
Cisco Policy Decision Point

CEPM PDP Configuration Guide


Table Of Contents

CEPM PDP Configuration Guide

Contents

About This Document

Objective

Audience

Introduction

Password Encryption in CEPM

Case Sensitivity

Elements of pdp_config.xml File

<shared_repository>

<pdpname>

<db>

Using Database Connection Pool Provided by CEPM

Using Database Connection Pool Provided by WebLogic

Using Database Connection Pool Provided by WebSphere

Sample <db> Element Configuration Using CEPM Connection Pool

Sample <db> Element Configuration Using the WebLogic Connection Pool

Sample <db> Element Configuration Using WebSphere Connection Pool

<jms>

Sample <shared_repository> Element Configuration (Shared Mode)

<dao-configuration>

<authentication>

Sample <authentication> Element Configuration

<encryption>

<xacml-parser>

<xacml-log>

Sample <xacml-log> Element Configuration

<pdp>

Sample <pdp> Element Configuration

<pip>

Sample <pip> Element Configuration

<cache>

Sample <cache> Element Configuration

<callbackhandlers>

Sample <callbackhandlers> Element Configuration

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request


CEPM PDP Configuration Guide


Revised: December 20, 2011, Doc Part No: OL-19576-01

Contents

About This Document

Introduction

Password Encryption in CEPM

Elements of pdp_config.xml File

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

About This Document

Objective

This document explains the various elements present in the Policy Decision Point (PDP) configuration file pdp_config.xml. This file is located in the Cisco Enterprise Policy Manager (CEPM) installation directory <CEPM_HOME>\config\pdp\.

Audience

This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.

Introduction

This document explains the various elements present in the Policy Decision Point (PDP) configuration file pdp_config.xml. This file is located in the Cisco Enterprise Policy Manager (CEPM) installation directory <CEPM_HOME>\config\pdp\.

The pdp_config.xml file contains the following PDP configurations.

Database connection: <db>

JMS connection: <jms>

PDP authentication: <authentication>

Encryption algorithm and implementer: <encryption>

XACML parser: <xacml-parser>

XACML log: <xacml-log>

PDP listeners: <pdp>

Policy Information Point (PIP) data sources: <pip>

PDP cache: <cache>

Callback handlers: <callbackhandlers>

Password Encryption in CEPM

You must set the password value for some elements in the pdp_config.xml file, for example the database <password> and the PDP authentication password. The password values must be entered in an encrypted format. The PDP decrypts these values when it uses them, so the encryption keeps the plaintext out of the file; it does not protect the passwords from anyone who can run the product's decryption with the same key. Restrict read access to pdp_config.xml to the account that runs the PDP.

To encrypt the password value:


Step 1 Open a console in the <CEPM_HOME>\installer\bin\ folder, which contains the encryptor.bat (Windows) and encryptor.sh (Solaris/Linux) scripts.

Step 2 Run the following command in the console:

For Windows:

encryptor.bat JAVA_HOME <password>

For Solaris/Linux:

encryptor.sh JAVA_HOME <password>

JAVA_HOME is the location of the Java Runtime Environment (JRE) home directory (the value of the JAVA_HOME environment variable), and <password> is the plaintext password to be encrypted.

When this command is run, the encrypted password is displayed on the console.

Step 3 Copy the encrypted password and paste it as the value of the appropriate <password> element in the pdp_config.xml file. Because the plaintext password is passed on the command line, it can also be recorded in the shell history; clear it if that matters in your environment.
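The following Python script is an added check written for this guide, not part of CEPM: it walks a pdp_config.xml and reports password values that were pasted in unencrypted, left empty, or, for the <property name="password"> form, not marked encrypted="true", and it flags <keycallbackhandler usedefault="true">, whose values are recoverable by anyone holding the product's default key. The element and attribute names are those of the sample file in this guide. The shape test for encryptor output (base64 that decodes to a multiple of 8 bytes) is inferred from the sample values on this page and is an assumption, as is treating a missing encrypted="true" as a mistake; the embedded configuration is constructed for the example.

```python
"""Audit the secret-bearing values in a CEPM pdp_config.xml before deployment.

Added example, not part of CEPM.  Assumption (inferred from the sample values
on this page, not stated by the product): the encryptor prints base64 whose
decoded length is a multiple of 8 bytes, as a block cipher would produce.
"""
import base64
import binascii
import re
import sys
import xml.etree.ElementTree as ET

# Elements whose text is a password in the sample pdp_config.xml on this page.
SECRET_TAGS = {"password", "context-password", "jndiPassword"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample: one good value, one plaintext, one empty JNDI password,
# one property without the encrypted="true" marker, and the default key provider.
SAMPLE_CONFIG = """<securent>
  <shared_repository>true</shared_repository>
  <db name="default">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
      <username>hrbhatt</username>
      <password>nfQXOMv8c0Q=</password>
    </properties>
  </db>
  <jms>
    <env>
      <username>ActiveMQConnection.DEFAULT_USER</username>
      <password>Secret12</password>
    </env>
    <jndi>
      <jndiUserName></jndiUserName>
      <jndiPassword></jndiPassword>
    </jndi>
  </jms>
  <authentication enable="false" type="db" class="net.securent.util.db.PDPAuthenticator">
    <properties refer="true" name="default">
      <property name="username">surendra</property>
      <property name="password">XBKO7w9gh3tEq6iEZjvEnQ==</property>
    </properties>
  </authentication>
  <callbackhandlers>
    <keycallbackhandler usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackhandler>
  </callbackhandlers>
</securent>"""


def looks_encrypted(value: str) -> bool:
    """True if value has the shape of encryptor output: valid base64 that
    decodes to a non-empty multiple of 8 bytes.  A plaintext such as
    'Secret12' is valid base64 but decodes to 6 bytes, so it is rejected."""
    value = value.strip()
    if not value or len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return len(raw) > 0 and len(raw) % 8 == 0


def _label(elem) -> str:
    name = elem.get("name")
    return f"{elem.tag}[@name='{name}']" if name else elem.tag


def audit_secrets(xml_text: str):
    """Return (location, code) findings; codes are PLAINTEXT, EMPTY,
    NOT_MARKED_ENCRYPTED and DEFAULT_KEY."""
    findings = []

    def walk(elem, parent_path):
        here = f"{parent_path}/{_label(elem)}"
        text = (elem.text or "").strip()
        is_property_pw = elem.tag == "property" and elem.get("name") == "password"
        if elem.tag in SECRET_TAGS or is_property_pw:
            # The page shows encrypted="true" on the property form; treating
            # its absence as an error is this check's assumption.
            if is_property_pw and elem.get("encrypted") != "true":
                findings.append((here, "NOT_MARKED_ENCRYPTED"))
            if not text:
                findings.append((here, "EMPTY"))   # legal when JNDI auth is unused
            elif not looks_encrypted(text):
                findings.append((here, "PLAINTEXT"))
        # usedefault="true": the key is the product's built-in one, so every
        # value is recoverable by anyone who can run the product's decryptor.
        if elem.tag == "keycallbackhandler" and elem.get("usedefault") == "true":
            findings.append((here, "DEFAULT_KEY"))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    # Pass the path of a real pdp_config.xml; without one the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for location, code in audit_secrets(text):
        print(f"{code:20} {location}")
```

The shape test is a heuristic: a plaintext password that happens to be valid base64 of 8, 16 or 24 bytes passes it, so the check catches the common slip rather than proving a value is ciphertext. The DEFAULT_KEY finding is the reason file permissions on pdp_config.xml remain the real control.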

Case Sensitivity

The configuration values are not case sensitive (except for Java class names, user names, passwords, and file paths). For example, the values Oracle, oracle, and ORACLE are considered the same by the PDP.

Elements of pdp_config.xml File

Here is a sample pdp_config.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<!--Config file for PDP-->
<securent>
    <shared_repository>true</shared_repository>
    <pdpname>EntitlementServer1</pdpname>
    <db name="default">
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>hrbhatt</username>
            <password>nfQXOMv8c0Q=</password>
            <url>jdbc:oracle:thin:@host:1521:cepmdev</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>
    <jms>
        <env>
            <url>tcp://host:61616</url>
            <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
            <username>ActiveMQConnection.DEFAULT_USER</username>
            <password>c6p96kuD91p3Gwazl0JnE652dQh1QLrLMfnDulySruPVDpfLSgm3Mw==</password>
        </env>
        <reconnect_interval>100000</reconnect_interval>
        <useJndi>false</useJndi>
        <jndi>
            <jndiName>jndiName</jndiName>
            <providerUrl>tcp://host:61616</providerUrl>
            <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
            <jndiUserName></jndiUserName>
            <jndiPassword></jndiPassword>
        </jndi>
    </jms>
    <authentication enable="false" type="db"
        class="net.securent.util.db.PDPAuthenticator">
        <properties refer="true" name="default">
            <property name="db-type">oracle</property>
            <property name="username">surendra</property>
            <property name="password" encrypted="true">XBKO7w9gh3tEq6iEZjvEnQ==</property>
            <property name="url">jdbc:oracle:thin:@host:1521:cepmdev</property>
            <property name="driver">oracle.jdbc.driver.OracleDriver</property>
        </properties>
    </authentication>
    <encryption>
        <implementors>
            <crypt>com.cisco.epm.util.auth.encryptor.crypt.DefaultCryptEncryptor</crypt>
        </implementors>
    </encryption>
    <callbackhandlers>
        <keycallbackhandler usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackhandler>
    </callbackhandlers>
    <xacml-parser>
        <impl>net.securent.util.pep.XacmlGenerator</impl>
    </xacml-parser>
    <dao-configuration>config/pdp/dao_config.xml</dao-configuration>
    <xacml-log>
        <enable logRequestResponse="false">false</enable>
        <log-impl>net.securent.pdp.xacmllog.DBXacmlLogWriter</log-impl>
        <db refer="true" name="default">
            <properties>
                <db-type>oracle</db-type>
                <username>swetha</username>
                <password>p4zwLWZ2Arc=</password>
                <url>jdbc:oracle:thin:@host:1521:devbdb</url>
                <driver>oracle.jdbc.driver.OracleDriver</driver>
            </properties>
        </db>
    </xacml-log>
    <pdp attributeEnable="false" cloningCheckEnable="false" retry="1000">
        <listeners>
            <listener>
                <!-- Response as Object/XML -->
                <responseType>Object</responseType>
                <enabled>true</enabled>
                <name>http</name>
                <listenerClass>net.securent.pdp.listener.http.HttpListener</listenerClass>
                <processorClass>net.securent.pdp.listener.http.HttpProcessor</processorClass>
                <parameters />
            </listener>
            <listener>
                <enabled>false</enabled>
                <name>rmi</name>
                <listenerClass>net.securent.pdp.listener.rmi.RMIListener</listenerClass>
                <processorClass>net.securent.pdp.listener.rmi.RMIProcessor</processorClass>
                <parameters>
                    <host>131.107.0.42</host>
                    <port>10001</port>
                    <jndiName>pdpObj</jndiName>
                </parameters>
            </listener>
        </listeners>
    </pdp>
    <pip>
        <attributesources>
            <source>
                <type>database</type>
                <metadataImpl>net.securent.pip.db.DataBasePIPMetaData</metadataImpl>
                <attributeImpl>net.securent.pip.db.DBAttribute</attributeImpl>
                <attributeEvaluator>net.securent.pip.db.DBAttributeEvaluator</attributeEvaluator>
            </source>
            <source>
                <type>ldap</type>
                <metadataImpl>net.securent.pip.ldap.LDAPPIPMetaData</metadataImpl>
                <attributeImpl>net.securent.pip.ldap.LDAPAttribute</attributeImpl>
                <attributeEvaluator>net.securent.pip.ldap.LDAPAttributeEvaluator</attributeEvaluator>
            </source>
            <source>
                <type>Java</type>
                <metadataImpl>net.securent.pip.java.JavaPIPMetaData</metadataImpl>
                <attributeImpl>net.securent.pip.java.JavaAttribute</attributeImpl>
                <attributeEvaluator>net.securent.pip.java.JavaAttributeEvaluator</attributeEvaluator>
            </source>
            <source>
                <type>Webservice</type>
                <metadataImpl>net.securent.pip.webservice.WebservicePIPMetaData</metadataImpl>
                <attributeImpl>net.securent.pip.webservice.WebserviceAttribute</attributeImpl>
                <attributeEvaluator>net.securent.pip.webservice.WebserviceAttributeEvaluator</attributeEvaluator>
            </source>
        </attributesources>
    </pip>
    <cache decisionCacheEnabled="false" cacherefreshtype="all"
        decisionsOnly="true" provider="net.securent.pdp.cache.CacheProvider"
        implementor="net.securent.admin.sdk.cache.impl.JBossCache"
        eventProvider="net.securent.pdp.event.EventProvider">
        <type>TTL</type>
        <interval>200</interval>
        <refresh enable="false">update</refresh>
        <prefetch enable="true" type="user" bulkUsersPerRequest="2">
            <applications>
                <application name="appGrp:app1">
                    <prefetchForApis>
                        <api name="isUserAccessAllowed">
                            <!-- Prefetch based on message attributes -->
                            <!-- Attribute for Context -->
                            <!--<message-attribute name="urn:cisco:cepm:3.3:xacml:context-name" override="true">TestAppGrp:TestApp:Context1</message-attribute> -->
                            <!-- Attribute for Role Bundle -->
                            <!--<message-attribute name="urn:cisco:cepm:3.3:xacml:rolebundle-name" override="true">Rb1</message-attribute>-->
                            <!-- Attribute for Resource Type -->
                            <!--<message-attribute name="urn:cisco:cepm:3.3:xacml:resource-type-name" override="true">TestAppGrp:TestApp:ResType</message-attribute>-->
                            <!-- Attribute for any attributes -->
                            <!--<message-attribute name="Key1" override="true">Value1</message-attribute>-->
                        </api>
                    </prefetchForApis>
                    <groups>
                        <!-- FQN of GroupName -->
                        <!-- <group>TestAppGrp:TestApp:Grp1</group> -->
                    </groups>
                    <roles>
                        <!-- FQN of RoleName -->
                        <!-- <role>appGrp:app1:role1</role> -->
                    </roles>
                    <resources>
                        <!-- FQN of ResourceName -->
                        <!-- <resource>TestAppGrp:TestApp:Res3</resource> -->
                    </resources>
                </application>
            </applications>
        </prefetch>
        <pip cacheenabled="false">
            <!-- <cacheInterval>5</cacheInterval> -->
            <metaDataInterval>60</metaDataInterval>
        </pip>
    </cache>
</securent>

The <securent> element is the topmost element (root element) of the PDP configuration file. All the other XML elements are the subelements of <securent>. The XML elements in the pdp_config.xml file are as explained in the following sections.

<shared_repository>

Set the <shared_repository> element value to True when the PAP and the PDP use the same database instance (shared mode), and to False when they use different database instances (non-shared mode). The value decides how the event details that the PAP posts reach the PDP policy cache.

If this value is set to False, the PAP communicates with the PDP using Java Messaging Service (JMS), and JMS configuration details are required in order to post the event details from the PAP to the PDP policy cache. In that case, you must configure the <jms> element as explained later in this guide.

For configuration examples of the shared and non-shared modes of operation between the PAP and the PDP, refer to "Sample <shared_repository> Element Configuration (Shared Mode)" and "<jms>".

<pdpname>

Set the <pdpname> value to the name of the PDP. This is optional if the PDP is deployed in shared repository mode, that is, when the <shared_repository> element value is set to True.

<db>

The <db> element contains the subelements related to database connection details of the PDP database.

The PDP supports the following databases servers:

Oracle (9i/10g/11g)

Microsoft SQL Server (2000/2005)

DB2

This element also contains the subelements related to the database connection pool. The PDP allows you to use the database connection pool provided by any one of the following:

CEPM

WebLogic Server

WebSphere Server

<impl>—Name of the Java class used for the database connection pool. Set it according to the connection pool provider:

CEPM—net.securent.util.db.ConnectionPool (the default)

WebLogic server—net.securent.util.db.WebLogicConnectionPool

WebSphere server—net.securent.util.db.WebSphereConnectionPool

<properties>—The subelements in this section vary depending on the database connection pool class used in the <impl> element, that is, whether the pool is provided by CEPM, the WebLogic server, or the WebSphere server.

Using Database Connection Pool Provided by CEPM

You must configure the following <properties> subelements to use the database connection pool provided by CEPM:

<db-type>—Type of the PDP database. CEPM supports Oracle, Microsoft SQL Server, and DB2 databases. If you are using:

Oracle database, set the value to oracle.

Microsoft SQL Server database, set the value to mssql.

DB2 database, set the value to db2.

<username>—Name of the database user to connect to the PDP database.

<password>—Password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<url>—JDBC connection string to connect to the PDP database. The PDP supports the Oracle thin driver, the Oracle thick (OCI) driver, the MS SQL Server driver, and the DB2 driver, so the connection URL has one of the following formats depending on the driver used.

Oracle Thin Driver

Format:

jdbc:oracle:thin:@<host>:<port>:<SID>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<SID>—The SID of Oracle database.

Example:

jdbc:oracle:thin:@131.107.0.23:1521:cepmdev

Oracle Thick Driver

Format:

jdbc:oracle:oci8:@<tns-listener-name>

where:

<tns-listener-name>—The TNS LISTENER name of the database service. This is configured in the TNSNAMES.ORA file present in the Oracle client installation directory ORACLE_HOME/network/admin/

Example:

jdbc:oracle:oci8:@cepmdev

MS SQL Server Driver

Format:

jdbc:sqlserver://<host>:<port>;databaseName=<DB name>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<DB name>—The SQL Server database name.

Example:

jdbc:sqlserver://131.107.2.205:3279;databaseName=cepmdev

DB2 Driver

Format:

jdbc:db2j:net://<host>:<port>/<SID>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<SID>—The name of the DB2 database.

<driver>—JDBC driver class.

For Oracle:

oracle.jdbc.driver.OracleDriver

For MS SQL Server:

com.microsoft.sqlserver.jdbc.SQLServerDriver

For DB2:

com.ibm.db2.jcc.DB2Driver

<maxconnections>—Maximum number of database connections in pool.

<maxconnectiontime>—Maximum time in seconds to wait for the database connection to be available.

<idleconnectiontime>—Number of seconds a connection should remain unused in the pool before the connection is disconnected and closed.

<poolName>—Name of the connection pool. By default, it is set to Default Domain.


Note The pool name is the same as the domain name that the PAP administrator selects when logging in to the PAP console. This is set during the PAP installation. The value for this element should not be edited manually.


<eventenable>—Set its value to True in the following scenarios:

If you want to use the getUpdatedUsersAsArray() or getUpdatedUsers() API methods of the ISubject interface. These API methods return all the users whose permissions were modified by a specific administrator during a specific duration for a specific application.

If the Policy Enforcement Point (PEP) needs to update the cache data with only the changed decisions.

Using Database Connection Pool Provided by WebLogic

You must configure the following <properties> subelements to use the database connection pool provided by the WebLogic server:


Note The values for the following subelements can be empty if the PDP application and WebLogic server are deployed in the same Java Virtual Machine (JVM): <context-provider-url>, <context-username>, <context-password>.


<db-type>—This specifies the PDP database type. CEPM supports Oracle, Microsoft SQL Server, and DB2 databases. If you are using:

Oracle database, set the value to oracle.

Microsoft SQL Server database, set the value to mssql.

DB2 database, set the value to db2.

<initial-context-factory>—Set its value to weblogic.jndi.WLInitialContextFactory.

<context-provider-url>—Set its value to t3://<Machine IP Address>:<port>, where <Machine IP Address> is the IP address of the machine on which the WebLogic application server is running and <port> is the port number on which this service is available. The default port used by the WebLogic server is 7001.


Note This value is optional if PDP is running in the same JVM as the Weblogic application server


<context-username>—Set its value to the user name of the WebLogic context. By default, its value is set to weblogic.

<context-password>—The password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.


Note This value is optional if PDP is running in the same JVM as the Weblogic application server


<datasource-jndi>—Set its value to the appropriate JNDI datasource name.

<poolName>—This is the name of the database connection pool. By default, its value is set to Default Domain.


Note The pool name is the domain name that the PAP administrator chooses when logging in to the PAP application. This is set during the PAP installation. You must not edit the value for this element manually.


Using Database Connection Pool Provided by WebSphere

You must configure the following subelements of the <properties> element to use the database connection pool provided by the WebSphere server:


Note The values for the following subelements can be empty if the PDP application and WebSphere server are deployed in the same JVM: <context-provider-url>, <context-username>, <context-password>.


<db-type>—This specifies the PDP database type. CEPM supports Oracle, Microsoft SQL Server, and DB2 databases. If you are using:

Oracle database, set the value to oracle.

Microsoft SQL Server database, set the value to mssql.

DB2 database, set the value to db2.

<initial-context-factory>—Set its value to com.ibm.websphere.naming.WsnInitialContextFactory.

<context-provider-url>—Set its value to iiop://<Machine IP Address>:<port>, where <Machine IP Address> is the IP address of the machine on which the WebSphere application server is running and <port> is the bootstrap port on which its naming service is available (2809 by default, as in the sample configuration below).

<context-username>—Set its value to the user name of the WebSphere context.

<context-password>—The password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<datasource-jndi>—Set its value to the appropriate JNDI datasource name.

<poolName>—This is the name of the database connection pool. By default, its value is set to Default Domain.


Note The pool name is the domain name that the PAP administrator chooses when logging in to the PAP application. This is set during the PAP installation. You must not edit the value for this element manually.


Sample <db> Element Configuration Using CEPM Connection Pool

Case 1: Using Oracle Database with Thin Driver

    <db name="default"> <!-- name of the database connection -->
        <!-- CEPM provided connection pool class -->
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>##USER_NAME##</username>
            <password>##PASSWORD##</password>
            <url>##URL##</url>
            <driver>##DRIVER##</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>##DOMAIN##</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

Case 2: Using Oracle Database with Thick Driver

    <db name="default"> <!-- name of the database connection -->
        <!-- CEPM provided connection pool class -->
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>##USER_NAME##</username>
            <password>##PASSWORD##</password>
            <url>jdbc:oracle:oci8:@secdev</url>
            <driver>##DRIVER##</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>##DOMAIN##</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

Case 3: Using MS SQL Server Database

    <db name="default"> <!-- name of the database connection -->
        <!-- CEPM provided connection pool class -->
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>mssql</db-type>
            <username>testuser3</username>
            <password>R7mNxexTum8=</password>
            <url>jdbc:sqlserver://localhost:3279;databaseName=cepmdev</url>
            <driver>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver>
            <maxconnections>20</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

Sample <db> Element Configuration Using the WebLogic Connection Pool

The values for the following subelements can be empty if the PDP component and WebLogic server are deployed in the same JVM: <context-provider-url>, <context-username>, <context-password>.

    <db name="default"> <!-- name of the database connection -->
        <!-- WebLogic provided connection pool class -->
        <impl>net.securent.util.db.WebLogicConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory>
            <context-provider-url>t3://host:7001</context-provider-url>
            <context-username>weblogic</context-username>
            <context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password>
            <datasource-jndi>defaultpool</datasource-jndi>
            <poolName>Default Domain</poolName> <!-- same as the domain name -->
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

Sample <db> Element Configuration Using WebSphere Connection Pool

The values for the following subelements can be empty if the PDP component and WebSphere server are deployed in the same JVM: <context-provider-url>, <context-username>, <context-password>.

    <db name="default"> <!-- name of the database connection -->
        <!-- WebSphere provided connection pool class -->
        <impl>net.securent.util.db.WebSphereConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <initial-context-factory>com.ibm.websphere.naming.WsnInitialContextFactory</initial-context-factory>
            <context-provider-url>iiop://host:2809</context-provider-url>
            <context-username>websphere</context-username>
            <context-password>uYgp9FZIEnREq6iEZjvEnQ==</context-password>
            <datasource-jndi>WSJNDI</datasource-jndi>
            <poolName>Default Domain</poolName> <!-- same as the domain name -->
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

<jms>

The <jms> element contains the subelements for configuring the JMS properties that the PDP uses to communicate with the PAP when these two components are configured in non-shared mode. CEPM supports the following JMS providers:

ActiveMQ from Apache (comes bundled with PDP by default)

WebLogic JMS

Tibco JMS


Note For the JMS mechanism to work in the non-shared mode of PAP-PDP operation, the <shared_repository> element value should be set to False.

<shared_repository>false</shared_repository>


The following are the <jms> subelements:

<reconnect_interval>—Time interval in milliseconds between reconnect attempts when the PDP cannot reach the JMS server, for example because the JMS server is down.

<useJndi>—Set its value to True if the JMS service provider is to be looked up using JNDI.

If the <useJndi> value is set to True:

Set the <env> subelements <connectionFactory> and <replyTopic>. The PDP ignores the values set for the <env> subelements <url>, <username>, and <password>.

Set the <jndi> subelements <providerUrl>, <providerCtxFactory>, <jndiUserName>, and <jndiPassword>.

If the <useJndi> value is set to False:

Set the <env> subelements <url>, <connectionFactory>, <username>, <password>, and <replyTopic>.

The PDP ignores the <jndi> element, so you do not need to set the values for its subelements <providerUrl>, <providerCtxFactory>, <jndiUserName>, and <jndiPassword>.

<env>—This element contains the following subelements related to the JMS connection. Which of them are read depends on the <useJndi> value, as explained above.

<url>—JMS Server URL.

Format:

For ActiveMQ—tcp://<machine IP Address>:<port>

For WebLogic JMS—t3://<machine IP Address>:<port>

For Tibco JMS—tcp://<machine IP Address>:<port>

where <machine IP Address> is the IP address of the machine on which JMS Service is available and <port> is the port number on which this service is available.

<connectionFactory>—Java class name of the JMS provider's connection factory.

For ActiveMQ—org.apache.activemq.ActiveMQConnectionFactory

For WebLogic JMS—weblogic.jms.ConnectionFactory

For Tibco JMS—com.tibco.tibjms.TibjmsTopicConnectionFactory

<username>—Name of the JMS server user.


Note If you are using ActiveMQ JMS, set the <username> value to ActiveMQConnection.DEFAULT_USER.


<password>—Password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.


Note If you are using ActiveMQ JMS, set the <password> value to the encrypted value of ActiveMQConnection.DEFAULT_PASSWORD.


<replyTopic>—Name of the JMS Topic to which the reply should be sent by the receiver of the message.

<jndi>—Set the subelements for this element if you have to look up the messaging service provider using JNDI. For this, first set the <useJndi> element value to True, as explained earlier. The <jndi> element contains the following subelements: <providerUrl>, <providerCtxFactory>, <jndiUserName>, and <jndiPassword>.

<providerUrl>—JMS Server URL. This value should be the same as provided for <url> subelement of the <env> element explained earlier.

Format:

For ActiveMQ—tcp://<machine IP Address>:<port>

For WebLogic JMS—t3://<machine IP Address>:<port>

For Tibco JMS—tcp://<machine IP Address>:<port>

where <machine IP Address> is the IP address of the machine on which JMS Service is available and <port> is the port number on which this service is available.

Example:

For ActiveMQ—tcp://131.107.0.68:61616

For WebLogic JMS—t3://131.107.0.68:7011

For Tibco JMS—tcp://131.107.0.68:7222

This value is read only when <useJndi> is set to True.

<providerCtxFactory>—The Java class name of the remote JMS Provider's JNDI lookup service.

For ActiveMQ—org.apache.activemq.jndi.ActiveMQInitialContextFactory

For WebLogic JMS—weblogic.jndi.WLInitialContextFactory

For Tibco JMS—com.tibco.tibjms.naming.TibjmsInitialContextFactory

<jndiUserName>—Set its value to JNDI user name.

<jndiPassword>—Password of the JNDI user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
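The rules stated in the <db> and <jms> descriptions above lend themselves to a pre-deployment check. The following Python script is an added example written for this guide, not CEPM code: it reads a pdp_config.xml and verifies that non-shared mode has a <jms> element, that the <env> or <jndi> subelements required by the <useJndi> value are filled in, that the connection factory and the URL scheme agree, and that <db-type>, <driver>, and the JDBC URL prefix agree for the CEPM-provided connection pool. Requiring <pdpname> in non-shared mode is the script's own assumption (the guide only says it is optional in shared mode), and the embedded configuration is constructed for the example.

```python
"""Consistency checks for <shared_repository>, <db> and <jms> in a CEPM
pdp_config.xml.  Added example, not CEPM code: it encodes the rules this
page states (non-shared mode needs <jms>; <useJndi> selects whether <env>
or <jndi> is read; db-type, driver and JDBC URL prefix must agree).
Requiring <pdpname> in non-shared mode is this check's own assumption."""
import xml.etree.ElementTree as ET

# db-type -> (JDBC driver class, accepted URL prefixes), from the <db> section.
JDBC = {
    "oracle": ("oracle.jdbc.driver.OracleDriver",
               ("jdbc:oracle:thin:@", "jdbc:oracle:oci8:@")),
    "mssql": ("com.microsoft.sqlserver.jdbc.SQLServerDriver", ("jdbc:sqlserver://",)),
    "db2": ("com.ibm.db2.jcc.DB2Driver", ("jdbc:db2j:net://",)),
}
# JMS connection factory class -> URL scheme, from the <env> description.
JMS_SCHEME = {
    "org.apache.activemq.ActiveMQConnectionFactory": "tcp://",
    "weblogic.jms.ConnectionFactory": "t3://",
    "com.tibco.tibjms.TibjmsTopicConnectionFactory": "tcp://",
}
CEPM_POOL = "net.securent.util.db.ConnectionPool"


def _text(elem, path):
    """Stripped text of the child at path, or '' if either is absent."""
    child = elem.find(path) if elem is not None else None
    return (child.text or "").strip() if child is not None else ""


def _is_true(value):
    return value.lower() == "true"    # config values are not case sensitive


def check_db(db):
    """Rules for one <db> element using the CEPM-provided connection pool."""
    errors, props = [], db.find("properties")
    db_type = _text(props, "db-type").lower()
    if db_type not in JDBC:
        return [f"db-type '{db_type}' is not oracle, mssql or db2"]
    if _text(db, "impl") != CEPM_POOL:
        return []                      # container pool: driver/url are not used
    driver, prefixes = JDBC[db_type]
    if _text(props, "driver") != driver:
        errors.append(f"driver for {db_type} should be {driver}")
    if not _text(props, "url").startswith(prefixes):
        errors.append(f"url does not use a {db_type} format")
    errors += [f"{t} is empty" for t in ("username", "password") if not _text(props, t)]
    return errors


def check_jms(jms):
    """Rules for the <jms> element; <useJndi> selects which block is read."""
    errors, env, jndi = [], jms.find("env"), jms.find("jndi")
    factory = _text(env, "connectionFactory")
    if factory not in JMS_SCHEME:
        errors.append(f"unsupported connectionFactory '{factory}'")
    if _is_true(_text(jms, "useJndi")):
        # JNDI lookup: <jndi> is read; env url/username/password are ignored.
        errors += [f"useJndi=true but jndi/{t} is empty"
                   for t in ("providerUrl", "providerCtxFactory") if not _text(jndi, t)]
        url = _text(jndi, "providerUrl")
    else:
        errors += [f"useJndi=false but env/{t} is empty"
                   for t in ("url", "username", "password") if not _text(env, t)]
        url = _text(env, "url")
    scheme = JMS_SCHEME.get(factory)
    if scheme and url and not url.startswith(scheme):
        errors.append(f"{factory} expects a {scheme} URL, got '{url}'")
    return errors


def check_config(xml_text):
    """Return a list of problems; an empty list means the file is consistent."""
    root, errors = ET.fromstring(xml_text), []
    jms = root.find("jms")
    if not _is_true(_text(root, "shared_repository")):
        if jms is None:
            errors.append("shared_repository=false requires a <jms> element")
        if not _text(root, "pdpname"):
            errors.append("pdpname is empty in non-shared mode")
    for db in root.findall("db"):
        errors += [f"db[{db.get('name')}]: {e}" for e in check_db(db)]
    if jms is not None:
        errors += [f"jms: {e}" for e in check_jms(jms)]
    return errors


# Constructed sample: non-shared mode with ActiveMQ and no JNDI lookup, but
# <useJndi> was left at true, an easy slip.  Password values are placeholders.
MISCONFIGURED = """<securent>
  <shared_repository>false</shared_repository><pdpname>EntitlementServer1</pdpname>
  <db name="default"><impl>net.securent.util.db.ConnectionPool</impl><properties>
    <db-type>ORACLE</db-type><username>hrbhatt</username><password>nfQXOMv8c0Q=</password>
    <url>jdbc:oracle:thin:@host:1521:cepmdev</url><driver>oracle.jdbc.driver.OracleDriver</driver>
  </properties></db>
  <jms><useJndi>true</useJndi><env>
    <url>tcp://host:61616</url><username>ActiveMQConnection.DEFAULT_USER</username>
    <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
    <password>nfQXOMv8c0Q=</password>
  </env></jms>
</securent>"""
CORRECTED = MISCONFIGURED.replace("<useJndi>true</useJndi>", "<useJndi>false</useJndi>")

if __name__ == "__main__":
    for label, cfg in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, check_config(cfg) or "OK")
```

The misconfigured sample is reported with two empty <jndi> subelements rather than silently accepted: with <useJndi> at True the PDP ignores the <env> connection details, so a file that has no <jndi> block has nothing to look up. Note that <db-type> is compared case-insensitively, in line with the Case Sensitivity section, while class names and URL prefixes are compared exactly.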

Sample <shared_repository> Element Configuration (Shared Mode)

In shared mode the <shared_repository> element value is set to True. The database details configured under the <db> element are the same for the PAP and the PDP, so the <db> element below must match the corresponding <db> element in the pap_config.xml file. Because the PAP and the PDP share the repository, no JMS configuration is required to post the event details from the PAP to the PDP policy cache.

    <!-- Shared Repository Flag. Set its value to true so that PAP and PDP use the
         same database instance to store their data -->
    <shared_repository>true</shared_repository>
    <!-- PDP Database Details. As the shared_repository flag is set to true, the following
         database details are common for both PAP and PDP, i.e. the following
         details for the <db> element should match the corresponding <db> element
         details present in the pap_config.xml file. -->
    <db name="mydb">
        <!-- using Securent provided database connection pool class -->
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>username</username>
            <password>R7mNxexTum8=</password>
            <url>jdbc:oracle:thin:@10.77.116.162:1521:cepmdev</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName> <!-- same as the domain name -->
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

In non-shared mode the <shared_repository> element value is set to False and the PAP posts the event details to the PDP over JMS, so the <jms> element must be configured. The JMS provider is one of those listed under "<jms>": ActiveMQ from Apache (bundled by default), WebLogic JMS, or Tibco JMS.

Set the <useJndi> value to True only if the JMS service provider is looked up using JNDI; the "without JNDI lookup" cases below set it to False. Refer to "<jms>" for how the <env> and <jndi> subelements are read.

Case 1: Using ActiveMQ JMS without JNDI Lookup

    <!-- set Shared Repository Flag value to false so that PAP and PDP use different
         database instances to store their data -->
    <shared_repository>false</shared_repository>
    <!-- JMS Details -->
    <jms>
        <useJndi>false</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <url>tcp://host:61616</url>
            <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
            <username>ActiveMQConnection.DEFAULT_USER</username>
            <password>dQh1QLrLMfnDulySruPVDpfLSgm3Mw==</password>
        </env>
    </jms>

Case 2: Using ActiveMQ JMS with JNDI Lookup

    <!-- set Shared Repository Flag value to false so that PAP and PDP use different
         database instances to store their data -->
    <shared_repository>false</shared_repository>
    <!-- JMS Details -->
    <jms>
        <useJndi>true</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
        </env>
        <jndi>
            <jndiName>jndiName</jndiName>
            <providerUrl>tcp://host:61616</providerUrl>
            <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
            <jndiUserName>jndiuser</jndiUserName>
            <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
        </jndi>
    </jms>

Case 3: Using WebLogic JMS Without JNDI Lookup

    <!-- set Shared Repository Flag value to false so that PAP and PDP use different
         database instances to store their data -->
    <shared_repository>false</shared_repository>
    <!-- JMS Details -->
    <jms>
        <useJndi>false</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <url>t3://host:7011</url>
            <connectionFactory>weblogic.jms.ConnectionFactory</connectionFactory>
            <username>jmsuser</username>
            <password>ruPVDpfLSgm3Mw==</password>
        </env>
    </jms>

Case 4: Using WebLogic JMS with JNDI Lookup

    <!-- set Shared Repository Flag value to true so that PAP and PDP use the same
         database instance to store their data (shared mode) -->
    <shared_repository>true</shared_repository>
    <!-- JMS Details -->
    <jms>
        <!-- JNDI lookup: the WebLogic JMS server is located through the <jndi> settings -->
        <useJndi>true</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <connectionFactory>weblogic.jms.ConnectionFactory</connectionFactory>
        </env>
        <jndi>
            <providerUrl>t3://host:7011</providerUrl>
            <providerCtxFactory>
                weblogic.jndi.WLInitialContextFactory
            </providerCtxFactory>
            <jndiUserName>jndiuser</jndiUserName>
            <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
        </jndi>
    </jms>

Case 5: Using Tibco JMS Without JNDI Lookup

    <!-- set Shared Repository Flag value to true so that PAP and PDP use the same
         database instance to store their data (shared mode) -->
    <shared_repository>true</shared_repository>
    <!-- JMS Details -->
    <jms>
        <!-- no JNDI lookup: connect directly to the Tibco JMS server URL -->
        <useJndi>false</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <url>tcp://host:7222</url>
            <connectionFactory>
                com.tibco.tibjms.TibjmsTopicConnectionFactory
            </connectionFactory>
            <username>jmsuser</username>
            <password>ruPVDpfLSgm3Mw==</password>
        </env>
    </jms>


Case 6: Using Tibco JMS with JNDI Lookup

    <!-- set Shared Repository Flag value to true so that PAP and PDP use the same
         database instance to store their data (shared mode) -->
    <shared_repository>true</shared_repository>
    <!-- JMS Details -->
    <jms>
        <!-- JNDI lookup: the Tibco JMS server is located through the <jndi> settings -->
        <useJndi>true</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <connectionFactory>
                com.tibco.tibjms.TibjmsTopicConnectionFactory
            </connectionFactory>
            <replyTopic>replyTopicName</replyTopic>
        </env>
        <jndi>
            <providerUrl>tcp://host:7222</providerUrl>
            <providerCtxFactory>
                com.tibco.tibjms.naming.TibjmsInitialContextFactory
            </providerCtxFactory>
            <jndiUserName>jndiuser</jndiUserName>
            <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
        </jndi>
    </jms>
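The rule behind the six cases above is mechanical: the <useJndi> flag decides whether the provider is reached directly through <env><url> or located through the <jndi> settings, and a fragment that mixes the two is a copy-paste error waiting to happen. The following Python checker is an added example, not part of this guide or of CEPM; the <jms> fragments it checks are constructed here, and the password value is a placeholder.

```python
"""Consistency check for the <jms> element of a CEPM pdp_config.xml fragment."""
import xml.etree.ElementTree as ET


def text_of(parent, tag):
    """Return the stripped text of a direct child element, or None if absent or empty."""
    child = parent.find(tag)
    if child is None or child.text is None or not child.text.strip():
        return None
    return child.text.strip()


def check_jms(fragment):
    """Validate a <jms> element against the <useJndi> rules described in the guide.

    Returns a list of findings; an empty list means the element is consistent.
    """
    root = ET.fromstring(fragment.strip())
    jms = root if root.tag == "jms" else root.find(".//jms")
    if jms is None:
        return ["no <jms> element found"]
    findings = []

    use_jndi = (text_of(jms, "useJndi") or "").lower()
    if use_jndi not in ("true", "false"):
        findings.append("<useJndi> must be true or false")

    interval = text_of(jms, "reconnect_interval")
    if interval is None or not interval.isdigit() or int(interval) <= 0:
        findings.append("<reconnect_interval> must be a positive integer")

    env = jms.find("env")
    jndi = jms.find("jndi")
    if env is None or text_of(env, "connectionFactory") is None:
        findings.append("<env><connectionFactory> is required in both modes")

    if use_jndi == "true":
        # JNDI lookup: the provider is located through <jndi>; a direct <url> is a copy-paste smell.
        if jndi is None:
            findings.append("useJndi=true but <jndi> is missing")
        else:
            for tag in ("providerUrl", "providerCtxFactory"):
                if text_of(jndi, tag) is None:
                    findings.append(f"useJndi=true but <jndi><{tag}> is missing")
        if env is not None and text_of(env, "url") is not None:
            findings.append("useJndi=true but <env><url> is also set; check which mode is intended")
    elif use_jndi == "false":
        # Direct connection: the provider URL must be given under <env>.
        if env is None or text_of(env, "url") is None:
            findings.append("useJndi=false but <env><url> is missing")
        if jndi is not None:
            findings.append("useJndi=false but a <jndi> block is present; check which mode is intended")
    return findings


# Constructed sample: ActiveMQ reached directly, without JNDI lookup.
DIRECT = """
<jms>
    <useJndi>false</useJndi>
    <reconnect_interval>10000</reconnect_interval>
    <env>
        <url>tcp://host:61616</url>
        <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
        <username>jmsuser</username>
        <password>ENCRYPTED-PASSWORD-PLACEHOLDER</password>
    </env>
</jms>
"""

# Constructed sample: the flag says JNDI but only direct-connection settings are present.
MISMATCH = DIRECT.replace("<useJndi>false</useJndi>", "<useJndi>true</useJndi>")

if __name__ == "__main__":
    for name, fragment in (("direct", DIRECT), ("mismatch", MISMATCH)):
        print(name, check_jms(fragment) or "OK")
```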

<dao-configuration>

DAO (Data Access Objects) is an application program interface (API) that lets a programmer request access to various databases. The <dao-configuration> element contains the name and path of the configuration file that contains the list of DAO interface classes used in the PDP to access various databases. CEPM supports Oracle and MS SQL Server databases. The DAO configuration file is present in the installation directory <CEPM_HOME>\config\pdp\dao_config.xml.

By default, its value is set to config/pdp/dao_config.xml.


Note The value of this element should not be edited.


<authentication>

The <authentication> element contains the subelements that describe the connection to the repository where the user credentials used to authenticate PEP requests are stored. The PDP stores user authentication details in either a database server or an LDAP server. PDP authentication can also be configured so that the authentication implementation already present in the protected application is used for this purpose.

CEPM supports the following database servers:

Oracle

Microsoft SQL Server

DB2

CEPM supports the following LDAP service providers:

Sun One Directory Server

Novell eDirectory Server

Active Directory Server

The following are the subelements of the <authentication> element:

type attribute—Set its value to:

db—user authentication details are stored in the database.

ldap—user authentication details are stored in the LDAP server.

sso—user authentication will be carried out by the protected application.

<class>—Name of Java class for authentication.

Set its value to:

For db authentication—net.securent.util.db.DBAuthenticator

For ldap authentication—net.securent.util.db.LocalLDAPAuthenticator

For sso authentication—net.securent.util.db.SSOAuthenticator

<properties>—Contains the attributes and subelements that configure the data source where the user authentication information is stored.

refer attribute—Set its value to True if the user authentication details are stored in the same database instance where the CEPM data resides (the CEPM repository details are configured in the <db> element). In this case, set the name attribute to the same value that was set for the name attribute of the <db> element (for example: default), and do not provide data source connection details in the <property> subelements.

Set its value to False if the user authentication information is not stored in the database instance that is configured for the <db> element. In this case, you must provide the data source connection details in the <property> subelements.

name attribute—If the refer attribute is set to True, provide the same database name that was configured for the <db> element (for example: default), or provide a new name.

<property>—Set multiple <property> elements if the user authentication information is not stored in the database instance that is configured for the <db> element.

You have to specify three different sets of <property> elements depending upon the type of the data source—database, ldap, or sso (as set for the type attribute of the <authentication> element).

Database Data Source

<property name="db-type">[value]</property>

If you are using:

an Oracle database, set the value to oracle.

a Microsoft SQL Server database, set the value to mssql.

IBM DB2, set the value to db2.

<property name="username">[value]</property>

Set the value to the name of the PAP database user.

<property name="password" encrypted="true">[value]</property>

Set the value to the user password in encrypted format and set the encrypted attribute to True. Set the encrypted attribute to False if you do not want to set the password value in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<property name="url">[value]</property>

Set the value to the JDBC connection string to connect to the PAP database. The PAP supports Oracle Thin Driver, Oracle Thick Driver (that is, OCI driver), and MS SQL Server driver. The database connection URL can have one of the following formats based on the database driver used.

Oracle Thin Driver

Format:

jdbc:oracle:thin:@<host>:<port>:<SID>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<SID>—The SID of Oracle database.

Example:

jdbc:oracle:thin:@131.107.0.23:1521:secdev

Oracle Thick Driver

Format:

jdbc:oracle:oci8:@<tns-listener-name>

where:

<tns-listener-name>—The TNS listener name of the database service. This is configured in the TNSNAMES.ORA file in the Oracle client installation directory /ORACLE_HOME/network/admin/.

Example:

jdbc:oracle:oci8:@secdev

MS SQL Server Driver

Format:

jdbc:sqlserver://<host>:<port>;databaseName=<database name>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<database name>—The SQL Server database name.

Example:

jdbc:sqlserver://131.107.2.205:3279;databaseName=secdev

DB2 Driver

Format:

jdbc:db2j:net://<host>:<port>/<SID>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<SID>—The SID of the DB2 database.

<property name="driver">[value]</property>

Set the value to the JDBC driver class.

For Oracle—oracle.jdbc.driver.OracleDriver.

For MS SQL Server—com.microsoft.sqlserver.jdbc.SQLServerDriver.

For DB2—com.ibm.db2.jcc.DB2Driver.

LDAP Server Data Source

<property name="ldap-type">[value]</property>

Set the value to the name of the LDAP service provider. CEPM supports three LDAP service providers.

Sun One Directory Server—set <ldap-type> value to SunOne.

Novell eDirectory Server—set <ldap-type> value to Novell.

Active Directory Server—set <ldap-type> value to AD.

<property name="url">[value]</property>

Set the value to the LDAP server URL.

<property name="port">[value]</property>

Set the value to the LDAP server port.

<property name="ldapdn">[value]</property>

Set the value to the LDAP server Base DN.

<property name="userdn">[value]</property>

Set the value to the LDAP server User DN.

<property name="password" encrypted="true">[value]</property>

Set the value to the password of the user in encrypted format and set the encrypted attribute to True. Set the encrypted attribute to False if you do not want to set the password value in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<property name="superuser-role">[value]</property>

Set the value to the name of the role to which the super user belongs.

SSO Data Source

If the authentication type is single sign-on (sso), then configure one <property> element whose name attribute is either request or session.

Example:

<property name="request">[value]</property>

Set the value to the name of the request or session attribute that holds the user name.

Sample <authentication> Element Configuration

Case 1: PDP Authentication Details are Stored in the Same Database Instance as Configured for the <securent><db> Element

(A) PDP authentication details are stored in the PAP database.

    <!-- Shared Repository Flag -->
    <shared_repository>true</shared_repository>
    <!-- PDP Database Connection Configuration -->
    <db authEnable="true" name="pap_db">
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties></properties>
    </db>
    <!-- PDP Authentication Configuration -->
    <authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="true" name="pap_db"></properties>
    </authentication>

(B) PDP authentication details are stored in a PDP database that is different from the PAP database.

    <!-- Shared Repository Flag -->
    <shared_repository>false</shared_repository>
    <!-- PDP Database Connection Configuration -->
    <db authEnable="true" name="pdp_db">
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>user2</username>
            <password>XBKO7w9gh3vTFr8u41H9JQ==</password>
            <url>jdbc:oracle:thin:@host:1521:securent</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
            <maxconnections>20</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName>
        </properties>
    </db>
    <!-- PDP Authentication Configuration -->
    <authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="true" name="pdp_db"></properties>
    </authentication>

Case 2: PDP Authentication Details are Stored in a Database Instance that is Different from the PDP Database Instance

(A) Oracle Database Using Thin Driver

    <!-- PDP Authentication Configuration -->
    <authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="false" name="my_db">
            <property name="db-type">oracle</property>
            <property name="username">testuser</property>
            <property name="password" encrypted="true">xiicLTdcE2g=</property>
            <property name="url">jdbc:oracle:thin:@host:1521:cepmdev</property>
            <property name="driver">oracle.jdbc.driver.OracleDriver</property>
        </properties>
    </authentication>

(B) Oracle Database Using Thick Driver

    <!-- PDP Authentication Configuration -->
    <authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="false" name="my_db">
            <property name="db-type">oracle</property>
            <property name="username">testuser</property>
            <property name="password" encrypted="true">xiicLTdcE2g=</property>
            <property name="url">jdbc:oracle:oci8:@cepmdev</property>
            <property name="driver">oracle.jdbc.driver.OracleDriver</property>
        </properties>
    </authentication>

(C) MS SQL Server Database

    <!-- PDP Authentication Configuration -->
    <authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="false" name="my_db">
            <!-- db-type must be mssql for a SQL Server URL and driver -->
            <property name="db-type">mssql</property>
            <property name="username">testuser</property>
            <property name="password" encrypted="true">xiicLTdcE2g=</property>
            <property name="url">jdbc:sqlserver://host:3279;databaseName=cepmdev</property>
            <property name="driver">com.microsoft.sqlserver.jdbc.SQLServerDriver</property>
        </properties>
    </authentication>

Case 3: PDP Authentication Details are Stored in an LDAP Server

    <!-- PDP Authentication Configuration -->
    <authentication type="ldap" class="net.securent.util.db.LocalLDAPAuthenticator">
        <properties refer="false" name="default">
            <property name="ldap-type">AD</property>
            <property name="ldapdn">dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
            <property name="userdn">
                cn=administrator,cn=users,dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in
            </property>
            <property name="password" encrypted="true">xiicLTdcE2g=</property>
            <property name="url">ldap://131.107.2.204</property>
            <property name="port">389</property>
            <property name="superuser-role">Test</property>
        </properties>
    </authentication>

Case 4: PDP Authentication is Done Using the Existing Authentication Framework Present in the Protected Application (SSO Authentication)

The following example considers SSO authentication, that is, the authentication will not be carried out by CEPM, but the authentication implementation in the existing protected application will be used.

    <!-- PDP Authentication Configuration -->
    <authentication type="sso" class="net.securent.util.db.SSOAuthenticator">
        <properties refer="false" name="default">
            <property name="request">username</property>
        </properties>
    </authentication>
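The <property> rules for the db, ldap and sso types, together with the JDBC URL formats and driver classes listed earlier, define what a consistent <authentication> element looks like. The Python checker below is an added example, not CEPM code: it verifies the required properties per type, cross-checks db-type against the url format and driver class, and flags a password that is not marked encrypted="true". It is run against a constructed fragment in which db-type says oracle while the url and driver are for MS SQL Server, a mix-up that is easy to make when copying one sample into another; the password value is a placeholder.

```python
"""Consistency check for the <authentication> element of a CEPM pdp_config.xml."""
import re
import xml.etree.ElementTree as ET

# JDBC URL formats and driver classes as listed in the guide, keyed by db-type.
DB_RULES = {
    "oracle": (re.compile(r"^jdbc:oracle:(thin:@[^:\s]+:\d+:\S+|oci8:@\S+)$"),
               "oracle.jdbc.driver.OracleDriver"),
    "mssql": (re.compile(r"^jdbc:sqlserver://[^:\s;]+:\d+;databaseName=\S+$"),
              "com.microsoft.sqlserver.jdbc.SQLServerDriver"),
    "db2": (re.compile(r"^jdbc:db2j:net://[^:/\s]+:\d+/\S+$"),
            "com.ibm.db2.jcc.DB2Driver"),
}
# Properties the guide requires per authentication type when refer="false".
REQUIRED = {
    "db": ("db-type", "username", "password", "url", "driver"),
    "ldap": ("ldap-type", "url", "port", "ldapdn", "userdn", "password", "superuser-role"),
}
LDAP_TYPES = ("SunOne", "Novell", "AD")


def db_type_from_url(url):
    """Return the db-type whose JDBC URL format matches, or None."""
    for db_type, (pattern, _driver) in DB_RULES.items():
        if pattern.match(url):
            return db_type
    return None


def check_authentication(fragment):
    """Return a list of findings for one <authentication> element (empty = consistent)."""
    auth = ET.fromstring(fragment.strip())
    atype = auth.get("type")
    props_el = auth.find("properties")
    if props_el is None:
        return ["<properties> is missing"]
    findings = []
    refer = (props_el.get("refer") or "").lower() == "true"
    # name -> (value, encrypted attribute) for every <property> child
    props = {p.get("name"): ((p.text or "").strip(), p.get("encrypted"))
             for p in props_el.findall("property")}
    values = {name: val for name, (val, _enc) in props.items()}

    if atype == "db" and refer:
        # refer="true" reuses the <db> connection, so inline details are not expected.
        if values:
            findings.append('refer="true" but inline <property> connection details are present')
        return findings
    if atype in REQUIRED:
        for name in REQUIRED[atype]:
            if not values.get(name):
                findings.append(f'missing <property name="{name}">')
        pw = props.get("password")
        if pw and (pw[1] or "").lower() != "true":
            findings.append('password is not marked encrypted="true"')
    if atype == "db":
        db_type, url, driver = values.get("db-type"), values.get("url", ""), values.get("driver")
        if db_type not in DB_RULES:
            findings.append(f"unknown db-type {db_type!r}")
        else:
            pattern, expected_driver = DB_RULES[db_type]
            if not pattern.match(url):
                guess = db_type_from_url(url)
                findings.append(f"url does not match the {db_type} format"
                                + (f" (looks like {guess})" if guess else ""))
            if driver and driver != expected_driver:
                findings.append(f"driver should be {expected_driver} for {db_type}")
    elif atype == "ldap":
        if values.get("ldap-type") not in LDAP_TYPES:
            findings.append(f"ldap-type must be one of {', '.join(LDAP_TYPES)}")
        if not values.get("port", "").isdigit():
            findings.append("port must be numeric")
    elif atype == "sso":
        if not (values.keys() & {"request", "session"}):
            findings.append('sso type needs one <property> named "request" or "session"')
    else:
        findings.append(f"unknown authentication type {atype!r}")
    return findings


# Constructed sample: db-type says oracle but url and driver are MS SQL Server's.
MISLABELLED = """
<authentication type="db" class="net.securent.util.db.PDPAuthenticator">
    <properties refer="false" name="my_db">
        <property name="db-type">oracle</property>
        <property name="username">testuser</property>
        <property name="password" encrypted="true">ENCRYPTED-PASSWORD-PLACEHOLDER</property>
        <property name="url">jdbc:sqlserver://host:3279;databaseName=cepmdev</property>
        <property name="driver">com.microsoft.sqlserver.jdbc.SQLServerDriver</property>
    </properties>
</authentication>
"""

if __name__ == "__main__":
    for finding in check_authentication(MISLABELLED):
        print("-", finding)
```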

<encryption>

The <encryption> element contains the subelements for configuring multiple Java classes for implementing various encryption algorithms used for encrypting passwords of the PDP database user, JMS server user, LDAP server user, and so on.

The following are the subelements of <encryption> element:

<implementors>—This contains various encryption Java classes.

<crypt>—Set its value to com.cisco.epm.util.auth.encryptor.DefaultCryptEncryptor.


Note The PDP supports only the crypt password scheme. The algorithm that crypt uses is based on the Data Encryption Standard (DES).


<xacml-parser>

The <xacml-parser> element contains the subelements related to the Xacml parser implementation class that is used to parse the Xacml requests coming from the PEP and to generate the corresponding Xacml response to send to the PEP.

The following are the subelements of <xacml-parser> element:

<impl>—Xacml parser implementation class.

Set its value to net.securent.util.pep.XacmlGenerator.

<xacml-log>

The PDP component has the option to log the Xacml requests that are received from the PEP and the Xacml responses sent to the PEP in a database that is configured in this <xacml-log> section of the PDP configuration file pdp_config.xml.

The PDP log can be viewed through the PAP UI from the Runtime Logs section. To view the logs generated by multiple PDPs, perform the following configuration in the PAP and in each PDP.

PDP configuration for Xacml log: Configure all the PDPs to store their log information in a common database instance.

To do this, configure the <xacml-log> section of each PDP configuration file, pdp_config.xml, with the same database connection details.

PAP configuration for Xacml log: Configure the PAP to connect to the previously mentioned database instance where all the PDPs store their Xacml log information. This is done by configuring the <xacml-log> element in pap_config.xml file and providing the same database connection details here as set for all the PDPs.

The following are the subelements of the <xacml-log> element:

<enable>—Set its value to False if the log information is not to be stored in the PDP database.

Set its value to True if the log information needs to be stored in the PDP database. In this case, the logRequestResponse attribute decides whether or not the Xacml requests and Xacml responses should be stored in the database. If the logRequestResponse attribute value is set to false, all the log information except the Xacml requests and responses are stored in the database. If the logRequestResponse attribute value is set to True, all the log information including Xacml requests and responses are stored in the database.

<log-impl>—Set its value to the PDP log implementation class name, which is net.securent.pdp.xacmllog.DBXacmlLogWriter.

<db>—This subelement contains the attributes and subelements for configuring database connection details where the Xacml log information is stored.

refer attribute—Set its value to True if the Xacml log information is stored in the PDP database itself, that is, the Xacml log database is the same database as given in the <securent><db> element.

In this case, you do not have to provide the database connection details for the following <properties> subelements—<db-type>, <username>, <password>, <url>, <driver>.

Set its value to False if the Xacml log database is different from the PDP database, that is, different from the one that is configured for the <securent><db> element. In this case, you will have to provide the database connection details for the following <properties> subelements—<db-type>, <username>, <password>, <url>, <driver>.

name attribute—If the refer attribute is set to True, provide the same database name as configured for the <securent><db> element, or provide any new name.

<properties>—Set its subelements if the Xacml log database is different from the PDP database, that is, if the refer attribute value is set to false. The subelements of the <properties> element are as follows:

<db-type>—Set its value to oracle if Xacml log information is stored in Oracle database. Set its value to mssql if it is stored in Microsoft SQL Server database. Set its value to db2 if it is stored in DB2 database.

<username>—Name of the database user where Xacml log information is stored.

<password>—The password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<url>—JDBC connection string to connect to the database where the Xacml log information is stored.

<driver>—JDBC driver class.

Sample <xacml-log> Element Configuration

Case 1: Database Logging when xacml-log Information is Stored in the Same Database Instance where the PDP Data Resides (PDP Database).

In this case, set refer attribute value to True and the name attribute value to the same database name value as provided for the name attribute value of the <securent><db> element (that is, the PDP database).

    <!-- XACML Log Details -->
    <xacml-log>
        <db refer="true" name="pdp_db"></db>
        <!-- here the name attribute value is the same as the one set for the <db>
             name as shown in the following section - PDP Database Details -->
    </xacml-log>
    <!-- PDP Database Details -->
    <db name="pdp_db" ...>
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>testuser</username>
            <password>R7mNxexTum8=</password>
            <url>jdbc:oracle:thin:@host:1521:devbdb</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

Case 2: Database Logging when xacml-log Information is Stored in a Different Database Instance from the One Where the PDP Data Resides (PDP Database)

In this case, set the refer attribute value to false and provide the connection details of the database instance where the Xacml log information is stored (<db-type>, <username>, <password>, <url>, <driver>) as subelements of <properties>.

    <!-- XACML Log Details -->
    <xacml-log>
        <db refer="false" name="my_db">
            <properties>
                <db-type>oracle</db-type>
                <username>testuser3</username>
                <password>ZFPx34KVJsQ=</password>
                <url>jdbc:oracle:thin:@host:1521:devbdb</url>
                <driver>oracle.jdbc.driver.OracleDriver</driver>
            </properties>
        </db>
    </xacml-log>
    <!-- PDP Database Details -->
    <db name="pdp_db" ...>
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>testuser</username>
            <password>R7mNxexTum8=</password>
            <url>jdbc:oracle:thin:@host:1521:devbdb</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

<pdp>

The <pdp> element contains the subelements related to the protocol-specific listeners that should be up for the PDP-PEP communication. It also contains the subelements that define the content of PDP response to PEP.

The <pdp> subelements are as follows:

attributeEnable attribute—Set its value to True if you want the PDP to send attributes related to various entities for a policy, such as user attributes, role attributes, and resource attributes. Otherwise, set its value to False.

cloningCheckEnable attribute—Set its value to True if you want the PDP to send the policy details of the main user from which this user is cloned. Otherwise, set its value to False.

retry attribute—When the databases (entitlement repository or external PIP) of a PDP become unresponsive (due to a connection failure during query execution), the PEP resends the request to the PDP after a specified time interval. This retry interval is set in the retry attribute of the <pdp> element in the pdp_config.xml file. For example, assume the retry value given in pdp_config.xml is X seconds and the timeout value given in pep_config.xml is Y seconds (where X < Y). When the PEP sends a request to the PDP and the PDP finds the database is down, it sends a retry message to the PEP conveying that it should resend the request after X seconds. The PEP resends the request to the PDP after X seconds, and this process continues until the PEP gets a proper response. If it does not get any response within the specified timeout interval (Y seconds), it throws an exception.

Set its value in seconds.
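The retry exchange described above, as an added example that is not part of this guide: a virtual clock stands in for real time, the PDP answers "retry after X seconds" while its repository is down, and the PEP resends until it receives a decision or its Y-second timeout expires. The class and function names (UnresponsivePdp, pep_request, outcome) are constructed for the example and do not exist in CEPM; the third scenario shows why the guide requires X < Y.

```python
"""Simulation of the PDP retry / PEP timeout interaction on a virtual clock (seconds)."""


class UnresponsivePdp:
    """A PDP whose repository is unreachable until db_up_at; retry_secs is the <pdp> retry value (X)."""

    def __init__(self, retry_secs, db_up_at):
        self.retry_secs = retry_secs
        self.db_up_at = db_up_at

    def handle(self, now):
        """Answer one PEP request arriving at virtual time `now`."""
        if now < self.db_up_at:
            # Database down: no decision is possible, tell the PEP to resend after X seconds.
            return ("retry", self.retry_secs)
        return ("decision", "Permit")


def pep_request(pdp, timeout_secs):
    """Send one logical request, following the PDP's retry instructions until a decision arrives.

    timeout_secs is the PEP timeout (Y). Returns (decision, elapsed_seconds, attempts);
    raises TimeoutError, as the PEP does, when Y expires without a decision.
    """
    now, attempts = 0, 0
    while True:
        if now >= timeout_secs:
            raise TimeoutError(f"no decision within {timeout_secs}s after {attempts} attempts")
        attempts += 1
        kind, payload = pdp.handle(now)
        if kind == "decision":
            return payload, now, attempts
        now += payload  # honour the PDP's "retry after X seconds"


def outcome(retry_secs, timeout_secs, db_up_at):
    """Run one scenario; None means the PEP gave up (TimeoutError)."""
    try:
        return pep_request(UnresponsivePdp(retry_secs, db_up_at), timeout_secs)
    except TimeoutError:
        return None


if __name__ == "__main__":
    # X=2 < Y=10, database back at t=5: decision on the fourth attempt at t=6.
    print(outcome(2, 10, 5))
    # X=2 < Y=10 but the database stays down: the PEP times out.
    print(outcome(2, 10, 20))
    # X=10 is not < Y=10: one attempt, then timeout, although the database recovers at t=5.
    print(outcome(10, 10, 5))
```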

<listeners>—This section contains the configuration related to various protocol-specific listeners that are supported by the PDP to communicate with the PEP. The PDP supports two protocol listeners: http and rmi.

<listener>—This element contains the configuration details related to a protocol-specific listener.

The following are the subelements of the <listener> element:

<responseType>—Response as Object or XML.

The <responseType> value must match in both pdp_config.xml and pep_config.xml. For example, if it is set to Object in pep_config.xml, the corresponding element in pdp_config.xml must also be set to Object. The same applies to XML.

<enabled>—Set its value to True to enable this listener. Otherwise, set its value to False.


Note Multiple listeners can be enabled at the same time as per the requirement.


<name>—The <name> sub-element can have one of these values: http and rmi.

<listenerClass>—Protocol-specific listener class. Do not edit this value.

For http: net.securent.pdp.listener.http.HttpListener

For rmi: net.securent.pdp.listener.rmi.RMIListener

<processorClass>—Protocol-specific processor class. Do not edit this value.

For http: net.securent.pdp.listener.http.HttpProcessor

For rmi: net.securent.pdp.listener.rmi.RMIProcessor

<parameters>—This contains rmi protocol-specific values. For http listener, keep it empty.

<host>—The RMI registry host machine IP address.

<port>—The RMI registry port number.

<jndiName>—The JNDI lookup name to locate the RMI registry.

Sample <pdp> Element Configuration

	<pdp attributeEnable="false" cloningCheckEnable="false" retry="1000">
		<listeners>
			<listener>
				<!-- Response as Object/XML -->
				<responseType>Object</responseType>
				<enabled>true</enabled>
				<name>http</name>
				<listenerClass>
					net.securent.pdp.listener.http.HttpListener
				</listenerClass>
				<processorClass>
					net.securent.pdp.listener.http.HttpProcessor
				</processorClass>
				<parameters />
			</listener>
			<listener>
				<enabled>false</enabled>
				<name>rmi</name>
				<listenerClass>
					net.securent.pdp.listener.rmi.RMIListener
				</listenerClass>
				<processorClass>
					net.securent.pdp.listener.rmi.RMIProcessor
				</processorClass>
				<parameters>
					<host>131.107.0.42</host>
					<port>10001</port>
					<jndiName>pdpObj</jndiName>
				</parameters>
			</listener>
		</listeners>
	</pdp>

<pip>

The <pip> element contains the subelements related to Policy Information Points (PIPs), that is, data stores that are external to the application (PAP and PDP), which store policy-related information.

The following are the subelements of the <pip> element:

<attributesources>—This element contains the configurations for the various external data sources (PIPs). CEPM supports the following data sources:

Database

LDAP

JAVA Class

Web Service

The following are the <attributesources> subelements:

<source>—Each <source> element contains the configuration related to a specific data source (PIP). The following are its subelements.

<type>—Type of data source. It can have one of the following values:

For Database PIP— database

For LDAP PIP—ldap

For JAVA Class PIP—Java

For Web Service PIP—WebService

<metadataImpl>—Metadata implementation class. It can have one of the following values:

For Database PIP—net.securent.pip.db.DataBasePIPMetaData

For LDAP PIP—net.securent.pip.ldap.LDAPPIPMetaData

For JAVA Class PIP—net.securent.pip.java.JavaPIPMetaData

For Web Service PIP—net.securent.pip.webservice.WebservicePIPMetaData

<attributeImpl>

Attribute implementation class. It can have one of the following values.

For Database PIP—net.securent.pip.db.DBAttribute

For LDAP PIP—net.securent.pip.ldap.LDAPAttribute

For JAVA Class PIP—net.securent.pip.java.JavaAttribute

For Web Service PIP—net.securent.pip.webservice.WebserviceAttribute

<attributeEvaluator>—Attribute evaluator class. It can have one of the following values.

For Database PIP—net.securent.pip.db.DBAttributeEvaluator

For LDAP PIP—net.securent.pip.ldap.LDAPAttributeEvaluator

For JAVA Class PIP—net.securent.pip.java.JavaAttributeEvaluator

For Web Service PIP—net.securent.pip.webservice.WebserviceAttributeEvaluator

Sample <pip> Element Configuration

    <!-- Policy Information Points (PIPs) Configuration -->
    <pip>
        <attributesources>
            <!-- Database PIP -->
            <source>
                <type>database</type>
                <metadataImpl>
                    net.securent.pip.db.DataBasePIPMetaData
                </metadataImpl>
                <attributeImpl>net.securent.pip.db.DBAttribute</attributeImpl>
                <attributeEvaluator>
                    net.securent.pip.db.DBAttributeEvaluator
                </attributeEvaluator>
            </source>
            <!-- LDAP PIP -->
            <source>
                <type>ldap</type>
                <metadataImpl>
                    net.securent.pip.ldap.LDAPPIPMetaData
                </metadataImpl>
                <attributeImpl>
                    net.securent.pip.ldap.LDAPAttribute
                </attributeImpl>
                <attributeEvaluator>
                    net.securent.pip.ldap.LDAPAttributeEvaluator
                </attributeEvaluator>
            </source>
            <!-- Java PIP -->
            <source>
                <type>Java</type>
                <metadataImpl>
                    net.securent.pip.java.JavaPIPMetaData
                </metadataImpl>
                <attributeImpl>
                    net.securent.pip.java.JavaAttribute
                </attributeImpl>
                <attributeEvaluator>
                    net.securent.pip.java.JavaAttributeEvaluator
                </attributeEvaluator>
            </source>
            <!-- Web Service PIP -->
            <source>
                <type>Webservice</type>
                <metadataImpl>
                    net.securent.pip.webservice.WebservicePIPMetaData
                </metadataImpl>
                <attributeImpl>
                    net.securent.pip.webservice.WebserviceAttribute
                </attributeImpl>
                <attributeEvaluator>
                    net.securent.pip.webservice.WebserviceAttributeEvaluator
                </attributeEvaluator>
            </source>
        </attributesources>
    </pip>

<cache>

The <cache> element contains the subelements related to the cache implementation configuration.

The following are the subelements of the <cache> element:

decisionCacheEnabled attribute—To enable the PDP cache mechanism, set this attribute to True.

cacherefreshtype attribute—This attribute value can be set to onlyupdated or all. When the value is set to onlyupdated, only data from the changed policies is retrieved from the PDP database during the cache refresh process and updated in the PDP cache. When set to all, data from all the policies is retrieved from the PDP database during the cache refresh process and copied to the PDP cache.

decisionOnly attribute—This is a Boolean value. If the value is set to False, the cache stores the entire cache objects, which contain the decision, the decision lifetime, and all entity attributes related to the decision. If the value is set to True, it stores only the decisions. Since the lifetime is then not maintained in persistence, the cache for a policy is not updated when its lifetime expires.


Note For enhanced performance, set this attribute to True.


provider attribute—Cache provider class. By default, its value is set to net.securent.pdp.cache.CacheProvider.

implementor attribute—Cache implemention class. By default, its value is set to net.securent.admin.sdk.cache.impl.JBossCache.

If you want the PDP to handle the request without case-sensitive, it can be done by using the implementor class - net.securent.admin.sdk.cache.impl.JBossCacheCaseInSensitive

For example, if a resource is created as Send Trades, and the name is sent as send trades in the access request, if you use net.securent.admin.sdk.cache.impl.JBossCache as the implementor class, you will not get the right decision as the PDP will consider case-sensitive charecters. In such scenario, if use net.securent.admin.sdk.cache.impl.JBossCacheCaseInSensitive class, it will give the right decision.

eventProvider attribute—Cache event provider class. By default, its value is set to net.securent.pdp.event.EventProvider.

<type>—Set its value to TTL.

<refresh>—The enable attribute value can be set to either True or False. If it is set to False, the PDP never refreshes its cache (except at start-up, if the enable attribute of the <prefetch> element is set to True). If it is set to True, the PDP refreshes its cache at the time interval specified in the <interval> element.

The refresh operation (the element value) can be set to invalidate or update. Setting it to invalidate erases the cache during each refresh cycle. Setting it to update refreshes the PDP cache according to the value of the cacherefreshtype attribute.

If the PDP is deployed in clustered cache mode and the enable attribute of the <refresh> element is set to True, the PDP acts as the primary cache for the other PDPs and PEPs in the same cluster. This PDP then takes responsibility for refreshing its own cache with the changed data and for refreshing all PDP and PEP caches in the same cache cluster. If the attribute is set to False, this PDP acts as a secondary cache and never refreshes its own cache; instead it depends on the primary cache (of another PDP) to refresh it. For more information about the PDP cache and the PDP cache clustering mechanism, refer to the CEPM PDP and PEP Cache Clustering Guide.

<interval>—This element defines how often (in seconds) the cache is refreshed. For example, if you want to refresh the cached data every 20 seconds, set this value to 20.

<prefetch>—This element configures prefetching of policy information into the PDP cache when the PDP component is loaded in the JVM.

enable attribute—Can be set to True or False. If it is set to True, the PDP loads all the configured data into its cache during startup. If it is set to False, the PDP does not load any data during startup.

type attribute—Can be set to user or resource. If it is set to user, the resources pertaining to every user are loaded into the cache; use this value when there are fewer users than resources, which minimizes the number of API calls and reduces network traffic. If it is set to resource, the users pertaining to every resource are loaded into the cache; use this value when there are fewer resources than users.

bulkUsersPerRequest attribute—Applies only when the type attribute is set to user, and serves to reduce network traffic. It specifies the batch size, that is, the number of users for which policy information is fetched in one prefetch request.

Example: If there are 100 users in total and bulkUsersPerRequest is set to 20, the PDP fetches the policy information (such as allowed or denied resources) for the 100 users in batches of 20 users each, that is, in five requests.

The <prefetch> element can have multiple <api> subelements; in the sample configuration below they appear under <prefetchForApis> within each <application>. Each <api> subelement names a PDP API method to call during the prefetch operation.


Note The PDP supports only the UserAccessAllowed() API method for the prefetch operation (configured as isUserAccessAllowed in the <api> element of the sample configuration). Consequently, only user-access permissions for the resources can be cached during prefetch.


<prefetchForApis>—This element defines a smart, selective prefetch based on the groups, roles or resources configured for a user. Prefetching can also be driven by the environmental mappings defined in message attributes; the message attributes can be key-value pairs, rolebundles, contexts or any entity attributes.

This element defines the selective prefetch for the configured Groups, Roles and Resource entities.

<groups>—Configures prefetching of the users that belong to the configured group. For example, with 10 users User1 to User10 of whom User1 to User5 are mapped to Grp1, specify the group as <group>TestAppGrp:TestApp:Grp1</group> inside <groups>. The prefetch then fetches only five users (User1 to User5), since only those five are mapped to Grp1.

<roles>—Configures prefetching of the users that belong to the configured role. For example, with 10 users User1 to User10 of whom User1 to User5 are mapped to Role1, specify the role as <role>appGrp:app1:Role1</role> inside <roles>. The prefetch then fetches only five users (User1 to User5), since only those five are mapped to Role1.

<resources>—Configures prefetching of the users that are mapped to the configured resource. For example, with 10 users User1 to User10 of whom User4 to User9 are mapped to the resource Send Trades, specify the resource as <resource>Prime group:Prime portal:Send Trades</resource> inside <resources>. The prefetch then fetches only six users (User4 to User9), since only those six are mapped to Send Trades.

The <prefetchForApis> element works in conjunction with the <groups>, <roles> and <resources> elements configured for the same application, and the constraints apply together. For example, with 10 users User1 to User10 of whom User1 to User5 are mapped to Grp1, User3 to User7 to role1 and User4 to User9 to the resource Send Trades, the prefetch fetches only two users (User4 and User5), since only those two are mapped to Grp1, role1 and Send Trades alike (the intersection of the three sets, not their union).
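The following Python model illustrates the two selection rules just described, bulkUsersPerRequest batching and the combined <groups>, <roles> and <resources> constraints, on the worked figures from the text. It is an added example, not CEPM code; the membership tables are constructed sample data and the function names are this example's own.

```python
"""Model of which users a type="user" prefetch covers and in how many requests
it is fetched, following the bulkUsersPerRequest and <groups>/<roles>/<resources>
rules described above. Added illustration, not CEPM code: membership tables are
constructed sample data and the function names are this example's own."""

# Constructed sample data mirroring the worked examples in the text:
# User1..User5 in Grp1, User3..User7 in role1, User4..User9 on "Send Trades".
ALL_USERS = {f"User{i}" for i in range(1, 11)}
GROUP_MEMBERS = {"TestAppGrp:TestApp:Grp1": {f"User{i}" for i in range(1, 6)}}
ROLE_MEMBERS = {"appGrp:app1:role1": {f"User{i}" for i in range(3, 8)}}
RESOURCE_USERS = {"Prime group:Prime portal:Send Trades": {f"User{i}" for i in range(4, 10)}}


def users_to_prefetch(groups=(), roles=(), resources=(), all_users=ALL_USERS):
    """Return the users a prefetch would cover for the configured FQNs.

    Each configured entity type (groups, roles, resources) restricts the set to
    users mapped to at least one of its FQNs; a type with no FQNs configured
    imposes no restriction. The types apply together, so the result is the
    intersection of the per-type sets, not their union. An FQN that maps to
    nobody therefore yields an empty prefetch rather than falling back to all users.
    """
    selected = set(all_users)
    for configured, table in ((groups, GROUP_MEMBERS),
                              (roles, ROLE_MEMBERS),
                              (resources, RESOURCE_USERS)):
        if configured:
            matched = set()
            for fqn in configured:
                matched |= table.get(fqn, set())
            selected &= matched
    return selected


def prefetch_batches(users, bulk_users_per_request):
    """Split the user set into the batches the PDP requests, each holding at
    most bulkUsersPerRequest users (100 users at 20 per request -> 5 requests)."""
    if bulk_users_per_request < 1:
        raise ValueError("bulkUsersPerRequest must be at least 1")
    # Sort by (length, name) so User2 precedes User10; keeps batches deterministic.
    ordered = sorted(users, key=lambda u: (len(u), u))
    return [ordered[i:i + bulk_users_per_request]
            for i in range(0, len(ordered), bulk_users_per_request)]


if __name__ == "__main__":
    chosen = users_to_prefetch(groups=["TestAppGrp:TestApp:Grp1"],
                               roles=["appGrp:app1:role1"],
                               resources=["Prime group:Prime portal:Send Trades"])
    print(sorted(chosen))                       # ['User4', 'User5']
    print(len(prefetch_batches(ALL_USERS, 2)))  # 5 requests for 10 users
```

Note the empty-result case: a mistyped FQN narrows the prefetch to nobody rather than to everybody, so a silently empty cache after startup is a sign to check the configured names.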

<applications>—This element lists the applications for which caching is configured. Multiple applications are specified with multiple <application> subelements.

<application>—Identifies the application for which caching is to be implemented. The application name must be in FQN (Fully Qualified Name) format: the application group, a colon, then the application name. In the sample configuration below the FQN is carried in the name attribute of <application>, with the prefetch subelements nested inside it.

For example: the application Prime portal under the application group Prime group is given as: <application>Prime group:Prime portal</application>

Multiple applications can be configured for caching as shown in the following example.

 <applications>
       <application>Prime group:Prime portal</application>
       <application>Test group:Test application</application>
       <application>Admin group:FTP Server</application>
 </applications>

<pip>—This element contains the subelements related to caching of PIP data. When enabled, the PDP periodically connects to all PIPs configured in the PAP, fetches both the metadata (the PIP attribute configuration details) and the actual values of those PIP attributes from the PIP repository, and copies this information into the PDP cache.

cacheenabled attribute—Set its value to True to enable the PIP cache mechanism; otherwise set it to False.

<cacheInterval>—Defines how often (in seconds) the cache is updated with the PIP attribute data held in the PIP stores (databases, LDAP servers, Java classes, or Web services). For example, to refresh the cached PIP data every 60 seconds, set this value to 60.

<metaDataInterval>—Defines how often (in seconds) the cache is updated with PIP metadata, that is, the PIP configuration stored in the PAP/PDP database. For example, to refresh the cached PIP metadata every 60 seconds, set this value to 60.

Sample <cache> Element Configuration

    <!-- PDP Cache Configuration -->
	<cache decisionCacheEnabled="false" cacherefreshtype="all"
		decisionsOnly="true" provider="net.securent.pdp.cache.CacheProvider"
		implementor="net.securent.admin.sdk.cache.impl.JBossCache"
		eventProvider="net.securent.pdp.event.EventProvider">
		<type>TTL</type>
		<interval>200</interval>
		<refresh enable="false">update</refresh>
		<prefetch enable="true" type="user" bulkUsersPerRequest="2">
			<applications>
				<application name="appGrp:app1">
					<prefetchForApis>
						<api name="isUserAccessAllowed">
						</api>
					</prefetchForApis>
					<groups>
						<!-- FQN of GroupName -->
						<!--	<group>TestAppGrp:TestApp:Grp1</group> -->
					</groups>
					<roles>
						<!-- FQN of RoleName -->
						<!-- role>appGrp:app1:role1</role-->
					</roles>
					<resources>
						<!-- FQN of ResourceName -->
						<!-- <resource>TestAppGrp:TestApp:Res3</resource> -->
					</resources>
				</application>
			</applications>
		</prefetch>
		<pip cacheenabled="false">
			<!-- cacheInterval>5</cacheInterval-->
			<metaDataInterval>60</metaDataInterval>
		</pip>
	</cache>

<callbackhandlers>

The callbackhandlers element contains the subelements related to the encryption key configuration. The password encryption program optionally consumes user-provided input for the key store location, the key store password and the key name. When these parameters are not specified together, the default encryption key is used. With the default key, the user is not required to supply a key through the getSecret() method of a KeyCallback implementation. Because the default key is not specific to your deployment, it does not give deployment-specific protection for the encrypted passwords; for production use, supply your own key through an IkeyCallback implementation.

The following are the subelements of the <callbackhandlers> element:

<keycallbackhandler>—Names the key provider class. You can write your own implementation class by implementing the IkeyCallback interface. To use the built-in provider, set its value to com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider.

usedefault attribute—If this value is set to True, the default encryption key is used. If it is set to False, the key is obtained from your implementation of the following methods:

public javax.crypto.SecretKey getSecret (int identifier, String keyname) throws NoSuchKeyException; // pass the key name as Default Key.

public javax.crypto.SecretKey getSecret (int identifier, String encryptionScheme, long keySize) throws NoSuchKeyException; // pass the encryption scheme as DESede and the size as 192.

Sample <callbackhandlers> Element Configuration

	<callbackhandlers>
		<keycallbackhandler usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackhandler>
	</callbackhandlers>
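The following audit script checks a pdp_config.xml for the settings discussed in the <cache> and <callbackhandlers> sections: a decision cache with no refresh, decisionsOnly, the case-insensitive implementor, a long refresh interval, and usedefault="true" on the key callback handler, and reports a weak configuration beside a hardened one. It is an added Python example, not a CEPM utility; the finding codes, the 300-second interval threshold, the placeholder root element and the com.example key provider class in the constructed samples are this example's own assumptions.

```python
"""Audit the <cache> and <callbackhandlers> settings of a pdp_config.xml for
the combinations the descriptions above warn about. Added example, not a CEPM
tool: finding codes, the 300 s interval threshold and the placeholder root
element and key-provider class in the samples are this example's own; element
and attribute names follow the configuration reference above."""

import xml.etree.ElementTree as ET

CASE_INSENSITIVE_IMPL = "net.securent.admin.sdk.cache.impl.JBossCacheCaseInSensitive"
LONG_INTERVAL_SECONDS = 300  # example threshold, not a CEPM default


def _is_true(value):
    """Attribute values are written true/false or True/False in the file."""
    return (value or "").strip().lower() == "true"


def audit_pdp_config(xml_text):
    """Return a list of (code, message) findings for the given pdp_config.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    cache = root if root.tag == "cache" else root.find(".//cache")
    if cache is not None and _is_true(cache.get("decisionCacheEnabled")):
        refresh = cache.find("refresh")
        prefetch = cache.find("prefetch")
        refresh_on = refresh is not None and _is_true(refresh.get("enable"))
        if not refresh_on:
            if prefetch is not None and _is_true(prefetch.get("enable")):
                detail = "policy data is loaded at startup only and never refreshed"
            else:
                detail = "cached decisions are never refreshed, so policy changes are not applied"
            findings.append(("CACHE_NO_REFRESH",
                             'decision cache enabled without <refresh enable="true">: ' + detail))
        if _is_true(cache.get("decisionsOnly")):
            findings.append(("CACHE_DECISIONS_ONLY",
                             "decisionsOnly=true: decision lifetime is not kept, so a cached "
                             "decision is not invalidated when its lifetime expires"))
        if (cache.get("implementor") or "").strip() == CASE_INSENSITIVE_IMPL:
            findings.append(("CACHE_CASE_INSENSITIVE",
                             "case-insensitive implementor: 'Send Trades' and 'send trades' "
                             "share one decision; confirm no entity names differ only by case"))
        interval = cache.findtext("interval")
        if refresh_on and interval and int(interval.strip()) > LONG_INTERVAL_SECONDS:
            findings.append(("CACHE_LONG_INTERVAL",
                             f"refresh interval is {interval.strip()} s; changed policies stay stale that long"))

    for handler in root.iter("keycallbackhandler"):
        if _is_true(handler.get("usedefault")):
            findings.append(("KEY_DEFAULT",
                             "keycallbackhandler usedefault=true: passwords are encrypted with the "
                             "product default key, not a key specific to this deployment"))
    return findings


# Constructed samples wrapped in a placeholder root element. WEAK_CONFIG turns the
# decision cache on with the settings the text cautions about; HARDENED_CONFIG is
# the same file with refresh enabled, full cache objects, the default case-sensitive
# implementor and a deployment-specific key provider (placeholder class name).
WEAK_CONFIG = """<pdp-config>
  <cache decisionCacheEnabled="true" cacherefreshtype="onlyupdated"
         decisionsOnly="true" provider="net.securent.pdp.cache.CacheProvider"
         implementor="net.securent.admin.sdk.cache.impl.JBossCacheCaseInSensitive"
         eventProvider="net.securent.pdp.event.EventProvider">
    <type>TTL</type>
    <interval>200</interval>
    <refresh enable="false">update</refresh>
    <prefetch enable="true" type="user" bulkUsersPerRequest="20">
      <applications><application name="appGrp:app1"/></applications>
    </prefetch>
  </cache>
  <callbackhandlers>
    <keycallbackhandler usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackhandler>
  </callbackhandlers>
</pdp-config>"""

HARDENED_CONFIG = (WEAK_CONFIG
                   .replace('decisionsOnly="true"', 'decisionsOnly="false"')
                   .replace("JBossCacheCaseInSensitive", "JBossCache")
                   .replace('<refresh enable="false">', '<refresh enable="true">')
                   .replace('usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider',
                            'usedefault="false">com.example.pdp.KeyStoreKeyProvider'))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_pdp_config(text))
```

Run it against your own file with `audit_pdp_config(open("pdp_config.xml").read())`; the cache checks are skipped when decisionCacheEnabled is false, so the key-handler finding is the only one a cache-less PDP can raise.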

Documentation Updates

Table 1 Updates to CEPM PDP Configuration Guide

Date                Description
December 19, 2011   Updated shared repository information based on doc bug ID CSCtw86841.
July 9, 2009        Minor edits and template/boilerplate updates for publication to Cisco.com.
April 3, 2009       Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0.


Related Documentation

CEPM_User_Guide_V3.3.0.0.pdf

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

© 2009 Cisco Systems, Inc. All rights reserved.
