Cisco Entitlement Policy Manager, In-Process PDP Deployment Guide, Version 3.3.1.0
Revised: July 30, 2010, Doc Part No: OL-23012-01
Contents
•In-Process Policy Decision Point
•Sample In-process PDP API Call
•Obtaining Documentation and Submitting a Service Request
About This Document
Objective
This document provides guidelines for deploying the Cisco Enterprise Policy Manager (CEPM) In-Process PDP in a client-side application to implement a fine-grained authorization solution.
Audience
This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.
In-Process Policy Decision Point
In Cisco Enterprise Policy Manager (CEPM), the in-process PDP is a special component that replaces the native Policy Enforcement Point (PEP) in standalone (desktop) applications, where it is the more suitable choice. It is embedded in the client-side application and sends policy requests to the PDP, receives the decisions, and enforces them. The in-process PDP combines the PEP and the PDP that are defined as separate components in the normal CEPM environment. Its structure is shown in Figure 1.
Figure 1 In-process PDP
The PEP and PDP are combined into a single component called the in-process PDP. The entities (such as users, roles, and the protected resource hierarchy) and the entitlement policies (including rules and other policy attributes) are defined in the Policy Administration Point (PAP) UI. The PEP has been adjusted to send access requests to, and receive responses from, the PDP within this composite in-process PDP; the Agent-PDP communication is carried by Java itself rather than a network protocol. For the out-of-process PDP, the supported communication protocols between PEP and PDP are HTTP, SOAP, and RMI.
Deploying In-Process PDP
Note If you have already deployed an older version of the in-process PDP, refer to Upgrade Information for how to upgrade it to the latest version, Version 3.3.1.0.
To deploy the In-process PDP:
Step 1 Unzip CEPM_InprocessPDPV3.3.1.0.zip on your local machine. The unzipped directory is considered CEPM_HOME for the in-process PDP.
Step 2 Set JAVA_HOME to the path of your Java Development Kit (JDK).
Step 3 Open the configure.properties file from the CEPM_HOME/bin folder and update the parameters in the following sequence:
a. Update the DOMAIN_NAME= parameter with the domain name.
b. Update the CEPM.DB_SELECTION= parameter with the database type. The value can be either Oracle or MSSQL. If you do not specify a value, the system defaults to Oracle.
c. If you select Oracle as the database, uncomment the Oracle_Version parameter and specify the Oracle version, which can be either 10g or 11g.
d. Update the following database properties:
–CEPM.DB_URL= Database URL, in the form jdbc:oracle:thin:@hostname:port:databaseName for Oracle
For example:
# MSSQL DataBase url: jdbc:sqlserver://IPADDRESS:PORT;databaseName=SID;selectMethod=cursor
# ORACLE DataBase url: jdbc:oracle:thin:@IPADDRESS:PORT:SID
–CEPM.DB_USR= Database username
–CEPM.DB_PWD= Database password (encrypted; see the Note below)
–CEPM.DB_DRIVER= Database driver name
# MSSQL Driver: com.microsoft.sqlserver.jdbc.SQLServerDriver
# ORACLE Driver: oracle.jdbc.driver.OracleDriver
Note The database password is stored encrypted in the configuration files. To obtain the encrypted form of a password, run <CEPM_HOME>\encryptor.bat (or encryptor.sh) with the following command:
For Windows: encryptor.bat JAVA_HOME Password
For Solaris/Linux: encryptor.sh JAVA_HOME Password
where JAVA_HOME is replaced with the folder path of your JDK and Password is replaced with the chosen database password. When the command runs, it prints the encrypted password. Enter this encrypted value in the password parameter (CEPM.DB_PWD) of the database properties in the configure.properties file.
e. Save and close configure.properties.
Step 4 Run CEPM_HOME/bin/configure.bat (for Windows) or CEPM_HOME/bin/configure.sh (for LINUX/Solaris).
Step 5 Configure the JMS Provider. Ignore this step if JMS Provider is already configured.
Note It is mandatory to have the JMS Provider configured in the CEPM environment to support the Policy Cache feature.
CEPM supports ActiveMQ and Tibco JMS servers. To configure JMS, follow these steps:
a. Open the pdp_config.xml file from the CEPM_HOME/config/pdp folder and update the following tags and their attributes:
•Set the <sharedRepository> tag to false.
•Update the <jms> tag in the following manner:
–Update the <url> attribute with the IP address of the machine where the JMS server is running.
–Update the <connectionFactory> attribute by replacing the existing value with one of the following values:
•For ActiveMQ - org.apache.activemq.ActiveMQConnectionFactory
•For Tibco - com.tibco.tibjms.TibjmsTopicConnectionFactory
Refer to CEPM PDP Configuration Guide V3.3.1.0 for more information on how to update the JMS tag in pdp_config.xml file.
–Save the file and close it.
Step 6 Execute the database procedures as follows, depending on the selected database type:
Step 7 To verify whether the in-process PDP is deployed properly or not, run InprocessPDPSampleTest.bat (for Windows) or InprocessPDPSampleTest.sh (for LINUX/Solaris) from the CEPM_HOME folder in the following manner:
•For Windows—
<CEPM_HOME> InprocessPDPSampleTest.bat "tom" "prime group:Prime portal" "any"
•For LINUX/Solaris—
<CEPM_HOME> InprocessPDPSampleTest.sh "tom" "prime group:Prime portal" "any"
where "tom", "prime group:Prime portal", and "any" are the username, the resource FQN, and the default action name, respectively.
If the system returns the correct response, that implies the in-process PDP is deployed successfully.
Note When you deploy the in-process PDP within your desktop application, make sure that the unzipped folder (from Step 1) is named CEPM_HOME.
Refer to the CEPM PDP Configuration Guide to configure the caching mechanism for the in-process PDP.
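As an added example, not taken from the guide or from the files shipped in CEPM_InprocessPDPV3.3.1.0.zip, this is how a completed CEPM_HOME/bin/configure.properties from Step 3 can look for an Oracle 11g deployment. Only the parameter names that appear in the steps above are used; the domain, host, port, SID and user values are constructed for illustration, and the CEPM.DB_PWD value is a placeholder for the string printed by encryptor.bat or encryptor.sh. The MSSQL alternatives are kept as comments so the file records both choices:

```properties
# Added example of CEPM_HOME/bin/configure.properties (not the shipped file).
# All values below are constructed for illustration.
DOMAIN_NAME=example-domain

# Oracle or MSSQL; Oracle is assumed when the value is left empty.
CEPM.DB_SELECTION=Oracle
# Read only when CEPM.DB_SELECTION=Oracle; 10g or 11g.
Oracle_Version=11g

# ORACLE DataBase url: jdbc:oracle:thin:@IPADDRESS:PORT:SID
CEPM.DB_URL=jdbc:oracle:thin:@10.0.0.5:1521:CEPMDB
# MSSQL alternative (leave commented when using Oracle):
# CEPM.DB_URL=jdbc:sqlserver://10.0.0.5:1433;databaseName=CEPMDB;selectMethod=cursor

CEPM.DB_USR=cepm_app

# Never the clear-text password: paste the value printed by
#   encryptor.bat <JAVA_HOME> <password>   (Windows)
#   encryptor.sh  <JAVA_HOME> <password>   (Solaris/Linux)
CEPM.DB_PWD=<ENCRYPTED_PASSWORD_FROM_ENCRYPTOR>

CEPM.DB_DRIVER=oracle.jdbc.driver.OracleDriver
# MSSQL alternative:
# CEPM.DB_DRIVER=com.microsoft.sqlserver.jdbc.SQLServerDriver
```

Because configure.bat/configure.sh and the in-process PDP can turn the encrypted value back into a working database credential, restrict read access on configure.properties (and on the files that configure.bat/configure.sh generate) to the account that runs the desktop application, and use a database account that holds only the privileges the PDP needs.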
Upgrade Information
If you are using an older version of the CEPM In-process PDP, for example Version 3.3.0.0, and want to upgrade it to the latest version, 3.3.1.0, take the following steps:
Step 1 Unzip CEPM_InprocessPDPV3.3.1.0.zip on your local machine.
Step 2 Copy the Query folder from the unzipped directory to your CEPM_HOME folder.
Step 3 Replace your older InProcessPDP.jar file with the latest jar file available in the unzipped folder.
Note Before copying the new InProcessPDP.jar into CEPM_HOME, it is recommended to back up the existing InProcessPDP.jar by renaming it with the current date, for example InProcessPDP_06102010.jar. Do not overwrite the jar files.
Step 4 Verify the upgrade as described in Step 7 of Deploying In-Process PDP.
Sample In-process PDP API Call
The following example uses the most common form of the isUserAccessAllowed() method, which passes subject, resource, and action information. For more information on the other overloaded variations of this method, refer to CEPM Java Developer Guide V3.3.1.0.
The PEP Simulator is a CEPM utility that allows developers to quickly test entitlement policies defined within the administration console. The utility also serves as a test bed for working with the PEP APIs. To call the isUserAccessAllowed method, edit, compile, and run the PEP Simulator as follows:
Step 1 Unzip CEPM_PEPClient-V3.3.1.0GA_XXXXX.zip.
Step 2 Open the command prompt and navigate to the PEP Simulator directory.
Step 3 Edit the pep.java file, replacing the username and resource values with the user and resource names you want to test. For example:
// Define subject, resource, and action values
String username = "jdoe";
String resource = "Prime group:Prime portal:Account 1";
String action = "any";
// Initialize the PDPEngine
PDPEngine.getInstance().init();
// Initialize the IAuthorizationManager
IAuthorizationManager mgr = AuthorizationManagerFactory.getInstance().getAuthorizationManager();
// Invoke the isUserAccessAllowed() method, providing user, resource, and action information
boolean decision = mgr.isUserAccessAllowed(username, resource, action);
// Print the decision
System.out.println("Is " + username + " allowed to access " + resource + "? " + decision);
Step 4 Save the updated PEP.java file.
Step 5 Type: compile
Step 6 Type: run
The PEP Simulator should return a true or false result based on the applicable policies for the user and resource.
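The snippet above shows the bare call. The following added example, which is not part of this guide or of the CEPM PEP Simulator, wraps the same three calls (PDPEngine.getInstance().init(), AuthorizationManagerFactory.getInstance().getAuthorizationManager(), and isUserAccessAllowed()) in a small enforcement helper that fails closed: an empty subject or resource is refused before the PDP is consulted, and any exception raised by the engine (for example when CEPM_HOME or the database is misconfigured) is logged and treated as a denial instead of letting the caller proceed. It assumes InProcessPDP.jar is on the classpath and that the unqualified class names resolve through that jar; the guide does not state their packages, so the import statements are omitted. The test cases in main are constructed from the user and resource names used earlier in this guide.

```java
// Added example (not from the CEPM guide or distribution): a fail-closed
// enforcement helper around the in-process PDP. Assumes InProcessPDP.jar is
// on the classpath; add the import statements for PDPEngine,
// IAuthorizationManager and AuthorizationManagerFactory from that jar.
public final class AccessGuard {
    private final IAuthorizationManager mgr;

    private AccessGuard(IAuthorizationManager mgr) {
        this.mgr = mgr;
    }

    // Initialise the in-process PDP once, exactly as the guide's snippet does.
    public static AccessGuard create() {
        PDPEngine.getInstance().init();
        IAuthorizationManager m =
            AuthorizationManagerFactory.getInstance().getAuthorizationManager();
        return new AccessGuard(m);
    }

    // Returns true only when the PDP explicitly allows the request.
    // Malformed input and engine failures are denied and logged, so a
    // broken deployment can never silently grant access.
    public boolean isAllowed(String user, String resourceFqn, String action) {
        if (user == null || user.trim().isEmpty()
                || resourceFqn == null || resourceFqn.trim().isEmpty()) {
            System.err.println("Denied: empty subject or resource");
            return false;
        }
        String effectiveAction = (action == null || action.isEmpty()) ? "any" : action;
        try {
            boolean decision = mgr.isUserAccessAllowed(user, resourceFqn, effectiveAction);
            if (!decision) {
                System.err.println("Denied by policy: " + user + " on " + resourceFqn
                    + " [" + effectiveAction + "]");
            }
            return decision;
        } catch (Exception e) {
            // Fail closed: a PDP error is not an authorization.
            System.err.println("PDP error, denying " + user + " on " + resourceFqn
                + ": " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        AccessGuard guard = AccessGuard.create();
        // Constructed cases using the user and resource names from this guide.
        String[][] cases = {
            {"tom",  "prime group:Prime portal", "any"},
            {"jdoe", "Prime group:Prime portal:Account 1", "any"},
            {"",     "prime group:Prime portal", "any"},  // refused before the PDP is asked
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " -> " + c[1] + " [" + c[2] + "]: "
                + guard.isAllowed(c[0], c[1], c[2]));
        }
    }
}
```

Compile and run it the same way as the PEP Simulator, with CEPM_HOME configured as in Deploying In-Process PDP. The first two cases return whatever the policies defined in the PAP say for those users; the third is denied locally, which is the behaviour to keep in any PEP that sits in front of this API.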
Documentation Updates
Table 2 Updates to Cisco Entitlement Policy Manager, In-Process PDP Deployment Guide, Version 3.3.1.0
Date           Description
June 10, 2010  Cisco Enterprise Policy Manager, Release 3.3.1.0. The following changes have been made to this document after its previous major release, Version 3.3.0.0: added a new section called Upgrade Information to this guide.
July 15, 2010  Added a code snippet for a sample in-process PDP API call. Refer to Sample In-process PDP API Call.
Related Documentation
•Cisco Enterprise Policy Manager User Guide
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved