Downloads |
 Feedback
|
Table Of Contents
Elements of pap_config.xml File
Using Database Connection Pool Provided by CEPM
Using Database Connection Pool Provided by WebLogic
Using Database Connection Pool Provided by WebSphere
Sample <db> Element Configuration Using CEPM Connection Pool
Sample <db> Element Configuration using the WebLogic Connection Pool
Sample <db> Element Configuration using the WebSphere Connection Pool
Sample <shared-repository> Element Configuration
Sample <handlers> Element Configuration
Retrieving NVPair in the handler implementation
Sample <authentication> Element Configuration
Sample <callbackhandlers> Element Configuration
Sample <xacml-log> Element Configuration
Sample <admin-logs> Element Configuration
Obtaining Documentation and Submitting a Service Request
CEPM PAP Configuration Guide
Revised: January 6, 2012, Doc Part No: OL-19571-01Contents
•
Elements of pap_config.xml File
•
About This Document
Objective
This document explains the various elements present in the Policy Administration Point (PAP) configuration file pap_config.xml. This file is located in the Cisco Enterprise Policy Manager (CEPM) installation directory
\<CEPM_HOME>\config\.Audience
This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.
Introduction
This document explains about the various elements present in the Cisco Enterprise Policy Manager (CEPM) PAP configuration file pap_config.xml. This file is located in CEPM installation directory \<CEPM_HOME>\config\.
The pap_config.xml file contains the following PAP configurations.
•
•
•
•
•
•
•
•
Password Encryption in CEPM
You must set the password value for some elements in pap_config.xml file. For example, database user password and JMS user password. These password values must be entered in an encrypted format.
To encrypt the password value:
Step 1
Step 2
•
encryptor.bat JAVA_HOME <password>
•
encryptor.sh JAVA_HOME <password>
JAVA_HOME is the environment variable that contains the location of the Java Runtime Environment (JRE) home directory. The <password> is the password of the user to be encrypted.
When this command is run, the encrypted password is displayed on the console.
Step 3
Case Sensitivity
The configuration values are not case sensitive (except for Java class names, user names, passwords, and file paths). For example the values: Oracle, oracle, and ORACLE are considered the same by the PAP.
Elements of pap_config.xml File
Here is a sample pap_config.xml file:
<?xml version="1.0" encoding="UTF-8"?><securent><db name="default"><impl>net.securent.util.db.ConnectionPool</impl><properties><db-type>oracle</db-type><username>username</username><password>XBKO7w9gh3tEq6iEZjvEnQ==</password><url>jdbc:oracle:thin:@10.77.116.162:1521:cepmdev</url><driver>oracle.jdbc.driver.OracleDriver</driver><maxconnections>20</maxconnections><maxconnectiontime>120</maxconnectiontime><idleconnectiontime>300</idleconnectiontime><poolName>Default Domain</poolName><eventenable><value>true</value></eventenable></properties></db><jms><env><url>tcp://localhost:61616</url><connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory><username>ActiveMQConnection.DEFAULT_USER</username><password>c6p96kuD91p3Gwazl0JnE652dQh1QLrLMfnDulySruPVDpfLSgm3Mw==</password><replyTopic>replyTopicName2</replyTopic></env><reconnect_interval>100000</reconnect_interval><useJndi>false</useJndi><jndi><providerUrl>tcp://localhost:61616</providerUrl><providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFac tory><jndiUserName></jndiUserName><jndiPassword></jndiPassword></jndi></jms><shared_repository>true</shared_repository><handlers><common-properties><sessionuser>superuser</sessionuser><sessionpassword>admin</sessionpassword></common-properties><handler name="JMSSYNCHandler" enabled="false" type="*.*"><impl>net.securent.jms.PAPHandler</impl><properties></properties></handler><handler name="JMSPAPSYNCHandler" enabled="false" type="*.*" handlerType="posthook"><impl>com.cisco.epm.jms.SyncHandler</impl><properties></properties></handler></handlers><authentication type="db" class="net.securent.util.db.DBAuthenticator"><properties refer="true" name="default"><property name="db-type">oracle</property><property name="username">bprasad</property><property name="password" encrypted="true">xiicLTdcE2g=</property><property name="url">jdbc:oracle:thin:@bprasad-lpt:1521:bprasad</property><property name="driver">oracle.jdbc.driver.OracleDriver</property></properties></authentication><usermgr><implclass>net.securent.kernel.usermanager.db.DBUserMgr</implclass></usermgr><encryption><implementors><crypt>com.cisco.epm.util.auth.encryptor.crypt.DefaultCryptEncryptor</crypt></implementors></encryption><callbackhandlers><keycallbackhandler usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackh andler></callbackhandlers><dao-configuration>config/dao_config.xml</dao-configuration><xacml-log type="db"><db refer="true" name="default"><properties><db-type>oracle</db-type><username>name</username><password>xiicLTdcE2g=</password><url>jdbc:oracle:thin:@bprasad-lpt:1521:bprasad</url><driver>oracle.jdbc.driver.OracleDriver</driver></properties></db></xacml-log><admin-logs><adminlog>com.cisco.epm.util.DBAdminLogHandler</adminlog></admin-logs></securent>The <securent> element is the topmost element (root element) of the PAP configuration file. All the other XML elements are the subelements of <securent>. The XML elements in the pap_config.xml file are explained in detail in the following sections.
