CEPM PAP Configuration Guide
Revised: January 6, 2012, Doc Part No: OL-19571-01
Contents
•Elements of pap_config.xml File
•Obtaining Documentation and Submitting a Service Request
About This Document
Objective
This document explains the various elements present in the Policy Administration Point (PAP) configuration file pap_config.xml. This file is located in the Cisco Enterprise Policy Manager (CEPM) installation directory \<CEPM_HOME>\config\.
Audience
This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.
Introduction
This document explains the various elements present in the Cisco Enterprise Policy Manager (CEPM) PAP configuration file pap_config.xml. This file is located in the CEPM installation directory \<CEPM_HOME>\config\.
The pap_config.xml file contains the following PAP configurations.
•Database connection: <db>
•JMS connection: <jms>
•Prehook handlers: <handlers>
•UI authentication: <authentication>
•Encryption algorithm and implementer: <encryption>
•Callback handlers: <callbackhandlers>
•XACML log: <xacml-log>
•Admin logs: <admin-logs>
Password Encryption in CEPM
You must set the password value for some elements in the pap_config.xml file, for example the database user password and the JMS user password. These password values must be entered in an encrypted format.
To encrypt the password value:
Step 1 Run the encryptor.bat file, which is located in the \<CEPM_HOME>\installer\bin\ folder.
Step 2 Run the following command at the console:
•For Windows:
encryptor.bat JAVA_HOME <password>
•For Solaris/Linux:
encryptor.sh JAVA_HOME <password>
JAVA_HOME is the environment variable that contains the location of the Java Runtime Environment (JRE) home directory. The <password> is the password of the user to be encrypted.
When this command is run, the encrypted password is displayed on the console.
Step 3 Copy the encrypted password and paste it as the value for the appropriate <password> element in the pap_config.xml file.
Case Sensitivity
The configuration values are not case sensitive (except for Java class names, user names, passwords, and file paths). For example, the values Oracle, oracle, and ORACLE are considered the same by the PAP.
Elements of pap_config.xml File
Here is a sample pap_config.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<securent>
  <db name="default">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <username>username</username>
      <password>XBKO7w9gh3tEq6iEZjvEnQ==</password>
      <url>jdbc:oracle:thin:@10.77.116.162:1521:cepmdev</url>
      <driver>oracle.jdbc.driver.OracleDriver</driver>
      <maxconnections>20</maxconnections>
      <maxconnectiontime>120</maxconnectiontime>
      <idleconnectiontime>300</idleconnectiontime>
      <poolName>Default Domain</poolName>
      <eventenable><value>true</value></eventenable>
    </properties>
  </db>
  <jms>
    <env>
      <url>tcp://localhost:61616</url>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
      <username>ActiveMQConnection.DEFAULT_USER</username>
      <password>c6p96kuD91p3Gwazl0JnE652dQh1QLrLMfnDulySruPVDpfLSgm3Mw==</password>
      <replyTopic>replyTopicName2</replyTopic>
    </env>
    <reconnect_interval>100000</reconnect_interval>
    <useJndi>false</useJndi>
    <jndi>
      <providerUrl>tcp://localhost:61616</providerUrl>
      <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
      <jndiUserName></jndiUserName>
      <jndiPassword></jndiPassword>
    </jndi>
  </jms>
  <shared_repository>true</shared_repository>
  <handlers>
    <common-properties>
      <sessionuser>superuser</sessionuser>
      <sessionpassword>admin</sessionpassword>
    </common-properties>
    <handler name="JMSSYNCHandler" enabled="false" type="*.*">
      <impl>net.securent.jms.PAPHandler</impl>
      <properties></properties>
    </handler>
    <handler name="JMSPAPSYNCHandler" enabled="false" type="*.*" handlerType="posthook">
      <impl>com.cisco.epm.jms.SyncHandler</impl>
      <properties></properties>
    </handler>
  </handlers>
  <authentication type="db" class="net.securent.util.db.DBAuthenticator">
    <properties refer="true" name="default">
      <property name="db-type">oracle</property>
      <property name="username">bprasad</property>
      <property name="password" encrypted="true">xiicLTdcE2g=</property>
      <property name="url">jdbc:oracle:thin:@bprasad-lpt:1521:bprasad</property>
      <property name="driver">oracle.jdbc.driver.OracleDriver</property>
    </properties>
  </authentication>
  <usermgr>
    <implclass>net.securent.kernel.usermanager.db.DBUserMgr</implclass>
  </usermgr>
  <encryption>
    <implementors>
      <crypt>com.cisco.epm.util.auth.encryptor.crypt.DefaultCryptEncryptor</crypt>
    </implementors>
  </encryption>
  <callbackhandlers>
    <keycallbackhandler usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackhandler>
  </callbackhandlers>
  <dao-configuration>config/dao_config.xml</dao-configuration>
  <xacml-log type="db">
    <db refer="true" name="default">
      <properties>
        <db-type>oracle</db-type>
        <username>name</username>
        <password>xiicLTdcE2g=</password>
        <url>jdbc:oracle:thin:@bprasad-lpt:1521:bprasad</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
      </properties>
    </db>
  </xacml-log>
  <admin-logs>
    <adminlog>com.cisco.epm.util.DBAdminLogHandler</adminlog>
  </admin-logs>
</securent>
The <securent> element is the topmost element (root element) of the PAP configuration file. All the other XML elements are the subelements of <securent>. The XML elements in the pap_config.xml file are explained in detail in the following sections.
<db>
The <db> element contains the subelements related to database connection details for connecting to the CEPM repository from the PAP UI.
CEPM supports the following database servers:
–Oracle
–Microsoft SQL Server
–DB2
This element also contains the subelements related to the database connection pool. The PAP allows you to use the database connection pool provided by any one of the following:
–CEPM
–WebLogic Server
–WebSphere Server
•name attribute—Provides a name for this database connection. By default, it is set to value default.
•<impl>—Name of the Java class used for the database connection pool. Configure the following class names depending on the database connection pool provider:
–CEPM—This is configured by default as net.securent.util.db.ConnectionPool
–WebLogic server—This is configured by default as net.securent.util.db.WebLogicConnectionPool
–WebSphere server—This is configured by default as net.securent.util.db.WebSphereConnectionPool
•<properties>—The subelements in this section vary depending on the database connection pool class used in the <impl> element. This is the database connection pool provided either by CEPM or the WebLogic server.
Using Database Connection Pool Provided by CEPM
You must configure the following <properties> subelements to use the database connection pool provided by CEPM:
•<db-type>—Type of the PAP database. CEPM supports Oracle, Microsoft SQL Server and DB2 databases. If you are using:
–Oracle database, set the database value to oracle.
–Microsoft SQL Server database, set the database value to mssql.
–DB2 database, set the database value to db2.
•<username>—Name of the database user to connect to the PAP database.
•<password>—Password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
•<url>—JDBC connection string to connect to the PAP database. The PAP supports the Oracle Thin driver, the Oracle Thick driver (which is the OCI driver), and the MS SQL Server driver. The database connection URL uses one of the following formats, depending on the database driver used.
Oracle Thin Driver
Format:
jdbc:oracle:thin:@<host>:<port>:<SID>
where:
–<host>—The machine IP address where the database is running.
–<port>—The port number where the database listener is running.
–<SID>—The SID of Oracle database.
Example:
jdbc:oracle:thin:@131.107.0.23:1521:cepmdev
Oracle Thick Driver
Format:
jdbc:oracle:oci8:@<tns-listener-name>
where:
–<tns-listener-name>—The TNS LISTENER name of the database service. This is configured in the TNSNAMES.ORA file present in the Oracle client installation directory ORACLE_HOME/network/admin/
Example:
jdbc:oracle:oci8:@cepmdev
MS SQL Server Driver
Format:
jdbc:sqlserver://<host>:<port>;databaseName=<DB name>
where:
–<host>—The machine IP address where the database is running.
–<port>—The port number where the database listener is running.
–<DB name>—The SQL Server database name.
Example:
jdbc:sqlserver://131.107.2.205:3279;databaseName=cepmdev
DB2 Driver
Format:
jdbc:db2j:net://<host>:<port>/<sid>
where:
–<host>—The machine IP address where the database is running.
–<port>—The port number where the database listener is running.
–<SID>—The SID of DB2 database.
•<driver>—JDBC driver class.
–For Oracle:
oracle.jdbc.driver.OracleDriver
–For MS SQL Server:
com.microsoft.sqlserver.jdbc.SQLServerDriver
–For DB2:
com.ibm.db2.jcc.DB2Driver
•<maxconnections>—Maximum number of database connections in pool.
•<maxconnectiontime>—Maximum time in seconds to wait for the database connection to be available.
•<idleconnectiontime>—Number of seconds a connection should remain unused in the pool before the connection is disconnected and closed.
•<poolName>—Name of the connection pool. By default, it is set to Default Domain.
Note The pool name is the same as the domain name that the PAP administrator selects when logging in to the PAP console. This is set during the PAP installation. The value for this element should not be edited manually.
•<eventenable>—Set its value to True in the following scenarios:
–If you want to use the getUpdatedUsersAsArray() or getUpdatedUsers() API methods of the ISubject interface. These API methods get all the users whose permissions are modified by a specific administrator for a specific duration for a specific application.
–If the Policy Enforcement Point (PEP) needs to update the cache data with only the changed decisions.
Using Database Connection Pool Provided by WebLogic
You must configure the following <properties> subelements to use the database connection pool provided by the WebLogic server:
Note The values for the following subelements can be empty if the PAP application and WebLogic server are deployed in the same Java Virtual Machine (JVM): <context-provider-url>, <context-username>, <context-password>.
•<db-type>—This specifies the PAP database type. CEPM supports Oracle and Microsoft SQL Server databases. If you are using:
–Oracle database, set the database value to oracle.
–Microsoft SQL Server database, set the database value to mssql.
–DB2 database, set the database value to db2.
•<initial-context-factory>—Set its value to weblogic.jndi.WLInitialContextFactory.
•<context-provider-url>—Set its value to t3://<Machine IP Address>:<port> where <Machine IP Address> is the IP address of the machine on which the WebLogic application server is running and <port> is the port number on which this service is available. The default port used by the WebLogic server is 7001.
•<context-username>—Set its value to the user name of the WebLogic context. By default, its value is set to weblogic.
•<context-password>—The password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
•<datasource-jndi>—Set its value to the appropriate JNDI datasource name.
•<poolName>—This is the name of the database connection pool. By default, its value is set to Default Domain.
Note The pool name is the same as the domain name that the PAP administrator selects when logging in to the PAP application. This is set during the PAP installation. The value for this element should not be edited manually.
Using Database Connection Pool Provided by WebSphere
You must configure the following subelements of the <properties> element to use the database connection pool provided by the WebSphere server:
Note The values for the following subelements can be empty if the PAP application and WebSphere server are deployed in the same JVM: <context-provider-url>, <context-username>, <context-password>.
•<db-type>—This specifies the PAP database type. CEPM supports Oracle and Microsoft SQL Server databases. If you are using:
–Oracle database, set the database value to oracle.
–Microsoft SQL Server database, set the database value to mssql.
–DB2 database, set the database value to db2.
•<initial-context-factory>—Set its value to com.ibm.websphere.naming.WsnInitialContextFactory.
•<context-provider-url>—Set its value to t3://<Machine IP Address>:<port> where <Machine IP Address> is the IP address of the machine on which the WebLogic application server is running and <port> is the port number on which this service is available.
•<context-username>—Set its value to the user name of the WebSphere context.
•<context-password>—The password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
•<datasource-jndi>—Set its value to the appropriate JNDI datasource name.
•<poolName>—This is the name of the database connection pool. By default, its value is set to Default Domain.
Note The pool name is the same as the domain name that the PAP administrator selects when logging in to the PAP application. This is set during the PAP installation. The value for this element should not be edited manually.
Sample <db> Element Configuration Using CEPM Connection Pool
Case 1: Oracle Database with Thin Driver
<db name="mydb"> <!-- name of the database connection -->
  <impl>net.securent.util.db.ConnectionPool</impl>
  <properties>
    <db-type>oracle</db-type>
    <username>testuser</username>
    <password>R7mNxexTum8=</password>
    <url>jdbc:oracle:thin:@localhost:1521:cepmdev</url>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
    <maxconnections>20</maxconnections>
    <maxconnectiontime>120</maxconnectiontime>
    <idleconnectiontime>300</idleconnectiontime>
    <poolName>Default Domain</poolName>
    <eventenable><value>true</value></eventenable>
  </properties>
</db>
Case 2: Oracle Database with Thick Driver
<db name="mydb"> <!-- name of the database connection -->
  <impl>net.securent.util.db.ConnectionPool</impl>
  <properties>
    <db-type>oracle</db-type>
    <username>testuser</username>
    <password>R7mNxexTum8=</password>
    <url>jdbc:oracle:oci8:@cepmdev</url>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
    <maxconnections>20</maxconnections>
    <maxconnectiontime>120</maxconnectiontime>
    <idleconnectiontime>300</idleconnectiontime>
    <poolName>Default Domain</poolName>
    <eventenable><value>true</value></eventenable>
  </properties>
</db>
Case 3: MS SQL Server Database
<db name="mydb"> <!-- name of the database connection -->
  <impl>net.securent.util.db.ConnectionPool</impl>
  <properties>
    <db-type>mssql</db-type>
    <username>testuser3</username>
    <password>R7mNxexTum8=</password>
    <url>jdbc:sqlserver://localhost:1433;databaseName=cepmdev</url>
    <driver>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver>
    <maxconnections>20</maxconnections>
    <maxconnectiontime>120</maxconnectiontime>
    <idleconnectiontime>300</idleconnectiontime>
    <poolName>Default Domain</poolName>
    <eventenable><value>true</value></eventenable>
  </properties>
</db>
Case 4: DB2 Database
<db name="mydb"> <!-- name of the database connection -->
  <impl>net.securent.util.db.ConnectionPool</impl>
  <properties>
    <db-type>db2</db-type>
    <username>username</username>
    <password>EncryptedPassword</password>
    <driver>com.ibm.db2.jcc.DB2Driver</driver>
    <maxconnections>20</maxconnections>
    <maxconnectiontime>120</maxconnectiontime>
    <idleconnectiontime>300</idleconnectiontime>
    <poolName>Default Domain</poolName>
    <eventenable><value>true</value></eventenable>
  </properties>
</db>
Sample <db> Element Configuration using the WebLogic Connection Pool
Note The values for the following subelements can be null if the PAP application and WebLogic server are deployed in the same JVM—<context-provider-url>, <context-username>, <context-password>.
<db name="mydb"> <!-- name of the database connection -->
  <!-- Weblogic provided connection pool class -->
  <impl>net.securent.util.db.WebLogicConnectionPool</impl>
  <properties>
    <db-type>oracle</db-type>
    <initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory>
    <context-provider-url>t3://localhost:7001</context-provider-url>
    <context-username>weblogic</context-username>
    <context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password>
    <datasource-jndi>SampleJNDIFromSecurentDomain</datasource-jndi>
    <poolName>Default Domain</poolName> <!-- same as the domain name -->
    <eventenable><value>true</value></eventenable>
  </properties>
</db>
Sample <db> Element Configuration using the WebSphere Connection Pool
Note The values for the following subelements can be null if the PAP application and WebSphere server are deployed in the same JVM—<context-provider-url>, <context-username>, <context-password>.
<db name="mydb"> <!-- name of the database connection -->
  <!-- WebSphere provided connection pool class -->
  <impl>net.securent.util.db.WebSphereConnectionPool</impl>
  <properties>
    <db-type>oracle</db-type>
    <initial-context-factory>com.ibm.websphere.naming.WsnInitialContextFactory</initial-context-factory>
    <context-provider-url>iiop://localhost:2809</context-provider-url>
    <context-username>webshere</context-username>
    <context-password>uYgp9FZIEnREq6iEZjvEnQ==</context-password>
    <datasource-jndi>WSJNDI</datasource-jndi>
    <poolName>Default Domain</poolName> <!-- same as the domain name -->
    <eventenable><value>true</value></eventenable>
  </properties>
</db>
<dao-configuration>
DAO (Data Access Objects) is an application program interface (API) that allows a programmer to request access to various databases. The <dao-configuration> element contains the name and path of the configuration file that contains the list of DAO interface classes used in the PAP to access various databases. CEPM supports Oracle and MS SQL Server databases. The DAO configuration file is present in the installation directory \<CEPM_HOME>\config/dao_config.xml.
By default, its value is set to config/dao_config.xml.
Note The value of this element should not be edited.
<shared-repository>
Set the <shared-repository> element value to False for PAP and True for Policy Decision Point (PDP) components in order to post the event details from PAP to PDP policy cache.
If this value is set to False, the PAP communicates with the PDP using Java Messaging Service (JMS). JMS configuration details are required in order to post the event details from PAP to PDP policy cache. In this case, you must configure the <jms> element. For details on configuring the <jms> element, see "<jms>".
For PAP configuration examples related to shared and non-shared modes of operation between the PAP and the PDP, refer to "<jms>".
<jms>
The <jms> element contains the subelements for configuring the JMS properties for the PAP to communicate with the PDP when these two components are configured in non-shared mode. CEPM supports the following JMS providers:
•ActiveMQ from Apache (comes bundled with the PAP by default)
•WebLogic JMS
•Tibco JMS
Note For the JMS mechanism to work in the non-shared mode of PAP-PDP operation, use the following configuration settings for the <shared_repository> and <handler> elements:
<shared_repository>false</shared_repository>
<handler name="JMSSYNCHandler" enabled="true" type="*.*">
<impl>net.securent.jms.PAPHandler</impl>
</handler>
The following are the <jms> subelements:
•<reconnect_interval>—This contains the time-interval in milliseconds between the reconnect attempts for the PAP to connect to the JMS server, in case the JMS server is down.
•<useJndi>—Set its value to true if you have to look up the JMS service provider using JNDI.
If the <useJndi> value is set to True:
–Provide values for the <env> subelements <connectionFactory> and <replyTopic>. The PAP ignores values set for the subelements <url>, <username>, and <password>.
–Provide details for the <jndi> subelements <providerUrl>, <providerCtxFactory>, <jndiUserName>, and <jndiPassword>.
If the <useJndi> value is set to False:
–Provide details for the <env> subelements <url>, <connectionFactory>, <username>, <password>, and <replyTopic>.
–The PAP ignores the <jndi> element, so you do not need to set the values for its subelements <providerUrl>, <providerCtxFactory>, <jndiUserName>, and <jndiPassword>.
•<env>—This element contains the following subelements related to the JMS connection. For more details on how to set these values, please refer to the Note.
–<url>—JMS Server URL.
Format:
For ActiveMQ—tcp://<machine IP Address>:<port>
For WebLogic JMS—t3://<machine IP Address>:<port>
For Tibco JMS—tcp://<machine IP Address>:<port>
where <machine IP Address> is the IP address of the machine on which JMS Service is available and <port> is the port number on which this service is available.
–<connectionFactory>—Java class name of the JMS Provider's Context Factory.
For ActiveMQ—org.apache.activemq.ActiveMQConnectionFactory
For WebLogic JMS—weblogic.jms.ConnectionFactory
For Tibco JMS—com.tibco.tibjms.TibjmsTopicConnectionFactory
–<username>—Name of the JMS server user.
Note If you are using ActiveMQ JMS, set the <username> value to ActiveMQConnection.DEFAULT_USER.
–<password>—Password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
Note If you are using ActiveMQ JMS, set the <password> value to the encrypted value of ActiveMQConnection.DEFAULT_PASSWORD.
–<replyTopic>—Name of the JMS Topic to which the reply should be sent by the receiver of the message.
•<jndi>—Set the subelements for this element if you have to look up the messaging service provider using JNDI. For this, first set the <useJndi> element value to true, as explained earlier. The <jndi> element contains the following subelements: <providerUrl>, <providerCtxFactory>, <jndiUserName>, and <jndiPassword>.
–<providerUrl>—JMS Server URL. This value should be the same as provided for <url> subelement of the <env> element explained earlier.
Format:
–For ActiveMQ—tcp://<machine IP Address>:<port>
–For WebLogic JMS—t3://<machine IP Address>:<port>
–For Tibco JMS—tcp://<machine IP Address>:<port>
where <machine IP Address> is the IP address of the machine on which JMS Service is available and <port> is the port number on which this service is available.
Example:
–For ActiveMQ—tcp://131.107.0.68:61616
–For WebLogic JMS—t3://131.107.0.68:7011
–For Tibco JMS—tcp://131.107.0.68:7222
For more details on how to set these values, refer to Note.
–<providerCtxFactory>—The Java class name of the remote JMS Provider's JNDI lookup service.
–For ActiveMQ—org.apache.activemq.jndi.ActiveMQInitialContextFactory
–For WebLogic JMS—weblogic.jndi.WLInitialContextFactory
–For Tibco JMS—com.tibco.tibjms.naming.TibjmsInitialContextFactory
–<jndiUserName>—Set its value to JNDI user name.
–<jndiPassword>—Password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
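The <useJndi> rules and the non-shared-mode Note above can be checked mechanically before a pap_config.xml is deployed. The following Python check is an added example, not part of the Cisco guide or of CEPM; the function name check_jms and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: non-shared mode with JNDI lookup requested, but the
# <jndi> block is incomplete and the JMS sync handler is left disabled.
SAMPLE = """<securent>
  <shared_repository>false</shared_repository>
  <jms>
    <useJndi>true</useJndi>
    <reconnect_interval>120000</reconnect_interval>
    <env>
      <url>tcp://localhost:61616</url>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
      <replyTopic>replyTopicName</replyTopic>
    </env>
    <jndi>
      <providerUrl>tcp://localhost:61616</providerUrl>
      <providerCtxFactory></providerCtxFactory>
    </jndi>
  </jms>
  <handlers>
    <handler name="JMSSYNCHandler" enabled="false" type="*.*">
      <impl>net.securent.jms.PAPHandler</impl>
    </handler>
  </handlers>
</securent>"""

# Field sets taken from the <useJndi> rules in this guide.
ENV_WITH_JNDI = ("connectionFactory", "replyTopic")
ENV_WITHOUT_JNDI = ("url", "connectionFactory", "username", "password", "replyTopic")
JNDI_FIELDS = ("providerUrl", "providerCtxFactory", "jndiUserName", "jndiPassword")
IGNORED_ENV_WITH_JNDI = ("url", "username", "password")
SYNC_HANDLER_IMPL = "net.securent.jms.PAPHandler"


def _text(parent, tag):
    """Stripped text of a child element, or '' if the parent or child is absent."""
    if parent is None:
        return ""
    return (parent.findtext(tag) or "").strip()


def _is_true(value):
    # The guide states that configuration values are not case sensitive.
    return value.strip().lower() == "true"


def check_jms(xml_text):
    """Return (severity, message) findings for the <jms> and sync-handler rules."""
    root = ET.fromstring(xml_text)
    if _is_true(_text(root, "shared_repository")):
        return []  # shared mode: the PAP does not reach the PDP over JMS
    jms = root.find("jms")
    if jms is None:
        return [("error", "non-shared mode requires a <jms> element")]

    findings = []
    env, jndi = jms.find("env"), jms.find("jndi")
    if _is_true(_text(jms, "useJndi")):
        required = [("env", env, t) for t in ENV_WITH_JNDI]
        required += [("jndi", jndi, t) for t in JNDI_FIELDS]
        # Stale values here are ignored by the PAP but still sit in the file.
        for tag in IGNORED_ENV_WITH_JNDI:
            if _text(env, tag):
                findings.append(
                    ("info", f"env/{tag} is set but ignored when useJndi is true"))
    else:
        required = [("env", env, t) for t in ENV_WITHOUT_JNDI]

    for group, parent, tag in required:
        if not _text(parent, tag):
            findings.append(("error", f"{group}/{tag} is missing or empty"))

    # Handler names can be customized, so match on the implementation class.
    sync_enabled = any(
        _text(h, "impl") == SYNC_HANDLER_IMPL and _is_true(h.get("enabled", ""))
        for h in root.iter("handler")
    )
    if not sync_enabled:
        findings.append(("error", f"no enabled handler with impl {SYNC_HANDLER_IMPL}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_jms(SAMPLE):
        print(f"{severity}: {message}")
```
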
Sample <shared-repository> Element Configuration
The <shared_repository> element value should be set to False. The database details configured under the <db> element are the same for the PAP and PDP. JMS configuration details are required in order to post the event details from PAP to PDP policy cache.
<!-- Shared Repository Flag -->
<!-- set its value to false so that PAP and PDP use the same database instance
to store their data -->
<shared_repository>false</shared_repository>
<!-- Entitlement Repository Database Details. As shared_repository flag is set
to false, following database details are common for both, PAP and PDP -->
<db name="mydb">
  <!-- using CEPM provided database connection pool class -->
  <impl>net.securent.util.db.ConnectionPool</impl>
  <properties>
    <db-type>oracle</db-type>
    <username>testuser</username>
    <password>R7mNxexTum8=</password>
    <url>jdbc:oracle:thin:@131.107.0.23:1521:secdev</url>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
    <maxconnections>20</maxconnections>
    <maxconnectiontime>120</maxconnectiontime>
    <idleconnectiontime>300</idleconnectiontime>
    <poolName>Default Domain</poolName> <!-- same as the domain name -->
    <eventenable><value>false</value></eventenable>
  </properties>
</db>
CEPM supports the following JMS providers:
•ActiveMQ from Apache (This comes bundled with the PAP by default).
•WebLogic JMS
•Tibco JMS
Set the <useJndi> value to true if you have to look up the JMS service provider using JNDI. For more information on how to set various subelements present under the <jms> tag, refer to "<jms>".
Case 1: ActiveMQ JMS without JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use different
database instances to store their data -->
<shared_repository>false</shared_repository>
<!-- JMS Details -->
<jms>
  <useJndi>false</useJndi>
  <reconnect_interval>120000</reconnect_interval>
  <env>
    <url>tcp://131.107.0.68:61616</url>
    <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
    <username>ActiveMQConnection.DEFAULT_USER</username>
    <password>dQh1QLrLMfnDulySruPVDpfLSgm3Mw==</password>
    <!-- password is encrypted from ActiveMQConnection.DEFAULT_PASSWORD -->
    <replyTopic>replyTopicName</replyTopic>
  </env>
</jms>
Case 2: ActiveMQ JMS with JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use different
database instances to store their data -->
<shared_repository>false</shared_repository>
<!-- JMS Details -->
<jms>
  <useJndi>true</useJndi>
  <reconnect_interval>120000</reconnect_interval>
  <env>
    <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
    <replyTopic>replyTopicName</replyTopic>
  </env>
  <jndi>
    <providerUrl>tcp://localhost:61616</providerUrl>
    <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
    <jndiUserName>jndiuser</jndiUserName>
    <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
  </jndi>
</jms>
Case 3: WebLogic JMS without JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use different
database instances to store their data -->
<shared_repository>false</shared_repository>
<!-- JMS Details -->
<jms>
  <useJndi>false</useJndi>
  <reconnect_interval>120000</reconnect_interval>
  <env>
    <url>t3://localhost:7011</url>
    <connectionFactory>weblogic.jms.ConnectionFactory</connectionFactory>
    <username>jmsuser</username>
    <password>ruPVDpfLSgm3Mw==</password>
    <replyTopic>replyTopicName</replyTopic>
  </env>
</jms>
Case 4: WebLogic JMS with JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use different
database instances to store their data -->
<shared_repository>false</shared_repository>
<!-- JMS Details -->
<jms>
  <useJndi>true</useJndi>
  <reconnect_interval>120000</reconnect_interval>
  <env>
    <connectionFactory>weblogic.jms.ConnectionFactory</connectionFactory>
    <replyTopic>replyTopicName</replyTopic>
  </env>
  <jndi>
    <providerUrl>t3://localhost:7011</providerUrl>
    <providerCtxFactory>weblogic.jndi.WLInitialContextFactory</providerCtxFactory>
    <jndiUserName>jndiuser</jndiUserName>
    <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
  </jndi>
</jms>
Case 5: Tibco JMS without JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use different
database instances to store their data -->
<shared_repository>false</shared_repository>
<!-- JMS Details -->
<jms>
  <useJndi>false</useJndi>
  <reconnect_interval>120000</reconnect_interval>
  <env>
    <url>tcp://localhost:7222</url>
    <connectionFactory>com.tibco.tibjms.TibjmsTopicConnectionFactory</connectionFactory>
    <username>jmsuser</username>
    <password>ruPVDpfLSgm3Mw==</password>
    <replyTopic>replyTopicName</replyTopic>
  </env>
</jms>
Case 6: Tibco JMS with JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use different
database instances to store their data -->
<shared_repository>false</shared_repository>
<!-- JMS Details -->
<jms>
  <useJndi>true</useJndi>
  <reconnect_interval>120000</reconnect_interval>
  <env>
    <connectionFactory>com.tibco.tibjms.TibjmsTopicConnectionFactory</connectionFactory>
    <replyTopic>replyTopicName</replyTopic>
  </env>
  <jndi>
    <providerUrl>tcp://localhost:7222</providerUrl>
    <providerCtxFactory>com.tibco.tibjms.naming.TibjmsInitialContextFactory</providerCtxFactory>
    <jndiUserName>jndiuser</jndiUserName>
    <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
  </jndi>
</jms>
<handlers>
This element contains the subelements for configuring the prehook handlers for the PAP. A prehook handler is a Java class routine that gets executed when the PAP user tries to update data in the PAP database from the PAP UI while performing any of the following operations:
•User based entitlement
•Assign resources
•Role-based entitlement
•Group-based entitlement
•Group role mapping
•Group role assignment
•User role mapping
•User group mapping
•User role assignment
•Bulk user deletion
For more information about the prehook handler, refer to CEPM User Guide.
The following are the subelements of the <handlers> element.
•<common-properties>
This contains the subelements related to the session user.
•<sessionuser>
Name of the session user.
•<sessionpassword>
Password of the above user. (This is not in encrypted format).
Note These properties are not mandatory. You can set any number of properties here as per your requirement. Once configured, these properties are available to all the handlers configured in the <handler> element.
•<handler>
This contains the attributes and subelements for configuring various prehook handlers.
•name attribute
Name of the handler. You can provide your customized handler name.
Custom Handlers: You can customize any handler name by modifying the <handlers> tag of pap_config.xml as well as the corresponding handler name in the api_configuration.xml file located in the /CEPM-V3.3.0.0/config folder. Make sure that the custom handler name matches in both of these files; a mismatch may cause errors or exceptions. For example, if you want to change the 'UserResourceMapping' handler to 'UserPolicyMapping', you must modify these files in the following manner:
In the pap_config.xml file, change the handler tag:
<handler name="UserResourceMapping" enabled="true" type="*.*" application="Prime group:Prime portal">
to
<handler name="UserPolicyMapping" enabled="true" type="*.*" application="Prime group:Prime portal">
If you are using user-to-resource mapping, that is, the mapUserToResources API from the IMapping interface, the corresponding handler tag is "RoleResourceMapping" and the action is "map". The corresponding API tag in the api_configuration.xml file is as follows:
<api name="MappingImpl:mapUserToResources" prehook-rollback="false" posthook-rollback="false">
  <handlerName>UserResourceMapping</handlerName>
  <actionEvent>
    <action>Map</action>
    <actionType>MapUserToResources</actionType>
    <actionSource>com.cisco.epm.pap.api.vo.User</actionSource>
  </actionEvent>
</api>
Change the <handlerName> tag:
<handlerName>UserResourceMapping</handlerName>
to
<handlerName>UserPolicyMapping</handlerName>
•enabled attribute
If set to true, then this handler is called for the event configured in the type attribute explained below. If set to false, then this handler is never called.
•type attribute
You can set here the type of the event for which this handler should be called.
Note This table is updated with inclusion of the entire list of handlers and the relevant action types.
The following possible event types can be set:
Note If you set the type attribute to "*.*", the handler is called for all the action types mentioned in the table.
•handlerType attribute
You can set this attribute to prehook or posthook. If set to prehook, the handler procedure is invoked before the client callbacks. If set to posthook, the API is called first and the handler is invoked afterwards.
•<impl>
Name of the implementation class of the handler. If you are using older APIs (CEPM V3.2), the impl class should be net.securent.util.handler.<HandlerName>. For new APIs, this should be com.cisco.epm.util.handler.<HandlerName>.
Example - To use the Role Handler, depending on the version, the impl class should be net.securent.util.handler.RoleHandler or com.cisco.epm.util.handler.RoleHandler
Note If you want to trigger your own entity handler by implementing the old handler class, you will get a handler exception while the corresponding event is taking place in the PAP user interface. For example, if you trigger the RoleHandler by implementing the <net.securent.util.handler.RoleHandler> class, you will get a handler exception while creating, editing or deleting a role in the PAP console.
•<properties>
This may contain any number of subelements that you want to define and use in the handler class. For example, you can provide the database connection details in this section as follows.
<properties>
    <username>sectest</username>
    <password encrypted="false">sectest</password>
    <url>jdbc:oracle:thin:@localhost:1521:devbdb</url>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
</properties>
Here the <password> element has an encrypted attribute. If it is set to true, then you can use an encrypted password to connect to the database. This is just an example to explain how you can define your own property elements and attributes as per your requirement.
Note By default, the pap_config.xml file contains the handler class net.securent.jms.PAPHandler pre-configured. This handler is provided by CEPM and should be enabled when the PAP and PDP are configured to interact with each other in non-shared mode (that is, using JMS). For more information about the non-shared mode of the PAP and PDP interaction, refer to CEPM User Guide.
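The handler rename described above only takes effect when both files agree. The following Python check is an added example (not part of the Cisco guide or of CEPM): it cross-references the handlerName entries of api_configuration.xml with the <handler> entries of pap_config.xml and also reports handlers that are disabled or still use the older net.securent.util.handler package. The embedded XML is constructed; the root element names, the RoleImpl:createRole entry and the UserPolicyMapping impl class are assumptions.

```python
import xml.etree.ElementTree as ET

OLD_IMPL_PREFIX = "net.securent.util.handler."  # handler package of the older (V3.2) APIs

# Constructed samples: the rename was done in pap_config.xml only. Root element
# names, the RoleImpl:createRole entry and the UserPolicyMapping impl class are
# assumptions made for this example.
PAP_CONFIG = """
<pap-config>
  <handlers>
    <handler name="UserPolicyMapping" enabled="true" type="*.*" handlerType="posthook">
      <impl>com.cisco.epm.util.handler.UserPolicyMapping</impl>
    </handler>
    <handler name="RoleHandler" enabled="false" type="RoleHandler" handlerType="prehook">
      <impl>net.securent.util.handler.RoleHandler</impl>
    </handler>
  </handlers>
</pap-config>
"""
API_CONFIG = """
<apis>
  <api name="MappingImpl:mapUserToResources" prehook-rollback="false" posthook-rollback="false">
    <handlerName>UserResourceMapping</handlerName>
  </api>
  <api name="RoleImpl:createRole" prehook-rollback="false" posthook-rollback="false">
    <handlerName>RoleHandler</handlerName>
  </api>
</apis>
"""


def load_handlers(pap_xml):
    """Map each <handler> name to its enabled flag and impl class."""
    handlers = {}
    for h in ET.fromstring(pap_xml.strip()).iter("handler"):
        handlers[h.get("name")] = {
            "enabled": (h.get("enabled") or "").strip().lower() == "true",
            "impl": (h.findtext("impl") or "").strip(),
        }
    return handlers


def check_handlers(pap_xml, api_xml):
    """Return (rule, subject, detail) findings for the two configuration files."""
    handlers = load_handlers(pap_xml)
    findings, referenced = [], set()
    for api in ET.fromstring(api_xml.strip()).iter("api"):
        name = (api.findtext("handlerName") or "").strip()
        if not name:
            continue
        referenced.add(name)
        handler = handlers.get(name)
        if handler is None:
            # The name in api_configuration.xml has no match in pap_config.xml.
            findings.append(("missing-handler", api.get("name"), name))
        elif not handler["enabled"]:
            # enabled="false" means the handler is never called for this API.
            findings.append(("handler-disabled", api.get("name"), name))
    for name, handler in handlers.items():
        if handler["impl"].startswith(OLD_IMPL_PREFIX):
            findings.append(("old-impl-package", name, handler["impl"]))
        if name not in referenced:
            # Informational: nothing in api_configuration.xml points at it.
            findings.append(("unreferenced-handler", name, handler["impl"]))
    return findings


if __name__ == "__main__":
    for finding in check_handlers(PAP_CONFIG, API_CONFIG):
        print(*finding, sep="  ")
```

A half-finished rename shows up as a missing-handler finding for the old name together with an unreferenced-handler finding for the new one.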
Sample <handlers> Element Configuration
<handlers>
    <common-properties>
        <sessionuser>superuser</sessionuser>
        <sessionpassword>admin</sessionpassword>
    </common-properties>
    <handler name="JMSPAPSYNCHandler" enabled="false" type="*.*" handlerType="posthook">
        <impl>com.cisco.epm.jms.SyncHandler</impl>
        <properties></properties>
    </handler>
    <handler name="RoleHandler" enabled="true" type="RoleHandler" handlerType="pre-hook">
        <impl>com.cisco.epm.util.handler.RoleHandler</impl>
        <properties>
            <username>tempuser</username>
            <password encrypted="false">tempuser</password>
            <url>jdbc:oracle:thin:@localhost:1521:cepmdev</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
        </properties>
    </handler>
</handlers>
Retrieving NVPair in the handler implementation
In compliance with the XACML standard, CEPM uses NVPair objects to store properties of an entity or entity type. You can get the key value pairs of these properties by invoking the event.getNVPairs() method, where event is the incoming object passed to the handle method of a handler class: handle(Object object, com.cisco.epm.pap.api.handler.ActionEvent event).
The following tables contain the list of keys and value types based on the APIs that you are using in the handle method:
The following sample code retrieves the key value pairs from the NVPair object:
// transactional, override, roleBundleFQN, contextFQN, activeStatus, recurrence,
// policyAttribCol, permission and appliedRule are assumed to be fields of the handler class.
public void handle(Object object, com.cisco.epm.pap.api.handler.ActionEvent event) {
    NVPair[] nvPairList = event.getNvPair();
    if (nvPairList != null) {
        for (int i = 0; i < nvPairList.length; i++) {
            // Dispatch on the key name; keys are compared case-insensitively.
            if (nvPairList[i].getKey().equalsIgnoreCase("transactional"))
                transactional = CommonUtil.getStringAsBoolean((String) nvPairList[i].getValue());
            else if (nvPairList[i].getKey().equalsIgnoreCase("override"))
                override = CommonUtil.getStringAsBoolean((String) nvPairList[i].getValue());
            else if (nvPairList[i].getKey().equalsIgnoreCase("roleBundleFQN"))
                roleBundleFQN = (String) nvPairList[i].getValue();
            else if (nvPairList[i].getKey().equalsIgnoreCase("contextFQN"))
                contextFQN = (String) nvPairList[i].getValue();
            else if (nvPairList[i].getKey().equalsIgnoreCase("activeStatus"))
                activeStatus = (String) nvPairList[i].getValue();
            else if (nvPairList[i].getKey().equalsIgnoreCase("recurrence"))
                recurrence = (Boolean) nvPairList[i].getValue();
            else if (nvPairList[i].getKey().equalsIgnoreCase("policyAttribCol"))
                policyAttribCol = (Boolean) nvPairList[i].getValue();
            else if (nvPairList[i].getKey().equalsIgnoreCase("permission"))
                permission = CommonUtil.getStringAsBoolean((String) nvPairList[i].getValue());
            else if (nvPairList[i].getKey().equalsIgnoreCase("appliedRule"))
                appliedRule = CommonUtil.getStringAsBoolean((String) nvPairList[i].getValue());
        }
    }
}
<authentication>
The <authentication> element contains the subelements for configuring the user authentication repository details to log in to the PAP console. In the PAP console, user authentication can be performed against the user data that is stored in either the database or in the LDAP server. PAP user authentication can also be configured in such a way that the existing authentication implementation present in the protected application is used for this purpose (this is also called Single Sign-On [SSO]).
•CEPM supports the following database servers:
–Oracle
–Microsoft SQL Server
–DB2
•CEPM supports the following LDAP service providers:
–Sun One Directory Server
–Novell eDirectory Server
–Active Directory Server
The following are the subelements of the <authentication> element:
•type attribute—Set its value to:
–db—user authentication details are stored in the database.
–ldap—user authentication details are stored in the LDAP server.
–sso—user authentication will be carried out by the protected application.
•<class>—Name of Java class for authentication.
Set its value to:
–For db authentication—net.securent.util.db.DBAuthenticator
–For ldap authentication—net.securent.util.db.LocalLDAPAuthenticator
–For sso authentication—net.securent.util.db.SSOAuthenticator
•<properties>—This contains the attributes and subelements for configuring the data source details where the user authentication related information is stored.
•refer attribute—Set its value to True, if the details for user authentication are stored in the same database instance where CEPM data resides.
(CEPM repository details are configured in the <db> element). In this case, set the same value for this name attribute that was set for the name attribute of <db> element (for example: default).
In this case, you do not have to provide the data source connection details for the subelement <property>.
Set its value to False, if the data source details for user authentication information is not stored in the database instance that is configured for the <db> element. In this case, you will have to provide the data source connection details for the subelement <property>.
•name attribute—If the refer attribute is set to True, then provide the same database name that was configured for the <db> element (for example: default), or provide a new name.
•<property>—Set multiple property element values, if user authentication information is not stored in the database instance that is configured for the <db> element.
You have to specify three different sets of <property> elements depending upon the type of the data source—database, ldap, or sso (as set for the type attribute of the <authentication> element).
Database Data Source
<property name="db-type">[value]</property>
If you are using:
–Oracle database, set the value of the database to oracle.
–Microsoft SQL Server database, set the value of the database to mssql.
–IBM DB2, set the value of the database to db2.
<property name="username">[value]</property>
Set value to the name of the PAP database user.
<property name="password" encrypted="true">[value]</property>
Set the value for the user password in encrypted format and set the encrypted attribute value to True. Set encrypted attribute value to False, if you do not want to set the password value in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
<property name="url">[value]</property>
Set the value to the JDBC connection string to connect to the PAP database. The PAP supports Oracle Thin Driver, Oracle Thick Driver (that is, OCI driver), and MS SQL Server driver. The database connection URL can have one of the following formats based on the database driver used.
Oracle Thin Driver
Format:
jdbc:oracle:thin:@<host>:<port>:<SID>
where:
–<host>—The machine IP address where the database is running.
–<port>—The port number where the database listener is running.
–<SID>—The SID of Oracle database.
Example:
jdbc:oracle:thin:@131.107.0.23:1521:secdev
Oracle Thick Driver
Format:
jdbc:oracle:oci8:@<tns-listener-name>
where:
–<tns-listener-name>—The TNS LISTENER name of the database service. This is configured in the TNSNAMES.ORA file present in the Oracle client installation directory: /ORACLE_HOME/network/admin/
Example:
jdbc:oracle:oci8:@secdev
MS SQL Server Driver
Format:
jdbc:sqlserver://<host>:<port>;databaseName=<DB name>
where:
–<host>—The machine IP address where the database is running.
–<port>—The port number where the database listener is running.
–<DB name>—The SQL Server database name.
Example:
jdbc:sqlserver://131.107.2.205:3279;databaseName=secdev
DB2 Driver
Format:
jdbc:db2j:net://<host>:<port>/<sid>
where:
–<host>—The machine IP address where the database is running.
–<port>—The port number where the database listener is running.
–<sid>—The SID of DB2 database.
<property name="driver">[value]</property>
Set value to the JDBC driver class.
–For Oracle—oracle.jdbc.driver.OracleDriver.
–For MS SQL Server—com.microsoft.sqlserver.jdbc.SQLServerDriver.
–For DB2—com.ibm.db2.jcc.DB2Driver.
LDAP Server Data Source
<property name="ldap-type">[value]</property>
Set the value to name of the LDAP service provider. CEPM supports three LDAP service providers.
–Sun One Directory Server—set <ldap-type> value to SunOne.
–Novell eDirectory Server —set <ldap-type> value to Novell.
–Active Directory Server—set <ldap-type> value to AD.
<property name="url">[value]</property>
Set the value to LDAP server URL.
<property name="port">[value]</property>
Set the value to LDAP server port.
<property name="ldapdn">[value]</property>
Set the value to LDAP server Base DN.
<property name="userdn">[value]</property>
Set the value to LDAP server User DN.
<property name="password" encrypted="true">[value]</property>
Set the value to the password of the user in encrypted format and set the encrypted attribute value to True. Set the encrypted attribute value to False if you do not want to set the password value in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
<property name="superuser-role">[value]</property>
Set value to the name of the role to which the super user belongs.
SSO Data Source
If authentication type is single sign-on (sso), then one property element needs to be configured with a name that has request or session as the value.
Example:
<property name="request">[value]</property>
Here set the value to the request/session attribute name that contains the value as the name of the user.
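The rules in this section can be checked mechanically before a configuration is deployed. The following Python check is an added example (not part of the Cisco guide or of CEPM): it validates an <authentication> element for the type/class pairing, the refer/name link to <db>, the properties each data source needs, the encrypted flag on passwords, and the JDBC URL format and driver class for the chosen db-type. The sample XML is constructed; the <pap-config> root element and the placement of <authentication> and <db> directly under it are assumptions, and the class is read as an attribute, as in the guide's samples.

```python
import re
import xml.etree.ElementTree as ET

# Values documented in this guide for the <authentication> element.
AUTH_CLASS = {
    "db": "net.securent.util.db.DBAuthenticator",
    "ldap": "net.securent.util.db.LocalLDAPAuthenticator",
    "sso": "net.securent.util.db.SSOAuthenticator",
}
REQUIRED = {
    "db": {"db-type", "username", "password", "url", "driver"},
    "ldap": {"ldap-type", "url", "port", "ldapdn", "userdn", "password", "superuser-role"},
}
DB_TYPES = {  # db-type -> (JDBC URL format, driver class)
    "oracle": (r"jdbc:oracle:(thin:@[^:\s]+:\d+:\w+|oci8:@[\w.-]+)",
               "oracle.jdbc.driver.OracleDriver"),
    "mssql": (r"jdbc:sqlserver://[^:\s]+:\d+;databaseName=\w+",
              "com.microsoft.sqlserver.jdbc.SQLServerDriver"),
    "db2": (r"jdbc:db2j:net://[^:\s]+:\d+/\w+", "com.ibm.db2.jcc.DB2Driver"),
}

# Constructed sample with deliberate mistakes. The <pap-config> root element and
# the placement of <authentication> and <db> directly under it are assumptions.
SAMPLE = """
<pap-config>
  <authentication type="db" class="net.securent.util.db.LocalLDAPAuthenticator">
    <properties refer="false" name="auth_db">
      <property name="db-type">oracle</property>
      <property name="username">papuser</property>
      <property name="password" encrypted="false">example-password</property>
      <property name="url">jdbc:sqlserver://192.0.2.10:1433;databaseName=papdb</property>
    </properties>
  </authentication>
  <db name="pap_db"/>
</pap-config>
"""


def check_authentication(config_xml):
    """Return a list of (rule, detail) findings for the <authentication> element."""
    root = ET.fromstring(config_xml.strip())
    auth = root.find("authentication")
    if auth is None:
        return [("no-authentication", "element not found")]
    kind = (auth.get("type") or "").lower()
    if kind not in AUTH_CLASS:
        return [("unknown-type", kind)]
    findings = []
    if auth.get("class") != AUTH_CLASS[kind]:
        findings.append(("class-mismatch", auth.get("class")))
    props = auth.find("properties")
    if props is None:
        return findings + [("no-properties", kind)]
    refer = (props.get("refer") or "").lower() == "true"
    entries = props.findall("property")
    values = {p.get("name"): (p.text or "").strip() for p in entries}
    if refer:
        # refer="true" reuses the <db> connection, so the two names must agree.
        if props.get("name") not in {d.get("name") for d in root.findall("db")}:
            findings.append(("refer-name-mismatch", props.get("name")))
    else:
        for missing in sorted(REQUIRED.get(kind, set()) - set(values)):
            findings.append(("missing-property", missing))
    if kind == "sso" and not {"request", "session"} & set(values):
        findings.append(("sso-attribute-missing", "request or session"))
    for p in entries:
        if p.get("name") == "password" and (p.get("encrypted") or "").lower() != "true":
            findings.append(("plaintext-password", "encrypted attribute is not true"))
    if kind == "db" and not refer:
        db_type = values.get("db-type", "")
        if db_type not in DB_TYPES:
            findings.append(("unknown-db-type", db_type))
        else:
            url_format, driver = DB_TYPES[db_type]
            if "url" in values and not re.fullmatch(url_format, values["url"]):
                findings.append(("url-format", values["url"]))
            if "driver" in values and values["driver"] != driver:
                findings.append(("driver-mismatch", values["driver"]))
    return findings
```

Calling check_authentication(SAMPLE) reports the class mismatch, the missing driver property, the unencrypted password and the SQL Server URL configured under an oracle db-type.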
Sample <authentication> Element Configuration
Case 1: Database Authentication when User Authentication Information is Stored in the Same Database Instance where CEPM Data Resides
In this case, set the refer attribute value to true and the name attribute value to the same database name value as provided for the name attribute value of the <db> element (that is, CEPM repository).
<!-- UI Authentication Details -->
<authentication type="db" class="net.securent.util.db.DBAuthenticator">
    <properties refer="true" name="pap_db">
        <!-- here name value is same as the one that is set for <db> name as shown in the following section - Entitlement Repository Database Details -->
    </properties>
</authentication>
<!-- Entitlement Repository Database Details -->
<db name="pap_db">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
        <db-type>oracle</db-type>
        <username>testuser</username>
        <password>R7mNxexTum8=</password>
        <url>jdbc:oracle:thin:@131.107.0.23:1521:secdev</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
        <maxconnections>20</maxconnections>
        <maxconnectiontime>120</maxconnectiontime>
        <idleconnectiontime>300</idleconnectiontime>
        <poolName>Default Domain</poolName>
        <eventenable><value>true</value></eventenable>
    </properties>
</db>
Case 2: Database Authentication when User Authentication Information is Stored in Different Database Instance from the One where CEPM Data Resides
In this case, set the refer attribute value to false and provide new database connection details of the database instance (<db-type>, <username>, <password>, <url>, <driver>) where the UI authentication details are stored.
<!-- UI Authentication Details -->
<authentication type="db" class="net.securent.util.db.DBAuthenticator">
    <properties refer="false" name="my_db">
        <!-- here name value is different from the one that is set for <db> name as shown in the following section - Entitlement Repository Database Details -->
        <property name="db-type">oracle</property>
        <property name="username">testuser2</property>
        <property name="password" encrypted="true">xiicLTdcE2g=</property>
        <property name="url">jdbc:oracle:thin:@131.107.0.10:1521:sectest</property>
        <property name="driver">oracle.jdbc.driver.OracleDriver</property>
    </properties>
</authentication>
<!-- Entitlement Repository Database Details -->
<db name="pap_db">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
        <db-type>oracle</db-type>
        <username>testuser</username>
        <password>R7mNxexTum8=</password>
        <url>jdbc:oracle:thin:@131.107.0.23:1521:secdev</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
        <maxconnections>20</maxconnections>
        <maxconnectiontime>120</maxconnectiontime>
        <idleconnectiontime>300</idleconnectiontime>
        <poolName>Default Domain</poolName>
        <eventenable><value>true</value></eventenable>
    </properties>
</db>
Case 3: LDAP Authentication
The following example considers SunOne LDAP server as the data source for UI authentication information.
<!-- UI Authentication Details -->
<authentication type="ldap" class="net.securent.util.db.LocalLDAPAuthenticator">
    <properties refer="false" name="default">
        <property name="ldap-type">AD</property>
        <property name="ldapdn">dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
        <property name="userdn">cn=administrator,cn=users,dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
        <property name="password" encrypted="true">xiicLTdcE2g=</property>
        <property name="url">ldap://131.107.2.204</property>
        <property name="port">389</property>
        <property name="superuser-role">Test</property>
    </properties>
</authentication>
Case 4: SSO Authentication
The following example considers SSO authentication, where the authentication will not be carried out by CEPM, but the authentication implementation present in the existing protected application will be used.
<!-- UI Authentication Details -->
<authentication type="sso" class="net.securent.util.db.SSOAuthenticator">
    <properties refer="false" name="default">
        <property name="request">username</property>
    </properties>
</authentication>
<encryption>
The <encryption> element contains the subelements for configuring multiple Java classes for implementing various encryption algorithms used for encrypting passwords of the PAP database user, JMS server user, LDAP server user, and so on.
The following are the subelements of the <encryption> element:
•<implementors>—This contains various encryption Java classes.
•<crypt>—Set its value to net.securent.util.auth.encryptor.DefaultCryptEncryptor.
Note The PAP supports only the crypt password scheme. The algorithm that crypt uses is based on the Data Encryption Standard (DES).
<callbackhandlers>
The callbackhandlers element contains the subelements related to the encryption configuration. The password encryption program optionally consumes user-provided input for key store location, key store password, and key name. When these parameters are not specified together, the default encryption key is used. When the default encryption key is used, the user is not required to provide a key from the getSecret() method or a KeyCallback implementation.
The following are the subelements of the <callbackhandlers> element:
•<keycallbackhandlers>—You can write your own implementation class for this element by implementing the IkeyCallback interface.
Set its value to com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider.
•usedefault attribute—Set its value to True to use the default encryption key. Otherwise, set its value to False.
Sample <callbackhandlers> Element Configuration
<callbackhandlers>
    <keycallbackhandler usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackhandler>
</callbackhandlers>
<xacml-log>
The PDP component has the option to log the Xacml requests that are received from the PEP and the Xacml responses sent to the PEP in a database that is configured in the <xacml-log> section of the PDP configuration file pdp_config.xml.
The PDP log can be viewed through the PAP UI from the Runtime Logs section. To view the logs generated by multiple PDPs, perform the following configuration in the PAP and in each PDP:
•PDP configuration for Xacml log: Configure all the PDPs to store their log information in a common database instance.
For this, configure the <xacml-log> section of the PDP configuration file, pdp_config.xml, and provide the same database connection details.
•PAP configuration for Xacml log: Configure the PAP to connect to the previously mentioned database instance where all the PDPs store their Xacml log information. This is done by configuring the <xacml-log> element in pap_config.xml file as explained below.
The following are the subelements of the <xacml-log> element:
•type attribute—Set its value to db. PDPs store Xacml logs in database.
•<db>—This contains the attributes and subelements for configuring database connection details where the Xacml log information is stored. Set these values if the type attribute value (mentioned above) is set to db.
•refer attribute—Set its value to True, if the Xacml log information is stored in the PAP database itself. The Xacml log database is the same database as given in the <db> element.
In this scenario, you do not have to provide the database connection details for the following <properties> subelements—<db-type>, <username>, <password>, <url>, <driver>.
Set its value to False, if the Xacml log database is different from the PAP database, that is, different from the one that is configured for the <db> element. In this case, you will have to provide the database connection details for the following <properties> subelements—<db-type>, <username>, <password>, <url>, <driver>.
•name attribute—If the refer attribute is set to True, provide the same database name as configured for the <db> element, or provide a new name.
•<properties>—Set its subelements if the Xacml log database is different from the PAP database, that is, if the refer attribute value is set to False. The subelements of the <properties> element are:
–<db-type>—Set its value to oracle if Xacml log information is stored in the Oracle database. Set its value to mssql if it is stored in the Microsoft SQL Server database.
–<username>—Name of the database user where Xacml log information is stored.
–<password>—The password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
–<url>—JDBC connection string to connect to the database where the Xacml log information is stored.
–<driver>—JDBC driver class.
Sample <xacml-log> Element Configuration
Case 1: Database Logging when xacml-log Information is Stored in the Same Database Instance where CEPM Data Resides (PAP Database)
In this case, set the refer attribute value to True and the name attribute value to the same database name value as provided for the name attribute value of the <db> element which is the CEPM repository.
<!-- XACML Log Details -->
<xacml-log type="db">
    <db refer="true" name="default">
        <properties>
            <db-type>oracle</db-type>
            <username>bprasad</username>
            <password>xiicLTdcE2g=</password>
            <url>jdbc:oracle:thin:@bprasad-lpt:1521:bprasad</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
        </properties>
    </db>
</xacml-log>
Case 2: Database Logging when xacml-log Information is Stored in a Different Database Instance from the One where CEPM Data Resides (PAP Database)
In this case, set the refer attribute value to False and provide new database connection details of the database instance <db-type>, <username>, <password>, <url>, <driver>, where the UI authentication details are stored.
<!-- XACML Log Details -->
<xacml-log type="db">
    <db refer="false" name="default">
        <db-type>oracle</db-type>
        <username>bprasad</username>
        <password>ZFPx34KVJsQ=</password>
        <url>jdbc:oracle:thin:@bprasad-lpt:1521:bprasad</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
    </db>
</xacml-log>
<!-- Entitlement Repository Database Details -->
<db name="pap_db">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
        <db-type>oracle</db-type>
        <username>testuser</username>
        <password>R7mNxexTum8=</password>
        <url>jdbc:oracle:thin:@131.107.0.23:1521:secdev</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
        <maxconnections>20</maxconnections>
        <maxconnectiontime>120</maxconnectiontime>
        <idleconnectiontime>300</idleconnectiontime>
        <poolName>Default Domain</poolName>
        <eventenable><value>true</value></eventenable>
    </properties>
</db>
<admin-logs>
Admin logs are configurable: write your own implementation class that extends java.util.logging.Handler and overrides methods such as publish, flush and close. Admin logs work only for the new refactored APIs.
•<adminlog>—Set its value to com.cisco.epm.util.DBAdminLogHandler.
Sample <admin-logs> Element Configuration
<admin-logs>
    <adminlog>com.cisco.epm.util.DBAdminLogHandler</adminlog>
</admin-logs>
Documentation Updates
Table 3 Updates to CEPM PAP Configuration Guide
Date                 Description
December 19, 2011    Updated shared repository information based on doc bug ID CSCtw86827.
July 7, 2009         Minor edits and template/boilerplate updates for publication to Cisco.com
April 3, 2009        Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0
Related Documentation
CEPM_User_Guide_V3.3.0.0.pdf
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.