This appendix contains sample MBean configuration files. It includes the container-specific jetty/config/nwsp.jetty.xml file, two nwsp/config/nwsp.xml files (one for a RADIUS mode deployment and one for an LDAP mode deployment), and an rdp.xml file. The sample credentials in these files (management console user and password, RADIUS shared secrets, service and group profile passwords) are published here and must be replaced before deployment.
An example jetty/config/nwsp.jetty.xml file follows.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE XmlConfig PUBLIC "-//Cisco Systems//DTD XmlConfig 1.1//EN" "http://www.cisco.com/sesm/xmlconfig_1_1.dtd">
<!-- Copyright (c) 2001, 2002 by Cisco Systems, Inc. All rights reserved. -->
<!-- This is the container specific configuration for the NWSP web application.
Container independent configuration can be found at:
$INSTALLROOT/nwsp/config/nwsp.xml
-->
<XmlConfig>
<!-- ================================================================ -->
<!--
- Jetty JMX MBeans. The order attribute appears to fix the instantiation
- sequence (Log, Debug, then the HTTP server). The HttpServerMBean is
- registered as org.mortbay.jetty:name=Jetty,Server=0 and receives its
- listeners, request log sink and web application in the Configure
- element of that name below; the log sink and debug MBeans are
- configured by the two Configure elements that precede it.
-->
<Instantiate order="10" class="org.mortbay.jetty.jmx.LogMBean"/>
<Instantiate order="11" class="org.mortbay.jetty.jmx.DebugMBean"/>
<Instantiate order="12"
class="org.mortbay.jetty.jmx.HttpServerMBean"
jmxname="org.mortbay.jetty:name=Jetty,Server=0"/>
<!-- ================================================================ -->
<Configure jmxname="org.mortbay.jetty:name=Log,OutputStreamLogSink=0">
<!--
- Jetty server log (container messages, not HTTP requests; those go to
- the request log configured on the server below). The file is written
- under the application.log directory, which should be writable only by
- the account running the server: the NWSP application log from nwsp.xml
- and the request log share it. retainDays=31 suggests files older than
- a month are removed (confirm against the OutputStreamLogSink
- implementation); if incident investigation needs a longer window, ship
- the logs off the host before they age out. logStackTrace=false keeps
- stack traces out of the file; enable it only while diagnosing a fault.
-->
<Set name="append" type="boolean">true</Set>
<Set name="filename"><SystemProperty name="application.log" default="./logs"/>/yyyy_mm_dd.jetty.log</Set>
<!-- Empty value: the sink's default time zone applies (presumably the JVM default; confirm). -->
<Set name="logTimezone"></Set>
<Set name="logDateFormat">yyyyMMdd:HHmmss.SSS' '</Set>
<Set name="logLabels" type="boolean">false</Set>
<Set name="logOneLine" type="boolean">false</Set>
<Set name="logStackSize" type="boolean">false</Set>
<Set name="logStackTrace" type="boolean">false</Set>
<Set name="logTags" type="boolean">true</Set>
<Set name="logTimeStamps" type="boolean">true</Set>
<Set name="retainDays" type="int">31</Set>
</Configure>
<Configure class="org.mortbay.jetty.jmx.DebugMBean" >
<!--
- Jetty debug tracing. debug=false is the production setting: debug
- patterns and triggers can dump request and response internals, which
- may include credentials posted to the logon page and session
- identifiers. Enable it for a specific investigation only, and clear
- the resulting log afterwards.
-->
<Set name="debug" type="boolean">false</Set>
<Set name="debugPatterns"></Set>
<Set name="debugTriggers"></Set>
<Set name="verbose" type="int">0</Set>
<Set name="suppressStack" type="boolean">false</Set>
<Set name="suppressWarnings" type="boolean">false</Set>
</Configure>
<!-- ================================================================ -->
<Configure jmxname="org.mortbay.jetty:name=Jetty,Server=0">
<!--
- Plain HTTP listener on application.portno (default 8080). It serves the
- same web application as the TLS listener below, so unless the
- application itself forces HTTPS, credentials entered on a logon page
- reached over this port cross the network in clear text. If the
- deployment can require TLS, remove this listener or restrict what it
- serves. maxThreads, maxIdleTimeMs and maxReadTimeMs bound the resources
- a single slow or idle client can hold; keep them when retuning the pool.
-->
<Call name="addListener">
<Arg>
<New class="org.mortbay.http.SocketListener">
<Set name="port"><SystemProperty name="application.portno" default="8080"/></Set>
<Set name="minThreads">5</Set>
<Set name="maxThreads">255</Set>
<Set name="maxIdleTimeMs">60000</Set>
<Set name="maxReadTimeMs">60000</Set>
</New>
</Arg>
</Call>
<!--
- TLS listener (Sun JSSE) on application.ssl.portno (default 8130). The
- server certificate and private key are read from
- jetty.home/config/nwspkeystore; protect that file, and this one, with
- filesystem permissions. The OBF: values are Jetty password obfuscation,
- not encryption: the encoding is reversible by anyone who can read this
- file, so treat the file as holding the keystore and key passwords in
- clear. Unlike the HTTP listener above no MaxReadTimeMs is set here;
- confirm whether the same read timeout is wanted on the TLS side.
-->
<Call name="addListener">
<Arg>
<New class="org.mortbay.http.SunJsseListener">
<Set name="port"><SystemProperty name="application.ssl.portno" default="8130"/></Set>
<Set name="MinThreads">5</Set>
<Set name="MaxThreads">255</Set>
<Set name="MaxIdleTimeMs">50000</Set>
<Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/config/nwspkeystore</Set>
<Set name="Password">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
<Set name="KeyPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
</New>
</Arg>
</Call>
<!--
- HTTP request log, rotated daily and kept for 90 days. A request log
- normally records client addresses and request lines, so treat it as
- personal data: same directory permissions as the server log, and a
- retention period agreed with whoever owns the subscriber data.
-->
<Set name="logSink">
<New class="org.mortbay.util.OutputStreamLogSink">
<Arg><SystemProperty name="application.log" default="./logs"/>/yyyy_mm_dd.request.log</Arg>
<Set name="retainDays">90</Set>
<Set name="append">true</Set>
</New>
</Set>
<!-- NWSP web application -->
<!--
- Arguments appear to be (virtualHost, contextPath, webApp, defaults,
- extractWar) per Jetty's HttpServer.addWebApplication; confirm for this
- Jetty version. The empty first argument means the application answers
- on every host name, the context path is "/", and the docroot is used in
- place (FALSE, no extraction). The PortBundleHandler is added at index 0
- so it sits first in the context's handler chain.
-->
<Call name="addWebApplication">
<Arg></Arg>
<Arg>/</Arg>
<Arg><SystemProperty name="application.home" default="."/>/docroot</Arg>
<Arg><SystemProperty name="jetty.home" default="."/>/config/webdefault.xml</Arg>
<Arg type="boolean">FALSE</Arg>
<Call name="addHandler">
<Arg type="int">0</Arg>
<Arg><New class="com.cisco.sesm.jetty.PortBundleHandler"/></Arg>
</Call>
</Call>
<Call name="start"/>
</Configure>
</XmlConfig>
This section contains two sample files:
The following nwsp/config/nwsp.xml file shows a RADIUS mode deployment.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE XmlConfig PUBLIC "-//Cisco Systems//DTD XmlConfig 1.1//EN" "http://www.cisco.com/sesm/xmlconfig_1_1.dtd">
<!-- Copyright (c) 2002 by Cisco Systems, Inc. All rights reserved. -->
<!-- This is the container independent configuration for the NWSP web application.
Container specific configuration can be found at:
$INSTALLROOT/$CONTAINER/config/nwsp.xml
-->
<XmlConfig>
<!-- ================================================================ -->
<!-- Application logger; its settings are in the Logger Configure element below. -->
<Instantiate order="1"
class="com.cisco.sesm.jmx.LoggerMBean"
jmxname="com.cisco.sesm:name=Logger"/>
<!--
- JMX HTML management console (Sun JDMK HtmlAdaptorServer) on
- management.portno. The property has no default here, so it must be set
- when the JVM is started. The console exposes the MBeans configured in
- this file; the RADIUS secrets and service passwords below are among the
- attributes it can display, and writable attributes can be changed
- through it. Before deployment:
- * replace MgmtUser / MgmtPassword; these sample values are printed in
-   the product documentation, so they are effectively public;
- * restrict the port to the management network (firewall or ACL). Nothing
-   in this file puts TLS in front of the adaptor, so the logon credentials
-   and everything it displays cross the network unprotected;
- * if no console is required, do not start it (see the ManagementConsole
-   Configure element below).
-->
<Instantiate order="99"
class="com.sun.jdmk.comm.HtmlAdaptorServer"
jmxname="com.cisco.sesm:name=ManagementConsole">
<Arg type="int">
<SystemProperty name="management.portno"/>
</Arg>
<Arg>
<Array class="com.sun.jdmk.comm.AuthInfo">
<Item>
<New class="com.sun.jdmk.comm.AuthInfo">
<Arg>MgmtUser</Arg>
<Arg>MgmtPassword</Arg>
</New>
</Item>
</Array>
</Arg>
</Instantiate>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=Logger">
<!--
- NWSP application log. debug is taken from the nwsp.debug system
- property and should stay false in production: debug output is likely to
- carry subscriber identities and the RADIUS traffic SESM generates
- (confirm what the debug patterns emit before enabling). logToErr
- duplicates the log to stderr and is only useful when running
- interactively. The log file shares the application.log directory with
- the container logs; keep it readable by the service account only.
-->
<Set name="debug" type="boolean"><SystemProperty name="nwsp.debug" default="false"/></Set>
<Set name="debugPatterns"></Set>
<Set name="debugThreads"></Set>
<Set name="debugVerbosity">LOW</Set>
<Set name="logDateFormat">yyyyMMdd:HHmmss.SSS</Set>
<Set name="logFile"><SystemProperty name="application.log" default="./logs"/>/yyyy_mm_dd.application.log</Set>
<Set name="logFrame" type="boolean">false</Set>
<Set name="logStack" type="boolean">false</Set>
<Set name="logThread" type="boolean">true</Set>
<Set name="logToErr" type="boolean"><SystemProperty name="nwsp.logToErr" default="false"/></Set>
<Set name="trace" type="boolean">true</Set>
<Set name="warning" type="boolean">true</Set>
</Configure>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=ManagementConsole">
<!--
- Starts the HTML management console instantiated above, which opens
- management.portno. If the console is not needed on this host, comment
- out this Call rather than leaving the port reachable; the MBean is then
- created but should not listen (verify with a port scan after start-up).
