|
The SESM installation process uses default values and values you enter during installation to configure the sample portal applications. Read this section if you want to change or fine-tune configuration after installation.
The SESM portal applications use the following MBeans:
To change attributes in these MBeans, you can either:
The installation process configures all three of the sample portal applications (NWSP, WAP, and PDA) using the same default port numbers. These port numbers are:
Each sample portal application uses a different MBean configuration file. The files are located in a directory named for the application under the SESM installation directory:
nwsp
config
nwsp.xml
wap
config
wap.xml
pda
config
pda.xml
The Logger MBean configures both logging and debugging tools. The logging tool traces business events in the SESM portal. The debugging mechanism produces messages useful to developers in debugging applications. Table 5-1 describes the attributes in the Logger MBean.
Attribute Name | Explanation |
---|---|
Turns debugging on or off. That is, it controls whether Log.debug calls executed by the SESM application are displayed in the log file. Note Logging remains on regardless of this value. That is, all Log.trace and Log.warning calls executed in the SESM application are written to the log file regardless of the value of the debug attribute. To turn off logging, comment out the entire Logger MBean. Values for this attribute are:
The following parameters control the contents of debug messages that the application generates: logFrame, logStack, logThread, debugPatterns, and debugThreads. The following parameters control the types of logging messages produced: trace and warning. Installed default: false | |
By specifying one or more patterns, you turn on a filtering mechanism that excludes any message that does not match the pattern. The patterns are file, class, or method names. Pattern matching is based on substring matches. For example, if you specify the pattern RADIUS, the software focuses on RADIUS messages. To specify multiple patterns, separate the patterns using a comma. Installed default: empty, which means that you receive all messages. | |
Specifies a specific thread name for which to show debugging messages. You can specify multiple thread names, separating them using a comma. For example: 6,13,22. By default, no thread name is specified. Because each user interaction with the SESM web application takes place in a thread named for that user, this parameter can be used to focus the logging trace on a specific user activity. Enter a list of thread names separated by commas. Installed default: empty | |
Specifies the level of detail in debugging messages. When the debug attribute is set to false, this attribute is ignored. Values are MAX, MED, or LOW. Installed default: LOW | |
Specifies format of dates in the log file. Installed default: yyyyMMdd:HHmmss.SSS | |
Where:
| |
Controls whether or not to log the calling member function. Installed default: false | |
Controls whether or not to log stack traces. Installed default: false | |
Controls whether or not to log thread IDs. Installed default: true | |
Controls whether or not to route log messages to stderr, in addition to the log file. This parameter is useful for monitoring the SESM web application at the command line. Displaying output to stderr is not recommended for production deployments. Installed default: true | |
Controls whether or not to log trace messages. These messages indicate entry and exit to code points. Installed default: true | |
Controls whether or not to log warning messages (nonfatal exceptions). Installed default: true |
The ManagementConsole MBean configures the portal's management console port, including valid user names and passwords for accessing the console. See the "Configuring the ManagementConsole MBean" section for more information.
The SESM MBean configures SESM features and options, including the SESM mode.Table 5-2 describes the attributes in the SESM MBean.
Attribute Name | Explanation |
---|---|
An SESM portal runs in one of the following modes.
The value for mode is a Java system property named: This system property is different from most of the other system properties used in the MBean configuration files, in that, by default, the startup script does not set this system property. Therefore, the application runs in the mode specified in the MBean configuration file unless you explicitly override that value at run time. The installation program sets the default value to match the type of installation you perform (RADIUS, LDAP, or Demo.) To change the mode, you can:
| |
Enables or disables the single sign-on feature.
Installed default: true | |
In RADIUS mode, set this attribute to false, because SSG automatically makes the connections immediately after authentication. You do not need SESM to request those connections. In LDAP mode, the SSG performs automatic connections if it obtains a service list from the RDP. If SSG does not obtain the service list from RDP, you should set this attribute to true. The Add Services option, which is set during RDP installation, controls whether or not the RDP returns a service list to SSG. The Add Services option configures RDP to either:
| |
Specifies the time in seconds that a service or group object must be idle in the cache before its resources are deallocated from memory. Installed default: 600 | |
The minimum time in seconds that an SESM session can be in memory without being accessed. If this value is 0 or undefined, the application calculates a value as: profileCachePeriod * 2. Installed default: 1200 | |
| |
SESM applications include automatic memory management features that constantly work to free unused memory. If this attribute is set correctly, the application does not run out of memory. If this attribute is set too small, the application might run out of memory and terminate abnormally. The installed default is correct for the NWSP application. You might need to adjust the value for customized applications. If subscribers are receiving the server busy message too frequently, increase the amount of memory reserved for the application. This value is set in the startup script. See the "SESM Portal Application Memory Requirements" section for more information. Installed default: 10485760 |
The SESMDemoMode MBean configures SESM in demo mode. Table 5-3 describes the attributes in the SESMDemoMode MBean.
