Cisco Policy Administration Point

Release Notes for CEPM V3.3.0.0

Release Notes for Cisco Enterprise Policy Manager, Version 3.3.0.0

Published: April 3, 2009
Revised: December 23, 2011, OL-19618-01

Contents

Introduction

Features Optimized/Removed

New Features

Known Caveats

Related Documentation

Documentation Updates

Introduction

These release notes provide information specific to Cisco Enterprise Policy Manager V3.3.0.0. They highlight the following items:

New features are detailed in New Features.

Major known issues that might be encountered when working with the product are detailed in Known Caveats.

Features Optimized/Removed

PDPServicesWSDL is deprecated in CEPM V3.3.0.0 and removed starting from CEPM V3.3.1.0. The AuthorizationService WSDL can be used instead.

New Features

This section describes the features added in Cisco Enterprise Policy Manager Version 3.3.0.0 and lists them by component.

General

PAP UI Re-branding: The PAP UI is completely revamped with the following important changes:

Menu, colors, and navigation are redesigned

Product name is updated

Logo is changed

Color scheme is updated to match Cisco's style guides


Note: After CEPM is installed, access the PAP UI by entering the following URL in the web browser: http://host:port/cepm


Install and upgrade process: Installation of CEPM is now automated and can be performed through the command line using Install.bat(sh). Refer to the CEPM Installation and Configuration Guide V3.3.0.0 for installation and upgrade instructions.

CEPM installation and upgrade processes feature the following improvements:

Versioning of all objects in the data model. Run the following query to get the object versions:

SELECT SEC_OBJECT_NAME,SEC_VERSION_NAME,SEC_CREATE_TIME,SEC_UPDATE_TIME FROM 
SEC_OBJECTS_INFO

A version JSP in the WAR/EAR file, which has the version embedded. This JSP is automatically updated during an installation or upgrade process, including when customers apply hotfixes and patches or upgrade to a new major/minor release.

Performance: The PDP performance of CEPM is enhanced, which delivers improved application performance and scalability compared to earlier versions of the product.


Note: CEPM highly recommends choosing HTTP over SOAP for better performance.


Policy Administration Point (PAP)

More graceful policy migrations: CEPM now supports selective export of any data in the entitlement repository. Export can be performed for selected entities and entity types, which are available on the Home > Manage Entities > Import/Export page.

Rules can be reused or shared: CEPM now supports configuring simple and complex rules which are reusable and sharable. Existing rules can be used in multiple policies. In addition to this, rules can also be shared or referenced in other rules.

Status Bar in PAP: A 'Progress bar' is displayed for PAP features which take a long time to complete, such as import/export, create repository, and so on.

Regular expressions in Rule Editor: CEPM now enables the PAP Administrator to configure rules using regular expressions in the Rule Editor.

Enhanced encryption capabilities: The PAP Administrator can make use of an external encryption scheme other than the default encryption facility provided by CEPM. Now third-party crypto modules can be plugged in to CEPM.

Sybase PIP: CEPM supports Sybase database as a PIP. Sybase can be selected from the list of databases while creating a PIP in Home > System Config > External Attribute Sources > Application Attribute Sources page.

Enable logs for resources: Logging can now be done at the resource level. While creating or updating a resource, logging can be enabled by selecting the 'Enable XACML Logs' checkbox.

Simplified Search functionality: The Search Entity functionality for users, roles or groups in PAP UI is simplified. Entity types can be set as a search criteria for searching an entity. For example, in Home > Manage Entities > Users > List Users page, a user can be searched by a usertype.

Mark attributes of entities mandatory: While creating an entity type (resource, role, group, etc.) the attributes can be marked as mandatory. For example, if a usertype 'Analyst' has an attribute called 'Age' which is marked as mandatory, then 'Age' must be provided while creating a user of type 'Analyst'.

Sorting of application and resources names: Applications and resources are displayed in alphabetical order in the resource tree. This is default functionality, and the user cannot change the resource order.

Only Allowed Resource for User/Role: CEPM enables viewing of 'Only allowed resources' for a user/group/role while auditing. For example, to view only allowed resources for a user, go to Home > Auditing & Reporting > Audit Entitlements > User page and select Only-Allowed-Resource from the Entitlement Type dropdown.

Enumerate resource type attributes: 'Null' can be set as a default value while enumerating an entity type attribute. For example, a usertype 'Guest' has an attribute called 'ID' of type enum with values 30,31. While creating a user of type 'Guest', 'ID' can be set to null (blank), 30 or 31.

Policy lookup: The CEPM PDP can now store policies applicable to a request in a readily accessible manner. Policies applicable to a combination of subject, role bundle, context and resource are stored in the policy or ACL table for easy look-up of the PDP. Policy administrators may start (and update) the policy table independent of a request processed by the PDP.

Full tree context (FQN) is shown when the pointer is placed on a resource in the resource tree.

Policy Decision Point (PDP)

Upgraded logging: CEPM now supports logging of requests and responses served from the PEP and PDP caches. As a result, all log data written by the PEP can be viewed in the PDP.

Caching support is extended for selected APIs: CEPM now supports caching for the following APIs (including all overloaded methods for each API):

isUserAccessAllowed()

getDecisions()

isRoleAccessAllowed()

isGroupAccessAllowed()

getUsersAllowedForResource()

getRolesAllowedForResource()

getPermissibleResourcesForUser()

getPermissibleResourcesForRoles()

getPermissibleResourcesForGroups()

getPermissibleActionsByResource()

getGroupsAllowedForResource()

getDecisionsWithRoles()

getDecisisonsByResourceTypeForAnyAction()

getDecisionsByResourceType()

getDecisionsByAttributeValue()

getDecisionForResources()

getBulkDecisions()

Retry PDP: When the databases (entitlement repository or external PIP) of a PDP become unresponsive (due to a connection failure at query execution time), the PEP retries sending the request to the PDP after a specified time interval. This 'retry' time interval is set in the <retry> tag in the pdp_config.xml file. For example, assume the retry value given in pdp_config.xml is X seconds and the timeout value given in pep_config.xml is Y seconds (where X < Y). When the PEP sends a request to the PDP and the PDP finds the database is down, it sends a retry message to the PEP conveying that it should resend the request after X seconds. The PEP resends the request to the PDP after X seconds. This process continues until the PEP gets a proper response. If the PEP does not get any response within the specified timeout interval (Y seconds), it throws an exception.
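The retry and timeout interaction described above, as an added simulation that is not CEPM code: it shows how many attempts fit inside the timeout Y for a given retry interval X, and why X must be smaller than Y. The class and function names, the message tuples, the 'Permit' value and the deny-on-timeout wrapper are assumptions made for illustration.

```python
"""Simulation of the PEP/PDP retry handshake (added example, not CEPM code)."""
import math


class PdpTimeout(Exception):
    """No proper response arrived within the PEP timeout (Y seconds)."""

    def __init__(self, attempts, elapsed):
        super().__init__(f"no PDP response after {attempts} attempts / {elapsed}s")
        self.attempts = attempts
        self.elapsed = elapsed


class SimulatedPdp:
    """Hypothetical PDP whose database is down until `db_recovers_at` seconds."""

    def __init__(self, retry_after, db_recovers_at):
        self.retry_after = retry_after        # X: the <retry> value in pdp_config.xml
        self.db_recovers_at = db_recovers_at  # constructed end of the outage

    def handle(self, now):
        # While the database is unreachable the PDP answers with a retry
        # message that tells the PEP to resend after X seconds.
        if now < self.db_recovers_at:
            return ("RETRY", self.retry_after)
        return ("DECISION", "Permit")         # constructed decision value


def pep_request(pdp, timeout):
    """Send one request on a simulated clock; `timeout` is Y from pep_config.xml.

    Returns (decision, attempts, timeline) or raises PdpTimeout.
    """
    now, attempts, timeline = 0, 0, []
    while True:
        attempts += 1
        kind, value = pdp.handle(now)
        timeline.append((now, kind))
        if kind == "DECISION":
            return value, attempts, timeline
        # The next resend would land at now + X. If that is not strictly
        # inside the Y-second window, no proper response can arrive in time.
        if now + value >= timeout:
            raise PdpTimeout(attempts, timeout)
        now += value


def max_attempts(retry_after, timeout):
    """Upper bound on requests sent before the PEP gives up: ceil(Y / X)."""
    return max(1, math.ceil(timeout / retry_after))


def enforce(pdp, timeout):
    """Caller-side handling (an assumption, not CEPM behaviour): treat a
    timeout as a deny so an unreachable PDP never results in access."""
    try:
        decision, _, _ = pep_request(pdp, timeout)
    except PdpTimeout:
        return False
    return decision == "Permit"


if __name__ == "__main__":
    # X = 5 s, Y = 30 s, database back after 12 s: answered on the 4th attempt.
    print(pep_request(SimulatedPdp(5, 12), 30))
    # Database never recovers: six attempts (t = 0..25), then the exception.
    try:
        pep_request(SimulatedPdp(5, float("inf")), 30)
    except PdpTimeout as exc:
        print(exc)
    # X >= Y leaves no room for a single retry.
    print(max_attempts(30, 30))
```

With X equal to or larger than Y the PEP gives up after its first request, so a brief database outage surfaces as an exception in the calling application.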

PDP/PEP Prefetching from disk if available: If the cache is persisted to a local disk, when the PDP/PEP is restarted it can prefetch the data from the disk without approaching the entitlement database.

Retrieval of PIP attributes when not used in rules: CEPM now supports return of PIP attributes even though they are not used in any rule. As a result, if a user is allowed for a resource, the PDP returns the user's additional attributes from an external DB source along with the response. This can be achieved by using the policy attributes.

Policy Enforcement Point (PEP)

Enhanced prefetch and cache refresh APIs to accept additional NV Pairs: CEPM now implements a smart and selective prefetch mechanism. This allows customers to selectively prefetch based on configured groups, roles or resource for a user. Prefetching can also be done based on the environmental mappings defined in message attributes. The message attributes can be key-value pairs, rolebundles, contexts or any entity attributes. This feature is configurable in pep_config.xml file.

Enhance debug logging: The PEP logging functionality is enhanced by including different log levels such as ERROR, INFO, and so on, to give enough details to determine the root cause for failure/errors within the PEP.

Enhanced getUsersAllowedForResource() API: getUsersAllowedForResource() API is enhanced to return inherited policies. Now this API can return users belonging to the parent resource, even if its child resource is passed as the input parameter. For example, Mary is mapped to Role1 and Role1 has an allow policy on a resource Parent1, that in turn has a child resource Child1. Here, this method returns User1 even if Child1 is passed as the resource name.

Database


Note CEPM V3.3.0.0 does not support IBM DB2.


Multi-site synchronization of Entitlement Repository: CEPM now supports multi-site synchronization for Oracle and MSSQL databases. With the help of this feature, two or more sites can be deployed, each with active PDPs, PAPs and local entitlement repositories, across global data centers and the administrators of each site can make changes to policies and data.

Primary keys are added for all database tables to support database replication. This feature is implemented in all CEPM supported databases (such as Oracle, MSSQL and DB2).

Timestamp Columns: Two Timestamp columns (such as created timestamp and updated timestamp) are added to all database tables to record database transactions.

Agents

New/updated agents: The following agents are introduced in this release:

Spring Security2 Agent

JAX-WS Agent

AXIS2 Agent

.Net Agent: CEPM .Net Agent supports mutually authenticated SSL. This feature is also implemented in CEPM SharePoint Agent.

SharePoint Document Library: Now policies can be configured on a document library level instead of for each and every document constituting it. When configured on a document library level, the policy will apply to all documents present inside the library.

SharePoint resource tree enhancement: Enhancements allow viewing resource trees while configuring entitlement policies for the resources from within the SharePoint site collection page. For example, you can have a better view of the resource hierarchy in your website while creating role based policies in Site > Actions > Site Settings > Users & Permissions > CEPM Permissions > Role Based Entitlement page.

Known Caveats

Table 1 lists the known caveats in this release.

Table 1 Known Caveats 

DDTS Number | Description | Workaround (if any)

Policy Administration Point (PAP)

CSCsx11998

Heading: Unable to edit username with Spanish characters.

Description: In the PAP UI, after you create a user in Home > Manage entities > Users, an attempt to edit the user name does not take effect.

Internationalization of PAP UI is not supported in CEPM V3.3.0.0.

CSCsy20640

Heading: The PAP user should not need to logout and re-login to the PAP to see the changes made via PAP API.

Description: After adding new users, applications etc. to the domain via the PAP API, you need to log out of the PAP in the browser and re-login to see the changes.

None

CSCsy10156

Heading: Copy Entitlements is not saving properly for Bulk Users.

Description: When a large number of users are present under an application group or application, copying the entitlements of a user to multiple users that appear on different pages (due to pagination) does not copy the entitlements as expected.

During copy entitlements, if copy users are shown across multiple pages due to pagination, you must save the copy entitlements done on the users of a particular set before proceeding to the next set. For example, while copying entitlements for a user, if the copied users are present across 3 pages (due to pagination), save the copy entitlements done to users present in page1 before proceeding to page2.

CSCsx97333

Heading: In Delegated Administration, read-only user can see the menu options.

Description: In Delegated Administration, if a user is mapped to the default role called Read-Only, after login to PAP UI (say, Manage Entities > Users page), that user is able to see all menu options such as Add, Delete, Delete All, etc.

In this scenario, although the menu options are visible to the PAP user with Read-only privilege, they are disabled, so the user cannot use them.

CSCsx96497

Heading: I18N:Some special characters (œ , Ÿ ) are not supported in PAP-UI.

None

CSCsy57371

Heading: Issue in updating resource with special character '

Description: Updating a resource name fails if it contains special characters. A resource name cannot start with the special character '+'.

Use the updateResource API to update a resource containing special characters, or delete the resource and re-create it from the UI.

CSCsy67658

Heading: Current Entity Inherited Policies are not getting displayed.

Description: In the Home > Manage Entitlements > By Policies > Policy Entitlement By Entity page, the Current Entity Inherited Policies table is not displayed for a selected resource.

Visit the corresponding entitlement page for the entity to view the Inherited Policies. For example, to view inherited policies for a user, visit Home > Manage entitlements > By users page.

CSCsy71350

Heading: SimpleRule link does not work with Dynamic Role/Group with special character.

Description: At the global/application group level, if a Dynamic Role/Group has special character, the SimpleRule link does not work while configuring rules.

None

CSCsy71505

Heading: Issue with 'Allows mapping this Permit policy to multiple resources'.

Description: In Home > Manage Entitlements > By resources page, creating policies using expression by selecting 'Allows mapping this Permit policy to multiple resources' checkbox is not working.

None

CSCsy74025

Heading: Able to create duplicate roles

Description: After creating two different roles, if you edit one of the roles, give it the same name as the other role and click the Update button, a duplicate role is created.

Avoid creating different roles with the same name.

CSCsy74031

Heading: Pagination is not working from Add Users to Roles & Add Groups to Roles page

Description: In the Home > Manage Entities > Entity Assignments > Add Users to Roles page, if you map more than 100 users to a role and click the 'List mapped users for Role' icon, the table displays only the first 100 users.

The same occurs in the Add Groups to Roles page.

None

CSCsy42358

Heading: Issue in displaying rule details when reusing.

Description: After creating simple/complex rules, when you reuse those rules in multiple policies, the rule details are not available at any policy where it has been reused.

You can view/edit the rule details of a simple/complex rule in its parent policy (that is, the policy on which the rule was configured) and not in the policies where it is reused. For example, if a simple rule (SR1) is created on the policy P1 and it is reused in another policy P2, you can view/edit the rule details of SR1 by editing P1 and not P2.

CSCsy47447

CSCsy47504

CSCsu07848

Heading: Any entity type having attribute as PIP fails.

Description: Following issues have been observed while creating/updating entity types using PIP:

Updating entity types with Default PIPs fails.

Creating user with usertype having PIPs fails.

Any type having attribute as Java PIP fails.

None

CSCsy53862

Heading: While creating reference role Global roles are not displaying in Reference.

Description: In Reference drop down, global level roles/groups are not displayed while creating reference role/group on application group/application.

None

CSCsy53922

Heading: Global Group Types are displaying from Delegated Administration tab.

Description: User/Group Types created under Global are displayed in the Select User Type drop-down.

None

CSCsy53951

Heading: Issue in mapping user to reference roles.

Description: The List mapped users for role page will not display users if the role is being checked as a Referenced Role.

None

CSCsy54074

Heading: Child roles of reference role is not displayed.

Description: The child role of a reference role is not displayed in the Home > Auditing & Reporting > Audit Entitlements > Role > List of Roles page. For example, if there are two roles R1 and R2 under Prime group:Prime portal and R11 is a child role of R1, when a reference role is created as Prime group:Prime portal:R2:R1:R11, then R11 (the child role of the referenced role R1 under R2) is not visible in the List of Roles page.

None

CSCsy54288

Heading: Issue in SoD Role mapping with respect to context.

Description: The SoD Roles mapping is not displayed after changing the context.

The SoD check will not be done in any other context except the default context.

CSCsx31593

Heading: Default Attributes are returning two times for Group based Policies.

Description: When the 'Add attributes to be returned' option is selected at the top of a resource, and this resource is mapped to two groups that are parent and child of each other with the child group being a dynamic group, checking entitlements for the child group returns all the attributes participating in the policy twice.

None

CSCsx62621

Heading: Actions on a resource not always on top.

Description: If the resource 'View Reports' has two actions such as 'Edit' and 'Read-only', when you create a child resource called 'Add Report' under that resource, the resource page shows the child resource first followed by the Actions.

None

CSCsy10204

Heading: Issue in saving clone/copy users with bulk users.

Description: Clone user/Copy Entitlement the 1st user with the Nth user in the user list. While navigating with the First and Last icons at the bottom of the page, the pages are refreshed, which in turn unselects the data for Clone/Copy.

None

CSCsy23126

Heading: Password Attribute are not encrypted in Database for User.

Description: Password value is displayed in database.

None

CSCsy26409

Heading: Issue with Back button when creating Dynamic Group/Role.

Description: While creating a dynamic group/role, clicking the Back button returns to the Group Management page instead of the Create/Update Group page.

None

CSCsy28517

Heading: While importing/exporting bulk data the UI session is getting terminated.

Description: In Home > Manage Entities > Advanced > Import/Export page, while importing / exporting bulk data, the UI session is terminated.

None

CSCsy29115

Heading: Issue with Entitled Users links.

Description: In Home > Auditing & Reporting > Resources > Entitled Users page, Copy Entitled User is not displaying from Entitled Users. For example, after doing the copy entitlements of User1 to User2 and mapping User1 to Res1, while checking entitled users for Res1, it shows only User1 and not User2.

None

CSCsy31939

Heading: Issue in exporting Entitled Users/ Groups / Roles.

Description: Export button is missing in the following pages:

Home > Auditing & Reporting > Resources > Entitled Roles

Home > Auditing & Reporting > Resources > Entitled Groups

None

CSCsy39225

Heading: Reused Simple Rules are not imported on Appropriate Policy.

Description: Simple and complex rules are not displayed with the entity's policy; they are displayed for the entity that is imported first.

None

CSCsy39316

Heading: Issue in deleting Default Attributes with respect to Rules and Policy Attributes.

Description: When a default attribute is used in a rule and added as a policy attribute, deleting that attribute does not delete the corresponding rule, and the attribute is not removed from the list of policy attributes.

None

CSCsy55476

Heading: The UI based import/export support is inconsistent.

None

CSCsx16780

Heading: User is not getting deleted from database

Description: After a user is created under an application group, if that application group is deleted, the user is not deleted from the database. When the application group and the user under it are re-created with the same names as before, the 'User already exists' message is shown.

After deleting the application group from the PAP UI, delete the corresponding user(s) from the database.

CSCsy84687

Heading: Null pointer exception is thrown while getting operation name from WSDL

Description: After creating a Webservice PIP, an error occurs while adding attributes to it.

Create the Application Attributes using the createApplicationAttributes(attribute) API. Refer to the PAP Javadoc for more details.

CSCsy81807

Heading: Issue in deleting reference roles.

Description: If there are two roles R1 and R2 and you create a reference role under R1 using R2 (the new role will be R1:R2), when you try to delete the reference role (R2), it is not deleted.

None

CSCsy81811

Heading: Set Log Level failed with SSL PDP

Description: If SSL is configured in the PDP server, setting the Log Level from the PAP UI (Home > System Config > Policy Decision Points > Set Log Level) fails.

None

CSCsx69426

Heading: Password is displaying in clear text for all entities if it has password

Description: After creating an entity type (usertype, grouptype, roletype or resourcetype) with password as an attribute, if you create an entity with its corresponding entity type, the password value is displayed in clear text in the DEBUG logs as well as in the 'View Page Source' for that UI page.

None

CSCsu07815

Heading: PAP URL failover

Description: When more than one PAP API URL is given in the pep_config.xml/api tag, the PAP Client is unable to fail over to the second or subsequent API URL configured in the pep_config.xml/api tag.

None

CSCsy62098, CSCsy62111

Heading: Old API: Issue in ISubject

Description: The following APIs belonging to ISubject throw null/exception:

getGroupRoleList(appName)

getUserRoleList(userSearchPattern,roleBundleNameFQN,appName,contextFQN)

listSODRolesForUser(applicationName)

listSODRolesForUser(applicationName,roleBundle,contextFQN)

listSODRolesForGroup(applicationName, roleBundle, contextFQN)

setUserRoleAttributeValues(aUserRole)

setGroupRoleAttributeValues(aGroupRole)

getUserGroupObject(userFQN, groupFQN, contextFQN)

Use the corresponding new APIs.

Policy Decision Point (PDP)

CSCsw15923 CSCsw15945 CSCsw15956

Heading: Issues observed while using SOAP, isUserAccessAllowed method response time is not reaching the expected number.

Description: The following issues are observed while using SOAP:

The response time for the isUserAccessAllowed method is not reaching the expected number (less than 10 milliseconds).

The access time for the isUserAccessAllowed API is larger than expected for 50 users.

The access time is not as expected for the getDecisions API.

CEPM highly recommends that its customers choose HTTP over SOAP for better performance.

CSCsy26353

Heading: Issue with rules with respect to application group-/application-/group-/resource-/user-type tabulates in dynamic group/role.

Description: While creating a dynamic role, if the rules are configured using all the available entity type attributes including the role-type attributes, the rule fails.

The same scenario applies to dynamic groups.

While configuring rules for a dynamic role, the role type attributes of its parent static role should not be used.

The same workaround applies to dynamic groups.

CSCsy57721

Heading: Roles are not returned as attributes for method getDecisionsByResourceType.

Description: After invoking getDecisionsByResourceType method by passing the values for the subject, application and resource types in the request, the XACML response does not contain the role name as an attribute.

None

CSCsy50462

Heading: Scoped attributes having same attribute values are not returning

Description: If multiple entities have the same attribute names and these values are used across multiple attributes, the PDP cannot return the same attribute value.

None

CSCsy81583

Heading: Decisions are not evaluating properly with special characters

Description: Create users with names 'ua' and 'u+', and give an allow policy for a resource having special characters. When the decisions for 'ua' and 'u+' are checked from the UI, it shows Allow permission for 'ua' and deny for 'u+', whereas it shows deny permission for both users when the decision is checked from the PEP client.

None

Policy Enforcement Point (PEP)

CSCsx34023

Heading: For PDP caching, throughput does not meet the expected number for concurrent users i.e. 50 & 100 users

None

CSCsy07572

Heading: Exceptions while Running Jboss server with CacheEnabled.

Description: After configuring the JBOSS Agent by setting the pep_config.xml/cacheEnbaled tag to true, the server throws an exception when it is started.

None

Database

CSCsy66585

Heading: In Oracle10g, policy on a parent resource is ignored when Combined with Inherited policies.

Description: Even though the 'Combined with Inherited policies' option is checked for an application, policy on a parent resource is ignored.

If the PEP request contains an action name (other than 'Any'), the PDP will not combine the inherited policies in its response.

CSCsy29281

Heading: Issue with Clone user and Copy Entitlements in Delegated Administration.

Description: In Delegated Administration, when you create a user called User1 with 'Superuser' privilege and create another user called User2 and then copy the entitlements of User1 to User2 using the 'Copy Entitlement' feature, User2 will not get the Superuser privilege after logging in to the PAP UI.

The same scenario applies to the 'Clone User' feature, that is, when User1 is cloned to User2.

Avoid copying entitlements and cloning of a user (having Superuser privileges) with any other user (non-superuser).

CSCsy15000

Heading: LDAP PIP as obligations are returned twice.

Description: When LDAP PIP is used in rules in Dynamic role as well as in obligations to be returned, LDAP attributes are returned twice.

None

CSCzk06447

Heading: Delegation visibility issue on entities created by Superuser.

Description: If delegation is done to a particular user, Superuser can see all the entities created by the delegated user but vice versa does not work on an application created by the delegated user.

None

CSCsy38895 CSCsy47198 CSCsy47383 CSCsy39463

Heading: For SQL Agent, results are not returned when PCA set for User-based-overrides.

Description: If there are multiple policies created on a resource and none of those policies are user based policies, then the query will not deliver the expected result if the PCA is set for User-based-overrides.

None

Migration

CSCsx72510

Heading: Migration - Getting Error page when click on Assign resources link.

Description: After migrating from CEPM V3.2.0.0 to V3.3.0.0, when clicking Assign Resources for user in Home > Manage Entities > Users > Update user page, an error page is displayed along with an exception thrown at the server side.

None

CSCsy84659

Heading: For MSSQL, Decision are not changed when frequency is set to 5 min

Description: After enabling policy lookup for an application, when you run the jobutilities by setting the time interval to 5 minutes, the decisions are not changing.

None

Others

CSCsy47098

Heading: Backward compatibility will not work while using 3.1 PEP cache for 3.3 PDP.

None

CSCsy46973

Heading: Backward compatibility will not work when PDP cache is set to true.

Description: When PDP cache is set to true for 3.3 PDP while using 3.2, 3.1 and 3.0 PEP, the PDP cache will not work.

None

CSCsv09199

Heading: Log file rotation is not working

Description: When the size of the log files (pap.log / pdp.log) reaches the "MaxFileSize" value given in the logging.xml file, the log files are not rotated with a backup kept.

None


Related Documentation

Table 2 lists documents that are available with this release.

Table 2 Documents Available for CEPM V3.3.0.0 

Documentation Title | Description and Location of the Document in Cisco.com

CEPM Installation and Configuration Guide

Provides step-by-step instructions on how to install CEPM Components, such as Policy Administration Point (PAP) and Policy Decision Point (PDP), in various supported combinations of operating system, database, and application server.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Installation_Guide/Install_and_Config_Guide/CEPM_Install_and_Config_Guide.html

CEPM User Guide

Provides detailed information about various features and functionalities available in CEPM.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/User_Guide/CEPM_User_Guide.html

CEPM Quickstart Guide

Provides a quick, step-by-step procedure for starting up and using CEPM. This guide also walks you through the setup of a basic application and its resources, the securing of its resources with policies, and the testing of those policies.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Quick_Start_Guide/CEPM_Quick_Start_Guide.html

CEPM Concept Guide

Provides general information on CEPM architecture and entitlement management.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Concept_Guide/CEPM_Concept_Guide.html

CEPM Capacity Planning Guide

Discusses the different deployment options that are possible using CEPM. It also recommends the database size depending on the parameters of the application that is being protected by CEPM.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Capacity_Planning_Guide/CEPM_Capacity_Planning_Guide.html

CEPM Resource Models

Describes concepts related to basic policy-based application entitlement which ensures that a subject accessing a resource (or invoking an action on a resource) is allowed or denied, based on attributes-based rules.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Resource_Models/CEPM_Resource_Models.html

CEPM Java Developers Guide

Provides guidelines for using the Policy Enforcement Point (PEP) and PAP APIs, and provides instructions for configuring the PEP agent and Java Server Page (JSP) tag libraries.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Developer_Guide/Java_Developer_Guide/CEPM_Java_Developer_Guide.html

CEPM Dotnet Developers Guide

Provides guidelines for using the PEP and PAP APIs, and provides instructions for configuring the PEP agent for dotnet applications.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Developer_Guide/DotNet_Developer_Guide/CEPM_DotNet_Developer_Guide.html

CEPM PAP Configurations Guide

Provides guidelines to configure the PAP configuration parameters available in the pap_config.xml file.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Configuration_Guide/PAP_Configuration_Guide/CEPM_PAP_Configuration_Guide.html

CEPM PDP Configurations Guide

Provides guidelines to configure the PDP configuration parameters available in the pdp_config.xml file.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Configuration_Guide/PDP_Configuration_Guide/EPMPDPConfigs_chap.html

CEPM PEP Configurations Guide

Provides guidelines to configure the PEP configuration parameters available in the pep_config.xml file.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Configuration_Guide/PEP_Configuration_Guide/EPMPEPConfigs_chap.html

CEPM In-Process PDP Deployment Guide

Provides guidelines for deployment of the CEPM In-Process PDP in stand-alone client-side applications.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Configuration_Guide/In_Process_PDP/EPMInPDPDeploy_chap.html

CEPM Dotnet Agent Guide

Provides step-by-step instructions for deploying the CEPM Dotnet Agent used by any .NET-based application (either a desktop or a web-based application). It also describes the COM-wrapped agent, which is supported for VB, C++, and other Windows-based applications.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/Dotnet_Agent/CEPM_Dotnet_Agent_Guide.html

CEPM SharePoint Agent Guide

Provides a step-by-step procedure to install the CEPM SharePoint Agent and integrate the Policy Administration Point (PAP) with your web applications running on SharePoint Server 2007.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/SharePoint_Agent/CEPM_SharePoint_Agent_Guide.html

CEPM SSPI Agent Guide

Provides guidelines for the deployment of the CEPM SSPI Agent and explains the features supported by the CEPM customized authorization provider for applications running in WebLogic (BEA WebLogic V9.2).

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/SSPI_Agent/EPMSSPIAgt_chap.html

CEPM JACC Agent For JBOSS Portal Guide

Explains how the CEPM JACC Agent for JBOSS Portal helps in implementing fine-grained authorization decisions for portal applications developed using JBOSS Portal.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JACC_JBOSS_Agent/EPMJACCAgtJB_chap.html

CEPM JACC WAS Agent Guide

Explains how the CEPM JACC Agent for WebSphere Application Server helps in implementing fine-grained authorization decisions for web applications developed using WebSphere Application Server.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JACC_WAS_Agent/CEPM_JACC_WAS_Agent.html

CEPM JAX-RPC Agent Guide

Provides an overview of the CEPM JAX-RPC Agent and explains the steps for configuring this agent in applications running in WebSphere Application Server.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JAX-RPC_Agent/CEPM_JAX_RPC_Agent_Guide.html

CEPM JAX-WS Agent Guide

Provides an overview of the CEPM JAX-WS Agent and explains the steps for configuring this agent in applications running in WebSphere Application Server.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JAX-WS_Agent/CEPM_JAX-WS_Agent_Guide.html

CEPM AXIS Agent Guide

Provides step-by-step instructions on how to integrate the CEPM Axis Agent with web applications that use the Axis web service implementation for fine-grained access control.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/AXIS_Agent/EPMAxisAgt_chap.html

CEPM AXIS2 Agent Guide

Provides step-by-step instructions on how to integrate the CEPM Axis2 Agent with web applications that use the Axis2 web service implementation for fine-grained access control.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/AXIS2_Agent/EPMAxisAgt_chap.html

CEPM ACEGI Agent Guide

Provides guidelines for deployment of the CEPM ACEGI Agent and explains the features of using the CEPM customized ACEGI authorization solution for applications running in the Spring Framework.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/ACEGI_Agent/EPMACEGIAgt_chap.html

CEPM Spring Security2 Agent Guide

Provides guidelines for deployment of the CEPM Spring Security2 Agent and explains the features of using the CEPM customized Spring Security2 authorization solution using the RoleVoter for applications running in the Spring Framework.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/Spring_Security2_Agent/EPMSSAgt_chap.html

CEPM XMLACCESS Agent Guide

Provides guidelines for deployment of the CEPM XMLAccess Agent and explains the features of using the CEPM customized XMLAccess authorization solution for portal applications running in the WebSphere Portal Server.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/XML_ACCESS_Agent/EPMXMLAccessAgt_chap.html


Documentation Updates

Table 3 lists the changes made to this document since it was first released.

Table 3 Document Updates for Release Notes for Cisco Enterprise Policy Manager Version 3.3.1.0

Date               Change Summary
December, 2011     Updated Features Optimized/Removed.
October 7, 2010    Added section Features Optimized/Removed.
June 7, 2009       Minor edits and template/boilerplate updates for publication to Cisco.com.
April 3, 2009      Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.


This document is to be used in conjunction with the documents listed in Related Documentation.