-->
<Call name="start"/>
</Configure>
<!-- ================================================================ -->
<Configure class="com.cisco.sesm.core.model.SESMMBean"
jmxname="com.cisco.sesm:name=SESM">
<!--
- The three operating modes are always defined, whichever one is
- selected below. Note that LDAP mode still authenticates through
- RADIUSAuthentication (only authorization and profiles move to DESS),
- so the SSG RADIUS settings in this file matter in RADIUS and LDAP mode.
-->
<Call name="defineMode">
<Arg>Demo</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoAuthenticationService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoAuthorizationService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoConnectionService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoServiceProfileService</Arg>
</Call>
<Call name="defineMode">
<Arg>RADIUS</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthentication</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthorization</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSServiceConnection</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSServiceProfile</Arg>
</Call>
<Call name="defineMode">
<Arg>LDAP</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthentication</Arg>
<Arg>com.cisco.sesm.spis.dess.DESSAuthorizationService</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSServiceConnection</Arg>
<Arg>com.cisco.sesm.spis.dess.DESSServiceProfileService</Arg>
</Call>
<!--
- This determines the SESM model mode of operation. A mode of operation
- determines how SESM connects to hardware.
- Security note: the mode is read from the sesm.mode system property and
- Demo mode is always defined above, so anyone able to alter this JVM's
- start-up properties can switch a production portal to the demo back
- end. Lock down the start-up scripts together with this file.
-->
<Set name="mode"><SystemProperty name="sesm.mode" default="RADIUS"/></Set>
<!--
- This boolean turns on or off the capability to perform
- single sign-on. In single sign on mode, a user only has to
- authenticate once and SESM merely checks that the user has
- been authenticated.
- Security note: with single sign-on SESM trusts an existing
- authenticated state instead of re-prompting for credentials. What that
- state is keyed on is not visible in this file; before enabling it on a
- shared access network, confirm that another subscriber cannot present
- as the authenticated one (for example by reusing an address).
-->
<Set name="singleSignOn" type="boolean">true</Set>
<!--
- This boolean determines whether or not services are auto-connected
- by SESM during sign-on.
-->
<Set name="autoConnect" type="boolean">false</Set>
<!--
- This is the number of seconds between clearing group
- and service caches.
- Presumably a change to a subscriber's services at the AAA source is
- not seen by the portal until the next clear, i.e. up to 600 seconds.
-->
<Set name="profileCachePeriod" type="int">600</Set>
<!--
- This is the minimum length of time in seconds that an SESMSession
- is held in memory without being accessed. SESMSessions are checked
- regularly according to the profileCachePeriod.
- If this is set to 0 (or undefined) profileCachePeriod*2 is used.
- This is the in-memory SESM session, distinct from the HTTP session
- timeout set in the WebApp element; state can persist up to 1200
- seconds beyond the last access.
-->
<Set name="sessionCachePeriod" type="int">1200</Set>
<!--
- Turning on this option will cause the model to throw an exception when
- an attempt is made to connect a service in a mutually exclusive service
- group and another service in the group is already connected.
- If the option is turned off, the previous service will be disconnected
- automatically.
-->
<Set name="confirmMutexDisconnect" type="boolean">false</Set>
<!--
- This sets the minimum amount of memory required before
- a SESM session can be created or authenticated.
- This is in order to prevent the application running out of memory.
- It is therefore also a denial-of-service guard: a flood of new sessions
- is refused at this floor (10 MB here) rather than exhausting the JVM
- heap. Size it so that legitimate logon peaks do not trip it.
-->
<Set name="memRequired" type="long">10485760</Set>
<!--
- If this is set true, sessions will be removed from memory when
- the minimum memory limit is hit.
- Turning this on will facilitate a quick recovery from a memory problem
- but will result in loss of user state. This means they will have to log
- in again if Single Sign On is disabled.
- With it off (the setting here) a memory squeeze degrades service for
- new logons only; existing sessions keep their state.
-->
<Set name="clearSessionsOnMem" type="boolean">false</Set>
</Configure>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=SESMDemoMode">
<!--
- This is the demo data file. It is in the format of a Merit
- dictionary with special extensions for this software.
- It is only consulted in Demo mode, but it is installed next to the
- production configuration and, being a Merit style users file, is
- expected to hold demo account names and passwords in clear text. Keep
- the config directory readable by the service account only, and remove
- the file from production hosts if Demo mode is never used there.
-->
<Set name="demoDataFile"><SystemProperty name="application.home"/>/config/demo.txt</Set>
</Configure>
<!-- ================================================================ -->
<!-- Settings for the DESS SPI. -->
<Configure jmxname="com.cisco.sesm:name=DESSMode">
<!--
- Authorization tokens are cached in memory. tokenMaxAge bounds how long
- an unused token is kept and tokenCheckInterval how often the sweep
- runs, so a cached token can presumably outlive its source by up to
- tokenMaxAge plus one interval. If directory changes (revoked
- subscriptions, disabled accounts) must take effect faster, shorten
- both, trading against load on the directory. Confirm the exact
- semantics against the DESS SPI before relying on these figures.
-->
<!-- The time in seconds between checking the authorization tokens. -->
<Set name="tokenCheckInterval" type="int">300</Set>
<!-- The age of a token in seconds (time since last used) for it to be removed from cache. -->
<Set name="tokenMaxAge" type="int">600</Set>
</Configure>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=SSG">
<!--
- Maximum number of simultaneous requests allowed to each SSG. Extra
- requests will be placed on a queue and issued as responses are received
- or timeout. The throttle also bounds how much of an SSG's RADIUS
- capacity a burst of portal activity can consume.
-->
<Set name="throttle" type="int">20</Set>
<!--
- Here we define attributes for RADIUS communication with the SSG If
- we are running with Port Bundle Host key then we need only define
- the global attributes for all of the SSGs.
-->
<Call name="setGlobalAttribute"><Arg>PORT</Arg><Arg>1812</Arg></Call>
<Call name="setGlobalAttribute"><Arg>TIMEOUTSECS</Arg><Arg>10</Arg></Call>
<Call name="setGlobalAttribute"><Arg>RETRIES</Arg><Arg>3</Arg></Call>
<!--
- Shared secret for RADIUS exchanges with every SSG. "cisco" is the
- sample value shipped with the product and must be replaced by a long,
- random secret that matches the SSG configuration. The secret is what
- authenticates RADIUS packets and hides passwords in Access-Request, so
- a dictionary word can be recovered offline from captured traffic. As a
- global attribute, this one secret is shared by every SSG.
-->
<Call name="setGlobalAttribute"><Arg>SECRET</Arg><Arg>cisco</Arg></Call>
<Call name="setGlobalAttribute"><Arg>MASK</Arg><Arg>255.255.255.255</Arg></Call>
<!--
- A non zero value here, the default should be 4, will turn Port
- Bundle Host Key on.
- With host key on, SESM appears to identify the SSG and subscriber from
- the port-bundle key rather than from the client's source address (see
- the PortBundleHandler in nwsp.jetty.xml); confirm which identification
- path is in use before relying on address-based mappings below.
-->
<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>4</Arg></Call>
<Call name="setGlobalAttribute"><Arg>PORT_BUNDLE_HOST_KEY_SWITCH</Arg><Arg>false</Arg></Call>
<!--
- This value may be true or false. True is implied by a non zero
- BUNDLE_LENGTH. If the BUNDLE_LENGTH is non zero, then this value
- will be ignored. As a BUNDLE_LENGTH of 0 is a legal value, however,
- the Port Bundle Host Key feature can also be turned on here
- when the BUNDLE_LENGTH is 0, which it would be for persistent
- connections.
<Call name="setGlobalAttribute"><Arg>PORT_BUNDLE_HOST_KEY_SWITCH</Arg><Arg>true</Arg></Call>
-->
<!--
- If we need to map from a client IP address to an SSG explicitly,
- then we could have an entry like this:
<Call name="setSubnetAttribute"><Arg>213.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>195.245.182.2</Arg></Call>
- which would map the client subnet 213.0.0.0 to the SSG at
- 195.245.182.2 with the global parameters defined above for
- the RADIUS protocol.
-->
<!-- If we need to define a location for a subnet, say London, then we
- could do this:
<Call name="setSubnetAttribute"><Arg>213.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>SESSION_LOCATION</Arg><Arg>London</Arg></Call>
- See the location definitions below for illustrations of how
- attributes can be associated with locations.
-->
</Configure>
<!-- ================================================================ -->
<!--
- Here we define attributes for RADIUS communication with the RADIUS
- servers for service and group profiles in RADIUS mode.
-->
<Configure jmxname="com.cisco.sesm:name=AAA,connection=ServiceProfile">
<!--
- RADIUS connection used to fetch service profiles in RADIUS mode.
- primaryIP and secondaryIP are loopback placeholders; replace them with
- the real AAA servers. "secret" is the RADIUS shared secret (sample
- value, change it; see the SSG SECRET note above for why).
- servicePassword is the password SESM sends in the profile request; the
- server answering it must know the same value (rdp.xml keys its
- ServiceRequest handler on PASSWORD:servicecisco), so change both sides
- together and treat it as a credential: anyone holding it, plus the
- secret, can pull service profiles from the AAA server. The open call is
- issued after all settings; keep it last.
-->
<Set name="throttle" type="int">256</Set>
<Set name="timeOut" type="int">4</Set>
<Set name="retryCount" type="int">3</Set>
<Set name="primaryIP">127.0.0.2</Set>
<Set name="primaryPort" type="int">1812</Set>
<Set name="secret">cisco</Set>
<Set name="secondaryIP">127.0.0.3</Set>
<Set name="secondaryPort" type="int">1812</Set>
<Set name="servicePassword">servicecisco</Set>
<Call name="open"/>
</Configure>
<Configure jmxname="com.cisco.sesm:name=AAA,connection=ServiceGroupProfile">
<!--
- RADIUS connection used to fetch service group profiles in RADIUS mode;
- same servers and shared secret as the ServiceProfile connection above,
- with the same caveats (placeholder addresses, sample secret).
- serviceGroupPassword must match what the answering server expects
- (rdp.xml keys its GroupRequest handler on PASSWORD:groupcisco) and is a
- credential for downloading group profiles; replace the sample value on
- both sides. The open call is issued after all settings; keep it last.
