
Cisco Policy Enforcement Point

CEPM PEP Configuration Guide


Revised: July 21, 2009, Doc Part No: OL-19577-01

Contents

About This Document

Introduction

Case Sensitivity

Elements of the pep_config.xml File

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

About This Document

Objective

This document explains the various elements present in the Policy Enforcement Point (PEP) configuration file pep_config.xml. This file should be placed in the appropriate location according to the type of application used, as given below:

J2EE web application: \WEB-INF\classes\

.NET standalone application: \Application Name\bin\

.NET web application: \Application Name\debug\

Audience

This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.

Introduction

The pep_config.xml file contains the following PEP configurations:

PEP cache: <cache>

Load balancing: <loadbalance>

Policy Decision Points (PDPs): <pdps>

HTTP proxy: <http-proxy>

Policy Administration Point (PAP) connection details: <apis>

Logs: <logs>

Protocol-specific adapters to access PDP: <adapters>

Resource discovery: <record>

Password Encryption in CEPM

You must set the password value for some elements in the pep_config.xml file, for example, the PDP authentication password and the PAP authentication password. The password values must be entered in an encrypted format.

To encrypt the password value:


Step 1 Run the encryptor.bat file, which is located in the \<CEPM_HOME>\installer\bin\ folder.

Step 2 Run the following command in the console:

For Windows:

encryptor.bat JAVA_HOME <password>

For Solaris/Linux:

encryptor.sh JAVA_HOME <password>

JAVA_HOME is the environment variable that contains the location of the Java Runtime Environment (JRE) home directory. <password> is the password to be encrypted.

When this command is run, the encrypted password is displayed on the console.

Step 3 Copy the encrypted password and paste it as the value for the appropriate <password> element in the pep_config.xml file.


Case Sensitivity

The configuration values are not case sensitive (except for Java class names, user names, passwords, and file paths). For example, the values Oracle, oracle, and ORACLE are considered the same by the PDP.

Elements of the pep_config.xml File

Here is a sample pep_config.xml file:

<pep_config version="3.0">
	<cache decisionCacheEnabled="true" cacherefreshtype="onlyupdated"
		decisionsOnly="false" provider="net.securent.pep.cache.CacheProvider"
		implementor="net.securent.admin.sdk.cache.impl.JBossCache"
		eventProvider="net.securent.pep.event.EventProvider">
		<type>TTL</type>
		<refresh enable="true">INVALIDATE</refresh>
		<interval>20</interval>
		<prefetch enable="false" type="user" bulkUsersPerRequest="10">
			<prefetchForApis>
				<api name="isUserAccessAllowed">
				</api>
			</prefetchForApis>
			<!-- Selective prefetch for configured Groups, Roles, Resources entities -->
			<groups>
				<!-- FQN of GroupName -->
				<!--<group>SampleGroup:SampleApplication:Group1</group>-->
			</groups>
			<roles>
				<!--<role>SampleGroup:SampleApplication:Role1</role>-->
				<!--<role>SampleGroup:SampleApplication:Role2</role>-->
			</roles>
			<resources>
				<!-- FQN of ResourceName -->
				<!--<resource>SampleGroup:SampleApplication:Res1</resource>-->
			</resources>
		</prefetch>
		<applicationgroup>Prime group</applicationgroup>
		<application>Prime portal</application>
	</cache>
	<logs enable="false" records="100" logsTTL="10"/>
	<loadbalance enabled="true">
		<algorithm>roundrobin</algorithm>
		<refreshtime>10</refreshtime>
		<timeout>10000</timeout>
		<maxconnectionsperhost>10</maxconnectionsperhost>
		<maxtotalconnections>1000</maxtotalconnections>
	</loadbalance>
	<pdps>
		<!-- SOAP PDP, commented out in this sample -->
		<!--<pdp>
			<protocol>soap</protocol>
			<username>admin</username>
			<password>h1BYu+lcwcM=</password>
			<url>http://host:port/pdp/services/AuthorizationService</url>
			<timeout>1000</timeout>
		</pdp>-->
		<pdp>
			<protocol>http</protocol>
			<username>admin</username>
			<password>h1BYu+lcwcM=</password>
			<url>http://host:port/pdp/AuthorizationEndPoint</url>
			<responsetype>Object</responsetype>
			<timeout>1000</timeout>
		</pdp>
		<!-- RMI PDP, commented out in this sample -->
		<!--<pdp>
			<protocol>rmi</protocol>
			<username>admin</username>
			<password>h1BYu+lcwcM=</password>
			<url>rmi://host:10002/pdpObj</url>
			<timeout>1000</timeout>
		</pdp>-->
	</pdps>
	<http-proxy>
		<host></host>
		<port></port>
	</http-proxy>
	<apis>
		<api>
			<url>http://host:port/cepm</url>
			<username>superuser</username>
			<password>h1BYu+lcwcM=</password>
			<repositoryname>Default Domain</repositoryname>
		</api>
	</apis>
	<adapters>
		<soap>net.securent.pep.soap.SoapTransportAdaptor</soap>
		<rmi>net.securent.pep.rmi.RMITransportAdaptor</rmi>
		<http>net.securent.pep.http.HttpTransportAdaptor</http>
		<java>net.securent.pep.java.JavaTransportAdaptor</java>
		<https>net.securent.pep.http.HttpTransportAdaptor</https>
	</adapters>
	<record>false</record>
</pep_config>
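A pre-deployment sanity check for a pep_config.xml, added here as an example and not part of this guide or of the CEPM product. It encodes the rules this guide states (allowed <protocol> values, matching <adapters> entry, encrypted <password> values, paired <http-proxy> children) and flags a password that was pasted in as plaintext instead of encryptor output; the embedded SAMPLE is a trimmed, constructed copy of the sample file above.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

PROTOCOLS = {"http", "soap", "java", "rmi"}   # the four <protocol> values this guide allows
BOOL = {"true", "false"}

def norm(text):
    """Configuration values are not case sensitive, so compare them lower-cased."""
    return (text or "").strip().lower()

def looks_encrypted(value):
    """Heuristic: encryptor.bat/encryptor.sh prints base64 text, so a value that is not strict
    base64 was almost certainly pasted in as plaintext (a short plaintext that happens to be
    valid base64 slips through, so a pass is necessary, not sufficient)."""
    try:
        return bool(value) and len(base64.b64decode(value, validate=True)) > 0
    except binascii.Error:
        return False

def check_pep_config(xml_text):
    """Return a list of findings (strings); an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    cache = root.find("cache")
    if cache is not None:
        if norm(cache.get("decisionCacheEnabled")) not in BOOL:
            findings.append("cache: decisionCacheEnabled must be true or false")
        if norm(cache.get("cacherefreshtype")) not in {"onlyupdated", "all"}:
            findings.append("cache: cacherefreshtype must be onlyupdated or all")
        if norm(cache.findtext("refresh")) not in {"invalidate", "update"}:
            findings.append("cache: <refresh> must be INVALIDATE or UPDATE")
    # Every active <pdp> needs a known protocol, a matching <adapters> entry, a URL and an
    # encrypted password; a <pdp> commented out in the XML is not seen by the parser.
    adapters = {child.tag.lower() for child in root.findall("adapters/*")}
    pdps = root.findall("pdps/pdp")
    if not pdps:
        findings.append("pdps: at least one active (uncommented) <pdp> is required")
    for i, pdp in enumerate(pdps, 1):
        proto = norm(pdp.findtext("protocol"))
        if proto not in PROTOCOLS:
            findings.append(f"pdp {i}: unknown protocol {proto!r}")
        elif proto not in adapters:
            findings.append(f"pdp {i}: no <{proto}> entry under <adapters>")
        if not norm(pdp.findtext("url")):
            findings.append(f"pdp {i}: <url> is empty")
        if not looks_encrypted((pdp.findtext("password") or "").strip()):
            findings.append(f"pdp {i}: <password> is not encryptor output (plaintext?)")
    for i, api in enumerate(root.findall("apis/api"), 1):
        if not looks_encrypted((api.findtext("password") or "").strip()):
            findings.append(f"api {i}: <password> is not encryptor output (plaintext?)")
    proxy = root.find("http-proxy")
    if proxy is not None:   # either both children are empty (no proxy) or both are set
        host, port = norm(proxy.findtext("host")), norm(proxy.findtext("port"))
        if bool(host) != bool(port) or (port and not port.isdigit()):
            findings.append("http-proxy: set both <host> and a numeric <port>, or leave both empty")
    return findings

# Constructed input: a trimmed copy of this guide's sample, keeping only the active http PDP.
SAMPLE = """<pep_config version="3.0">
  <cache decisionCacheEnabled="true" cacherefreshtype="onlyupdated" decisionsOnly="false"
         provider="net.securent.pep.cache.CacheProvider"
         implementor="net.securent.admin.sdk.cache.impl.JBossCache"
         eventProvider="net.securent.pep.event.EventProvider">
    <type>TTL</type><refresh enable="true">INVALIDATE</refresh><interval>20</interval>
  </cache>
  <pdps><pdp><protocol>http</protocol><username>admin</username><password>h1BYu+lcwcM=</password>
    <url>http://host:port/pdp/AuthorizationEndPoint</url><responsetype>Object</responsetype>
    <timeout>1000</timeout></pdp></pdps>
  <http-proxy><host></host><port></port></http-proxy>
  <apis><api><url>http://host:port/cepm</url><username>superuser</username>
    <password>h1BYu+lcwcM=</password><repositoryname>Default Domain</repositoryname></api></apis>
  <adapters><http>net.securent.pep.http.HttpTransportAdaptor</http></adapters>
  <record>false</record>
</pep_config>"""
```

Run check_pep_config() over the real file before deploying the PEP; an empty list means the checks above passed, not that the configuration is correct in every respect.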

<cache>

The <cache> element contains the subelements related to the cache and cache clustering of the PEP component:

decisionCacheEnabled attribute—To enable the PEP cache mechanism, set this attribute to True.

cacherefreshtype attribute—This attribute value can be set to onlyupdated or all. When set to onlyupdated, only the changed data is copied from the PDP and updated in the PEP cache during the cache refresh process. When set to all, all the data from the PDP cache is copied to the PEP cache during the cache refresh process.

decisionsOnly attribute—This is a Boolean value. If it is set to False, all the cache objects, which contain the decision, the decision lifetime, and the entity attributes related to the decision, are stored. If it is set to True, only the decisions are stored. Because the lifetime is then not maintained in persistence, the cache entry for a policy is not updated when its lifetime expires.


Note For enhanced performance, set this attribute to True.


provider attribute—This attribute names the cache provider class. There are two providers:

PDP Cache Provider—Collects data directly from the database by calling Java APIs. Works only for the PDP cache.

PEP Cache Provider—Communicates with the PDP and gets the information for the prefetch using the protocols configured in the PEP configuration. Works only for the PEP cache.


Note By default, its value is set to net.securent.pep.cache.CacheProvider.


implementor attribute—The class named by this attribute must implement the ICache interface. Its helper methods, such as put(), get(), and remove(), are used to insert data into and retrieve data from the cache. By default, its value is set to net.securent.admin.sdk.cache.impl.JBossCache.

If you want the PEP to handle requests in a case-insensitive manner, use the implementor class net.securent.admin.sdk.cache.impl.JBossCacheCaseInSensitive.

For example, if a resource is created as Send Trades and the name is sent as send trades in the access request, you may not get the right decision with net.securent.admin.sdk.cache.impl.JBossCache as the implementor class, because the PEP then compares the names case-sensitively. In such a scenario, the net.securent.admin.sdk.cache.impl.JBossCacheCaseInSensitive class gives the right decision.

eventProvider attribute—This attribute updates the cache depending on the events occurring at the PAP. To enable this attribute, enable the <event> element at the PAP.


Note By default, its value is set to net.securent.pep.event.EventProvider.


<type>—Set its value to either TTL or Session.

<refresh>—The enable attribute value can be set to True or False. If this value is set to False, the PEP never refreshes its cache (except during start-up, if the <prefetch> element's enable attribute is set to True). If this value is set to True, the PEP refreshes its cache periodically, at the time interval specified in the <interval> element.

The <refresh> element value can be set to invalidate or update. If <refresh> is set to invalidate, the PEP erases the cache during the refresh cycle. If <refresh> is set to update, the PEP updates its cache based on the value set for the cacherefreshtype attribute.

If the PEP is deployed in clustered cache mode and the <refresh> element's enable attribute is set to True, the PEP acts as the primary cache for the other PEPs in the same cluster: as the primary cache, it refreshes its own cache and all the PEP caches in the same cache cluster with the changed data. If this attribute is set to False, the PEP acts as a secondary cache; it does not refresh its own cache but depends on the primary-cache PEP or the PDP to refresh it.

<interval>—This element defines the frequency (in seconds) of cache refresh activity. For example, if you want to refresh the cached data every 20 seconds, set the <interval> value to 20.

<prefetch>—This element is configured to prefetch the policy information and store it in the PEP cache, when the PEP component is loaded in Java Virtual Machine (JVM).

enable attribute—The enable attribute value can be set to True or False. If this value is set to True, all the data is refreshed during the PEP startup. If this value is set to False, the PEP does not refresh its data during startup.

type attribute—The type attribute can be set to user or resource.

If this value is set to user, all resources belonging to all users are refreshed in the cache. Set the value to user when there are fewer users than resources; this minimizes the number of API calls and reduces network traffic.

If this value is set to resource, all users belonging to all resources are refreshed in the cache. Set the value to resource when there are fewer resources than users.

bulkUsersPerRequest attribute—This attribute applies only when the type attribute is set to user, and its purpose is to reduce network traffic. Its value specifies the batch size, that is, the number of users for which each prefetch request is performed.

Example: If there are a total of 100 users and the bulkUsersPerRequest attribute value is set to 10, the PDP fetches the policy information, such as allowed or denied resources, for the 100 users in batches of 10 users. This fetches the policy information in ten batches, that is, ten requests.

<prefetch> can have multiple <api> subelements. Each <api> subelement contains a PEP API method name to call during the prefetch operation based on the requirement.


Note PEP supports only the isUserAccessAllowed() API method for the prefetch operation. This means that only the user access permissions for all the resources can be cached during the prefetch operation.


<prefetchForApis>—This element defines the selective prefetch mechanism, which filters the prefetched data by groups, roles, and resources.

<groups>—This element is configured to prefetch the users that belong to the configured group. For example, there are 10 users, User1 to User10, and User1 to User5 are mapped to Group1. Specify the group as <group>SampleGroup:SampleApplication:Group1</group>. The <prefetchForApis> prefetch then fetches only five users (User1 to User5), since only those five users are mapped to Group1.

<roles>—This element is configured to prefetch the users that belong to the configured role. For example, there are 10 users, User1 to User10, and User1 to User5 are mapped to Role2. Specify the role as <role>SampleGroup:SampleApplication:Role2</role>. The <prefetchForApis> prefetch then fetches only five users (User1 to User5), since only those five users are mapped to Role2.


Note CEPM does not support pre-fetch for the role "Known Users" as this is similar to pre-fetching all decisions for all users.


<resources>—This element is configured to prefetch the users that belong to the configured resource. For example, there are 10 users, User1 to User10, and User4 to User9 are mapped to the resource Send Trades. Specify the resource as <resource>Prime group:Prime portal:Send Trades</resource>. The <prefetchForApis> prefetch then fetches only six users (User4 to User9), since only those six users are mapped to Send Trades.

The <prefetchForApis> element works in conjunction with <groups>, <roles>, and <resources>. For example, there are 10 users, User1 to User10. User1 to User5 are mapped to Grp1, User3 to User7 are mapped to role1, and User4 to User9 are mapped to the resource Send Trades. The <prefetchForApis> prefetch fetches only two users (User4 and User5), since only those two users are mapped to all of Grp1, role1, and Send Trades (the intersection of Grp1, role1, and Send Trades).
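The worked example above, carried through in code that is added here and is not Cisco's: the three filters combine by intersection, and bulkUsersPerRequest then splits the selected users into request batches. The FQNs, the membership tables and the assumption that several names within one filter combine by union (which the guide does not spell out) are constructions of this example.

```python
def select_prefetch_users(all_users, configured, membership):
    """Return the set of users the selective prefetch covers.

    configured: {"groups": [...], "roles": [...], "resources": [...]} as written under
    <prefetch>; an empty list means that filter is commented out and imposes no restriction.
    membership: {"groups": {fqn: set_of_users}, "roles": {...}, "resources": {...}},
    constructed here to stand in for what the PEP learns from the PAP/PDP.
    Filters combine by intersection, matching the guide's User4/User5 example; several
    names within one filter are assumed to combine by union (not stated in the guide).
    """
    selected = set(all_users)
    for category, names in configured.items():
        if not names:
            continue
        members = set().union(*(membership.get(category, {}).get(n, set()) for n in names))
        selected &= members
    return selected


def prefetch_batches(all_users, selected, bulk_users_per_request):
    """Split the selected users into batches of bulk_users_per_request, keeping the original
    user order (type="user" only). The guide's 100 users with a batch size of 10 give 10
    requests; 2 selected users give a single request."""
    if bulk_users_per_request < 1:
        raise ValueError("bulkUsersPerRequest must be a positive integer")
    ordered = [u for u in all_users if u in selected]
    return [ordered[i:i + bulk_users_per_request]
            for i in range(0, len(ordered), bulk_users_per_request)]


# Constructed data matching the guide's worked example (FQN prefixes are invented).
USERS = [f"User{i}" for i in range(1, 11)]
GRP1, ROLE1, SEND_TRADES = ("Prime group:Prime portal:Grp1",
                            "Prime group:Prime portal:role1",
                            "Prime group:Prime portal:Send Trades")
MEMBERSHIP = {
    "groups": {GRP1: set(USERS[0:5])},          # User1 to User5
    "roles": {ROLE1: set(USERS[2:7])},          # User3 to User7
    "resources": {SEND_TRADES: set(USERS[3:9])},  # User4 to User9
}
```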

<applicationgroup>—Set this element value to the application group name for which the PEP is deployed.

<application>—Set this element value to the application name for which the PEP is deployed.

Sample <cache> Element Configuration

	<cache decisionCacheEnabled="true" cacherefreshtype="onlyupdated"
		decisionsOnly="false" provider="net.securent.pep.cache.CacheProvider"
		implementor="net.securent.admin.sdk.cache.impl.JBossCache"
		eventProvider="net.securent.pep.event.EventProvider">
		<type>TTL</type>
		<refresh enable="true">INVALIDATE</refresh>
		<interval>20</interval>
		<prefetch enable="false" type="user" bulkUsersPerRequest="10">
			<prefetchForApis>
				<api name="isUserAccessAllowed">
				</api>
			</prefetchForApis>
			<!-- Selective prefetch for configured Groups, Roles, Resources entities -->
			<groups>
				<!-- FQN of GroupName -->
				<!--<group>SampleGroup:SampleApplication:Group1</group>-->
			</groups>
			<roles>
				<!--<role>SampleGroup:SampleApplication:Role1</role>-->
				<!--<role>SampleGroup:SampleApplication:Role2</role>-->
			</roles>
			<resources>
				<!-- FQN of ResourceName -->
				<!--<resource>SampleGroup:SampleApplication:Res1</resource>-->
			</resources>
		</prefetch>
		<applicationgroup>Prime group</applicationgroup>
		<application>Prime portal</application>
	</cache>

<loadbalance>

When the enabled attribute value is set to True, the PEP component implements the load-balancing mechanism while referencing various PDPs. If this value is set to False, the load-balancing mechanism is not implemented.


Note When multiple PDPs are associated with a single PEP, the load-balancing mechanism can be used. For more information about the load-balancing mechanism in the PEP, refer to the Cisco Enterprise Policy Manager Developer Guide.


The <loadbalance> element contains the following subelements:

<algorithm>—This element decides the type of algorithm to run while the load-balancing mechanism is implemented. Set this value to roundrobin.

<refreshtime>—This element decides the time interval (in minutes) after which the PEP checks the status of all the PDPs configured in the <pdps> element and refreshes its cache with each PDP's status (that is, active or inactive).

<timeout>—This element decides the time interval (in milliseconds) that the PEP component waits for a response from a PDP when assessing whether that PDP is active or inactive. For example, if the value is set to 1000 and the PEP sends a status-check request to a PDP but does not receive a response within 1000 milliseconds, the PEP sets the status of that PDP to inactive in its own cache.

<maxconnectionsperhost>—This element sets the default maximum number of connections allowed for a given host configuration.

<maxtotalconnections>—This element sets the maximum number of connections allowed for the connection manager.

Sample <loadbalance> Element Configuration

	<loadbalance enabled="true">
		<algorithm>roundrobin</algorithm>
		<refreshtime>10</refreshtime>
		<timeout>10000</timeout>
		<maxconnectionsperhost>10</maxconnectionsperhost>
		<maxtotalconnections>1000</maxtotalconnections>
	</loadbalance>

<pdps>

The <pdps> element contains the configuration details for all the PDPs that are to be referenced from the PEP component. Each PDP configuration needs to be provided in a separate <pdp> element.

The following <pdp> subelements must be configured for each PDP entry:

<protocol>—This element specifies the protocol for PEP-PDP communication. It can use one of the four protocol values: HTTP, SOAP, JAVA, or RMI.

<username>—This element specifies the user name value to connect to the PDP.

<password>—This element specifies the encrypted password value for the user name. For more details about password encryption, refer to "Password Encryption in CEPM".

<url>—This element specifies the URL of the PDP service.

<responsetype>—This element specifies whether the PDP response is returned as Object or XML.

The <responsetype> value must be the same in both pdp_config.xml and pep_config.xml. For example, if the value is set to Object in pep_config.xml, the corresponding element in pdp_config.xml must also be set to Object. The same applies to XML.

<timeout>—This element specifies the time interval (in seconds) that the PEP waits for a response from the PDP. If the PEP does not receive a response from the PDP within this configured time interval, the PEP treats the request as an error.

Sample <pdps> Element Configuration

<pdps>
	<pdp>
		<protocol>soap</protocol> <!-- SOAP Protocol -->
		<username>admin</username>
		<password>h1BYu+lcwcM=</password>
		<url>http://host:port/pdp/services/AuthorizationService</url>
		<responsetype>Object</responsetype>
		<timeout>1000</timeout>
	</pdp>
	<pdp>
		<protocol>http</protocol> <!-- HTTP Protocol -->
		<username>admin</username>
		<password>h1BYu+lcwcM=</password>
		<url>http://host:port/pdp/AuthorizationEndPoint</url>
		<maxconnectionsperhost>10</maxconnectionsperhost>
		<maxtotalconnections>1000</maxtotalconnections>
		<responsetype>Object</responsetype>
		<timeout>1000</timeout>
	</pdp>
	<pdp>
		<protocol>rmi</protocol> <!-- RMI Protocol -->
		<username>admin</username>
		<password>h1BYu+lcwcM=</password>
		<url>rmi://host:10002/pdpObj</url>
		<responsetype>Object</responsetype>
		<timeout>1000</timeout>
	</pdp>
</pdps>

<http-proxy>

The <http-proxy> element contains the configuration details for the proxy server.


Note If a proxy server is not used, leave the child elements empty (null values), as in the sample below.


The following <http-proxy> subelements must be configured to connect to the proxy-server:

<host>—This element contains the machine IP address of the proxy server.

<port>—This element contains the port number for the proxy service.

Sample <http-proxy> Element Configuration

<http-proxy>
	<host></host>
	<port></port>
</http-proxy>

<apis>

The <apis> element contains the configuration details of the PAP server. These values are used by the PEP API to access the PAP application.

The following subelements of the <apis> element must be configured to access the PAP server:

<url>—This element contains the URL of the PAP server.

<username>—This element contains the user name to connect to the PAP server.

<password>—This element contains the encrypted password for the defined user. For more details about password encryption, refer to "Password Encryption in CEPM".

<repositoryname>—This element contains the name of the repository to connect in the PAP server.

Sample <apis> Element Configuration

	<apis>
		<api>
			<url>http://host:port/cepm</url>
			<username>superuser</username>
			<password>h1BYu+lcwcM=</password>
			<repositoryname>Default Domain</repositoryname>
		</api>
	</apis>

<logs>

The <logs> element contains:

enable attribute—The enable attribute value can be set to True or False. If this value is set to True, the requests and responses served from the PEP cache are stored in the runtime logs.

records attribute—The records attribute specifies the number of records that the PEP stores in a separate file.

logsTTL attribute—The logsTTL attribute defines the frequency (in seconds) of the log activity. For example, if you want to update the cached data every 10 seconds, set its value to 10.

For example, if records="20" and logsTTL="10", the PEP maintains a log of 20 files at a time and updates the PDP every 10 seconds.

Sample <logs> Element Configuration

<logs enable="false" records="20" logsTTL="10"/>

<adapters>

The <adapters> element contains the list of protocol-specific adapters that can be used by the PEP application to access the PDPs. The PEP supports adapters for SOAP, RMI, HTTP, and JAVA.

The following <adapters> subelements must be configured to use the appropriate protocol-specific adapter for accessing PDPs:

<soap>—This element contains the class name of the SOAP adapter.

<rmi>—This element contains the class name of the RMI adapter.

<http>—This element contains the class name of the HTTP adapter.

<java>—This element contains the class name of the JAVA adapter.

<https>—This element contains the class name of the HTTPS adapter.

Sample <adapters> Element Configuration

	<adapters>
		<!-- SOAP -->
		<soap>net.securent.pep.soap.SoapTransportAdaptor</soap> 
		<!-- RMI -->
		<rmi>net.securent.pep.rmi.RMITransportAdaptor</rmi> 
		<!-- HTTP -->
		<http>net.securent.pep.http.HttpTransportAdaptor</http> 
		<!-- JAVA -->
		<java>net.securent.pep.java.JavaTransportAdaptor</java>
		<!-- HTTPS -->
		<https>net.securent.pep.http.HttpTransportAdaptor</https>
	</adapters>

<record>

The <record> element value can be set to either True or False.

If this value is set to True, when a resource is accessed in the protected application, the resource is automatically created in the PAP, under the configured application group and application.

If you do not want to use the resource discovery functionality, set this value to False.

Sample <record> Element Configuration

	<record>false</record>

Documentation Updates

Table 1 Updates to CEPM PEP Configuration Guide

Date            Description
July 9, 2009    Minor edits and template/boilerplate updates for publication to Cisco.com
April 3, 2009   Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0


Related Documentation

CEPM_User_Guide_V3.3.0.0.pdf

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

© 2009 Cisco Systems, Inc. All rights reserved.

