Release Notes for Cisco Enterprise Policy Manager, Version 3.3.0.0
Published: April 3, 2009
Revised: December 23, 2011
OL-19618-01
Introduction
These release notes provide information specific to Cisco Enterprise Policy Manager V3.3.0.0 and highlight the following items:
•New features are detailed in New Features.
•Major known issues that might be encountered when working with the product are detailed in Known Caveats.
Features Optimized/Removed
•PDPServicesWSDL is deprecated in CEPM V3.3.0.0 and removed starting from CEPM V3.3.1.0. Use the AuthorizationService WSDL instead.
New Features
This section describes the features added in Cisco Enterprise Policy Manager Version 3.3.0.0 and lists them by component.
General
•PAP UI Re-branding: The PAP UI is completely revamped with the following important changes:
–Menu, colors, and navigation are redesigned
–Product name is updated
–Logo is changed
–Color scheme is updated to match Cisco's style guides
Note After CEPM is installed, access the PAP UI by entering the following URL in the web browser: http://host:port/cepm
•Install and upgrade process: Installation of CEPM is now automated and can be performed through the command line using Install.bat(sh). Refer to the CEPM Installation and Configuration Guide V3.3.0.0 for installation and upgrade instructions.
CEPM installation and upgrade processes feature the following improvements:
–Versioning of all objects in the data model. Run the following query to get the object versions:
SELECT SEC_OBJECT_NAME, SEC_VERSION_NAME, SEC_CREATE_TIME, SEC_UPDATE_TIME FROM SEC_OBJECTS_INFO
–A version JSP in the WAR/EAR file, which has the version embedded. This JSP is automatically updated during an installation or upgrade process, including when customers apply hotfixes and patches or upgrade to a new major/minor release.
•Performance: The PDP performance of CEPM is enhanced which results in delivering improved application performance and scalability compared to earlier versions of the product.
Note CEPM highly recommends choosing HTTP over SOAP for better performance.
Policy Administration Point (PAP)
•More graceful policy migrations: CEPM now supports selective export of any data in the entitlement repository. Export can be performed for selected entities and entity types which are available in Home > Manage Entities > Import/Export page.
•Rules can be reused or shared: CEPM now supports configuring simple and complex rules which are reusable and sharable. Existing rules can be used in multiple policies. In addition to this, rules can also be shared or referenced in other rules.
•Status Bar in PAP: A 'Progress bar' is displayed for PAP features which take a long time to complete, such as import/export, create repository, and so on.
•Regular expressions in Rule Editor: CEPM now enables the PAP Administrator to configure rules using regular expression in the Rule Editor.
•Enhanced encryption capabilities: The PAP Administrator can make use of an external encryption scheme other than the default encryption facility provided by CEPM. Now third-party crypto modules can be plugged in to CEPM.
•Sybase PIP: CEPM supports Sybase database as a PIP. Sybase can be selected from the list of databases while creating a PIP in Home > System Config > External Attribute Sources > Application Attribute Sources page.
•Enable logs for resources: Now logging can be done at the resource level. While creating or updating a resource, logging can be enabled by selecting the 'Enable XACML Logs' checkbox.
•Simplified Search functionality: The Search Entity functionality for users, roles or groups in PAP UI is simplified. Entity types can be set as a search criteria for searching an entity. For example, in Home > Manage Entities > Users > List Users page, a user can be searched by a usertype.
•Mark attributes of entities mandatory: While creating an entity type (resource, role, group, etc.) the attributes can be marked as mandatory. For example, if a usertype 'Analyst' has an attribute called 'Age' which is marked as mandatory, then 'Age' must be provided while creating a user of type 'Analyst'.
•Sorting of application and resources names: Applications and resources are displayed in alphabetical order in the resource tree. This is default functionality, and the user cannot change the resource order.
•Only Allowed Resource for User/Role: CEPM enables viewing of 'Only allowed resources' for a user/group/role while auditing. For example, to view only allowed resources for a user, go to Home > Auditing & Reporting > Audit Entitlements > User page and select Only-Allowed-Resource from the Entitlement Type dropdown.
•Enumerate resource type attributes: 'Null' can be set as a default value while enumerating an entity type attribute. For example, a usertype 'Guest' has an attribute called 'ID' of type enum with values 30,31. While creating a user of type 'Guest', 'ID' can be set to null (blank), 30 or 31.
•Policy lookup: The CEPM PDP can now store policies applicable to a request in a readily accessible manner. Policies applicable to a combination of subject, role bundle, context and resource are stored in the policy or ACL table for easy look-up of the PDP. Policy administrators may start (and update) the policy table independent of a request processed by the PDP.
•Full tree context (FQN) is shown when the pointer is placed on a resource in the resource tree.
Policy Decision Point (PDP)
•Upgraded logging: CEPM now supports logging of requests and responses served from the PEP and PDP caches. As a result, log data written by the PEP can be viewed in the PDP.
•Caching support is extended for selected APIs: CEPM now supports caching for the following APIs (including all overloaded methods for each API):
–isUserAccessAllowed()
–getDecisions()
–isRoleAccessAllowed()
–isGroupAccessAllowed()
–getUsersAllowedForResource()
–getRolesAllowedForResource()
–getPermissibleResourcesForUser()
–getPermissibleResourcesForRoles()
–getPermissibleResourcesForGroups()
–getPermissibleActionsByResource()
–getGroupsAllowedForResource()
–getDecisionsWithRoles()
–getDecisisonsByResourceTypeForAnyAction()
–getDecisionsByResourceType()
–getDecisionsByAttributeValue()
–getDecisionForResources()
–getBulkDecisions()
•Retry PDP: When the databases (entitlement repository or external PIP) of a PDP become unresponsive (due to connection failure during query execution time), the PEP retries sending the request to the PDP after a specified time interval. This 'retry' time interval is set in the <retry> tag in the pdp_config.xml file. For example, assuming the retry value given in pdp_config.xml is X seconds and the timeout value given in pep_config.xml is Y seconds (where X < Y), when the PEP sends a request to the PDP and the PDP finds the database is down, it sends a retry message to the PEP conveying that it should resend the request after X seconds. The PEP resends the request to the PDP after X seconds. This process continues until the PEP gets a proper response. If the PEP does not get any response within the specified timeout interval (Y seconds), it throws an exception.
•PDP/PEP Prefetching from disk if available: If the cache is persisted to a local disk, when the PDP/PEP is restarted it can prefetch the data from the disk without contacting the entitlement database.
•Retrieval of PIP attributes when not used in rules: CEPM now supports return of PIP attributes even though they are not used in any rule. As a result, if a user is allowed for a resource, the PDP returns the user's additional attributes from an external DB source along with the response. This can be achieved by using the policy attributes.
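The retry handshake described under Retry PDP, as an added example that is not CEPM code: a hypothetical PDP answers either a decision or a RETRY message, a simulated clock replaces real waiting, and the retry interval X (the <retry> tag in pdp_config.xml) and PEP timeout Y (pep_config.xml) are plain parameters, with X < Y.

```python
"""Model of the CEPM V3.3.0.0 PEP->PDP retry handshake described above.

Added example, not CEPM code. It assumes a hypothetical PDP that answers
either a decision or a RETRY message, a simulated clock (no real sleeping),
and the two configured intervals: retry X seconds (pdp_config.xml <retry>)
and PEP timeout Y seconds (pep_config.xml), with X < Y.
"""
from dataclasses import dataclass, field


class PepTimeoutError(Exception):
    """Raised when the PEP gets no proper response within the timeout."""


@dataclass
class SimulatedPdp:
    """Hypothetical PDP whose entitlement DB is down until `down_until`."""
    retry_seconds: int            # X, from the <retry> tag in pdp_config.xml
    down_until: float             # simulated time at which the DB recovers
    calls: list = field(default_factory=list)   # send times seen, for inspection

    def evaluate(self, now, request):
        self.calls.append(now)
        if now < self.down_until:
            # DB unreachable during query execution: ask the PEP to resend after X s
            return {"status": "RETRY", "after": self.retry_seconds}
        return {"status": "DECISION", "decision": "PERMIT"}


def pep_send_with_retry(pdp, request, timeout_seconds):
    """Resend the request every X seconds until a decision arrives or Y elapses.

    Returns (decision, attempts); raises PepTimeoutError if Y seconds pass
    without a proper response.
    """
    clock = 0.0          # simulated seconds since the first send
    attempts = 0
    while True:
        attempts += 1
        response = pdp.evaluate(clock, request)
        if response["status"] == "DECISION":
            return response["decision"], attempts
        clock += response["after"]       # RETRY: next send is X seconds later
        if clock >= timeout_seconds:
            raise PepTimeoutError(
                f"no response within {timeout_seconds}s after {attempts} attempts")


if __name__ == "__main__":
    req = {"user": "alice", "resource": "app1/reports", "action": "view"}
    # DB recovers at t=7s, X=3: sends at t=0,3,6,9 -> decision on the 4th attempt
    print(pep_send_with_retry(SimulatedPdp(3, 7), req, timeout_seconds=20))
    # DB still down, Y=10: sends at t=0,3,6,9, next would be t=12 -> exception
    try:
        pep_send_with_retry(SimulatedPdp(3, 60), req, timeout_seconds=10)
    except PepTimeoutError as exc:
        print("timeout:", exc)
```

The point to check in a real deployment is the same one the model makes visible: with X < Y the PEP gets several attempts before giving up, whereas X >= Y means the first RETRY already exhausts the timeout.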
Policy Enforcement Point (PEP)
•Enhanced prefetch and cache refresh APIs to accept additional NV Pairs: CEPM now implements a smart and selective prefetch mechanism. This allows customers to selectively prefetch based on configured groups, roles or resource for a user. Prefetching can also be done based on the environmental mappings defined in message attributes. The message attributes can be key-value pairs, rolebundles, contexts or any entity attributes. This feature is configurable in pep_config.xml file.
•Enhanced debug logging: The PEP logging functionality is enhanced by including different log levels such as ERROR, INFO, and so on, to give enough detail to determine the root cause of failures/errors within the PEP.
•Enhanced getUsersAllowedForResource() API: The getUsersAllowedForResource() API is enhanced to return inherited policies. This API can now return users belonging to the parent resource, even if its child resource is passed as the input parameter. For example, Mary is mapped to Role1, and Role1 has an allow policy on a resource Parent1, which in turn has a child resource Child1. Here, this method returns Mary even if Child1 is passed as the resource name.
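The inheritance behaviour of getUsersAllowedForResource() described above, as an added example that is not CEPM code: a hypothetical in-memory entitlement store where an allow policy on a parent resource applies to all of its descendants, with the Mary/Role1/Parent1/Child1 data from the text constructed as sample input.

```python
"""Model of the inherited-policy behaviour of getUsersAllowedForResource().

Added example, not CEPM code: a hypothetical in-memory entitlement store in
which an allow policy on a parent resource applies to all of its descendants.
"""
from collections import defaultdict


class EntitlementStore:
    def __init__(self):
        self.parent = {}                    # resource -> parent resource
        self.role_users = defaultdict(set)  # role -> users mapped to it
        self.allow = defaultdict(set)       # resource -> roles with an allow policy

    def add_resource(self, name, parent=None):
        self.parent[name] = parent

    def map_user_to_role(self, user, role):
        self.role_users[role].add(user)

    def add_allow_policy(self, role, resource):
        self.allow[resource].add(role)

    def ancestors_and_self(self, resource):
        """Walk from the resource up to the application root."""
        chain = []
        while resource is not None:
            chain.append(resource)
            resource = self.parent[resource]
        return chain

    def get_users_allowed_for_resource(self, resource):
        """Users allowed on `resource` directly or through any ancestor."""
        users = set()
        for node in self.ancestors_and_self(resource):
            for role in self.allow[node]:
                users |= self.role_users[role]
        return sorted(users)


def build_sample_store():
    """Constructed sample: Mary -> Role1, Role1 allowed on Parent1, Child1 under Parent1."""
    store = EntitlementStore()
    store.add_resource("App1")
    store.add_resource("Parent1", parent="App1")
    store.add_resource("Child1", parent="Parent1")
    store.add_resource("Sibling1", parent="App1")
    store.map_user_to_role("Mary", "Role1")
    store.map_user_to_role("Bob", "Role2")
    store.add_allow_policy("Role1", "Parent1")
    store.add_allow_policy("Role2", "Child1")   # direct policy on the child
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.get_users_allowed_for_resource("Child1"))    # ['Bob', 'Mary']
    print(s.get_users_allowed_for_resource("Sibling1"))  # []
```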
Database
Note CEPM V3.3.0.0 does not support IBM DB2.
•Multi-site synchronization of Entitlement Repository: CEPM now supports multi-site synchronization for Oracle and MSSQL databases. With the help of this feature, two or more sites can be deployed, each with active PDPs, PAPs and local entitlement repositories, across global data centers and the administrators of each site can make changes to policies and data.
•Primary keys are added for all database tables to support database replication. This feature is implemented in all CEPM supported databases (such as Oracle, MSSQL and DB2).
•Timestamp Columns: Two Timestamp columns (such as created timestamp and updated timestamp) are added to all database tables to record database transactions.
Agents
•New/updated agents: The following agents are introduced in this release:
–Spring Security2 Agent
–JAX-WS Agent
–AXIS2 Agent
•.Net Agent: CEPM .Net Agent supports mutually authenticated SSL. This feature is also implemented in CEPM SharePoint Agent.
•SharePoint Document Library: Now policies can be configured on a document library level instead of for each and every document constituting it. When configured on a document library level, the policy will apply to all documents present inside the library.
•SharePoint resource tree enhancement: Enhancements allow viewing resource trees while configuring entitlement policies for the resources from within the SharePoint site collection page. For example, you can have a better view of the resource hierarchy in your website while creating role based policies in Site > Actions > Site Settings > Users & Permissions > CEPM Permissions > Role Based Entitlement page.
Known Caveats
Table 1 lists the known caveats in this release.
Related Documentation
Table 2 lists documents that are available with this release.
Table 2 Documents Available for CEPM V3.3.0.0
Documentation Title | Description and Location of the Document on Cisco.com
CEPM Installation and Configuration Guide
Provides step-by-step instructions on how to install CEPM Components, such as Policy Administration Point (PAP) and Policy Decision Point (PDP), in various supported combinations of operating system, database, and application server.
Location on Cisco.com:
CEPM User Guide
Provides detailed information about various features and functionalities available in CEPM.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/User_Guide/CEPM_User_Guide.html
CEPM Quickstart Guide
Provides a quick, step-by-step procedure for starting up and using CEPM. This guide also walks you through the setup of a basic application and its resources, the securing of its resources with policies, and the testing of those policies.
Location on Cisco.com:
CEPM Concept Guide
Provides general information on CEPM architecture and entitlement management.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Concept_Guide/CEPM_Concept_Guide.html
CEPM Capacity Planning Guide
Discusses the different deployment options that are possible using CEPM. It also recommends the database size depending on the parameters of the application that is being protected by CEPM.
Location on Cisco.com:
CEPM Resource Models
Describes concepts related to basic policy-based application entitlement which ensures that a subject accessing a resource (or invoking an action on a resource) is allowed or denied, based on attributes-based rules.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Resource_Models/CEPM_Resource_Models.html
CEPM Java Developers Guide
Provides guidelines for using the Policy Enforcement Point (PEP) and PAP APIs, and provides instructions for configuring the PEP agent and Java Server Page (JSP) tag libraries.
Location on Cisco.com:
CEPM Dotnet Developers Guide
Provides guidelines for using the PEP and PAP APIs, and provides instructions for configuring the PEP agent for dotnet applications.
Location on Cisco.com:
CEPM PAP Configurations Guide
Provides guidelines to configure the PAP configuration parameters available in the pap_config.xml file.
Location on Cisco.com:
CEPM PDP Configurations Guide
Provides guidelines to configure the PDP configuration parameters available in the pdp_config.xml file.
Location on Cisco.com:
CEPM PEP Configurations Guide
Provides guidelines to configure the PEP configuration parameters available in the pep_config.xml file.
Location on Cisco.com:
CEPM In-Process PDP Deployment Guide
Provides guidelines for deployment of CEPM In-Process PDP in the stand-alone client-side applications.
Location on Cisco.com:
CEPM Dotnet Agent Guide
Provides step-by-step instructions for how to deploy the CEPM Dotnet Agent used by any .NET based application (either a desktop or a web-based application). It also describes the COM-wrapped agent, which is supported for VB, C++, and other Windows-based applications.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/Dotnet_Agent/CEPM_Dotnet_Agent_Guide.html
CEPM SharePoint Agent Guide
Provides a step-by-step procedure to install CEPM SharePoint Agent and integrate the Policy Administration Point (PAP) with your web applications running on SharePoint Server 2007.
Location on Cisco.com:
CEPM SSPI Agent Guide
Provides guidelines for the deployment of the CEPM SSPI Agent and explains the features supported by the CEPM customized authorization provider for applications running in WebLogic (BEA WebLogic V9.2).
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/SSPI_Agent/EPMSSPIAgt_chap.html
CEPM JACC Agent For JBOSS Portal Guide
Explains how the CEPM JACC Agent for JBOSS Portal helps in implementing fine-grained authorization decisions for portal applications developed using JBOSS Portal.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JACC_JBOSS_Agent/EPMJACCAgtJB_chap.html
CEPM JACC WAS Agent Guide
Explains how the CEPM JACC Agent for WebSphere Application Server helps in implementing the fine-grained authorization decisions for web applications developed using WebSphere Application Server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JACC_WAS_Agent/CEPM_JACC_WAS_Agent.html
CEPM JAX-RPC Agent Guide
Provides an overview of the CEPM JAX-RPC Agent and explains the steps for configuring this agent in applications running in WebSphere Application Server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JAX-RPC_Agent/CEPM_JAX_RPC_Agent_Guide.html
CEPM JAX-WS Agent Guide
Provides an overview of the CEPM JAX-WS Agent and explains the steps for configuring this agent in applications running in WebSphere Application Server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JAX-WS_Agent/CEPM_JAX-WS_Agent_Guide.html
CEPM AXIS Agent Guide
Provides step-by-step instructions on how to integrate the CEPM Axis Agent with web applications using Axis webservice implementation for fine-grained access control.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/AXIS_Agent/EPMAxisAgt_chap.html
CEPM AXIS2 Agent Guide
Provides step-by-step instructions on how to integrate the CEPM Axis2 Agent with web applications using Axis2 webservice implementation for fine-grained access control.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/AXIS2_Agent/EPMAxisAgt_chap.html
CEPM ACEGI Agent Guide
Provides guidelines for deployment of the CEPM ACEGI Agent and explains the features of using CEPM customized ACEGI authorization solution for applications running in the Spring Framework.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/ACEGI_Agent/EPMACEGIAgt_chap.html
CEPM Spring Security2 Agent Guide
Provides guidelines for deployment of the CEPM Spring Security2 Agent and explains the features of using the CEPM customized Spring Security2 authorization solution using the RoleVoter for applications running in the Spring Framework.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/Spring_Security2_Agent/EPMSSAgt_chap.html
CEPM XMLACCESS Agent Guide
Provides guidelines for deployment of the CEPM XMLAccess Agent and explains the features of using the CEPM customized XMLAccess authorization solution for portal applications running in the WebSphere Portal Server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/XML_ACCESS_Agent/EPMXMLAccessAgt_chap.html
Documentation Updates
Table 3 lists the changes made to this document since it was first released.
Table 3 Document Updates for Release Notes for Cisco Enterprise Policy Manager Version 3.3.1.0
Date | Change Summary
December 2011 | Updated Features Optimized/Removed.
October 7, 2010 | Added section Features Optimized/Removed.
June 7, 2009 | Minor edits and template/boilerplate updates for publication to Cisco.com.
April 3, 2009 | Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in Related Documentation.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.