-->
<Set name="throttle" type="int">256</Set>
<Set name="timeOut" type="int">4</Set>
<Set name="retryCount" type="int">3</Set>
<Set name="primaryIP">127.0.0.2</Set>
<Set name="primaryPort" type="int">1812</Set>
<Set name="secret">cisco</Set>
<Set name="secondaryIP">127.0.0.3</Set>
<Set name="secondaryPort" type="int">1812</Set>
<Set name="serviceGroupPassword">groupcisco</Set>
<Call name="open"/>
</Configure>
<!-- ================================================================ -->
<Configure class="com.cisco.sesm.webapp.config.WebAppMBean"
jmxname="com.cisco.sesm:name=WebApp">
<!--
- These options control different aspects of the NWSP applications
- behaviours. These settings are used by the NWSP application to
- control different aspects of its behaviour.
-->
<!-- Confirm that you want to logon onto a service as opposed
- to single click logon. -->
<Set name="confirmAtServiceLogon" type="boolean">FALSE</Set>
<!-- Confirm that you want to logoff a service as opposed
- to single click logoff. -->
<Set name="confirmAtServiceLogoff" type="boolean">TRUE</Set>
<!-- Confirm that you want to logoff from the application as opposed
- to single click logoff. -->
<Set name="confirmAtAccountLogoff" type="boolean">TRUE</Set>
<!-- This overrides the setting in the Jetty nwsp.xml. -->
<!-- 7200 seconds is two hours of idle time before the HTTP session
- expires. A long idle window extends how long an unattended browser
- stays usable by whoever reaches it; confirm it matches the operator's
- session policy. -->
<Set name="sessionTimeOut" type="int">7200</Set>
<!-- Maximum length for usernames and passwords. -->
<!-- This caps the credentials the logon form accepts and therefore the
- passphrase length a subscriber can use. Keep it no lower than what the
- AAA back end allows, and do not rely on it as the only bound on request
- size; that belongs to the container. -->
<Set name="credentialMaxLength" type="int">30</Set>
<!-- These identify the URI required for requests to NWSP's /serviceRedirect: -->
<!-- All targets are paths inside this application. If you change them,
- keep them paths rather than absolute URLs so that /serviceRedirect never
- sends a subscriber off site. -->
<!-- service redirect when request parameter "service" is null or empty -->
<Set name="serviceNotGivenURI">/status</Set>
<!-- service redirect for any unexpected condition, eg if service is not available -->
<Set name="defaultURI">/home</Set>
<!-- service redirect for services that are not subscribed -->
<Set name="serviceSubscriptionURI">/subscriptionManage</Set>
<!-- service redirect when no further entry of credentials required -->
<Set name="serviceStartURI">/serviceStart</Set>
<!-- service redirect when further entry of credentials required -->
<Set name="serviceLogonURI">/serviceLogon</Set>
<!--
- These are examples of how arbitrary properties can be used
- in the SESM applications.
- They are sample location and brand dimensions pointing at external
- sites; replace or remove them before deployment.
-->
<Call name="addDimension">
<Arg type="int">1</Arg>
<Arg>London</Arg>
<Arg>http://www.london.com</Arg>
</Call>
<Call name="addDimension">
<Arg type="int">1</Arg>
<Arg>Paris</Arg>
<Arg>http://www.paris-france.org/</Arg>
</Call>
<Call name="addDimension">
<Arg type="int">1</Arg>
<Arg>New York</Arg>
<Arg>http://www.usa.net/newyork</Arg>
</Call>
<Call name="addDimension">
<Arg type="int">2</Arg>
<Arg>Acme</Arg>
<Arg>http://www.acme.com</Arg>
</Call>
<Call name="addDimension">
<Arg type="int">2</Arg>
<Arg>Cisco</Arg>
<Arg>http://www.cisco.com</Arg>
</Call>
</Configure>
</XmlConfig>
The following nwsp/config/nwsp.xml file shows an LDAP mode deployment with the captive portal feature enabled. RDP was installed in normal (non-proxy) mode, with the Add Services option checked.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE XmlConfig PUBLIC "-//Cisco Systems//DTD XmlConfig 1.1//EN" "http://www.cisco.com/sesm/xmlconfig_1_1.dtd">
<!-- Copyright (c) 2002 by Cisco Systems, Inc. All rights reserved. -->
<!-- This is the container independent configuration for the NWSP web application.
Container specific configuration can be found at:
$INSTALLROOT/$CONTAINER/config/nwsp.xml
-->
<XmlConfig>
<!-- ================================================================ -->
<!-- Application logger; its settings are in the Logger Configure element below. -->
<Instantiate order="1"
class="com.cisco.sesm.jmx.LoggerMBean"
jmxname="com.cisco.sesm:name=Logger"/>
<!--
- JMX HTML management console (Sun JDMK HtmlAdaptorServer) on
- management.portno. The property has no default here, so it must be set
- when the JVM is started. The console exposes the MBeans configured in
- this file; the SSG RADIUS secret below is among the attributes it can
- display, and writable attributes can be changed through it. Before
- deployment:
- * replace MgmtUser / MgmtPassword; these sample values are printed in
-   the product documentation, so they are effectively public;
- * restrict the port to the management network (firewall or ACL). Nothing
-   in this file puts TLS in front of the adaptor, so the logon credentials
-   and everything it displays cross the network unprotected;
- * if no console is required, do not start it (see the ManagementConsole
-   Configure element below).
-->
<Instantiate order="99"
class="com.sun.jdmk.comm.HtmlAdaptorServer"
jmxname="com.cisco.sesm:name=ManagementConsole">
<Arg type="int">
<SystemProperty name="management.portno"/>
</Arg>
<Arg>
<Array class="com.sun.jdmk.comm.AuthInfo">
<Item>
<New class="com.sun.jdmk.comm.AuthInfo">
<Arg>MgmtUser</Arg>
<Arg>MgmtPassword</Arg>
</New>
</Item>
</Array>
</Arg>
</Instantiate>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=Logger">
<!--
- NWSP application log. debug is taken from the nwsp.debug system
- property and should stay false in production: debug output is likely to
- carry subscriber identities and the RADIUS and directory traffic SESM
- generates (confirm what the debug patterns emit before enabling).
- logToErr duplicates the log to stderr and is only useful when running
- interactively. The log file shares the application.log directory with
- the container logs; keep it readable by the service account only.
-->
<Set name="debug" type="boolean"><SystemProperty name="nwsp.debug" default="false"/></Set>
<Set name="debugPatterns"></Set>
<Set name="debugThreads"></Set>
<Set name="debugVerbosity">LOW</Set>
<Set name="logDateFormat">yyyyMMdd:HHmmss.SSS</Set>
<Set name="logFile"><SystemProperty name="application.log" default="./logs"/>/yyyy_mm_dd.application.log</Set>
<Set name="logFrame" type="boolean">false</Set>
<Set name="logStack" type="boolean">false</Set>
<Set name="logThread" type="boolean">true</Set>
<Set name="logToErr" type="boolean"><SystemProperty name="nwsp.logToErr" default="false"/></Set>
<Set name="trace" type="boolean">true</Set>
<Set name="warning" type="boolean">true</Set>
</Configure>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=ManagementConsole">
<!--
- Starts the HTML management console instantiated above, which opens
- management.portno. If the console is not needed on this host, comment
- out this Call rather than leaving the port reachable; the MBean is then
- created but should not listen (verify with a port scan after start-up).
-->
<Call name="start"/>
</Configure>
<!-- ================================================================ -->
<Configure class="com.cisco.sesm.core.model.SESMMBean"
jmxname="com.cisco.sesm:name=SESM">
<!--
- The three operating modes are always defined, whichever one is
- selected below. This deployment defaults to LDAP, which still
- authenticates through RADIUSAuthentication (only authorization and
- profiles come from DESS), so the SSG RADIUS settings in this file and
- the RDP secret remain in use.
-->
<Call name="defineMode">
<Arg>Demo</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoAuthenticationService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoAuthorizationService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoConnectionService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoServiceProfileService</Arg>
</Call>
<Call name="defineMode">
<Arg>RADIUS</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthentication</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthorization</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSServiceConnection</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSServiceProfile</Arg>
</Call>
<Call name="defineMode">
<Arg>LDAP</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthentication</Arg>
<Arg>com.cisco.sesm.spis.dess.DESSAuthorizationService</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSServiceConnection</Arg>
<Arg>com.cisco.sesm.spis.dess.DESSServiceProfileService</Arg>
</Call>
<!--
- This determines the SESM model mode of operation. A mode of operation
- determines how SESM connects to hardware.
- Security note: the mode is read from the sesm.mode system property and
- Demo mode is always defined above, so anyone able to alter this JVM's
- start-up properties can switch a production portal to the demo back
- end. Lock down the start-up scripts together with this file.
-->
<Set name="mode"><SystemProperty name="sesm.mode" default="LDAP"/></Set>
<!--
- This boolean turns on or off the capability to perform
- single sign-on. In single sign on mode, a user only has to
- authenticate once and SESM merely checks that the user has
- been authenticated.
- Security note: with single sign-on SESM trusts an existing
- authenticated state instead of re-prompting for credentials. What that
- state is keyed on is not visible in this file; before enabling it on a
- shared access network, confirm that another subscriber cannot present
- as the authenticated one (for example by reusing an address).
-->
<Set name="singleSignOn" type="boolean">true</Set>
<!--
- This boolean determines whether or not services are auto-connected
- by SESM during sign-on.
-->
<Set name="autoConnect" type="boolean">false</Set>
<!--
- This is the number of seconds between clearing group
- and service caches.
- Presumably a change to a subscriber's services in the directory is
- not seen by the portal until the next clear, i.e. up to 600 seconds.
-->
<Set name="profileCachePeriod" type="int">600</Set>
<!--
- This is the minimum length of time in seconds that an SESMSession
- is held in memory without being accessed. SESMSessions are checked
- regularly according to the profileCachePeriod.
- If this is set to 0 (or undefined) profileCachePeriod*2 is used.
- This is the in-memory SESM session, distinct from the HTTP session
- timeout set in the WebApp element; state can persist up to 1200
- seconds beyond the last access.
-->
<Set name="sessionCachePeriod" type="int">1200</Set>
<!--
- Turning on this option will cause the model to throw an exception when
- an attempt is made to connect a service in a mutually exclusive service
- group and another service in the group is already connected.
- If the option is turned off, the previous service will be disconnected
- automatically.
-->
<Set name="confirmMutexDisconnect" type="boolean">false</Set>
<!--
- This sets the minimum amount of memory required before
- a SESM session can be created or authenticated.
- This is in order to prevent the application running out of memory.
- It is therefore also a denial-of-service guard: a flood of new sessions
- is refused at this floor (10 MB here) rather than exhausting the JVM
- heap. Size it so that legitimate logon peaks do not trip it.
-->
<Set name="memRequired" type="long">10485760</Set>
<!--
- If this is set true, sessions will be removed from memory when
- the minimum memory limit is hit.
