Securent Entitlement Management Solution v 3.1 GA Installation & Configuration Guide September 2007 Part No. 31-INSTALLGUIDE-2


Copyright

Copyright © 2006-2007 Securent, Inc. All Rights Reserved.

Restricted Rights

This software and documentation is subject to and made available only pursuant to the terms of the Securent Inc. License Agreement and may be used or copied only in accordance with the terms of that agreement. It is against the law to copy the software except as specifically allowed in the agreement. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from Securent, Inc. THE SOFTWARE AND DOCUMENTATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND INCLUDING WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. FURTHER, Securent DOES NOT WARRANT, GUARANTEE, OR MAKE ANY REPRESENTATIONS REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR WRITTEN MATERIAL IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY, OR OTHERWISE.


Contents

Securent Overview
Minimum System Requirements
    Minimum Hardware Requirements for Server Machine
    Minimum Software Requirements for Server Machine
    Minimum Database Requirements
Common Installation steps
Installing Securent PAP and PDP on Windows
Installing Securent PAP and PDP on Linux
Installing Securent PAP and PDP on Solaris
Installing Securent PAP on Windows
Installing Securent PAP on Linux
Installing Securent PAP on Solaris
Installing Securent PDP on Windows
Installing Securent PDP on Linux
Installing Securent PDP on Solaris
JMS Configuration for PAP PDP Database Separation
    JMS Configuration for ActiveMQ Server
    JMS Configuration for Servers other than ActiveMQ
Verifying the Securent PAP-PDP Installation
Updating Securent License
Troubleshooting Securent Installation
Using Connection Pools
    Setting up WebLogic Connection Pool for PAP
    Setting up WebLogic Connection Pool for PDP
    Setting up WebSphere Connection Pool
Installing EMS as a Windows Service on Windows 2003
Deployment of war files in application server
Appendix 1 - Sample config.xml
Appendix 2 - Sample pap-config.xml
Appendix 3 - Sample pdp-config.xml


Introduction

This document provides a step-by-step procedure for installing and configuring Securent Entitlement Management Solution v 3.1GA components on Linux, Solaris, and Windows server machines.

Securent Overview

The Securent Entitlement Management Solution (EMS) consists of the following components:

The Policy Decision Point (PDP), also called the Securent Entitlement Engine, evaluates application-specific authorization policies. PDPs connect with existing information repositories, for example, LDAP, AD, and databases.

The Policy Administration Point (PAP), also called the Securent Administration Console, provides central administration, management and monitoring of entitlement policies with delegation and integration with an Entitlement Repository.

The Policy Enforcement Point (PEP), also called the Securent Agent, enforces entitlement policy decisions that are made by the PDP.

Fig 1: Securent deployment diagram


The Securent_installer (the distribution) is used to install the PAP and PDP only. The third component, PEP (an agent), is embedded into the application for which the entitlement solution is sought.

How the components are installed is at the user's discretion: the installer lets the user choose whether PAP and PDP are installed together on a single server or separately on individual servers.


Installing Securent Software

Minimum System Requirements

This section lists system requirements for different components of the Securent EMS.

Minimum Hardware Requirements for Server Machine

The following minimum system hardware configuration is necessary to install and deploy Securent PAP and PDP:

500 MHz

1GB RAM

40 GB Hard Disk

CD-ROM Drive (Internal)

10/100 Mbps Network Card

512 MB minimum space

Minimum Software Requirements for Server Machine

The following minimum system software configuration is necessary to install and deploy Securent PAP and PDP:

Component            Requirement
Operating System     Linux or Solaris or Windows 2000/NT/XP with SP1 or above
Software             Java Development Kit 1.4.x. , 3.0
Application Server   Apache Tomcat 5.x, WebLogic Server 8.1/9.2/10.0 SP4, WebSphere 6.1

Minimum Database Requirements

The following minimum database system software configuration is necessary to install and deploy Securent PAP and PDP:

Component                    Requirement
Database Server              Oracle 9i or 10g, MS-SQL Server 2000, MS-SQL Server 2005
Minimum Space Required       2 GB of user table space, 2 GB of temporary table space
Schema / user for Securent   A DB user with the privileges listed below should be created prior to installation.


Oracle DB Privileges

The following Oracle database privileges are required for the Securent DB-Schema:

• CREATE SESSION

• ALTER SESSION

• UNLIMITED TABLESPACE

• CREATE TABLE

• CREATE CLUSTER

• CREATE SYNONYM

• CREATE VIEW

• CREATE SEQUENCE

• CREATE DATABASE LINK

• CREATE PROCEDURE

• CREATE TRIGGER

• CREATE TYPE

• CREATE OPERATOR

• CREATE INDEXTYPE


Common Installation steps

The installation process performs the following activities:

1. Creates the Securent home directory (Securent installation directory) and updates the configuration files.

2. Creates DB objects (tables, functions, etc.) and populates the bootstrap data and a sample application.

3. If the installer includes an embedded Tomcat, Tomcat is installed.

4. PDP and PAP WAR files are deployed on the embedded Tomcat. These files are also available for deployment on alternate servlet containers.

The following steps are common to all environments for PAP and PDP installation. These steps are also valid for an individual PAP or PDP installation.

1. Unzip the SecurentInstaller_3.1_Windows.zip or SecurentInstaller_3.1_Linux.tar.gz file on your system.

For Solaris / Linux installation:

♦ Extract the tar file by using the following command:

gunzip -v SecurentInstaller_3.1_SunOs.tar.gz

♦ When this command is run, the SecurentInstaller_3.1_SunOs.tar file is created in the specified extraction folder.

♦ Unzip this tar file to extract Securent-3.1 by using the following command:

tar -xvf SecurentInstaller_3.1_SunOs.tar

2. Change directories to the location: Securent-v3.1/bin

3. DB password is configured in encrypted format in configuration files. To get an encrypted password, run the following command:

For Windows: encryptor.bat JAVA_HOME Password

For Solaris/Linux: encryptor.sh JAVA_HOME Password

where JAVA_HOME is replaced with the corresponding folder path for JAVA_HOME and Password is replaced with the chosen DB password. When this command is executed, an encrypted password is displayed. You must copy this encrypted password in the Password parameter of the database properties in the configure.properties file as explained in the following steps.


Installing Securent PAP and PDP on Windows

To install Securent v 3.1 on a Windows machine:

1. Follow steps 1 through 3 in the common installation steps section.

2. Edit the configure.properties file and update the following parameters:

♦ Relative paths are not supported. Use a forward slash '/' when specifying file locations instead of a backslash '\'.

♦ Specify the path to User_install_directory.

Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:

USER_INSTALL_DIR=C:/Securent-v3.1

♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.

♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.

♦ Update the Securent.DB_Selection= parameter by specifying the database name.

- For Oracle, set Securent.DB_Selection= Oracle

- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i

- For MS SQL Server 2000, set Securent.DB_Selection= mssql

♦ Update the following database variable settings for PAP:

─ SECURENT.PAPDB_URL = with the corresponding database URL

─ SECURENT.PAPDB_USR = with the corresponding username

─ SECURENT.PAPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

Note: If you are using the Oracle Thick Driver, set:

ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1

LD_LIBRARY_PATH to $ORACLE_HOME\lib

Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PAPDB_USR=username


SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for PDP:

─ SECURENT.PDPDB_URL = with the corresponding database URL

─ SECURENT.PDPDB_USR = with the corresponding username

─ SECURENT.PDPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for XACML log:

─ SECURENT.XACMLDB_URL = with the corresponding database URL

─ SECURENT.XACMLDB_USR = with the corresponding username

─ SECURENT.XACMLDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise skip it.

Update the following properties to enable JMS for PAP-PDP database separation:

─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true.

Provide the JMS Server related information by setting the following properties.


• SECURENT.JMSURL = JMS Server URL

• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class

• SECURENT.JMSUSERNAME = JMS user name

• SECURENT.JMSPASSWORD = JMS User Password

• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds

• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class

Example:

SECURENT.JMSURL= tcp://131.107.0.68:61616

SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory

SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER

SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

SECURENT.JMSRECONNECTINTERVAL= 100000

SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory

─ Update JNDI_ENABLE= tag to ‘true’ if you are using JNDI to read JMS configuration properties. You may provide the following authentication details for JNDI connection (which is optional).

• SECURENT.JNDIUSERNAME = JNDI User Name

• SECURENT.JNDIPASSWORD = JNDI User Password

Example:

SECURENT.JNDIUSERNAME= jndiUserName

SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

─ Update REPLY_TOPIC= tag with the reply topic name.

3. Set JAVA_HOME from the command prompt.

4. Run configure.bat file. If you are using WebSphere server, then instead of running this file you must run configurews_ear.bat.

5. Run createtables.bat file. This batch file should not be run when upgrading an existing version to a higher version. See Note 1 for upgrade details.

Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.

For example, if you are currently using Securent EMS V 3.0, instead of running createtables.bat file, upgrade your Securent application software from version 3.0 to 3.1GA by running the Migration-v3.0-3.1GA.sql file in your corresponding database client.


Following migration scripts are available for Securent EMS v3.1:

DB-Type   Migration Type         Migration Scripts
Oracle    v 1.4.3 to v 3.1GA     Migartionv1.4.3-3.1GA.SQL
Oracle    v 1.5 to v 3.1GA       Migartionv1.5-3.1 GA.SQL
Oracle    v 3.0 to v 3.1         Migartionv3.0-3.1 GA.SQL
Oracle    v 3.0.1 to v 3.1 GA    Migartionv3.0.1-3.1GA.SQL
Oracle    v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
MSSQL     v 1.5 to v 3.1GA       Migartionv1.5-3.1GA.SQL
MSSQL     v 3.0 to v 3.1GA       Migartionv3.0-3.1GA.SQL
MSSQL     v 3.0.1 to v 3.1GA     Migartionv3.0.1-3.1GA.SQL
MSSQL     v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL

After the migration is finished, run templateloader.bat file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.

Note 2: Do not run the templateloader.bat file when the installation is fresh, because createtables.bat is run while installing Securent for the first time. This file must be run only when migration is required.

(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)

6. Execute the database procedures in the following way:

- To execute the procedure in Oracle 9i, open the Oracle client and run pap.sql and pdp.sql files from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pap_config.xml and pdp_config.xml files to put PAP-PDP database separation into effect. Refer to JMS Configuration for how the <jms> tags of these files are updated.

- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql and pdp_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pap_config.xml and pdp_config.xml files to put PAP-PDP database separation into effect. Refer to JMS Configuration for how the <jms> tags of these files are updated.

- To execute the procedure in MS SQL Server, open the MS SQL client and run pap.sql and pdp.sql file from …/Securent-v3.1/db/scripts/mssql folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration for how the <jms> tags of these files are updated.

7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:


♦ Prepackaged Tomcat:

If you are using a prepackaged Tomcat application server, the WAR files are deployed during the installation steps above. The WAR files are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can directly start the Securent EMS by using startsecurentgui.bat file from .../Securent-v3.1/bin folder.

♦ External Tomcat:

- Edit the Tomcat_home/bin/catalina.bat file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>

- Copy securent.war and PDP.war files from the dist folder to the application folder and deploy these files.

- Start the server using startsecurentgui.bat file from .../Securent-v3.1/bin folder.

♦ WebLogic:

If you are using the BEA WebLogic Server:

- Edit startWLS.bat file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.

For example, -DSECURENT_HOME=D:/securent-v31

- Copy securent.war and pdp.war files from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.

- Open the WebLogic console in your web browser and deploy securent.war and pdp.war files. (Refer to How to deploy war files in WebLogic Server)

- Start the server by running startWLS.bat

Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.

(See Appendix 1 for a sample config.xml file with the added parameter.)

♦ WebSphere 6.1:

If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.bat file and follow these deployment instructions:

- Log in to the WebSphere Administrative Console

- Expand Servers in the navigation and click Application Servers

- Click the server name link. Ex: Server1

- Go to the Configuration tab, select Java and Process Management from the Server Infrastructure section, and select Process Definition

- On the Process Definition page, select Java Virtual Machine from Additional Properties

- In Java Virtual Machine, select Custom Properties from Additional Properties

- In Custom Properties, select the New button


- In the Configuration tab specify the name, value and description

Ex: Name: SECURENT_HOME

Value: D:/Securent-v31

Description: Not mandatory

- Restart the WebSphere server

- Deploy SecurentEMS.ear file (Refer to How to deploy .ear files in WebSphere server)

♦ ServletExec 5.0:

If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:

Note: Make sure the Default Web Site is running under IIS where ServletExec is installed

- Login to ServletExec Administrative Console

- Click options link under Virtual Machine in the left NAV

- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)

For example: -DSECURENT_HOME=D:\Securent-v31

- Click Submit

- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine

- Open ServletExec Administrative Console in the new browser window

- Deploy securent.war and pdp.war files (Refer to How to deploy war files in ServletExec server)

This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.

If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.

8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.

9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.

For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
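The configure.properties rules from step 2 (absolute forward-slash paths, Oracle_Version when Oracle is selected, encrypted *_PWD values, JMS properties when SHARED_REPOSITORY is false) can be checked before running configure.bat. The following is an added example, not part of the Securent distribution; upper-casing keys, treating a missing SHARED_REPOSITORY as true, and expecting encryptor output to be base64 (as in the guide's samples) are assumptions.

```python
import base64
import binascii
import re

# Ciphertexts printed as examples in the guide. One of these in a live file
# means the sample was pasted instead of running encryptor.bat / encryptor.sh.
GUIDE_SAMPLES = {"uKoPsYGLxkY=", "sZ/jQxr8QQNEq6iEZjvEnQ==",
                 "dQh1QLrLMfnDulySruPVDpfLSgm3Mw=="}
JMS_KEYS = ("JMSURL", "JMSCONNECTIONFACTORY", "JMSUSERNAME", "JMSPASSWORD",
            "JMSRECONNECTINTERVAL", "JMSPROVIDERCTXFACTORY")
JDBC_PREFIX = {"oracle": "jdbc:oracle:", "mssql": "jdbc:sqlserver:"}


def parse_properties(text):
    """Parse key=value lines. Keys are upper-cased (assumption: the guide
    prints both 'Securent.DB_Selection' and 'SECURENT.PAPDB_URL')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first '=' only: base64 values end in '=' padding.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip().upper()] = value.strip()
    return props


def password_problem(value):
    """Return why a *_PWD or JMSPASSWORD value is unacceptable, or None."""
    if not value:
        return "missing"
    if value in GUIDE_SAMPLES:
        return "sample value copied from the guide"
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        # Heuristic only: valid base64 does not prove the value is encrypted.
        return "not base64, looks like a plaintext password"
    return None


def lint(text):
    """Return a list of (key, problem) tuples for a configure.properties body."""
    props, findings = parse_properties(text), []
    for key in ("USER_INSTALL_DIR", "JAVA_HOME"):
        path = props.get(key, "")
        if "\\" in path:
            findings.append((key, "backslash in path, use '/'"))
        elif not re.match(r"(/|[A-Za-z]:/)", path):
            findings.append((key, "relative or empty path"))

    db = props.get("SECURENT.DB_SELECTION", "").lower()
    if db not in JDBC_PREFIX:
        findings.append(("SECURENT.DB_SELECTION", "expected Oracle or mssql"))
    elif db == "oracle" and not props.get("ORACLE_VERSION"):
        findings.append(("ORACLE_VERSION", "required when Oracle is selected"))

    required, passwords = [], []
    for block in ("PAPDB", "PDPDB", "XACMLDB"):
        url_key = f"SECURENT.{block}_URL"
        url = props.get(url_key, "")
        if db in JDBC_PREFIX and not url.startswith(JDBC_PREFIX[db]):
            findings.append((url_key, f"does not match DB_Selection={db}"))
        required.append(f"SECURENT.{block}_USR")
        passwords.append(f"SECURENT.{block}_PWD")
    # PAP-PDP database separation needs the JMS block and a reply topic.
    # A missing SHARED_REPOSITORY is treated as "true" (assumption).
    if props.get("SHARED_REPOSITORY", "true").lower() == "false":
        required += [f"SECURENT.{k}" for k in JMS_KEYS if k != "JMSPASSWORD"]
        required.append("REPLY_TOPIC")
        passwords.append("SECURENT.JMSPASSWORD")
    findings += [(k, "missing") for k in required if not props.get(k)]
    for key in passwords:
        problem = password_problem(props.get(key, ""))
        if problem:
            findings.append((key, problem))
    return findings


# Constructed sample file with deliberate mistakes (not from a real install).
SAMPLE = r"""
USER_INSTALL_DIR=C:\Securent-v3.1
JAVA_HOME=C:/jdk1.4.2
Securent.DB_Selection= Oracle
SECURENT.PAPDB_URL=jdbc:oracle:thin:@db.example.internal:1521:ems
SECURENT.PAPDB_USR=ems_pap
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
SECURENT.PDPDB_URL=jdbc:sqlserver://db.example.internal:1433;databaseName=ems
SECURENT.PDPDB_USR=ems_pdp
SECURENT.PDPDB_PWD=Summer2007!
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@db.example.internal:1521:ems
SECURENT.XACMLDB_USR=ems_log
SECURENT.XACMLDB_PWD=q83vEjRWeJA=
SHARED_REPOSITORY=false
SECURENT.JMSURL= tcp://mq.example.internal:61616
"""

if __name__ == "__main__":
    print("\n".join(f"{key}: {problem}" for key, problem in lint(SAMPLE)))
```

The password check only catches plaintext and pasted sample values; it says nothing about the strength of the password that was encrypted.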


Installing Securent PAP and PDP on Linux

Use this procedure to install PAP and PDP to run on a single server. The configure.properties file accommodates the properties and parameters of both PAP and PDP so that the two components can be installed in one pass. At the end of the installation process, a database table is created with default application group, application, its resources and roles in the PAP.

1. Follow steps 1 through 3 in the common installation steps section.

2. Edit configure.properties file and update the following parameters:

♦ Relative paths are not supported. Use '/' when specifying file locations instead of '\'.

♦ Specify the path to User_install_directory.

Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:

USER_INSTALL_DIR=C:/Securent-v3.1

♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.

♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.

♦ Update the Securent.DB_Selection= parameter by specifying the database name.

- For Oracle, set Securent.DB_Selection= Oracle

- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i

- For MS SQL Server 2000, set Securent.DB_Selection= mssql

♦ Update the following database variable settings for PAP:

─ SECURENT.PAPDB_URL = with the corresponding database URL

─ SECURENT.PAPDB_USR = with the corresponding username

─ SECURENT.PAPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

Note: If you are using the Oracle Thick Driver, set:

ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1

LD_LIBRARY_PATH to $ORACLE_HOME\lib

Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:


SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for PDP:

─ SECURENT.PDPDB_URL = with the corresponding database URL

─ SECURENT.PDPDB_USR = with the corresponding username

─ SECURENT.PDPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for XACML log:

─ SECURENT.XACMLDB_URL = with the corresponding database URL

─ SECURENT.XACMLDB_USR = with the corresponding username

─ SECURENT.XACMLDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise skip it.

Update the following properties to enable JMS for PAP-PDP database separation:

─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true.


Provide the JMS Server related information by setting the following properties.

• SECURENT.JMSURL = JMS Server URL

• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class

• SECURENT.JMSUSERNAME = JMS User Name

• SECURENT.JMSPASSWORD = JMS User Password

• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds

• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class

Example:

SECURENT.JMSURL= tcp://131.107.0.68:61616

SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory

SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER

SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

SECURENT.JMSRECONNECTINTERVAL= 100000

SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory

─ Set the JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may optionally provide the following authentication details for the JNDI connection:

• SECURENT.JNDIUSERNAME = JNDI User Name

• SECURENT.JNDIPASSWORD = JNDI User Password

Example:

SECURENT.JNDIUSERNAME= jndiUserName

SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

─ Update REPLY_TOPIC= tag with the reply topic name.

3. Set JAVA_HOME from the command prompt.

4. Run configure.sh file. If you are using WebSphere server, then instead of running this file you must run configurews_ear.sh.

5. Run createtables.sh file. Do not run this script while upgrading; see Note 1 below for upgrade details.

Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from the …/Securent-v3.1/migrate folder.

For example, if you are currently using Securent EMS V 3.0, instead of running createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.


Following migration scripts are available for Securent EMS v3.1:

| DB-Type | Migration Type | Migration Scripts |
| --- | --- | --- |
| Oracle | v 1.4.3 to v 3.1GA | Migartionv1.4.3-3.1GA.SQL |
| Oracle | v 1.5 to v 3.1GA | Migartionv1.5-3.1 GA.SQL |
| Oracle | v 3.0 to v 3.1 | Migartionv3.0-3.1 GA.SQL |
| Oracle | v 3.0.1 to v 3.1 GA | Migartionv3.0.1-3.1GA.SQL |
| Oracle | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL |
| MSSQL | v 1.5 to v 3.1GA | Migartionv1.5-3.1GA.SQL |
| MSSQL | v 3.0 to v 3.1GA | Migartionv3.0-3.1GA.SQL |
| MSSQL | v 3.0.1 to v 3.1GA | Migartionv3.0.1-3.1GA.SQL |
| MSSQL | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL |

After the migration is finished, run templateloader.sh file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.

Note 2: Do not run templateloader.sh file when the installation is fresh, because createtables.sh is run while installing Securent for the first time. This file must be run only when migration is required.

(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting the Securent Installation” section.)

6. Execute the database procedures in the following way:

- To execute the procedure in Oracle 9i, open the Oracle client and run the pap.sql and pdp.sql files from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files you must update the pap_config.xml and pdp_config.xml files to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql and pdp_wrapped.sql files from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files you must update the pap_config.xml and pdp_config.xml files to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in MS SQL Server, open the MS SQL client and run the pap.sql and pdp.sql files from the /Securent-v3.1/db/scripts/mssql folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:


♦ Prepackaged Tomcat:

If you are using a prepackaged Tomcat application server, WAR files are deployed during above installation steps. WAR files are copied in the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory. Thus, no separate deployment is required. You can directly start the Securent EMS by using startsecurentgui.sh file from .../Securent-v3.1/bin folder.

♦ External Tomcat:

- Edit the Tomcat_home/bin/catalina.sh file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>

- Copy securent.war and PDP.war files from the dist folder to the application folder and deploy these files.

- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.

♦ WebLogic:

If you are using the BEA WebLogic Server:

- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.

For example, -DSECURENT_HOME=D:/securent-v31

- Copy securent.war and pdp.war files from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.

- Open the WebLogic console in your web browser and deploy securent.war and pdp.war files. (Refer How to deploy war files in WebLogic Server)

- Start the server by running startWLS.sh

Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.

(See Appendix1 for a sample config.xml file with the added parameter.)

♦ WebSphere 6.1:

If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:

- Login to Websphere Administrative Console

- Expand Servers from the navigation and click on Application Servers

- Click on the name of the server link. Ex: Server1

- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition

- In Process Definition page Select Java Virtual Machine from Additional Properties.

- In the Java Virtual Machine Select Custom Properties from Additional Properties

- In Custom Properties, click the New button


- In the Configuration tab specify the name, value and description

Ex: Name: SECURENT_HOME

Value: D:/Securent-v31

Description: Not mandatory

- Restart the WebSphere server

- Deploy SecurentEMS.ear file (Refer How to deploy .ear files in WebSphere server)

♦ ServletExec 5.0:

If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:

Note: Make sure the Default Web Site is running under IIS where ServletExec is installed

- Login to ServletExec Administrative Console

- Click options link under Virtual Machine in the left NAV

- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)

For ex: -DSECURENT_HOME=D:\Securent-v31

- Click Submit

- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine

- Open ServletExec Administrative Console in the new browser window

- Deploy securent.war and pdp.war files (Refer How to deploy war files in ServletExec server)

This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.

If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.

8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.

9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.

For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.


Installing Securent PAP and PDP on Solaris

Use this procedure to install PAP and PDP to run on a single server. Necessary arrangements are made within the configure.properties file to accommodate properties and parameters of PAP and PDP to install both of these components in a single shot. At the end of the installation process, a database table is created with default application group, application, its resources and roles in the PAP.

To install Securent v 3.1 on a Solaris machine:

1. Follow steps 1 through 3 in the common installation steps section.

2. Edit configure.properties file and update the following parameters:

♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.

♦ Specify the path to User_install_directory.

Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:

USER_INSTALL_DIR=C:/Securent-v3.1

♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.

♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.

♦ Update the Securent.DB_Selection= parameter by specifying the database name.

- For Oracle, mention Securent.DB_Selection= Oracle

- If Oracle is selected you must mention the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i

- For MS SQL Server 2000, mention

Securent.DB_Selection= mssql

♦ Update the following database variable settings for PAP:

─ SECURENT.PAPDB_URL = with the corresponding database URL

─ SECURENT.PAPDB_USR = with the corresponding username

─ SECURENT.PAPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

Note: If you are using Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib

Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin

SECURENT.PAPDB_USR=username


SECURENT.PAPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for PDP:

─ SECURENT.PDPDB_URL = with the corresponding database URL

─ SECURENT.PDPDB_USR = with the corresponding username

─ SECURENT.PDPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for XACML log:

─ SECURENT.XACMLDB_URL = with the corresponding database URL

─ SECURENT.XACMLDB_USR = with the corresponding username

─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise skip it.

Update the following properties to enable JMS for PAP-PDP database separation:

─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this tag to true, the <sharedrepository> tag in both of these files is updated to true.

Provide the JMS Server related information by setting the following properties.

• SECURENT.JMSURL = JMS Server URL

• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class

• SECURENT.JMSUSERNAME = JMS User Name

• SECURENT.JMSPASSWORD = JMS User Password

• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds

• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class

Example:

SECURENT.JMSURL= tcp://131.107.0.68:61616

SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory

SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER

SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

SECURENT.JMSRECONNECTINTERVAL= 100000

SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory

─ Set the JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may optionally provide the following authentication details for the JNDI connection:

• SECURENT.JNDIUSERNAME = JNDI User Name

• SECURENT.JNDIPASSWORD = JNDI User Password

Example:

SECURENT.JNDIUSERNAME= jndiUserName

SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

─ Update REPLY_TOPIC= tag with the reply topic name.

3. Set JAVA_HOME from the command prompt.

4. Run configure.sh file. If you are using WebSphere server, then instead of running this file you must run configurews_ear.sh.

5. Run createtables.sh file. Do not run this script while upgrading; see Note 1 below for upgrade details.

Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.


For example, if you are currently using Securent EMS V 3.0, instead of running createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.

Following migration scripts are available for Securent EMS v3.1:

| DB-Type | Migration Type | Migration Scripts |
| --- | --- | --- |
| Oracle | v 1.4.3 to v 3.1GA | Migartionv1.4.3-3.1GA.SQL |
| Oracle | v 1.5 to v 3.1GA | Migartionv1.5-3.1 GA.SQL |
| Oracle | v 3.0 to v 3.1 | Migartionv3.0-3.1 GA.SQL |
| Oracle | v 3.0.1 to v 3.1 GA | Migartionv3.0.1-3.1GA.SQL |
| Oracle | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL |
| MSSQL | v 1.5 to v 3.1GA | Migartionv1.5-3.1GA.SQL |
| MSSQL | v 3.0 to v 3.1GA | Migartionv3.0-3.1GA.SQL |
| MSSQL | v 3.0.1 to v 3.1GA | Migartionv3.0.1-3.1GA.SQL |
| MSSQL | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL |


After the migration is finished, run the templateloader.sh file from the /Securent-v3.1/bin folder to load the latest templates into Securent DB.

Note 2: Do not run the templateloader.sh file when the installation is fresh, because createtables.sh is run while installing Securent for the first time. This file must be run only when migration is required.

(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)

6. Execute the database procedures in the following way:

- To execute the procedure in Oracle 9i, open the Oracle client and run the pap.sql and pdp.sql files from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files you must update the pap_config.xml and pdp_config.xml files to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql and pdp_wrapped.sql files from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files you must update the pap_config.xml and pdp_config.xml files to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in MS SQL Server, open the MS SQL client and run the pap.sql and pdp.sql files from the /Securent-v3.1/db/scripts/mssql folder.


If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:

♦ Prepackaged Tomcat:

If you are using a prepackaged Tomcat application server, WAR files are deployed during above installation steps. WAR files are copied in the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory. Thus, no separate deployment is required. You can directly start the Securent EMS by using startsecurentgui.sh file from .../Securent-v3.1/bin folder.

♦ External Tomcat:

- Edit the Tomcat_home/bin/catalina.bat file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>

- Copy securent.war and PDP.war files from the dist folder to the application folder and deploy these files.

- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.

♦ WebLogic:

If you are using the BEA WebLogic Server:

- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.

For example, -DSECURENT_HOME=D:/securent-v31

- Copy securent.war and pdp.war files from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.

- Open the WebLogic console in your web browser and deploy securent.war and pdp.war files. (Refer How to deploy war files in WebLogic Server)

- Start the server by running startWLS.sh

Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.

(See Appendix1 for a sample config.xml file with the added parameter.)

♦ WebSphere 6.1:

If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:

- Login to Websphere Administrative Console

- Expand Servers from the navigation and click on Application Servers

- Click on the name of the server link. Ex: Server1

- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition


- In Process Definition page Select Java Virtual Machine from Additional Properties.

- In the Java Virtual Machine Select Custom Properties from Additional Properties

- In Custom Properties, click the New button

- In the Configuration tab specify the name, value and description

Ex: Name: SECURENT_HOME

Value: D:/Securent-v31

Description: Not mandatory

- Restart the WebSphere server

- Deploy SecurentEMS.ear file (Refer How to deploy .ear files in WebSphere server)

♦ ServletExec 5.0:

If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:

Note: Make sure the Default Web Site is running under IIS where ServletExec is installed

- Login to ServletExec Administrative Console

- Click options link under Virtual Machine in the left NAV

- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)

For ex: -DSECURENT_HOME=D:\Securent-v31

- Click Submit

- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine

- Open ServletExec Administrative Console in the new browser window

- Deploy securent.war and pdp.war files (Refer How to deploy war files in ServletExec server)

This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.

If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.

8. Verify whether the PAP and PDP are installed successfully. See the “Verifying Securent PAP-PDP Installation” section.

9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.

For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
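The rules that step 2 of this procedure sets for configure.properties can be checked before configure.sh is run. The Python script below is an added example, not part of the Securent distribution; it assumes that encrypted passwords are Base64 strings (as the guide's sample values are), and the sample file contents are constructed.

```python
import base64
import binascii
import re

# Property names are the ones the guide lists in step 2 of the procedure.
JDBC_SCHEME = {"oracle": "jdbc:oracle:", "mssql": "jdbc:sqlserver:"}
PATH_KEYS = ("USER_INSTALL_DIR", "JAVA_HOME")
JMS_KEYS = ("SECURENT.JMSURL", "SECURENT.JMSCONNECTIONFACTORY",
            "SECURENT.JMSUSERNAME", "SECURENT.JMSPASSWORD",
            "SECURENT.JMSRECONNECTINTERVAL", "SECURENT.JMSPROVIDERCTXFACTORY",
            "REPLY_TOPIC")
ABSOLUTE = re.compile(r"^(/|[A-Za-z]:/)")  # Unix root or Windows drive letter


def parse_properties(text):
    """Read KEY=VALUE lines (simplified: no continuations or escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def looks_encrypted(value):
    """Heuristic (assumption): encrypted values are Base64, as in the guide's
    samples. Failing means clear text; passing does not prove encryption."""
    if not value:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def validate(props, components=("PAP", "PDP", "XACML")):
    """Return a list of (property, problem) pairs; empty means no findings."""
    findings = []
    for key in PATH_KEYS:
        value = props.get(key, "")
        if "\\" in value:
            findings.append((key, "use '/' rather than '\\' in paths"))
        elif not ABSOLUTE.match(value):
            findings.append((key, "relative paths are not supported"))

    db = props.get("Securent.DB_Selection", "").lower()
    if db not in JDBC_SCHEME:
        findings.append(("Securent.DB_Selection", "expected Oracle or mssql"))
    elif db == "oracle" and not props.get("Oracle_Version"):
        findings.append(("Oracle_Version", "required when Oracle is selected"))

    for comp in components:
        prefix = f"SECURENT.{comp}DB"
        url = props.get(prefix + "_URL", "")
        if not url:
            findings.append((prefix + "_URL", "missing"))
        elif db in JDBC_SCHEME and not url.startswith(JDBC_SCHEME[db]):
            findings.append((prefix + "_URL", "JDBC URL does not match DB type"))
        if not props.get(prefix + "_USR"):
            findings.append((prefix + "_USR", "missing"))
        if not looks_encrypted(props.get(prefix + "_PWD", "")):
            findings.append((prefix + "_PWD", "not an encrypted (Base64) value"))

    # JMS settings only matter when PAP and PDP use separate databases.
    if props.get("SHARED_REPOSITORY", "").lower() == "false":
        for key in JMS_KEYS:
            if not props.get(key):
                findings.append((key, "required when SHARED_REPOSITORY=false"))
        interval = props.get("SECURENT.JMSRECONNECTINTERVAL", "")
        if interval and not interval.isdigit():
            findings.append(("SECURENT.JMSRECONNECTINTERVAL",
                             "must be a number of milliseconds"))
    return findings


# Constructed sample with deliberate mistakes (not a real deployment).
SAMPLE = r"""
USER_INSTALL_DIR=C:\Securent-v3.1
JAVA_HOME=jdk1.5
Securent.DB_Selection= Oracle
SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=Secret!123
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@host:1521:sid
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
SHARED_REPOSITORY=false
SECURENT.JMSURL= tcp://host:61616
SECURENT.JMSRECONNECTINTERVAL= 10s
"""

if __name__ == "__main__":
    for key, problem in validate(parse_properties(SAMPLE), ("PAP", "XACML")):
        print(f"{key}: {problem}")
```

Pass only the components being installed, for example ("PAP", "XACML") for a PAP-only installation, so that database settings the guide does not ask for are not reported as missing.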


Installing Securent PAP on Windows

To install Securent V3.1 PAP on a Windows machine:

1. Follow steps 1 through 3 in the common installation steps section.

2. Edit configure.properties file and update the following parameters:

♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.

♦ Specify the path to User_install_directory.

Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:

USER_INSTALL_DIR=C:/Securent-v3.1

♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.

♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.

♦ Update the Securent.DB_Selection= parameter by specifying the database name.

- For Oracle, mention Securent.DB_Selection= Oracle

- If Oracle is selected you must mention the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i

- For MS SQL Server 2000, mention

Securent.DB_Selection= mssql

♦ Update the following database variable settings for PAP:

─ SECURENT.PAPDB_URL = with the corresponding database URL

─ SECURENT.PAPDB_USR = with the corresponding username

─ SECURENT.PAPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

Note: If you are using Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib

Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==


♦ Update the following database variable settings for XACML log:

─ SECURENT.XACMLDB_URL = with the corresponding database URL

─ SECURENT.XACMLDB_USR = with the corresponding username

─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise skip it.

Update the following properties to enable JMS for PAP-PDP database separation:

─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this tag to true, the <sharedrepository> tag in both of these files is updated to true.

Provide the JMS Server related information by setting the following properties.

• SECURENT.JMSURL = JMS Server URL

• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class

• SECURENT.JMSUSERNAME = JMS User Name

• SECURENT.JMSPASSWORD = JMS User Password

• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds

• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class

Example:

SECURENT.JMSURL= tcp://131.107.0.68:61616

SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory

SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER

SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

SECURENT.JMSRECONNECTINTERVAL= 100000

SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory


─ Set the JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may optionally provide the following authentication details for the JNDI connection:

• SECURENT.JNDIUSERNAME = JNDI User Name

• SECURENT.JNDIPASSWORD = JNDI User Password

Example:

SECURENT.JNDIUSERNAME= jndiUserName

SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

─ Update REPLY_TOPIC= tag with the reply topic name.

3. Set JAVA_HOME from the command prompt.

4. Run configure.bat file.

5. Run createtables.bat file. Do not run this batch file while upgrading; see Note 1 below for upgrade details.

Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from the …/Securent-v3.1/migrate folder.

For example, if you are currently using Securent EMS V 3.0, instead of running createtables.bat file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.

Following migration scripts are available for Securent EMS v3.1:

| DB-Type | Migration Type | Migration Scripts |
| --- | --- | --- |
| Oracle | v 1.4.3 to v 3.1GA | Migartionv1.4.3-3.1GA.SQL |
| Oracle | v 1.5 to v 3.1GA | Migartionv1.5-3.1 GA.SQL |
| Oracle | v 3.0 to v 3.1 | Migartionv3.0-3.1 GA.SQL |
| Oracle | v 3.0.1 to v 3.1 GA | Migartionv3.0.1-3.1GA.SQL |
| Oracle | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL |
| MSSQL | v 1.5 to v 3.1GA | Migartionv1.5-3.1GA.SQL |
| MSSQL | v 3.0 to v 3.1GA | Migartionv3.0-3.1GA.SQL |
| MSSQL | v 3.0.1 to v 3.1GA | Migartionv3.0.1-3.1GA.SQL |
| MSSQL | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL |

After the migration is finished, run templateloader.bat file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.

Note 2: Do not run templateloader.bat file when the installation is fresh, because createtables.bat is run when installing Securent for the first time. This file must be run only when migration is required.


(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)

6. Execute the database procedures in the following way:

- To execute the procedure in Oracle 9i, open the Oracle client and run the pap.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files you must update the pap_config.xml file (see Appendix 2) to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files you must update the pap_config.xml file to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in MS SQL Server, open the MS SQL client and run the pap.sql file from the /Securent-v3.1/db/scripts/mssql folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:

♦ Prepackaged Tomcat:

If you are using the prepackaged Tomcat application server, the WAR files are deployed during the installation steps above: they are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can start the Securent EMS directly by running the startsecurentgui.bat file from the .../Securent-v3.1/bin folder.

♦ External Tomcat:

- Edit the Tomcat_home/bin/catalina.bat file, appending -DSECURENT_HOME=<folder path of Securent-v3.1> to the JAVA_OPTS variable.

- Copy the securent.war file from the dist folder to the application folder and deploy it.

- Start the server using the startsecurentgui.bat file from the .../Securent-v3.1/bin folder.

♦ WebLogic:

If you are using the BEA WebLogic Server:

- Edit startWLS.bat file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.

For example, -DSECURENT_HOME=D:/securent-v31

- Copy securent.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.

- Open the WebLogic console in your web browser and deploy securent.war file. (Refer How to deploy war files in WebLogic Server)

- Start the server by running startWLS.bat

Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.

(See Appendix1 for a sample config.xml file with the added parameter.)

♦ WebSphere 6.1:

If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.bat file and follow these deployment instructions:

- Login to Websphere Administrative Console

- Expand Servers from the navigation and click on Application Servers

- Click on the name of the server link. Ex: Server1

- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition

- In Process Definition page Select Java Virtual Machine from Additional Properties.

- In the Java Virtual Machine Select Custom Properties from Additional Properties

- In Custom Properties, select the New button

- In the Configuration tab specify the name, value and description

Ex: Name: SECURENT_HOME

Value: D:/Securent-v31

Description: Not mandatory

- Restart the WebSphere server

- Deploy securent.war file (Refer How to deploy war files in WebSphere server)

♦ ServletExec 5.0:

If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:

Note: Make sure the Default Web Site is running under IIS where ServletExec is installed

- Login to ServletExec Administrative Console

- Click options link under Virtual Machine in the left NAV

- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)

For ex: -DSECURENT_HOME=D:\Securent-v31

- Click Submit

- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine

- Open ServletExec Administrative Console in the new browser window

- Deploy securent.war file (Refer How to deploy war files in ServletExec server)

This process installs PAP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.

If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.

8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.

9. Licensing Info: Under the licensing agreement, you may use the Securent Application for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.

For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
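
The WebLogic v 9.2 note in step 7 changes a domain-wide security setting, so it is worth confirming afterwards that the flag sits where the note says it should. The check below is an added example, not part of the Securent guide or product; the sample config.xml documents and the urn:example namespace are constructed, and tags are matched by local name so the real domain namespace does not matter.

```python
import xml.etree.ElementTree as ET

FLAG = "enforce-valid-basic-auth-credentials"
SECTION = "security-configuration"


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def basic_auth_flag_state(config_xml):
    """Classify the flag in a WebLogic domain config.xml given as text.

    Returns one of:
      "no-section"   - <security-configuration> is absent
      "misplaced"    - the flag exists, but not directly under that section
      "unset"        - flag absent, so the server default applies
      "true"/"false" - explicit value found under <security-configuration>
      "invalid"      - flag present with a value other than true/false
    """
    root = ET.fromstring(config_xml)
    sections = [e for e in root.iter() if local(e.tag) == SECTION]
    if not sections:
        return "no-section"
    # Direct children of the section versus every occurrence in the file.
    inside = [c for s in sections for c in s if local(c.tag) == FLAG]
    everywhere = [e for e in root.iter() if local(e.tag) == FLAG]
    if len(everywhere) > len(inside):
        return "misplaced"
    if not inside:
        return "unset"
    value = (inside[0].text or "").strip().lower()
    return value if value in ("true", "false") else "invalid"


# Constructed samples; "urn:example:domain" is a placeholder namespace.
AS_IN_NOTE = """<domain xmlns="urn:example:domain">
  <name>securent_domain</name>
  <security-configuration>
    <name>securent_domain</name>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  </security-configuration>
</domain>"""

MISPLACED = """<domain xmlns="urn:example:domain">
  <name>securent_domain</name>
  <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  <security-configuration>
    <name>securent_domain</name>
  </security-configuration>
</domain>"""

UNTOUCHED = """<domain xmlns="urn:example:domain">
  <security-configuration>
    <name>securent_domain</name>
  </security-configuration>
</domain>"""

if __name__ == "__main__":
    for label, doc in (("as in note", AS_IN_NOTE),
                       ("misplaced", MISPLACED),
                       ("untouched", UNTOUCHED)):
        print(f"{label}: {basic_auth_flag_state(doc)}")
```

With the flag set to false, WebLogic stops validating HTTP Basic credentials itself on requests to unsecured resources and passes the Authorization header through to the deployed application. Because the setting covers the whole domain, review the other applications deployed in it.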

Installing Securent PAP on Linux

To install Securent V3.1 PAP on a Linux machine:

1. Follow steps 1 through 3 in the common installation steps section.

2. Edit configure.properties file and update the following parameters:

♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.

♦ Specify the path to User_install_directory.

Note: This is useful only when using the “prepack” Tomcat. You must specify an absolute path, for example:

USER_INSTALL_DIR=C:/Securent-v3.1

♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.

♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.

♦ Update the Securent.DB_Selection= parameter by specifying the database name.

- For Oracle, specify Securent.DB_Selection= Oracle

- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i

- For MS SQL Server 2000, specify Securent.DB_Selection= mssql

♦ Update the following database variable settings for PAP:

─ SECURENT.PAPDB_URL = with the corresponding database URL

─ SECURENT.PAPDB_USR = with the corresponding username

─ SECURENT.PAPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

Note: If you are using the Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib

Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for XACML log:

─ SECURENT.XACMLDB_URL = with the corresponding database URL

─ SECURENT.XACMLDB_USR = with the corresponding username

─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise, skip it.

Update the following properties to enable JMS for PAP-PDP database separation:

─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise, set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true. Provide the JMS server information by setting the following properties.

• SECURENT.JMSURL = JMS Server URL

• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class

• SECURENT.JMSUSERNAME = JMS User Name

• SECURENT.JMSPASSWORD = JMS User Password

• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds

• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class

Example:

SECURENT.JMSURL= tcp://131.107.0.68:61616

SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory

SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER

SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

SECURENT.JMSRECONNECTINTERVAL= 100000

SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory

─ Set the JNDI_ENABLE= tag to true if you are using JNDI to read the JMS configuration properties. You may optionally provide the following authentication details for the JNDI connection:

• SECURENT.JNDIUSERNAME= JNDI User Name

• SECURENT.JNDIPASSWORD= JNDI User Password

Example:

SECURENT.JNDIUSERNAME= jndiUserName

SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

─ Update REPLY_TOPIC= tag with the reply topic name.

3. Set JAVA_HOME from the command prompt.

4. Run configure.sh file.

5. Run the createtables.sh file. Do not run this script when upgrading; see Note 1 below for upgrade details.

Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your existing version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from the …/Securent-v3.1/migrate folder.

For example, if you are currently using Securent EMS V 3.0, instead of running the createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.

The following migration scripts are available for Securent EMS v3.1:

DB-Type | Migration Type | Migration Scripts
Oracle | v 1.4.3 to v 3.1GA | Migartionv1.4.3-3.1GA.SQL
Oracle | v 1.5 to v 3.1GA | Migartionv1.5-3.1 GA.SQL
Oracle | v 3.0 to v 3.1 | Migartionv3.0-3.1 GA.SQL
Oracle | v 3.0.1 to v 3.1 GA | Migartionv3.0.1-3.1GA.SQL
Oracle | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL
MSSQL | v 1.5 to v 3.1GA | Migartionv1.5-3.1GA.SQL
MSSQL | v 3.0 to v 3.1GA | Migartionv3.0-3.1GA.SQL
MSSQL | v 3.0.1 to v 3.1GA | Migartionv3.0.1-3.1GA.SQL
MSSQL | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL

After the migration is finished, run templateloader.sh file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.

Note 2: Do not run templateloader.sh file when the installation is fresh, because createtables.sh is run while installing Securent for the first time. This file must be run only when migration is required.

(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)

6. Execute the database procedures in the following way:

- To execute the procedure in Oracle 9i, open the Oracle client and run the pap.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pap_config.xml file (see Appendix 2) so that the PAP-PDP database separation takes effect. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pap_config.xml file so that the PAP-PDP database separation takes effect. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in MS SQL Server, open the MS SQL client and run the pap.sql file from the /Securent-v3.1/db/scripts/mssql folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

7. Deploy the PAP WAR files by starting the application server using one of the following methods:

♦ Prepackaged Tomcat:

If you are using the prepackaged Tomcat application server, the WAR files are deployed during the installation steps above: they are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can start the Securent EMS directly by running the startsecurentgui.sh file from the .../Securent-v3.1/bin folder.

♦ External Tomcat:

- Edit the Tomcat_home/bin/catalina.sh file, appending -DSECURENT_HOME=<folder path of Securent-v3.1> to the JAVA_OPTS variable.

- Copy the securent.war file from the dist folder to the application folder and deploy it.

- Start the server using the startsecurentgui.sh file from the .../Securent-v3.1/bin folder.

♦ WebLogic:

If you are using the BEA WebLogic Server:

- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.

For example, -DSECURENT_HOME=D:/securent-v31

- Copy securent.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.

- Open the WebLogic console in your web browser and deploy securent.war file. (Refer How to deploy war files in WebLogic Server)

- Start the server by running startWLS.sh

Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.

(See Appendix1 for a sample config.xml file with the added parameter.)

♦ WebSphere 6.1:

If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:

- Login to Websphere Administrative Console

- Expand Servers from the navigation and click on Application Servers

- Click on the name of the server link. Ex: Server1

- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition

- In Process Definition page Select Java Virtual Machine from Additional Properties.

- In the Java Virtual Machine Select Custom Properties from Additional Properties

- In Custom Properties, select the New button

- In the Configuration tab specify the name, value and description

Ex: Name: SECURENT_HOME

Value: D:/Securent-v31

Description: Not mandatory

- Restart the WebSphere server

- Deploy securent.war file (Refer How to deploy war files in WebSphere server)

♦ ServletExec 5.0:

If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:

Note: Make sure the Default Web Site is running under IIS where ServletExec is installed

- Login to ServletExec Administrative Console

- Click options link under Virtual Machine in the left NAV

- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)

For ex: -DSECURENT_HOME=D:\Securent-v31

- Click Submit

- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine

- Open ServletExec Administrative Console in the new browser window

- Deploy securent.war file (Refer How to deploy war files in ServletExec server)

This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.

If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.

8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.

9. Licensing Info: Under the licensing agreement, you may use the Securent Application for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.

For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
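
A pre-flight audit for the configure.properties edits in step 2, meant to be run before configure.sh; it is an added example, not Securent code. Assumptions: keys are compared case-insensitively, the step 3 encryption tool emits Base64 like the guide's sample values, and the JAVA_HOME path and the plaintext password in the sample are constructed.

```python
import base64
import binascii
import re

PATH_KEYS = ("USER_INSTALL_DIR", "JAVA_HOME")
JDBC_PREFIX = {"oracle": "jdbc:oracle:", "mssql": "jdbc:sqlserver:"}
# Properties the guide lists for a non-shared (separate PAP/PDP) repository.
JMS_KEYS = ("SECURENT.JMSURL", "SECURENT.JMSCONNECTIONFACTORY",
            "SECURENT.JMSUSERNAME", "SECURENT.JMSPASSWORD",
            "SECURENT.JMSRECONNECTINTERVAL",
            "SECURENT.JMSPROVIDERCTXFACTORY", "REPLY_TOPIC")


def parse_properties(text):
    """Return {UPPERCASED_KEY: value} for every KEY=VALUE line."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip().upper()] = value.strip()
    return props


def could_be_tool_output(value):
    """Assumption: the step 3 tool emits Base64, as in the guide's samples.

    Only strings that cannot be Base64 are rejected; a plaintext value that
    happens to be valid Base64 (for example "password") still passes.
    """
    try:
        return len(base64.b64decode(value, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def audit(text):
    """Return (key, problem) findings in check order; [] means none."""
    p = parse_properties(text)
    findings = []

    for key in PATH_KEYS:
        value = p.get(key, "")
        if "\\" in value:
            findings.append((key, "uses '\\'; the guide requires '/'"))
        elif not re.match(r"(/|[A-Za-z]:/)", value):
            findings.append((key, "missing or not an absolute path"))

    db = p.get("SECURENT.DB_SELECTION", "").lower()
    if db not in JDBC_PREFIX:
        findings.append(("SECURENT.DB_SELECTION", "expected Oracle or mssql"))
    elif db == "oracle" and not p.get("ORACLE_VERSION"):
        findings.append(("ORACLE_VERSION", "required when Oracle is selected"))

    for key, value in p.items():
        if (key.endswith("DB_URL") and db in JDBC_PREFIX
                and not value.startswith(JDBC_PREFIX[db])):
            findings.append((key, "JDBC URL does not match the DB selection"))
        if (key.endswith(("_PWD", "PASSWORD")) and value
                and not could_be_tool_output(value)):
            findings.append((key, "not Base64; possibly a plaintext password"))

    shared = p.get("SHARED_REPOSITORY", "").lower()
    if shared not in ("true", "false"):
        findings.append(("SHARED_REPOSITORY", "must be true or false"))
    elif shared == "false":
        for key in JMS_KEYS:
            if not p.get(key):
                findings.append((key, "required for a non-shared repository"))
        interval = p.get("SECURENT.JMSRECONNECTINTERVAL", "")
        if interval and not interval.isdigit():
            findings.append(("SECURENT.JMSRECONNECTINTERVAL",
                             "must be a whole number of milliseconds"))
    return findings


# Constructed sample modelled on the guide's example values, with five
# deliberate mistakes: a backslash path, no Oracle_Version, an MS SQL URL
# under an Oracle selection, a plaintext password and no REPLY_TOPIC.
SAMPLE = """\
USER_INSTALL_DIR=C:\\Securent-v3.1
JAVA_HOME=/usr/java/jdk1.5.0
Securent.DB_Selection= Oracle
SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=Passw0rd!
SHARED_REPOSITORY=false
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
"""

if __name__ == "__main__":
    for key, problem in audit(SAMPLE):
        print(f"{key}: {problem}")
```

The same audit applies to the PDP properties, because any key ending in DB_URL or _PWD is checked.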

Installing Securent PAP on Solaris

To install Securent V3.1 PAP on a Solaris machine:

1. Follow steps 1 through 3 in the common installation steps section.

2. Edit configure.properties file and update the following parameters:

♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.

♦ Specify the path to User_install_directory.

Note: This is useful only when using the “prepack” Tomcat. You must specify an absolute path, for example:

USER_INSTALL_DIR=C:/Securent-v3.1

♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.

♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.

♦ Update the Securent.DB_Selection= parameter by specifying the database name.

- For Oracle, specify Securent.DB_Selection= Oracle

- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i

- For MS SQL Server 2000, specify Securent.DB_Selection= mssql

♦ Update the following database variable settings for PAP:

─ SECURENT.PAPDB_URL = with the corresponding database URL

─ SECURENT.PAPDB_USR = with the corresponding username

─ SECURENT.PAPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

Note: If you are using the Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib

Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PAPDB_USR=username

SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for XACML log:

─ SECURENT.XACMLDB_URL = with the corresponding database URL

─ SECURENT.XACMLDB_USR = with the corresponding username

─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise, skip it.

Update the following properties to enable JMS for PAP-PDP database separation:

─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise, set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true. Provide the JMS server information by setting the following properties.

• SECURENT.JMSURL = JMS Server URL

• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class

• SECURENT.JMSUSERNAME = JMS User Name

• SECURENT.JMSPASSWORD = JMS User Password

• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds

• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class

Example:

SECURENT.JMSURL= tcp://131.107.0.68:61616

SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory

SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER

SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

SECURENT.JMSRECONNECTINTERVAL= 100000

SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory

─ Set the JNDI_ENABLE= tag to true if you are using JNDI to read the JMS configuration properties. You may optionally provide the following authentication details for the JNDI connection:

• SECURENT.JNDIUSERNAME= JNDI User Name

• SECURENT.JNDIPASSWORD= JNDI User Password

Example:

SECURENT.JNDIUSERNAME= jndiUserName

SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

─ Update REPLY_TOPIC= tag with the reply topic name.

3. Set JAVA_HOME from the command prompt.

4. Run configure.sh file.

5. Run the createtables.sh file. Do not run this script when upgrading; see Note 1 below for upgrade details.

Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your existing version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from the …/Securent-v3.1/migrate folder.

For example, if you are currently using Securent EMS V 3.0, instead of running the createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.

The following migration scripts are available for Securent EMS v3.1:

DB-Type | Migration Type | Migration Scripts
Oracle | v 1.4.3 to v 3.1GA | Migartionv1.4.3-3.1GA.SQL
Oracle | v 1.5 to v 3.1GA | Migartionv1.5-3.1 GA.SQL
Oracle | v 3.0 to v 3.1 | Migartionv3.0-3.1 GA.SQL
Oracle | v 3.0.1 to v 3.1 GA | Migartionv3.0.1-3.1GA.SQL
Oracle | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL
MSSQL | v 1.5 to v 3.1GA | Migartionv1.5-3.1GA.SQL
MSSQL | v 3.0 to v 3.1GA | Migartionv3.0-3.1GA.SQL
MSSQL | v 3.0.1 to v 3.1GA | Migartionv3.0.1-3.1GA.SQL
MSSQL | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL

After the migration is finished, run templateloader.sh file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.

Note 2: Do not run templateloader.sh file when the installation is fresh, because createtables.sh is run while installing Securent for the first time. This file must be run only when migration is required.

(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting the Securent Installation” section.)

6. Execute the database procedures in the following way:

- To execute the procedure in Oracle 9i, open the Oracle client and run the pap.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pap_config.xml file (see Appendix 2) so that the PAP-PDP database separation takes effect. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pap_config.xml file so that the PAP-PDP database separation takes effect. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in MS SQL Server, open the MS SQL client and run the pap.sql file from the /Securent-v3.1/db/scripts/mssql folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

7. Deploy the PAP WAR files by starting the application server using one of the following methods:

♦ Prepackaged Tomcat:

If you are using the prepackaged Tomcat application server, the WAR files are deployed during the installation steps above: they are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can start the Securent EMS directly by running the startsecurentgui.sh file from the .../Securent-v3.1/bin folder.

♦ External Tomcat:

- Edit the Tomcat_home/bin/catalina.sh file, appending -DSECURENT_HOME=<folder path of Securent-v3.1> to the JAVA_OPTS variable.

- Copy the securent.war file from the dist folder to the application folder and deploy it.

- Start the server using the startsecurentgui.sh file from the .../Securent-v3.1/bin folder.

♦ WebLogic:

If you are using the BEA WebLogic Server:

- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.

For example, -DSECURENT_HOME=D:/securent-v31

- Copy securent.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.

- Open the WebLogic console in your web browser and deploy securent.war file. (Refer How to deploy war files in WebLogic Server)

- Start the server by running startWLS.sh

Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.

(See Appendix1 for a sample config.xml file with the added parameter.)

♦ WebSphere 6.1:

If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:

- Login to Websphere Administrative Console

- Expand Servers from the navigation and click on Application Servers

- Click on the name of the server link. Ex: Server1

- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition

- In Process Definition page Select Java Virtual Machine from Additional Properties.

- In the Java Virtual Machine Select Custom Properties from Additional Properties

- In Custom Properties, select the New button

- In the Configuration tab specify the name, value and description

Ex: Name: SECURENT_HOME

Value: D:/Securent-v31

Description: Not mandatory

- Restart the WebSphere server

- Deploy securent.war file (Refer How to deploy war files in WebSphere server)

♦ ServletExec 5.0:

If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:

Note: Make sure the Default Web Site is running under IIS where ServletExec is installed

- Login to ServletExec Administrative Console

- Click options link under Virtual Machine in the left NAV

- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)

For ex: -DSECURENT_HOME=D:\Securent-v31

- Click Submit

- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine

- Open ServletExec Administrative Console in the new browser window

- Deploy securent.war file (Refer How to deploy war files in ServletExec server)

This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.

If the server throws any exception at this stage, see the “Troubleshooting the Securent Installation” section.

8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.

9. Licensing Info: Under the licensing agreement, you may use the Securent Application for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.

For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.

Installing Securent PDP on Windows

To install Securent V3.1 PDP on a Windows machine:

1. Follow steps 1 through 3 in the common installation steps section.

2. Edit configure.properties file and update the following parameters:

♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.

♦ Specify the path to User_install_directory.

Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:

USER_INSTALL_DIR=C:/Securent-v3.1

♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.

♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.

♦ Update the Securent.DB_Selection= parameter by specifying the database name.

- For Oracle, specify Securent.DB_Selection= Oracle

- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i

- For MS SQL Server 2000, specify Securent.DB_Selection= mssql

♦ Update the following database variable settings for PDP:

─ SECURENT.PDPDB_URL = with the corresponding database URL

─ SECURENT.PDPDB_USR = with the corresponding username

─ SECURENT.PDPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

Note: If you are using the Oracle Thick Driver, set the following:

ORACLE_HOME - /usr/oracle/oracle/product/10.2.0/db_1

LD_LIBRARY_PATH - $ORACLE_HOME\lib

Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for XACML log:

─ SECURENT.XACMLDB_URL = with the corresponding database URL

─ SECURENT.XACMLDB_USR = with the corresponding username

─ SECURENT.XACMLDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise skip it.

Update the following properties to enable JMS for PAP-PDP database separation:

─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true. Provide the JMS server information by setting the following properties:

• SECURENT.JMSURL = JMS Server URL

• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class

• SECURENT.JMSUSERNAME = JMS User Name

• SECURENT.JMSPASSWORD = JMS User Password

• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds

• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class

Example:

SECURENT.JMSURL= tcp://131.107.0.68:61616

SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory

SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER

SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

SECURENT.JMSRECONNECTINTERVAL= 100000

SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory

─ Update the JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may optionally provide the following authentication details for the JNDI connection:

• SECURENT.JNDIUSERNAME = JNDI User Name

• SECURENT.JNDIPASSWORD = JNDI User Password

Example:

SECURENT.JNDIUSERNAME= jndiUserName

SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

─ Update REPLY_TOPIC= tag with the reply topic name.

3. Set JAVA_HOME from the command prompt.

4. Run configure.bat file.

5. Run createtables.bat file. Do not run this file while upgrading; see Note 1 below for upgrade details.

Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from the …/Securent-v3.1/migrate folder.

For example, if you are currently using Securent EMS V 3.0, instead of running createtables.bat file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.

The following migration scripts are available for Securent EMS v3.1:

DB-Type    Migration Type         Migration Scripts
Oracle     v 1.4.3 to v 3.1GA     Migartionv1.4.3-3.1GA.SQL
Oracle     v 1.5 to v 3.1GA       Migartionv1.5-3.1 GA.SQL
Oracle     v 3.0 to v 3.1         Migartionv3.0-3.1 GA.SQL
Oracle     v 3.0.1 to v 3.1 GA    Migartionv3.0.1-3.1GA.SQL
Oracle     v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
MSSQL      v 1.5 to v 3.1GA       Migartionv1.5-3.1GA.SQL
MSSQL      v 3.0 to v 3.1GA       Migartionv3.0-3.1GA.SQL
MSSQL      v 3.0.1 to v 3.1GA     Migartionv3.0.1-3.1GA.SQL
MSSQL      v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL

(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)

6. Execute the database procedures in the following way:

- To execute the procedure in Oracle 9i, open the Oracle client and run the pdp.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pdp_config.xml file (see Appendix 3) to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in Oracle 10g, open the Oracle client and run the pdp_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pdp_config.xml file to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in MS SQL Server, open the MS SQL client and run the pdp.sql file from the /Securent-v3.1/db/scripts/mssql folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

7. Deploy the PDP WAR files by starting the application server using one of the following methods:

♦ Prepackaged Tomcat:

If you are using a prepackaged Tomcat application server, the WAR files are deployed during the installation steps above: they are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can start the Securent EMS directly by using the startsecurentgui.bat file from the .../Securent-v3.1/bin folder.

♦ External Tomcat:

- Edit the Tomcat_home/bin/catalina.bat file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>

- Copy pdp.war file from the dist folder to the application folder and deploy these files.

- Start the server using startsecurentgui.bat file from .../Securent-v3.1/bin folder.

♦ WebLogic:

If you are using the BEA WebLogic Server:

- Edit startWLS.bat file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.

For example, -DSECURENT_HOME=D:/securent-v31

- Copy pdp.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.

- Open the WebLogic console in your web browser and deploy the pdp.war file (refer to How to deploy war files in WebLogic Server).

- Start the server by running startWLS.bat.

Note: If you are using WebLogic v 9.2, open the config.xml file from the $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.

(See Appendix 1 for a sample config.xml file with the added parameter.)

♦ WebSphere 6.1:

If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.bat file and follow these deployment instructions:

- Log in to the WebSphere Administrative Console.

- Expand Servers in the navigation and click Application Servers.

- Click the name of the server link, for example Server1.

- Go to the Configuration tab, select Java and Process Management from the Server Infrastructure section, and select Process Definition.

- In the Process Definition page, select Java Virtual Machine from Additional Properties.

- In the Java Virtual Machine page, select Custom Properties from Additional Properties.

- In Custom Properties, click the New button.

- In the Configuration tab, specify the name, value and description. For example:

Name: SECURENT_HOME

Value: D:/Securent-v31

Description: Not mandatory

- Restart the WebSphere server.

- Deploy the pdp.war file (refer to How to deploy war files in WebSphere server).

♦ ServletExec 5.0:

If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:

Note: Make sure the Default Web Site is running under IIS where ServletExec is installed.

- Log in to the ServletExec Administrative Console.

- Click the options link under Virtual Machine in the left navigation.

- In the Java Virtual Machine Options page, enter the following value in the blank text field: -DSECURENT_HOME=(Securent installation folder name)

For example: -DSECURENT_HOME=D:\Securent-v31

- Click Submit.

- Restart the IIS Admin service from Control Panel > Administrative Tools > Services on your machine.

- Open the ServletExec Administrative Console in a new browser window.

- Deploy the pdp.war file (refer to How to deploy war files in ServletExec server).

This process installs PDP on your system.

If the server throws any exception at this stage, see the “Troubleshooting the Securent Installation” section.

8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.

9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.

For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
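The step 2 rules for configure.properties in the procedure above (absolute paths written with '/', Oracle_Version when Oracle is selected, the PDP and XACML database settings, and the JMS properties when SHARED_REPOSITORY is false) can be checked before running the configure script. The following Python check is an added example, not part of the Securent distribution; the base64 heuristic for encrypted passwords and the choice of which keys to treat as mandatory are assumptions drawn from the samples in this guide.

```python
import base64
import binascii
import re

# Key names are the ones the guide lists; the groupings are this example's own.
PATH_KEYS = ("USER_INSTALL_DIR", "JAVA_HOME")
DB_PREFIXES = ("SECURENT.PDPDB", "SECURENT.XACMLDB")
PASSWORD_KEYS = ("SECURENT.PDPDB_PWD", "SECURENT.XACMLDB_PWD",
                 "SECURENT.JMSPASSWORD", "SECURENT.JNDIPASSWORD")
JMS_KEYS = ("SECURENT.JMSURL", "SECURENT.JMSCONNECTIONFACTORY",
            "SECURENT.JMSUSERNAME", "SECURENT.JMSPASSWORD",
            "SECURENT.JMSRECONNECTINTERVAL", "SECURENT.JMSPROVIDERCTXFACTORY")
# Sample ciphertexts printed in the guide; a live file should not reuse them.
GUIDE_SAMPLES = {"uKoPsYGLxkY=", "sZ/jQxr8QQNEq6iEZjvEnQ==",
                 "dQh1QLrLMfnDulySruPVDpfLSgm3Mw=="}


def parse_properties(text):
    """Parse KEY=VALUE lines, skipping blanks and '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def is_absolute(path):
    """Absolute in the guide's sense: '/...' or a drive path such as 'C:/...'."""
    return path.startswith("/") or re.match(r"[A-Za-z]:/", path) is not None


def looks_encrypted(value):
    """Heuristic (assumption): encrypted values are padded base64 of >= 8 bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 8


def lint(text):
    """Return a list of findings for the body of a configure.properties file."""
    p = parse_properties(text)
    findings = []
    for key in PATH_KEYS:
        value = p.get(key, "")
        if "\\" in value:
            findings.append(f"{key}: use '/' instead of '\\'")
        elif not is_absolute(value):
            findings.append(f"{key}: missing or relative path")
    db = p.get("Securent.DB_Selection", "").lower()
    if db not in ("oracle", "mssql"):
        findings.append("Securent.DB_Selection: expected Oracle or mssql")
    elif db == "oracle" and not p.get("Oracle_Version"):
        findings.append("Oracle_Version: required when Oracle is selected")
    for prefix in DB_PREFIXES:
        for suffix in ("_URL", "_USR", "_PWD"):
            if not p.get(prefix + suffix):
                findings.append(f"{prefix}{suffix}: missing")
    if p.get("SHARED_REPOSITORY", "").lower() == "false":
        for key in JMS_KEYS:
            if not p.get(key):
                findings.append(f"{key}: required when SHARED_REPOSITORY=false")
    for key in PASSWORD_KEYS:
        value = p.get(key)
        if not value:
            continue
        if value in GUIDE_SAMPLES:
            findings.append(f"{key}: sample value copied from the guide")
        elif not looks_encrypted(value):
            findings.append(f"{key}: does not look like an encrypted value")
    return findings


# Constructed sample with deliberate mistakes; hosts and names are placeholders.
SAMPLE = r"""
USER_INSTALL_DIR=C:\Securent-v3.1
JAVA_HOME=jdk1.5
DOMAIN_NAME=Securent Domain
Securent.DB_Selection= Oracle
SECURENT.PDPDB_URL=jdbc:oracle:thin:@db.example.test:1521:pdpdb
SECURENT.PDPDB_USR=pdp_user
SECURENT.PDPDB_PWD=Summer2007!
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@db.example.test:1521:pdpdb
SECURENT.XACMLDB_USR=pdp_user
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
SHARED_REPOSITORY=false
SECURENT.JMSURL= tcp://jms.example.test:61616
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

The base64 test only catches values that are obviously not tool output; a plaintext password that happens to be valid base64 passes it, so it complements a review of the file rather than replacing one.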

Installing Securent PDP on Linux

To install Securent V3.1 PDP on a Linux machine:

1. Follow steps 1 through 3 in the common installation steps section.

2. Edit configure.properties file and update the following parameters:

♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.

♦ Specify the path to User_install_directory.

Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:

USER_INSTALL_DIR=C:/Securent-v3.1

♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.

♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.

♦ Update the Securent.DB_Selection= parameter by specifying the database name.

- For Oracle, specify Securent.DB_Selection= Oracle

- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i

- For MS SQL Server 2000, specify Securent.DB_Selection= mssql

♦ Update the following database variable settings for PDP:

─ SECURENT.PDPDB_URL = with the corresponding database URL

─ SECURENT.PDPDB_USR = with the corresponding username

─ SECURENT.PDPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

Note: If you are using the Oracle Thick Driver, set the following:

ORACLE_HOME - /usr/oracle/oracle/product/10.2.0/db_1

LD_LIBRARY_PATH - $ORACLE_HOME\lib

Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for XACML log:

─ SECURENT.XACMLDB_URL = with the corresponding database URL

─ SECURENT.XACMLDB_USR = with the corresponding username

─ SECURENT.XACMLDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise skip it.

Update the following properties to enable JMS for PAP-PDP database separation:

─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true. Provide the JMS server information by setting the following properties:

• SECURENT.JMSURL = JMS Server URL

• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class

• SECURENT.JMSUSERNAME = JMS User Name

• SECURENT.JMSPASSWORD = JMS User Password

• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds

• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class

Example:

SECURENT.JMSURL= tcp://131.107.0.68:61616

SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory

SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER

SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

SECURENT.JMSRECONNECTINTERVAL= 100000

SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory

─ Update the JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may optionally provide the following authentication details for the JNDI connection:

• SECURENT.JNDIUSERNAME = JNDI User Name

• SECURENT.JNDIPASSWORD = JNDI User Password

Example:

SECURENT.JNDIUSERNAME= jndiUserName

SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

─ Update REPLY_TOPIC= tag with the reply topic name.

3. Set JAVA_HOME from the command prompt.

4. Run configure.sh file.

5. Run createtables.sh file. Do not run this script while upgrading; see Note 1 below for upgrade details.

Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.

For example, if you are currently using Securent EMS V 3.0, instead of running createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.

The following migration scripts are available for Securent EMS v3.1:

DB-Type    Migration Type         Migration Scripts
Oracle     v 1.4.3 to v 3.1GA     Migartionv1.4.3-3.1GA.SQL
Oracle     v 1.5 to v 3.1GA       Migartionv1.5-3.1 GA.SQL
Oracle     v 3.0 to v 3.1         Migartionv3.0-3.1 GA.SQL
Oracle     v 3.0.1 to v 3.1 GA    Migartionv3.0.1-3.1GA.SQL
Oracle     v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
MSSQL      v 1.5 to v 3.1GA       Migartionv1.5-3.1GA.SQL
MSSQL      v 3.0 to v 3.1GA       Migartionv3.0-3.1GA.SQL
MSSQL      v 3.0.1 to v 3.1GA     Migartionv3.0.1-3.1GA.SQL
MSSQL      v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL

(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)

6. Execute the database procedures in the following way:

- To execute the procedure in Oracle 9i, open the Oracle client and run the pdp.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pdp_config.xml file to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in Oracle 10g, open the Oracle client and run the pdp_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pdp_config.xml file to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in MS SQL Server, open the MS SQL client and run the pdp.sql file from the /Securent-v3.1/db/scripts/mssql folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:

♦ Prepackaged Tomcat:

If you are using a prepackaged Tomcat application server, the WAR files are deployed during the installation steps above: they are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can start the Securent EMS directly by using the startsecurentgui.sh file from the .../Securent-v3.1/bin folder.

♦ External Tomcat:

- Edit the Tomcat_home/bin/catalina.sh file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>

- Copy pdp.war file from the dist folder to the application folder and deploy these files.

- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.

♦ WebLogic:

If you are using the BEA WebLogic Server:

- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.

For example, -DSECURENT_HOME=D:/securent-v31

- Copy pdp.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.

- Open the WebLogic console in your web browser and deploy the pdp.war file (refer to How to deploy war files in WebLogic Server).

- Start the server by running startWLS.sh.

Note: If you are using WebLogic v 9.2, open the config.xml file from the $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.

(See Appendix 1 for a sample config.xml file with the added parameter.)

♦ WebSphere 6.1:

If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:

- Log in to the WebSphere Administrative Console.

- Expand Servers in the navigation and click Application Servers.

- Click the name of the server link, for example Server1.

- Go to the Configuration tab, select Java and Process Management from the Server Infrastructure section, and select Process Definition.

- In the Process Definition page, select Java Virtual Machine from Additional Properties.

- In the Java Virtual Machine page, select Custom Properties from Additional Properties.

- In Custom Properties, click the New button.

- In the Configuration tab, specify the name, value and description. For example:

Name: SECURENT_HOME

Value: D:/Securent-v31

Description: Not mandatory

- Restart the WebSphere server.

- Deploy the pdp.war file (refer to How to deploy war files in WebSphere server).

♦ ServletExec 5.0:

If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:

Note: Make sure the Default Web Site is running under IIS where ServletExec is installed.

- Log in to the ServletExec Administrative Console.

- Click the options link under Virtual Machine in the left navigation.

- In the Java Virtual Machine Options page, enter the following value in the blank text field: -DSECURENT_HOME=(Securent installation folder name)

For example: -DSECURENT_HOME=D:\Securent-v31

- Click Submit.

- Restart the IIS Admin service from Control Panel > Administrative Tools > Services on your machine.

- Open the ServletExec Administrative Console in a new browser window.

- Deploy the pdp.war file (refer to How to deploy war files in ServletExec server).

This process installs PDP on your system.

If the server throws any exception at this stage, see the “Troubleshooting the Securent Installation” section.

8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.

9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.

For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.

Installing Securent PDP on Solaris

To install Securent V3.1 PDP on a Solaris machine:

1. Follow steps 1 through 3 in the common installation steps section.

2. Edit configure.properties file and update the following parameters:

♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.

♦ Specify the path to User_install_directory.

Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:

USER_INSTALL_DIR=C:/Securent-v3.1

♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.

♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.

♦ Update the Securent.DB_Selection= parameter by specifying the database name.

- For Oracle, specify Securent.DB_Selection= Oracle

- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i

- For MS SQL Server 2000, specify Securent.DB_Selection= mssql

♦ Update the following database variable settings for PDP:

─ SECURENT.PDPDB_URL = with the corresponding database URL

─ SECURENT.PDPDB_USR = with the corresponding username

─ SECURENT.PDPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

Note: If you are using the Oracle Thick Driver, set the following:

ORACLE_HOME - /usr/oracle/oracle/product/10.2.0/db_1

LD_LIBRARY_PATH - $ORACLE_HOME\lib

Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.PDPDB_USR=username

SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ Update the following database variable settings for XACML log:

─ SECURENT.XACMLDB_URL = with the corresponding database URL

─ SECURENT.XACMLDB_USR = with the corresponding username

─ SECURENT.XACMLDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.

For example, if you are using Oracle, the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=uKoPsYGLxkY=

If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:

SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor

SECURENT.XACMLDB_USR=username

SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==

♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise skip it.

Update the following properties to enable JMS for PAP-PDP database separation:

─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true. Provide the JMS server information by setting the following properties:

• SECURENT.JMSURL = JMS Server URL

• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class

• SECURENT.JMSUSERNAME = JMS User Name

• SECURENT.JMSPASSWORD = JMS User Password

• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds

• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class

Example:

SECURENT.JMSURL= tcp://131.107.0.68:61616

SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory

SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER

SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

SECURENT.JMSRECONNECTINTERVAL= 100000

SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory

─ Update the JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may optionally provide the following authentication details for the JNDI connection:

• SECURENT.JNDIUSERNAME = JNDI User Name

• SECURENT.JNDIPASSWORD = JNDI User Password

Example:

SECURENT.JNDIUSERNAME= jndiUserName

SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==

─ Update REPLY_TOPIC= tag with the reply topic name.

3. Set JAVA_HOME from the command prompt.

4. Run configure.sh file.

5. Run createtables.sh file. Do not run this script while upgrading; see Note 1 below for upgrade details.

Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from the …/Securent-v3.1/migrate folder.

For example, if you are currently using Securent EMS V 3.0, instead of running createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.

The following migration scripts are available for Securent EMS v3.1:

DB-Type    Migration Type         Migration Scripts
Oracle     v 1.4.3 to v 3.1GA     Migartionv1.4.3-3.1GA.SQL
Oracle     v 1.5 to v 3.1GA       Migartionv1.5-3.1 GA.SQL
Oracle     v 3.0 to v 3.1         Migartionv3.0-3.1 GA.SQL
Oracle     v 3.0.1 to v 3.1 GA    Migartionv3.0.1-3.1GA.SQL
Oracle     v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
MSSQL      v 1.5 to v 3.1GA       Migartionv1.5-3.1GA.SQL
MSSQL      v 3.0 to v 3.1GA       Migartionv3.0-3.1GA.SQL
MSSQL      v 3.0.1 to v 3.1GA     Migartionv3.0.1-3.1GA.SQL
MSSQL      v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL

(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)

6. Execute the database procedures in the following way:

- To execute the procedure in Oracle 9i, open the Oracle client and run the pdp.sql file from the /Securent-v3.1/db/scripts/oracle folder.


If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files you must update the pap_config.xml and pdp_config files to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in Oracle 10g, open the Oracle client and run the pdp_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.

If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files you must update the pdp_config.xml file to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

- To execute the procedure in MS SQL Server, open the MS SQL client and run pdp.sql file from the /Securent-v3.1/db/scripts/mssql folder.

If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.

7. Deploy the PDP WAR files by starting the application server using one of the following methods:

♦ Prepackaged Tomcat:

If you are using a prepackaged Tomcat application server, the WAR files are deployed during the installation steps above. They are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can directly start the Securent EMS by using the startsecurentgui.sh file from the .../Securent-v3.1/bin folder.

♦ External Tomcat:

- Edit the Tomcat_home/bin/catalina.sh file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>

- Copy pdp.war file from the dist folder to the application folder and deploy these files.

- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.

♦ WebLogic:

If you are using the BEA WebLogic Server:

- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.

For example, -DSECURENT_HOME=D:/securent-v31

- Copy pdp.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.

- Open the WebLogic console in your web browser and deploy pdp.war file. (Refer How to deploy war files in WebLogic Server)

- Start the server by running startWLS.sh

Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.


(See Appendix1 for a sample config.xml file with the added parameter.)

♦ WebSphere 6.1:

If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:

- Login to Websphere Administrative Console

- Expand Servers from the navigation and click on Application Servers

- Click on the name of the server link. Ex: Server1

- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition

- In Process Definition page Select Java Virtual Machine from Additional Properties.

- In the Java Virtual Machine Select Custom Properties from Additional Properties

- In the Custom Properties page, click the New button

- In the Configuration tab specify the name, value and description

Ex: Name: SECURENT_HOME

Value: D:/Securent-v31

Description: Not mandatory

- Restart the WebSphere server

- Deploy pdp.war file (Refer How to deploy war files in WebSphere server)

♦ ServletExec 5.0:

If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:

Note: Make sure the Default Web Site is running under IIS where ServletExec is installed

- Login to ServletExec Administrative Console

- Click options link under Virtual Machine in the left NAV

- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)

For example: -DSECURENT_HOME=D:\Securent-v31

- Click Submit

- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine

- Open ServletExec Administrative Console in the new browser window

- Deploy pdp.war file (Refer How to deploy war files in ServletExec server)

This process installs PDP on your system.

If the server throws any exception at this stage, see the “Troubleshooting the Securent Installation” section.

8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.


9. Licensing Info: Under the licensing agreement, you may use the Securent Application for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.

For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.


JMS Configuration for PAP PDP Database Separation

PAP-PDP Database Separation

Securent’s PAP and PDP components can be deployed in either the Shared Mode or the Non-Shared Mode. In the Shared Mode of deployment, both PAP and PDP components interact with each other by using a common database instance. If the database instance is down, neither component can function. In the Non-Shared Mode of deployment, PAP and PDP components access separate database instances. They still interact with each other using Java Messaging System (JMS) and are thus loosely coupled. This mechanism removes the dependence of both components on a common database instance. The following diagram shows the Non-Shared Mode of operation between PAP and PDP components.

The Non-Shared Model works as follows:

1. PAP uses a database instance, for example: PAP-DB.

2. PDP uses a different database instance, for example: PDP-DB.

3. Whenever an event is initiated in PAP, it publishes the information to the Topics within the JMS Server.

4. PDP components subscribe for these Topics.

5. PDPs receive the Topics information from the JMS Server and store it in the PDP-DB.


Note: If the PAP component fails to store an event’s information in the PAP-DB, it does not publish that information as a Topic to the JMS Server. Thus, the database operation and the publishing operation together behave as a single transaction; that is, either both operations succeed or neither does.

Securent supports configuring JMS for servers like ActiveMQ, Tibco and WebLogic JMS. The Securent installer comes with a prepackaged ActiveMQ environment. Thus the configuration section is divided into two sections:

- JMS Configuration for ActiveMQ Server
- JMS Configuration for other Servers

JMS Configuration for ActiveMQ Server

1. Start JMS Server by running activemq.bat from the folder ../incubator-activemq-4.0.2/bin.

2. Open pap_config.xml from the folder: .../SECURENT_HOME/Config and make the following modification:

♦ Update <jms> tag as given below:

<jms>
  <env>
    <url>tcp://131.107.0.68:61616</url>
    <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
    <username>ActiveMQConnection.DEFAULT_USER</username>
    <password>ActiveMQConnection.DEFAULT_PASSWORD</password>
    <replyTopic>replyTopicName</replyTopic>
  </env>
  <reconnect_interval>100000</reconnect_interval>
  <useJndi>false</useJndi>
  <jndi>
    <providerUrl>tcp://131.107.0.68:61616</providerUrl>
    <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
    <jndiUserName></jndiUserName>
    <jndiPassword></jndiPassword>
  </jndi>
</jms>

<url> - Set this to the URL and port of the host machine where the JMS Server is running.

<username> - Set this to the JMS username.

<password> - Set this to the encrypted password.

<replyTopic> - Set this to the name of the topic which reports to the PAP whether any of the PDPs is down.

<reconnect_interval> - Set this to the time interval (in milliseconds) after which the PAP and PDP will try to re-establish the JMS connection, in case the JMS Server is down.

<useJndi> - Set this tag to false if you are using ActiveMQ.

♦ Set the <shared-repository> tag to false. This will set the ground for PAP-PDP database separation

♦ In the <handlers> tag, edit the <handlerName> as given below:


<handlers>
  <common-properties>
    <sessionuser>superuser</sessionuser>
    <sessionpassword>admin</sessionpassword>
  </common-properties>
  <handler name="JMSSYNCHandler" enabled="true" type="*.*" application="Prime group:Prime portal">
    <impl>net.securent.jms.PAPHandler</impl>
  </handler>
</handlers>

3. Save and close the pap_config file after the modifications are done.

4. Start the PAP server.

5. Open Securent Administration Console in your browser.

6. Go to Home > Administer Entitlement > Administer > Entitlement Server and register an Entitlement Server (PDP).

7. Open pdp_config.xml from ../SECURENT_HOME/Config/pdp folder and make the following modification:

♦ Set the <shared-repository> tag to false.

♦ Update the <pdpserver> tag with the name of the entitlement server registered in step 6 above.

♦ In the <jms> tag, set the JMS URL host and port to the machine IP where the JMS Server is running.

8. Restart the PAP server and the PDP server.

9. In the PAP console, go to Home > Administer Entitlement > Administer > Application and update an existing application by associating it with the PDP created in Step 6 above.

This completes the JMS configuration process in ActiveMQ server.

JMS Configuration for Servers other than ActiveMQ

If you are using your own JMS server other than ActiveMQ (e.g. Tibco or WebLogic JMS), you must connect this to Securent server with the help of JNDI by setting the <useJndi> parameter to true. All the configuration steps will be same as mentioned above except updating the <jms> tag in step 2. Update the JMS tag of pap_config.xml from the config folder and make the following modification:

Sample <jms> tag of pap_config.xml

<jms>
  <env>
    <url>tcp://131.107.0.68:61616</url>
    <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
    <username>ActiveMQConnection.DEFAULT_USER</username>
    <password>ActiveMQConnection.DEFAULT_PASSWORD</password>
    <replyTopic>replyTopicName</replyTopic>
  </env>
  <reconnect_interval>100000</reconnect_interval>
  <useJndi>true</useJndi>


  <jndi>
    <jndiProviderUrl>tcp://131.107.0.68:61616</jndiProviderUrl>
    <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
    <jndiUserName></jndiUserName>
    <jndiPassword></jndiPassword>
  </jndi>
</jms>

− <reconnect_interval> - Set this to the time interval (in milliseconds) after which the PAP and PDP will try to re-establish the JMS connection, in case the JMS Server is down.

− <replyTopic> - If you are using your own JMS server other than ActiveMQ and want to read the JMS properties through JNDI, then set it to true. This will invalidate the previous JMS properties updated in the <env> tag except the value for <connectionFactory> tag.

− <useJndi> - Set this tag to true.

− In the <jndi> tag, update the <jndiProviderUrl> and <providerCtxFactory> parameters with your own URL and Context Factory respectively. Also mention the JNDI username and password if any.

Save the config file after the modifications are done.
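As an added example (not part of the Securent guide or product), the following Python script audits a pap_config.xml for the settings covered in the two JMS configuration procedures above: sample broker credentials left in place, a <password> that is not encrypted, a tcp:// broker URL, <useJndi> enabled without a provider, and the default superuser/admin login in <handlers>. The finding names, the sample documents and the Base64 test for encrypted values are assumptions made for this example; the guide does not say whether the product accepts a broker URL other than tcp://.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Values the guide's samples ship with; finding them in a live config means
# the sample was deployed unchanged.
SAMPLE_JMS_CREDS = {"ActiveMQConnection.DEFAULT_USER",
                    "ActiveMQConnection.DEFAULT_PASSWORD"}
DEFAULT_ADMIN = ("superuser", "admin")  # default console login per the guide


def _text(node, path):
    """Stripped text of the first element matching path, or '' if absent."""
    found = node.find(path)
    return (found.text or "").strip() if found is not None else ""


def looks_encrypted(value):
    """Assumption: encryptor.sh output is Base64 of >= 16 bytes, which is
    what the encrypted samples in the guide look like."""
    try:
        return len(base64.b64decode(value, validate=True)) >= 16
    except (binascii.Error, ValueError):
        return False


def audit_pap_config(xml_text):
    """Return a sorted list of finding codes for one pap_config.xml document."""
    root = ET.fromstring(xml_text.strip())
    findings = set()
    url = _text(root, ".//jms/env/url")
    user = _text(root, ".//jms/env/username")
    password = _text(root, ".//jms/env/password")

    # Non-shared mode depends entirely on JMS to carry PAP events to the PDP.
    if _text(root, ".//shared-repository").lower() == "false" and not url:
        findings.add("NONSHARED_WITHOUT_JMS_URL")
    if url.startswith("tcp://"):
        findings.add("JMS_PLAINTEXT_TRANSPORT")
    if {user, password} & SAMPLE_JMS_CREDS:
        findings.add("JMS_SAMPLE_CREDENTIALS")
    elif password and not looks_encrypted(password):
        findings.add("JMS_PASSWORD_NOT_ENCRYPTED")

    if _text(root, ".//jms/useJndi").lower() == "true":
        # The guide spells the provider tag both ways, so accept either.
        provider = (_text(root, ".//jms/jndi/providerUrl")
                    or _text(root, ".//jms/jndi/jndiProviderUrl"))
        if not provider or not _text(root, ".//jms/jndi/providerCtxFactory"):
            findings.add("JNDI_ENABLED_WITHOUT_PROVIDER")

    for props in root.iter("common-properties"):
        login = (_text(props, "sessionuser"), _text(props, "sessionpassword"))
        if login == DEFAULT_ADMIN:
            findings.add("HANDLER_DEFAULT_ADMIN_LOGIN")
    return sorted(findings)


# Constructed sample: the guide's tags and placeholder values, with a
# documentation-range address in place of a real broker.
AS_DOCUMENTED = """<securent>
  <shared-repository>false</shared-repository>
  <jms>
    <env>
      <url>tcp://192.0.2.10:61616</url>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
      <username>ActiveMQConnection.DEFAULT_USER</username>
      <password>ActiveMQConnection.DEFAULT_PASSWORD</password>
      <replyTopic>replyTopicName</replyTopic>
    </env>
    <reconnect_interval>100000</reconnect_interval>
    <useJndi>false</useJndi>
    <jndi>
      <providerUrl></providerUrl>
      <providerCtxFactory></providerCtxFactory>
    </jndi>
  </jms>
  <handlers>
    <common-properties>
      <sessionuser>superuser</sessionuser>
      <sessionpassword>admin</sessionpassword>
    </common-properties>
  </handlers>
</securent>"""

# Constructed variant with every flagged value changed. Whether the product
# accepts an ssl:// broker URL is an assumption; the guide only shows tcp://.
REVIEWED = (AS_DOCUMENTED
            .replace("tcp://", "ssl://")
            .replace("ActiveMQConnection.DEFAULT_USER", "ems-pap")
            .replace("ActiveMQConnection.DEFAULT_PASSWORD", "QUJDREVGR0hJSktMTU5PUA==")
            .replace("<sessionuser>superuser", "<sessionuser>jms-sync")
            .replace("<sessionpassword>admin", "<sessionpassword>constructed-value"))

if __name__ == "__main__":
    for name, doc in (("as documented", AS_DOCUMENTED), ("reviewed", REVIEWED)):
        print(name, audit_pap_config(doc))
```

The same function can be pointed at a real file with audit_pap_config(open(path).read()); an empty list means none of these checks fired, not that the configuration is otherwise sound.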


Verifying the Securent PAP-PDP Installation

To quickly verify whether the PAP and PDP have been installed successfully, use the procedures in this section.

Verifying PAP Installation

1. Open your web browser and type the following URL:

http://host:port/securent

where you need to replace the host name and port number arguments in the URL with the correct values corresponding to where you have deployed the Securent Administration Console. For Administrator login, the default User ID and password are superuser and admin respectively.

If you get the Securent Home screen (as shown below) displaying the Prime group and Prime portal as default application group and application respectively, the PAP is considered to be installed successfully.

Verifying PDP Installation

2. After login, go to Home > Delegated Administration > Entitlement Server. Initially, the list of Entitlement Servers is empty by default.

3. Click Add. The Create Entitlement Server page is displayed.


4. Enter the following details:

- Name of the entitlement server.

- Description of the new entitlement server.

- Check No for In Process Entitlement Server.

- Enter the PDP Server details, for example, host URL and port number.

- Check HTTP as the transport protocol.

- Check Local as Authentication Type.

- Enter the server username and password.

- Click Create.

This creates the required PDP and the List of Entitlement Servers will include the same (as shown).


5. Copy the End Point URL of the newly created PDP, paste it in a new browser instance, and click Go.

If the PDPService screen is displayed (as shown below), the PDP is considered to be installed successfully.

For further information on using the administration console, see the Securent Quick Start Guide or the Securent User Guide.


Updating Securent License

The Securent license is granted on a component basis. If the license expires, you must update the license files of the individual components, e.g. license-pap.xml for PAP and license-pdp.xml for PDP. If the validity period has lapsed, Securent Inc. will provide the updated license files upon request.

To reactivate the license:

1. Replace ../SECURENT_HOME/config/license-pap.xml file and ../SECURENT_HOME/config/pdp/license-pdp.xml file with the updated ones.

2. Restart the server.

This renews the Securent license with the prescribed validity period.


Troubleshooting Securent Installation

This section contains solutions to problems you might encounter while installing Securent-v3.1.

1. While installing Securent, can I use any slashes, that is, forward and backward slash?

No. You must use only the forward slash ‘/’ while defining any folder path during installation, irrespective of the operating system. For example, while running startsecurentgui.sh, if you get the following message:

"The JAVA_HOME environment variable is not defined correctly This environment variable is needed to run this program"

it may be because of the slash type you used while updating properties.

2. While installing PAP and PDP individually, can I give same path for User_Install_Directory in both the cases?

No. If you do so, the existing files will be overwritten with the new files on every new installation. For this purpose, you must specify two different locations for the User_Install_Directory while installing Securent PAP and PDP individually.

3. Can I run the Securent server on the default port even if it is preoccupied with any other application? If not, then what is the procedure for changing the port number?

No. When the default port is busy and you try to run the Securent Server on the same port, you will get the following error message:

“SEVERE: Error initializing endpoint java.net.BindException: Address already in use: JVM_Bind:8080”

In this case, you must change the default port number in the Server.xml file located in the Securent-v3.1/external/Jakarta-tomcat5.0.x/conf folder.

4. Can I run the Migrate file more than once?

No. You cannot run the migration file available in the Securent Installer more than once. If you do, all the existing data will be corrupted.

5. Is it necessary to set JAVA_HOME before starting the installation process?

Yes. You must set JAVA_HOME before starting the Securent installation process.

6. While running encryptor.sh, I get the following message: “.../encryptor.sh: Permission denied” What is the solution?

To get the permission, go to the application bin folder (i.e. Securent-v3.1/bin) and run the following command:

chmod +x encryptor.sh


7. While running configure.sh, I get the following message: “../external/ant/bin/ant: Permission denied” What is the solution?

Step 1: Go to the bin folder (that is, Securent-v3.1/external/ant/bin) and run the following command:

dos2unix ant ant

This replaces the old ant file with a new ant file in the same location.

Step 2: Go to the same bin folder and run the following command:

chmod +x ant

8. What should be done if dataload fails after running createtables.bat or createtables.sh?

For Windows, go to the SECURENT_HOME/bin folder and run the following code in the command prompt:

java -cp SECURENT_HOME/lib/securent-v3.1.jar;SECURENT_HOME/lib/classes12.jar net.securent.util.db.DataLoader SECURENT_HOME

For Linux and Solaris, go to the Securent-v3.1/bin folder and run the following code:

java -cp SECURENT_HOME/lib/securent-v3.1.jar:SECURENT_HOME/lib/classes12.jar net.securent.util.db.DataLoader SECURENT_HOME

where SECURENT_HOME is to be replaced with the absolute path of the unzipped Securent-V3.1 folder. For example, if SECURENT_HOME is opt/Securent-V3.1, then for Windows, run the following piece of code:

java -cp opt/Securent-V3.1/lib/securent-v3.1.jar;opt/Securent-V3.1/lib/classes12.jar net.securent.util.db.DataLoader opt/Securent-V3.1

9. While running startsecurentgui.sh, I get the following message: “../external/jakarta-tomcat-5.0.9/bin/startup.sh: Permission denied” What is the solution?

Step 1: Go to the appropriate folder (that is, ../external/jakarta-tomcat-5.0.9/bin) and run the following command:

chmod +x startup.sh

Step 2: Even after running the same file again, you may get the following error message: “Cannot find ../external/jakarta-tomcat-5.0.9/bin/catalina.sh”

Go to the bin folder and run the following command:

dos2unix catalina.sh catalina.sh

This will change catalina.sh from DOS mode to Unix mode.


Step 3: Again run startsecurentgui.sh. If you get the following message: “The JAVA_HOME environment variable is not defined correctly. This environment variable is needed to run this program.” Change all backward slashes (\) to forward slashes (/).

10. I get the following error during dataload in MS SQL Server 2000 while loading templates: “java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC]The DBMS returned an unspecified error”

How do I overcome this error?

This error happens only when you are trying to do dataload in MS SQL Server 2000 SP4. To overcome this issue, run templateloader-v15.sql in the /Securent-v3.1/db/scripts/mssql folder. It will load all the required templates.

11. While installing Securent using Oracle thick driver, I get the ‘UnsatisfiedLinkError’ during dataload:

Caused by: java.lang.UnsatisfiedLinkError: no ocijdbc8 in java.library.path
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1491)
at java.lang.Runtime.loadLibrary0(Runtime.java:788)
at java.lang.System.loadLibrary(System.java:834)
at oracle.jdbc.oci8.OCIDBAccess.logon(OCIDBAccess.java:228)
at oracle.jdbc.driver.OracleConnection.<init>(OracleConnection.java:246)
at oracle.jdbc.driver.OracleDriver.getConnectionInstance(OracleDriver.java:365)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:260)

How do I overcome this error?

If you are using Oracle thick driver, you may get the above-mentioned error after running createtables.bat(sh) and also during the server startup. Following steps must be taken to overcome this error:

For Windows:

- Set ORACLE_HOME= <to the directory where Oracle is installed>

- Set LD_LIBRARY_PATH=<ORACLE_HOME>/lib

For Linux/Solaris:

- export ORACLE_HOME= <to the directory where Oracle is installed>

- export LD_LIBRARY_PATH=<ORACLE_HOME>/lib


Using Connection Pools

Connection pooling is considered one of the best practices for steadily improving the performance of any application running in a WebLogic or WebSphere server. Securent highly recommends using a connection pool for better performance and an effective EMS.

In Securent, you can create a connection pool for the PAP as well as the PDP. To set up a connection pool for the PAP, first create the connection pool and then update the <properties> tag of the pap_config.xml file. Similarly, on the PDP side, you must update the <properties> tag of the pdp_config.xml file.

The steps to create connection pools in WebLogic and WebSphere servers are given below.

Setting up WebLogic Connection Pool for PAP

The steps to set up a WebLogic connection pool for PAP are given below:

I. Create connection pool in WebLogic

1. Go to the WebLogic console

2. Expand the "Services" tree available on left side pane.

3. In the Services Tree, expand the "JDBC" tree.

4. In the JDBC tree, click "Connection Pools".

5. Click "Configure a new JDBC Connection Pool" and then select Database Type as Oracle from the list and select the appropriate Database Driver from the list.

6. Click on the button "Continue" then you should be able to see "Define connection properties" window.

7. Give values for all the fields and press the button "Continue".

8. Click on the button "Test Driver Configuration".

9. Click on the button "Create and deploy".

10. Click on the name of the connection pool on left side pane, which you have created in the step 7.

11. Click on "Connections" tab.

12. Set appropriate values for all the fields and click on "Show" button to view Advanced options.

13. Make sure that "Supports Local Transaction" is enabled. Click on the button "Apply".

14. Click on the link "Data Sources" which is available under "JDBC" tree on left side pane.

15. Click on the link "Configure a new JDBC Datasource" and give the name and JNDI name for the data source and press the button "Continue".

16. Select Pool Name as the Connection Pool that is created in step 7 and press the button "Continue".

17. Select the servers on which you want to deploy this JDBC Data Source and press the button "Create".


II. Update <properties> tag of pap_config.xml

You must update SECURENT_HOME/config/pap/pap_config.xml (see Appendix2) file in order to make use of the above-created WebLogic Connection Pool. Consider the following connection pool tag of a sample pap_config file:

<!--Config file for PAP-->
<securent>
  <db name="default">
    <impl>net.securent.util.db.WebLogicConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory>
      <context-provider-url>t3://131.107.0.97:9000</context-provider-url>
      <context-username>weblogic</context-username>
      <context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password>
      <datasource-jndi>SampleJNDI</datasource-jndi>
      <poolName>Default Domain</poolName>
    </properties>
  </db>
</securent>

18. Replace the value of the <impl> tag with "net.securent.util.db.WebLogicConnectionPool"

19. Update <properties> tag parameters with the following values:

<context-provider-url> refers to the URL where the WebLogic server is running with the connection pool

<context-username> refers to the username of the domain where the server is running

<context-password> refers to the encrypted password of domain

<datasource-jndi> refers to the JNDI name of the WebLogic connection pool, which is created in the step 15 above

<poolName> refers to the domain name created in Securent PAP

20. Save and close the pap_config file

III. Restart the WebLogic server by running

Setting up WebLogic Connection Pool for PDP

The process of creating the connection pool is the same as described for PAP. The following updates must be made in the <properties> tag of the pdp_config.xml:

Update <properties> tag of pdp_config.xml

You must update SECURENT_HOME/config/pdp/pdp_config.xml (see Appendix 3) file in order to make use of the above-created WebLogic Connection Pool.

<!--sample Config file for PDP-->
<securent>
  <db authEnable="true">


    <impl>net.securent.util.db.WebLogicConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory>
      <context-provider-url>t3://131.107.0.97:9000</context-provider-url>
      <context-username>weblogic</context-username>
      <context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password>
      <datasource-jndi>SampleJNDI</datasource-jndi>
      <poolName>Default Domain</poolName>
    </properties>
  </db>
</securent>

Update <properties> tag parameters with the following values:

<context-provider-url> refers to the URL where the WebLogic server is running with the connection pool

<context-username> refers to the username of the domain where the server is running

<context-password> refers to the encrypted password of domain

<datasource-jndi> refers to the JNDI name of the WebLogic connection pool, which is created in the step 15 above

<poolName> refers to the domain name created in Securent PAP

Setting up WebSphere Connection Pool

The steps to set up a WebSphere connection pool for PAP are given below:

I. Create connection pool in WebSphere

1. Login to the WebSphere console

2. Go to Resources > JDBC > Datasource in the left navigation pane.

3. Click New.

4. Specify the Datasource and JNDI name. It is important to note that the JNDI name mentioned in this field must be similar to the one mentioned in configure.properties file. Click Next.

5. Select Create New JDBC Provider and click Next.

6. Select the Database from the list. The provider will be Oracle JDBC Provider.

7. Select Connection pool datasource from the Implementation Type dropdown.

8. Click Next.

9. Enter the directory path for ojdbc.jar file e.g. …/oracle/ora92/jdbc/lib and click Next.

10. Enter the JDBC URL same as mentioned in the configure.properties file and click Next.

11. Verify the summary and click Finish. This creates the specified datasource.

12. Provide the database credentials (e.g. username and password) in the following ways:

a) Create a username. To do this:


- Go to JDBC > Datasource in the console and click on the newly created datasource.

- In the new screen click Custom properties located top-left. Click New to create a new name value pair.

- Enter the name value pair such as

Name – user

Value – username (i.e. the database username)

- Click OK.

b) Create a password in the similar way.

13. After creating the username and password for the connection pool, click Save to save the settings done.

14. To test whether the connection pool has been created successfully, select the new datasource and click Test Connection. The result will be displayed on the top of the screen.

II. Update <properties> tag of pap_config.xml

You must update the SECURENT_HOME/config/pap/pap_config.xml file (see Appendix 2) to use the WebSphere connection pool created above. Consider the following connection pool tag of a sample pap_config file:

<!--Config file for PAP-->
<securent>
  <db name="default">
    <impl>net.securent.util.db.WebSphereConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <initial-context-factory>com.ibm.websphere.naming.WsnInitialContextFactory</initial-context-factory>
      <context-provider-url>iiop://131.107.0.105:2809</context-provider-url>
      <context-username>securent</context-username>
      <context-password>uYgp9FZIEnREq6iEZjvEnQ==</context-password>
      <datasource-jndi>WSJNDI</datasource-jndi>
      <poolName>Default Domain</poolName>
    </properties>
  </db>
</securent>

15. Replace the value of the <impl> tag with "net.securent.util.db.WebSphereConnectionPool"

16. Update the <properties> tag in the following way:

- Update the <db-type> tag to oracle.

- Update the <initial-context-factory> tag.

- <context-provider-url> refers to the URL where the WebSphere server with the connection pool is running.

- <context-username> refers to the username of the domain where the server is running.

- <context-password> refers to the encrypted password of the domain.


- <datasource-jndi> refers to the JNDI name of the WebSphere connection pool, which was created in step 13 above.

- <poolName> refers to the domain name created in Securent PAP.

17. Save and close the config file
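A pre-restart check for the edited <db> block, added here as an example and not part of the Securent product or this guide: it parses the file, confirms the <impl> value and the tags listed in step 16, and flags a <context-password> that does not look like encryptor output. The function names, the base64 and 8-byte heuristic (taken from the sample values in this guide) and the constructed samples are assumptions.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WS_POOL_IMPL = "net.securent.util.db.WebSphereConnectionPool"
REQUIRED_TAGS = ("db-type", "initial-context-factory", "context-provider-url",
                 "context-username", "context-password", "datasource-jndi",
                 "poolName")


def looks_encrypted(value):
    """Heuristic (assumption): strict base64 that decodes to a non-empty
    multiple of 8 bytes, as the encrypted sample values in this guide do."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 8 == 0


def check_websphere_pool(xml_text, expected_jndi=None):
    """Return findings for the <db name="default"> block; an empty list means OK."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An unclosed <properties> or a missing </db> is reported here.
        return [f"not well-formed XML: {exc}"]
    db = root.find("./db[@name='default']")
    if db is None:
        return ['no <db name="default"> element']
    findings = []
    impl = (db.findtext("impl") or "").strip()
    if impl != WS_POOL_IMPL:
        findings.append(f"<impl> is {impl!r}, expected {WS_POOL_IMPL}")
    props = db.find("properties")
    if props is None:
        return findings + ["<db> has no <properties> element"]
    values = {t: (props.findtext(t) or "").strip() for t in REQUIRED_TAGS}
    findings += [f"<{t}> is missing or empty" for t, v in values.items() if not v]
    if values["db-type"] not in ("", "oracle"):
        findings.append("<db-type> should be oracle")
    url = values["context-provider-url"]
    if url:
        # Assumption from the guide's sample: scheme://host:port
        try:
            parts = urlsplit(url)
            complete = bool(parts.scheme and parts.hostname and parts.port)
        except ValueError:
            complete = False
        if not complete:
            findings.append("<context-provider-url> lacks scheme, host or port")
    # The password value itself is never echoed into a finding.
    if values["context-password"] and not looks_encrypted(values["context-password"]):
        findings.append("<context-password> does not look like encryptor output")
    jndi = values["datasource-jndi"]
    if expected_jndi and jndi and jndi != expected_jndi:
        findings.append(f"<datasource-jndi> is {jndi!r}, expected {expected_jndi!r}")
    return findings


# Constructed samples. GOOD is the guide's sample with its tags closed.
GOOD = """<securent><db name="default">
  <impl>net.securent.util.db.WebSphereConnectionPool</impl>
  <properties>
    <db-type>oracle</db-type>
    <initial-context-factory>com.ibm.websphere.naming.WsnInitialContextFactory</initial-context-factory>
    <context-provider-url>iiop://131.107.0.105:2809</context-provider-url>
    <context-username>securent</context-username>
    <context-password>uYgp9FZIEnREq6iEZjvEnQ==</context-password>
    <datasource-jndi>WSJNDI</datasource-jndi>
    <poolName>Default Domain</poolName>
  </properties></db></securent>"""
# BAD: old <impl> left in place, plaintext-looking password, JNDI name removed.
BAD = (GOOD.replace("WebSphereConnectionPool", "ConnectionPool")
           .replace("uYgp9FZIEnREq6iEZjvEnQ==", "changeme")
           .replace("<datasource-jndi>WSJNDI</datasource-jndi>", ""))
# BROKEN: <properties> is opened a second time instead of being closed.
BROKEN = GOOD.replace("</properties></db>", "<properties>")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD), ("BROKEN", BROKEN)):
        print(name, check_websphere_pool(doc, expected_jndi="WSJNDI"))
```

Pass the JNDI name entered in the WebSphere console as expected_jndi so a mismatch is caught before the server restart.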

III. Restart the WebSphere server


Installing EMS as a Windows Service on Windows 2003

For monitoring purposes, you may want to run the Entitlement Management Server as a Windows service. To do this, use the Tomcat installer to create the Windows service and then configure the service startup.

Step 1: Download Tomcat 5.x (for example, download apache-tomcat-5.5.23.exe from the following URL: http://mirror.olnevhost.net/pub/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.exe).

Step 2: Install Tomcat by following the instructions displayed by the installer.

Step 3: After the installation is done, copy the securent.war and pdp.war files from the <SECURENT_HOME>/dist folder to the <APACHE_HOME>/webapp folder.

Step 4: Click Start > All Programs > Apache Tomcat > Configure Tomcat.

Step 5: Go to the Java tab and add a new line at the bottom (see the highlighted section in the screenshot below).


Step 7: Fire up the Apache Tomcat Service

Step 8: Access the Securent URL


Deployment of war files in application server

Deployment of .war files in WebLogic 8.1

To deploy securent.war:

- Start WebLogic by executing the script startWebLogic.cmd.

- Open the Administrative Console in your browser.

- After successfully logging in, expand the Deployments node, and then select Web Application Module.

- Select Deploy a new Web Application Module...

- Select the link upload your file(s).

- Click Browse to select securent.war file. Once you have selected the file, click the Upload button.

- Select the check box on securent.war and click the Target Module button.

- The Identity Name is the securent Servlet Context. Select Deploy to complete the deployment. A dialog box appears.

- In the dialog, once the Status of the last action says Success you are ready to test your deployment.

To deploy pdp.war:

- Start WebLogic by executing the script startWebLogic.cmd.

- Open the Administrative Console in your browser.

- After successfully logging in, expand the Deployments node, and then select Web Application Module.

- Select Deploy a new Web Application Module...

- Select the link upload your file(s).

- Click Browse to select pdp.war file. Once you have selected the file, click the Upload button.

- Select the check box on pdp.war and click the Target Module button.

- The Identity Name is the pdp Servlet Context. Select Deploy to complete the deployment. A dialog box appears.

- In the dialog, once the Status of the last action says Success you are ready to test your deployment.

Deployment of .ear files in WebSphere 6.1

To deploy SecurentEMS.ear:

- Open the WebSphere console in a new browser window.

- After logging in to the console, go to Home > Application > Install New Applications.

- Select local file system option and click Browse

- Browse SecurentEMS.ear from the SECURENT_HOME/dist folder.

- Click Next in the Select installation options page


- Select SecurentEMS.ear checkbox and click Next button in the Map modules to servers page

- Click Finish in the Summary page

- Click Save to save the changes to the master configuration

- In the Enterprise Applications page, Select securent_ear checkbox and click Start to start the Securent EMS

Deployment of .war files in WebSphere 6.1

To deploy securent.war:

- Open the WebSphere console in a new browser window.

- After logging in to the console, go to Home > Application > Install New Applications.

- Select local file system option and click Browse

- Browse securent.war from the SECURENT_HOME/dist folder.

- Enter /securent in the Context root field and click Next button

- Click Next button in the Select installation options page

- Select securent.war checkbox and click Next button in the Map modules to servers page

- Click Finish in the Summary page

- Click Save to save the changes to the master configuration

- In the Enterprise Applications page, Select securent_war checkbox and click Start to start the Securent EMS

To deploy pdp.war:

- Go to Home > Application > Install New Applications.

- Select Local file system option and click Browse

- Browse pdp.war from the SECURENT_HOME/dist folder.

- Enter /pdp in the Context root field and click Next

- In the Select installation options page, click Next

- Select pdp.war checkbox and click Next in the Map modules to servers page

- Click Finish in the Summary page

- Click Save to save the changes to the master configuration

- In the Enterprise Applications page, Select pdp_war checkbox and click Start to start the PDP

Deployment of .war files in ServletExec 5.0

To deploy securent.war:

- In the Manage Web Applications page, click Add Web Applications

- Enter the following values in the Add a Web Application page

Application Name=securent

URL Context Path=/securent/


Location= SECURENT_HOME\external\apache-tomcat-5.5.17\webapps\securent

- Click Submit

To deploy pdp.war:

- In the Manage Web Applications page, click Add Web Applications

- In the Add a Web Application page, enter the following values

Application Name=pdp

URL Context Path=/pdp/

Location= SECURENT_HOME\external\apache-tomcat-5.5.17\webapps\pdp

- Click Submit


Appendix 1 – Sample config.xml

In this sample config.xml file, which is located in $BEA_HOME/user_projects/domains/DOMAIN_NAME/config, the <security-configuration> tag must be updated by adding the <enforce-valid-basic-auth-credentials> parameter (highlighted section).

<?xml version="1.0" encoding="UTF-8"?>
<domain xsi:schemaLocation="http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd"
        xmlns="http://www.bea.com/ns/weblogic/920/domain"
        xmlns:sec="http://www.bea.com/ns/weblogic/90/security"
        xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>securentdomain</name>
  <domain-version>9.2.0.0</domain-version>
  <security-configuration xmlns:xacml="http://www.bea.com/ns/weblogic/90/security/xacml">
    <name>securentdomain</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"/>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xsi:type="xacml:xacml-role-mapperType"/>
      <sec:authorizer xsi:type="xacml:xacml-authorizerType"/>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"/>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"/>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"/>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>WsHLCKdCW3ZYs9vKlrDC</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{3DES}EJN/p+=</node-manager-password-encrypted>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <listen-address/>
  </server>
  <embedded-ldap>
    <name>securentdomain</name>
    <credential-encrypted>{3DES}v4Osc8ejylefF/khW/Uze8yqiSmpvILaW+pg3wD4aDA=</credential-encrypted>
  </embedded-ldap>
  <configuration-version>9.2.0.0</configuration-version>
  <admin-server-name>AdminServer</admin-server-name>
</domain>


Appendix 2 - Sample pap_config.xml

Important tags to be updated during the installation process are highlighted in the sample code below.

<?xml version="1.0" encoding="UTF-8"?>
<!--Config file for Securent-->
<securent>
  <db name="default">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <username>hbhatt</username>
      <password>uKoPsYGLxkY=</password>
      <url>jdbc:oracle:thin:@131.107.0.20:1521:securent</url>
      <driver>oracle.jdbc.driver.OracleDriver</driver>
      <maxconnections>20</maxconnections>
      <maxconnectiontime>120</maxconnectiontime>
      <idleconnectiontime>300</idleconnectiontime>
      <poolName>Default Domain</poolName>
      <eventenable>
        <value>true</value>
      </eventenable>
    </properties>
  </db>
  <jms>
    <env>
      <url>tcp://131.107.0.68:61616</url>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
      <username>ActiveMQConnection.DEFAULT_USER</username>
      <password>c6p96kuD91p3Gwazl0JnE652dQh1QLrLMfnDulySruPVD3Mw==</password>
      <replyTopic>replyTopicName2</replyTopic>
    </env>
    <reconnect_interval>100000</reconnect_interval>
    <useJndi>false</useJndi>
    <jndi>
      <providerUrl>tcp://131.107.0.68:61616</providerUrl>
      <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
      <jndiUserName></jndiUserName>
      <jndiPassword></jndiPassword>
    </jndi>
  </jms>
  <shared_repository>true</shared_repository>
  <handlers>
    <common-properties>
      <sessionuser>superuser</sessionuser>
      <sessionpassword>admin</sessionpassword>
    </common-properties>
    <handler name="JMSSYNCHandler" enabled="false" type="*.*">
      <impl>net.securent.jms.PAPHandler</impl>
      <properties>
      </properties>
    </handler>
  </handlers>
  <authentication type="db" class="net.securent.util.db.DBAuthenticator">
    <properties refer="false" name="default">
      <!-- If Authentication type is 'sso' then one property is required with name as


           'request' or 'session' with any value.
           In case of sso, the refer and name attributes of the properties tag will not be considered.
           For this the implementation class is 'net.securent.util.db.SSOAuthenticator'.
           Ex.
           <property name="request">sm_user</property>-->
      <!-- If Authentication type is 'db' then the db-type, username, password, url and driver properties are required.
           These properties are not required when refer and name are set to 'true' and 'default'.
           Here is a sample of the properties.
           Here the impl class is net.securent.util.db.DBAuthenticator
           <property name="db-type">oracle</property>
           <property name="username">bprasad</property>
           <property name="password" encrypted="true">xiicLTdcE2g=</property>
           <property name="url">jdbc:oracle:thin:@131.107.0.20:1521:securent</property>
           <property name="driver">oracle.jdbc.driver.OracleDriver</property>-->
      <!-- If Authentication type is 'ldap' the properties below are required, as follows:
           In case of ldap, the refer and name attributes of the properties tag will not be considered.
           If you are using the Sun One Directory Server, specify <ldap-type> as SunOne;
           else if you are using the Novell eDirectory Server, specify <ldap-type> as Novell;
           else if you are using the Active Directory Server, specify <ldap-type> as AD.
           Place encrypted password by running encryptor.sh or encryptor.bat for <password> tag.
           Here the impl class is net.securent.util.db.LocalLDAPAuthenticator
           <property name="ldap-type">AD</property>
           <property name="ldapdn">dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
           <property name="userdn">cn=administrator,cn=users,dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
           <property name="password" encrypted="true">xiicLTdcE2g=</property>
           <property name="url">ldap://131.107.2.204</property>
           <property name="port">389</property>
           <property name="superuser-role">Test</property>
      -->
      <property name="db-type">oracle</property>
      <property name="username">hbhatt</property>
      <property name="password" encrypted="true">uKoPsYGLxkY=</property>
      <property name="url">jdbc:oracle:thin:@131.107.0.20:1521:securent</property>
      <property name="driver">oracle.jdbc.driver.OracleDriver</property>
    </properties>
  </authentication>
  <usermgr>
    <implclass>
      net.securent.kernel.usermanager.db.DBUserMgr
    </implclass>
  </usermgr>
  <!-- Encryption algorithm and implementor to be used by the password Encryption -->
  <encryption>
    <implementors>
      <!-- By Default We support only Crypt -->
      <crypt>
        net.securent.util.auth.encryptor.DefaultCryptEncryptor
      </crypt>
    </implementors>
  </encryption>
  <dao-configuration>config/dao_config.xml</dao-configuration>
  <xacml-log type="db">
    <db refer="true" name="default">
      <properties>
        <db-type>oracle</db-type>
        <username>hbhatt</username>
        <password>uKoPsYGLxkY=</password>


        <url>jdbc:oracle:thin:@131.107.0.20:1521:securent</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
      </properties>
    </db>
  </xacml-log>
</securent>


Appendix 3 - Sample pdp_config.xml

Important tags to be updated during the installation process are highlighted in the sample code below.

<?xml version="1.0" encoding="UTF-8"?>
<!--Config file for PDP-->
<securent>
  <shared_repository>true</shared_repository>
  <pdpname>Entitlement</pdpname>
  <db authEnable="false" name="default">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <username>hbhatt</username>
      <password>uKoPsYGLxkY=</password>
      <url>jdbc:oracle:thin:@131.107.0.20:1521:securent</url>
      <driver>oracle.jdbc.driver.OracleDriver</driver>
      <maxconnections>20</maxconnections>
      <maxconnectiontime>120</maxconnectiontime>
      <idleconnectiontime>300</idleconnectiontime>
      <poolName>Default Domain</poolName>
      <eventenable>
        <value>false</value>
      </eventenable>
      <!--sample Websphere connection pool properties
      <initial-context-factory>com.ibm.websphere.naming.WsnInitialContextFactory</initial-context-factory>
      <context-provider-url> iiop://localhost:2809</context-provider-url>
      <context-username>websphere</context-username>
      <context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password>
      <datasource-jndi>SampleWebsphereJNDIForSecurentDomain</datasource-jndi>
      <poolName>Default Domain</poolName>
      End of websphere connection pool properties-->
      <!--<db-type>oracle</db-type>
      <initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory>
      <context-provider-url>t3://131.107.0.97:7001</context-provider-url>
      <context-username>weblogic</context-username>
      <context-password>weblogic</context-password>
      <datasource-jndi>SampleJNDIFromSecurentDomain</datasource-jndi>
      <poolName>Default Domain</poolName>-->
    </properties>
  </db>
  <jms>
    <env>
      <url>tcp://131.107.0.68:61616</url>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
      <username>ActiveMQConnection.DEFAULT_USER</username>
      <password>c6p96kuD91p3Gwazl0JnE652dQh1QLrySruPVDpfLSgm3Mw==</password>
    </env>
    <reconnect_interval>100000</reconnect_interval>
    <useJndi>false</useJndi>
    <jndi>
      <jndiName>jndiName</jndiName>
      <providerUrl>tcp://131.107.0.68:61616</providerUrl>
      <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
      <jndiUserName></jndiUserName>
      <jndiPassword></jndiPassword>
    </jndi>


  </jms>
  <authentication enable="true" type="db" class="net.securent.util.db.PDPAuthenticator">
    <properties refer="false" name="default">
      <!-- If Authentication type is 'sso' then one property is required with name as 'request' or 'session' with any value.
           In case of sso, the refer and name attributes of the properties tag will not be considered.
           For this the implementation class is 'net.securent.util.db.SSOAuthenticator'.
           ex.
           <property name="request">sm_user</property>-->
      <!-- If Authentication type is 'db' then the db-type, username, password, url and driver properties are required.
           These properties are not required when refer and name are set to 'true' and 'default'.
           Here is a sample of the properties.
           Here the impl class is net.securent.util.db.DBAuthenticator for PAP and net.securent.util.db.PDPAuthenticator for PDP
           <property name="db-type">oracle</property>
           <property name="username">bprasad</property>
           <property name="password" encrypted="true">xiicLTdcE2g=</property>
           <property name="url">jdbc:oracle:thin:@131.107.0.20:1521:securent</property>
           <property name="driver">oracle.jdbc.driver.OracleDriver</property>-->
      <!-- If Authentication type is 'ldap' the properties below are required, as follows:
           In case of ldap, the refer and name attributes of the properties tag will not be considered.
           If you are using the Sun One Directory Server, specify <ldap-type> as SunOne;
           else if you are using the Novell eDirectory Server, specify <ldap-type> as Novell;
           else if you are using the Active Directory Server, specify <ldap-type> as AD.
           Place encrypted password by running encryptor.sh or encryptor.bat for <password> tag.
           Here the impl class is net.securent.util.db.LocalLDAPAuthenticator
           <property name="ldap-type">AD</property>
           <property name="ldapdn">dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
           <property name="userdn">cn=administrator,cn=users,dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
           <property name="password" encrypted="true">xiicLTdcE2g=</property>
           <property name="url">ldap://131.107.2.204</property>
           <property name="port">389</property>
           <property name="superuser-role">Test</property>
      -->
      <property name="db-type">oracle</property>
      <property name="username">hbhatt</property>
      <property name="password" encrypted="true">uKoPsYGLxkY=</property>
      <property name="url">jdbc:oracle:thin:@131.107.0.20:1521:securent</property>
      <property name="driver">oracle.jdbc.driver.OracleDriver</property>
    </properties>
  </authentication>
  <!-- Encryption algorithm and implementor to be used by the password Encryption -->
  <encryption>
    <implementors>
      <!-- By Default We support only Crypt -->
      <crypt>net.securent.util.auth.encryptor.DefaultCryptEncryptor</crypt>
    </implementors>
  </encryption>
  <xacml-parser>
    <impl>net.securent.util.pep.XacmlGenerator </impl>
  </xacml-parser>
  <dao-configuration>config/pdp/dao_config.xml</dao-configuration>
  <xacml-log>
    <enable logRequestResponse="false">false</enable>
    <log-impl>net.securent.pdp.xacmllog.DBXacmlLogWriter</log-impl>
    <db refer="true" name="default">


      <properties>
        <db-type>oracle</db-type>
        <username>john2</username>
        <password>XBKO7w9gh3vTFr8u41H9JQ==</password>
        <url>jdbc:oracle:thin:@131.107.0.20:1521:securent</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
      </properties>
    </db>
  </xacml-log>
  <pdp attributeEnable="true" cloningCheckEnable="false" sorting="false">
    <listeners>
      <listener>
        <enabled>true</enabled>
        <name>http</name>
        <listenerClass>net.securent.pdp.listener.http.HttpListener</listenerClass>
        <processorClass>net.securent.pdp.listener.http.HttpProcessor</processorClass>
        <parameters/>
      </listener>
      <listener>
        <enabled>false</enabled>
        <name>rmi</name>
        <listenerClass>net.securent.pdp.listener.rmi.RMIListener</listenerClass>
        <processorClass>net.securent.pdp.listener.rmi.RMIProcessor</processorClass>
        <parameters>
          <host>131.107.0.42</host>
          <port>10001</port>
          <jndiName>pdpObj</jndiName>
        </parameters>
      </listener>
    </listeners>
  </pdp>
  <pip>
    <attributesources>
      <!--The type value should be the same as in the PIP configuration-->
      <source>
        <type>database</type>
        <metadataImpl>net.securent.pip.db.DataBasePIPMetaData</metadataImpl>
        <attributeImpl>net.securent.pip.db.DBAttribute</attributeImpl>
        <attributeEvaluator>net.securent.pip.db.DBAttributeEvaluator</attributeEvaluator>
      </source>
      <source>
        <type>ldap</type>
        <metadataImpl>net.securent.pip.ldap.LDAPPIPMetaData</metadataImpl>
        <attributeImpl>net.securent.pip.ldap.LDAPAttribute</attributeImpl>
        <attributeEvaluator>net.securent.pip.ldap.LDAPAttributeEvaluator</attributeEvaluator>
      </source>
      <source>
        <type>Java</type>
        <metadataImpl>net.securent.pip.java.JavaPIPMetaData</metadataImpl>
        <attributeImpl>net.securent.pip.java.JavaAttribute</attributeImpl>
        <attributeEvaluator>net.securent.pip.java.JavaAttributeEvaluator</attributeEvaluator>
      </source>
      <source>
        <type>Webservice</type>
        <metadataImpl>net.securent.pip.webservice.WebservicePIPMetaData</metadataImpl>
        <attributeImpl>net.securent.pip.webservice.WebserviceAttribute</attributeImpl>
        <attributeEvaluator>net.securent.pip.webservice.WebserviceAttributeEvaluator</attributeEvaluator>
      </source>
    </attributesources>
  </pip>
  <!-- cacherefreshtype can be either 'all' or 'onlyupdated' -->
  <cache decisionCacheEnabled="false"
         cacherefreshtype="onlyupdated"
         provider="net.securent.pdp.cache.CacheProvider"


         implementor="net.securent.admin.sdk.cache.impl.JBossCache"
         eventProvider="net.securent.pdp.event.EventProvider">
    <!--Time to live-->
    <type>TTL</type>
    <!--Interval in seconds-->
    <interval>200</interval>
    <!--INVALIDATE for cleaning up previous cache. UPDATE for updating existing resource decisions -->
    <refresh enable="false">update</refresh>
    <!--The prefetch tag can be set to TRUE or FALSE. In case of TRUE all the decisions will be cached during the startup.
        Type must be either user or resource which is used for bulk updation -->
    <prefetch enable="true" type="user" bulkUsersPerRequest="10">
      <prefetchForApis>
        <api>isUserAccessAllowed</api>
      </prefetchForApis>
    </prefetch>
    <applications>
      <application>Prime group:Prime portal</application>
    </applications>
    <!-- PIP Caching true/false -->
    <pip cacheenabled="false">
      <!-- interval for pip evaluation-->
      <cacheInterval>5</cacheInterval>
      <!-- Interval for pip Meta Data updation i.e converting the xml Data to java Objects -->
      <metaDataInterval>1</metaDataInterval>
    </pip>
  </cache>
</securent>