
Cisco Policy Administration Point

CEPM Patch Release Notes V3.3.1.0


Release Notes for Cisco Enterprise Policy Manager, Version 3.3.1.0


Document Number: OL-21368-01
Revised: December 23, 2011

Contents

Cisco Enterprise Policy Manager (CEPM) Version 3.3.1.0 is a minor release that is applied as a patch to CEPM Version 3.3.0.0. It introduces two new features, Policy Cache and Resource Groups, and resolves various internal and customer found defects. CEPM Version 3.3.1.0 must be applied over CEPM Version 3.3.0.0 only.

Features Optimized/Removed

What's New In This Release

Release Distribution

Supported Platform for CEPM Version 3.3.1.0

Installation Notes

Resolved Caveats

Known Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

Features Optimized/Removed

PDPServicesWSDL is deprecated in CEPM V3.3.0.0 and removed starting from CEPM V3.3.1.0. Use AuthorizationServiceWSDL instead.

What's New In This Release

CEPM Version 3.3.1.0 introduces the Resource Groups and Policy Cache features:

Resource Group

In CEPM, resources of a particular type can be grouped together so that entitlements can be managed for the group as a whole. A resource group is an individual entity of the same resource type as the resources that compose it.

A resource group can be one of two types: Adhoc or Rule Based. Adhoc creation lets the user select resources of the same resource type as the resource group to be members of the group. Rule-based creation lets the user specify a simple or complex rule; a resource is a member of the group when the rule evaluates to true for it.

Refer to Cisco Enterprise Policy Manager User Guide, Version 3.3.1.0 for more information on how to create, update, and delete resource groups and how to define policy on them.

Policy Cache

CEPM introduces Policy Cache, a framework that caches policy data so that policy evaluation can be done quickly in memory rather than sending every call to the database. The policy cache infrastructure (PDP application memory) provides better response times for access requests and improves application performance.

Refer to CEPM Policy Cache Guide for more information on the deployment scenarios and configuration details.

AuthorizationServiceWSDL

CEPM supports a new WSDL called AuthorizationServiceWSDL which replaces the PdpServiceWSDL. Refer to CEPM Java Developer Guide V3.3.1.0 for more information.


Note: PdpServiceWSDL, which was available in Version 3.3.0.0, is deprecated from Version 3.3.1.0.


Release Distribution

The following files are included in this patch distribution:

CEPM_Patch-v3.3.1.0GA.zip

CEPM_DotNetAgentV3.3.1.0GA_32b_NCache323.zip

CEPM_DotNetAgentV3.3.1.0GA_64b_NCache323.zip

CEPM_InProcessPDPV3.3.1.0GA.zip

CEPM_InProcessPDP_Unbundled_V3.3.1.0GA.zip

CEPM_PAPClient-V3.3.1.0GA_Unbun_withCommonsLog.zip

CEPM_PAPClient-V3.3.1.0GA_Unbun_withLog4jLog.zip

CEPM_PAPClient-V3.3.1.0GA_withCommonsLog.zip

CEPM_PAPClient-V3.3.1.0GA_withLog4jLog.zip

CEPM_PEPClient-V3.3.1.0GA_Unbun_withCommonsLog.zip

CEPM_PEPClient-V3.3.1.0GA_Unbun_withLog4jLog.zip

CEPM_PEPClient-V3.3.1.0GA_withCommonsLog.zip

CEPM_PEPClient-V3.3.1.0GA_withLog4jLog.zip

Supported Platform for CEPM Version 3.3.1.0

Table 1 lists the platform matrix for CEPM Version 3.3.1.0, that is, the supported combinations of operating systems, application servers, and databases. This matrix applies to this version only and may change in upcoming versions.

Table 1 Supported Platform for CEPM Version 3.3.1.0

Component                          Description
Operating System                   Windows2003, Linux
Database                           Oracle 10g, Oracle 11g, MS SQL 2005 Enterprise Edition
Application Server (PAP and PDP)   Weblogic 9.2, Tomcat 5.5, Websphere 6.1
Browser                            Mozilla Firefox 3, Internet Explorer 7


Installation Notes

The CEPM Version 3.3.1.0 patch must be applied on top of the last major CEPM release, Version 3.3.0.0. This section contains the installation information for CEPM Version 3.3.1.0.


Warning: This patch can only be applied once and cannot be run again directly. When you run the Version 3.3.1.0 patch for the first time, make sure that you apply it correctly.

Warning: Stop the CEPM server before applying this patch.

Applying CEPM Patch Version 3.3.1.0

The CEPM Version 3.3.1.0 build provides a fully automated installation process. Certain activities require manual interaction which is clearly stated in the respective steps. To apply this patch, use the following steps:


Step 1 Copy CEPM_Patch-v3.3.1.0GA.zip to CEPM_HOME, for example, .../CEPM-V3.3.0.0.

Step 2 Unzip CEPM_Patch-v3.3.1.0GA.zip. This creates a folder called Patch-v3.3.1.0GA within CEPM_HOME.

Step 3 Go to the .../CEPM-V3.3.0.0/Patch-v3.3.1.0GA folder and run the patch script:

For Windows: either double-click applyPatch.bat, or open a command window, go to this location, and run applyPatch.bat.

For LINUX/Solaris/AIX: from a terminal window, run the shell script with sh applyPatch.sh.

Step 4 Execute the database related scripts and the patch information scripts. To do this:

a. Open your respective DB editor configured for CEPM.

b. For Oracle—Execute the following SQL scripts from .../CEPM-V3.3.0.0/Patch-v3.3.1.0GA/sql/oracle folder in the same order as given below:

1. Migration-v3.3-3.3.1.0.SQL

2. Indexscript-v3.3.1.0.SQL

3. pap_wrapped.SQL

4. pdp_wrapped.SQL

5. VersionInfo.SQL

c. For MSSQL 2005—Execute the following SQL scripts from .../CEPM-V3.3.0.0/Patch-v3.3.1.0GA/sql/mssql folder in the same order as given below:

1. Migration-v3.3-3.3.1.0.SQL

2. pap.SQL

3. pdp.SQL

4. VersionInfo.SQL

Step 5 Configure the JMS Provider. Ignore this step if JMS Provider is already configured.


Note: It is mandatory to have the JMS Provider configured in the CEPM environment to support the Policy Cache feature.


CEPM supports ActiveMQ and Tibco JMS servers. To configure JMS, follow these steps:

a. Open the pap_config.xml file from ...CEPM_V3.3.0.0/config folder and update the following tags and their attributes:

Set the <sharedRepository> tag to false.

Update the <jms> tag in the following manner:

Update the <url> attribute with the IP address of the machine where the JMS server is running.

Update the <connectionFactory> attribute by replacing the existing value with one of the following values:

For ActiveMQ - org.apache.activemq.ActiveMQConnectionFactory

For Tibco - com.tibco.tibjms.TibjmsTopicConnectionFactory

Refer to CEPM PAP Configuration Guide V3.3.1.0 for more information on how to update the JMS tag in pap_config.xml file.

Save the file and close it.

b. Open the pdp_config.xml file from ...CEPM_V3.3.0.0/config/pdp folder and update the following tags and their attributes:

Set the <sharedRepository> tag to true if the PAP and the PDP are sharing a common repository. Set it to false if both of these components are using two different repositories.

Update the <url> and the <connectionFactory> attributes of the <jms> tag with the same value as mentioned in the pap_config.xml.

Refer to CEPM PDP Configuration Guide V3.3.1.0 for more information on how to update the JMS tag in pdp_config.xml file.

Save and close the file after making the changes.

Step 6 Deploy your respective WARs / EARs

a. For Tomcat:

If you are using Tomcat, delete the old WAR files (both cepm.war and pdp.war) from CEPM-V3.3.0.0/external/apache-tomcat-5.5.17/webapps

Delete the cepm and pdp folders under /CEPM-V3.3.0.0/external/apache-tomcat-5.5.17/webapps

Copy cepm.war and pdp.war from the /CEPM-V3.3.0.0/dist folder to CEPM-V3.3.0.0/external/apache-tomcat-5.5.17/webapps

Restart the server from /CEPM-V3.3.0.0/bin by executing startcepmgui.bat(sh).

b. For Weblogic:

From the Weblogic Administration Console, remove/delete the cepm and pdp applications.

Re-deploy the cepm.war and pdp.war from the /CEPM-V3.3.0.0/dist.

Restart the server.

c. For Websphere:

From the Websphere Administration Console, uninstall/delete cepm.ear

Re-install the cepm.ear (or pdp.ear) from /CEPM-V3.3.0.0/dist.

Restart the server.

Step 7 (Optional) Depending on your requirements, download and replace the following Clients or Agents:

PAP Client— Replace the existing PAP Client files with the following files:

CEPM_PAPClient-V3.3.1.0GA_Unbun_withCommonsLog.zip

CEPM_PAPClient-V3.3.1.0GA_Unbun_withLog4jLog.zip

CEPM_PAPClient-V3.3.1.0GA_withCommonsLog.zip

CEPM_PAPClient-V3.3.1.0GA_withLog4jLog.zip

PEP Client— Replace the existing PEP Client files with the following files:

CEPM_PEPClient-V3.3.1.0GA_Unbun_withCommonsLog.zip

CEPM_PEPClient-V3.3.1.0GA_Unbun_withLog4jLog.zip

CEPM_PEPClient-V3.3.1.0GA_withCommonsLog.zip

CEPM_PEPClient-V3.3.1.0GA_withLog4jLog.zip

Dotnet Agent— Replace the existing dotnet agent file with the following file:

CEPM_DotNetAgentV3.3.1.0GA_32b_NCache323.zip or CEPM_DotNetAgentV3.3.1.0GA_64b_NCache323.zip

InProcessPDP— Replace the existing InProcessPDP file with the following file:

CEPM_InProcessPDPV3.3.1.0GA.zip


Note: You must discard the existing versions of Clients or Agents before using the latest versions.
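A consistency check for the Step 5 settings that can be run before the server is restarted, added here as an example (not Cisco's code): it verifies the <sharedRepository> values and that both files name the same JMS URL and one of the two listed connection factories. The XML layout (settings read as attributes or child elements of <jms>), the sample files, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Connection factory class names listed in Step 5.
SUPPORTED_FACTORIES = {
    "org.apache.activemq.ActiveMQConnectionFactory",
    "com.tibco.tibjms.TibjmsTopicConnectionFactory",
}

# Constructed sample files; the element layout and URL form are assumptions.
PAP_SAMPLE = """<config>
  <sharedRepository>false</sharedRepository>
  <jms url="tcp://192.0.2.10:61616"
       connectionFactory="org.apache.activemq.ActiveMQConnectionFactory"/>
</config>"""
PDP_SAMPLE = """<config>
  <sharedRepository>true</sharedRepository>
  <jms><url>tcp://192.0.2.10:61616</url>
    <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
  </jms>
</config>"""

def _setting(parent, name):
    """Read a value stored as an attribute or as a child element."""
    if parent is None:
        return None
    value = parent.get(name) or parent.findtext(name)
    return value.strip() if value else None

def read_config(xml_text):
    """Extract the Step 5 settings from one configuration file."""
    root = ET.fromstring(xml_text)
    shared = root.findtext(".//sharedRepository")
    jms = root.find(".//jms")
    return {
        "sharedRepository": shared.strip().lower() if shared else None,
        "url": _setting(jms, "url"),
        "connectionFactory": _setting(jms, "connectionFactory"),
    }

def check_jms(pap_xml, pdp_xml, shared_repository):
    """Return findings; empty means consistent. shared_repository: PAP and PDP share one."""
    pap, pdp = read_config(pap_xml), read_config(pdp_xml)
    findings = []
    if pap["sharedRepository"] != "false":
        findings.append("pap_config.xml: sharedRepository must be false")
    expected = "true" if shared_repository else "false"
    if pdp["sharedRepository"] != expected:
        findings.append(f"pdp_config.xml: sharedRepository must be {expected}")
    for name, cfg in (("pap_config.xml", pap), ("pdp_config.xml", pdp)):
        if not cfg["url"]:
            findings.append(f"{name}: jms url is missing")
        if cfg["connectionFactory"] not in SUPPORTED_FACTORIES:
            findings.append(f"{name}: unsupported connectionFactory {cfg['connectionFactory']!r}")
    for key in ("url", "connectionFactory"):
        if pap[key] != pdp[key]:
            findings.append(f"jms {key} differs between pap_config.xml and pdp_config.xml")
    return findings
```

Calling check_jms with the text of the two real files and the deployment's repository arrangement returns a list of findings; an empty list means the settings agree with Step 5.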



Resolved Caveats

Table 2 contains the caveats resolved in this patch.

Table 2 Resolved caveats in CEPM Version 3.3.1.0

Bug ID       Description
CSCsz76889   Enhancement Request - Create Resource Groups
CSCsz46508   Runtimelogs.sql file is not updated.
CSCsz42968   PAP UI is slow.
CSCsz25709   isRoleAccessAllowed() API is throwing exception while using 3.3.0.84 .NET agent.
CSCta49316   .NET PEP assemblies cache provider looks for wrong file.
CSCsz25715   Cannot import XACML policies compliant xml file using Import API.
CSCsz37975   Special Characters as first letter for resources/entities.
CSCta59058   Special characters # $ ( ) < > ~ ' + / @ in context creation - need this in the first letter also a special character.
CSCte88931   isUserAccessAllowed() API is hitting the DB even though the PIP cache is enabled.
CSCtg04713   The DB PIP is throwing 'Concurrent Modification' exception.
CSCtg52519   JMS reconnect interval configured in the configuration files is not considered.
CSCtg62331   HTTP protocol is throwing 'Object reference not set' exception in .Net.
CSCtg62733   InProcesspdp is not able to create a topic as configured in pdp_config.xml file.
CSCtg70941   Home > Manage Entities > Users page is taking a long time to populate.
CSCth04198   InProcessPDP shows an exception when Policy cache is updated.
CSCth04938   TopicException is thrown in the PAP UI while testing the JMS server reconnect interval.


Known Caveats

Table 3 contains the known caveats that pertain to this release.

Table 3 Known Caveats in CEPM Version 3.3.1.0

Bug ID       Bug Description
CSCth07321   Unable to get the LDAP user details after entering valid inputs.
CSCth05120   NullPointer exception is thrown and wrong decisions are given for the first application attached to the PDP.
CSCtg29960   Modification in the entity types not getting reflected in the decisions.
             Any modification in the entity types (resource, group, user, etc.) is not reflected in the decisions unless updates are applied on the entities. For example, if a new action is added to a resource type and a decision for this new action is requested for a resource of this type, the decision for the new action will not be available. However, if the resource is refreshed or updated to reflect the new action, the decision will be available for the newly added action.
CSCtg20760   For .Net application, decisions are displayed in number format instead of the predefined format such as Permit, Deny, NotApplicable, and Indeterminate.
CSCtf86887   Unable to edit the attribute name in the Application Attributes in Home > Manage Entities > Application Attributes > Add/Update Application Attributes page.
CSCtf65282   Policy Inheritance is not working for actions of resource group.
CSCtf56143   Dataload is failing for Oracle 11g.
CSCsz78956   Issue in listing mapped users when mapped to Referenced Roles and Groups.
CSCsy53951   Issue in mapping user to reference roles.
CSCtg54171   Getting wrong decisions when setting casesensitive attribute to true in pdp_config.xml file.
CSCte54301   Getting JMSCONNECTIONFACTORY exception while starting the CEPM server.
CSCtc54078   The following APIs return wrong obligations for 1-level of child resource entitlements: getPermissibleResourcesForUser, getPermissibleResourcesForRoles, getPermissibleResourcesForGroups.
CSCtd64880   Not getting decisions after updating application with proper PDP.
CSCth17017   Issue in deleting all functionalities for PAP user other than the Superuser.
CSCth17229   Group based policies are not getting displayed in View Decisions page.
CSCtg30491   Able to create a Context under an Application which does not exist.
CSCtd60315   Issue with IExport API with migrated data from 3.2 to 3.3.
CSCtd74248   Repository is not getting deleted.
CSCtg59400   Deadlock issue while deleting the User type or role type or resource type in a multi threading manner.
CSCth18777   Getting decisions for the member resources after deleting the Rule-based Resource Group.
CSCtg06172   Getting wrong decision when policy is created and the decision is verified using API.


Related Documentation

The following documents are available with this release.

Table 4 List of Documents available with CEPM Version 3.3.1.0 

Document
Description and Location on Cisco.com

CEPM User Guide Version 3.3.1.0

Provides detailed information about various features and functionalities available in CEPM.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/User_Guide/CEPM_User_Guide_V3310.html

CEPM Install and Config Guide Version 3.3.1.0

Provides step-by-step instructions on how to install CEPM Components, such as Policy Administration Point (PAP) and Policy Decision Point (PDP), in various supported combinations of operating system, database, and application server.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Installation_Guide/Install_and_Config_Guide/CEPM_Install_and_Config_Guide_V3310.html

CEPM Quick Start Guide Version 3.3.1.0

Provides a quick, step-by-step procedure for starting up and using CEPM. This guide also walks you through the setup of a basic application and its resources, the securing of its resources with policies, and the testing of those policies.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Quick_Start_Guide/CEPM_Quick_Start_Guide_V3310.html

CEPM Concept Guide Version 3.3.1.0

Provides general information on CEPM architecture and entitlement management.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Concept_Guide/CEPM_Concept_Guide_V331.html

CEPM Resource Models Version 3.3.1.0

Describes concepts related to basic policy-based application entitlement which ensures that a subject accessing a resource (or invoking an action on a resource) is allowed or denied, based on attributes-based rules.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Resource_Models/CEPM_Resource_Models_V3310.html

CEPM Deployment and Capacity Planning Guide Version 3.3.1.0

Discusses the different deployment options that are possible using CEPM. It also recommends the database size depending on the parameters of the application that is being protected by CEPM.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Capacity_Planning_Guide/CEPM_Capacity_Planning_Guide.html

CEPM Policy Cache Guide Version 3.3.1.0

Provides various deployment scenarios and guidelines to configure the Policy Cache in CEPM.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Policy_Cache_Guide/EPMPolicyCacheGuide.html

CEPM Java Developers Guide Version 3.3.1.0

Provides guidelines for using the Policy Enforcement Point (PEP) and PAP APIs, and provides instructions for configuring the PEP agent and Java Server Page (JSP) tag libraries.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Developer_Guide/Java_Developer_Guide/CEPM_Java_Developers_Guide_V3310.html

CEPM Dotnet Developers Guide Version 3.3.1.0

Provides guidelines for using the PEP and PAP APIs, and provides instructions for configuring the PEP agent for Dotnet applications.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Developer_Guide/Dotnet_Developer_Guide/CEPM_Dotnet_Developers_Guide_v331.html

CEPM PAP Configuration Guide Version 3.3.1.0

Provides guidelines to configure the PAP configuration parameters available in pap_config.xml file.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Configuration_Guide/PAP_Config_Guide/CEPM_PAP_Configuration_Guide.html

CEPM PDP Configuration Guide Version 3.3.1.0

Provides guidelines to configure the PDP configuration parameters available in pdp_config.xml file.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Configuration_Guide/PDP_Config_Guide/EPMPDPConfigs_chap.html

CEPM PEP Configuration Guide Version 3.3.1.0

Provides guidelines to configure the PEP configuration parameters available in pep_config.xml file.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Configuration_Guide/PEP_Config_Guide/EPMPEPConfigs_chap.html

CEPM In-process PDP Deployment Guide V3.3.1.0

Provides step-by-step instructions for how to deploy the CEPM In-process PDP in a standalone application.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Configuration_Guide/Inprocess_PDP/EPMInPDPDeploy_chap.html

CEPM Dotnet Agent Guide Version 3.3.1.0

Provides step-by-step instructions for how to deploy the CEPM Dotnet Agent used by any .NET based application (either a desktop or a web-based application). It also describes the COM-wrapped agent, which is supported for VB, C++, and other Windows-based applications.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Agent/Dotnet_Agent/CEPM_Dotnet_Agent_Guide_V331.html

CEPM JAX-WS Agent Guide Version 3.3.1.0

Provides an overview about the CEPM JAX-WS Agent and explains the steps for configuring this agent in the applications running in Tomcat server and WebSphere Application Server.

Location on Cisco.com:

http://www.cisco.com/en/US/docs/security/epm/epm331/Agent/JAX-WS_Agent/CEPM_JAX-WS_Agent_Guide.html


Documentation Updates

Table 5 lists the changes made to this document since it was first released.

Table 5 Document Updates for Release Notes for Cisco Enterprise Policy Manager Version 3.3.0.0

Date               Change Summary
December, 2011     Added Features Optimized/Removed.
June 23, 2010      Cisco Enterprise Policy Manager (EPM) Release 3.3.1.0
October 7, 2009    AuthorizationServiceWSDL information is added in AuthorizationServiceWSDL.


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