- Turning this on will facilitate a quick recovery from a memory problem
- but will result in loss of user state. This means they will have to log
- in again if Single Sign On is disabled.
- With it off (the setting here) a memory squeeze degrades service for
- new logons only; existing sessions keep their state.
-->
<Set name="clearSessionsOnMem" type="boolean">false</Set>
</Configure>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=SESMDemoMode">
<!--
- This is the demo data file. It is in the format of a Merit
- dictionary with special extensions for this software.
- It is only consulted in Demo mode, but it is installed next to the
- production configuration and, being a Merit style users file, is
- expected to hold demo account names and passwords in clear text. Keep
- the config directory readable by the service account only, and remove
- the file from production hosts if Demo mode is never used there.
-->
<Set name="demoDataFile"><SystemProperty name="application.home"/>/config/demo.txt</Set>
</Configure>
<!-- ================================================================ -->
<!-- Settings for the DESS SPI. -->
<Configure jmxname="com.cisco.sesm:name=DESSMode">
<!--
- Authorization tokens are cached in memory. tokenMaxAge bounds how long
- an unused token is kept and tokenCheckInterval how often the sweep
- runs, so a cached token can presumably outlive its source by up to
- tokenMaxAge plus one interval. In this LDAP deployment that is the
- window in which a revoked subscription or disabled account may still be
- honoured from cache; shorten both if it must be smaller, trading
- against load on the directory. Confirm the exact semantics against the
- DESS SPI before relying on these figures.
-->
<!-- The time in seconds between checking the authorization tokens. -->
<Set name="tokenCheckInterval" type="int">300</Set>
<!-- The age of a token in seconds (time since last used) for it to be removed from cache. -->
<Set name="tokenMaxAge" type="int">600</Set>
</Configure>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=SSG">
<!--
- Maximum number of simultaneous requests allowed to each SSG. Extra
- requests will be placed on a queue and issued as responses are received
- or timeout. The throttle also bounds how much of an SSG's RADIUS
- capacity a burst of portal activity can consume.
-->
<Set name="throttle" type="int">20</Set>
<!--
- Here we define attributes for RADIUS communication with the SSG If
- we are running with Port Bundle Host key then we need only define
- the global attributes for all of the SSGs.
-->
<Call name="setGlobalAttribute"><Arg>PORT</Arg><Arg>1812</Arg></Call>
<Call name="setGlobalAttribute"><Arg>TIMEOUTSECS</Arg><Arg>10</Arg></Call>
<Call name="setGlobalAttribute"><Arg>RETRIES</Arg><Arg>3</Arg></Call>
<!--
- Shared secret for RADIUS exchanges with every SSG. "cisco" is the
- sample value shipped with the product and must be replaced by a long,
- random secret that matches the SSG configuration. The secret is what
- authenticates RADIUS packets and hides passwords in Access-Request, so
- a dictionary word can be recovered offline from captured traffic. As a
- global attribute, this one secret is shared by every SSG, including the
- one mapped explicitly below.
-->
<Call name="setGlobalAttribute"><Arg>SECRET</Arg><Arg>cisco</Arg></Call>
<Call name="setGlobalAttribute"><Arg>MASK</Arg><Arg>255.255.255.255</Arg></Call>
<!--
- A non zero value here, the default should be 4, will turn Port
- Bundle Host Key on.
- This deployment sets 0, so host key is off and SESM selects the SSG
- from the client's source address via the subnet table below. Every
- subscriber address range therefore needs an entry; what happens to a
- client outside the table is not shown in this file.
-->
<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>0</Arg></Call>
<!-- The following line configures a single non-hostkey SSG -->
<!-- Additional SSGs can be configured by adding further 'Call' elements -->
<!-- Remove the following call if the bundle size is ever set to > 0 -->
<!-- Arg list: <client subnet>, <subnet mask>, IP, <SSG IP address> -->
<!-- 10.20.1.0/24 and 10.4.4.4 are sample addresses; replace them with the
- real subscriber subnet and SSG address. -->
<Call name="setSubnetAttribute"><Arg>10.20.1.0</Arg><Arg>255.255.255.0</Arg><Arg>IP</Arg><Arg>10.4.4.4</Arg></Call>
<Call name="setGlobalAttribute"><Arg>PORT_BUNDLE_HOST_KEY_SWITCH</Arg><Arg>false</Arg></Call>
<!--
- This value may be true or false. True is implied by a non zero
- BUNDLE_LENGTH. If the BUNDLE_LENGTH is non zero, then this value
- will be ignored. As a BUNDLE_LENGTH of 0 is a legal value, however,
- the Port Bundle Host Key feature can also be turned on here
- when the BUNDLE_LENGTH is 0, which it would be for persistent
- connections.
<Call name="setGlobalAttribute"><Arg>PORT_BUNDLE_HOST_KEY_SWITCH</Arg><Arg>true</Arg></Call>
-->
<!--
- If we need to map from a client IP address to an SSG explicitly,
- then we could have an entry like this:
<Call name="setSubnetAttribute"><Arg>213.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>195.245.182.2</Arg></Call>
- which would map the client subnet 213.0.0.0 to the SSG at
- 195.245.182.2 with the global parameters defined above for
- the RADIUS protocol.
-->
<!-- If we need to define a location for a subnet, say London, then we
- could do this:
<Call name="setSubnetAttribute"><Arg>213.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>SESSION_LOCATION</Arg><Arg>London</Arg></Call>
- See the location definitions below for illustrations of how
- attributes can be associated with locations.
-->
</Configure>
<!-- ================================================================ -->
<!--
- Here we define attributes for RADIUS communication with the RADIUS
- servers for service and group profiles in RADIUS mode.
-->
<!-- Uncomment and modify this element when run in RADIUS mode
<Configure jmxname="com.cisco.sesm:name=AAA,connection=ServiceProfile">
<Set name="throttle" type="int">256</Set>
<Set name="timeOut" type="int">4</Set>
<Set name="retryCount" type="int">3</Set>
<Set name="primaryIP">127.0.0.1</Set>
<Set name="primaryPort" type="int">1812</Set>
<Set name="secret">cisco</Set>
<Set name="secondaryIP">127.0.0.2</Set>
<Set name="secondaryPort" type="int">1812</Set>
<Set name="servicePassword">servicecisco</Set>
<Call name="open"/>
</Configure>
<Configure jmxname="com.cisco.sesm:name=AAA,connection=ServiceGroupProfile">
<Set name="throttle" type="int">256</Set>
<Set name="timeOut" type="int">4</Set>
<Set name="retryCount" type="int">3</Set>
<Set name="primaryIP">127.0.0.1</Set>
<Set name="primaryPort" type="int">1812</Set>
<Set name="secret">cisco</Set>
<Set name="secondaryIP">127.0.0.2</Set>
<Set name="secondaryPort" type="int">1812</Set>
<Set name="serviceGroupPassword">groupcisco</Set>
<Call name="open"/>
</Configure>
-->
<!-- ================================================================ -->
<Configure class="com.cisco.sesm.webapp.config.WebAppMBean"
jmxname="com.cisco.sesm:name=WebApp">
<!--
- These options control different aspects of the NWSP applications
- behaviours. These settings are used by the NWSP application to
- control different aspects of its behaviour.
-->
<!-- Confirm that you want to logon onto a service as opposed
- to single click logon. -->
<Set name="confirmAtServiceLogon" type="boolean">FALSE</Set>
<!-- Confirm that you want to logoff a service as opposed
- to single click logoff. -->
<Set name="confirmAtServiceLogoff" type="boolean">TRUE</Set>
<!-- Confirm that you want to logoff from the application as opposed
- to single click logoff. -->
<Set name="confirmAtAccountLogoff" type="boolean">TRUE</Set>
<!-- This overrides the setting in the Jetty nwsp.xml. -->
<!-- 7200 seconds is two hours of idle time before the HTTP session
- expires. A long idle window extends how long an unattended browser
- stays usable by whoever reaches it; confirm it matches the operator's
- session policy. -->
<Set name="sessionTimeOut" type="int">7200</Set>
<!-- Maximum length for usernames and passwords. -->
<!-- This caps the credentials the logon form accepts and therefore the
- passphrase length a subscriber can use. Keep it no lower than what the
- AAA back end allows, and do not rely on it as the only bound on request
- size; that belongs to the container. -->
<Set name="credentialMaxLength" type="int">30</Set>
<!-- These identify the URI required for requests to NWSP's /serviceRedirect: -->
<!-- All targets are paths inside this application. If you change them,
- keep them paths rather than absolute URLs so that /serviceRedirect never
- sends a subscriber off site. -->
<!-- service redirect when request parameter "service" is null or empty -->
<Set name="serviceNotGivenURI">/status</Set>
<!-- service redirect for any unexpected condition, eg if service is not available -->
<Set name="defaultURI">/home</Set>
<!-- service redirect for services that are not subscribed -->
<Set name="serviceSubscriptionURI">/subscriptionManage</Set>
<!-- service redirect when no further entry of credentials required -->
<Set name="serviceStartURI">/serviceStart</Set>
<!-- service redirect when further entry of credentials required -->
<Set name="serviceLogonURI">/serviceLogon</Set>
<!--
- These are examples of how arbitrary properties can be used
- in the SESM applications.
- They are sample location and brand dimensions pointing at external
- sites; replace or remove them before deployment.
-->
<Call name="addDimension">
<Arg type="int">1</Arg>
<Arg>London</Arg>
<Arg>http://www.london.com</Arg>
</Call>
<Call name="addDimension">
<Arg type="int">1</Arg>
<Arg>Paris</Arg>
<Arg>http://www.paris-france.org/</Arg>
</Call>
<Call name="addDimension">
<Arg type="int">1</Arg>
<Arg>New York</Arg>
<Arg>http://www.usa.net/newyork</Arg>
</Call>
<Call name="addDimension">
<Arg type="int">2</Arg>
<Arg>Acme</Arg>
<Arg>http://www.acme.com</Arg>
</Call>
<Call name="addDimension">
<Arg type="int">2</Arg>
<Arg>Cisco</Arg>
<Arg>http://www.cisco.com</Arg>
</Call>
</Configure>
</XmlConfig>
An example rdp.xml file follows. See "RDP Packet Handlers," for more information about this MBean and the possibilities for extending RDP functionality with customized packet handlers.
Note The contents of this MBean are different depending on the options you checked during RDP installation (the packet handlers are different). The following file shows RDP installed in normal (non-proxy) mode, with the Add Services and Add Client options checked.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE XmlConfig PUBLIC "-//Cisco Systems//DTD XmlConfig 1.1//EN" "http://www.cisco.com/sesm/xmlconfig_1_1.dtd">
<!-- Copyright (c) 2002 by Cisco Systems, Inc. All rights reserved. -->
<!-- This is the container independent configuration for the RDP application.
