSPI-related files), and other third-party libraries.

Refer to the "Integrating the SSPI Agent in Static Application Using In-Process PDP" section for details on integrating the SSPI Agent with a static application where the in-process PDP is used.

Step 2 From the unzipped folder, copy CEPMAuthorizer.jar file into the $BEA_HOME\weblogic92\server\lib\mbeantypes folder.

Step 3 Open the pep_config.xml file located in the unzipped folder and update the <sspi-config> tag and the <record> tag that follows it, as shown below, according to your application-specific requirements:

Sample <sspi-config> tag:

<sspi-config>
    <app-group name="Prime groupone">
        <enterprise-application name="portalApp">
            <web-application name="groupspace">
                <weblogic-resource type="wlp" enableaction="true">*</weblogic-resource>
                <subject source="header" attributename="referer"/>
                <http-headers>
                    <headername>*</headername>
                </http-headers>
                <session-attribute>
                    <attributename>*</attributename>
                </session-attribute>
            </web-application>
        </enterprise-application>
    </app-group>
</sspi-config>
<record>true</record>

Update the <app-group name=> tag with the value of the application group name from your PAP such as:

<app-group name="AppGroupOne">

where AppGroupOne is the name of the application group.

Update the <enterprise-application name=> tag with the name of the enterprise application that needs to be checked for entitlement such as:

<enterprise-application name="MyPortal">

where MyPortal is the name of the enterprise application.

Update the <web-application name=> tag with the name of the web application that needs to be checked for entitlement, such as:

<web-application name="WebAppOne">

where WebAppOne is the name of the web application.

Update the <weblogic-resource> tag with the following modifications:

Set the WebLogic resource type attribute (type). The possible values are wlp, ejb, webservice, jdbc, jms, url, and svr.

Set the enableaction attribute to true or false. If it is set to true, additional information is taken from the WebLogic resource of that type and used as resource actions when checking entitlement with CEPM. (Refer to the "How to Protect Actions of a WebLogic Portal" section to see how the portal actions are protected.)

Update the resource names that need to be checked for entitlement. The value can be a single resource name, multiple resource names separated by commas, or "*", which represents all the resources of the type given in the type attribute.


Note The <subject> tag is used to provide additional input for URL resources; the details are described for the URL resource type in the "Sample <weblogic-resource> Tags for Supported Resource Types" section.


The <record> tag can be set to either true or false. Setting it to true results in the automatic creation of resources that are not found during decision making; this assumes that the application group and application named in the <sspi-config> tag already exist in the PAP. If you do not want resources to be created automatically, set the tag to false.

Step 4 Copy the pep_config.xml file to the portal server folder from where you start your WebLogic (that is, the folder where the startWLS.cmd or startWeblogic.cmd file exists).

For example, if you set the entitlement to an application called MyPortal, then copy the configuration file to $BEA_HOME\weblogic92\samples\domains\MyPortal folder.

Step 5 Start the WebLogic server using the startWeblogic.cmd.

Step 6 Open the WebLogic server administration console (for example, http://<host>:<port>/console).

Step 7 Under the Security option, choose Realms > myRealm > Providers > Authorization.

Step 8 In the left pane, click Lock and Edit.

Step 9 Configure a new authorizer as CEPMAuthorizer and choose SSPIAuthorizer from the drop-down menu.

Name—CEPMAuthorizer

Type—SSPIAuthorizer

Step 10 While deploying any application or module, select Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console for the security model.

Step 11 Before restarting the server, copy the following jar files bundled with your chosen distribution:

If you are using CEPM_SSPIAgentV3.3.0.0.zip, copy the axis.jar, axis-ant.jar, commons-discovery-0.2.jar, log4j-1.2.5.jar, commons-logging-1.0.4.jar, jaxrpc.jar, soap.jar, saaj.jar, and wsdl4j-1.5.1.jar files to the lib folder of your application domain.

If you are using CEPM_SSPIAgentV3.3.0.0_Unbundled.zip, copy the pep.jar, papclient.jar, CEPM_Commons.jar, axis-ant.jar, and log4j-1.2.14.jar files to the lib folder of your application domain.

Step 12 Open the $BEA_HOME\weblogic92\samples\domains\portal\config.xml file and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.

Here is sample code of the <security-configuration> tag highlighting the added parameter:

<security-configuration xmlns:xacml="http://www.bea.com/ns/weblogic/90/security/xacml">
    <name>Defaultdomain</name>
    <realm>
        <sec:authentication-provider xsi:type="wls:default-authenticatorType"/>
        <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
        </sec:authentication-provider>
        <sec:role-mapper xsi:type="xacml:xacml-role-mapperType"/>
        <sec:authorizer xsi:type="xacml:xacml-authorizerType"/>
        <sec:adjudicator xsi:type="wls:default-adjudicatorType"/>
        <sec:credential-mapper xsi:type="wls:default-credential-mapperType"/>
        <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"/>
        <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
        <sec:name>myrealm</sec:name>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{3dCW3ZYs9vKlrDC==</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{3DES}EJQzqZf8w==</node-manager-password-encrypted>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
</security-configuration>

What is the <enforce-valid-basic-auth-credentials> flag?

For WebLogic Server versions 9.2 and later, client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource. The setting of the Security Configuration MBean flag <enforce-valid-basic-auth-credentials> determines this behavior. (The DomainMBean can return the new Security Configuration MBean for the domain.) It specifies whether or not the system should allow requests with invalid HTTP BASIC authentication credentials to access unsecured resources.


Note The Security Configuration MBean provides domain-wide security configuration information. The enforce-valid-basic-auth-credentials flag affects the entire domain.


The <enforce-valid-basic-auth-credentials> flag is True by default, and WebLogic Server authentication is performed. If authentication fails, the request is rejected. WebLogic Server must therefore have knowledge of the user and password.

You may want to change the default behavior if you rely on an alternate authentication mechanism. For example, you might use a backend web service to authenticate the client, and WebLogic Server does not need to know about the user. With the default authentication enforcement enabled, the web service can do its own authentication, but only if WebLogic Server authentication first succeeds.

If you explicitly set the <enforce-valid-basic-auth-credentials> flag to False, WebLogic Server does not perform authentication for HTTP BASIC authentication client requests for which access control was not enabled on the target resource.

Step 13 Add the Java properties CEPM_AGENT_CONFIG, CEPM_HOME, and CEPM_DECISION_CACHE_CONFIG to JAVA_PROPERTIES in setDomainEnv.cmd to specify the paths of the pep_config.xml file, SSPI_HOME, and the jbosscache.xml file. For example:

-DCEPM_AGENT_CONFIG=$SSPI_HOME\config\pep\pep_config.xml
-DCEPM_HOME=$SSPI_HOME
-Dlog4j.configuration=$SSPI_HOME\config\logging\logging.xml
-DCEPM_DECISION_CACHE_CONFIG=$SSPI_HOME\config\jbosscache\jbosscache.xml

Step 14 Restart the WebLogic server.

The PAP and PDP to which your SSPI Agent is connecting should be already running.

When the WebLogic server is restarted and the agent initializes properly, the message "SSPI CEPMAuthorizationProvider initialized" is displayed.

Step 15 Check entitlements for your application.

If the user has access to the resource, the agent returns PERMIT and displays the message

The user is entitled to perform the operation.

Otherwise, it returns DENY with the message

The user is not entitled to perform the operation.

Note Creating WebLogic portal resources in the PAP (WLP_Resource_Discovery):


a. Copy the groupspace.community or .portal file to the current folder and rename it as resource.xml.

b. Place CEPMAuthorizer.jar, papclient.jar, and CEPM_Commons.jar files in the classpath.

c. Set CEPM_AGENT_CONFIG and CEPM_HOME in runresourcediscoverywlp.bat file.

-DCEPM_AGENT_CONFIG=<SSPI_HOME>\config\pep\pep_config.xml 
-Dlog4j.configuration=<SSPI_HOME>\config\logging\logging.xml

Note This file must contain only one enterprise-application tag and one web-application tag.


d. Run the runresourcediscoverywlp.bat file.


Sample <weblogic-resource> Tags for Supported Resource Types

If the resource is of type "WebLogic portal":

<weblogic-resource type="wlp" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *, which means that all portal resource types (for example, Portlets, Pages, Desktop, and Book) will be checked for entitlement. You can instead set one or more resource types in this tag by listing their names separated by commas. For example, if you want only portlets and pages to be protected, update the tag as:

<weblogic-resource type="wlp" enableaction="true">Portlet,Page</weblogic-resource>

For a given WebLogic portal, the resources are identified in the following manner:

type=<wlp>, EntApp=portalApp, Webapp=groupspace, Resource=Portlet communitySamplePortal Discussion_Portlet_1, Capability=maximized

In CEPM, portalApp will be the application, groupspace/Discussion_Portlet_1 will be the resource hierarchy and maximized will be the action if enableaction is set to true.

For the preceding application and resources, the following resource structure must be maintained in the <sspi-config> tag of the pep_config.xml file:

<enterprise-application name="portalApp">
    <web-application name="groupspace">
        <weblogic-resource type="wlp" enableaction="false">*</weblogic-resource>
    </web-application>
</enterprise-application>

If the resource is of type "EJB":

<weblogic-resource type="ejb" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *, which means that all the EJBs are checked for entitlement. You can also give a single EJB, or multiple EJBs separated by commas, as the tag value. If the enableaction attribute is set to true, all the EJB methods are considered as resource actions.

For a given EJB resource, the resources are identified in the following manner:

type=<ejb>, application=MedRecEAR, module=sessionEjbs, ejb=RecordSessionEJB, 
method=create, methodInterface=Home, signature={}

In CEPM, MedRecEAR will be the application, sessionEjbs/RecordSessionEJB the resource hierarchy, and create the action.

For the preceding application and resources, the following resource structure must be maintained in the <sspi-config> tag of the pep_config.xml file:

<enterprise-application name="MedRecEAR">
    <web-application name="sessionEjbs">
        <weblogic-resource type="ejb" enableaction="true">*</weblogic-resource>
    </web-application>
</enterprise-application>

If the resource is of type "webservices":

<weblogic-resource type="webservices" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. If the enableaction attribute value is set to true, then all the WebService methods will be considered as resource actions and hence can be entitled using CEPM.

For a given WebService, the resources are identified in the following manner:

type=<webservices>, application=webservicesJwsSimpleEar, 
contextPath=/jws_basic_simple, webService=SimpleSoapPort, method=sayHello, 
signature={java.lang.String}

In this case, webservicesJwsSimpleEar will be the application, jws_basic_simple/SimpleSoapPort will be the resource hierarchy, and sayHello will be the action in CEPM.

For the preceding application and resources, the following resource structure must be maintained in the <sspi-config> tag of the pep_config.xml file:

<enterprise-application name="webservicesJwsSimpleEar">
    <web-application name="/jws_basic_simple">
        <weblogic-resource type="webservices" enableaction="true">*</weblogic-resource>
    </web-application>
</enterprise-application>

If the resource is of type "jdbc":

<weblogic-resource type="jdbc" enableaction="true">*</weblogic-resource>

You can edit the values of <weblogic-resource> to * to check entitlement for all JDBC resources or you can provide multiple resource names separated by a comma.

For a given JDBC resource, the resources are identified in the following manner:

type=<jdbc>, application=MedRecEAR, module=MedRecAppScopedDataSourceXA, 
resourceType=ConnectionPool, resource=MedRecDataSourceXA, action=reserve

In this case, MedRecEAR will be the application, MedRecAppScopedDataSourceXA/ConnectionPool/MedRecDataSourceXA will be the resource hierarchy, and reserve will be the action in CEPM.

For the preceding application and resources, the following resource structure must be maintained in the <sspi-config> tag of the pep_config.xml file:

<enterprise-application name="MedRecEAR">
    <web-application name="MedRecAppScopedDataSourceXA">
        <weblogic-resource type="jdbc" enableaction="true">*</weblogic-resource>
    </web-application>
</enterprise-application>

If the resource is of type "JMS":

<weblogic-resource type="jms" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. If the enableaction attribute value is set to true, then send and receive will be considered as resource actions and hence can be entitled using CEPM.

For a given JMS resource type, the resources are identified in the following manner:

type=<jms>, application=MedRecEAR, destinationType=queue, 
resource=XML_UPLOAD_MDB_QUEUE, action=receive

In this case, MedRecEAR will be the application, queue/XML_UPLOAD_MDB_QUEUE will be the resource hierarchy, and receive will be the action in CEPM.

For the preceding application and resources, the following resource structure must be maintained in the <sspi-config> tag of the pep_config.xml file:

<enterprise-application name="MedRecEAR">
    <web-application name="queue">
        <weblogic-resource type="jms" enableaction="true">*</weblogic-resource>
    </web-application>
</enterprise-application>

If the resource is of type "URL":

<weblogic-resource type="url" enableaction="true">*</weblogic-resource>
<subject source="header" attributename="referer"/>
<http-headers>
    <headername>*</headername>
</http-headers>
<session-attribute>
    <attributename>*</attributename>
</session-attribute>

Here, the value of this tag is set to *. If the enableaction attribute value is set to true, then all the HTTP methods will be considered as resource actions and hence can be entitled using CEPM.

The user can also provide additional information to the SSPI Agent by configuring the following tags:

In the <subject> tag, source can be either header or session. If the source is header, the value of the referrer will be taken from the header. If the source is session, the value of the referrer will be taken from the session.

The values given in the <http-headers> and <session-attribute> tags are passed as environment attributes. The value can be set to * (to read all attributes present in the header or session) or to one or more attribute names separated by commas.

For a given URL resource type, the resources are identified in the following manner:

type=<url>, application=MedRecEAR, contextPath=/patient, uri=/record.do, 
httpMethod=GET

In this case, MedRecEAR will be the application, patient/record.do will be the resource hierarchy, and GET will be the action in CEPM.

For the preceding application and resources, the following resource structure must be maintained in the <sspi-config> tag of the pep_config.xml file:

<enterprise-application name="MedRecEAR">
    <web-application name="patient">
        <weblogic-resource type="url" enableaction="true">*</weblogic-resource>
    </web-application>
</enterprise-application>

If the resource is of type "JNDI":

<weblogic-resource type="jndi" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. If the enableaction attribute value is set to true, the JNDI actions (for example, lookup) will be considered as resource actions and hence can be entitled using CEPM.

For a given JNDI resource type, the resources are identified in the following manner:

type=<jndi>, application=, path={TesterEJB}, action=lookup

In this case, ServerApp will be the application, TesterEJB will be the resource hierarchy, and lookup will be the action in CEPM.

For the preceding application and resources, the following resource structure must be maintained in the <sspi-config> tag of the pep_config.xml file:

<enterprise-application name="ServerApp">
    <web-application name="ServerApp">
        <weblogic-resource type="jndi" enableaction="true">*</weblogic-resource>
    </web-application>
</enterprise-application>

If the resource is of type "Server":

<weblogic-resource type="svr" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. If the enableaction attribute value is set to true, then boot will be considered as an action and hence can be entitled using CEPM.

For a given Server resource type, the resources are identified in the following manner:

type=<svr>, application=, server=AdminServer, action=boot

In this case, the application name is null. Whenever Server is the resource type, ServerApp is therefore the application by default, AdminServer will be the resource, and boot will be the action in CEPM.

For the preceding application and resources, the following resource structure must be maintained in the <sspi-config> tag of the pep_config.xml file:

<enterprise-application name="ServerApp">
    <web-application name="ServerApp">
        <weblogic-resource type="svr" enableaction="true">*</weblogic-resource>
    </web-application>
</enterprise-application>
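The resource identification lines and per-type mapping rules in this section, worked as an added Python example that is not code from the CEPM SSPI Agent: it parses a WebLogic resource identification line, derives the CEPM application, resource hierarchy and action for every supported type, and checks the result against an <sspi-config> fragment. The identification format and the hierarchy rules are the guide's; the sample config, the function names and the way a comma-separated resource list is matched are assumptions.

```python
"""Map WebLogic resource identification lines to the CEPM (application,
hierarchy, action) triple and check them against an <sspi-config> fragment.
Function names and SAMPLE_SSPI_CONFIG are assumptions for this example."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed sample <sspi-config> in the layout the guide describes (not a shipped file).
SAMPLE_SSPI_CONFIG = """
<sspi-config>
  <app-group name="AppGroupOne">
    <enterprise-application name="MedRecEAR">
      <web-application name="sessionEjbs">
        <weblogic-resource type="ejb" enableaction="true">RecordSessionEJB</weblogic-resource>
      </web-application>
      <web-application name="patient">
        <weblogic-resource type="url" enableaction="false">*</weblogic-resource>
      </web-application>
    </enterprise-application>
    <enterprise-application name="portalApp">
      <web-application name="groupspace">
        <weblogic-resource type="wlp" enableaction="true">Portlet,Page</weblogic-resource>
      </web-application>
    </enterprise-application>
  </app-group>
</sspi-config>
"""

# One "key=value" field; values may be wrapped in <...> (type) or {...} (path, signature).
_FIELD = re.compile(r"(\w+)=(\{[^}]*\}|<[^>]*>|[^,]*)")


def parse_resource_id(line: str) -> Dict[str, str]:
    """Parse 'type=<ejb>, application=MedRecEAR, ...' into a dict, dropping the wrappers."""
    return {key: value.strip().strip("<>{}") for key, value in _FIELD.findall(line)}


def to_cepm(fields: Dict[str, str]) -> Tuple[str, str, Optional[str], str]:
    """Apply the per-type rules from the guide.

    Returns (application, resource hierarchy, action, match name); the match name is
    what a comma-separated <weblogic-resource> value is compared against (the portal
    resource type for wlp, the leaf resource name for the other types)."""
    t = fields["type"]
    app = fields.get("application") or "ServerApp"  # empty application -> ServerApp
    if t == "wlp":
        parts = fields["Resource"].split()  # e.g. "Portlet <portal name> Discussion_Portlet_1"
        return fields["EntApp"], f"{fields['Webapp']}/{parts[-1]}", fields.get("Capability"), parts[0]
    if t == "ejb":
        return app, f"{fields['module']}/{fields['ejb']}", fields.get("method"), fields["ejb"]
    if t == "webservices":
        ctx = fields["contextPath"].strip("/")
        return app, f"{ctx}/{fields['webService']}", fields.get("method"), fields["webService"]
    if t == "jdbc":
        hier = f"{fields['module']}/{fields['resourceType']}/{fields['resource']}"
        return app, hier, fields.get("action"), fields["resource"]
    if t == "jms":
        return app, f"{fields['destinationType']}/{fields['resource']}", fields.get("action"), fields["resource"]
    if t == "url":
        ctx, uri = fields["contextPath"].strip("/"), fields["uri"].strip("/")
        return app, f"{ctx}/{uri}", fields.get("httpMethod"), uri
    if t == "jndi":
        return app, fields["path"], fields.get("action"), fields["path"]
    if t == "svr":
        return app, fields["server"], fields.get("action"), fields["server"]
    raise ValueError(f"unsupported weblogic-resource type: {t}")


def lookup(config_xml: str, line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return the (application, hierarchy, action) CEPM would be asked about, or None
    when no <weblogic-resource> entry in the config covers this request. The action
    is passed on only when the matching entry has enableaction="true"."""
    fields = parse_resource_id(line)
    app, hierarchy, action, match_name = to_cepm(fields)
    webapp = hierarchy.split("/")[0]
    root = ET.fromstring(config_xml.strip())
    for ea in root.iter("enterprise-application"):
        if ea.get("name") != app:
            continue
        for wa in ea.iter("web-application"):
            if wa.get("name", "").strip("/") != webapp:  # config may carry a leading "/"
                continue
            for wr in wa.iter("weblogic-resource"):
                if wr.get("type") != fields["type"]:
                    continue
                names = [n.strip() for n in (wr.text or "").split(",")]
                if "*" in names or match_name in names:
                    enabled = wr.get("enableaction", "false").lower() == "true"
                    return app, hierarchy, (action if enabled else None)
    return None
```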

Example of a Customized SSPI Authorization Process


Step 1 Login to the sample portal running in the WebLogic server. The username entered in the login page is taken as the subject in the authorization request.


Note In the absence of the subject (that is, if the subject is null), the subject is considered as "wls_anonymous_user".


The sample portal contains three portlets. For example:

beaportlet

dev2dev

secportlet

Figure 2 Sample Portal

Step 2 Assume that the necessary arrangements have been made in the administration console by creating a resource hierarchy with the sample portal as the application and the portlets as resources. To control access to all or any of the portlets of the sample portal, configure the entitlement policies by defining allow policies on all the portlets from the user-based screen, as shown in Figure 3 (Policy Creation).

Figure 3 Policy Creation

With this setting, you can view all the portlets in the sample portal.

Figure 4 Portlet View

Step 3 Set a deny policy on secportlet.portlet in the administration console, as shown in Figure 5 (Deny Policy):

Figure 5 Deny Policy

This setting makes secportlet.portlet unavailable in the sample portal.

Figure 6 Secportlet in Sample Portal

Step 4 Similarly, set deny policies on secportlet.portlet and dev2dev.portlet in the administration console, as shown in Figure 7 (Deny Policy-secportlet.portlet and dev2dev):

Figure 7 Deny Policy-secportlet.portlet and dev2dev

As a result, the user cannot access the selected portlets in the sample portal.

Figure 8 Sample Portal without selected portlets

In this way, the authorization process is carried out by customizing the SSPI in the WebLogic server with CEPM to protect resources such as Portlets, Pages, Books, Desktop, and EJBs.


How to Protect Actions of a WebLogic Portal

The SSPI Agent can also protect the actions (modes) of a WebLogic portal. Using the administration console, you can control the use of a few of the actions available in the portal. A WebLogic portal can have various actions (some are shown in Figure 9, WebLogic Portal). At present, you can control access only to the View, Edit, Delete, Minimize, and Maximize actions; you cannot control other actions such as Help and Float.

Figure 9 WebLogic Portal

To use this SSPI Agent feature, you must create these actions under the corresponding portal in the resource tree in the administration console, as shown in Figure 10 (Action creation in Sample Portal).

Figure 10 Action creation in Sample Portal

You must define an allow or deny policy on each action; the effects are described in Table 1.

Table 1 Actions with Allow and Deny Policy

Minimize
  Allow: User can minimize the portlet using this button.
  Deny: The user cannot view the Minimize button.

Maximize
  Allow: User can maximize the portlet using this button.
  Deny: The user cannot view the Maximize button.

Edit
  Allow: User can edit the content of the portlet using this button.
  Deny: The user cannot view the Edit button.

Delete
  Allow: User cannot view the portlet using this button.
  Deny: The user cannot view the Delete button.

View
  Allow: User can view the contents of the portlet using this button.
  Deny: The user cannot view the View button.


Integrating the SSPI Agent in Static Application Using In-Process PDP

To integrate the SSPI Agent in Static Application using in-process PDP, follow these steps:


Step 1 Unzip the SSPI_With_INPROCESSPDP_Consolidated.zip file to the desired location on your local machine. The extracted folder path is referred to as SSPI_INPROCESSPDP_HOME.

Step 2 Open the configure.properties file from the ...SSPI_INPROCESSPDP_HOME/bin folder and update the parameters in the following sequence:

a. Update the DOMAIN_NAME= parameter with the domain name (repository name).

b. Update CEPM.DB_SELECTION= parameter with database properties. If no selection is made, it will default to Oracle.

c. Update the following database properties:

CEPM.DB_URL= Database URL in the form of jdbc:oracle:thin:@host:port:databaseName

CEPM.DB_USR= Database user name

CEPM.DB_PWD= Database password

CEPM.DB_DRIVER= Database driver name


Note The database password is configured in encrypted format in the configuration files. To get an encrypted password, run the <CEPM_HOME>\bin\encryptor.bat(sh) file using the following command:

For Windows—encryptor.bat JAVA_HOME Password

For Solaris/Linux—encryptor.sh JAVA_HOME Password

Where JAVA_HOME is replaced with the corresponding folder path for JAVA_HOME and Password is replaced with the chosen database password.

When this command is executed, an encrypted password is displayed. You must copy this encrypted password in the Password parameter of the database properties in the configure.properties file.


Step 3 Run the configure.bat(sh) file from the ...\SSPI_INPROCESSPDP_HOME\bin folder, as appropriate for your OS. This updates the pdp_config.xml file with the required database details.

Step 4 Copy CEPMInprocessAuthorizer.jar file from SSPI_INPROCESSPDP_HOME into the $BEA_HOME\weblogic92\server\lib\mbeantypes folder.

Step 5 Add Java properties, such as CEPM.AGENTCONFIG, CEPM_HOME, and CEPM.DECISIONCACHECONFIG to JAVA_PROPERTIES of setDomainEnv.cmd for specifying the directory path of the pdp_config.xml, CEPM_HOME, and jbosscache.xml files. For example:

JAVA_PROPERTIES = -DCEPM.AGENTCONFIG=$SSPI_INPROCESSPDP_HOME\config\pdp\pdp_config.xml 
-DCEPM_HOME=$SSPI_INPROCESSPDP_HOME 
-DCEPM.DECISIONCACHECONFIG=$SSPI_INPROCESSPDP_HOME\config\jbosscache\jbosscache.xml

Step 6 Edit the sspi-config tag values in the pdp_config.xml file. Refer to "Sample <weblogic-resource> Tags for Supported Resource Types" section for supported resource types.

Step 7 Start the WebLogic server by running the startWeblogic.cmd file from the $BEA_HOME\weblogic92\samples\domains\portal\bin folder.

Step 8 Open the WebLogic server administration console.

Step 9 In the left pane, click Security Realms.

Step 10 Go to myRealm > Providers > Authorization > Lock and Edit.

Step 11 Click New.

Step 12 Configure a new authorizer as CEPMAuthorizer and choose SSPIAuthorizer from the drop-down list.

Name—CEPMAuthorizer

Type—SSPIAuthorizer

Step 13 Click CEPMAuthorizer link.

Step 14 Click Provider Specific, check Policy Deployment Enabled, and click Save.

Step 15 In the top left corner, click Activate Changes.

Step 16 While deploying any application or module, select Custom Roles and Policies. Use only roles and policies that are defined in the administration console for the security model.

Step 17 Copy the thirdpartylib_inprocess.jar and InProcessPDP.jar files to the lib folder of your application domain (that is, $BEA_HOME\weblogic92\samples\domains\portal\lib).


Note If your database is MSSQL, then copy the sqljdbc.jar file to the lib folder of your application domain. Similarly, if your database is DB2, copy the db2jcc.jar, db2jcc_javax.jar, and db2jcc_license_cu.jar files to the lib folder of your application domain.


Step 18 With WebLogic9.2, add the following tag to the config.xml file found in your application domain (that is, $BEA_HOME\weblogic92\samples\domains\portal\config).

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

This should be a part of <security-configuration> tag.

Step 19 Restart the WebLogic server.

Step 20 Run the application and access the resources you set up for entitlement checking. On the server console, the message "The user is entitled to perform the operation" is displayed if the user is entitled to perform the operation. If the user is not entitled to perform the operation, the message "The user is not entitled to perform the operation" is displayed.


Documentation Updates

Table 2 Updates to CEPM SSPI Agent Guide

Date            Description
July 9, 2009    Minor edits and template/boilerplate updates for publication to Cisco.com
April 3, 2009   Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0


Related Documentation

CEPM_User_Guide_V3.3.0.0.pdf

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

© 2009 Cisco Systems, Inc. All rights reserved