<db>
The <db> element contains the subelements related to database connection details for connecting to the CEPM repository from the PAP UI.
CEPM supports the following databases servers:
–
–
–
This element also contains the subelements related to the database connection pool. The PAP allows you to use the database connection pool provided by any one of the following:
–
–
–
•
•
–
–
–
•
Using Database Connection Pool Provided by CEPM
You must configure the following <properties> subelements to use the database connection pool provided by CEPM:
•
–
–
–
•
•
•
Oracle Thin Driver
Format:
jdbc:oracle:thin:@<host>:<port>:<SID>where:
–
–
–
Example:
jdbc:oracle:thin:@131.107.0.23:1521:cepmdevOracle Thick Driver
Format:
jdbc:oracle:oci8:@<tns-listener-name>where:
<tns-listener-name>—The TNS LISTENER name of the database service. This is configured in the TNSNAMES.ORA file present in the Oracle client installation directory ORACLE_HOME/network/admin/
Example:
jdbc:oracle:oci8:@cepmdevMS SQL Server Driver
Format:
jdbc:sqlserver://<host>:<port>;databaseName=<DB name>where:
–
–
–
Example:
jdbc:sqlserver://131.107.2.205:3279;databaseName=cepmdevDB2 Driver
Format:
jdbc:db2j:net://<host>:<port>/<sid>where:
–
–
–
•
–
oracle.jdbc.driver.OracleDriver
–
com.microsoft.sqlserver.jdbc.SQLServerDriver
–
com.ibm.db2.jcc.DB2Driver
•
•
•
•
Note
•
–
–
Using Database Connection Pool Provided by WebLogic
You must configure the following <properties> subelements to use the database connection pool provided by the WebLogic server:
Note
•
–
–
–
•
•
<port> is the port number on which this service is available. The default port used by the WebLogic server is 7001.
•
•
•
•
Note
Using Database Connection Pool Provided by WebSphere
You must configure the following subelements of the <properties> element to use the database connection pool provided by the WebSphere server:
Note
•
–
–
–
•
•
<port> is the port number on which this service is available.
•
•
•
•
Note
Sample <db> Element Configuration Using CEPM Connection Pool
Case 1: Oracle Database with Thin Driver
<db name="mydb"> <!-- name of the database connection --><impl>net.securent.util.db.ConnectionPool</impl><properties><db-type>oracle</db-type><username>testuser</username><password>R7mNxexTum8=</password><url>jdbc:oracle:thin:@localhost:1521:cepmdev</url><driver>oracle.jdbc.driver.OracleDriver</driver><maxconnections>20</maxconnections><maxconnectiontime>120</maxconnectiontime><idleconnectiontime>300</idleconnectiontime><poolName>Default Domain</poolName><eventenable><value>true</value></eventenable></properties></db>Case 2: Oracle Database with Thick Driver
<db name="mydb"> <!-- name of the database connection --><impl>net.securent.util.db.ConnectionPool</impl><properties><db-type>oracle</db-type><username>testuser</username><password>R7mNxexTum8=</password><url>jdbc:oracle:oci8:@cepmdev</url><driver>oracle.jdbc.driver.OracleDriver</driver><maxconnections>20</maxconnections><maxconnectiontime>120</maxconnectiontime><idleconnectiontime>300</idleconnectiontime><poolName>Default Domain</poolName><eventenable><value>true</value></eventenable></properties></db>Case 3: MS SQL Server Database
<db name="mydb"> <!-- name of the database connection --> <impl>net.securent.util.db.ConnectionPool</impl><properties><db-type>mssql</db-type><username>testuser3</username><password>R7mNxexTum8=</password><url> jdbc:sqlserver://localhsot:1433;databaseName=cepmdev</url><driver>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver><maxconnections>20</maxconnections><maxconnectiontime>120</maxconnectiontime><idleconnectiontime>300</idleconnectiontime><poolName>Default Domain</poolName><eventenable><value>true</value></eventenable></properties></db>Case 4: DB2 Database
<db name="mydb"> <!-- name of the database connection --> <impl>net.securent.util.db.ConnectionPool</impl><properties><db-type>db2</db-type><username>username</username><password>EncryptedPassword</password><driver>com.ibm.db2.jcc.DB2Driver</driver><maxconnections>20</maxconnections><maxconnectiontime>120</maxconnectiontime><idleconnectiontime>300</idleconnectiontime><poolName>Default Domain</poolName><eventenable><value>true</value></eventenable></properties></db>Sample <db> Element Configuration using the WebLogic Connection Pool