Container specific configuration can be found at:
$INSTALLROOT/$CONTAINER/config/rdp.xml
-->
<XmlConfig>
<!-- ================================================================ -->
<!-- Application logger; its settings are in the Logger Configure element below. -->
<Instantiate order="1"
class="com.cisco.sesm.jmx.LoggerMBean"
jmxname="com.cisco.sesm:name=Logger" />
<!--
- RDP packet factory and the RDP server itself; note the order values
- put the management console (96) before both of them (97, 98).
-->
<Instantiate order="97"
class="com.cisco.sesm.rdp.RDPPacketFactoryMBean"
jmxname="com.cisco.sesm:name=RDPPacketFactory" />
<Instantiate order="98"
class="com.cisco.sesm.rdp.RDPMBean"
jmxname="com.cisco.sesm:name=RDP" />
<!--
- JMX HTML management console (Sun JDMK HtmlAdaptorServer) on
- management.portno. The property has no default here, so it must be set
- when the JVM is started. The console exposes the MBeans configured in
- this file, i.e. the RDP secret and the PASSWORD: profile attributes
- below, and writable attributes can be changed through it. Before
- deployment:
- * replace MgmtUser / MgmtPassword; these sample values are printed in
-   the product documentation, so they are effectively public;
- * restrict the port to the management network (firewall or ACL). Nothing
-   in this file puts TLS in front of the adaptor, so the logon credentials
-   and everything it displays cross the network unprotected;
- * if no console is required, do not start it (see the ManagementConsole
-   Configure element below).
-->
<Instantiate order="96"
class="com.sun.jdmk.comm.HtmlAdaptorServer"
jmxname="com.cisco.sesm:name=ManagementConsole">
<Arg type="int">
<SystemProperty name="management.portno"/>
</Arg>
<Arg>
<Array class="com.sun.jdmk.comm.AuthInfo">
<Item>
<New class="com.sun.jdmk.comm.AuthInfo">
<Arg>MgmtUser</Arg>
<Arg>MgmtPassword</Arg>
</New>
</Item>
</Array>
</Arg>
</Instantiate>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=Logger">
<!--
- RDP application log. debug is taken from the rdp.debug system property
- and should stay false in production: RDP is a RADIUS server, and its
- debug output may include the packets it handles, user names and the
- password attributes in whatever form RDP sees them (confirm what the
- debug patterns emit before enabling). logToErr duplicates the log to
- stderr and is only useful when running interactively. Keep the
- application.log directory readable by the service account only.
-->
<Set name="debug" type="boolean"><SystemProperty name="rdp.debug" default="false"/></Set>
<Set name="debugPatterns"></Set>
<Set name="debugThreads"></Set>
<Set name="debugVerbosity">LOW</Set>
<Set name="logDateFormat">yyyyMMdd:HHmmss.SSS</Set>
<Set name="logFile"><SystemProperty name="application.log" default="./logs"/>/yyyy_mm_dd.application.log</Set>
<Set name="logFrame" type="boolean">false</Set>
<Set name="logStack" type="boolean">false</Set>
<Set name="logThread" type="boolean">true</Set>
<Set name="logToErr" type="boolean"><SystemProperty name="rdp.logToErr" default="false"/></Set>
<Set name="trace" type="boolean">true</Set>
<Set name="warning" type="boolean">true</Set>
</Configure>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=ManagementConsole">
<!--
- Starts the HTML management console instantiated above, which opens
- management.portno on the RDP host. If the console is not needed there,
- comment out this Call rather than leaving the port reachable; the MBean
- is then created but should not listen (verify with a port scan after
- start-up).
-->
<Call name="start"/>
</Configure>
<!-- ================================================================ -->
<Configure jmxname="com.cisco.sesm:name=RDPPacketFactory">
<!--
- Maps incoming RADIUS requests to packet handler classes. The PASSWORD:
- attributes below are what distinguishes a service, group or next hop
- profile request from an ordinary user logon: ProfileRequestPacket
- matches the request password against them and returns the matching
- type name, which selects the handler. They must match servicePassword
- and serviceGroupPassword in nwsp.xml, and they are credentials: any
- RADIUS client that knows a value and the RDP secret can download the
- matching profiles. Replace the "...cisco" sample values and keep this
- file readable by the service account only.
-->
<Call name="addType">
<!-- The untyped handler looks for the service type AV in the packet to
- determine whether the request is for a service profile (service
- type == outbound) or a user profile (no service type)-->
<Arg>Untyped</Arg>
<Arg>com.cisco.sesm.rdp.UntypedPacket</Arg>
</Call>
<Call name="addType">
<!-- There are six user logon handlers; userLogonPacket (authenticates),
- UserLogonFramedPacket (authenticates and adds a Service-type=2
- (Framed user) ), UserLogonFramedAddServicesPacket (authenticates
- and adds a Service-type=2 and services, i.e. authorizes),
- UserLogonAddServices (authenticates and authorizes),
- UserProxyAuthPacket (authenticates via a proxy) and
- UserProxyAuthAddServicePacket (authenticates via a proxy and
- authorizes).
- The handler chosen here authenticates locally (no proxy) and also
- authorizes by adding the subscriber's services to the reply, which is
- what the "Add Services" install option selects. -->
<Arg>UserLogon</Arg>
<Arg>com.cisco.sesm.rdp.UserLogonFramedAddServicesPacket</Arg>
</Call>
<Call name="addType">
<Arg>ProfileRequest</Arg>
<!-- Attempts to match the password to the PASSWORD: attribute and
- return the matching value -->
<Arg>com.cisco.sesm.rdp.ProfileRequestPacket</Arg>
</Call>
<!-- Following attribute and type handle service profiles -->
<!-- Must equal servicePassword in the nwsp.xml ServiceProfile connection. -->
<Call name="setAttribute">
<Arg>PASSWORD:servicecisco</Arg>
<Arg>ServiceRequest</Arg>
</Call>
<Call name="addType">
<Arg>ServiceRequest</Arg>
<Arg>com.cisco.sesm.rdp.ServiceProfilePacket</Arg>
</Call>
<!-- Following attribute and type handle group profiles -->
<!-- Must equal serviceGroupPassword in the nwsp.xml ServiceGroupProfile connection. -->
<Call name="setAttribute">
<Arg>PASSWORD:groupcisco</Arg>
<Arg>GroupRequest</Arg>
</Call>
<Call name="addType">
<Arg>GroupRequest</Arg>
<Arg>com.cisco.sesm.rdp.GroupProfilePacket</Arg>
</Call>
<!-- Following attribute and type handle next hop profiles -->
<!-- No counterpart appears in nwsp.xml; the next hop requester (presumably the SSG) must be configured with the same value. -->
<Call name="setAttribute">
<Arg>PASSWORD:nexthopcisco</Arg>
<Arg>NextHopRequest</Arg>
</Call>
<Call name="addType">
<Arg>NextHopRequest</Arg>
<Arg>com.cisco.sesm.rdp.NextHopPacket</Arg>
</Call>
<Call name="addType">
<Arg>Unknown</Arg>
<!-- Does not respond to the request. This is the right default for an
- unrecognised request: a probing sender learns nothing from silence. -->
<Arg>com.cisco.sesm.rdp.DiscardPacket</Arg>
</Call>
<!-- Example use of a Proxy handler.
String after ';' is name of AAA connection (see AAAMBean below)
<Call name="addType">
<Arg>ProxyNextHop</Arg>
<Arg>com.cisco.sesm.rdp.ProxyPacket;Proxy</Arg>
</Call>
-->
</Configure>
<!-- ================================================================ -->
<!-- RDP: the RADIUS listener itself. Every setting below is applied
- before the startRDP call at the end, so the secret, bind address and
- client list are in effect when the listener starts. -->
<Configure jmxname="com.cisco.sesm:name=RDP">
<!-- RADIUS shared secret for this listener. NOTE(review): "cisco" is the
- published sample value. RADIUS depends on this secret to authenticate
- packets and to hide User-Password, so replace it with a long random
- string and keep this file readable only by the account running RDP.
- The id attribute presumably allows other elements in this file to
- reference the value. -->
<Set id="RDPSecret" name="secret">cisco</Set>
<!-- Local address to bind; a sample value that must be changed to the
- interface the RADIUS clients reach. -->
<Set name="localIPAddress">10.3.3.1</Set>
<!-- Listening port; 1812 is the standard RADIUS authentication port. -->
<Set name="localPort" type="int"><SystemProperty name="application.portno" default="1812"/></Set>
<!-- Worker thread bounds and idle timeout in milliseconds; maxThreads
- caps the number of requests handled concurrently. -->
<Set name="minThreads" type="int">10</Set>
<Set name="maxThreads" type="int">256</Set>
<Set name="maxIdleTimeMs" type="int">10000</Set>
<!-- This option turns on 3-key authentication. When this is set, one of the -->
<!-- RADIUS attributes in the access request is matched to the attribute in the -->
<!-- user profile in the directory -->
<!-- NOTE(review): with 3-key authentication the matched attribute (for
- example Calling-Station-Id) is supplied by the RADIUS client, so its
- trustworthiness rests on the client list and shared secrets below;
- keep useClientList on whenever this is enabled. -->
<Set name="threeKeyAuth" type="boolean">false</Set>
<!-- When 3-key authentication is turned on, this option determines which RADIUS -->
<!-- attribute is used for authentication. Typical values are: -->
<!-- CALLED_STATION_ID (APN) = 30 -->
<!-- CALLING_STATION_ID (MSISDN) = 31 -->
<!-- NAS_IDENTIFIER = 32 -->
<Set name="authAttribute" type="int">31</Set>
<!-- This section is used for specifying a client list for the RADIUS server -->
<!-- This variable turns client list usage on or off. -->
<!-- If it is off, the client list that follows has no effect. -->
<!-- With the client list on, presumably only requests from the listed
- addresses are processed; that is the intended state for production. -->
<Set name="useClientList" type="boolean">true</Set>
<!-- The following line is an example client specification that can be -->
<!-- copied and modified to create a client list. -->
<!-- The parameters are: -->
<!-- String: client name -->
<!-- String client IP address -->
<!-- String shared secret -->
<!-- NOTE(review): the sample client reuses the published secret "cisco".
