Release Notes for Cisco Enterprise Policy Manager, Version 3.3.1.0
Document Number: OL-21368-01
Revised: December 23, 2011
Contents
Cisco Enterprise Policy Manager (CEPM) Version 3.3.1.0 is a minor release that is applied as a patch to CEPM Version 3.3.0.0. It introduces two new features, Policy Cache and Resource Groups, and resolves various internal and customer-found defects. CEPM Version 3.3.1.0 must be applied over CEPM Version 3.3.0.0 only.
•Supported Platform for CEPM Version 3.3.1.0
•Obtaining Documentation and Submitting a Service Request
Features Optimized/Removed
•PDPServicesWSDL was deprecated in CEPM V3.3.0.0 and is removed starting from CEPM V3.3.1.0. AuthorizationService WSDL can be used instead.
What's New In This Release
CEPM Version 3.3.1.0 introduces the Resource Groups and Policy Cache features:
Resource Group
In CEPM, resources of a particular type can be grouped together so that entitlements can be managed for the group as a whole. A resource group is an individual entity of the same resource type as the resources that compose it.
A resource group can be one of two types: Adhoc or Rule Based. Adhoc creation allows the user to select resources of the same resource type as the resource group to be members of the group. Rule-based creation allows the user to specify a simple or complex rule that must evaluate to true for a resource to be a member of the group.
Refer to Cisco Enterprise Policy Manager User Guide, Version 3.3.1.0 for more information on how to create, update, and delete resource groups and how to define policy on them.
Policy Cache
CEPM introduces Policy Cache, a framework that caches policy data so that policy evaluation can be done quickly in memory rather than relegating all calls to the database. The policy cache infrastructure (PDP application memory) provides better response times to access requests and improves application performance.
Refer to CEPM Policy Cache Guide for more information on the deployment scenarios and configuration details.
AuthorizationServiceWSDL
CEPM supports a new WSDL called AuthorizationServiceWSDL which replaces the PdpServiceWSDL. Refer to CEPM Java Developer Guide V3.3.1.0 for more information.
Note PdpServiceWSDL, which was available in Version 3.3.0.0, is deprecated from Version 3.3.1.0.
Release Distribution
The following files are included in this patch distribution:
•CEPM_Patch-v3.3.1.0GA.zip
•CEPM_DotNetAgentV3.3.1.0GA_32b_NCache323.zip
•CEPM_DotNetAgentV3.3.1.0GA_64b_NCache323.zip
•CEPM_InProcessPDPV3.3.1.0GA.zip
•CEPM_InProcessPDP_Unbundled_V3.3.1.0GA.zip
•CEPM_PAPClient-V3.3.1.0GA_Unbun_withCommonsLog.zip
•CEPM_PAPClient-V3.3.1.0GA_Unbun_withLog4jLog.zip
•CEPM_PAPClient-V3.3.1.0GA_withCommonsLog.zip
•CEPM_PAPClient-V3.3.1.0GA_withLog4jLog.zip
•CEPM_PEPClient-V3.3.1.0GA_Unbun_withCommonsLog.zip
•CEPM_PEPClient-V3.3.1.0GA_Unbun_withLog4jLog.zip
•CEPM_PEPClient-V3.3.1.0GA_withCommonsLog.zip
•CEPM_PEPClient-V3.3.1.0GA_withLog4jLog.zip
Supported Platform for CEPM Version 3.3.1.0
Table 1 lists the platform matrix for CEPM Version 3.3.1.0, which covers the supported combinations of operating systems, application servers, and databases. This matrix applies to this version only and may be subject to change in upcoming versions.
Installation Notes
The CEPM Version 3.3.1.0 patch must be applied on top of the last major CEPM release, Version 3.3.0.0. This section contains the installation information for CEPM Version 3.3.1.0.
Warning This patch can only be applied once and cannot be run again directly. When you are running the Version 3.3.1.0 patch for the first time, make sure that you are applying it correctly.
Warning Stop the CEPM server before applying this patch.
Applying CEPM Patch Version 3.3.1.0
The CEPM Version 3.3.1.0 build provides a fully automated installation process. Certain activities require manual interaction which is clearly stated in the respective steps. To apply this patch, use the following steps:
Step 1 Copy CEPM_Patch-v3.3.1.0GA.zip to CEPM_HOME, for example, .../CEPM-V3.3.0.0.
Step 2 Unzip CEPM_Patch-v3.3.1.0GA.zip. This creates a folder called Patch-v3.3.1.0GA within CEPM_HOME.