Note
<db name="mydb"> <!-- name of the database connection --><!-- Weblogic provided connection pool class --><impl>net.securent.util.db.WebLogicConnectionPool</impl><properties><db-type>oracle</db-type><initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory><context-provider-url>t3://localhost:7001</context-provider-url><context-username>weblogic</context-username><context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password><datasource-jndi>SampleJNDIFromSecurentDomain</datasource-jndi><poolName>Default Domain</poolName><!-- same as the domain name --><eventenable><value>true</value></eventenable></properties></db>Sample <db> Element Configuration using the WebSphere Connection Pool
Note
<db name="mydb"><!-- name of the database connection --><!-- WebSphere provided connection pool class --><impl>net.securent.util.db.WebSphereConnectionPool</impl><properties><db-type>oracle</db-type><initial-context-factory>com.ibm.websphere.naming.WsnInitialContextFactory</initial-context-factory><context-provider-url>iiop://localhost:2809</context-provider-url><context-username>webshere</context-username><context-password>uYgp9FZIEnREq6iEZjvEnQ==</context-password><datasource-jndi>WSJNDI</datasource-jndi><poolName>Default Domain</poolName><!-- same as the domain name --><eventenable><value>true</value></eventenable></properties></db><dao-configuration>
DAO (Data Access Objects) is an application program interface (API) that allows a programmer to request access to various databases. The <dao-configuration> element contains the name and path of the configuration file that contains the list of DAO interface classes used in the PAP to access various databases. CEPM supports Oracle and MS SQL Server databases. The DAO configuration file is present in the installation directory \<CEPM_HOME>\config/dao_config.xml.
By default, its value is set to config/dao_config.xml.
Note
<shared-repository>
Set the <shared-repository> element value to False for PAP and True for Policy Decision Point (PDP) components in order to post the event detials from PAP to PDP policy cache.
If this value is set to False, the PAP communicates with the PDP using Java Messaging Service (JMS). JMS configuration details are required in order to post the event detials from PAP to PDP policy cache. In this case, you must configure the <jms> element. For details on configuring the <jms> element, see "<jms>".
For examples of PAP configuration examples related to shared and non-shared modes of operation between the PAP and the PDP, refer to "<jms>".
<jms>
The <jms> element contains the subelements for configuring the JMS properties for the PAP to communicate with the PDP when these two components are configured in non-shared mode. CEPM supports the following JMS providers:
•
•
•
Note
<shared_repository>false</shared_repository>
<handler name="JMSSYNCHandler" enabled="true" type="*.*">
<impl>net.securent.jms.PAPHandler</impl>
</handler>The following are the <jms> subelement:
•
•
If <useJndi> value is set to True, this:
–
–
If <useJndi> value is set to False, this:
–
–
•
–
Format:
For ActiveMQ—tcp://<machine IP Address>:<port>
For WebLogic JMS—t3://<machine IP Address>:<port>
For Tibco JMS—tcp://<machine IP Address>:<port>
where <machine IP Address> is the IP address of the machine on which JMS Service is available and <port> is the port number on which this service is available.
–
For ActiveMQ—org.apache.activemqActiveMQConnectionFactory
For WebLogic JMS—weblogic.jms.ConnectionFactory
For Tibco JMS—com.tibco.tibjms.TibjmsTopicConnectionFactory
–
Note
–
Note
–
•
–
Format:
–
–
–
where <machine IP Address> is the IP address of the machine on which JMS Service is available and <port> is the port number on which this service is available.
Example:
–
–
–
For more details on how to set these values, refer to Note.