- Give each client its own strong secret. -->
<Call name="addClient">
<Arg>SSG-first</Arg>
<Arg>10.4.4.4</Arg>
<Arg>cisco</Arg>
</Call>
<!-- End of client list section -->
<!-- Start listening; keep this call last so all settings above apply. -->
<Call name="startRDP"/>
</Configure>
<!-- ================================================================ -->
<!-- Uncomment and modify this element when run in proxy mode
<Configure jmxname="com.cisco.sesm:name=AAA,connection=Proxy">
<Set name="throttle" type="int">256</Set>
<Set name="timeOut" type="int">4</Set>
<Set name="retryCount" type="int">1</Set>
<Set name="primaryIP">127.0.0.2</Set>
<Set name="primaryPort" type="int">1812</Set>
<Set id="AAASecret" name="secret">cisco</Set>
<Set name="secondaryIP">127.0.0.3</Set>
<Set name="secondaryPort" type="int">1812</Set>
<Call name="open"/>
</Configure>
-->
</XmlConfig>
An example cdat.xml file follows.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE XmlConfig PUBLIC "-//Cisco Systems//DTD XmlConfig 1.1//EN" "http://www.cisco.com/sesm/xmlconfig_1_1.dtd">
<!-- Copyright (c) 2001,2002 by Cisco Systems, Inc. All rights reserved. -->
<!-- This is the container independent configuration for the CDAT web application.
Container specific configuration can be found at:
$INSTALLROOT/$CONTAINER/config/cdat.xml
-->
<XmlConfig>
<!-- ================================================================ -->
<!-- The logger is created first (order 1) so later elements can log. -->
<Instantiate order="1"
class="com.cisco.sesm.jmx.LoggerMBean"
jmxname="com.cisco.sesm:name=Logger" />
<!-- JMX HTML adaptor (management console), created last (order 99).
- First argument: listening port from the management.portno system
- property (no default is given here). Second argument: the accepted
- logins. NOTE(review): MgmtUser/MgmtPassword are the published sample
- credentials and presumably grant control of every MBean in this
- process; change them, keep this file readable only by the service
- account, and restrict the port to administrative hosts. Nothing in
- this file configures TLS for the adaptor, so assume the credentials
- cross the network in the clear unless protected elsewhere. -->
<Instantiate order="99"
class="com.sun.jdmk.comm.HtmlAdaptorServer"
jmxname="com.cisco.sesm:name=ManagementConsole">
<Arg type="int">
<SystemProperty name="management.portno"/>
</Arg>
<Arg>
<Array class="com.sun.jdmk.comm.AuthInfo">
<Item>
<New class="com.sun.jdmk.comm.AuthInfo">
<Arg>MgmtUser</Arg>
<Arg>MgmtPassword</Arg>
</New>
</Item>
</Array>
</Arg>
</Instantiate>
<!-- ================================================================ -->
<!-- Application logger for CDAT. Debug output and logging to stderr are
- driven by the cdat.debug and cdat.logToErr system properties; the log
- file lives under application.log (default ./logs). NOTE(review):
- debug output may include request details, so restrict access to the
- log directory if it is enabled. -->
<Configure jmxname="com.cisco.sesm:name=Logger">
<Set name="debug" type="boolean"><SystemProperty name="cdat.debug" default="false"/></Set>
<Set name="debugPatterns"></Set>
<Set name="debugThreads"></Set>
<Set name="debugVerbosity">LOW</Set>
<Set name="logDateFormat"><SystemProperty name="cdat.logDateFormat" default="HHmmss.SSS"/></Set>
<Set name="logFile"><SystemProperty name="application.log" default="./logs"/>/yyyy_mm_dd.application.log</Set>
<Set name="logFrame" type="boolean">false</Set>
<Set name="logStack" type="boolean">false</Set>
<Set name="logThread" type="boolean">false</Set>
<Set name="logToErr" type="boolean"><SystemProperty name="cdat.logToErr" default="false"/></Set>
<Set name="trace" type="boolean">true</Set>
<Set name="warning" type="boolean">true</Set>
</Configure>
<!-- ================================================================ -->
<!-- Start the HTML adaptor instantiated above on management.portno.
- Once started, the MgmtUser/MgmtPassword login above is all that stands
- between the network and the MBeans, so limit the port's reachability. -->
<Configure jmxname="com.cisco.sesm:name=ManagementConsole">
<Call name="start"/>
</Configure>
<!-- ================================================================ -->
<!-- CDAT application settings.
- naming: directory attribute used to name entries (cn).
- sessionTimeout: session lifetime, presumably idle seconds (unit not
- stated here); 600 is a reasonable bound for an administrative tool.
- maxVariables / queryMaxResults: bound form variables and search results,
- which limits the cost of a single request.
- queryTimeout: 0 presumably means no timeout; prefer a finite value when
- the directory is shared with other services. -->
<Configure jmxname="com.cisco.sesm:name=CDAT">
<Set name="naming" type="String">cn</Set>
<Set name="sessionTimeout" type="int">600</Set>
<Set name="maxVariables" type="int">40</Set>
<Set name="queryMaxResults" type="int">100</Set>
<Set name="queryTimeout" type="int">0</Set>
</Configure>
</XmlConfig>
An example SPE configuration file (dess-auth/config/config.xml) follows:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE XmlConfig PUBLIC "-//Cisco Systems//DTD XmlConfig 1.1//EN" "http://www.cisco.com/sesm/xmlconfig_1_1.dtd">
<!-- Copyright (c) 2001 by Cisco Systems, Inc. All rights reserved. -->
<!-- This is the dess-auth configuration -->
<XmlConfig>
<!-- ================================================================ -->
<!-- Two directory connection pools (Primary and Secondary) are created
- before the DirectoryMBean (order 3) that uses them. Both carry order 2,
- so their relative creation order is unspecified here. -->
<Instantiate order="2"
class="com.cisco.sesm.dessauth.ConnectionMBean"
jmxname="com.cisco.sesm:name=Directory,type=Connection,instance=Primary"
/>
<Instantiate order="2"
class="com.cisco.sesm.dessauth.ConnectionMBean"
jmxname="com.cisco.sesm:name=Directory,type=Connection,instance=Secondary"
/>
<Instantiate order="3"
class="com.cisco.sesm.dessauth.DirectoryMBean"
jmxname="com.cisco.sesm:name=Directory" />
<!-- ================================================================ -->
<!-- Primary directory connection pool (poolSize connections).
- NOTE(review): credentials is empty while principal names an admin DN.
- Depending on the directory, an empty password produces an anonymous
- or unauthenticated bind, or a bind failure; in any case the real
- password must be supplied here for the admin principal to be usable,
- and this file then holds a directory credential and must be protected
- accordingly. The URL uses ldap:// (cleartext), acceptable only on the
- loopback address shown; a remote directory should be reached over a
- TLS protected connection if the connection factory supports one. -->
<Configure jmxname="com.cisco.sesm:name=Directory,type=Connection,instance=Primary">
<Set name="poolSize" type="int">2</Set>
<Set name="URL">ldap://127.0.0.1:389/</Set>
<Set name="principal">cn=admin,ou=sesm,o=cisco</Set>
<Set name="credentials"></Set>
</Configure>
<!-- Secondary directory connection pool; same caveats as Primary:
- credentials must be filled in for the admin principal, the file must
- then be protected as a credential store, and ldap:// is cleartext and
- only appropriate for the loopback address shown. -->
<Configure jmxname="com.cisco.sesm:name=Directory,type=Connection,instance=Secondary">
<Set name="poolSize" type="int">2</Set>
<Set name="URL">ldap://127.0.0.1:389/</Set>
<Set name="principal">cn=admin,ou=sesm,o=cisco</Set>
<Set name="credentials"></Set>
</Configure>
<!-- DirectoryMBean: binds the connection pools whose names match
- connectionNameRoot to the JNDI connection factory, rooted at context.
- DESSPrincipal is the DN used for directory operations and presumably
- has to match the principal configured on the connections above. -->
<Configure jmxname="com.cisco.sesm:name=Directory">
<Set name="connectionNameRoot">com.cisco.sesm:name=Directory,type=Connection,*</Set>
<Set name="factory">com.cisco.cns.security.jndi.JNDIConnection</Set>
<Set name="context">ou=sesm,o=cisco</Set>
<Set name="DESSPrincipal">cn=admin,ou=sesm,o=cisco</Set>
<Set name="alwaysGetAllAttributes" type="boolean">false</Set>
<!-- traceLevel NONE disables the DESS trace file. Higher levels may write
- directory content to traceFileName, so protect that location before
- enabling tracing. -->
<Set name="traceFileName"><SystemProperty name="application.log" default="./logs"/>/dess.log</Set>
<Set name="traceLevel">NONE</Set>
<Set name="printTraceToConsole" type="boolean">false</Set>
<Set name="stackTrace" type="boolean">false</Set>
<!-- Cache bounds: at most cacheMaxObjects entries, subject to the free
- memory floor below. -->
<Set name="cacheMaxObjects" type="int">50000</Set>
<!-- Save at least cacheMinFreeMem% VM memory. -->
<!-- i.e. Cache can occupy 100-cacheMinFreeMem% memory -->
<Set name="cacheMinFreeMem" type="int">10</Set>
<!-- All timeout values are in seconds -->
<!-- Cached profile data can lag the directory by up to cacheObjectTimeout
- seconds; revocations in the directory are not seen before then. -->
<Set name="cacheSessionTimeout" type="int">600</Set>
<Set name="cacheExpireInterval" type="int">600</Set>
<Set name="cacheObjectTimeout" type="int">600</Set>
<!-- commit presumably applies the settings above; keep it last. -->
<Call name="commit"/>
</Configure>
</XmlConfig>
An example captiveportal.xml file follows:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE XmlConfig PUBLIC "-//Cisco Systems//DTD XmlConfig 1.1//EN" "http://www.cisco.com/sesm/xmlconfig_1_1.dtd">
<!-- Copyright (c) 2002 by Cisco Systems, Inc. All rights reserved. -->
<!-- This is the container independent configuration for the captiveportal web application.
Container specific configuration can be found at:
$INSTALLROOT/$CONTAINER/config/captiveportal.jetty.xml
-->
<XmlConfig>
<!-- ================================================================ -->
<!-- The logger is created first (order 1) so later elements can log. -->
<Instantiate order="1"
class="com.cisco.sesm.jmx.LoggerMBean"
jmxname="com.cisco.sesm:name=Logger"/>
<!-- JMX HTML adaptor (management console), created last (order 99).