Attribute Name | Explanation |
---|---|
Specifies the file that contains data for Demo mode. The installed value is:
Where:
The SESM start script derives the value for application.home from an expected (installed) directory structure. To change the value of application.home, edit the start script. |
The DESSMode MBean configures SPE attributes used by the SESM application. Table 5-4 describes the attributes in the DESSMode MBean.
Attribute Name | Explanation |
---|---|
The time in seconds between checking the authorization tokens. Default: 300 seconds | |
The length of time in seconds a token can remain in cache without being used before it is deleted. Default: 600 seconds | |
naming | The component in distinguished name (dn) that the LDAP directory uses to allow access to the directory. For example: |
The SSG MBean configures communication between SESM web applications and SSGs. The MBean also includes attributes that determine which SSG should handle a subscriber request. Table 5-5 describes the attributes in the SSG MBean.
Object | Attribute Name | Explanation |
---|---|---|
Sets the policy to use for mapping SSGs to subscribers. Installed default: com.cisco.sesm.ssg.DefaultSSGIPPolicy The DefaultSSGIPPolicy is implemented using the attributes described in the rest of this table. Other policies are subsets of DefaultSSGIPPolicy. Deployers might also implement customized policies of their own. See the javadoc for more information. | ||
Global attributes The global attributes apply to all SSGs that the SESM web application might communicate with. To determine how an SSG is configured, use the show run command on the SSG host. | The global value for RADIUS ports on the SSG hosts. This value must match the value configured on the SSG device using the following command:
You can create subnet entries in the MBean configuration file to override this global value for specific SSGs. | |
The number of seconds the SESM web application waits before timing out RADIUS packets that it sends to SSG. You cannot override this global value. Installed default: 5 | ||
The number of times the SESM web application resends a RADIUS packet to SSG if no response is received. You cannot override this global value. Installed default: 3 | ||
The global value for the RADIUS protocol shared secret used for communication between the SESM web application and the SSGs. This value must match the value entered on the SSG device using the ssg radius-helper key command. You can create subnet entries in the MBean configuration file to override this global value for specific SSGs. | ||
The global value for the mask that the SESM web application applies to incoming subscriber IP addresses to derive an IP address for the SSG. You can create subnet entries in the MBean configuration file to override this global value for specific subnets. | ||
SSG global attributes (continued) | The global value for the maximum number of simultaneous requests that SESM portals can send to an SSG. The RADIUS protocol queues additional requests and issues them as the SSG returns responses or timeout messages for previous requests. Installed default: 20 | |
The global value for the port bundle length that SSGs use when the port-bundle host key feature is enabled. The port bundle length is the number of bits that SSG uses to indicate bundled slots. For example, a value of 4 indicates 16 bundled slots. This value must match the value used in the following command on the SSG host: ssg port-map length
Default: You set this value during installation. | ||
The global value indicating whether or not the port-bundle host key feature is enabled on the SSGs. If BUNDLE_LENGTH is zero, then the value of this switch is important.
| ||
MIN_LOCAL_PORT MAX_LOCAL_PORT | Together, these two attributes specify a range of UDP ports for RADIUS protocol requests from the SESM portal application to the SSG. By using these attributes, you restrict the source ports used by NWSP to only the ports in the specified range. For example, you might want to restrict port usage if a firewall separates SESM from other components. In that case, you can configure the firewall to allow traffic through the specified range of ports. You can create subnet entries in the MBean configuration file to override this global value for specific SSGs. | |
Use subnet entries to override the global values or to map client subnets to specific SSGs when the port-bundle host key feature is not being used. See the "Associating SSGs with Subscriber Requests" section on page 5-15 for more information about using subnet entries. | Subnet entries use positional arguments. | The format for a subnet entry is: <Call name="setSubnetAttribute"> The call to setSubnetAttribute has four positional arguments:
1. subnetAddress is the subnet for which you are explicitly setting a value, overriding the globally set value. 2. subnetMask is the mask that can be applied to the subscriber's IP address to derive the subnet. 3. argumentName is the argument that you are explicitly setting: ssg port-map length
4. argumentValue is the value for argumentName. |
Table 5-6 describes the attributes in the AAA MBean.