–
–
–
–
–
–
Sample <shared-repository> Element Configuration
The <shared_repository> element value should be set to False. The database details configured under the <db> element are the same for the PAP and PDP. JMS configuration details are required in order to post the event detials from PAP to PDP policy cache.
<!-- Shared Repository Flag --><!-- set its value to false so that PAP and PDP use the same database instanceto store their data --><shared_repository>false</shared_repository><!—- Entitlement Repository Database Details. As shared_repository flag is setto false, following database details are common for both, PAP and PDP --><db name="mydb"><!-- using CEPM provided database connection pool class --><impl>net.securent.util.db.ConnectionPool</impl><properties><db-type>oracle</db-type><username>testuser</username><password>R7mNxexTum8=</password><url>jdbc:oracle:thin:@131.107.0.23:1521:secdev</url><driver>oracle.jdbc.driver.OracleDriver</driver><maxconnections>20</maxconnections><maxconnectiontime>120</maxconnectiontime><idleconnectiontime>300</idleconnectiontime><poolName>Default Domain</poolName> <!-- same as the domain name --><eventenable><value>false</value></eventenable></properties></db>CEPM supports the following JMS providers:
•
•
•
Set the <useJndi> value to true if you have to look up the JMS service provider using JNDI. For more information on how to set various subelements present under the<jms> tag, refer to"<jms>".
Case 1: ActiveMQ JMS without JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use differentdatabase instances to store their data --><shared_repository>false</shared_repository><!—- JMS Details --><jms><useJndi>false</useJndi><reconnect_interval>120000</reconnect_interval><env><url>tcp://131.107.0.68:61616</url><connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory><username>ActiveMQConnection.DEFAULT_USER</username><password>dQh1QLrLMfnDulySruPVDpfLSgm3Mw==</password><!-- password is encrypted from ActiveMQConnection.DEFAULT_PASSWORD --><replyTopic>replyTopicName</replyTopic></env></jms>Case 2: ActiveMQ JMS with JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use differentdatabase instances to store their data --><shared_repository>false</shared_repository><!—- JMS Details --><jms><useJndi>true</useJndi><reconnect_interval>120000</reconnect_interval><env><connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory><replyTopic>replyTopicName</replyTopic></env><jndi><providerUrl>tcp://localhost:61616</providerUrl><providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory><jndiUserName>jndiuser</jndiUserName><jndiPassword>h1QLrLMfnDulySru==</jndiPassword></jndi></jms>Case 3: WebLogic JMS without JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use differentdatabase instances to store their data --><shared_repository>false</shared_repository><!—- JMS Details --><jms><useJndi>false</useJndi><reconnect_interval>120000</reconnect_interval><env><url>t3://localhost:7011</url><connectionFactory>weblogic.jms.ConnectionFactory</connectionFactory><username>jmsuser</username><password>ruPVDpfLSgm3Mw==</password><replyTopic>replyTopicName</replyTopic></env></jms>Case 4: WebLogic JMS with JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use differentdatabase instances to store their data --><shared_repository>false</shared_repository><!—- JMS Details --><jms><useJndi>true</useJndi><reconnect_interval>120000</reconnect_interval><env><connectionFactory>weblogic.jms.ConnectionFactory</connectionFactory><replyTopic>replyTopicName</replyTopic></env><jndi><providerUrl> t3://localhost:7011</providerUrl><providerCtxFactory>weblogic.jndi.WLInitialContextFactory</providerCtxFactory><jndiUserName>jndiuser</jndiUserName><jndiPassword>h1QLrLMfnDulySru==</jndiPassword></jndi></jms>Case 5: Tibco JMS without JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use differentdatabase instances to store their data --><shared_repository>false</shared_repository><!—- JMS Details --><jms><useJndi>false</useJndi><reconnect_interval>120000</reconnect_interval><env><url>tcp://localhost:7222</url><connectionFactory>com.tibco.tibjms.TibjmsTopicConnectionFactory</connectionFactory><username>jmsuser</username><password>ruPVDpfLSgm3Mw==</password><replyTopic>replyTopicName</replyTopic></env></jms>Case 6: Tibco JMS with JNDI Lookup
<!-- set Shared Repository Flag value to false so that PAP and PDP use differentdatabase instances to store their data --><shared_repository>false</shared_repository><!—- JMS Details --><jms><useJndi>true</useJndi><reconnect_interval>120000</reconnect_interval><env><connectionFactory>com.tibco.tibjms.TibjmsTopicConnectionFactory</connectionFactory><replyTopic>replyTopicName</replyTopic></env><jndi><providerUrl>tcp://localhost:7222</providerUrl><providerCtxFactory>com.tibco.tibjms.naming.TibjmsInitialContextFactory</providerCtxFactory><jndiUserName>jndiuser</jndiUserName><jndiPassword>h1QLrLMfnDulySru==</jndiPassword></jndi></jms><handlers>
This element contains the subelements for configuring the prehook handlers for the PAP. A prehook handler is a Java class routine that gets executed when the PAP user tries to update data in the PAP database from the PAP UI while performing any of the following operations:
•
•
•
•
•
•
•
•
•
•
For more information about the prehook handler, refer to CEPM User Guide.