- First argument: listening port from the management.portno system
- property (no default is given here). Second argument: the accepted
- logins. NOTE(review): MgmtUser/MgmtPassword are the published sample
- credentials and presumably grant control of every MBean in this
- process; change them, keep this file readable only by the service
- account, and restrict the port to administrative hosts. Nothing in
- this file configures TLS for the adaptor, so assume the credentials
- cross the network in the clear unless protected elsewhere. -->
<Instantiate order="99"
class="com.sun.jdmk.comm.HtmlAdaptorServer"
jmxname="com.cisco.sesm:name=ManagementConsole">
<Arg type="int">
<SystemProperty name="management.portno"/>
</Arg>
<Arg>
<Array class="com.sun.jdmk.comm.AuthInfo">
<Item>
<New class="com.sun.jdmk.comm.AuthInfo">
<Arg>MgmtUser</Arg>
<Arg>MgmtPassword</Arg>
</New>
</Item>
</Array>
</Arg>
</Instantiate>
<!-- ================================================================ -->
<!-- Application logger for the captive portal. Debug output and logging
- to stderr are driven by the captiveportal.debug and
- captiveportal.logToErr system properties; the log file lives under
- application.log (default ./logs). NOTE(review): debug output may
- include redirected request URLs, so restrict access to the log
- directory if it is enabled. -->
<Configure jmxname="com.cisco.sesm:name=Logger">
<Set name="debug" type="boolean"><SystemProperty name="captiveportal.debug" default="false"/></Set>
<Set name="debugPatterns"></Set>
<Set name="debugThreads"></Set>
<Set name="debugVerbosity">LOW</Set>
<Set name="logDateFormat">yyyyMMdd:HHmmss.SSS</Set>
<Set name="logFile"><SystemProperty name="application.log" default="./logs"/>/yyyy_mm_dd.application.log</Set>
<Set name="logFrame" type="boolean">false</Set>
<Set name="logStack" type="boolean">false</Set>
<Set name="logThread" type="boolean">true</Set>
<Set name="logToErr" type="boolean"><SystemProperty name="captiveportal.logToErr" default="false"/></Set>
<Set name="trace" type="boolean">true</Set>
<Set name="warning" type="boolean">true</Set>
</Configure>
<!-- ================================================================ -->
<!-- Start the HTML adaptor instantiated above on management.portno.
- Once started, the MgmtUser/MgmtPassword login above is all that stands
- between the network and the MBeans, so limit the port's reachability. -->
<Configure jmxname="com.cisco.sesm:name=ManagementConsole">
<Call name="start"/>
</Configure>
<!-- ================================================================ -->
<!-- SESM model: defines the available modes (each a set of four SPI
- classes: authentication, authorization, connection, service profile)
- and selects the active one. -->
<Configure class="com.cisco.sesm.core.model.SESMMBean"
jmxname="com.cisco.sesm:name=SESM">
<!-- Only the authenticationSPI is used, but for completeness give
a mode in each case, which requires the full set of SPIs -->
<Call name="defineMode">
<Arg>Demo</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoAuthenticationService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoAuthorizationService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoConnectionService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoServiceProfileService</Arg>
</Call>
<Call name="defineMode">
<Arg>RADIUS</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthentication</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthorization</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSConnection</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSServiceProfile</Arg>
</Call>
<!--
- There is a performance consideration in retrieving the subscriber profile.
- LDAP mode is not used, as the profile is not required. For usage
- consistency, a mode of this name is defined here which uses the RADIUS SPIs.
-->
<Call name="defineMode">
<Arg>LDAP</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthentication</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSAuthorization</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSConnection</Arg>
<Arg>com.cisco.sesm.spis.radius.RADIUSServiceProfile</Arg>
</Call>
<!--
- This determines the SESM model mode of operation. A mode of operation
- determines how SESM connects to hardware.
-->
<!-- NOTE(review): the mode defaults to Demo when sesm.mode is not set.
- The Demo SPIs presumably authenticate against sample data rather than a
- real AAA source, so a production deployment must set sesm.mode to
- RADIUS (or LDAP, which here maps to the RADIUS SPIs as noted above). -->
<Set name="mode"><SystemProperty name="sesm.mode" default="Demo"/></Set>
<!--
- This boolean turns on or off the capability to perform
- single sign-on. In single sign on mode, a user only has to
- authenticate once and SESM merely checks that the user has
- been authenticated.
-->
<!-- The single sign-on check relies on whatever source reports the
- existing authentication; that source must itself be trusted. -->
<Set name="singleSignOn" type="boolean">true</Set>
<!--
- This is the number of seconds between clearing group
- and service caches.
-->
<Set name="profileCachePeriod" type="int">600</Set>
<!--
- This is the minimum length of time in seconds that an SESMSession
- is held in memory without being accessed. SESMSessions are checked
- regularly according to the profileCachePeriod.
- If this is set to 0 (or undefined) profileCachePeriod*2 is used.
-->
<Set name="sessionCachePeriod" type="int">1200</Set>
<!--
- This sets the minimum amount of memory required before
- a SESM session can be created or authenticated.
- This is in order to prevent the application running out of memory.
-->
<!-- 10485760 presumably bytes (10 MiB); acts as a crude resource
- exhaustion guard for session creation. -->
<Set name="memRequired" type="long">10485760</Set>
</Configure>
<!-- ================================================================ -->
<!-- SSG: RADIUS parameters for talking to the SSG(s). -->
<Configure jmxname="com.cisco.sesm:name=SSG">
<!--
- Maximum number of simultaneous requests allowed to each SSG. Extra
- requests will be placed on a queue and issued as responses are received
- or timeout.
-->
<Set name="throttle" type="int">20</Set>
<!--
- Here we define attributes for RADIUS communication with the SSG If
- we are running with Port Bundle Host key then we need only define
- the global attributes for all of the SSGs.
-->
<!-- NOTE(review): SECRET is the RADIUS shared secret for every SSG
- covered by these global attributes, and "cisco" is the published
- sample value. Replace it with a long random value that matches the
- SSG configuration, and protect this file since it holds that secret.
- MASK 255.255.255.255 means subnet attributes below match a single host. -->
<Call name="setGlobalAttribute"><Arg>PORT</Arg><Arg>1812</Arg></Call>
<Call name="setGlobalAttribute"><Arg>TIMEOUTSECS</Arg><Arg>10</Arg></Call>
<Call name="setGlobalAttribute"><Arg>RETRIES</Arg><Arg>3</Arg></Call>
<Call name="setGlobalAttribute"><Arg>SECRET</Arg><Arg>cisco</Arg></Call>
<Call name="setGlobalAttribute"><Arg>MASK</Arg><Arg>255.255.255.255</Arg></Call>
<!--
- A non zero value here, the default should be 4, will turn Port
- Bundle Host Key on.
-->
<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>0</Arg></Call>
<Call name="setGlobalAttribute"><Arg>PORT_BUNDLE_HOST_KEY_SWITCH</Arg><Arg>false</Arg></Call>
<!--
- This value may be true or false. True is implied by a non zero
- BUNDLE_LENGTH. If the BUNDLE_LENGTH is non zero, then this value
- will be ignored. As a BUNDLE_LENGTH of 0 is a legal value, however,
- the Port Bundle Host Key feature can also be turned on here
- when the BUNDLE_LENGTH is 0, which it would be for persistent
- connections.
<Call name="setGlobalAttribute"><Arg>PORT_BUNDLE_HOST_KEY_SWITCH</Arg><Arg>true</Arg></Call>
-->
<!--
- If we need to map from a client IP address to an SSG explicitly,
- then we could have an entry like this:
<Call name="setSubnetAttribute"><Arg>213.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>195.245.182.2</Arg></Call>
- which would map the client subnet 213.0.0.0 to the SSG at
- 195.245.182.2 with the global parameters defined above for
- the RADIUS protocol.
-->
</Configure>
<!-- ================================================================ -->
<!-- Captive portal: one listening port per redirect kind, and for each
- the URL the subscriber is sent to. All URL defaults below point at
- www.cisco.com on port 80 and must be overridden (serviceportal.host,
- messageportal.host and the matching port properties) for a real
- deployment; otherwise subscribers are redirected off site. -->
<Configure jmxname="com.cisco.sesm:name=captiveportal">
<!--
- The install requires these booleans to turn the different features on or off.
- Disabling a particular feature can also be achieved by removing the entire
- corresponding entry, or removing the corresponding port argument.
-->
<Set name="userRedirectOn" type="boolean">true</Set>
<Set name="initialCaptivateOn" type="boolean">true</Set>
<Set name="advertisingCaptivateOn" type="boolean">true</Set>
<Set name="serviceRedirectOn" type="boolean">true</Set>
<!--
- This is the URL that the Captive Portal application will redirect
- to for unauthenticated user redirects.
- It should point to the service application.
-->
<Set name="userRedirectURL">http://<SystemProperty name="serviceportal.host" default="www.cisco.com"/>:<SystemProperty name="serviceportal.port" default="80"/>/home</Set>
<!--
- Requests on this incoming port are for unauthenticated user redirects
-->
<Set name="userRedirectPort"><SystemProperty name="userRedirect.port" default="8090"/></Set>
<!--
- This is the URL that the Captive Portal application will redirect
- to for default initial captivate redirects.
- It should point to the message application.
-->
<Set name="initialCaptivateURL">http://<SystemProperty name="messageportal.host" default="www.cisco.com"/>:<SystemProperty name="messageportal.port" default="80"/>/initial</Set>
<!--
- Requests on this incoming port are for
- default initial captivate redirects
-->
<Set name="initialCaptivatePort"><SystemProperty name="initialCaptivate.port" default="8091"/></Set>
<!--
- Specifies the duration for the default initial captivate redirects
-->
<Set name="initialCaptivateDuration">10</Set>
<!--
- This is the URL that the Captive Portal application will redirect
- to for default advertising captivate redirects.
- It should point to the message application.
-->
<Set name="advertisingCaptivateURL">http://<SystemProperty name="messageportal.host" default="www.cisco.com"/>:<SystemProperty name="messageportal.port" default="80"/>/advertising</Set>
<!--
- Requests on this incoming port are for
- default advertising captivate redirects
-->
<Set name="advertisingCaptivatePort"><SystemProperty name="advertisingCaptivate.port" default="8092"/></Set>
<!--
- Specifies the duration for the default advertising captivate redirects
-->
<Set name="advertisingCaptivateDuration">10</Set>
<!--
- This is the URL that the Captive Portal application will redirect
- to if an unconnected service redirect has no specific URL given in
- its configuration below. The configuration of the Service Portal
- application can be checked as to how it handles the request.