Attribute Name | Explanation |
---|---|
The maximum number of simultaneous requests that SESM web applications can send to a RADIUS server. This is a RADIUS protocol attribute. The RADIUS protocol queues additional requests and issues them as the server returns responses or timeout messages for previous requests. Installed default: 256 | |
The number of seconds the SESM web application waits before timing out RADIUS packets that it sends to the AAA server. Installed default: 4 | |
The number of times the SESM web application resends packets to the AAA server if no response is received. Installed default: 3 | |
The IP address or the host name of the primary AAA server. | |
The port number that the primary RADIUS server listens on. Default: 1812 | |
The shared secret used between the RADIUS server and the SESM web application. The shared secret must be the same for the primary and secondary servers. It must match the secret specified when you configured SESM as a NAS client on the RADIUS server. Default: | |
The IP address or host name of the secondary AAA server. If you are not using a secondary RADIUS server, reenter the primary server. | |
The port number that the secondary RADIUS server listens on. If you are not using a secondary server, reenter the primary server. Default: 1812 | |
The password that the SESM web application uses to request service profiles from the RADIUS server. It must match the service password values used in the service profiles in the RADIUS database. Default: | |
The password that the SESM web application uses to request group profiles from the RADIUS server. It must match the service group password values used in the service group profiles in the RADIUS database. Default: |
The Firewall MBean configures fields on the NWSP My Firewall page. Table 5-7 describes the attributes in the Firewall MBean. For more information about configuring and using the SESM firewall features, see the "Personal Firewalls" section.
The Firewall MBean defines a list of firewall protocols and firewall applications, which are SESM concepts used in a different way than the OSI protocol and application concepts. You can specify ACLs on firewall applications, but not on firewall protocols.
<Key>ip</Key>
<Value>ip</Value>
<Key>tcp</Key>
<Value>tcp</Value>
<Key>ftp</Key>
<Value>tcp, 21</Value>
<Key>https</Key>
<Value>tcp,443</Value>
<Key>imap</Key>
<Value>tcp,143</Value>
<Key>ip</Key>
<Value>ip</Value>
<Key>tcp</Key>
<Value>tcp</Value>
<Key>ftp</Key>
<Value>ftp</Value>
<Key>email</Key>
<Value>smtp,pop2,pop3,imap</Value>
<Key>www</Key>
<Value>http,https</Value>
SESM includes many predefined firewall protocols and firewall applications. You can see all of these predefined values by accessing the NWSP Agent View. In the Firewall MBean, click in the value column for the read-only attributes AllApplicationDescriptions and AllProtocolDescriptions.
You can use the customProtocols and customApplications attributes in the Firewall MBean to define additional firewall protocols and firewall applications.
Attribute Name | Explanation |
---|---|
Defines additional firewall protocols. Each item in the array consists of two elements:
For example: <Key>tcp</Key>
<Value>tcp</Value>
<Key>ftp</Key>
<Value>tcp, 21</Value>
See the "Firewall Protocols and Applications" section for a definition and more examples of firewall protocols. Several firewall protocols are predefined in SESM and do not need to be explicitly defined here. | |
Defines additional firewall applications. Each item in the array consists of two elements:
<Key>ftp</Key>
<Value>ftp</Value>
<Key>www</Key>
<Value>http,https</Value>
See the "Firewall Protocols and Applications" section for a definition and more examples of firewall applications. | |
Specifies the firewall applications that appear on the NWSP My Firewall page, in the Applications/Protocols column. Items in this list must be defined as predefined or custom firewall applications. To see a list of all defined applications, open the portal's Agent View management console and click in the value column of the AllApplicationsDescriptions attribute, a read-only attribute in the Firewall MBean. The text that represents the application on the My Firewall page is configured as a resource bundle in the portal application's directory. For example, for NWSP, resources are in:
The portal searches its resource bundles for the resource firewallAppNameDescription, where firewallAppName is the application defined in the Firewall MBean. If a matching resource is not found, then firewallAppName is displayed on the My Firewall page. For example, consider the following firewall application:
The portal searches for a resource named wwwDescription, and displays the text in the appropriate language on the My Firewall page. (In the installed files, this is World-Wide-Web for the en locale.) If the wwwDescription resource did not exist, then www would appear on the My Firewall page. | |
Specifies direction (in or out) for the default access control direction in the ACLs created by SESM. See the "ACLs Generated from Entries on the Firewall Pages" section for more information about created ACLs. Value values for direction are:
All connections have a return path. A block on in also affects traffic traveling in the opposite direction, and vice-versa. For any ACL, the choice of whether to control the in or out direction is a matter of preference. | |
Sets the return option for TCP applications. Recommended values are: permit and default. Default refers to the Permit/Deny All Else button on the My Farewell page. Default: permit Note You can alter the My Firewall JSP to add a button allowing the subscriber to choose the TCP return option. The JSP contains commented-out code for an ipPermission button, which you could copy to implement a return TCP permission button. |
The WebApp MBean configures options of the SESM portal application, including:
Table 5-8 describes the attributes in the WebApp MBean.