The following are the subelements of the <handler> element.
•
This contains the subelements related to the session user.
•
Name of the session user.
•
Password of the above user. (This is not in encrypted format).
Note
•
This contains the attributes and subelements for configuring various prehook handlers.
•
Name of the handler. You can provide your customized handler name.
Custom Handlers: You can customize any handler name by modifying the <handlers> tag of pap_config.xml as well as the corresponding handlername in the api_configuration.xml file located in /CEPM-V3.3.0.0/config folder. Make sure that the custom handler name must match in both of these files failing which may throw errors or exceptions. For example, if you want to change the 'UserResourceMapping' handler to 'UserPolicyMapping', you must modify these files in the following manner:
In pap_config.xml file change the handler tag-
<handler name="UserResourceMapping" enabled="true" type="*.*" application="Prime group:Prime portal">to
<handler name="UserPolicyMapping" enabled="true" type="*.*" application="Prime group:Prime portal">If you are using user to resource mapping i.e mapUserToResources API from IMapping interface will have its coresponding handler tag as "RoleResourceMapping" while action is "map". The corresponding API tag in api_configuration.xml file is as follows:
<api name="MappingImpl:mapUserToResources" prehook-rollback="false" posthook-rollback="false"><handlerName>UserResourceMapping</handlerName><actionEvent><action>Map</action><actionType>MapUserToResources</actionType><actionSource>com.cisco.epm.pap.api.vo.User</actionSource></actionEvent></api>Change the <HandlerName> tag -
<handlerName>UserResourceMapping</handlerName>to
<handlerName>UserPolicyMapping</handlerName>•
If set to true, then this handler is called for the event configured in the type attribute explained below. If set to false, then this handler is never called.
•
You can set here the type of the event for which this handler should be called.
Note
The following possible event types can be set:
Note
•
You can evaluate this tag as prehook or posthook. If set to prehook the handler procedure to be invoked before the client callbacks, whereas in case of posthook, first the API is called and after that the handler is invoked.
•
Name of the implementation class of the handler. If you are using older APIs (CEPM V3.2), the impl class should be net.securent.util.handler.<HandlerName>. For new APIs, this should be com.cisco.epm.util.handler.<HandlerName>.
Example - To use the Role Handler, depending on the version, the impl class should be net.securent.util.handler.RoleHandler or com.cisco.epm.util.handler.RoleHandler
Note
•
This may contain any number of subelements that you want to define and use in the handler class. For example, you can provide the database connection details in this section as follows.
<properties><username>sectest</username><password encrypted="false">sectest</password><url>jdbc:oracle:thin:@localhost:1521:devbdb</url><driver>oracle.jdbc.driver.OracleDriver</driver></properties>Here the <password> element has an encrypted attribute. If it is set to true, then you can use an encrypted password to connect to the database. This is just an example to explain how you can define your own property elements and attributes as per your requirement.
Note
Sample <handlers> Element Configuration
<handlers><common-properties><sessionuser>superuser</sessionuser><sessionpassword>admin</sessionpassword></common-properties><handler name="JMSPAPSYNCHandler" enabled="false" type="*.*"handlerType="posthook"><impl>com.cisco.epm.jms.SyncHandler</impl><properties></properties></handler></handlers><handler name="RoleHandler" enabled="true" type="RoleHandler" handlerType="pre-hook"><impl>com.cisco.epm.util.handler.RoleHandler</impl><properties><username>tempuser</username><password encrypted="false">tempuser</password><url>jdbc:oracle:thin:@localhost:1521:cepmdev</url><driver>oracle.jdbc.driver.OracleDriver</driver></properties></handller>Retrieving NVPair in the handler implementation
In compliance with the XACML standard, CEPM uses NVPair objects to store properties of an entity or entity type. You can get the key value pairs of these properties by invoking the event.getNVPairs() method where event is the incomming object into handle method of a handler class - handle(Object object,com.cisco.epm.pap.api.handler.ActionEvent event).