Step 3 Go to .../CEPM-V3.3.0.0/Patch-v3.3.1.0GA folder and
•For Windows: either double-click on applyPatch.bat or open the command window, go to this location and run applyPatch.bat.
•For LINUX/Solaris/AIX: from the terminal window, run the shell file as - sh applyPatch.sh.
Step 4 Execute the database related scripts and the patch information scripts. To do this:
a. Open your respective DB editor configured for CEPM.
b. For Oracle—Execute the following SQL scripts from .../CEPM-V3.3.0.0/Patch-v3.3.1.0GA/sql/oracle folder in the same order as given below:
1. Migration-v3.3-3.3.1.0.SQL
2. Indexscript-v3.3.1.0.SQL
3. pap_wrapped.SQL
4. pdp_wrapped.SQL
5. VersionInfo.SQL
c. For MSSQL 2005—Execute the following SQL scripts from .../CEPM-V3.3.0.0/Patch-v3.3.1.0GA/sql/mssql folder in the same order as given below:
1. Migration-v3.3-3.3.1.0.SQL
2. pap.SQL
3. pdp.SQL
4. VersionInfo.SQL
Step 5 Configure the JMS Provider. Ignore this step if JMS Provider is already configured.
Note It is mandatory to have the JMS Provider configured in the CEPM environment to support the Policy Cache feature.
CEPM supports ActiveMQ and Tibco JMS servers. To configure JMS, follow these steps:
a. Open the pap_config.xml file from ...CEPM_V3.3.0.0/config folder and update the following tags and their attributes:
•Set the <sharedRepository> tag to false.
•Update the <jms> tag in the following manner:
–Update the <url> attribute with the IP address of the machine where the JMS server is running.
–Update the <connectionFactory> attribute by replacing the existing value with one of the following values:
•For ActiveMQ - org.apache.activemq.ActiveMQConnectionFactory
•For Tibco - com.tibco.tibjms.TibjmsTopicConnectionFactory
Refer to CEPM PAP Configuration Guide V3.3.1.0 for more information on how to update the JMS tag in pap_config.xml file.
–Save the file and close it.
b. Open the pdp_config.xml file from ...CEPM_V3.3.0.0/config/pdp folder and update the following tags and their attributes:
•Set the <sharedRepository> tag to true if the PAP and the PDP are sharing a common repository. Set it to false if both of these components are using two different repositories.
•Update the <url> and the <connectionFactory> attributes of the <jms> tag with the same value as mentioned in the pap_config.xml.
Refer to CEPM PDP Configuration Guide V3.3.1.0 for more information on how to update the JMS tag in pdp_config.xml file.
•Save and close the file after making the changes.
Step 6 Deploy your respective WARs / EARs
a. For Tomcat:
–If you are using Tomcat, delete the old WAR files (both cepm.war and pdp.war) from CEPM-V3.3.0.0/external/apache-tomcat-5.5.17/webapps
–Delete the cepm and pdp folders under /CEPM-V3.3.0.0/external/apache-tomcat-5.5.17/webapps
–Copy cepm.war and pdp.war from the /CEPM-V3.3.0.0/dist folder to CEPM-V3.3.0.0/external/apache-tomcat-5.5.17/webapps
–Restart the server from /CEPM-V3.3.0.0/bin by executing startcepmgui.bat(sh).
b. For Weblogic:
–From the Weblogic Administration Console, remove/delete the cepm and pdp applications.
–Re-deploy the cepm.war and pdp.war from the /CEPM-V3.3.0.0/dist.
–Restart the server.
c. For Websphere:
–From the Websphere Administration Console, uninstall/delete cepm.ear
–Re-install the cepm.ear (or pdp.ear) from /CEPM-V3.3.0.0/dist.
–Restart the server.
Step 7 (Optional) Depending on your requirements, download and replace the following Clients or Agents:
•PAP Client— Replace the existing PAP Client files with the following files:
–CEPM_PAPClient-V3.3.1.0GA_Unbun_withCommonsLog.zip
–CEPM_PAPClient-V3.3.1.0GA_Unbun_withLog4jLog.zip
–CEPM_PAPClient-V3.3.1.0GA_withCommonsLog.zip
–CEPM_PAPClient-V3.3.1.0GA_withLog4jLog.zip
•PEP Client— Replace the existing PEP Client files with the following files:
–CEPM_PEPClient-V3.3.1.0GA_Unbun_withCommonsLog.zip
–CEPM_PEPClient-V3.3.1.0GA_Unbun_withLog4jLog.zip
–CEPM_PEPClient-V3.3.1.0GA_withCommonsLog.zip
–CEPM_PEPClient-V3.3.1.0GA_withLog4jLog.zip
•Dotnet Agent— Replace the existing dotnet agent file with the following file:
–CEPM_DotNetAgentV3.3.1.0GA_32b_NCache323.zip or CEPM_DotNetAgentV3.3.1.0GA_64b_NCache323.zip
•InProcessPDP— Replace the existing InProcessPDP file with the following file:
–CEPM_InProcessPDPV3.3.1.0GA.zip
Note You must discard the existing versions of Clients or Agents before using the latest versions.