Attribute Name | Explanation |
---|---|
Controls whether or not the application prompts the user for confirmation before it acts on a request to start a service. Default: FALSE | |
Controls whether or not the application prompts the user for confirmation before it acts on a request to log off. Default: TRUE | |
Controls whether or not the application prompts the user for confirmation before it acts on a request to log off of the SESM application. Default: TRUE | |
Controls whether SESM requests the SSG to disconnect an existing service connection if the subscriber unsubscribes from that service. Applies to LDAP mode only. | |
The number of seconds of inactivity allowed before the application closes a session. This value overrides the timeout value in the nwsp.jetty.xml file. Default: 7200 | |
These attributes control the length of user names and passwords. A value of 0 is valid for usernameMinLength and passwordMinLength. Configuration files from SESM releases earlier than Release 3.1(7) that use the credentialMaxLength attribute are valid. The value in credentialMaxLength sets usernameMaxLength and passwordMaxLength values. Defaults for usernameMinLength and passwordMinLength: 1 Defaults for usernameMaxLength and passwordMaxLength: 30 | |
These attributes are related to the captive portal solution. See Table 11-4 for explanations of these attributes. | |
You can create arbitrary attributes and associate them with subscriber requests in the manner described in the "Arbitrary Attributes" section. |
The Location MBean defines locations and associated attributes for the location awareness feature based on complete ID attributes. Table 5-9 describes the attributes in the Location MBean. For more information about configuring location awareness, see "Location Awareness" section.
Attribute Name | Explanation |
---|---|
Defines the SESM class containing the logic for location determination. You can change this attribute to point to a customized service provider interface (SPI) class. | |
Defines an array of location values. Each location in the array consists of the following items: Note Configure locations by editing the configuration file, not by using AgentView.
<New class="com.cisco.sesm.core.location.IPRangeParam">
<Set name="start" type="String">10.0.0.0</Set>
<Set name="end" type="String">10.10.0.0</Set>
</New>
<New class="com.cisco.sesm.core.location.VPIRangeParam">
<Set name="start" type="int">1</Set>
<Set name="end" type="int">2</Set>
</New>
<New class="com.cisco.sesm.core.location.SubInterfaceParam">
<Set name="subInterface" type="String">Ethernet0/0</Set>
</New>
|
You can set the attributes that associate an SSG with subscriber requests globally, by client subnet, or for a specific client IP address, as follows:
Note To use the port-bundle host key feature, the SSG device must be running Cisco IOS Release 12.2(2)B or later and the SSG port-bundle host key feature must be configured appropriately. |
When the port-bundle host key feature is enabled on an SSG, the SSG replaces the subscriber IP address in the request with a software token (or key) when it forwards the request to SESM. The SESM application uses this key in its responses to SSG, and the SSG does an internal translation to an actual host object.
The key is a unique combination of an SSG IP address from a range of IP addresses and a port number from a range of port numbers, as follows:
The IP address and port ranges are configured on each SSG. The key uniquely identifies each subscriber currently logged on to SESM, even when multiple subscribers are using the same IP address.
To use the port-bundle host key feature to associate SSGs, follow these procedures:
1. Enable and configure the port-bundle host key feature on all of the SSGs, as described in the Configuring the Port-Bundle Host Key Feature on SSG.
2. Configure the same values on all of the SSG hosts for the following attributes:
ssg radius-helper
authenticationPort
ssg radius-helper
key
ssg port-map length
3. When the SESM installation program prompts you, enter the globally-configured values in Step 2. These values are saved as global elements in the SSG MBean, as the following example illustrates.
When the port-bundle host key feature is enabled and configured, you can set all parameters globally.
<Configure name="com.cisco.aggbu:name=SSG">
<Call name="setGlobalAttribute"><Arg>PORT</Arg><Arg>1812</Arg></Call>
<Call name="setGlobalAttribute"><Arg>SECRET</Arg><Arg>cisco</Arg></Call>
<Call name="setGlobalAttribute"><Arg>MASK</Arg><Arg>255.255.255.255</Arg></Call>
<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>4</Arg></Call>
</Configure>
In this example, all SSGs are configured to use a port of 1812 and a shared RADIUS secret of cisco
. The BUNDLE_LENGTH of 4 indicates that port-bundle host key is configured on all SSGs.
