
Cisco Policy Decision Point

CEPM PDP Configuration Guide V3.3.1.0


CEPM PDP Configuration Guide V3.3.1.0


Revised: June 10, 2010, Doc Part No: OL-21356-01

Contents

About This Document

Introduction

Password Encryption in CEPM

Elements of pdp_config.xml File

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

About This Document

Objective

This document explains the various elements present in the Policy Decision Point (PDP) configuration file pdp_config.xml. This file is located in the Cisco Entitlement Policy Manager (CEPM) installation directory <CEPM_HOME>\config\pdp\.

Audience

This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.

Introduction

In CEPM, the pdp_config.xml file contains various configuration parameters for the Policy Decision Point (PDP). This file is located in the Cisco Enterprise Policy Manager (CEPM) installation directory <CEPM_HOME>\config\pdp\.

The pdp_config.xml file contains the following PDP configurations.

Database connection: <db>

JMS connection: <jms>

PDP authentication: <authentication>

Encryption algorithm and implementer: <encryption>

XACML parser: <xacml-parser>

XACML log: <xacml-log>

Policy Cache: <pdp>

PDP listeners: <pdp>

Policy Information Point (PIP) data sources: <pip>

PDP cache: <cache>

Callback Handlers: <callbackhandlers>

Since the CEPM installation process is automated, some of the parameters in the pdp_config.xml file are updated automatically according to the configuration information entered during the installation. But you must manually enter the values for the user-defined parameters such as passwords, IP addresses, and so on.

Password Encryption in CEPM

You must set the password value for some elements in the pdp_config.xml file, for example, the PDP authentication password and the PAP authentication password. The password values must be entered in an encrypted format.

To encrypt the password value:


Step 1 Run the encryptor.bat file, which is located in the \<CEPM_HOME>\installer\bin\ folder.

Step 2 Run the following command in the console:

For Windows:

encryptor.bat JAVA_HOME <password>

For Solaris/Linux:

encryptor.sh JAVA_HOME <password>

JAVA_HOME is the environment variable that contains the location of the Java Runtime Environment (JRE) home directory. The <password> is the password of the user to be encrypted.

When this command is run, the encrypted password is displayed on the console.

Step 3 Copy the encrypted password and paste it as the value for the appropriate <password> element in the pdp_config.xml file.

Case Sensitivity

The configuration values are not case sensitive (except for Java class names, user names, passwords, and file paths). For example, the values Oracle, oracle, and ORACLE are considered the same by the PDP.

Elements of pdp_config.xml File

Here is a sample pdp_config.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<!--Config file for PDP-->
<securent>
	<shared_repository>true</shared_repository>
	<pdpname>EntitlementServer1</pdpname>
	<pdphost>127.0.0.1</pdphost>
	<db name="default">
		<impl>net.securent.util.db.ConnectionPool</impl>
		<properties>
	        <db-type>oracle</db-type>
            <username>hrbhatt</username>
            <password>nfQXOMv8c0Q=</password>
            <url>jdbc:oracle:thin:@host:1521:cepmdev</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
			<maxconnections>200</maxconnections>
			<maxconnectiontime>120</maxconnectiontime>
			<idleconnectiontime>300</idleconnectiontime>
			<poolName>Default Domain</poolName>
			<eventenable>
				<value>false</value>
			</eventenable>
		</properties>
	</db>

	<jms>
		<env>
			<url>tcp://host:61616</url>
			<connectionFactory>
				org.apache.activemq.ActiveMQConnectionFactory
			</connectionFactory>
			<username>ActiveMQConnection.DEFAULT_USER</username>
			<password>
				c6p96kuD91p3Gwazl0JnE652dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
			</password>
		</env>
		<reconnect_interval>100000</reconnect_interval>
		<useJndi>false</useJndi>
		<jndi>
			<jndiName>jndiName</jndiName>
			<providerUrl>tcp://host:61616</providerUrl>
			<providerCtxFactory>
				org.apache.activemq.jndi.ActiveMQInitialContextFactory
			</providerCtxFactory>
			<jndiUserName></jndiUserName>
			<jndiPassword></jndiPassword>
		</jndi>
	</jms>

	<authentication enable="false" type="db"
		class="net.securent.util.db.PDPAuthenticator">
		<properties refer="true" name="default">
			<property name="db-type">oracle</property>
			<property name="username">surendra</property>
			<property name="password" encrypted="true">
				XBKO7w9gh3tEq6iEZjvEnQ==
			</property>
			<property name="url">
				jdbc:oracle:thin:@host:1521:cepmdev
			</property>
			<property name="driver">
				oracle.jdbc.driver.OracleDriver
			</property>
		</properties>
	</authentication>
	<encryption>
		<implementors>
			<crypt>
				com.cisco.epm.util.auth.encryptor.crypt.DefaultCryptEncryptor
			</crypt>
		</implementors>
	</encryption>
	<callbackhandlers>
		<keycallbackhandler usedefault="true">
			com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider
		</keycallbackhandler>
	</callbackhandlers>

	<xacml-parser>
		<impl>net.securent.util.pep.XacmlGenerator</impl>
	</xacml-parser>
	<dao-configuration>config/pdp/dao_config.xml</dao-configuration>
	<xacml-log>
		<enable logRequestResponse="false">false</enable>
		<log-impl>net.securent.pdp.xacmllog.DBXacmlLogWriter</log-impl>
		<db refer="true" name="default">
			<properties>
				<db-type>oracle</db-type>
				<username>swetha</username>
				<password>p4zwLWZ2Arc=</password>
				<url>jdbc:oracle:thin:@host:1521:devbdb</url>
				<driver>oracle.jdbc.driver.OracleDriver</driver>
			</properties>
		</db>
	</xacml-log>
	<pdp attributeEnable="false" cloningCheckEnable="false" retry="1000" 
policyCacheEnable="true" caseSensitive="true" xacmlAttributes="false">
		<listeners>
			<listener>
				<!-- Response as Object/XML -->
				<responseType>Object</responseType>
				<enabled>true</enabled>
				<name>http</name>
				<listenerClass>
					net.securent.pdp.listener.http.HttpListener
				</listenerClass>
				<processorClass>
					net.securent.pdp.listener.http.HttpProcessor
				</processorClass>
				<parameters />
			</listener>
			<listener>
				<enabled>false</enabled>
				<name>rmi</name>
				<listenerClass>
					net.securent.pdp.listener.rmi.RMIListener
				</listenerClass>
				<processorClass>
					net.securent.pdp.listener.rmi.RMIProcessor
				</processorClass>
				<parameters>
					<host>131.107.0.42</host>
					<port>10001</port>
					<jndiName>pdpObj</jndiName>
				</parameters>
			</listener>
		</listeners>
	</pdp>

	<pip>
		<attributesources>
			<source>
				<type>database</type>
				<metadataImpl>
					net.securent.pip.db.DataBasePIPMetaData
				</metadataImpl>
				<attributeImpl>
					net.securent.pip.db.DBAttribute
				</attributeImpl>
				<attributeEvaluator>
					net.securent.pip.db.DBAttributeEvaluator
				</attributeEvaluator>
			</source>
			<source>
				<type>ldap</type>
				<metadataImpl>
					net.securent.pip.ldap.LDAPPIPMetaData
				</metadataImpl>
				<attributeImpl>
					net.securent.pip.ldap.LDAPAttribute
				</attributeImpl>
				<attributeEvaluator>
					net.securent.pip.ldap.LDAPAttributeEvaluator
				</attributeEvaluator>
			</source>
			<source>
				<type>Java</type>
				<metadataImpl>
					net.securent.pip.java.JavaPIPMetaData
				</metadataImpl>
				<attributeImpl>
					net.securent.pip.java.JavaAttribute
				</attributeImpl>
				<attributeEvaluator>
					net.securent.pip.java.JavaAttributeEvaluator
				</attributeEvaluator>
			</source>
			<source>
				<type>Webservice</type>
				<metadataImpl>
					net.securent.pip.webservice.WebservicePIPMetaData
				</metadataImpl>
				<attributeImpl>
					net.securent.pip.webservice.WebserviceAttribute
				</attributeImpl>
				<attributeEvaluator>
					net.securent.pip.webservice.WebserviceAttributeEvaluator
				</attributeEvaluator>
			</source>
		</attributesources>
	</pip>
	<cache decisionCacheEnabled="false" cacherefreshtype="all"
		decisionsOnly="true" provider="net.securent.pdp.cache.CacheProvider"
		implementor="net.securent.admin.sdk.cache.impl.JBossCache"
		eventProvider="net.securent.pdp.event.EventProvider">
		<type>TTL</type>
		<interval>200</interval>
		<refresh enable="false">update</refresh>
		<prefetch enable="true" type="user" bulkUsersPerRequest="2">
			<applications>
				<application name="appGrp:app1">
					<prefetchForApis>
						<api name="isUserAccessAllowed">
							<!-- Prefetch based on message attributes -->
							<!-- Attribute for Context -->
							<!--<message-attribute 
name="urn:cisco:cepm:3.3:xacml:context-name" 
override="true">TestAppGrp:TestApp:Context1</message-attribute> -->
							<!-- Attribute for Role Bundle -->
							<!--<message-attribute 
name="urn:cisco:cepm:3.3:xacml:rolebundle-name" override="true">Rb1</message-attribute>-->
							<!-- Attribute for Resource Type -->
							<!--<message-attribute 
name="urn:cisco:cepm:3.3:xacml:resource-type-name" 
override="true">TestAppGrp:TestApp:ResType</message-attribute>-->
							<!-- Attribute for any attributes -->
							<!--<message-attribute name="Key1" 
override="true">Value1</message-attribute>-->
						</api>
					</prefetchForApis>
					<groups>
						<!-- FQN of GroupName -->
						<!--	<group>TestAppGrp:TestApp:Grp1</group> -->
					</groups>
					<roles>
						<!-- FQN of RoleName -->
						<!-- role>appGrp:app1:role1</role-->
					</roles>
					<resources>
						<!-- FQN of ResourceName -->
						<!-- <resource>TestAppGrp:TestApp:Res3</resource> -->
					</resources>
				</application>
			</applications>
		</prefetch>
		<pip cacheenabled="false">
			<!-- cacheInterval>5</cacheInterval-->
			<metaDataInterval>60</metaDataInterval>
		</pip>
	</cache>
</securent>

The <securent> element is the root element of the PDP configuration file. All the other XML elements are subelements of <securent>. The XML elements in the pdp_config.xml file are explained in the following sections.

<shared-repository>

Set the <shared-repository> tag (written <shared_repository> in the file) value to True if you want the PAP and the PDP components to share a common database instance. Set it to False if the PAP and the PDP have separate database instances.

If this value is set to False, the data synchronization between the PAP and the PDP is done using Java Messaging Service (JMS). In that case, you must configure the JMS server environmental details in the <jms> tag as explained in <jms>.

The value of this tag is dynamically changed according to the configuration information provided during the installation process.

<pdpname>

Set the <pdpname> value to the name of the PDP that is attached with the concerned application in the PAP UI. This tag is useful:

When PAP and PDP are deployed in non-shared mode and the JMS is configured to update the PDP database.

For data synchronization between the CEPM repository and the policy cache.

To store the Xacml logs under the given PDP name. If the PDP name does not match, the logs are stored under the PDP host IP address.

<pdphost>

This tag carries the IP address of the server where the PDPs attached to the application are running. While storing the Xacml logs, if the name of the PDP from which the decision is given does not match the value entered in the <pdpname> tag, the logs are stored under this IP address in the database.

<db>

The <db> element contains the subelements related to database connection details of the PDP database.

The PDP supports the following database servers:

Oracle (9i/10g/11g)

Microsoft SQL Server (2000/2005)

DB2

This element also contains the subelements related to the database connection pool. The PDP allows you to use the database connection pool provided by any one of the following:

CEPM

WebLogic Server

WebSphere Server

<impl>—Name of the Java class used for the database connection pool. Configure the following class names depending on the database connection pool provider:

CEPM—This is configured by default as net.securent.util.db.ConnectionPool

WebLogic server—This is configured by default as net.securent.util.db.WebLogicConnectionPool

WebSphere server—This is configured by default as net.securent.util.db.WebSphereConnectionPool

<properties>—The subelements in this section vary depending on the database connection pool class used in the <impl> element, that is, on whether the pool is provided by CEPM, the WebLogic server, or the WebSphere server.

Using Database Connection Pool Provided by CEPM

You must configure the following <properties> subelements to use the database connection pool provided by CEPM:

<db-type>—Type of the PDP database. CEPM supports Oracle and Microsoft SQL Server databases. If you are using:

Oracle database, set the database value to oracle.

Microsoft SQL Server database, set the database value to mssql.

<username>—Name of the database user to connect to the PDP database.

<password>—Password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<url>—JDBC connection string to connect to the PDP database. PDP supports Oracle thin driver, Oracle thick driver (that is, the OCI driver) and MS SQL Server driver. Thus the database connection URL can have one of the following formats as per the database driver used.

Oracle Thin Driver

Format:

jdbc:oracle:thin:@<host>:<port>:<SID>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<SID>—The SID of Oracle database.

Example:

jdbc:oracle:thin:@131.107.0.23:1521:cepmdev

Oracle Thick Driver

Format:

jdbc:oracle:oci8:@<tns-listener-name>

where:

<tns-listener-name>—The TNS LISTENER name of the database service. This is configured in the TNSNAMES.ORA file present in the Oracle client installation directory ORACLE_HOME/network/admin/

Example:

jdbc:oracle:oci8:@cepmdev

MS SQL Server Driver

Format:

jdbc:sqlserver://<host>:<port>;databaseName=<DB name>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<DB name>—The SQL Server database name.

Example:

jdbc:sqlserver://131.107.2.205:3279;databaseName=cepmdev

<driver>—JDBC driver class.

For Oracle:

oracle.jdbc.driver.OracleDriver

For MS SQL Server:

com.microsoft.sqlserver.jdbc.SQLServerDriver

<maxconnections>—Maximum number of database connections in pool.

<maxconnectiontime>—Maximum time in seconds to wait for the database connection to be available.

<idleconnectiontime>—Number of seconds a connection should remain unused in the pool before the connection is disconnected and closed.

<poolName>—Name of the connection pool. By default, it is set to Default Domain.


Note The pool name is the same as the domain name that the PAP administrator selects when logging in to the PAP console. This is set during the PAP installation. The value for this element should not be edited manually.


<eventenable>—Set its value to True, in the following scenarios:

If you want to use the getUpdatedUsersAsArray() or getUpdatedUsers() API methods of the ISubject interface. These API methods return all the users whose permissions were modified by a specific administrator for a specific application during a specific period.

If the Policy Enforcement Point (PEP) needs to update the cache data with only the changed decisions.
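The checks above are easy to get wrong by hand: a <driver> that belongs to a different <db-type>, a <url> in the wrong JDBC shape, or a password pasted in cleartext instead of the encryptor output. The following Python script is an added example, not part of CEPM, that reads one <db> element in the CEPM connection-pool layout (Cases 1 to 3 in the samples below) and reports such mismatches. The sample element, its host, SID, user and password are constructed placeholders; the "base64-looking means encrypted" test is my own heuristic, since the guide only says the encryptor output is what must be pasted.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample <db> element in the CEPM connection-pool layout.
# Host, SID, user and password are placeholders, not a real deployment.
SAMPLE_DB_XML = """
<db name="default">
  <impl>net.securent.util.db.ConnectionPool</impl>
  <properties>
    <db-type>Oracle</db-type>
    <username>pdpuser</username>
    <password>nfQXOMv8c0Q=</password>
    <url>jdbc:oracle:thin:@131.107.0.23:1521:cepmdev</url>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
    <maxconnections>200</maxconnections>
    <maxconnectiontime>120</maxconnectiontime>
    <idleconnectiontime>300</idleconnectiontime>
    <poolName>Default Domain</poolName>
    <eventenable><value>false</value></eventenable>
  </properties>
</db>
"""

# Connection-pool classes, driver classes and JDBC URL shapes as listed in the guide.
POOL_CLASSES = {
    "net.securent.util.db.ConnectionPool",
    "net.securent.util.db.WebLogicConnectionPool",
    "net.securent.util.db.WebSphereConnectionPool",
}
CEPM_POOL = "net.securent.util.db.ConnectionPool"
DRIVERS = {
    "oracle": "oracle.jdbc.driver.OracleDriver",
    "mssql": "com.microsoft.sqlserver.jdbc.SQLServerDriver",
}
URL_PATTERNS = {
    "oracle": [
        re.compile(r"^jdbc:oracle:thin:@[^:]+:\d{1,5}:[^:]+$"),  # thin driver
        re.compile(r"^jdbc:oracle:oci8:@[^:@]+$"),                # thick (OCI) driver
    ],
    "mssql": [
        re.compile(r"^jdbc:sqlserver://[^:;]+:\d{1,5};databaseName=[^;]+$"),
    ],
}
# Heuristic (my assumption): encryptor output is base64 text, so a value that is not
# well-formed base64 is most likely a cleartext password pasted by mistake.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _text(parent, tag):
    """Trimmed text of a child element, or '' when it is absent."""
    node = parent.find(tag)
    return (node.text or "").strip() if node is not None else ""


def check_db_element(xml_text):
    """Return a list of findings for one <db> element; an empty list means it passes."""
    db = ET.fromstring(xml_text)
    findings = []
    impl = _text(db, "impl")
    if impl not in POOL_CLASSES:
        findings.append(f"unknown <impl> class {impl!r}")
    if impl != CEPM_POOL:
        return findings  # WebLogic/WebSphere pools use different <properties>
    props = db.find("properties")
    if props is None:
        return findings + ["<properties> element missing"]

    db_type = _text(props, "db-type").lower()  # values are case-insensitive
    if db_type not in DRIVERS:
        return findings + [f"unsupported db-type {db_type!r}"]
    driver = _text(props, "driver")
    if driver != DRIVERS[db_type]:
        findings.append(f"driver {driver!r} does not match db-type {db_type!r}")
    url = _text(props, "url")
    if not any(p.match(url) for p in URL_PATTERNS[db_type]):
        findings.append(f"url {url!r} is not a supported {db_type} JDBC format")

    password = _text(props, "password")
    if not password or len(password) % 4 or not BASE64_RE.match(password):
        findings.append("password is not encryptor output (cleartext or empty?)")

    for tag in ("maxconnections", "maxconnectiontime", "idleconnectiontime"):
        value = _text(props, tag)
        if not value.isdigit() or int(value) <= 0:
            findings.append(f"{tag} must be a positive integer, got {value!r}")
    if not _text(props, "poolName"):
        findings.append("poolName is empty; it must equal the PAP domain name")
    return findings


if __name__ == "__main__":
    for finding in check_db_element(SAMPLE_DB_XML) or ["OK"]:
        print(finding)
```

Run it against the <db name="default"> element cut out of your own pdp_config.xml before starting the PDP; an empty result means the driver, URL shape, pool sizes and password encoding agree with what this section requires.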

Using Database Connection Pool Provided by WebLogic

You must configure the following <properties> subelements to use the database connection pool provided by the WebLogic server:


Note The values for the following subelements can be empty if the PDP application and WebLogic server are deployed in the same Java Virtual Machine (JVM): <context-provider-url>, <context-username>, <context-password>.


<db-type>—This specifies the PAP database type. CEPM supports Oracle and Microsoft SQL Server databases. If you are using:

Oracle database, set the database value to oracle.

Microsoft SQL Server database, set the database value to mssql.

<initial-context-factory>—Set its value to weblogic.jndi.WLInitialContextFactory.

<context-provider-url>—Set its value to t3://<Machine IP Address>:<port> where <Machine IP Address> is the IP address of the machine on which the WebLogic application server is running and <port> is the port number on which this service is available. The default port used by the WebLogic server is 7001.


Note This value is optional if the PDP is running in the same JVM as the WebLogic application server.


<context-username>—Set its value to the user name of the WebLogic context. By default, its value is set to weblogic.

<context-password>—The password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.


Note This value is optional if the PDP is running in the same JVM as the WebLogic application server.


<datasource-jndi>—Set its value to the appropriate JNDI datasource name.

<poolName>—This is the name of the database connection pool. By default, its value is set to Default Domain.


Note The pool name is the domain name that the PDP administrator chooses when logging in to the PAP application. This is set during the PAP installation. You must not edit the value for this element manually.


Using Database Connection Pool Provided by WebSphere

You must configure the following subelements of the <properties> element to use the database connection pool provided by the WebSphere server:


Note The values for the following subelements can be empty if the PAP application and WebSphere server are deployed in the same JVM: <context-provider-url>, <context-username>, <context-password>.


<db-type>—This specifies the PAP database type. CEPM supports Oracle and Microsoft SQL Server databases. If you are using:

Oracle database, set the database value to oracle.

Microsoft SQL Server database, set the database value to mssql.

<initial-context-factory>—Set its value to com.ibm.websphere.naming.WsnInitialContextFactory.

<context-provider-url>—Set its value to iiop://<Machine IP Address>:<port> where <Machine IP Address> is the IP address of the machine on which the WebSphere application server is running and <port> is the port number on which this service is available (the WebSphere sample configuration uses iiop://host:2809).

<context-username>—Set its value to the user name of the WebSphere context.

<context-password>—The password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<datasource-jndi>—Set its value to the appropriate JNDI datasource name.

<poolName>—This is the name of the database connection pool. By default, its value is set to Default Domain.


Note The pool name is the domain name that the PAP administrator chooses when logging in to the PAP application. This is set during the PAP installation. You must not edit the value for this element manually.


Sample <db> Element Configuration Using CEPM Connection Pool

Case 1: Using Oracle Database with Thin Driver

   <db name="default"> <!-- name of the database connection -->
	 <!-- CEPM provided connection pool class -->
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
			<db-type>oracle</db-type>
            <username>##USER_NAME##</username>
            <password>##PASSWORD##</password>
            <url>##URL##</url>
            <driver>##DRIVER##</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>##DOMAIN##</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

Case 2: Using Oracle Database with Thick Driver

   <db name="default"> <!-- name of the database connection -->
	 <!-- CEPM provided connection pool class -->
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
			<db-type>oracle</db-type>
            <username>##USER_NAME##</username>
            <password>##PASSWORD##</password>
			<url>jdbc:oracle:oci8:@secdev</url>
			<driver>##DRIVER##</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>##DOMAIN##</poolName>
			<eventenable>
                <value>false</value>
			</eventenable>
        </properties>
    </db>

Case 3: Using MS SQL Server Database

   <db name="default"> <!-- name of the database connection -->
	   <!-- CEPM provided connection pool class -->
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>mssql</db-type>
            <username>testuser3</username>
            <password>R7mNxexTum8=</password>
            <url>jdbc:sqlserver://localhost:3279;databaseName=cepmdev</url>
            <driver>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver>
            <maxconnections>20</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

Sample <db> Element Configuration Using the WebLogic Connection Pool

The values for the following subelements can be empty if the PDP component and WebLogic server are deployed in the same JVM: <context-provider-url>, <context-username>, <context-password>.

   <db name="default"> <!-- name of the database connection -->
	   <!-- Weblogic provided connection pool class -->
        <impl>net.securent.util.db.WebLogicConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <initial-context-factory>
                weblogic.jndi.WLInitialContextFactory
            </initial-context-factory>
            <context-provider-url>t3://host:7001</context-provider-url>
            <context-username>weblogic</context-username>
            <context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password>
            <datasource-jndi>defaultpool</datasource-jndi>
            <poolName>Default Domain</poolName> <!-- same as the domain name -->
			<eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

Sample <db> Element Configuration Using WebSphere Connection Pool

The values for the following subelements can be empty if the PDP component and WebSphere server are deployed in the same JVM: <context-provider-url>, <context-username>, <context-password>.

    <db name="default"> <!-- name of the database connection -->
        <!-- WebSphere provided connection pool class -->
        <impl>net.securent.util.db.WebSphereConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <initial-context-factory>
                com.ibm.websphere.naming.WsnInitialContextFactory
            </initial-context-factory>
            <context-provider-url>iiop://host:2809</context-provider-url>
            <context-username>webshere</context-username>
            <context-password>uYgp9FZIEnREq6iEZjvEnQ==</context-password>
            <datasource-jndi>WSJNDI</datasource-jndi>
            <poolName>Default Domain</poolName> <!-- same as the domain name -->
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

<jms>

The <jms> element contains the subelements for configuring the JMS properties for the PDP to communicate with the PAP when these two components are configured in non-shared mode. CEPM supports the following JMS providers:

ActiveMQ from Apache (comes bundled with PDP by default)

WebLogic JMS

Tibco JMS


Note For the JMS mechanism to work in the non-shared mode of PAP-PDP operation, the <shared_repository> element value should be set to False.

<shared_repository>false</shared_repository>


The following are the <jms> subelements:

<reconnect_interval>—This contains the time-interval in milliseconds between the reconnect attempts for the PAP to connect to the JMS server, in case the JMS server is down.

<useJndi>—Set its value to True if you have to look up the JMS service provider using JNDI.

If <useJndi> is set to True:

Provide values for the <env> subelements <connectionFactory> and <replyTopic>. The PAP ignores the values set for the subelements <url>, <username>, and <password>.

Provide values for the <jndi> subelements <providerUrl>, <providerCtxFactory>, <jndiUserName>, and <jndiPassword>.

If <useJndi> is set to False:

Provide values for the <env> subelements <url>, <connectionFactory>, <username>, <password>, and <replyTopic>.

The PAP ignores the <jndi> element, so you do not need to set the values for its subelements <providerUrl>, <providerCtxFactory>, <jndiUserName>, and <jndiPassword>.

<env>—This element contains the following subelements related to the JMS connection. For more details on how to set these values, please refer to the Note.

<url>—JMS Server URL.

Format:

For ActiveMQ—tcp://<machine IP Address>:<port>

For WebLogic JMS—t3://<machine IP Address>:<port>

For Tibco JMS—tcp://<machine IP Address>:<port>

where <machine IP Address> is the IP address of the machine on which JMS Service is available and <port> is the port number on which this service is available.

<connectionFactory>—Java class name of the JMS Provider's Context Factory.

For ActiveMQ—org.apache.activemq.ActiveMQConnectionFactory

For WebLogic JMS—weblogic.jms.ConnectionFactory

For Tibco JMS—com.tibco.tibjms.TibjmsTopicConnectionFactory

<username>—Name of the JMS server user.


Note If you are using ActiveMQ JMS, set the <username> value to ActiveMQConnection.DEFAULT_USER.


<password>—Password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.


Note If you are using ActiveMQ JMS, set the <password> value to the encrypted value of ActiveMQConnection.DEFAULT_PASSWORD.


<replyTopic>—Name of the JMS Topic to which the reply should be sent by the receiver of the message.

<jndi>—Set the subelements for this element if you have to look up the messaging service provider using JNDI. For this, first set the <useJndi> element value to True, as explained earlier. The <jndi> element contains the following subelements: <providerUrl>, <providerCtxFactory>, <jndiUserName>, and <jndiPassword>.

<providerUrl>—JMS Server URL. This value should be the same as provided for <url> subelement of the <env> element explained earlier.

Format:

For ActiveMQ—tcp://<machine IP Address>:<port>

For WebLogic JMS—t3://<machine IP Address>:<port>

For Tibco JMS—tcp://<machine IP Address>:<port>

where <machine IP Address> is the IP address of the machine on which JMS Service is available and <port> is the port number on which this service is available.

Example:

For ActiveMQ—tcp://131.107.0.68:61616

For WebLogic JMS—t3://131.107.0.68:7011

For Tibco JMS—tcp://131.107.0.68:7222

For more details on how to set these values, refer to the Note above.

<providerCtxFactory>—The Java class name of the remote JMS Provider's JNDI lookup service.

For ActiveMQ—org.apache.activemq.jndi.ActiveMQInitialContextFactory

For WebLogic JMS—weblogic.jndi.WLInitialContextFactory

For Tibco JMS—com.tibco.tibjms.naming.TibjmsInitialContextFactory

<jndiUserName>—Set its value to JNDI user name.

<jndiPassword>—Password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.
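Which <jms> subelements are mandatory depends on <useJndi>, and the <url> or <providerUrl> scheme depends on the provider behind <connectionFactory>. The following Python script is an added example, not part of CEPM, that applies those two rules from this section to one <jms> element: with <useJndi> false it requires <env>/<url>, <username> and <password>; with <useJndi> true it requires <jndi>/<providerUrl> and <providerCtxFactory>; in both cases it checks that the URL in use starts with tcp:// for ActiveMQ and Tibco or t3:// for WebLogic JMS. The sample element and its host, port and password are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: ActiveMQ reached directly (no JNDI), in the layout of the
# guide's "Case 1" sample. Host, port and password are placeholders.
SAMPLE_JMS_XML = """
<jms>
  <useJndi>false</useJndi>
  <reconnect_interval>10000</reconnect_interval>
  <env>
    <url>tcp://131.107.0.68:61616</url>
    <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
    <username>ActiveMQConnection.DEFAULT_USER</username>
    <password>dQh1QLrLMfnDulySruPVDpfLSgm3Mw==</password>
  </env>
  <jndi>
    <providerUrl></providerUrl>
    <providerCtxFactory></providerCtxFactory>
    <jndiUserName></jndiUserName>
    <jndiPassword></jndiPassword>
  </jndi>
</jms>
"""

# Connection factory -> URL scheme, from the <url> formats given in this section.
FACTORY_SCHEMES = {
    "org.apache.activemq.ActiveMQConnectionFactory": "tcp",
    "weblogic.jms.ConnectionFactory": "t3",
    "com.tibco.tibjms.TibjmsTopicConnectionFactory": "tcp",
}


def _text(parent, tag):
    """Trimmed text of a child element, or '' when parent or child is absent."""
    node = parent.find(tag) if parent is not None else None
    return (node.text or "").strip() if node is not None else ""


def check_jms_element(xml_text):
    """Return a list of findings for one <jms> element; an empty list means it passes."""
    jms = ET.fromstring(xml_text)
    findings = []
    use_jndi = _text(jms, "useJndi").lower() == "true"  # values are case-insensitive
    env, jndi = jms.find("env"), jms.find("jndi")

    factory = _text(env, "connectionFactory")
    if factory not in FACTORY_SCHEMES:
        findings.append(f"unknown connectionFactory {factory!r}")

    interval = _text(jms, "reconnect_interval")
    if not interval.isdigit() or int(interval) <= 0:
        findings.append("reconnect_interval must be a positive number of milliseconds")

    # Which block must be filled in depends on <useJndi>; the other one is ignored.
    if use_jndi:
        parent_tag, required, url = "jndi", ("providerUrl", "providerCtxFactory"), _text(jndi, "providerUrl")
    else:
        parent_tag, required, url = "env", ("url", "username", "password"), _text(env, "url")
    parent = jms.find(parent_tag)
    for tag in required:
        if not _text(parent, tag):
            findings.append(f"<{parent_tag}><{tag}> is required when useJndi={str(use_jndi).lower()}")

    # The URL scheme must match the provider named by the connection factory.
    scheme = FACTORY_SCHEMES.get(factory)
    if scheme and url and not url.startswith(scheme + "://"):
        findings.append(f"{url!r} should use the {scheme}:// scheme for {factory}")
    return findings


if __name__ == "__main__":
    for finding in check_jms_element(SAMPLE_JMS_XML) or ["OK"]:
        print(finding)
```

The checker deliberately reports nothing about the unused block (<jndi> when <useJndi> is false, <env>/<url> when it is true), matching the statement above that those values are ignored.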

Sample <shared-repository> Element Configuration when PAP and PDP Components Share the Common Database Instance (Shared Mode)

In this scenario, the PAP and PDP components share a common database instance to store their data. The <shared_repository> element value should be set to True. The database details configured under the <db> element are the same for the PAP and PDP. JMS configuration details are not required; the PDP ignores these elements if they are provided.

<!-- Shared Repository Flag. set its value to true so that PAP and PDP use the 
        same database instance to store their data --> 
   <shared_repository>true</shared_repository> 

    <!-- PDP Database Details. As shared_repository flag is set to true, following
         database details are common for both, PAP and PDP, i.e. the following
         details for <db> element should match the corresponding <db> element
         details present in the pap_config.xml file. -->

    <db name="mydb">
        <!-- using Securent provided database connection pool class -->
        <impl>net.securent.util.db.ConnectionPool</impl>

        <properties>
            <db-type>oracle</db-type>
            <username>username</username>
            <password>R7mNxexTum8=</password>
            <url>jdbc:oracle:thin:@10.77.116.162:1521:cepmdev</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName> <!-- same as the domain name -->
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>

    </db>

Sample <shared-repository> Element Configuration when PAP and PDP Components Do Not Share a Common Database Instance (Non-Shared Mode)

In this scenario, the PAP and PDP components do not share a common database instance and have different database instances to store their data. The <shared_repository> element value should be set to False. The database details configured under the <db> element are only for the PDP database. JMS configuration details must be provided so that events generated in the PAP are communicated to the PDP through JMS, and data in the PDP database is synchronized with the data in the PAP database.

CEPM supports the following JMS providers:

ActiveMQ from Apache (This comes bundled with the PAP by default).

WebLogic JMS

Tibco JMS

Set the <useJndi> value to True if you have to look up the JMS service provider using JNDI. Refer to the above Note to know more about how to set various subelements present under the <jms> element.

Case 1: Using ActiveMQ JMS without JNDI Lookup

   <!-- set Shared Repository Flag value to false so that PAP and PDP use different 
        database instances to store their data --> 
   <shared_repository>false</shared_repository> 
   <!-- JMS Details -->
    <jms>
        <useJndi>false</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <url>tcp://host:61616</url>
            <connectionFactory>
               org.apache.activemq.ActiveMQConnectionFactory
            </connectionFactory>
            <username>ActiveMQConnection.DEFAULT_USER</username>
            <password>dQh1QLrLMfnDulySruPVDpfLSgm3Mw==</password>
        </env>
    </jms>

Case 2: Using ActiveMQ JMS with JNDI Lookup

   <!-- set Shared Repository Flag value to false so that PAP and PDP use different 
        database instances to store their data --> 
   <shared_repository>false</shared_repository> 

   <!-- JMS Details -->
    <jms>
        <!-- JNDI lookup is used, so useJndi must be true and the broker
             address is given in the <jndi> block -->
        <useJndi>true</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <connectionFactory>
               org.apache.activemq.ActiveMQConnectionFactory
            </connectionFactory>
        </env>
        <jndi>
            <jndiName>jndiName</jndiName>
            <providerUrl>tcp://host:61616</providerUrl>
            <providerCtxFactory>
                org.apache.activemq.jndi.ActiveMQInitialContextFactory
            </providerCtxFactory>
            <jndiUserName>jndiuser</jndiUserName>
            <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
        </jndi>
    </jms>

Case 3: Using WebLogic JMS Without JNDI Lookup

   <!-- set Shared Repository Flag value to false so that PAP and PDP use different 
        database instances to store their data --> 
   <shared_repository>false</shared_repository> 

   <!-- JMS Details -->
    <jms>
        <useJndi>false</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <url>t3://host:7011</url>
            <connectionFactory>weblogic.jms.ConnectionFactory</connectionFactory>
            <username>jmsuser</username>
            <password>ruPVDpfLSgm3Mw==</password>
        </env>
    </jms>

Case 4: Using WebLogic JMS with JNDI Lookup

   <!-- set Shared Repository Flag value to false so that PAP and PDP use different 
        database instances to store their data --> 
   <shared_repository>false</shared_repository> 
   <!-- JMS Details -->
    <jms>
        <useJndi>true</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <connectionFactory>weblogic.jms.ConnectionFactory</connectionFactory>
        </env>
        <jndi>
            <providerUrl>t3://host:7011</providerUrl>
            <providerCtxFactory>
                weblogic.jndi.WLInitialContextFactory
            </providerCtxFactory>
            <jndiUserName>jndiuser</jndiUserName>
            <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
        </jndi>
    </jms>

Case 5: Using Tibco JMS Without JNDI Lookup

   <!-- set Shared Repository Flag value to false so that PAP and PDP use different 
        database instances to store their data --> 
   <shared_repository>false</shared_repository> 
   <!-- JMS Details -->
    <jms>
        <useJndi>false</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <url>tcp://host:7222</url>
            <connectionFactory>
               com.tibco.tibjms.TibjmsTopicConnectionFactory
            </connectionFactory>
            <username>jmsuser</username>
            <password>ruPVDpfLSgm3Mw==</password>
        </env>
    </jms>


Case 6: Using Tibco JMS with JNDI Lookup

   <!-- set Shared Repository Flag value to false so that PAP and PDP use different 
        database instances to store their data --> 
   <shared_repository>false</shared_repository>

   <!-- JMS Details -->
    <jms>
        <useJndi>true</useJndi>
        <reconnect_interval>10000</reconnect_interval>
        <env>
            <connectionFactory>
               com.tibco.tibjms.TibjmsTopicConnectionFactory
            </connectionFactory>
            <replyTopic>replyTopicName</replyTopic>
        </env>
        <jndi>
            <providerUrl>tcp://host:7222</providerUrl>
            <providerCtxFactory>
                com.tibco.tibjms.naming.TibjmsInitialContextFactory
            </providerCtxFactory>
            <jndiUserName>jndiuser</jndiUserName>
            <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
        </jndi>
    </jms>
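Because the six cases above differ only in the <useJndi> flag and in which of <env><url> or <jndi><providerUrl> carries the broker address, a mismatch in this section is easy to miss until the PDP silently stops receiving PAP events. The following Python script is an added example, not part of this guide or of CEPM: it checks a <shared_repository>/<jms> fragment against the rules stated above. The two XML samples embedded in it are constructed for the example (the first mirrors Case 1; the second is a deliberately inconsistent variant that carries a <jndi> block while useJndi is still false), and the broker addresses and passwords are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Case 1 layout (ActiveMQ, no JNDI) wrapped in a root element.
ACTIVEMQ_NO_JNDI = """
<securent>
  <shared_repository>false</shared_repository>
  <jms>
    <useJndi>false</useJndi>
    <reconnect_interval>10000</reconnect_interval>
    <env>
      <url>tcp://host:61616</url>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
      <username>ActiveMQConnection.DEFAULT_USER</username>
      <password>dQh1QLrLMfnDulySruPVDpfLSgm3Mw==</password>
    </env>
  </jms>
</securent>
"""

# Constructed sample of a common slip: a <jndi> block is present but useJndi is
# still false, so the PDP would look for <env><url>, which is absent.
JNDI_FLAG_MISMATCH = """
<securent>
  <shared_repository>false</shared_repository>
  <jms>
    <useJndi>false</useJndi>
    <reconnect_interval>10000</reconnect_interval>
    <env>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
    </env>
    <jndi>
      <providerUrl>tcp://host:61616</providerUrl>
      <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
      <jndiUserName>jndiuser</jndiUserName>
      <jndiPassword>h1QLrLMfnDulySru==</jndiPassword>
    </jndi>
  </jms>
</securent>
"""


def _text(parent, tag):
    """Stripped text of a child element, or None when it is absent or empty."""
    el = parent.find(tag)
    if el is None or el.text is None:
        return None
    return el.text.strip() or None


def check_jms(xml_text):
    """Return a list of problems in the <shared_repository>/<jms> configuration.

    Rules from the guide: non-shared mode requires <jms>; with useJndi=false the
    broker is reached through <env><url>; with useJndi=true the <jndi> block must
    carry <providerUrl> and <providerCtxFactory>; <connectionFactory> is always needed.
    """
    root = ET.fromstring(xml_text)
    problems = []
    shared = (_text(root, "shared_repository") or "").lower()
    jms = root.find("jms")
    if shared == "false" and jms is None:
        return ["non-shared mode requires a <jms> element for PAP->PDP event sync"]
    if jms is None:
        return problems  # shared mode: nothing further to check here
    use_jndi = (_text(jms, "useJndi") or "").lower()
    if use_jndi not in ("true", "false"):
        problems.append("<useJndi> must be true or false")
    interval = _text(jms, "reconnect_interval")
    if interval is None or not interval.isdigit() or int(interval) <= 0:
        problems.append("<reconnect_interval> must be a positive integer")
    env = jms.find("env")
    if env is None or _text(env, "connectionFactory") is None:
        problems.append("<env><connectionFactory> is required in both modes")
    jndi = jms.find("jndi")
    if use_jndi == "false":
        if env is None or _text(env, "url") is None:
            problems.append("useJndi=false requires <env><url> (broker address)")
        if jndi is not None:
            problems.append("<jndi> block present but useJndi=false; it will be ignored")
    elif use_jndi == "true":
        if jndi is None:
            problems.append("useJndi=true requires a <jndi> block")
        else:
            for tag in ("providerUrl", "providerCtxFactory"):
                if _text(jndi, tag) is None:
                    problems.append(f"useJndi=true requires <jndi><{tag}>")
    return problems


if __name__ == "__main__":
    for label, sample in (("case1", ACTIVEMQ_NO_JNDI), ("mismatch", JNDI_FLAG_MISMATCH)):
        print(label, check_jms(sample) or "no problems")
```

Run it against the real pdp_config.xml by reading the file into check_jms(); the function only inspects the two elements named, so the rest of the file does not need to be well understood by the script.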

<dao-configuration>

DAO (Data Access Objects) is an application program interface (API) that lets a programmer request access to various databases. The <dao-configuration> element contains the name and path of the configuration file that contains the list of DAO interface classes used in the PDP to access various databases. CEPM supports Oracle and MS SQL Server databases. The DAO configuration file is present in the installation directory <CEPM_HOME>\config\pdp\dao_config.xml.

By default, its value is set to config/pdp/dao_config.xml.


Note The value of this element should not be edited.


<authentication>

The <authentication> element contains the subelements related to the connection details of the repository where the user credentials for authenticating the PEP requests are stored. In PDP, user authentication details are stored in either the database server or in the LDAP server. PDP authentication can be also configured in such a way that existing authentication implementation present in the protected application can be used for this purpose.

CEPM supports the following database servers:

Oracle

Microsoft SQL Server

CEPM supports the following LDAP service providers:

Sun One Directory Server

Novell eDirectory Server

Active Directory Server

The following are the subelements of the <authentication> element:

type attribute—Set its value to:

db—user authentication details are stored in the database.

ldap—user authentication details are stored in the LDAP server.

sso—user authentication will be carried out by the protected application.

<class>—Name of Java class for authentication.

Set its value to:

For db authentication—net.securent.util.db.DBAuthenticator

For ldap authentication—net.securent.util.db.LocalLDAPAuthenticator

For sso authentication—net.securent.util.db.SSOAuthenticator

<properties>—This contains the attributes and subelements for configuring the data source details where the user authentication related information is stored.

refer attribute—Set its value to True if the details for user authentication are stored in the same database instance where the CEPM data resides (the CEPM repository details are configured in the <db> element). In this case, set the name attribute to the same value that was set for the name attribute of the <db> element (for example: default).

In this case, you do not have to provide the data source connection details in the <property> subelements.

Set its value to False if the user authentication details are not stored in the database instance that is configured for the <db> element. In this case, you have to provide the data source connection details in the <property> subelements.

name attribute—If the refer attribute is set to True, provide the same database name that was configured for the <db> element (for example: default); otherwise, provide a new name.

<property>—Set multiple property element values, if user authentication information is not stored in the database instance that is configured for the <db> element.

You have to specify three different sets of <property> elements depending upon the type of the data source—database, ldap, or sso (as set for the type attribute of the <authentication> element).

Database Data Source

<property name="db-type">[value]</property>

If you are using:

Oracle database, set the value to oracle.

Microsoft SQL Server database, set the value to mssql.

<property name="username">[value]</property>

Set value to the name of the PAP database user.

<property name="password" encrypted="true">[value]</property>

Set the value to the user password in encrypted format and set the encrypted attribute to True. Set the encrypted attribute to False if you do not want to set the password value in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<property name="url">[value]</property>

Set the value to the JDBC connection string to connect to the PAP database. The PAP supports Oracle Thin Driver, Oracle Thick Driver (that is, OCI driver), and MS SQL Server driver. The database connection URL can have one of the following formats based on the database driver used.

Oracle Thin Driver

Format:

jdbc:oracle:thin:@<host>:<port>:<SID>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<SID>—The SID of Oracle database.

Example:

jdbc:oracle:thin:@131.107.0.23:1521:secdev

Oracle Thick Driver

Format:

jdbc:oracle:oci8:@<tns-listener-name>

where:

<tns-listener-name> — The TNS LISTENER name of the database service. This is configured in the TNSNAMES.ORA file present in the Oracle client installation directory: /ORACLE_HOME/network/admin/

Example:

jdbc:oracle:oci8:@secdev

MS SQL Server Driver

Format:

jdbc:sqlserver://<host>:<port>;databaseName=<DB name>

where:

<host>—The machine IP address where the database is running.

<port>—The port number where the database listener is running.

<DB name>—The SQL Server database name.

Example:

jdbc:sqlserver://131.107.2.205:3279;databaseName=secdev

<property name="driver">[value]</property>

Set value to the JDBC driver class.

For Oracle—oracle.jdbc.driver.OracleDriver.

For MS SQL Server—com.microsoft.sqlserver.jdbc.SQLServerDriver.

LDAP Server Data Source

<property name="ldap-type">[value]</property>

Set the value to the name of the LDAP service provider. CEPM supports three LDAP service providers.

Sun One Directory Server—set <ldap-type> value to SunOne.

Novell eDirectory Server—set <ldap-type> value to Novell.

Active Directory Server—set <ldap-type> value to AD.

<property name="url">[value]</property>

Set the value to the LDAP server URL.

<property name="port">[value]</property>

Set the value to the LDAP server port.

<property name="ldapdn">[value]</property>

Set the value to the LDAP server Base DN.

<property name="userdn">[value]</property>

Set the value to the LDAP server User DN.

<property name="password" encrypted="true">[value]</property>

Set the value to the password of the user in encrypted format and set the encrypted attribute to True. Set the encrypted attribute to False if you do not want to set the password value in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<property name="superuser-role">[value]</property>

Set value to the name of the role to which the super user belongs.

SSO Data Source

If authentication type is single sign-on (sso), then one property element needs to be configured with a name that has request or session as the value.

Example:

<property name="request">[value]</property>

Set the value to the name of the request or session attribute whose value is the name of the user.

Sample <authentication> Element Configuration

Case 1: PDP Authentication Details are Stored in the Same Database Instance as Configured for the <securent><db> Element

(A) PDP authentication details are stored in PAP database.

    <!-- Shared Repository Flag -->
    <shared_repository>true</shared_repository> 

    <!-- PDP Database Connection Configuration -->
    <db authEnable="true" name="pap_db">
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties></properties>
    </db>

    <!-- PDP Authentication Configuration -->
 
    <authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="true" name="pap_db"></properties>
    </authentication>

(B) PDP authentication details are stored in a PDP database that is different from the PAP database.

    <!-- Shared Repository Flag -->
    <shared_repository>false</shared_repository> 

    <!-- PDP Database Connection Configuration -->
    <db authEnable="true" name="pdp_db">
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>user2</username>
            <password>XBKO7w9gh3vTFr8u41H9JQ==</password>
            <url>jdbc:oracle:thin:@host:1521:securent</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
            <maxconnections>20</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName>
        </properties>
    </db>

    <!-- PDP Authentication Configuration -->
 
    <authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="true" name="pdp_db"></properties>
    </authentication>

Case 2: PDP Authentication Details are Stored in a Database Instance that is Different from the PDP Database Instance

(A) Oracle Database Using Thin Driver

<!-- PDP Authentication Configuration -->
<authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="false" name="my_db">             
            <property name="db-type">oracle</property>
            <property name="username">testuser</property>
            <property name="password" encrypted="true">xiicLTdcE2g=</property>
            <property name="url">   
                 jdbc:oracle:thin:@host:1521:cepmdev 
            </property>
            <property name="driver">oracle.jdbc.driver.OracleDriver</property>
        </properties>
</authentication>

(B) Oracle Database Using Thick Driver

<!-- PDP Authentication Configuration -->
<authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="false" name="my_db">             
            <property name="db-type">oracle</property>
            <property name="username">testuser</property>
            <property name="password" encrypted="true">xiicLTdcE2g=</property>
            <property name="url">   
                 jdbc:oracle:oci8:@cepmdev 
            </property>
            <property name="driver">oracle.jdbc.driver.OracleDriver</property>
        </properties>
</authentication>

(C) MS SQL Server Database

<!-- PDP Authentication Configuration -->
<authentication type="db" class="net.securent.util.db.PDPAuthenticator">
        <properties refer="false" name="my_db">             
            <property name="db-type">oracle</property>
            <property name="username">testuser</property>
            <property name="password" encrypted="true">xiicLTdcE2g=</property>
            <property name="url">   
                 jdbc:sqlserver://host:3279;databaseName=cepmdev 
            </property>
            <property name="driver">        
                 com.microsoft.sqlserver.jdbc.SQLServerDriver  
            </property>
        </properties>
</authentication>

Case 3: PDP Authentication Details are Stored in an LDAP Server

  <!-- UI Authentication Details -->
  <authentication type="ldap" class="net.securent.util.db.LocalLDAPAuthenticator">
        <properties refer="false" name="default">
                <property name="ldap-type">AD</property>
                <property name="ldapdn"> 
                         dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in
                </property>
                <property name="userdn">
                         cn=administrator,cn=users,dc=win2k-ad,dc=win2k-ad,  
                         dc=bodhtree,dc=co,dc=in
                </property>
                <property name="password" encrypted="true">  
                         xiicLTdcE2g= 
                </property>
                <property name="url">ldap://131.107.2.204</property>
                <property name="port">389</property>
                <property name="superuser-role">Test</property> 
        </properties>
    </authentication>

Case 4: PDP Authentication is Done Using the Existing Authentication Framework Present in the Protected Application (SSO Authentication)

The following example considers SSO authentication, that is, the authentication will not be carried out by CEPM, but the authentication implementation in the existing protected application will be used.

    <!-- UI Authentication Details -->
  <authentication type="sso" class="net.securent.util.db.SSOAuthenticator">
        <properties refer="false" name="default">
           <property name="request">username</property>
         </properties>
    </authentication>
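The <authentication> rules above are mechanical (the type attribute decides which <property> elements are required, refer="true" makes them unnecessary, db-type must agree with the JDBC URL format and driver class, and passwords should carry encrypted="true"), so they can be checked before the PDP is started rather than discovered from a failed PEP request. The following Python script is an added example, not CEPM code or part of this guide. parse_jdbc_url() recognises the three URL formats listed under the url property; the two XML samples are constructed for the example, the second repeating a common slip, an MS SQL Server URL paired with db-type oracle. The class attribute is taken from the samples above and is not checked.

```python
import re
import xml.etree.ElementTree as ET

# JDBC URL formats listed in this guide, keyed by the db-type value each one implies.
JDBC_FORMATS = {
    "oracle": [
        re.compile(r"^jdbc:oracle:thin:@(?P<host>[^:]+):(?P<port>\d+):(?P<sid>\w+)$"),
        re.compile(r"^jdbc:oracle:oci8:@(?P<tns>\w+)$"),
    ],
    "mssql": [
        re.compile(r"^jdbc:sqlserver://(?P<host>[^:;]+):(?P<port>\d+);databaseName=(?P<db>\w+)$"),
    ],
}
JDBC_DRIVERS = {
    "oracle": "oracle.jdbc.driver.OracleDriver",
    "mssql": "com.microsoft.sqlserver.jdbc.SQLServerDriver",
}
# <property> names this guide lists for each authentication type (used when refer="false").
REQUIRED = {
    "db": {"db-type", "username", "password", "url", "driver"},
    "ldap": {"ldap-type", "url", "port", "ldapdn", "userdn", "password", "superuser-role"},
    "sso": set(),  # needs exactly one property named request or session; checked below
}
LDAP_TYPES = {"SunOne", "Novell", "AD"}


def parse_jdbc_url(url):
    """Return (db_type, fields) for a URL in one of the guide's formats, else (None, {})."""
    for db_type, patterns in JDBC_FORMATS.items():
        for pat in patterns:
            m = pat.match(url.strip())
            if m:
                return db_type, m.groupdict()
    return None, {}


def check_authentication(xml_text):
    """Validate one <authentication> element; return a list of problems (empty = OK)."""
    auth = ET.fromstring(xml_text)
    problems = []
    atype = auth.get("type", "")
    if atype not in REQUIRED:
        return [f"unknown authentication type {atype!r}"]
    props_el = auth.find("properties")
    if props_el is None:
        return ["<properties> element is missing"]
    if (props_el.get("refer") or "").lower() == "true":
        return problems  # details come from the <db> element named by the name attribute
    # property name -> (text value, encrypted attribute)
    props = {p.get("name"): ((p.text or "").strip(), p.get("encrypted"))
             for p in props_el.findall("property")}
    missing = REQUIRED[atype] - set(props)
    if missing:
        problems.append(f"missing properties for type {atype}: {sorted(missing)}")
    if "password" in props and (props["password"][1] or "").lower() != "true":
        problems.append('password property is not marked encrypted="true"')
    if atype == "db" and not missing:
        db_type = props["db-type"][0]
        url_type, _ = parse_jdbc_url(props["url"][0])
        if url_type is None:
            problems.append("url does not match any JDBC format supported by the PDP")
        elif url_type != db_type:
            problems.append(f"db-type is {db_type!r} but the url is a {url_type} URL")
        if JDBC_DRIVERS.get(db_type) != props["driver"][0]:
            problems.append(f"driver class does not match db-type {db_type!r}")
    if atype == "ldap" and not missing and props["ldap-type"][0] not in LDAP_TYPES:
        problems.append(f"ldap-type must be one of {sorted(LDAP_TYPES)}")
    if atype == "sso" and len({"request", "session"} & set(props)) != 1:
        problems.append("sso requires exactly one property named request or session")
    return problems


# Constructed samples: a correct MS SQL Server data source, and the same fragment with
# db-type left as "oracle" (a slip the PDP would only surface at runtime).
MSSQL_OK = """
<authentication type="db" class="net.securent.util.db.PDPAuthenticator">
    <properties refer="false" name="my_db">
        <property name="db-type">mssql</property>
        <property name="username">testuser</property>
        <property name="password" encrypted="true">xiicLTdcE2g=</property>
        <property name="url">jdbc:sqlserver://host:3279;databaseName=cepmdev</property>
        <property name="driver">com.microsoft.sqlserver.jdbc.SQLServerDriver</property>
    </properties>
</authentication>
"""
MSSQL_WRONG_TYPE = MSSQL_OK.replace('"db-type">mssql', '"db-type">oracle')

if __name__ == "__main__":
    print("ok sample:", check_authentication(MSSQL_OK) or "no problems")
    print("wrong db-type:", check_authentication(MSSQL_WRONG_TYPE))
```

The encrypted="true" check is deliberately a warning about the attribute, not a test of the ciphertext: the script cannot tell a valid crypt value from a typo, and the page's note that the PDP supports only the crypt scheme is the reason plaintext should never be left in this element.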

<encryption>

The <encryption> element contains the subelements for configuring multiple Java classes for implementing various encryption algorithms used for encrypting passwords of the PDP database user, JMS server user, LDAP server user, and so on.

The following are the subelements of <encryption> element:

<implementors>—This contains various encryption Java classes.

<crypt>—Set its value to com.cisco.epm.util.auth.encryptor.DefaultCryptEncryptor.


Note The PDP supports only the crypt password scheme. The algorithm that crypt uses is based on the Data Encryption Standard (DES).


<xacml-parser>

The <xacml-parser> element contains the subelements related to the Xacml parser implementation class that is used to parse the Xacml requests coming from the PEP and to generate the appropriate Xacml response to send to the PEP.

The following are the subelements of <xacml-parser> element:

<impl>—Xacml parser implementation class.

Set its value to net.securent.util.pep.XacmlGenerator.

<xacml-log>

The PDP component has the option to log the Xacml requests that are received from the PEP and the Xacml responses sent to the PEP in a database that is configured in this <xacml-log> section of the PDP configuration file pdp_config.xml.

The PDP log can be viewed through the PAP UI from the Runtime Logs section. To view the logs generated by multiple PDPs, perform the following configuration in the PAP and in each PDP.

PDP configuration for Xacml log: Configure all the PDPs to store their log information in a common database instance.

For this, configure the <xacml-log> section of each PDP configuration file, pdp_config.xml, and provide the same database connection details in each.

PAP configuration for Xacml log: Configure the PAP to connect to the previously mentioned database instance where all the PDPs store their Xacml log information. This is done by configuring the <xacml-log> element in pap_config.xml file and providing the same database connection details here as set for all the PDPs.

The following are the subelements of the <xacml-log> element:

<enable>—Set its value to False if the log information is not to be stored in the PDP database.

Set its value to True if the log information needs to be stored in the PDP database. In this case, the logRequestResponse attribute decides whether or not the Xacml requests and Xacml responses should be stored in the database. If the logRequestResponse attribute value is set to false, all the log information except the Xacml requests and responses are stored in the database. If the logRequestResponse attribute value is set to True, all the log information including Xacml requests and responses are stored in the database.

<log-impl>—Set its value to the PDP log implementation class name, which is net.securent.pdp.xacmllog.DBXacmlLogWriter.

<db>—This subelement contains the attributes and subelements for configuring database connection details where the Xacml log information is stored.

refer attribute—Set its value to True if the Xacml log information is stored in the PDP database itself, that is, the Xacml log database is the same database as given in the <securent><db> element.

In this case, you do not have to provide the database connection details for the following <properties> subelements—<db-type>, <username>, <password>, <url>, <driver>.

Set its value to False if the Xacml log database is different from the PDP database, that is, different from the one that is configured for the <securent><db> element. In this case, you will have to provide the database connection details for the following <properties> subelements—<db-type>, <username>, <password>, <url>, <driver>.

name attribute—If the refer attribute is set to True, provide the same database name as configured for the <securent><db> element; otherwise, provide any new name.

<properties>—Set its subelements if the Xacml log database is different from the PDP database, that is, if the refer attribute value is set to false. The subelements of the <properties> element are as follows:

<db-type>—Set its value to oracle if Xacml log information is stored in Oracle database. Set its value to mssql if it is stored in Microsoft SQL Server database.

<username>—Name of the database user where Xacml log information is stored.

<password>—The password of the user in encrypted format. For more details about password encryption, refer to Password Encryption in CEPM.

<url>—JDBC connection string to connect to the database where the Xacml log information is stored.

<driver>—JDBC driver class.

Sample <xacml-log> Element Configuration

Case 1: Database Logging when xacml-log Information is Stored in the Same Database Instance where the PDP Data Resides (PDP Database).

In this case, set refer attribute value to True and the name attribute value to the same database name value as provided for the name attribute value of the <securent><db> element (that is, the PDP database).

  <!-- XACML Log Details -->

    <xacml-log>
        <db refer="true" name="pdp_db"></db>
        <!-- here the name attribute value is same as the one that is set for <db> 
             name as shown in the following section - PDP Database Details --> 
    </xacml-log>

   <!-- PDP Database Details -->

    <db name="pdp_db" ...>
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>testuser</username>
            <password>R7mNxexTum8=</password>
            <url>jdbc:oracle:thin:@host:1521:devbdb</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>

Case 2: Database Logging when xacml-log Information is Stored in a Different Database Instance from the One Where the PDP Data Resides (PDP Database)

In this case, set the refer attribute value to False and provide the connection details (<db-type>, <username>, <password>, <url>, <driver>) of the database instance where the Xacml log information is stored.

<!-- XACML Log Details -->

    <xacml-log>
        <db refer="true" name="my_db">
            <db-type>oracle</db-type>
            <username>testuser3</username>
            <password>ZFPx34KVJsQ=</password>
            <url>jdbc:oracle:thin:@host:1521:devbdb</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
        </db>
    </xacml-log>

   <!-- PDP Database Details -->

    <db name="pdp_db" ...>
        <impl>net.securent.util.db.ConnectionPool</impl>
        <properties>
            <db-type>oracle</db-type>
            <username>testuser</username>
            <password>R7mNxexTum8=</password>

            <url>jdbc:oracle:thin:@host:1521:devbdb</url>
            <driver>oracle.jdbc.driver.OracleDriver</driver>
            <maxconnections>200</maxconnections>
            <maxconnectiontime>120</maxconnectiontime>
            <idleconnectiontime>300</idleconnectiontime>
            <poolName>Default Domain</poolName>
            <eventenable>
                <value>false</value>
            </eventenable>
        </properties>
    </db>
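The multi-PDP setup described at the start of this section (every PDP and the PAP pointing their <xacml-log> at one database instance) is easy to get wrong because refer="true" hides the real connection details behind a <db> name, and a PDP whose logs land elsewhere simply never shows up in the PAP Runtime Logs view. The following Python script is an added example, not part of this guide or of CEPM: effective_xacml_log_db() resolves refer="true" to the named top-level <db> element's <properties>, accepts inline details otherwise (under <properties> as described above, or directly under <db> as in the sample), and check_common_log_database() reports which PDPs would log somewhere other than where the PAP reads. It assumes pap_config.xml uses the same <xacml-log><db> layout as pdp_config.xml, which this guide states but does not show; all host names, users and passwords are constructed placeholders.

```python
import xml.etree.ElementTree as ET


def _text(parent, tag):
    """Stripped text of a child element, or None when the child is absent."""
    el = parent.find(tag)
    return (el.text or "").strip() if el is not None else None


def effective_xacml_log_db(config_xml):
    """Resolve where one config file (PAP or PDP) actually writes or reads Xacml logs.

    refer="true": use the top-level <db> whose name attribute matches;
    refer="false": the details are given inline under <xacml-log><db>.
    Returns a dict with keys enabled, url, username, driver.
    """
    root = ET.fromstring(config_xml)
    log = root.find("xacml-log")
    if log is None:
        raise ValueError("no <xacml-log> element")
    enabled = (_text(log, "enable") or "true").lower() == "true"
    log_db = log.find("db")
    if log_db is None:
        raise ValueError("<xacml-log> has no <db> element")
    if (log_db.get("refer") or "").lower() == "true":
        name = log_db.get("name")
        src = None
        for db in root.findall("db"):  # direct children only, so not <xacml-log><db>
            if db.get("name") == name:
                src = db.find("properties")
        if src is None:
            raise ValueError(f'refer="true" but no <db name="{name}"> with <properties> found')
    else:
        # the guide describes the details under <properties>; its sample puts them
        # directly under <db>, so both layouts are accepted
        src = log_db.find("properties")
        if src is None:
            src = log_db
    return {"enabled": enabled, "url": _text(src, "url"),
            "username": _text(src, "username"), "driver": _text(src, "driver")}


def check_common_log_database(pap_xml, pdp_xmls):
    """Indexes of PDPs whose effective log target differs from the PAP's or is disabled."""
    target = effective_xacml_log_db(pap_xml)
    key = (target["url"], target["username"])
    mismatched = []
    for i, pdp in enumerate(pdp_xmls):
        eff = effective_xacml_log_db(pdp)
        if not eff["enabled"] or (eff["url"], eff["username"]) != key:
            mismatched.append(i)
    return mismatched


# Constructed samples; hosts, users and passwords are placeholders. The PAP side is
# assumed (not shown in this guide) to use the same <xacml-log><db> layout as the PDP.
LOG_URL = "jdbc:oracle:thin:@loghost:1521:logdb"

PAP_CONFIG = f"""
<securent>
  <xacml-log>
    <db refer="false" name="log_db">
      <properties>
        <db-type>oracle</db-type><username>xacmllog</username>
        <password>ZFPx34KVJsQ=</password><url>{LOG_URL}</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
      </properties>
    </db>
  </xacml-log>
</securent>
"""


def pdp_config(refer, own_url, log_url=None):
    """Build a constructed pdp_config fragment: an <xacml-log> section plus the PDP's own <db>."""
    if refer:
        log_db = '<db refer="true" name="pdp_db"></db>'
    else:
        log_db = (f'<db refer="false" name="log_db"><properties><db-type>oracle</db-type>'
                  f'<username>xacmllog</username><password>ZFPx34KVJsQ=</password>'
                  f'<url>{log_url}</url><driver>oracle.jdbc.driver.OracleDriver</driver>'
                  f'</properties></db>')
    return f"""
<securent>
  <xacml-log><enable>true</enable>{log_db}</xacml-log>
  <db name="pdp_db">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type><username>xacmllog</username>
      <password>R7mNxexTum8=</password><url>{own_url}</url>
      <driver>oracle.jdbc.driver.OracleDriver</driver>
    </properties>
  </db>
</securent>
"""


PDPS = [
    pdp_config(refer=True, own_url=LOG_URL),  # PDP data lives in the log database itself
    pdp_config(refer=False, own_url="jdbc:oracle:thin:@pdp2:1521:pdpdb", log_url=LOG_URL),
    pdp_config(refer=True, own_url="jdbc:oracle:thin:@pdp3:1521:pdpdb"),  # logs only to its own DB
]

if __name__ == "__main__":
    print("PDPs not logging to the PAP's Xacml log database:",
          check_common_log_database(PAP_CONFIG, PDPS))
```

The comparison key is (url, username) rather than the password, so the script never needs the encrypted values; if two PDPs reach the same instance through different JDBC URL spellings (IP versus host name), normalise the URL before comparing.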

<pdp>

The <pdp> tag is used to enable the policy cache in the PDP. This tag also contains the subelements related to protocol-specific listeners that should be up for the PDP-PEP communication and the subelements that define the content of PDP response to PEP.

The <pdp> subelements are as follows:

attributeEnable attribute—Set its value to True if you want the PDP to send attributes related to various entities for a policy, such as user attributes, role attributes, and resource attributes. Otherwise, set its value to False.

cloningCheckEnable attribute—Set its value to True if you want the PDP to send the policy details of the main user from which this user is cloned. Otherwise, set its value to False.

retry attribute—When the databases (entitlement repository or external PIP) of a PDP become unresponsive (due to connection failure during query execution time), the PEP retries to send the request to PDP after a specified time interval. This 'retry' time interval is set in the <retry> tag in the pdp_config.xml file. For example, assume the retry value given in pdp_config.xml is X seconds and the timeout value given in pep_config.xml is Y seconds (where X < Y). When the PEP sends a request to the PDP and the PDP finds the database is down, it sends a retry message to the PEP conveying that it should resend the request after X seconds. The PEP will resend the request to the PDP after X seconds. This process will continue until the PEP gets a proper response. If it does not get any response within the specified timeout interval (Y seconds), it will throw an exception.

Set its value in seconds.

policyCacheEnable attribute—This attribute must be set to true in order to use the policy cache for policy decisions instead of accessing the database. If this attribute is set to false, authorization decisions are made from the database and not from the policy cache. By default, this attribute is set to true.

caseSensitive attribute—This attribute indicates whether or not input parameter values are compared in a case-sensitive manner. If it is set to false, input parameter values that differ only in case are considered the same, for example, username Mary and username MARY are the same.

xacmlAttributes attribute—If this attribute is set to true, the PDP returns an Xacml-compliant response that includes the decision as well as other relevant attributes such as resource names and resource type names. If it is set to false, the PDP returns only the decision.

<listeners>—This section contains the configuration related to various protocol-specific listeners that are supported by the PDP to communicate with the PEP. The PDP supports two protocol listeners: http and rmi.

<listener>—This element contains the configuration details related to a protocol-specific listener.

The following are the subelements of the <listener> element:

<responseType>—Response as Object or XML.

The <responseType> tag value should match in both pdp_config.xml and pep_config.xml. For example, if it is set to Object in pep_config.xml, the corresponding tag in pdp_config.xml must also be set to Object. The same applies to XML.

<enabled>—Set its value to True to enable this listener. Otherwise, set its value to False.


Note Multiple listeners can be enabled at the same time as per the requirement.


<name>—The <name> sub-element can have one of these values: http and rmi.

<listenerClass>—Protocol-specific listener class. Do not edit this value.

For http: net.securent.pdp.listener.http.HttpListener

For rmi: net.securent.pdp.listener.rmi.RMIListener

<processorClass>—Protocol-specific processor class. Do not edit this value.

For http: net.securent.pdp.listener.http.HttpProcessor

For rmi: net.securent.pdp.listener.rmi.RMIProcessor

<parameters>—This contains rmi protocol-specific values. For http listener, keep it empty.

<host>—The RMI registry host machine IP address.

<port>—The RMI registry port number.

<jndiName>—The JNDI lookup name to locate the RMI registry.

Sample <pdp> Element Configuration

	<pdp attributeEnable="false" cloningCheckEnable="false" retry="1000" 
policyCacheEnable="true" caseSensitive="true" xacmlAttributes="false">
		<listeners>
			<listener>
				<!-- Response as Object/XML -->
				<responseType>Object</responseType>
				<enabled>true</enabled>
				<name>http</name>
				<listenerClass>
					net.securent.pdp.listener.http.HttpListener
				</listenerClass>
				<processorClass>
					net.securent.pdp.listener.http.HttpProcessor
				</processorClass>
				<parameters />
			</listener>
			<listener>
				<enabled>false</enabled>
				<name>rmi</name>
				<listenerClass>
					net.securent.pdp.listener.rmi.RMIListener
				</listenerClass>
				<processorClass>
					net.securent.pdp.listener.rmi.RMIProcessor
				</processorClass>
				<parameters>
					<host>131.107.0.42</host>
					<port>10001</port>
					<jndiName>pdpObj</jndiName>
				</parameters>
			</listener>
		</listeners>
	</pdp>
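Two of the rules in this section are cross-file: the <responseType> of each enabled listener must agree with pep_config.xml, and the retry interval (X seconds) must be smaller than the PEP timeout (Y seconds). The following Python script is an added example, not CEPM code or part of this guide. Because this guide does not describe the layout of pep_config.xml, the PEP-side values are passed in as plain arguments rather than parsed from a file. The <pdp> sample is constructed for the example (it follows the sample above with retry lowered to 10 seconds), and the RMI host address is a placeholder.

```python
import xml.etree.ElementTree as ET

# Listener and processor classes this guide fixes for each protocol (not to be edited).
LISTENER_CLASSES = {
    "http": ("net.securent.pdp.listener.http.HttpListener",
             "net.securent.pdp.listener.http.HttpProcessor"),
    "rmi": ("net.securent.pdp.listener.rmi.RMIListener",
            "net.securent.pdp.listener.rmi.RMIProcessor"),
}
BOOLEAN_ATTRS = ("attributeEnable", "cloningCheckEnable", "policyCacheEnable",
                 "caseSensitive", "xacmlAttributes")


def _text(parent, tag):
    """Stripped text of a child element, or None when the child is absent."""
    el = parent.find(tag)
    return (el.text or "").strip() if el is not None else None


def check_pdp(pdp_xml, pep_response_type, pep_timeout_seconds):
    """Check a <pdp> element against the PEP-side settings it must agree with.

    pep_response_type and pep_timeout_seconds are the values configured in
    pep_config.xml, supplied by the caller. Returns a list of problems (empty = consistent).
    """
    pdp = ET.fromstring(pdp_xml)
    problems = []
    retry = pdp.get("retry", "")
    if not retry.isdigit():
        problems.append("retry attribute must be an integer number of seconds")
    elif int(retry) >= pep_timeout_seconds:
        problems.append(f"retry ({retry}s) must be smaller than the PEP timeout ({pep_timeout_seconds}s)")
    for attr in BOOLEAN_ATTRS:
        if pdp.get(attr, "").lower() not in ("true", "false"):
            problems.append(f"{attr} attribute must be true or false")
    listeners = pdp.findall("listeners/listener")
    enabled = [l for l in listeners if (_text(l, "enabled") or "").lower() == "true"]
    if not enabled:
        problems.append("no listener is enabled; the PEP cannot reach this PDP")
    for l in enabled:
        name = _text(l, "name")
        if name not in LISTENER_CLASSES:
            problems.append(f"unsupported listener name {name!r}")
            continue
        lcls, pcls = LISTENER_CLASSES[name]
        if _text(l, "listenerClass") != lcls or _text(l, "processorClass") != pcls:
            problems.append(f"{name} listener uses classes that do not match its protocol")
        rtype = _text(l, "responseType")
        if not rtype or rtype.lower() != pep_response_type.lower():
            problems.append(f"{name} listener responseType {rtype!r} does not match PEP value {pep_response_type!r}")
        params = l.find("parameters")
        if name == "rmi":
            for tag in ("host", "port", "jndiName"):
                if params is None or _text(params, tag) is None:
                    problems.append(f"rmi listener is missing <parameters><{tag}>")
        elif params is not None and len(params):
            problems.append("http listener should have an empty <parameters/> element")
    return problems


# Constructed sample following the guide's <pdp> example, with retry set to 10 seconds.
PDP_SAMPLE = """
<pdp attributeEnable="false" cloningCheckEnable="false" retry="10"
     policyCacheEnable="true" caseSensitive="true" xacmlAttributes="false">
  <listeners>
    <listener>
      <responseType>Object</responseType>
      <enabled>true</enabled>
      <name>http</name>
      <listenerClass>net.securent.pdp.listener.http.HttpListener</listenerClass>
      <processorClass>net.securent.pdp.listener.http.HttpProcessor</processorClass>
      <parameters />
    </listener>
    <listener>
      <enabled>false</enabled>
      <name>rmi</name>
      <listenerClass>net.securent.pdp.listener.rmi.RMIListener</listenerClass>
      <processorClass>net.securent.pdp.listener.rmi.RMIProcessor</processorClass>
      <parameters><host>131.107.0.42</host><port>10001</port><jndiName>pdpObj</jndiName></parameters>
    </listener>
  </listeners>
</pdp>
"""

if __name__ == "__main__":
    print("PEP expects Object, timeout 30s:", check_pdp(PDP_SAMPLE, "Object", 30) or "consistent")
    print("PEP expects XML, timeout 30s:", check_pdp(PDP_SAMPLE, "XML", 30))
```

Disabled listeners are skipped on purpose: the rmi entry in the sample has no <responseType>, which is harmless while it is disabled but would be flagged the moment <enabled> is switched to true.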

<pip>

The <pip> element contains the subelements related to Policy Information Points (PIPs), that is, data stores that are external to the application (PAP and PDP), which store policy-related information.

The following are the subelements of the <pip> element:

<attributesources>—This element contains the configurations for various external datasources (PIPs). CEPM supports the following data sources:

Database

LDAP

JAVA Class

Web Service

The following are the <attributesources> subelements:

<source>—Each <source> element contains the configuration related to a specific data source (PIP).
The following are its subelements.

<type>—Type of data source. It can have one of the following values:

For Database PIP— database

For LDAP PIP—ldap

For JAVA Class PIP—Java

For Web Service PIP—WebService

<metadataImpl>—Metadata implementation class. It can have one of the following values:

For Database PIP—net.securent.pip.db.DataBasePIPMetaData

For LDAP PIP—net.securent.pip.ldap.LDAPPIPMetaData

For JAVA Class PIP—net.securent.pip.java.JavaPIPMetaData

For Web Service PIP—net.securent.pip.webservice.WebservicePIPMetaData

<attributeImpl>

Attribute implementation class. It can have one of the following values.

For Database PIP—net.securent.pip.db.DBAttribute

For LDAP PIP—net.securent.pip.ldap.LDAPAttribute

For JAVA Class PIP—net.securent.pip.java.JavaAttribute

For Web Service PIP—net.securent.pip.webservice.WebserviceAttribute

<attributeEvaluator>—Attribute evaluator class. It can have one of the following values.

For Database PIP—net.securent.pip.db.DBAttributeEvaluator

For LDAP PIP—net.securent.pip.ldap.LDAPAttributeEvaluator

For JAVA Class PIP—net.securent.pip.java.JavaAttributeEvaluator

For Web Service PIP—net.securent.pip.webservice.WebserviceAttributeEvaluator

Sample <pip> Element Configuration

<!-- Policy Information Points (PIPs) Configuration -->
<pip>
    <attributesources>

        <!-- Database PIP -->
        <source>
            <type>database</type>
            <metadataImpl>net.securent.pip.db.DataBasePIPMetaData</metadataImpl>
            <attributeImpl>net.securent.pip.db.DBAttribute</attributeImpl>
            <attributeEvaluator>net.securent.pip.db.DBAttributeEvaluator</attributeEvaluator>
        </source>

        <!-- LDAP PIP -->
        <source>
            <type>ldap</type>
            <metadataImpl>net.securent.pip.ldap.LDAPPIPMetaData</metadataImpl>
            <attributeImpl>net.securent.pip.ldap.LDAPAttribute</attributeImpl>
            <attributeEvaluator>net.securent.pip.ldap.LDAPAttributeEvaluator</attributeEvaluator>
        </source>

        <!-- Java PIP -->
        <source>
            <type>Java</type>
            <metadataImpl>net.securent.pip.java.JavaPIPMetaData</metadataImpl>
            <attributeImpl>net.securent.pip.java.JavaAttribute</attributeImpl>
            <attributeEvaluator>net.securent.pip.java.JavaAttributeEvaluator</attributeEvaluator>
        </source>

        <!-- Web Service PIP -->
        <source>
            <type>Webservice</type>
            <metadataImpl>net.securent.pip.webservice.WebservicePIPMetaData</metadataImpl>
            <attributeImpl>net.securent.pip.webservice.WebserviceAttribute</attributeImpl>
            <attributeEvaluator>net.securent.pip.webservice.WebserviceAttributeEvaluator</attributeEvaluator>
        </source>

    </attributesources>
</pip>

<cache>

The cache element contains the subelements related to the decision cache configuration. CEPM highly recommends using the policy cache mechanism instead of the decision cache. Refer to <pdp> for more information on how to configure the policy cache.

<callbackhandlers>

The callbackhandlers element contains the subelements related to the encryption configuration. The password encryption program optionally consumes user-provided input for the key store location, the key store password and the key name. When these parameters are not all specified, the default encryption key is used. With the default encryption key, the user is not required to provide a key through the getSecret() method or a KeyCallback implementation.

The following are the subelements of the <callbackhandlers> element:

<keycallbackhandler>—Users can write their own implementation class by implementing the IkeyCallback interface.

Set its value to com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider.

usedefault attribute—If this value is set to true, the default encryption key is used. If this value is set to false, the key is obtained from the implementation class through one of the following methods:

public javax.crypto.SecretKey getSecret (int identifier, String keyname) throws NoSuchKeyException; // pass the key name as Default Key.

public javax.crypto.SecretKey getSecret (int identifier, String encryptionScheme, long keySize) throws NoSuchKeyException; // pass the encryption scheme as DESede and the size as 192.

Sample <callbackhandlers> Element Configuration

<callbackhandlers>
    <keycallbackhandler usedefault="true">com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackhandler>
</callbackhandlers>
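As an added example (not Cisco's code), the following Python script checks a pdp_config.xml fragment against the <pip> class triples listed above and the usedefault attribute of <keycallbackhandler>: a <source> whose metadataImpl, attributeImpl or attributeEvaluator does not belong to its <type>, and a handler that keeps the product-wide default key, are reported as findings. The element and class names are the ones in this guide; the sample fragment is constructed.

```python
"""Lint <pip> and <callbackhandlers> in a pdp_config.xml fragment (added example, not
Cisco's code): flag class triples that mismatch <type> and a default-key handler."""
import xml.etree.ElementTree as ET

# Documented class names per PIP type; <type> is compared case-insensitively.
PIP_CLASSES = {
    "database": ("db", "DataBasePIPMetaData", "DBAttribute", "DBAttributeEvaluator"),
    "ldap": ("ldap", "LDAPPIPMetaData", "LDAPAttribute", "LDAPAttributeEvaluator"),
    "java": ("java", "JavaPIPMetaData", "JavaAttribute", "JavaAttributeEvaluator"),
    "webservice": ("webservice", "WebservicePIPMetaData", "WebserviceAttribute",
                   "WebserviceAttributeEvaluator"),
}
FIELDS = ("metadataImpl", "attributeImpl", "attributeEvaluator")

def _text(elem, tag):  # strip the newlines/indentation often wrapped around class names
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""

def lint_pdp_config(xml_text):
    """Return a list of findings; an empty list means the fragment is clean."""
    root, findings = ET.fromstring(xml_text), []
    for i, src in enumerate(root.iter("source")):
        kind = _text(src, "type").lower()
        if kind not in PIP_CLASSES:
            findings.append(f"source[{i}]: unknown PIP type '{kind}'")
            continue
        pkg, *classes = PIP_CLASSES[kind]
        for field, cls in zip(FIELDS, classes):
            want, got = f"net.securent.pip.{pkg}.{cls}", _text(src, field)
            if got != want:
                findings.append(f"source[{i}] ({kind}): {field} is '{got}', expected '{want}'")
    for h in root.iter("keycallbackhandler"):
        if h.get("usedefault", "").strip().lower() == "true":
            findings.append('keycallbackhandler: usedefault="true" selects the product-wide default key')
        if not (h.text or "").strip():
            findings.append("keycallbackhandler: no key provider class configured")
    return findings

# Constructed sample: the Java source names the LDAP evaluator; the handler keeps the default key.
SAMPLE = """<config><pip><attributesources><source><type>Java</type>
<metadataImpl>
    net.securent.pip.java.JavaPIPMetaData
</metadataImpl><attributeImpl>net.securent.pip.java.JavaAttribute</attributeImpl>
<attributeEvaluator>net.securent.pip.ldap.LDAPAttributeEvaluator</attributeEvaluator>
</source></attributesources></pip><callbackhandlers><keycallbackhandler usedefault="true">
com.cisco.epm.util.auth.encryptor.crypt.DefaultKeyProvider</keycallbackhandler>
</callbackhandlers></config>"""

if __name__ == "__main__":
    print("\n".join(lint_pdp_config(SAMPLE)) or "no findings")
```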

Documentation Updates

Table 1 Updates to CEPM PDP Configuration Guide V3.3.1.0

Date             Description

June 10, 2010    Cisco Enterprise Policy Manager (EPM) Release 3.3.1.0

                 The following changes have been made to this document since Release 3.3.0.0:

                 Updated the document with the tags used to configure Policy Cache. See <pdp>.

                 Added <pdphost> tag. See <pdphost>.

                 Removed the <cache> tag description.


Related Documentation

CEPM User Guide V3.3.1.0

CEPM Policy Cache Guide

CEPM Concept Guide V3.3.1.0

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

© 2009 Cisco Systems, Inc. All rights reserved.