Following tables contains the list of keys and value types based on the APIs that you are using in the handle method:
Following is the sample code to retrieve the key value pairs from the NVPair object :
public.void handle(Object object,com.cisco.epm.pap.api.handler.ActionEvent event){NVPair nvPairList[] = null;nvPairList = event.getNvPair();if (nvPairList != null) {for (int i = 0; i < nvPairList.length; i++) {if (nvPairList[i].getKey().equalsIgnoreCase("transactional"))transactional = CommonUtil.getStringAsBoolean((String) nvPairList[i].getValue());else if (nvPairList[i].getKey().equalsIgnoreCase("override"))override = CommonUtil.getStringAsBoolean((String) nvPairList[i].getValue());else if (nvPairList[i].getKey().equalsIgnoreCase("roleBundleFQN"))roleBundleFQN = (String) nvPairList[i].getValue();else if (nvPairList[i].getKey().equalsIgnoreCase("contextFQN"))roleBundleFQN = (String) nvPairList[i].getValue();else if (nvPairList[i].getKey().equalsIgnoreCase("activeStatus"))activeStatus = (String) nvPairList[i].getValue();else if (nvPairList[i].getKey().equalsIgnoreCase("recurrence"))recurrence = (Boolean) nvPairList[i].getValue();else if (nvPairList[i].getKey().equalsIgnoreCase("policyAttribCol"))policyAttribCol = (Boolean) nvPairList[i].getValue();else if (nvPairList[i].getKey().equalsIgnoreCase("recurrence"))recurrence = CommonUtil.getStringAsBoolean(((String) nvPairList[i].getValue()));else if (nvPairList[i].getKey().equalsIgnoreCase("policyAttribCol"))policyAttribCol = CommonUtil.getStringAsBoolean(((String) nvPairList[i].getValue()));else if (nvPairList[i].getKey().equalsIgnoreCase("permission"))permission = CommonUtil.getStringAsBoolean((String) nvPairList[i].getValue());else if (nvPairList[i].getKey().equalsIgnoreCase("appliedRule"))appliedRule = CommonUtil.getStringAsBoolean((String) nvPairList[i].getValue());}}}<authentication>
The <authentication> element contains the subelements for configuring the user authentication repository details to login to the PAP console. In the PAP console, user authentication can be performed against the user data that is stored in either the database or in the LDAP server. PAP user authentication can be also configured in such a way that existing authentication implementation present in the protected application can be used for this purpose (this is also called Single Sign-On [SSO]).
•
–
–
–
•
–
–
–
The following are the subelements of the <authentication> element:
•
–
–
–
•
Set its value to:
–
–
–
•
•
(CEPM repository details are configured in the <db> element). In this case, set the same value for this name attribute that was set for the name attribute of <db> element (for example: default).
In this case, you do not have to provide the data source connection details for the subelement <property>.
Set its value to False, if the data source details for user authentication information is not stored in the database instance that is configured for the <db> element. In this case, you will have to provide the data source connection details for the subelement <property>.
•
•
You have to specify three different sets of <property> elements depending upon the type of the data source—database, ldap, or sso (as set for the type attribute of the <authentication> element).
Database Data Source
<property name="db-type">[value]</property>
If you are using:
–
–
–
<property name="username">[value]</property>
Set value to the name of the PAP database user.
<property name="password" encrypted="true">[value]</property>
Set the value for the user password in encrypted format and set the encrypted attribute value to True. Set encrypted attribute value to False, if you do not want to set the password value in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
<property name="url">[value]</property>
Set the value to the JDBC connection string to connect to the PAP database. The PAP supports Oracle Thin Driver, Oracle Thick Driver (that is, OCI driver), and MS SQL Server driver. The database connection URL can have one of the following formats based on the database driver used.
Oracle Thin Driver
Format:
jdbc:oracle:thin:@<host>:<port>:<SID>where:
–
–
–
Example:
jdbc:oracle:thin:@131.107.0.23:1521:secdevOracle Thick Driver
Format:
jdbc:oracle:oci8:@<tns-listener-name>where:
<tns-listener-name> — The TNS LISTENER name of the database service. This is configured in the TNSNAMES.ORA file present in the Oracle client installation directory: /ORACLE_HOME/network/admin/
Example:
jdbc:oracle:oci8:@secdevMS SQL Server Driver
Format:
jdbc:sqlserver://<host>:<port>;databaseName=<DB name>where:
–
–
–
Example:
jdbc:sqlserver://131.107.2.205:3279;databaseName= secdev<property name="driver">[value]</property>
DB2 Driver
Format:
jdbc:db2j:net://<host>:<port>/<sid>where:
–
–
–
Set value to the JDBC driver class.