The MASK attribute specifies the mask that SESM applies to the client (source) IP address in a received message to determine the client's subnet, and, from that, the SSG IP address. However, when a host key is used, the client (source) IP address is the SSG IP address. The SESM installation program provides the default mask of 255.255.255.255.
If port-bundle host key is enabled on all SSGs, but some are configured differently, you can configure the global case and then specifically configure exceptions. For example, if all but one SSG is assigned the same shared secret, you can configure the shared secret attribute globally, and then add one subnet entry to configure the different secret for the single SSG.
The installation program lets you provide one set of SSG global attribute values and one subnet entry. It records these attribute values in the <Configure name="SSG"> section of the application MBean configuration file, as illustrated in the following example.
In this example, port-bundle host key is enabled on all SSGs. In addition, all SSGs are using the same port, secret, and client IP address mask, except that one SSG uses a different port. In this case, you can set all parameters globally, and then use one subnet entry to define:
In the following example, the SSG that services subnet 10.1.1.0 uses port 1245.
<Configure name="com.cisco.aggbu:name=SSG">
<Call name="setGlobalAttribute"><Arg>PORT</Arg><Arg>1812</Arg></Call>
<Call name="setGlobalAttribute"><Arg>SECRET</Arg><Arg>cisco</Arg></Call>
<Call name="setGlobalAttribute"><Arg>MASK</Arg><Arg>255.255.255.255</Arg></Call>
<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>4</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.1.0</Arg><Arg>255.255.255.0</Arg><Arg>PORT
</Arg><Arg>1245</Arg></Call>
</Configure>
Each request arriving at an SESM web application contains a source, or client, IP address. SESM uses this client IP address to determine which SSG should handle each request.
<Call name="setSubnetAttribute">
<Arg>10.2.0.0</Arg><Arg>255.255.0.0</Arg><Arg>IP</Arg><Arg>10.6.7.1</Arg></Call>
In this example, port-bundle host key is not being used. In this case, you must explicitly define the mapping from subscriber subnet to the SSG IP address.
<Configure name="com.cisco.aggbu:name=SSG">
<Call name="setGlobalAttribute"><Arg>PORT</Arg><Arg>1645</Arg></Call>
<Call name="setGlobalAttribute"><Arg>SECRET</Arg><Arg>cisco</Arg></Call>
<Call name="setGlobalAttribute"><Arg>MASK</Arg><Arg>255.255.255.255</Arg></Call>
<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>0</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.1.0</Arg><Arg>255.255.255.0</Arg><Arg>IP
</Arg><Arg>10.21.1.2</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.2.0</Arg><Arg>255.255.255.0</Arg><Arg>IP
</Arg><Arg>10.21.2.2</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.3.0</Arg><Arg>255.255.255.0</Arg><Arg>IP
</Arg><Arg>10.21.3.2</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.4.0</Arg><Arg>255.255.255.0</Arg><Arg>IP
</Arg><Arg>10.21.4.2</Arg></Call>
</Configure>
The Cisco SESM is a collection of components for creating specialized Java 2 Platform, Enterprise Edition (J2EE) web server applications. J2EE provides a framework for using various Java-based components to develop multi-tiered applications. The multi-tiered application (as opposed to the 2-tiered client server application) provides many opportunities for isolating and controlling functional pieces of a large application. For more information about the J2EE development platform, see:
A Cisco SESM application consists of the following:
<installDir>nwsp
call "%SCRIPTDIR%start.cmd" nwsp %PORTNO%
jetty
subdirectory. For example, for the NWSP application, the configuration filename is: nwsp.jetty.xml
To create the required configuration files and startup scripts for a customized SESM application that will run in a Jetty server, follow these steps:
Step 1 Create a configuration file for the new application in the container's config directory. You can copy the nwsp.jetty.xml file and appropriately rename it. For example:
jetty
config
newApplication.jetty.xml
Step 2 Edit the new file.
Step 3 Create a startup script for the new application by copying the startNWSP script and appropriately renaming the copy. For example:
jetty
bin
startNewApplication
Step 4 Edit the new file, changing the application name and the port number parameters.
Step 5 Copy the nwsp directory structure, and rename the nwsp objects appropriately. For example, copy:
nwsp
config
nwsp.xml
docroot
docs
Step 6 See the Cisco Subscriber Edge Services Manager Web Developer Guide for information about customizing the JSPs, images, and other components. That guide also describes how to update the docroot folder, recompile affected components, and edit the web.xml file.
Posted: Fri Oct 18 09:58:16 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.