Cisco Policy Enforcement Point

Table Of Contents

CEPM Axis Agent Guide

Contents

About This Document

Objective

Audience

Introduction

Setting Up Axis Agent in a Web Application

Resource Discovery (For Creating Web Services Resources) using wsdl in CEPM

Steps to Test StockQuote Sample with CEPM Axis Agent

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

CEPM Axis Agent Guide

---

Revised: July 13, 2009, Doc Part No: OL-19563-01

Contents

•About This Document

•Introduction

•Setting Up Axis Agent in a Web Application

•Resource Discovery (For Creating Web Services Resources) using wsdl in CEPM

•Steps to Test StockQuote Sample with CEPM Axis Agent

•Documentation Updates

•Related Documentation

•Obtaining Documentation and Submitting a Service Request

About This Document

Objective

This document gives the overview about the Axis Agent and explains the steps for setting up the Axis agent for the Web Application.

Audience

This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.

Introduction

The Axis Authorization Handler operates as a coarse-grained authorization module for the protection of any Axis web service. The handler is inserted in the request flow of a web application, in front of any resource that requires authorization protection. The handler examines every incoming Simple Object Access Protocol (SOAP) request. It extracts the client certificate and the optional policy and role parameters. It passes the subject and other optional parameters to the authorization manager, and it sends back the result of the authorization operation.

•In case of a positive reply, the handler includes a new property in the MessageContext. The MessageContext stores the value that is returned by the authorization manager and forwards the SOAP request to the next resource in the request flow.

•In case of a negative reply, the handler blocks and terminates the SOAP request by throwing an AxisFaultException and returns an error to the SOAP requester.

When a web-based application is using Axis Handler, which is integrated with Cisco Entitlement Policy Manager (CEPM), Axis Handler helps the Axis Agent to fine-grain the authorization module.

Figure 1 Axis Handler Flow

In Axis framework, while a user is trying to access a web application, the user is intercepted by an Axis Authorization Handler. This handler sends the authorization request to the Policy Enforcement Point (PEP) embedded within the same application. As a part of the CEPM features, the PEP forwards the request to the concerned Policy Decision Point(s) (PDP[s]). The PDP(s) authenticates the access permission and sends the decision to the PEP, which enables the user to access the requested application, based on the policy configured in the Policy Administation Point (PAP).

Setting Up Axis Agent in a Web Application

To set up Axis Agent in a web application, follow these steps:

---

Step 1 Unzip the distribution, CEPM_AXISAgentV3.3.0.0.zip, from distribution folder. In this document, the directory where this zip file is unzipped is referred to as the AXIS_HOME directory.

Step 2 Copy pep.jar, axishandler_agent.jar and CEPM_Commons.jar files to <sample_webservice>\WEB-INF\lib folder, where <sample_webservice> refers to the webservice to be protected by Axis Agent.

Step 3 Open the pep_config.xml file from <AXIS_HOME>\config\pep folder and update the following:

a. Provide endpoint of PDP server(s) in the <pdps> tag. If more than one PDP is configured for the protected application,mention the PDP endpoint details of each and every PDP in individual <pdp> tags under the <pdps> tag.

b. Provide endpoint of CEPM PAP API in the <api> tag in which the URL should be the IP address of the machine where the CEPM PAP is running. The other elements set the user credentials which should also be updated under this tag.

c. Update the <applicationgroup> tag with the name of the application group under which the protected applications and webservices are created.

d. Update the <application> tag with the name of the application under which the protected webservices are created as resources.

e. Update the <axis-web-service> tag in the following manner to accommodate the environmental variables to be included in the PEP API from SOAP request:

–If you want to add the environmental attributes (for example, xpath) in the PEP API, add the <environmentalAttribute> tag under the </axis-web-service> tag.

–Add xpath expression in the <xpath> tag under the <environmentalAttribute> tag in the following format:

<xpath 
key="key1">/soapenv:Envelope/soapenv:Header/EnvironmentVariables/KeyValues[key='ke
y1']/value/text()

</xpath>

You can add as many attributes in the <environmentalAttribute> tag.