–
–
–
LDAP Server Data Source
<property name="ldap-type">[value]</property>
Set the value to name of the LDAP service provider. CEPM supports three LDAP service providers.
–
–
–
<property name="url">[value]</property>
Set the value to LDAP server URL.
<property name="port">[value]</property>
Set the value to LDAP server port.
<property name="ldapdn">[value]</property>
Set the value to LDAP server Base DN.
<property name="userdn">[value]</property>
Set the value to LDAP server User DN.
<property name="password" encrypted="true">[value]</property>
Set the value for password of the user in encrypted format and set encrypted attribute value is set to True. set encrypted attribute value is set to False, if you do not want to set the password value in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
<property name="superuser-role">[value]</property>
Set value to the name of the role to which the super user belongs.
SSO Data Source
If authentication type is single sign-on (sso), then one property element needs to be configured with a name that has request or session as the value.
Example:
<property name="request">[value]</property>
Here set the value to the request/session attribute name that contains the value as the name of the user.
Sample <authentication> Element Configuration
Case 1: Database Authentication when User Authentication Information is Stored in the Same Database Instance where CEPM Data Resides
In this case, set the refer attribute value to true and the name attribute value to the same database name value as provided for the name attribute value of the <db> element (that is, CEPM repository).
<!-- UI Authentication Details --><authentication type="db" class="net.securent.util.db.DBAuthenticator"><properties refer="true" name="pap_db"><!-- here name value is same as the one that is set for <db> name as shown in the following section - Entitlement Repository Database Details --></properties></authentication><!—- Entitlement Repository Database Details --><db name="pap_db"><impl>net.securent.util.db.ConnectionPool</impl><properties><db-type>oracle</db-type><username>testuser</username><password>R7mNxexTum8=</password><url>jdbc:oracle:thin:@131.107.0.23:1521:secdev</url><driver>oracle.jdbc.driver.OracleDriver</driver><maxconnections>20</maxconnections><maxconnectiontime>120</maxconnectiontime><idleconnectiontime>300</idleconnectiontime><poolName>Default Domain</poolName><eventenable><value>true</value></eventenable></properties></db>Case 2: Database Authentication when User Authentication Information is Stored in Different Database Instance from the One where CEPM Data Resides
In this case, set the refer attribute value to false and provide new database connection details of the database instance (<db-type>, <username>, <password>, <url>, <driver>) where the UI authentication details are stored.
<!-- UI Authentication Details --><authentication type="db" class="net.securent.util.db.DBAuthenticator"><properties refer="false" name="my_db"><!-- here name value is different from the one that is set for <db> name as shown in the following section - Entitlement Repository Database Details --><property name="db-type">oracle</property><property name="username">testuser2</property><property name="password" encrypted="true">xiicLTdcE2g=</property><property name="url"> jdbc:oracle:thin:@131.107.0.10:1521:sectest </property><property name="driver">oracle.jdbc.driver.OracleDriver</property></properties></authentication><!—- Entitlement Repository Database Details --><db name="pap_db"><impl>net.securent.util.db.ConnectionPool</impl><properties><db-type>oracle</db-type><username>testuser</username><password>R7mNxexTum8=</password><url>jdbc:oracle:thin:@131.107.0.23:1521:secdev</url><driver>oracle.jdbc.driver.OracleDriver</driver><maxconnections>20</maxconnections><maxconnectiontime>120</maxconnectiontime><idleconnectiontime>300</idleconnectiontime><poolName>Default Domain</poolName><eventenable><value>true</value></eventenable></properties></db>
Case 3: LDAP AuthenticationThe following example considers SunOne LDAP server as the data source for UI authentication information.
<!-- UI Authentication Details --><authentication type="ldap" class="net.securent.util.db.LocalLDAPAuthenticator"><properties refer="false" name="default"><property name="ldap-type">AD</property><property name="ldapdn"> dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property><property name="userdn">cn=administrator,cn=users,dc=win2k-ad,dc=win2k-ad, dc=bodhtree,dc=co,dc=in</property><property name="password" encrypted="true">xiicLTdcE2g=</property><property name="url">ldap://131.107.2.204</property><property name="port">389</property><property name="superuser-role">Test</property> </properties></authentication>Case 4: SSO Authentication
The following example considers SSO authentication, where the authentication will not be carried out by CEPM, but the authentication implementation present in the existing protected application will be used.
