
Cisco Policy Decision Point

CEPM In-Process PDP Deployment Guide V3.3.1.0


Cisco Entitlement Policy Manager, In-Process PDP Deployment Guide, Version 3.3.1.0


Revised: July 30, 2010, Doc Part No: OL-23012-01

Contents

About This Document

In-Process Policy Decision Point

Deploying In-Process PDP

Upgrade Information

Sample In-process PDP API Call

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

About This Document

Objective

This document provides guidelines for deploying the Cisco Enterprise Policy Manager (CEPM) In-Process PDP inside a client-side application in order to implement a fine-grained authorization solution.

Audience

This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.

In-Process Policy Decision Point

In Cisco Enterprise Policy Manager (CEPM), the In-process PDP is a special component that replaces the native Policy Enforcement Point (PEP) in standalone (desktop) applications, where it is the more suitable choice. The in-process PDP is embedded in the client-side application and sends policy requests to the PDP, receives the responses, and enforces them. It combines the PEP and the PDP that are defined separately in the normal CEPM environment. The structure of the in-process PDP is shown in Figure 1.

Figure 1 In-process PDP

The PEP and PDP are combined into a single component called the In-process PDP. The entities (such as users, roles, and the protected resource hierarchy) and the entitlement policies (including rules and other policy attributes) are defined in the Policy Administration Point (PAP) UI. The PEP has been adjusted so that it sends access requests to, and receives access responses from, the PDP inside this composite in-process PDP. Java is used as the transport protocol for the Agent-PDP communication. For the out-of-process PDP, the supported communication protocols between PEP and PDP are HTTP, SOAP, and RMI.

Deploying In-Process PDP


Note If you have already deployed an older version of the in-process PDP, refer to Upgrade Information for how to upgrade it to the latest version, Version 3.3.1.0.


To deploy the In-process PDP:


Step 1 Unzip CEPM_InprocessPDPV3.3.1.0.zip on your local machine. The unzipped directory is considered CEPM_HOME for the in-process PDP.

Step 2 Set JAVA_HOME to the location of your Java Development Kit (JDK).

Step 3 Open the configure.properties file from the CEPM_HOME/bin folder and update the parameters in the following sequence:

a. Update DOMAIN_NAME= parameter with the domain name.

b. Update the CEPM.DB_SELECTION= parameter with the database type. The value can be either Oracle or MSSQL. If you do not specify a value, the system automatically uses the default value, Oracle.

c. If you select Oracle as the database, uncomment the Oracle_Version parameter and specify the Oracle version, which can be either 10g or 11g.

d. Update the following database properties:

CEPM.DB_URL= Database URL in the form of jdbc:oracle:thin:@hostname:port:databaseName

For example:

# MSSQL DataBase url:
jdbc:sqlserver://IPADDRESS:PORT;databaseName=SID;selectMethod=cursor

# ORACLE DataBase url:
jdbc:oracle:thin:@IPADDRESS:PORT:SID

CEPM.DB_USR= Database username

CEPM.DB_PWD= Database password

CEPM.DB_DRIVER= Database driver name

# MSSQL Driver:  com.microsoft.sqlserver.jdbc.SQLServerDriver
# ORACLE Driver:  oracle.jdbc.driver.OracleDriver


Note The database password is stored encrypted in the configuration files. To obtain the encrypted form of a password, run the <CEPM_HOME>\encryptor.bat (or encryptor.sh) file using the following command:

For Windows: encryptor.bat JAVA_HOME Password

For Solaris/Linux: encryptor.sh JAVA_HOME Password

where JAVA_HOME is replaced with the folder path of your JAVA_HOME and Password is replaced with the chosen database password. When this command is executed, the encrypted password is displayed. Enter this encrypted password in the CEPM.DB_PWD parameter of the database properties in the configure.properties file, not the plaintext password.


e. Save and close configure.properties.

Step 4 Run CEPM_HOME/bin/configure.bat (for Windows) or CEPM_HOME/bin/configure.sh (for LINUX/Solaris).

Step 5 Configure the JMS Provider. Ignore this step if JMS Provider is already configured.


Note It is mandatory to have the JMS Provider configured in the CEPM environment to support the Policy Cache feature.


CEPM supports ActiveMQ and Tibco JMS servers. To configure JMS, follow these steps:

a. Open the pdp_config.xml file from the ...CEPM_HOME/config/pdp folder and update the following tags and their attributes:

Set the <sharedRepository> tag to false.

Update the <jms> tag as follows:

Update the <url> attribute with the IP address of the machine where the JMS server is running.

Update the <connectionFactory> attribute by replacing the existing value with one of the following values:

For ActiveMQ: org.apache.activemq.ActiveMQConnectionFactory

For Tibco: com.tibco.tibjms.TibjmsTopicConnectionFactory

Refer to CEPM PDP Configuration Guide V3.3.1.0 for more information on how to update the JMS tag in pdp_config.xml file.

Save the file and close it.

Step 6 Execute the database procedures as follows, depending on the selected database type:

Table 1 Database Type

DB Type: Oracle (10g/11g)

Action: To execute the procedure in Oracle 10g or 11g, open the Oracle client and run the pdp_wrapped.sql or pdp.sql file from the CEPM_HOME/db/script/oracle/oracle folder.

Cisco strongly recommends running the wrapped SQL scripts at the client end. A wrapped script is obfuscated code that cannot be read as plain text and can be interpreted only by Oracle; if you open a wrapped script, you will not find anything in a readable format. Wrapped scripts are supported from Oracle 10g onwards.

DB Type: MSSQL 2005

Action: To execute the procedure in MS SQL Server 2005, open the MS SQL client and run the pdp.sql file from the CEPM_HOME/db/script/mssql folder.

It is recommended to run these scripts in MSSQL Query Analyzer, because executing them through SQLCMD might not compile all of the functions and procedures.


Step 7 To verify that the in-process PDP is deployed properly, run InprocessPDPSampleTest.bat (for Windows) or InprocessPDPSampleTest.sh (for LINUX/Solaris) from the CEPM_HOME folder, as follows:

For Windows:

<CEPM_HOME> InprocessPDPSampleTest.bat "tom" "prime group:Prime portal" "any"

For LINUX/Solaris:

<CEPM_HOME> InprocessPDPSampleTest.sh "tom" "prime group:Prime portal" "any"

where "tom", "prime group:Prime portal", and "any" are the username, the resource FQN, and the default action name, respectively.

If the system returns the correct response, the in-process PDP is deployed successfully.


Note When you want to deploy the in-process PDP within your desktop application, make sure that the unzipped folder (in Step 1) is named as CEPM_HOME.


Refer to the CEPM PDP Configuration Guide to configure caching mechanism for the In-Process PDP.


Upgrade Information

If you are using an older version of the CEPM In-process PDP, for example Version 3.3.0.0, and want to upgrade it to the latest version, 3.3.1.0, take the following steps:


Step 1 Unzip CEPM_InprocessPDPV3.3.1.0.zip on your local machine.

Step 2 Copy the Query folder from the unzipped directory to your CEPM_HOME folder.

Step 3 Replace your older InProcessPDP.jar file with the latest jar file available in the unzipped folder.


Note Before copying the new InProcessPDP.jar into CEPM_HOME, it is recommended to back up the existing InProcessPDP.jar by renaming it with the current date, for example InProcessPDP_06102010.jar. Do not overwrite the jar files.


Step 4 Verify the upgrade as described in Step 7 of Deploying In-Process PDP.


Sample In-process PDP API Call

The following example uses the most common form of the isUserAccessAllowed() method, which passes subject, resource, and action information. For more information on the other overloaded variations of this method, refer to CEPM Java Developer Guide V3.3.1.0.

The PEP Simulator is a CEPM utility that allows developers to quickly test entitlement policies defined in the administration console. The utility also serves as a test bed for working with the PEP APIs. To call the isUserAccessAllowed method, edit, compile, and run the PEP Simulator as follows:


Step 1 Unzip CEPM_PEPClient-V3.3.1.0GA_XXXXX.zip.

Step 2 Open the command prompt and navigate to the PEP Simulator directory.

Step 3 Edit the pep.java file, replacing username and resource values with the user and resource names you want to test. For example:

//Define subject, resource, and action values
String username = "jdoe";
String resource = "Prime group:Prime portal:Account 1";
String action = "any";
//initialize the PDPEngine
PDPEngine.getInstance().init();
//Initialize IAuthorization Manager
IAuthorizationManager mgr = AuthorizationManagerFactory.getInstance().getAuthorizationManager();
//Invoke isUserAccessAllowed() method, providing user, resource, and action information
boolean decision = mgr.isUserAccessAllowed(username,resource,action);
//Print decision
System.out.println("Is "+username+" allowed to access "+resource+"? "+decision);

Step 4 Save the updated PEP.java file.

Step 5 Type: compile

Step 6 Type: run

The PEP Simulator should return a true or false result based on the applicable policies for the user and resource.
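The PEP Simulator snippet above makes one call and prints the result. In a desktop application the same three calls (PDPEngine.getInstance().init(), AuthorizationManagerFactory.getInstance().getAuthorizationManager(), and mgr.isUserAccessAllowed(user, resource, action)) should sit behind a single decision point that fails closed: if the embedded PDP cannot initialize (for example because configure.properties points at an unreachable database) or a call throws, the application must deny rather than fall through to the protected code. The following is an added example written for this guide, not Cisco code or part of the PEP Simulator. It assumes only the three CEPM calls shown in this guide; the package names of PDPEngine, AuthorizationManagerFactory and IAuthorizationManager are not given here, so their import statements are omitted and must be taken from the CEPM Java Developer Guide. Because the guide does not state which exceptions those calls throw, the example catches Exception. The user/resource/action values in main are constructed sample inputs in the shape used by this guide.

```java
// Added example (not Cisco code): a fail-closed wrapper around the in-process
// PDP calls shown in this guide. Imports for the CEPM classes (PDPEngine,
// AuthorizationManagerFactory, IAuthorizationManager) are assumed to be added
// from the CEPM Java Developer Guide; their packages are not given here.

public final class InProcessPdpGuard {

    private final IAuthorizationManager mgr;

    private InProcessPdpGuard(IAuthorizationManager mgr) {
        this.mgr = mgr;
    }

    // Initialize the embedded PDP once at application start-up.
    // Returns null when initialization fails so that every later
    // decision is a deny (fail closed) instead of an uncaught error.
    public static InProcessPdpGuard start() {
        try {
            PDPEngine.getInstance().init();
            IAuthorizationManager m =
                AuthorizationManagerFactory.getInstance().getAuthorizationManager();
            return new InProcessPdpGuard(m);
        } catch (Exception e) {
            // Exception type is an assumption: the guide does not document it.
            System.err.println("In-process PDP initialization failed; denying all access: " + e);
            return null;
        }
    }

    // The single decision point used by the rest of the desktop application.
    // Empty inputs are rejected before reaching the PDP, and any PDP error
    // is treated as a deny.
    public boolean isAllowed(String user, String resourceFqn, String action) {
        if (isBlank(user) || isBlank(resourceFqn) || isBlank(action)) {
            return false;
        }
        try {
            return mgr.isUserAccessAllowed(user, resourceFqn, action);
        } catch (Exception e) {
            System.err.println("PDP error for " + user + " on " + resourceFqn + "; denying: " + e);
            return false;
        }
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    public static void main(String[] args) {
        InProcessPdpGuard guard = start();

        // Constructed sample requests: username, resource FQN, action.
        String[][] requests = {
            {"jdoe", "Prime group:Prime portal:Account 1", "any"},
            {"tom",  "prime group:Prime portal",           "any"},
            {"",     "Prime group:Prime portal",           "any"},  // rejected locally
        };

        for (String[] r : requests) {
            // A null guard (PDP failed to start) yields DENY for every request.
            boolean allowed = guard != null && guard.isAllowed(r[0], r[1], r[2]);
            System.out.println(r[0] + " -> " + r[1] + " [" + r[2] + "]: "
                + (allowed ? "PERMIT" : "DENY"));
        }
    }
}
```

Compile and run this class the same way as the PEP Simulator, with InProcessPDP.jar and the CEPM_HOME configuration from Deploying In-Process PDP on the classpath. The design choice worth keeping is that no code path returns true except a successful isUserAccessAllowed call: a missing PDP, a bad configuration, or an exception all end in DENY.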


Documentation Updates

Table 2 Updates to Cisco Entitlement Policy Manager, In-Process PDP Deployment Guide, Version 3.3.1.0

Date: June 10, 2010

Description: Cisco Enterprise Policy Manager, Release 3.3.1.0. The following changes have been made to this document after its previous major release, version 3.3.0.0: added a new section called Upgrade Information to this guide.

Date: July 15, 2010

Description: Added a code snippet for a sample In-process PDP API call. Refer to Sample In-process PDP API Call.


Related Documentation

Cisco Enterprise Policy Manager User Guide

CEPM PDP Configuration Guide

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

© 2010 Cisco Systems, Inc. All rights reserved