Step 4 Configure the server-config.wsdd file that is located in <sample_webservice>\WEB-INF folder as follows:

a. In case of a specific web service, add the following code to the <service> tag of the web service that you want to authorize:

<requestFlow>

   <handler type="java:com.cisco.epm.agent.axis.CepmAuthorizationHandler"/>

</requestFlow>

b. In case of a multiple web services running in the same application server, add the preceding code to the <globalConfiguration> tag of the web service.

Step 5 Add the Java environmental variables CEPM_AGENT_CONFIG, log4j.configuration and CEPM_DECISION_CACHE_CONFIG to the java properties for specifying the directory path of pep_config.xml, logging.xml and jbosscache.xml files. For example:

-DCEPM_AGENT_CONFIG=<AXIS_HOME>\config\pep\pep_config.xml 
-Dlog4j.configuration=<AXIS_HOME>\config\logging\logging.xml 
-DCEPM_DECISION_CACHE_CONFIG=<AXIS_HOME>\config\jbosscache\jbosscache.xml

Step 6 Restart the application server.

Resource Discovery (For Creating Web Services Resources) using wsdl in CEPM

---

Step 1 Log in to CEPM, and choose Home > Manage Entities > Resources.

Step 2 Under the configured application, click Create Resources from External Sources.

Step 3 Choose Source Type as wsdl.

Step 4 Choose URL/FileName Type as URL. Enter the value for wsdl running in URL.

For example: http://host:port/TestService/services/StockQuoteService?wsdl.

Step 5 Click Create.

Step 6 Choose all the Operation Name and click Create. This creates all the resources under the specified application.

Steps to Test StockQuote Sample with CEPM Axis Agent

This distribution contains a sample StockQuote service which runs in Tomcat server.

---

Step 1 Copy TestService.war [StockQuote Service] from <AXIS_HOME> folder and deploy in Tomcat server.

Step 2 Follow the steps to configure CEPM Axis2 Agent.

Step 3 To set the variables CEPM_AGENT_CONFIG, log4j.configuration and CEPM_DECISION_CACHE_CONFIG, open <TOMCAT_HOME>\bin\catalina.bat file and set all the variables in JAVA_OPTS.

Step 4 Modify the pep_config.xml file:

•Update the application group and application tags as follows:

<cache 

			.

			.

	<applicationgroup>Prime group</applicationgroup>

	<application>StockQuote</application>

</cache>

•Add an <axis-web-service> tag as follows

<axis-web-service>

	<environmentalvariables>

		<xpath 
key="key1">/soapenv:Envelope/soapenv:Header/EnvironmentVariables/KeyValues/key1/text()	

		</xpath>

		<xpath 
key="key2">/soapenv:Envelope/soapenv:Header/EnvironmentVariables/KeyValues/key2/text()										

		</xpath>

	</environmentalvariables>

</axis-web-service>

Step 5 Start the CEPM and do the following tasks:

•Create a PDP.

•Create the applicationgroup 'Prime group' and application 'StockQuote' as specified in the pep_config.xml and associate the PDP.

Step 6 Run WSDL Resource Discovery in CEPM, under 'StockQuote' application.

URL: http://host:port/TestService/services/StockQuoteService?wsdl

Step 7 Open TestServiceClient [StockQuote Service Client] under <AXIS_HOME>, and find the testClient.bat file.

Step 8 To get the stock quote for the given stock symbol, run testClient.bat by passing five command line arguments.

a. Endpoint. For example:

http://host:port/TestService/services/StockQuoteService

b. UserName

c. stockSymbol [SUNW, MSFT or YHOO]

d. EnvironmentVariable key1

e. EnvironmentVariable key2

For Example:

testClient.bat http://localhost:8080/TestService/services/StockQuoteService Tom SUNW 
value1 value2

Step 9 Based on the permissions specified within CEPM:

•If the user 'Tom' is authorized to perform this operation, Result will be displayed.

•If the user 'Tom' is not authorized to perform this operation, a message will be displayed saying 'Tom' is not authorized to perform this operation.

---

Documentation Updates

Table 1 Updates to CEPM Axis Agent Guide

Date	Description
July 9, 2009	Minor edits and template/boilerplate updates for publication to Cisco.com
April 3, 2009	Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0

Related Documentation

CEPM_User_Guide_V3.3.0.0.pdf

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2009 Cisco Systems, Inc. All rights reserved