CEPM PEP Configuration Guide V3.3.1.0
Revised: June 10, 2010, Doc Part No: OL-22920-01
Contents
•Elements of pep_config.xml File
•Obtaining Documentation and Submitting a Service Request
About This Document
Objective
This document explains the elements of the Policy Enforcement Point (PEP) configuration file pep_config.xml and where the file must be placed for each type of application; see the Introduction below.
Audience
This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.
Introduction
This document explains the various elements present in the Policy Enforcement Point (PEP) configuration file pep_config.xml. This file must be placed in the location appropriate for the type of application used, as given below:
•J2EE web application: \WEB-INF\classes\
•.NET standalone application: \Application Name\bin\
•.NET web application: \Application Name\bin\debug\
The pep_config.xml file contains the following PEP configurations:
•PEP cache: <cache>
•Load balancing: <loadbalance>
•Policy Decision Points (PDPs): <pdps>
•HTTP proxy: <http-proxy>
•Policy Administration Point (PAP) connection details: <apis>
•Logs: <logs>
•Protocol-specific adapters to access PDP: <adapters>
•Resource discovery: <record>
Password Encryption in CEPM
You must set a password value for some elements in the pep_config.xml file, for example the PDP authentication password and the PAP authentication password. The password values must be entered in encrypted form.
To encrypt the password value:
Step 1 Go to the \<CEPM_HOME>\installer\bin\ folder, which contains the encryptor.bat (Windows) and encryptor.sh (Solaris/Linux) scripts.
Step 2 Run the following command in the console:
•For Windows:
encryptor.bat JAVA_HOME <password>
•For Solaris/Linux:
encryptor.sh JAVA_HOME <password>
JAVA_HOME is the environment variable that contains the location of the Java Runtime Environment (JRE) home directory. <password> is the password to be encrypted.
When this command is run, the encrypted password is displayed on the console.
Note The password is passed as a command-line argument, so it can remain in the console history and is visible in the process list while the command runs. Also, because the encryptor takes no key of its own, anyone with access to the CEPM installation can recover the plaintext from the encrypted value; treat pep_config.xml as a secret and restrict read access to it to the account that runs the PEP.
Step 3 Copy the encrypted password and paste it as the value for the appropriate <password> element in the pep_config.xml file.
Case Sensitivity
The configuration values are not case sensitive (except for Java class names, user names, passwords, and file paths). For example, the values Oracle, oracle, and ORACLE are considered the same by the PDP.
Elements of pep_config.xml File
The following is a sample pep_config.xml file (in this sample the SOAP and RMI PDP entries are commented out and only the HTTP PDP is active):
<pep_config version="3.0">
  <cache decisionCacheEnabled="true" cacherefreshtype="onlyupdated" decisionsOnly="false"
         provider="net.securent.pep.cache.CacheProvider"
         implementor="net.securent.admin.sdk.cache.impl.JBossCache"
         eventProvider="net.securent.pep.event.EventProvider">
    <type>TTL</type>
    <refresh enable="true">INVALIDATE</refresh>
    <interval>20</interval>
    <prefetch enable="false" type="user" bulkUsersPerRequest="10">
      <prefetchForApis>
        <api name="isUserAccessAllowed"></api>
      </prefetchForApis>
      <!-- Selective prefetch for configured Groups, Roles, Resources entities -->
      <groups>
        <!-- FQN of GroupName -->
        <!--<group>SampleGroup:SampleApplication:Group1</group>-->
      </groups>
      <roles>
        <!--<role>SampleGroup:SampleApplication:Role1</role>-->
        <!--<role>SampleGroup:SampleApplication:Role2</role>-->
      </roles>
      <resources>
        <!-- FQN of ResourceName -->
        <!--<resource>SampleGroup:SampleApplication:Res1</resource>-->
      </resources>
    </prefetch>
    <applicationgroup>Prime group</applicationgroup>
    <application>Prime portal</application>
  </cache>
  <logs enable="false" records="100" logsTTL="10"/>
  <loadbalance enabled="true">
    <algorithm>roundrobin</algorithm>
    <refreshtime>10</refreshtime>
    <timeout>10000</timeout>
    <maxconnectionsperhost>10</maxconnectionsperhost>
    <maxtotalconnections>1000</maxtotalconnections>
  </loadbalance>
  <pdps>
    <!-- SOAP PDP (commented out)
    <pdp>
      <protocol>soap</protocol>
      <username>admin</username>
      <password>h1BYu+lcwcM=</password>
      <url>http://host:port/pdp/services/AuthorizationService</url>
      <timeout>1000</timeout>
    </pdp>
    -->
    <pdp>
      <protocol>http</protocol>
      <username>admin</username>
      <password>h1BYu+lcwcM=</password>
      <url>http://host:port/pdp/AuthorizationEndPoint</url>
      <responsetype>Object</responsetype>
      <timeout>1000</timeout>
    </pdp>
    <!-- RMI PDP (commented out)
    <pdp>
      <protocol>rmi</protocol>
      <username>admin</username>
      <password>h1BYu+lcwcM=</password>
      <url>rmi://host:10002/pdpObj</url>
      <timeout>1000</timeout>
    </pdp>
    -->
  </pdps>
  <http-proxy>
    <host></host>
    <port></port>
  </http-proxy>
  <apis>
    <api>
      <url>http://host:port/cepm</url>
      <username>superuser</username>
      <password>h1BYu+lcwcM=</password>
      <repositoryname>Default Domain</repositoryname>
    </api>
  </apis>
  <adapters>
    <soap>net.securent.pep.soap.SoapTransportAdaptor</soap>
    <rmi>net.securent.pep.rmi.RMITransportAdaptor</rmi>
    <http>net.securent.pep.http.HttpTransportAdaptor</http>
    <java>net.securent.pep.java.JavaTransportAdaptor</java>
    <https>net.securent.pep.http.HttpTransportAdaptor</https>
  </adapters>
  <record>false</record>
</pep_config>
<cache>
Note CEPM introduces the policy cache, a high-performance caching mechanism that replaces the decision cache. The policy cache is now the default caching mechanism, and CEPM strongly recommends using it instead of the decision cache. Refer to the CEPM Policy Cache Guide and the CEPM PDP Configuration Guide for information on how to configure the policy cache.
The <cache> element provides the configuration parameters that enable caching on the PEP side.
<loadbalance>
When the enabled attribute is set to true, the PEP component load-balances its requests across the PDPs listed in the <pdps> element. If it is set to false, the load-balancing mechanism is not used.
Note When multiple PDPs are associated with a single PEP, the load-balancing mechanism can be used. For more information about the load-balancing mechanism in the PEP, refer to the Cisco Enterprise Policy Manager Developer Guide.
The <loadbalance> element contains the following subelements:
•<algorithm>—This element decides the type of algorithm to run while the load-balancing mechanism is implemented. Set this value to roundrobin.
•<refreshtime>—This element sets the interval (in minutes) after which the PEP checks the status of all the PDPs configured in the <pdps> element and refreshes its cache with each PDP's status (active or inactive).
•<timeout>—This element sets how long (in milliseconds) the PEP waits for a response from a PDP when checking its status. For example, if the value is set to 1000 and the PEP does not receive a response to its status request within 1000 milliseconds, the PEP marks that PDP as inactive in its own cache.
•<maxconnectionsperhost>—This element sets the default maximum number of connections allowed to a given host.
•<maxtotalconnections>—This element sets the maximum number of connections allowed for the connection manager.
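The following simulation is an added example, not code from this guide or from the CEPM PEP itself, showing how the three settings above interact: round-robin selection over the PDPs listed in <pdps>, status probes that mark a PDP inactive when it does not answer within <timeout> milliseconds, and a status cache that is only rebuilt every <refreshtime> minutes, so a PDP that starts timing out keeps receiving requests until the next refresh. The PDP URLs, the probe latencies and the fake clock are constructed for the example; the PEP's real selection code is not documented here.

```python
"""Simulation of PEP load balancing across PDPs (added example, not CEPM code)."""
import itertools
import time

# Constructed PDP endpoints in the form the guide's sample uses.
PDP1 = "http://pdp1.example.test:8080/pdp/AuthorizationEndPoint"
PDP2 = "http://pdp2.example.test:8080/pdp/AuthorizationEndPoint"
PDP3 = "http://pdp3.example.test:8080/pdp/AuthorizationEndPoint"


class PdpPool:
    """Round-robin over the <pdp> entries, with the active/inactive status
    cache described for <loadbalance>: <timeout> is in milliseconds and
    <refreshtime> in minutes, as in the guide."""

    def __init__(self, urls, probe, timeout_ms=10000, refreshtime_min=10,
                 clock=time.monotonic):
        self.urls = list(urls)
        self.probe = probe           # probe(url) -> latency in ms, or None if no answer
        self.timeout_ms = timeout_ms
        self.refresh_s = refreshtime_min * 60
        self.clock = clock
        self.status = {}             # url -> True (active) / False (inactive)
        self._rr = itertools.cycle(self.urls)
        self.refresh()

    def refresh(self):
        """Probe every PDP and rebuild the cached status."""
        for url in self.urls:
            latency = self.probe(url)
            self.status[url] = latency is not None and latency <= self.timeout_ms
        self.last_refresh = self.clock()

    def next_pdp(self):
        """Return the next PDP in round-robin order, skipping inactive ones."""
        if self.clock() - self.last_refresh >= self.refresh_s:
            self.refresh()
        if not any(self.status.values()):
            raise RuntimeError("no active PDP: every probe failed or timed out")
        while True:                  # terminates because at least one PDP is active
            url = next(self._rr)
            if self.status[url]:
                return url


class FakeClock:
    """Lets the demo cross the <refreshtime> interval without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three observations: normal rotation, stale status, refreshed status."""
    latency = {PDP1: 40, PDP2: 60, PDP3: None}       # constructed; PDP3 never answers
    clock = FakeClock()
    pool = PdpPool([PDP1, PDP2, PDP3], lambda u: latency[u],
                   timeout_ms=10000, refreshtime_min=10, clock=clock)
    rotation = [pool.next_pdp() for _ in range(4)]   # PDP3 is skipped from the start
    latency[PDP2] = 15000                             # PDP2 now exceeds <timeout>
    stale = [pool.next_pdp() for _ in range(2)]       # cache not refreshed: PDP2 still used
    clock.advance(10 * 60)                            # <refreshtime> has elapsed
    fresh = [pool.next_pdp() for _ in range(3)]       # PDP2 is now marked inactive
    return rotation, stale, fresh


if __name__ == "__main__":
    print(demo())
```

The stale phase is the practical point: with refreshtime set to 10 minutes, a PDP that starts exceeding the timeout still receives its share of requests for up to 10 minutes, so a short refreshtime is the knob that limits how long failed requests go to a degraded PDP.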
Sample <loadbalance> Element Configuration
<loadbalance enabled="true">
  <algorithm>roundrobin</algorithm>
  <refreshtime>10</refreshtime>
  <timeout>10000</timeout>
  <maxconnectionsperhost>10</maxconnectionsperhost>
  <maxtotalconnections>1000</maxtotalconnections>
</loadbalance>
<pdps>
The <pdps> element contains the configuration details for all the PDPs that are to be referenced from the PEP component. Each PDP configuration needs to be provided in a separate <pdp> element.
The following <pdp> subelements must be configured for each PDP entry:
•<protocol>—This element specifies the protocol for PEP-PDP communication. It can use one of the four protocol values: HTTP, SOAP, JAVA, or RMI.
•<username>—This element specifies the user name value to connect to the PDP.
•<password>—This element specifies the encrypted password value for the user name. For more details about password encryption, refer to "Password Encryption in CEPM".
•<url>—This element specifies the URL of the PDP service.
•<responsetype>—This element specifies whether the PDP response is handled as Object or XML.
The <responsetype> value must be the same in pdp_config.xml and pep_config.xml. For example, if the value is set to Object in pep_config.xml, the corresponding element in pdp_config.xml must also be set to Object; the same applies to XML.
•<timeout>—This element specifies the time interval (in seconds) for which the PEP waits for a response from the PDP. If the PEP does not receive a response within this interval, it treats the request as an error.
Sample <pdps> Element Configuration
<pdps>
  <!-- SOAP Protocol -->
  <pdp>
    <protocol>soap</protocol>
    <username>admin</username>
    <password>h1BYu+lcwcM=</password>
    <url>http://host:port/pdp/services/AuthorizationService</url>
    <responsetype>Object</responsetype>
    <timeout>1000</timeout>
  </pdp>
  <!-- HTTP Protocol -->
  <pdp>
    <protocol>http</protocol>
    <username>admin</username>
    <password>h1BYu+lcwcM=</password>
    <url>http://host:port/pdp/AuthorizationEndPoint</url>
    <maxconnectionsperhost>10</maxconnectionsperhost>
    <maxtotalconnections>1000</maxtotalconnections>
    <responsetype>Object</responsetype>
    <timeout>1000</timeout>
  </pdp>
  <!-- RMI Protocol -->
  <pdp>
    <protocol>rmi</protocol>
    <username>admin</username>
    <password>h1BYu+lcwcM=</password>
    <url>rmi://host:10002/pdpObj</url>
    <responsetype>Object</responsetype>
    <timeout>1000</timeout>
  </pdp>
</pdps>
<http-proxy>
The <http-proxy> element contains the configuration details for the proxy server.
Note If a proxy server is not used, leave both child elements empty, as in the sample below.
The following <http-proxy> subelements must be configured to connect to the proxy-server:
•<host>—This element contains the machine IP address of the proxy server.
•<port>—This element contains the port number for the proxy service.
Sample <http-proxy> Element Configuration
<http-proxy>
  <host></host>
  <port></port>
</http-proxy>
<apis>
The <apis> element contains the configuration details of the PAP server. These values are used by the PEP API to access the PAP application.
The following subelements of the <apis> element must be configured to access the PAP server:
•<url>—This element contains the URL of the PAP server.
•<username>—This element contains the user name to connect to the PAP server.
•<password>—This element contains the encrypted password for the defined user. For more details about password encryption, refer to "Password Encryption in CEPM".
•<repositoryname>—This element contains the name of the repository to connect in the PAP server.
Sample <apis> Element Configuration
<apis>
  <api>
    <url>http://host:port/cepm</url>
    <username>superuser</username>
    <password>h1BYu+lcwcM=</password>
    <repositoryname>Default Domain</repositoryname>
  </api>
</apis>
<logs>
The <logs> element contains:
•enable attribute—Set to true or false. If it is set to true, the requests and responses served from the PEP cache are written to the runtime logs.
•records attribute—The number of log records that the PEP stores in each separate log file.
•logsTTL attribute—The interval (in seconds) at which the PEP writes its log records. For example, to write the cached entries every 10 seconds, set the value to 10.
For example, with records="20" and logsTTL="10", the PEP writes 20 records per log file and flushes the log every 10 seconds.
Sample <logs> Element Configuration
<logs enable="false" records="20" logsTTL="10"/>
<adapters>
The <adapters> element contains the list of protocol-specific adapters that the PEP application can use to access the PDPs. The PEP supports adapters for SOAP, RMI, HTTP, HTTPS, and JAVA.
The following <adapters> subelements must be configured to use the appropriate protocol-specific adapter for accessing PDPs:
•<soap>—This tag contains the name of SOAP adapter.
•<rmi>—This tag contains the name of the RMI adapter.
•<http>—This tag contains the name of HTTP adapter.
•<java>—This tag contains the name of JAVA adapter, which is used for the in-process PDP configuration.
•<https>—This tag contains the name of HTTPS adapter.
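The following validator is an added example, not part of this guide or of the CEPM product, that applies the rules given in the <pdps>, <http-proxy>, <apis> and <adapters> sections to a pep_config.xml before it is deployed: every <pdp> has its required subelements and a transport class for its protocol, <responsetype> is Object or XML, <timeout> is a positive integer, proxy host and port are set together or both empty, several PDPs without load balancing are flagged, and <password> values look like encryptor output rather than plaintext. Two things are assumptions rather than rules stated by the guide: the password test (base64 of whole 8-byte blocks, modelled on the sample value h1BYu+lcwcM=) and the URL scheme expected for each protocol (inferred from the sample URLs). The host names and the two embedded configuration files are constructed for the example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Values named in the guide. Matching is case-insensitive because the guide
# says configuration values are (class names, credentials and paths excepted).
PDP_PROTOCOLS = {"http", "https", "soap", "java", "rmi"}
RESPONSE_TYPES = {"object", "xml"}
REQUIRED_PDP = ("protocol", "username", "password", "url", "timeout")
REQUIRED_API = ("url", "username", "password", "repositoryname")
# Assumption: URL scheme per protocol, inferred from the guide's sample URLs.
EXPECTED_SCHEME = {"http": "http", "https": "https", "soap": "http", "rmi": "rmi"}


def _text(parent, path):
    el = parent.find(path)
    return None if el is None else (el.text or "").strip()


def looks_encrypted(value):
    """Heuristic (assumption): encryptor output is base64 of whole 8-byte cipher
    blocks, like the sample 'h1BYu+lcwcM='. Plaintext such as 'admin' fails."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 8 == 0


def validate_pep_config(xml_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    out = []
    root = ET.fromstring(xml_text)
    # <adapters>: protocol -> transport class; every <pdp> protocol needs one.
    adapters = {a.tag.lower(): (a.text or "").strip() for a in root.findall("adapters/*")}
    # <pdps>: one <pdp> per PDP with the subelements the guide lists.
    pdps = root.findall("pdps/pdp")
    if not pdps:
        out.append(("error", "no active <pdp> under <pdps> (all commented out?)"))
    for i, pdp in enumerate(pdps, 1):
        out += [("error", f"pdp[{i}]: missing <{t}>") for t in REQUIRED_PDP if not _text(pdp, t)]
        proto = (_text(pdp, "protocol") or "").lower()
        if proto not in PDP_PROTOCOLS:
            out.append(("error", f"pdp[{i}]: unknown protocol {proto!r}"))
        elif not adapters.get(proto):
            out.append(("error", f"pdp[{i}]: protocol {proto!r} has no <adapters> class"))
        scheme = urlparse(_text(pdp, "url") or "").scheme.lower()
        if proto in EXPECTED_SCHEME and scheme != EXPECTED_SCHEME[proto]:
            out.append(("warn", f"pdp[{i}]: protocol {proto!r} but URL scheme {scheme!r}"))
        rtype = _text(pdp, "responsetype")
        if rtype is not None and rtype.lower() not in RESPONSE_TYPES:
            out.append(("error", f"pdp[{i}]: <responsetype> must be Object or XML, got {rtype!r}"))
        t = _text(pdp, "timeout") or ""
        if not (t.isdigit() and int(t) > 0):
            out.append(("error", f"pdp[{i}]: <timeout> must be a positive integer"))
        pw = _text(pdp, "password")
        if pw and not looks_encrypted(pw):
            out.append(("error", f"pdp[{i}]: <password> is not encryptor output (plaintext?)"))
    # <loadbalance>: the guide uses it when several PDPs serve one PEP.
    lb = root.find("loadbalance")
    if len(pdps) > 1 and not (lb is not None and lb.get("enabled", "").lower() == "true"):
        out.append(("warn", "several <pdp> entries but <loadbalance> is not enabled"))
    # <http-proxy>: both children empty (no proxy) or both set.
    host, port = _text(root, "http-proxy/host") or "", _text(root, "http-proxy/port") or ""
    if bool(host) != bool(port):
        out.append(("error", "<http-proxy> needs both <host> and <port>, or both empty"))
    elif port and not (port.isdigit() and 0 < int(port) < 65536):
        out.append(("error", f"<http-proxy>/<port> {port!r} is not a valid port"))
    # <apis>: PAP connection, same password rule as for the PDPs.
    for i, api in enumerate(root.findall("apis/api"), 1):
        out += [("error", f"api[{i}]: missing <{t}>") for t in REQUIRED_API if not _text(api, t)]
        pw = _text(api, "password")
        if pw and not looks_encrypted(pw):
            out.append(("error", f"api[{i}]: <password> is not encryptor output (plaintext?)"))
    return out


# Constructed inputs: a clean file and one with typical mistakes.
GOOD_CONFIG = """<pep_config version="3.0"><loadbalance enabled="true"><algorithm>roundrobin</algorithm></loadbalance>
<pdps><pdp><protocol>http</protocol><username>admin</username><password>h1BYu+lcwcM=</password>
<url>http://pdp1.example.test:8080/pdp/AuthorizationEndPoint</url><responsetype>Object</responsetype><timeout>1000</timeout></pdp>
<pdp><protocol>https</protocol><username>admin</username><password>h1BYu+lcwcM=</password>
<url>https://pdp2.example.test:8443/pdp/AuthorizationEndPoint</url><responsetype>XML</responsetype><timeout>1000</timeout></pdp></pdps>
<http-proxy><host></host><port></port></http-proxy>
<apis><api><url>http://pap.example.test:8080/cepm</url><username>superuser</username><password>h1BYu+lcwcM=</password><repositoryname>Default Domain</repositoryname></api></apis>
<adapters><http>net.securent.pep.http.HttpTransportAdaptor</http><https>net.securent.pep.http.HttpTransportAdaptor</https></adapters>
<record>false</record></pep_config>"""

BAD_CONFIG = """<pep_config version="3.0"><loadbalance enabled="false"/>
<pdps><pdp><protocol>soap</protocol><username>admin</username><password>admin</password>
<url>rmi://pdp1.example.test:10002/pdpObj</url><timeout>1000</timeout></pdp>
<pdp><protocol>rmi</protocol><username>admin</username><password>h1BYu+lcwcM=</password>
<url>rmi://pdp2.example.test:10002/pdpObj</url><timeout>1000</timeout></pdp></pdps>
<http-proxy><host>192.0.2.10</host><port></port></http-proxy>
<apis><api><url>http://pap.example.test:8080/cepm</url><username>superuser</username><password>h1BYu+lcwcM=</password><repositoryname>Default Domain</repositoryname></api></apis>
<adapters><soap>net.securent.pep.soap.SoapTransportAdaptor</soap></adapters><record>false</record></pep_config>"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_pep_config(cfg) or "clean")
```

Run it against the real file with validate_pep_config(open("pep_config.xml").read()); the plaintext-password check is the one most worth keeping in a deployment pipeline, since a password pasted unencrypted into <password> is silently accepted by the file format.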
Sample <adapters> Element Configuration
<adapters>
  <!-- SOAP -->
  <soap>net.securent.pep.soap.SoapTransportAdaptor</soap>
  <!-- RMI -->
  <rmi>net.securent.pep.rmi.RMITransportAdaptor</rmi>
  <!-- HTTP -->
  <http>net.securent.pep.http.HttpTransportAdaptor</http>
  <!-- JAVA -->
  <java>net.securent.pep.java.JavaTransportAdaptor</java>
  <!-- HTTPS -->
  <https>net.securent.pep.http.HttpTransportAdaptor</https>
</adapters>
<record>
The <record> element value can be set to either true or false.
If this value is set to true, when a resource is accessed in the protected application, the resource is automatically created in the PAP under the configured application group and application (the <applicationgroup> and <application> values shown in the sample file).
If you do not want to use the resource discovery functionality, set this value to false. Note that with discovery enabled, every resource name the application accesses is written to the PAP, so it is normally enabled only while resources are being modelled.
Sample <record> Element Configuration
<record>false</record>
Documentation Updates
Table 1 Updates to CEPM PEP Configuration Guide V3.3.1.0
Date           Description
June 10, 2010  Cisco Enterprise Policy Manager (EPM) Release 3.3.1.0. The following changes have been made to this document since Release 3.3.0.0:
               •<cache> tag description is purged
Related Documentation
•CEPM Policy Cache Guide V3.3.1.0
•CEPM Dotnet Agent Guide V3.3.1.0
•CEPM JAX-WS Agent Guide V3.3.1.0
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.