-->
<Set name="serviceRedirectDefaultURL">http://<SystemProperty name="serviceportal.host" default="www.cisco.com"/>:<SystemProperty name="serviceportal.port" default="80"/>/serviceRedirect</Set>
<!--
- These define service redirects, consisting of:
- incoming port, optional URL out and optional service name
- The redirect for the default group (the first listed here)
- would not have a service name specified for normal operation
-->
<Call name="defineServiceRedirect">
<Arg><SystemProperty name="defaultServiceRedirect.port" default="8093"/></Arg>
<Arg></Arg>
<Arg></Arg>
</Call>
<Call name="defineServiceRedirect">
<Arg><SystemProperty name="serviceRedirect1.port" default="8094"/></Arg>
<Arg><SystemProperty name="serviceRedirect1.URL" default=""/></Arg>
<Arg><SystemProperty name="serviceRedirect1.service" default="service1"/></Arg>
</Call>
<Call name="defineServiceRedirect">
<Arg><SystemProperty name="serviceRedirect2.port" default="8095"/></Arg>
<Arg><SystemProperty name="serviceRedirect2.URL" default=""/></Arg>
<Arg><SystemProperty name="serviceRedirect2.service" default="service2"/></Arg>
</Call>
<Call name="defineServiceRedirect">
<Arg><SystemProperty name="serviceRedirect3.port" default="8096"/></Arg>
<Arg><SystemProperty name="serviceRedirect3.URL" default=""/></Arg>
<Arg><SystemProperty name="serviceRedirect3.service" default="service3"/></Arg>
</Call>
<!--
- This is only used to detect loops: if the request host and this match,
- as well as the request port and the listener port, redirect to errorURL.
- Accepts a comma-separated list of aliases and/or addresses.
-->
<!-- Loop detection only works if every name or address this host is
- reachable by is listed here; 127.0.0.1 alone covers loopback only. -->
<Set name="host">127.0.0.1</Set>
<!--
- This is the URL that the Captive Portal application will redirect
- to if it does not find a URL to redirect to for the given port that
- the request came in on. It should point to the service portal.
-->
<Set name="errorURL">http://<SystemProperty name="serviceportal.host" default="www.cisco.com"/>:<SystemProperty name="serviceportal.port" default="80"/>/home</Set>
<!--
- These are the parameter names passed in the query string of the URL to
- indicate the name of the service and the URL as appropriate.
- The message redirect parameters apply to initial and advertising captivate
- To avoid any attempt to obtain a username by captive portal,
- the two arguments for the subscriber parameter should be empty or removed.
-->
<!-- NOTE(review): the URL carried in CPURL / serviceURL presumably is
- the one the subscriber originally requested, i.e. client controlled.
- The receiving service and message portals should validate it before
- redirecting back to it, otherwise they become open redirectors.
- CPSUBSCRIBER places the subscriber identity in a query string, where
- it can end up in web server logs and Referer headers; leave
- serviceRedirectSubscriberParam empty (as here) unless needed. -->
<Set name="userRedirectURLParam">CPURL</Set>
<Set name="serviceRedirectURLParam">serviceURL</Set>
<Set name="serviceRedirectServiceParam">service</Set>
<Set name="serviceRedirectSubscriberParam"></Set>
<Set name="messageRedirectURLParam">CPURL</Set>
<Set name="messageRedirectSubscriberParam">CPSUBSCRIBER</Set>
<Set name="messageRedirectDurationParam">CPDURATION</Set>
</Configure>
<!-- ================================================================ -->
</XmlConfig>
An example messageportal.xml file follows:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE XmlConfig PUBLIC "-//Cisco Systems//DTD XmlConfig 1.1//EN" "http://www.cisco.com/sesm/xmlconfig_1_1.dtd">
<!-- Copyright (c) 2002 by Cisco Systems, Inc. All rights reserved. -->
<!-- This is the container independent configuration for the messageportal web application.
Container specific configuration can be found at:
$INSTALLROOT/$CONTAINER/config/messageportal.xml
-->
<XmlConfig>
<!-- ================================================================ -->
<!-- The logger is created first (order 1) so later elements can log. -->
<Instantiate order="1"
class="com.cisco.sesm.jmx.LoggerMBean"
jmxname="com.cisco.sesm:name=Logger" />
<!-- JMX HTML adaptor (management console), created last (order 99).
- First argument: listening port from the management.portno system
- property (no default is given here). Second argument: the accepted
- logins. NOTE(review): MgmtUser/MgmtPassword are the published sample
- credentials and presumably grant control of every MBean in this
- process; change them, keep this file readable only by the service
- account, and restrict the port to administrative hosts. Nothing in
- this file configures TLS for the adaptor, so assume the credentials
- cross the network in the clear unless protected elsewhere. -->
<Instantiate order="99"
class="com.sun.jdmk.comm.HtmlAdaptorServer"
jmxname="com.cisco.sesm:name=ManagementConsole">
<Arg type="int">
<SystemProperty name="management.portno"/>
</Arg>
<Arg>
<Array class="com.sun.jdmk.comm.AuthInfo">
<Item>
<New class="com.sun.jdmk.comm.AuthInfo">
<Arg>MgmtUser</Arg>
<Arg>MgmtPassword</Arg>
</New>
</Item>
</Array>
</Arg>
</Instantiate>
<!-- ================================================================ -->
<!-- Application logger for the message portal. Debug output and logging
- to stderr are driven by the messageportal.debug and
- messageportal.logToErr system properties; the log file lives under
- application.log (default ./logs). NOTE(review): debug output may
- include request details, so restrict access to the log directory if
- it is enabled. -->
<Configure jmxname="com.cisco.sesm:name=Logger">
<Set name="debug" type="boolean"><SystemProperty name="messageportal.debug" default="false"/></Set>
<Set name="debugPatterns"></Set>
<Set name="debugThreads"></Set>
<Set name="debugVerbosity">LOW</Set>
<Set name="logDateFormat"><SystemProperty name="messageportal.logDateFormat" default="HHmmss.SSS"/></Set>
<Set name="logFile"><SystemProperty name="application.log" default="./logs"/>/yyyy_mm_dd.application.log</Set>
<Set name="logFrame" type="boolean">false</Set>
<Set name="logStack" type="boolean">false</Set>
<Set name="logThread" type="boolean">false</Set>
<Set name="logToErr" type="boolean"><SystemProperty name="messageportal.logToErr" default="false"/></Set>
<Set name="trace" type="boolean">true</Set>
<Set name="warning" type="boolean">true</Set>
</Configure>
<!-- ================================================================ -->
<!-- Start the HTML adaptor instantiated above on management.portno.
- Once started, the MgmtUser/MgmtPassword login above is all that stands
- between the network and the MBeans, so limit the port's reachability. -->
<Configure jmxname="com.cisco.sesm:name=ManagementConsole">
<Call name="start"/>
</Configure>
<!-- ================================================================ -->
<!-- SESM model for the message portal: two modes are defined, Demo and
- LDAP (the DESS SPIs backed by the directory), and one is selected. -->
<Configure class="com.cisco.sesm.core.model.SESMMBean"
jmxname="com.cisco.sesm:name=SESM">
<Call name="defineMode">
<Arg>Demo</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoAuthenticationService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoAuthorizationService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoConnectionService</Arg>
<Arg>com.cisco.sesm.spis.demo.DemoServiceProfileService</Arg>
</Call>
<Call name="defineMode">
<Arg>LDAP</Arg>
<Arg>com.cisco.sesm.spis.dess.DESSAuthenticationService</Arg>
<Arg>com.cisco.sesm.spis.dess.DESSAuthorizationService</Arg>
<Arg>com.cisco.sesm.spis.dess.DESSServiceConnectionService</Arg>
<Arg>com.cisco.sesm.spis.dess.DESSServiceProfileService</Arg>
</Call>
<!--
- This determines the SESM model mode of operation. A mode of operation
- determines how SESM connects to hardware.
-->
<!-- NOTE(review): the mode defaults to Demo when sesm.mode is not set.
- Demo mode presumably serves the demo data file configured in
- SESMDemoMode below rather than real subscriber data, so a production
- deployment must set sesm.mode to LDAP. -->
<Set name="mode"><SystemProperty name="sesm.mode" default="Demo"/></Set>
</Configure>
<!-- ================================================================ -->
<!-- Demo mode data source, used only when mode is Demo. The file is
- resolved relative to application.home, so that property must be set. -->
<Configure jmxname="com.cisco.sesm:name=SESMDemoMode">
<!--
- This is the demo data file. It is in the format of a Merit
- dictionary with special extensions for this software.
-->
<Set name="demoDataFile"><SystemProperty name="application.home"/>/config/demo.txt</Set>
</Configure>
<!-- ================================================================ -->
<!-- Settings for the DESS SPI. -->
<!-- DESS (LDAP mode) token cache: tokens are swept every
- tokenCheckInterval seconds and dropped after tokenMaxAge seconds
- without use. A larger tokenMaxAge lengthens the window in which a
- revoked authorization is still honoured from cache. -->
<Configure jmxname="com.cisco.sesm:name=DESSMode">
<!-- The time in seconds between checking the authorization tokens. -->
<Set name="tokenCheckInterval" type="int">300</Set>
<!-- The age of a token in seconds (time since last used) for it to be removed from cache. -->
<Set name="tokenMaxAge" type="int">600</Set>
</Configure>
<!-- ================================================================ -->
<!-- Message portal page selection and post-message redirect. -->
<Configure jmxname="com.cisco.sesm:name=messageportal">
<!-- default page to use if no interests obtained from subscriber profile -->
<Set name="defaultPage">default.jsp</Set>
<!-- default URL to redirect to, if none given in query string of request URL -->
<!-- The sample default (10.50.5.1:8080) must be overridden via the
- serviceportal.host / serviceportal.port properties. -->
<Set name="defaultURL">http://<SystemProperty name="serviceportal.host" default="10.50.5.1"/>:<SystemProperty name="serviceportal.port" default="8080"/>/</Set>
<!-- duration in seconds, if none given in query string of request URL -->
<Set name="defaultDuration">15</Set>
<!-- ignore subscriber profile and only display default page -->
<Set name="ignoreProfile" type="boolean">true</Set>
<!-- redirect to originally requested URL after displaying message page -->
<!-- NOTE(review): the redirect target is taken from the request query
- string when present, i.e. it is client controlled. Unless the
- application validates it (not visible in this file), the message
- portal can be used as an open redirector; restrict accepted targets
- to the expected service portal hosts. -->
<Set name="redirectOn" type="boolean">true</Set>
<!-- Possible interests, obtained from subscriber profile -->
<!-- Only the page for the first located interest is displayed -->
<Set name="interests">
cinema,
science,
internet,
news,
sports,
travel,
finance,
community
</Set>
<!-- Corresponding pages, using any 1-char string to use default page instead -->
<!-- The lists are matched by position, so keep them the same length and
- in the same order. -->
<Set name="interestPages">
cinema.jsp,
.,
internet.jsp,
news.jsp,
sports.jsp,
travel.jsp,
finance.jsp,
community.jsp
</Set>
</Configure>
</XmlConfig>