CEPM Dotnet Agent Guide V3.3.1.0
Configuring the pep_config.xml File

Table Of Contents

Configuring pep_config.xml File

<cache>

<loadbalance>

<pdps>

<http-proxy>

<apis>

<adapters>

<SSL>


Configuring pep_config.xml File


This appendix describes the structure of the PEP configuration file (pep_config.xml) that is embedded into the protected .NET application to make use of the fine-grained authorization provided by CEPM, and gives guidelines for configuring it to suit the requirements of your application.

The following is a sample pep_config.xml file:

<pep_config version="3.3">
  <cache decisionCacheEnabled="true" cacherefreshtype="onlyupdated" decisionsOnly="false"
         provider="Com.Cisco.Epm.Cache.CacheProvider" implementor="Com.Cisco.Epm.Cache.Impl.NCache"
         eventProvider="Com.Cisco.Epm.Cache.Event.EventProvider">
    <type>TTL</type>
    <refresh enable="false">update</refresh>
    <interval>20</interval>
    <prefetch enable="false" type="user" bulkUsersPerRequest="10">
      <prefetchForApis>
        <api name="isUserAccessAllowed">
          <!-- Prefetch based on message attributes -->
          <!-- Attribute for Context -->
          <!--<message-attribute name="urn:cisco.cepm:3.3:xacml:context-name" override="true">TestAppGrp:TestApp:Context1</message-attribute>-->
          <!-- Attribute for Role Bundle -->
          <!--<message-attribute name="urn:cisco.cepm:3.3:xacml:rolebundle-name" override="true">Rb1</message-attribute>-->
          <!-- Attribute for Resource Type -->
          <!--<message-attribute name="urn:cisco.cepm:3.3:xacml:resource-type-name" override="true">TestAppGrp:TestApp:ResType</message-attribute>-->
          <!-- Attribute for any attributes -->
          <!--<message-attribute name="Key1" override="true">Value1</message-attribute>-->
        </api>
        <!-- <api name="getDecisionsByResourceTypeForAnyAction"/> -->
      </prefetchForApis>
      <!-- Selective prefetch for configured Groups, Roles, Resources entities -->
      <groups>
        <!-- FQN of GroupName -->
        <!-- <group>TestAppGrp:TestApp:Grp1</group> -->
      </groups>
      <roles>
        <!-- FQN of RoleName -->
        <!-- <role>Prime group:Prime portal:Internal Dev:Internal Dev Tokyo</role> -->
      </roles>
      <resources>
        <!-- FQN of ResourceName -->
        <!-- <resource>TestAppGrp:TestApp:Res3</resource> -->
      </resources>
    </prefetch>
    <applicationgroup>Prime group</applicationgroup>
    <application>Prime portal</application>
  </cache>

  <logs enable="false" records="20" logsttl="10"/>

  <loadbalance enabled="false">
    <algorithm>roundrobin</algorithm>
    <refreshtime>10</refreshtime>
    <timeout>10000</timeout>
  </loadbalance>

  <pdps>
    <pdp>
      <protocol>soap</protocol>
      <username>admin</username>
      <password>h1BYu+lcwcM=</password>
      <url>http://localhost:8080/pdp/services/AuthorizationService</url>
      <timeout>1000</timeout>
    </pdp>
    <!--<pdp>
      <protocol>http</protocol>
      <username>admin</username>
      <password>h1BYu+lcwcM=</password>
      <url>http://localhost:8080/pdp/AuthorizationEndPoint</url>
      <timeout>10000</timeout>
    </pdp>-->
  </pdps>

  <http-proxy>
    <host></host>
    <port></port>
  </http-proxy>

  <apis>
    <api>
      <url>http://localhost:8080/cepm</url>
      <username>superuser</username>
      <password>h1BYu+lcwcM=</password>
      <repositoryname>Default Domain</repositoryname>
      <timeout>10000</timeout>
    </api>
  </apis>

  <adapters>
    <soap>Com.Cisco.Epm.Soap.SoapTransportAdaptor</soap>
    <http>Com.Cisco.Epm.Http.HttpTransportAdaptor</http>
  </adapters>

  <ssl truststoreFile="C:\OpenSSL\bin\PEM\demoCA\keypair.p12" truststorePass="changeit"></ssl>

  <dncache>
    <cachepath>C:\DotnetCache\DNCache.xml</cachepath>
    <cachename>Cache</cachename>
  </dncache>
  <ncache>
    <cachename>TestCache</cachename>
  </ncache>
</pep_config>

<cache>


Note CEPM uses a policy cache, an in-memory cache located in the PDP server where all the policies and their relevant attributes are persisted during PDP bootstrap and updated at runtime as well. CEPM therefore recommends using the policy cache instead of the PEP cache for better performance in obtaining PDP responses for a given access request. You can configure the policy cache by updating the <pdp> tag in the pdp_config.xml file. Refer to the CEPM Policy Cache Guide and the CEPM Policy Configuration Guide for more information on the policy cache.


Leave this tag as it is.

<loadbalance>

When the enabled attribute value is set to true, the PEP component implements the load-balancing mechanism while referencing various PDPs. If set to false, the load-balancing mechanism is not implemented.


Note When multiple PDPs are associated with a single PEP, the load-balancing mechanism can be used. (Refer to the Cisco Enterprise Policy Manager Developer Guide for more information about the load-balancing mechanism in the PEP.)


The <loadbalance> element contains the following subelements:

<algorithm>

This subelement decides the type of algorithm to run while the load-balancing mechanism is implemented. Set it to roundrobin.

<refreshtime>

This subelement decides the time interval (in minutes) after which the PEP should check the status of all the PDPs configured in the <pdps> element and refresh its cache with each PDP's status (that is, active or inactive).

<timeout>

This element decides the time interval (in milliseconds) for which the PEP component should wait for a response after making a request to a PDP, so as to assess that PDP's status as active or inactive. For example, if the value is set to 1000 and the PEP does not receive a response to its status-check request within 1000 milliseconds, the PEP sets the status of that PDP to inactive in its own cache.
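The following Python model is an added example and not code from the CEPM .NET agent; it reproduces the <loadbalance> behaviour described above (round-robin across PDPs, a status cache refreshed every <refreshtime> minutes, and a PDP marked inactive when it fails to answer within <timeout> milliseconds) so that the interaction of the three settings can be seen on constructed data. The status probe is injected and the PDP names and response times are constructed; no network access takes place.

```python
"""Model of the PEP load-balancing behaviour described for <loadbalance>.

Added illustration, not the agent's implementation: the probe is injected,
so the PDP names and latencies below are constructed test data.
"""


def make_probe(latencies_ms):
    """Build a status probe from a constructed table of PDP response times.

    A PDP counts as active only if it answers within the configured timeout;
    a PDP missing from the table never answers at all.
    """
    def probe(pdp_url, timeout_ms):
        return latencies_ms.get(pdp_url, float("inf")) <= timeout_ms
    return probe


class PdpPool:
    """Round-robin selection over the PDPs the PEP currently believes are active."""

    def __init__(self, pdp_urls, probe, refreshtime_min, timeout_ms):
        self.pdp_urls = list(pdp_urls)                 # order of the <pdp> entries
        self.probe = probe
        self.refresh_seconds = refreshtime_min * 60    # <refreshtime> is in minutes
        self.timeout_ms = timeout_ms                   # <timeout> is in milliseconds
        self.status = {url: True for url in self.pdp_urls}  # the PEP's status cache
        self.last_refresh = None
        self._counter = 0

    def refresh_status(self, now):
        """Probe every configured PDP and record active/inactive in the cache."""
        for url in self.pdp_urls:
            self.status[url] = self.probe(url, self.timeout_ms)
        self.last_refresh = now

    def refresh_if_due(self, now):
        """Refresh the status cache once <refreshtime> minutes have elapsed."""
        if self.last_refresh is None or now - self.last_refresh >= self.refresh_seconds:
            self.refresh_status(now)

    def next_pdp(self, now):
        """Return the next active PDP in round-robin order (now is in seconds)."""
        self.refresh_if_due(now)
        active = [url for url in self.pdp_urls if self.status[url]]
        if not active:
            raise RuntimeError("no active PDP available")
        choice = active[self._counter % len(active)]
        self._counter += 1
        return choice


if __name__ == "__main__":
    # Constructed data: pdp-b takes 20 s to answer, which exceeds a 10000 ms timeout.
    latencies = {"pdp-a": 50, "pdp-b": 20000, "pdp-c": 80}
    pool = PdpPool(["pdp-a", "pdp-b", "pdp-c"], make_probe(latencies), 10, 10000)
    for t in (0, 0, 0, 300):
        print(t, pool.next_pdp(t))       # pdp-b is skipped while marked inactive
    latencies["pdp-b"] = 100             # pdp-b recovers ...
    print(600, pool.next_pdp(600))       # ... and rejoins after the 10-minute refresh
```

Note that a recovered PDP is not used again until the next scheduled refresh, so a long <refreshtime> keeps a healthy PDP out of rotation for that long, while a short one adds a status probe per PDP on every refresh.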

<pdps>

This tag contains the configuration details for all the PDPs that need to be referenced from this PEP component. Each PDP configuration needs to be provided in a separate <pdp> tag.

The following child tags should be configured for each PDP entry:

<protocol>

This tag decides the protocol for PEP-PDP communication. The .NET PEP Agent uses SOAP or HTTP protocol to communicate with the PDP.

<username>

This tag contains the user name value to connect to the PDP.

<password>

This tag contains the password for the above-mentioned user name.

<url>

This tag contains the URL of the PDP service.

<timeout>

This tag decides the time interval (in seconds) for which the PEP should wait for a response after making a request to the PDP. If the PEP does not receive a response from the PDP within this configured time interval, the PEP treats the request as an error.

<http-proxy>

This tag contains the configuration details for the proxy server. If a proxy server is not being used, leave its child tags empty. The following child tags should be configured to connect to the proxy server.

<host>

This tag contains the machine IP address of the proxy server.

<port>

This tag contains the port number for the proxy service.

<apis>

This tag contains the configuration details of the PAP server. These values are used by the PEP API to access the PAP application. The following child tags should be configured to access the PAP server.

<url>

This tag contains the URL of the PAP server.

<username>

This tag contains the user name to connect to the PAP server.

<password>

This tag contains the password for the above user.

<repositoryname>

This tag contains the name of the repository to connect to in the PAP server.

<adapters>

This tag contains the names of the adapters that the PEP application uses to access the PDP. The .NET PEP uses the SOAP and HTTP protocols to communicate with the PDP. Do not update these values, which are set by default as shown below.

<adapters>
<soap>Com.Cisco.Epm.Soap.SoapTransportAdaptor</soap>
<http>Com.Cisco.Epm.Http.HttpTransportAdaptor</http>
</adapters>

<SSL>

If you enable SSL for PEP-PDP communication, use this tag to set the path of the truststore file (the truststoreFile attribute) and the truststore password (the truststorePass attribute).
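The following Python script is an added example, not part of the CEPM guide or the agent, covering the <pdps>, <http-proxy>, <apis> and <SSL> sections above. It parses a pep_config.xml document with the element and attribute names shown in the sample and reports configuration states a reviewer would want to catch before deployment: PDP or PAP URLs without https (the <username> and <password> values travel over that transport), load balancing enabled with fewer than two <pdp> entries, an unknown <protocol>, a missing required child tag, a proxy with only one of <host> and <port> filled in, and the widely known default truststore password "changeit". The embedded document is constructed for the example and is not the shipped file, and the finding codes are the script's own.

```python
"""Added audit of a pep_config.xml document; not part of the CEPM agent."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modeled on the page's pep_config.xml (raw string: Windows paths).
SAMPLE_PEP_CONFIG = r"""<pep_config version="3.3">
  <loadbalance enabled="true">
    <algorithm>roundrobin</algorithm>
    <refreshtime>10</refreshtime>
    <timeout>10000</timeout>
  </loadbalance>
  <pdps>
    <pdp>
      <protocol>soap</protocol>
      <username>admin</username>
      <password>h1BYu+lcwcM=</password>
      <url>http://localhost:8080/pdp/services/AuthorizationService</url>
      <timeout>1000</timeout>
    </pdp>
  </pdps>
  <http-proxy>
    <host>10.0.0.5</host>
    <port></port>
  </http-proxy>
  <apis>
    <api>
      <url>http://localhost:8080/cepm</url>
      <username>superuser</username>
      <password>h1BYu+lcwcM=</password>
      <repositoryname>Default Domain</repositoryname>
      <timeout>10000</timeout>
    </api>
  </apis>
  <ssl truststoreFile="C:\OpenSSL\bin\PEM\demoCA\keypair.p12" truststorePass="changeit"></ssl>
</pep_config>"""

PDP_REQUIRED_TAGS = ("protocol", "username", "password", "url", "timeout")
KNOWN_PROTOCOLS = {"soap", "http"}   # the protocols the guide lists for the .NET PEP


def _text(element, tag):
    """Stripped text of a child element, or None when the child is absent."""
    child = element.find(tag)
    if child is None:
        return None
    return (child.text or "").strip()


def audit_pep_config(xml_text):
    """Parse a pep_config.xml document and return a list of (code, message) findings."""
    root = ET.fromstring(xml_text)
    findings = []

    pdps = root.findall("pdps/pdp")
    for i, pdp in enumerate(pdps, 1):
        for tag in PDP_REQUIRED_TAGS:
            if _text(pdp, tag) is None:
                findings.append(("PDP_MISSING_TAG", f"pdp #{i}: <{tag}> is missing"))
        proto = _text(pdp, "protocol")
        if proto is not None and proto.lower() not in KNOWN_PROTOCOLS:
            findings.append(("PDP_BAD_PROTOCOL", f"pdp #{i}: unknown protocol {proto!r}"))
        url = _text(pdp, "url")
        if url and urlparse(url).scheme.lower() != "https":
            findings.append(("PDP_HTTP_URL", f"pdp #{i}: {url} carries the PDP credentials in plaintext"))

    for i, api in enumerate(root.findall("apis/api"), 1):
        url = _text(api, "url")
        if url and urlparse(url).scheme.lower() != "https":
            findings.append(("PAP_HTTP_URL", f"api #{i}: {url} carries the PAP credentials in plaintext"))

    lb = root.find("loadbalance")
    if lb is not None and lb.get("enabled", "false").lower() == "true":
        if len(pdps) < 2:
            findings.append(("LB_SINGLE_PDP", "load balancing enabled with fewer than two <pdp> entries"))
        if _text(lb, "algorithm") != "roundrobin":
            findings.append(("LB_BAD_ALGORITHM", "<algorithm> should be roundrobin"))

    proxy = root.find("http-proxy")
    if proxy is not None:
        host, port = _text(proxy, "host") or "", _text(proxy, "port") or ""
        if bool(host) != bool(port):    # both empty (no proxy) or both set are the valid states
            findings.append(("PROXY_PARTIAL", "<http-proxy> needs both <host> and <port>, or neither"))

    ssl = root.find("ssl")
    if ssl is not None and ssl.get("truststorePass") == "changeit":
        findings.append(("TRUSTSTORE_DEFAULT_PASS", "truststorePass is the well-known default 'changeit'"))

    return findings


if __name__ == "__main__":
    for code, message in audit_pep_config(SAMPLE_PEP_CONFIG):
        print(f"{code}: {message}")
```

Run against the constructed sample the script reports the two plaintext URLs, the single-PDP load-balancing setting, the half-configured proxy and the default truststore password; with those corrected it reports nothing. Since the <password> values are stored in the file, file permissions on pep_config.xml matter as much as the transport findings, which this script does not check.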