Resolved Caveats
Table 2 contains the caveats resolved in this patch.
Known Caveats
Table 3 contains the known caveats that pertain to this release.
Related Documentation
The following documents are available with this release.
Table 4 List of Documents available with CEPM Version 3.3.1.0
Document | Description and Location on Cisco.com
CEPM User Guide Version 3.3.1.0
Provides detailed information about various features and functionalities available in CEPM.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/User_Guide/CEPM_User_Guide_V3310.html
CEPM Install and Config Guide Version 3.3.1.0
Provides step-by-step instructions on how to install CEPM Components, such as Policy Administration Point (PAP) and Policy Decision Point (PDP), in various supported combinations of operating system, database, and application server.
Location on Cisco.com:
CEPM Quick Start Guide Version 3.3.1.0
Provides a quick, step-by-step procedure for starting up and using CEPM. This guide also walks you through the setup of a basic application and its resources, the securing of its resources with policies, and the testing of those policies.
Location on Cisco.com:
CEPM Concept Guide Version 3.3.1.0
Provides general information on CEPM architecture and entitlement management.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Concept_Guide/CEPM_Concept_Guide_V331.html
CEPM Resource Models Version 3.3.1.0
Describes concepts related to basic policy-based application entitlement which ensures that a subject accessing a resource (or invoking an action on a resource) is allowed or denied, based on attributes-based rules.
Location on Cisco.com:
CEPM Deployment and Capacity Planning Guide Version 3.3.1.0
Discusses the different deployment options that are possible using CEPM. It also recommends the database size depending on the parameters of the application that is being protected by CEPM.
Location on Cisco.com:
CEPM Policy Cache Guide Version 3.3.1.0
Provides various deployment scenarios and guidelines to configure the Policy Cache in CEPM.
Location on Cisco.com:
CEPM Java Developers Guide Version 3.3.1.0
Provides guidelines for using the Policy Enforcement Point (PEP) and PAP APIs, and provides instructions for configuring the PEP agent and Java Server Page (JSP) tag libraries.
Location on Cisco.com:
CEPM Dotnet Developers Guide Version 3.3.1.0
Provides guidelines for using the PEP and PAP APIs, and provides instructions for configuring the PEP agent for Dotnet applications.
Location on Cisco.com:
CEPM PAP Configuration Guide Version 3.3.1.0
Provides guidelines to configure the PAP configuration parameters available in pap_config.xml file.
Location on Cisco.com:
CEPM PDP Configuration Guide Version 3.3.1.0
Provides guidelines to configure the PDP configuration parameters available in pdp_config.xml file.
Location on Cisco.com:
CEPM PEP Configuration Guide Version 3.3.1.0
Provides guidelines to configure the PEP configuration parameters available in pep_config.xml file.
Location on Cisco.com:
CEPM In-process PDP Deployment Guide V3.3.1.0
Provides step-by-step instructions for how to deploy the CEPM In-process PDP in a standalone application.
Location on Cisco.com:
CEPM Dotnet Agent Guide Version 3.3.1.0
Provides step-by-step instructions for how to deploy the CEPM Dotnet Agent used by any .NET based application (either a desktop or a web-based application). It also describes the COM-wrapped agent, which is supported for VB, C++, and other Windows-based applications.
Location on Cisco.com:
CEPM JAX-WS Agent Guide Version 3.3.1.0
Provides an overview about the CEPM JAX-WS Agent and explains the steps for configuring this agent in the applications running in Tomcat server and WebSphere Application Server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm331/Agent/JAX-WS_Agent/CEPM_JAX-WS_Agent_Guide.html
Documentation Updates
Table 5 lists the changes made to this document since it was first released.
Table 5 Document Updates for Release Notes for Cisco Enterprise Policy Manager Version 3.3.0.0
Date | Change Summary
December, 2011
Added Features Optimized/Removed.
June 23, 2010
Cisco Enterprise Policy Manager (EPM) Release 3.3.1.0
October 7, 2009
AuthorizationServiceWSDL information is added in AuthorizationServiceWSDL.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
© 2010 Cisco Systems, Inc. All rights reserved.