This chapter describes how to configure the Security Policy Engine (SPE) component to work with SESM applications. The chapter includes the following topics:
SPE uses the following MBeans:
The SPE MBeans are used by any application that incorporates the SPE, which could include SESM portals deployed in LDAP mode, the RDP server, and the CDAT application. Each application has its own version of SPE MBeans.
To change attributes in the SPE MBeans, you can either:
applicationName/config/dessauth.xml
Note The SPE component does not have its own management console. Rather, the SPE MBeans are managed from the application's MBean list, on the application's management console.
The Directory MBean configures logging and caching attributes for the executing classes in the SPE APIs. Table 8-1 describes the attributes in the Directory MBean (the attribute-name column was lost in extraction except where the explanation itself names the attribute).
Attribute Name | Explanation |
---|---|
| Root name of the individual connection MBeans. This MBean searches for other MBeans that begin with this name and assumes that those MBeans are connections to the directory. |
| Do not change the installed value. |
| Default LDAP context. This is the organization and organizational unit that was created to hold the SESM data. |
| If set to true, all the attributes of an LDAP entry are returned for each query. |
| Name of the directory log file. |
| Should be one of: NONE, ERROR, BRIEF, VERBOSE, or DEBUG. |
| If set to true, the application sends trace messages to the console and writes them into the log file. |
| If set to true, the application prints a stack trace with each trace message. |
cacheMaxObjects | Specifies the maximum number of software objects to hold in the cache. Objects represent subscribers, services, privileges, roles, and so on. When the cache contains cacheMaxObjects objects, old objects are deleted from the cache regardless of available cache space. Set this value high to let the available cache space be the determining factor for cache management. Installed default: 50000 |
cacheMinFreeMem | Specifies the percentage of Java virtual memory that must remain available (that is, not used by the cache) after the application is loaded into memory. The memory available for the cache is: cacheSize = (JavaVirtualMemory - applCodeSize) * (100% - cacheMinFreeMem), where JavaVirtualMemory is the maximum virtual memory size specified at application startup time with the JVM argument (the installed startup scripts set this value), applCodeSize is the application size (the NWSP is approximately 18 MB), and cacheMinFreeMem is the percentage of the JVM that must remain available after the application is loaded into memory. For example, the cacheSize for NWSP is 90% of 14 MB, or 12.6 MB: cacheSize = (32 MB - 18 MB) * (100% - 10%). Default: 10 |
| Specifies the timeout of inactive client sessions in seconds. Default: 600 |
| Specifies the interval in seconds after which the cache attempts to expire objects. Note Do not set this attribute to 0. A value of 0 causes every request to go to the directory, bypassing caching and any memory storage from a recent request for the same object, and degrades performance substantially. Default: 600 |
| Specifies the number of seconds before objects time out. Default: 600 |
The Connection MBeans configure location and security attributes required to connect to an LDAP directory. If you configure and deploy two LDAP directories for failover protection, make sure to configure two instances of the connection MBean, using the appropriate connection information for the primary and secondary directories. The connection MBean names are:
Table 8-2 describes the attributes in the Connection MBeans (the attribute-name column was lost in extraction).
Attribute Name | Explanation |
---|---|
| Number of active connections allowed to the LDAP server. |
| Credentials (such as the password) used for connecting to the LDAP server. |
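The following is an added example, not Cisco SESM code: a pre-deployment sanity check for the Directory MBean settings in Table 8-1 and the Connection MBeans in Table 8-2. It applies the cacheSize formula and the constraints the tables state (the log level enumeration, the expire interval that must not be 0, and two distinct directories when failover is configured). The dictionary keys logLevel, cacheExpireInterval, maxConnections, credentials and host are assumed labels for the rows whose attribute names the page lost; cacheMaxObjects and cacheMinFreeMem are the names the page itself uses.

```python
"""Sanity checks for SPE Directory and Connection MBean settings (added example).

Attribute names other than cacheMaxObjects and cacheMinFreeMem are assumed
labels, not the real dessauth.xml attribute names.
"""

LOG_LEVELS = {"NONE", "ERROR", "BRIEF", "VERBOSE", "DEBUG"}


def cache_size_mb(jvm_mb, app_code_mb, cache_min_free_mem_pct):
    """cacheSize = (JavaVirtualMemory - applCodeSize) * (100% - cacheMinFreeMem)."""
    if not 0 <= cache_min_free_mem_pct <= 100:
        raise ValueError("cacheMinFreeMem must be a percentage between 0 and 100")
    if app_code_mb > jvm_mb:
        raise ValueError("application code size exceeds the JVM maximum memory")
    return (jvm_mb - app_code_mb) * (100 - cache_min_free_mem_pct) / 100


def check_directory(attrs):
    """Return a list of problems found in the Directory MBean attributes."""
    problems = []
    if attrs.get("logLevel") not in LOG_LEVELS:
        problems.append("log level must be one of NONE, ERROR, BRIEF, VERBOSE, DEBUG")
    # Table 8-1: an expire interval of 0 bypasses the cache on every request.
    if attrs.get("cacheExpireInterval", 600) == 0:
        problems.append("cacheExpireInterval of 0 sends every request to the directory")
    if attrs.get("cacheMaxObjects", 50000) <= 0:
        problems.append("cacheMaxObjects must be positive")
    return problems


def check_connections(connections, failover=False):
    """One Connection MBean per directory; failover needs two distinct directories."""
    problems = []
    for conn in connections:
        name = conn.get("name", "<unnamed>")
        if conn.get("maxConnections", 0) <= 0:
            problems.append(f"{name}: number of active connections must be positive")
        if not conn.get("credentials"):
            problems.append(f"{name}: no credentials for binding to the LDAP server")
    if failover and len({c.get("host") for c in connections}) < 2:
        problems.append("failover requires two Connection MBeans for different directories")
    return problems
```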
The SPE installation process optionally performs these update activities (extending the directory schema and loading the initial RBAC objects). If you did not choose these options during installation, you must perform these updates before running CDAT or SESM applications in LDAP mode.
To perform these updates after SESM installation, use either of the following procedures:
dess-auth/schema/README.SESM.LDIF.html
To use the SESM custom installation process to extend the directory schema and load initial RBAC objects, follow these procedures:
Step 1 Make sure the LDAP directory server is running.
Step 2 Make sure you know the following user IDs and passwords:
Step 3 Execute the SESM installation program on a server that has network access to the LDAP directory.
Step 4 When the installation program prompts for setup type, choose Custom.
Step 5 When the installation program prompts for the components to install, choose SPE.
Step 6 When the installation program prompts for directory connection information, provide correct information to access the directory. This includes the names of the organization and organizational unit you created to hold the SESM data.
Step 7 When the installation program displays the options, click Update schema and Install RBAC.
dess-auth/schema/samples/DESSusecasedata.ldf
To load the sample data, follow instructions in the following file:
dess-auth/schema/README.SESM.LDIF.html
Posted: Fri Oct 18 09:59:14 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.