<!-- UI Authentication Details --><authentication type="sso" class="net.securent.util.db.SSOAuthenticator"><properties refer="false" name="default"><property name="request">username</property></properties></authentication><encryption>
The <encryption> element contains the subelements for configuring multiple Java classes for implementing various encryption algorithms used for encrypting passwords of the PAP database user, JMS server user, LDAP server user, and so on.
The following are the subelements of the <encryption> element:
•
•
Note
<callbackhandlers>
The callbackhandlers element contains the subelements related to the encryption configuration.The password encryption program optionally consumes user provided input for key store location, key store password, and key name. When these parameters are not specified together, the default encryption key is used. When the default encryption key is used, the user is not required to provide a key from the getSecret() method or a KeyCallback implementation.
The following are the subelements of the <callbackhandlers> element:
•
Set its value to com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider.
•
Sample <callbackhandlers> Element Configuration
<callbackhandlers><keycallbackhandler usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackh andler></callbackhandlers><xacml-log>
The PDP component has the option to log the Xacml requests that are recieved from the PEP and the Xacml responses sent to the PEP in a database that is configured in the <xacml-log> section of the PDP configuration file pdp_config.xml.
The PDP log can be viewed through the PAP UI from the Runtime Logs section.To view the logs generated by multiple PDPs. Perform the following configuration in the PAP and in each PDP:
•
For this, configure the <xacml-log> section of the PDP configuration file, pdp_config.xml, and provide the same database connection details.
•
The following are the subelements of the <xacml-log> element:
•
•
•
In this scenario, you do not have to provide the database connection details for the following <properties> subelements—<db-type>, <username>, <password>, <url>, <driver>.
Set its value toFalse, if the Xacml log database is different from the PAP database, that is, different from the one that is configured for the <db> element. In this case, you will have to provide the database connection details for the following <properties> subelements—<db-type>, <username>, <password>, <url>, <driver>.
•
•
–
–
–
–
–
Sample <xacml-log> Element Configuration
Case 1: Database Logging when xacml-log Information is stored in a Same Database Instance where CEPM Data Resides (PAP Database)
In this case, set the refer attribute value to True and the name attribute value to the same database name value as provided for the name attribute value of the <db> element which is the CEPM repository.
<!-- XACML Log Details --><xacml-log type="db"><db refer="true" name="default"><properties><db-type>oracle</db-type><username>bprasad</username><password>xiicLTdcE2g=</password><url>jdbc:oracle:thin:@bprasad-lpt:1521:bprasad</url><driver>oracle.jdbc.driver.OracleDriver</driver></properties></db></xacml-log>Case 2: Database Logging when xacml-log Information is stored in a Different Database Instance from the One where CEPM Data Resides (PAP Database)
In this case, set the refer attribute value toFalse and provide new database connection details of the database instance <db-type>, <username>, <password>, <url>, <driver>, where the UI authentication details are stored.
<!-- XACML Log Details --><xacml-log type="db"><db refer="false" name="default"><db-type>oracle</db-type><username>bprasad</username><password>ZFPx34KVJsQ=</password><url>jdbc:oracle:thin:@bprasad-lpt:1521:bprasad</url><driver>oracle.jdbc.driver.OracleDriver</driver></db></xacml-log><!—- Entitlement Repository Database Details --><db name="pap_db"><impl>net.securent.util.db.ConnectionPool</impl><properties><db-type>oracle</db-type><username>testuser</username><password>R7mNxexTum8=</password><url>jdbc:oracle:thin:@131.107.0.23:1521:secdev</url><driver>oracle.jdbc.driver.OracleDriver</driver><maxconnections>20</maxconnections><maxconnectiontime>120</maxconnectiontime><idleconnectiontime>300</idleconnectiontime><poolName>Default Domain</poolName><eventenable><value>true</value></eventenable></properties></db><admin-logs>
Admin Logs are configurable, write your own implementation class which extends java.util.logging,Handler and override the methods like publish, flush and close. This Admin logs work for only new refactorized API's.
•
Sample <admin-logs> Element Configuration
<admin-logs><adminlog>com.cisco.epm.util.DBAdminLogHandler</adminlog></admin-logs>Documentation Updates
Table 3 Updates to CEPM PAP Configuration Guide
December 19, 2011
Updated shared repository information based on doc bug ID CSCtw86827.
July 7, 2009
Minor edits and template/boilerplate updates for publication to Cisco.com
April 3, 2009
Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0
Related Documentation
CEPM_User_Guide_V3.3.0.0.pdf
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.
