Securent Entitlement Management Solution
v 3.1 GA
Installation & Configuration Guide
September 2007
Part No. 31-INSTALLGUIDE-2
Copyright
Copyright © 2006-2007 Securent, Inc. All Rights Reserved.
Restricted Rights
This software and documentation is subject to and made available only pursuant to the terms of the Securent Inc. License Agreement and may be used or copied only in accordance with the terms of that agreement. It is against the law to copy the software except as specifically allowed in the agreement. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from Securent, Inc. THE SOFTWARE AND DOCUMENTATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND INCLUDING WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. FURTHER, Securent DOES NOT WARRANT, GUARANTEE, OR MAKE ANY REPRESENTATIONS REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR WRITTEN MATERIAL IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY, OR OTHERWISE.
Contents
Securent Overview
Minimum System Requirements
    Minimum Hardware Requirements for Server Machine
    Minimum Software Requirements for Server Machine
    Minimum Database Requirements
Common Installation steps
Installing Securent PAP and PDP on Windows
Installing Securent PAP and PDP on Linux
Installing Securent PAP and PDP on Solaris
Installing Securent PAP on Windows
Installing Securent PAP on Linux
Installing Securent PAP on Solaris
Installing Securent PDP on Windows
Installing Securent PDP on Linux
Installing Securent PDP on Solaris
JMS Configuration for PAP PDP Database Separation
    JMS Configuration for ActiveMQ Server
    JMS Configuration for Servers other than ActiveMQ
Verifying the Securent PAP-PDP Installation
Updating Securent License
Troubleshooting Securent Installation
Using Connection Pools
    Setting up WebLogic Connection Pool for PAP
    Setting up WebLogic Connection Pool for PDP
    Setting up WebSphere Connection Pool
Installing EMS as a Windows Service on Windows 2003
Deployment of war files in application server
Appendix 1 - Sample config.xml
Appendix 2 - Sample pap-config.xml
Appendix 3 - Sample pdp-config.xml
Proprietary and Confidential iii
Installation and Configuration Guide
Introduction
This document provides a step-by-step procedure for installing and configuring Securent Entitlement Management Solution v 3.1GA components on Linux, Solaris, and Windows server machines.
Securent Overview
The Securent Entitlement Management Solution (EMS) consists of the following components:
The Policy Decision Point (PDP), also called the Securent Entitlement Engine, evaluates application-specific authorization policies. PDPs connect with existing information repositories, for example, LDAP, AD, and databases.
The Policy Administration Point (PAP), also called the Securent Administration Console, provides central administration, management and monitoring of entitlement policies with delegation and integration with an Entitlement Repository.
The Policy Enforcement Point (PEP), also called the Securent Agent, enforces entitlement policy decisions that are made by the PDP.
Fig 1: Securent deployment diagram
The Securent_installer (the distribution) is used to install the PAP and PDP only. The third component, PEP (an agent), is embedded into the application for which the entitlement solution is sought.
How the components are installed is at the user's discretion: the installer lets the user choose whether PAP and PDP are installed together on a single server or separately on individual servers.
Installing Securent Software
Minimum System Requirements
This section lists system requirements for different components of the Securent EMS.
Minimum Hardware Requirements for Server Machine
The following minimum system hardware configuration is necessary to install and deploy Securent PAP and PDP:
500 MHz
1GB RAM
40 GB Hard Disk
CD-ROM Drive (Internal)
10/100 Mbps Network Card
512 MB minimum space
Minimum Software Requirements for Server Machine
The following minimum system software configuration is necessary to install and deploy Securent PAP and PDP:
Component            Requirement
Operating System     Linux or Solaris or Windows 2000/NT/XP with SP1 or above
Software             Java Development Kit 1.4.x. , 3.0
Application Server   Apache Tomcat 5.x; WebLogic Server 8.1/9.2/10.0 SP4; WebSphere 6.1
Minimum Database Requirements
The following minimum database system software configuration is necessary to install and deploy Securent PAP and PDP:
Component                    Requirement
Database Server              Oracle 9i or 10g, MS-SQL Server 2000, MS-SQL Server 2005
Minimum Space Required       2 GB of user table space; 2 GB of temporary table space
Schema / user for Securent   A DB user with the privileges listed below should be created prior to installation.
Oracle DB Privileges
The following Oracle database privileges are required for the Securent DB-Schema:
• CREATE SESSION
• ALTER SESSION
• UNLIMITED TABLESPACE
• CREATE TABLE
• CREATE CLUSTER
• CREATE SYNONYM
• CREATE VIEW
• CREATE SEQUENCE
• CREATE DATABASE LINK
• CREATE PROCEDURE
• CREATE TRIGGER
• CREATE TYPE
• CREATE OPERATOR
• CREATE INDEXTYPE
Common Installation steps
The installation process performs the following activities:
1. Creates the Securent home directory (Securent installation directory) and updates the configuration files.
2. Creates DB objects (tables, functions, etc.) and populates the bootstrap data and a sample application.
3. If the installer has embedded Tomcat, Tomcat is installed.
4. PDP and PAP WAR files are deployed on the embedded Tomcat. These files are also available for deployment on alternate servlet containers.
The following steps are common to all environments for PAP and PDP installation. These steps are also valid for an individual PAP or PDP installation.
1. Unzip the SecurentInstaller_3.1_Windows.zip or SecurentInstaller_3.1_Linux.tar.gz file on your system.
For Solaris / Linux installation:
♦ Extract the tar file by using the following command:
gunzip -v SecurentInstaller_3.1_SunOs.tar.gz
♦ When this command is run, the SecurentInstaller_3.1_SunOs.tar file is created in the specified extraction folder.
♦ Unzip this tar file to extract Securent-3.1 by using the following command:
tar -xvf SecurentInstaller_3.1_SunOs.tar
2. Change directories to the location: Securent-v3.1/bin
3. DB password is configured in encrypted format in configuration files. To get an encrypted password, run the following command:
For Windows: encryptor.bat JAVA_HOME Password
For Solaris/Linux: encryptor.sh JAVA_HOME Password
where JAVA_HOME is replaced with the folder path of your Java home directory and Password is replaced with the chosen DB password. When this command is executed, an encrypted password is displayed. You must copy this encrypted password into the Password parameter of the database properties in the configure.properties file, as explained in the following steps.
Installing Securent PAP and PDP on Windows
To install Securent v 3.1 on a Windows machine:
1. Follow steps 1 through 3 in the common installation steps section.
2. Edit the configure.properties file and update the following parameters:
♦ Relative paths are not supported. Use a forward slash '/' for specifying file locations instead of a backslash '\'.
♦ Specify the path to User_install_directory.
Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:
USER_INSTALL_DIR=C:/Securent-v3.1
♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.
♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.
♦ Update the Securent.DB_Selection= parameter by specifying the database name.
- For Oracle, set Securent.DB_Selection= Oracle
- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set Oracle_Version=9i
- For MS SQL Server 2000, set
Securent.DB_Selection= mssql
♦ Update the following database variable settings for PAP:
─ SECURENT.PAPDB_URL = with the corresponding database URL
─ SECURENT.PAPDB_USR = with the corresponding username
─ SECURENT.PAPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
Note: If you are using the Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib
Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for PDP:
─ SECURENT.PDPDB_URL = with the corresponding database URL
─ SECURENT.PDPDB_USR = with the corresponding username
─ SECURENT.PDPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for XACML log:
─ SECURENT.XACMLDB_URL = with the corresponding database URL
─ SECURENT.XACMLDB_USR = with the corresponding username
─ SECURENT.XACMLDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise skip it.
Update the following properties to enable JMS for PAP-PDP database separation:
─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this tag to true, the <sharedrepository> tag in both files is updated to true.
Provide the JMS server information by setting the following properties.
• SECURENT.JMSURL = JMS Server URL
• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class
• SECURENT.JMSUSERNAME = JMS user name
• SECURENT.JMSPASSWORD = JMS User Password
• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds
• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class
Example:
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
─ Set the JNDI_ENABLE= tag to ‘true’ if you are using JNDI to read JMS configuration properties. You may provide the following authentication details for the JNDI connection (optional).
• SECURENT.JNDIUSERNAME= JNDI User Name
• SECURENT.JNDIPASSWORD= JNDI User Password
Example:
SECURENT.JNDIUSERNAME= jndiUserName
SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
─ Update REPLY_TOPIC= tag with the reply topic name.
3. Set JAVA_HOME from the command prompt.
4. Run configure.bat file. If you are using WebSphere server, then instead of running this file you must run configurews_ear.bat.
5. Run the createtables.bat file. This batch file should not be run while upgrading an existing version to a higher version. See Note 1 for upgrade details.
Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from the …/Securent-v3.1/migrate folder.
For example, if you are currently using Securent EMS V 3.0, instead of running the createtables.bat file, upgrade your Securent application software from version 3.0 to 3.1GA by running the Migration-v3.0-3.1GA.sql file in your corresponding database client.
The following migration scripts are available for Securent EMS v3.1:
DB-Type   Migration Type        Migration Scripts
Oracle    v 1.4.3 to v 3.1GA    Migartionv1.4.3-3.1GA.SQL
Oracle    v 1.5 to v 3.1GA      Migartionv1.5-3.1 GA.SQL
Oracle    v 3.0 to v 3.1        Migartionv3.0-3.1 GA.SQL
Oracle    v 3.0.1 to v 3.1 GA   Migartionv3.0.1-3.1GA.SQL
Oracle    v 3.1EA to v 3.1 GA   Migartionv3.1EA-3.1GA.SQL
MSSQL     v 1.5 to v 3.1GA      Migartionv1.5-3.1GA.SQL
MSSQL     v 3.0 to v 3.1GA      Migartionv3.0-3.1GA.SQL
MSSQL     v 3.0.1 to v 3.1GA    Migartionv3.0.1-3.1GA.SQL
MSSQL     v 3.1EA to v 3.1 GA   Migartionv3.1EA-3.1GA.SQL
After the migration is finished, run templateloader.bat file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.
Note 2: Do not run the templateloader.bat file when the installation is fresh, because createtables.bat is run while installing Securent for the first time. This file must be run only when migration is required.
(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)
6. Execute the database procedures in the following way:
- To execute the procedure in Oracle 9i, open the Oracle client and run the pap.sql and pdp.sql files from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pap_config.xml and pdp_config.xml files to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.
- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql and pdp_wrapped.sql files from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pap_config.xml and pdp_config.xml files to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.
- To execute the procedure in MS SQL Server, open the MS SQL client and run the pap.sql and pdp.sql files from the …/Securent-v3.1/db/scripts/mssql folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.
7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:
♦ Prepackaged Tomcat:
If you are using a prepackaged Tomcat application server, the WAR files are deployed during the installation steps above. The WAR files are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can start the Securent EMS directly by using the startsecurentgui.bat file from the .../Securent-v3.1/bin folder.
♦ External Tomcat:
- Edit the Tomcat_home/bin/catalina.bat file by appending -DSECURENT_HOME=<folder path of Securent-v3.1> to the JAVA_OPTS variable.
- Copy securent.war and PDP.war files from the dist folder to the application folder and deploy these files.
- Start the server using startsecurentgui.bat file from .../Securent-v3.1/bin folder.
♦ WebLogic:
If you are using the BEA WebLogic Server:
- Edit startWLS.bat file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.
For example, -DSECURENT_HOME=D:/securent-v31
- Copy securent.war and pdp.war files from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.
- Open the WebLogic console in your web browser and deploy the securent.war and pdp.war files. (Refer to How to deploy war files in WebLogic Server)
- Start the server by running startWLS.bat
Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.
(See Appendix1 for a sample config.xml file with the added parameter.)
♦ WebSphere 6.1:
If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.bat file and follow these deployment instructions:
- Log in to the WebSphere Administrative Console
- Expand Servers in the navigation and click Application Servers
- Click the name of the server link. Ex: Server1
- Go to the Configuration tab, select Java and Process Management from the Server Infrastructure section, and select Process Definition
- In the Process Definition page, select Java Virtual Machine from Additional Properties
- In Java Virtual Machine, select Custom Properties from Additional Properties
- In Custom Properties, click the New button
- In the Configuration tab specify the name, value and description
Ex: Name: SECURENT_HOME
Value: D:/Securent-v31
Description: Not mandatory
- Restart the WebSphere server
- Deploy the SecurentEMS.ear file (Refer to How to deploy .ear files in WebSphere server)
♦ ServletExec 5.0:
If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:
Note: Make sure the Default Web Site is running under IIS where ServletExec is installed
- Log in to the ServletExec Administrative Console
- Click options link under Virtual Machine in the left NAV
- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)
For ex: -DSECURENT_HOME=D:\Securent-v31
- Click Submit
- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine
- Open ServletExec Administrative Console in the new browser window
- Deploy the securent.war and pdp.war files (Refer to How to deploy war files in ServletExec server)
This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.
If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.
8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.
9. Licensing Info: Under the licensing agreement, the Securent application may be used for a limited validity period. Refer to Updating Securent License if the validity period has lapsed.
For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
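The configure.properties rules from step 2 above (the Linux procedure uses the same keys) can be checked before configure.bat or configure.sh is run. The following Python script is an added example, not part of the Securent distribution; its function names, the sample files, the accepted DB_Selection spellings and the Base64 heuristic for encryptor output are assumptions drawn from the example values in this guide.

```python
import base64
import re

# JDBC URL prefixes taken from the example URLs in this guide.
DB_URL_PREFIX = {"Oracle": "jdbc:oracle:", "mssql": "jdbc:sqlserver:"}
# Properties the guide lists for PAP-PDP database separation.
JMS_KEYS = ("SECURENT.JMSURL", "SECURENT.JMSCONNECTIONFACTORY",
            "SECURENT.JMSUSERNAME", "SECURENT.JMSPASSWORD",
            "SECURENT.JMSRECONNECTINTERVAL", "SECURENT.JMSPROVIDERCTXFACTORY",
            "REPLY_TOPIC")


def parse_properties(text):
    """Parse key=value lines; blank lines and '#'/'!' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)  # the value itself may end in '='
        props[key.strip()] = value.strip()
    return props


def looks_encrypted(value):
    """Heuristic (assumption): encryptor output is Base64 of at least 8 bytes,
    like the samples in this guide. It catches obvious plaintext only; a
    plaintext password that happens to be valid Base64 still passes."""
    try:
        return len(base64.b64decode(value, validate=True)) >= 8
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def lint(props):
    """Return a list of findings; password values are never echoed."""
    findings = []
    def need(key):
        value = props.get(key, "")
        if not value:
            findings.append(f"{key}: missing or empty")
        return value

    for key in ("USER_INSTALL_DIR", "JAVA_HOME"):
        path = need(key)
        if "\\" in path:
            findings.append(f"{key}: use '/' not '\\' in file locations")
        elif path and not re.match(r"(/|[A-Za-z]:/)", path):
            findings.append(f"{key}: relative paths are not supported")

    db = need("Securent.DB_Selection")
    if db and db not in DB_URL_PREFIX:
        findings.append("Securent.DB_Selection: expected Oracle or mssql")
    if db == "Oracle":
        need("Oracle_Version")

    for comp in ("PAP", "PDP", "XACML"):
        url = need(f"SECURENT.{comp}DB_URL")
        need(f"SECURENT.{comp}DB_USR")
        need(f"SECURENT.{comp}DB_PWD")
        if url and db in DB_URL_PREFIX and not url.startswith(DB_URL_PREFIX[db]):
            findings.append(f"SECURENT.{comp}DB_URL: does not match {db}")

    if props.get("SHARED_REPOSITORY", "").lower() == "false":
        for key in JMS_KEYS:
            need(key)
        interval = props.get("SECURENT.JMSRECONNECTINTERVAL", "")
        if interval and not interval.isdigit():
            findings.append("SECURENT.JMSRECONNECTINTERVAL: not milliseconds")
    for key, value in props.items():
        is_secret = key.endswith(("_PWD", "PASSWORD"))
        if is_secret and value and not looks_encrypted(value):
            findings.append(f"{key}: not encryptor output")
    return findings


# Constructed samples; the first reuses example values from this guide.
SAMPLE_OK = """\
USER_INSTALL_DIR=C:/Securent-v3.1
JAVA_HOME=C:/jdk1.4
Securent.DB_Selection= Oracle
Oracle_Version=9i
""" + "".join(
    f"SECURENT.{c}DB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb\n"
    f"SECURENT.{c}DB_USR=username\nSECURENT.{c}DB_PWD=uKoPsYGLxkY=\n"
    for c in ("PAP", "PDP", "XACML"))
SAMPLE_BAD = r"""
USER_INSTALL_DIR=C:\Securent-v3.1
JAVA_HOME=jdk1.4
Securent.DB_Selection=Oracle
SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname
SECURENT.PAPDB_PWD=Welcome1!
SHARED_REPOSITORY=false
SECURENT.JMSRECONNECTINTERVAL=100s
"""

if __name__ == "__main__":
    print("\n".join(lint(parse_properties(SAMPLE_BAD))))
```

To check a real file, pass its contents to parse_properties() and review the list that lint() returns; an empty list means none of these rules were violated.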
Installing Securent PAP and PDP on Linux
Use this procedure to install PAP and PDP to run on a single server. The configure.properties file accommodates the properties and parameters of both PAP and PDP so that both components can be installed in a single pass. At the end of the installation process, a database table is created with the default application group, application, its resources and roles in the PAP.
1. Follow steps 1 through 3 in the common installation steps section.
2. Edit configure.properties file and update the following parameters:
♦ Relative paths are not supported. Use '/' for specifying file locations instead of '\'.
♦ Specify the path to User_install_directory.
Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:
USER_INSTALL_DIR=C:/Securent-v3.1
♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.
♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.
♦ Update the Securent.DB_Selection= parameter by specifying the database name.
- For Oracle, set Securent.DB_Selection= Oracle
- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set Oracle_Version=9i
- For MS SQL Server 2000, set
Securent.DB_Selection= mssql
♦ Update the following database variable settings for PAP:
─ SECURENT.PAPDB_URL = with the corresponding database URL
─ SECURENT.PAPDB_USR = with the corresponding username
─ SECURENT.PAPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
Note: If you are using the Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib
Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for PDP:
─ SECURENT.PDPDB_URL = with the corresponding database URL
─ SECURENT.PDPDB_USR = with the corresponding username
─ SECURENT.PDPDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for XACML log:
─ SECURENT.XACMLDB_URL = with the corresponding database URL
─ SECURENT.XACMLDB_USR = with the corresponding username
─ SECURENT.XACMLDB_PWD = with the encrypted password generated in step 3 of the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ If you wish to use separate databases for PAP and PDP, follow this step; otherwise skip it.
Update the following properties to enable JMS for PAP-PDP database separation:
─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix 2) and pdp_config.xml (see Appendix 3) is dynamically updated with this value. For example, if you set this tag to true, the <sharedrepository> tag in both files is updated to true.
Provide the JMS Server related information by setting the following properties.
• SECURENT.JMSURL = JMS Server URL
• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class
• SECURENT.JMSUSERNAME = JMS User Name
• SECURENT.JMSPASSWORD = JMS User Password
• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds
• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class
Example:
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
─ Set the JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may provide the following authentication details for the JNDI connection (optional).
• SECURENT.JNDIUSERNAME= JNDI User Name
• SECURENT.JNDIPASSWORD= JNDI User Password
Example:
SECURENT.JNDIUSERNAME= jndiUserName
SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
─ Update REPLY_TOPIC= tag with the reply topic name.
3. Set JAVA_HOME from the command prompt.
4. Run configure.sh file. If you are using WebSphere server, then instead of running this file you must run configurews_ear.sh.
5. Run the createtables.sh file. This script should not be run while upgrading; see Note 1 below for upgrade details.
Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from the …/Securent-v3.1/migrate folder.
For example, if you are currently using Securent EMS V 3.0, instead of running the createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.
The following migration scripts are available for Securent EMS v3.1:
DB-Type   Migration Type        Migration Scripts
Oracle    v 1.4.3 to v 3.1GA    Migartionv1.4.3-3.1GA.SQL
Oracle    v 1.5 to v 3.1GA      Migartionv1.5-3.1 GA.SQL
Oracle    v 3.0 to v 3.1        Migartionv3.0-3.1 GA.SQL
Oracle    v 3.0.1 to v 3.1 GA   Migartionv3.0.1-3.1GA.SQL
Oracle    v 3.1EA to v 3.1 GA   Migartionv3.1EA-3.1GA.SQL
MSSQL     v 1.5 to v 3.1GA      Migartionv1.5-3.1GA.SQL
MSSQL     v 3.0 to v 3.1GA      Migartionv3.0-3.1GA.SQL
MSSQL     v 3.0.1 to v 3.1GA    Migartionv3.0.1-3.1GA.SQL
MSSQL     v 3.1EA to v 3.1 GA   Migartionv3.1EA-3.1GA.SQL
After the migration is finished, run templateloader.sh file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.
Note 2: Do not run templateloader.sh file when the installation is fresh, because createtables.sh is run while installing Securent for the first time. This file must be run only when migration is required.
(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting the Securent Installation” section.)
6. Execute the database procedures in the following way:
- To execute the procedure in Oracle 9i, open the Oracle client and run the pap.sql and pdp.sql files from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pap_config.xml and pdp_config.xml files to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.
- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql and pdp_wrapped.sql files from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pap_config.xml and pdp_config.xml files to give effect to PAP-PDP database separation. Refer to JMS Configuration to see how the <jms> tags of these files are updated.
- To execute the procedure in MS SQL Server, open the MS SQL client and run the pap.sql and pdp.sql files from the /Securent-v3.1/db/scripts/mssql folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. Refer to JMS Configuration to see how the <jms> tags of these files are updated.
7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:
♦ Prepackaged Tomcat:
If you are using a prepackaged Tomcat application server, WAR files are deployed during above installation steps. WAR files are copied in the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory. Thus, no separate deployment is required. You can directly start the Securent EMS by using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ External Tomcat:
- Edit the Tomcat_home/bin/catalina.sh file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>
- Copy securent.war and PDP.war files from the dist folder to the application folder and deploy these files.
- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ WebLogic:
If you are using the BEA WebLogic Server:
- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.
For example, -DSECURENT_HOME=D:/securent-v31
- Copy securent.war and pdp.war files from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.
- Open the WebLogic console in your web browser and deploy securent.war and pdp.war files. (Refer How to deploy war files in WebLogic Server)
- Start the server by running startWLS.sh
Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.
(See Appendix1 for a sample config.xml file with the added parameter.)
♦ WebSphere 6.1:
If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:
- Login to Websphere Administrative Console
- Expand Servers from the navigation and click on Application Servers
- Click on the name of the server link. Ex: Server1
- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition
- In Process Definition page Select Java Virtual Machine from Additional Properties.
- In the Java Virtual Machine Select Custom Properties from Additional Properties
- In the Custom Properties page, select the New button
- In the Configuration tab specify the name, value and description
Ex: Name: SECURENT_HOME
Value: D:/Securent-v31
Description: Not mandatory
- Restart the WebSphere server
- Deploy SecurentEMS.ear file (Refer How to deploy .ear files in WebSphere server)
♦ ServletExec 5.0:
If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:
Note: Make sure the Default Web Site is running under IIS where ServletExec is installed
- Login to ServletExec Administrative Console
- Click options link under Virtual Machine in the left NAV
- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)
For ex: -DSECURENT_HOME=D:\Securent-v31
- Click Submit
- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine
- Open ServletExec Administrative Console in the new browser window
- Deploy securent.war and pdp.war files (Refer How to deploy war files in ServletExec server)
This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.
If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.
8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.
9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. See Updating Securent License if the validity period has lapsed.
For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
Installing Securent PAP and PDP on Solaris
Use this procedure to install PAP and PDP to run on a single server. Necessary arrangements are made within the configure.properties file to accommodate properties and parameters of PAP and PDP to install both of these components in a single shot. At the end of the installation process, a database table is created with default application group, application, its resources and roles in the PAP.
To install Securent v 3.1 on a Solaris machine:
1. Follow steps 1 through 3 in the common installation steps section.
2. Edit configure.properties file and update the following parameters:
♦ Relative paths are not supported. Use '/' for specifying the file locations instead of using '\'
♦ Specify the path to User_install_directory.
Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:
USER_INSTALL_DIR=C:/Securent-v3.1
♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.
♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.
♦ Update the Securent.DB_Selection= parameter by specifying the database name.
- For Oracle, mention Securent.DB_Selection= Oracle
- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i
- For MS SQL Server 2000, mention
Securent.DB_Selection= mssql
♦ Update the following database variable settings for PAP:
─ SECURENT.PAPDB_URL = with the corresponding database URL
─ SECURENT.PAPDB_USR = with the corresponding username
─ SECURENT.PAPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
Note: If you are using Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib
Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for PDP:
─ SECURENT.PDPDB_URL = with the corresponding database URL
─ SECURENT.PDPDB_USR = with the corresponding username
─ SECURENT.PDPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for XACML log:
─ SECURENT.XACMLDB_URL = with the corresponding database URL
─ SECURENT.XACMLDB_USR = with the corresponding username
─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ If you wish to use separate database for PAP & PDP, follow this step, else skip this step.
Update the following properties to enable JMS for PAP-PDP database separation:
─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different database (non-shared repository), else set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix2) and pdp_config.xml (see Appendix 3) will be dynamically updated with this value. As a result, if you set this tag to true, then the <sharedrepository> tag in the above mentioned files will be updated to true. Provide the JMS Server related information by setting the following properties.
• SECURENT.JMSURL = JMS Server URL
• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class
• SECURENT.JMSUSERNAME = JMS User Name
• SECURENT.JMSPASSWORD = JMS User Password
• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds
• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class
Example:
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
─ Update JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may provide the following authentication details for JNDI connection (It’s optional).
• SECURENT.JNDIUSERNAME= JNDI User Name
• SECURENT.JNDIPASSWORD= JNDI User Password
Example:
SECURENT.JNDIUSERNAME= jndiUserName
SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
─ Update REPLY_TOPIC= tag with the reply topic name.
3. Set JAVA_HOME from the command prompt.
4. Run configure.sh file. If you are using WebSphere server, then instead of running this file you must run configurews_ear.sh.
5. Run createtables.sh file. Do not run this script while upgrading; see Note 1 below for upgrade details.
Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.
For ex, if you are currently using Securent EMS V 3.0, instead of running createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.
Following migration scripts are available for Securent EMS v3.1:
DB-Type | Migration Type | Migration Scripts
Oracle | v 1.4.3 to v 3.1GA | Migartionv1.4.3-3.1GA.SQL
Oracle | v 1.5 to v 3.1GA | Migartionv1.5-3.1 GA.SQL
Oracle | v 3.0 to v 3.1 | Migartionv3.0-3.1 GA.SQL
Oracle | v 3.0.1 to v 3.1 GA | Migartionv3.0.1-3.1GA.SQL
Oracle | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL
MSSQL | v 1.5 to v 3.1GA | Migartionv1.5-3.1GA.SQL
MSSQL | v 3.0 to v 3.1GA | Migartionv3.0-3.1GA.SQL
MSSQL | v 3.0.1 to v 3.1GA | Migartionv3.0.1-3.1GA.SQL
MSSQL | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL
After the migration is finished, run the templateloader.sh file from the /Securent-v3.1/bin folder to load the latest templates into Securent DB.
Note 2: Do not run the templateloader.sh file when the installation is fresh, because createtables.sh is run while installing Securent for the first time. This file must be run only when migration is required.
(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)
6. Execute the database procedures in the following way:
- To execute the procedure in Oracle 9i, open the Oracle client and run the pap.sql and pdp.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility.sql to enable JMS server. Before running these files you must update pap_config.xml and pdp_config.xml file to give effect to PAP PDP database separation. Refer JMS Configuration to know how the <jms> tags of these files are updated.
- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql and pdp_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility_wrapped.sql to enable JMS server. Before running these files you must update pap_config.xml and pdp_config.xml file to give effect to PAP PDP database separation. Refer JMS Configuration to know how the <jms> tags of these files are updated.
- To execute the procedure in MS SQL Server, open the MS SQL client and run pap.sql and pdp.sql file from the /Securent-v3.1/db/scripts/mssql folder.
If you are not using a shared repository, run dbutility.sql to enable JMS server. Refer JMS Configuration to know how the <jms> tags of these files are updated.
7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:
♦ Prepackaged Tomcat:
If you are using a prepackaged Tomcat application server, WAR files are deployed during above installation steps. WAR files are copied in the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory. Thus, no separate deployment is required. You can directly start the Securent EMS by using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ External Tomcat:
- Edit the Tomcat_home/bin/catalina.sh file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>
- Copy securent.war and PDP.war files from the dist folder to the application folder and deploy these files.
- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ WebLogic:
If you are using the BEA WebLogic Server:
- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.
For example, -DSECURENT_HOME=D:/securent-v31
- Copy securent.war and pdp.war files from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.
- Open the WebLogic console in your web browser and deploy securent.war and pdp.war files. (Refer How to deploy war files in WebLogic Server)
- Start the server by running startWLS.sh
Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.
(See Appendix1 for a sample config.xml file with the added parameter.)
♦ WebSphere 6.1:
If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:
- Login to Websphere Administrative Console
- Expand Servers from the navigation and click on Application Servers
- Click on the name of the server link. Ex: Server1
- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition
- In Process Definition page Select Java Virtual Machine from Additional Properties.
- In the Java Virtual Machine Select Custom Properties from Additional Properties
- In the Custom Properties page, select the New button
- In the Configuration tab specify the name, value and description
Ex: Name: SECURENT_HOME
Value: D:/Securent-v31
Description: Not mandatory
- Restart the WebSphere server
- Deploy SecurentEMS.ear file (Refer How to deploy .ear files in WebSphere server)
♦ ServletExec 5.0:
If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:
Note: Make sure the Default Web Site is running under IIS where ServletExec is installed
- Login to ServletExec Administrative Console
- Click options link under Virtual Machine in the left NAV
- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)
For ex: -DSECURENT_HOME=D:\Securent-v31
- Click Submit
- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine
- Open ServletExec Administrative Console in the new browser window
- Deploy securent.war and pdp.war files (Refer How to deploy war files in ServletExec server)
This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.
If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.
8. Verify whether the PAP and PDP are installed successfully. See the “Verifying Securent PAP-PDP Installation” section.
9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. See Updating Securent License if the validity period has lapsed.
For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
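A pre-flight check for step 2, added here as an example and not part of the Securent distribution: it parses configure.properties and reports violations of the rules listed in that step (absolute paths written with '/', a DB selection that matches the JDBC URLs, the JMS properties when SHARED_REPOSITORY is false) before configure.sh is run. The function names, the sample host and user names, and the base64 test for encrypted passwords are assumptions; the guide shows the encrypted format only through its examples.

```python
import base64
import binascii
import re

# Constructed sample; hosts, paths and user names are placeholders, and the
# password strings are the guide's own example values.
SAMPLE = """\
# configure.properties (constructed)
USER_INSTALL_DIR=/opt/Securent-v3.1
DOMAIN_NAME=Securent Domain
JAVA_HOME=/usr/java/jdk1.5.0
Securent.DB_Selection= Oracle
Oracle_Version=9i
SECURENT.PAPDB_URL=jdbc:oracle:thin:@db.example.internal:1521:papdb
SECURENT.PAPDB_USR=pap_user
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
SECURENT.PDPDB_URL=jdbc:oracle:thin:@db.example.internal:1521:pdpdb
SECURENT.PDPDB_USR=pdp_user
SECURENT.PDPDB_PWD=uKoPsYGLxkY=
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@db.example.internal:1521:logdb
SECURENT.XACMLDB_USR=log_user
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
SHARED_REPOSITORY=false
SECURENT.JMSURL= tcp://jms.example.internal:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= jms_user
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
"""

# JDBC URL prefixes taken from the guide's Oracle and MS SQL Server examples.
JDBC_PREFIX = {"oracle": "jdbc:oracle:", "mssql": "jdbc:sqlserver:"}
JMS_KEYS = ("JMSURL", "JMSCONNECTIONFACTORY", "JMSUSERNAME", "JMSPASSWORD",
            "JMSRECONNECTINTERVAL", "JMSPROVIDERCTXFACTORY")
ABSOLUTE = re.compile(r"^(/|[A-Za-z]:/)")  # Unix root or drive letter with '/'


def parse_properties(text):
    """Split on the first '=' only: encrypted values and JDBC URLs contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def looks_encrypted(value):
    """Heuristic (assumption): the guide's encrypted examples are padded base64.
    Catches most pasted plaintext passwords, not all of them."""
    if not value or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def validate(props, components=("PAP", "PDP", "XACML")):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    def need(key):
        value = props.get(key, "")
        if not value:
            findings.append(f"{key}: missing or empty")
        return value

    for key in ("USER_INSTALL_DIR", "JAVA_HOME"):
        value = need(key)
        if "\\" in value:
            findings.append(f"{key}: use '/' instead of '\\'")
        elif value and not ABSOLUTE.match(value):
            findings.append(f"{key}: relative paths are not supported")

    db = need("Securent.DB_Selection").lower()
    if db and db not in JDBC_PREFIX:
        findings.append("Securent.DB_Selection: expected Oracle or mssql")
    if db == "oracle":
        need("Oracle_Version")

    for comp in components:
        url = need(f"SECURENT.{comp}DB_URL")
        need(f"SECURENT.{comp}DB_USR")
        need(f"SECURENT.{comp}DB_PWD")
        if url and db in JDBC_PREFIX and not url.startswith(JDBC_PREFIX[db]):
            findings.append(f"SECURENT.{comp}DB_URL: does not match DB selection {db}")

    # A missing SHARED_REPOSITORY is treated as a shared repository (assumption).
    if props.get("SHARED_REPOSITORY", "true").lower() == "false":
        for name in JMS_KEYS:
            need(f"SECURENT.{name}")
        interval = props.get("SECURENT.JMSRECONNECTINTERVAL", "")
        if interval and not interval.isdigit():
            findings.append("SECURENT.JMSRECONNECTINTERVAL: not a number of milliseconds")

    for key, value in props.items():
        if key.endswith(("_PWD", "PASSWORD")) and value and not looks_encrypted(value):
            findings.append(f"{key}: does not look like an encrypted value")
    return findings


if __name__ == "__main__":
    for finding in validate(parse_properties(SAMPLE)) or ["no findings"]:
        print(finding)
```

For a PAP-only installation, pass `components=("PAP", "XACML")` so the PDP database properties are not required.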
Installing Securent PAP on Windows
To install Securent V3.1 PAP on a Windows machine:
1. Follow steps 1 through 3 in the common installation steps section.
2. Edit configure.properties file and update the following parameters:
♦ Relative paths are not supported. Use '/' for specifying the file locations instead of using '\'
♦ Specify the path to User_install_directory.
Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:
USER_INSTALL_DIR=C:/Securent-v3.1
♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.
♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.
♦ Update the Securent.DB_Selection= parameter by specifying the database name.
- For Oracle, mention Securent.DB_Selection= Oracle
- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i
- For MS SQL Server 2000, mention
Securent.DB_Selection= mssql
♦ Update the following database variable settings for PAP:
─ SECURENT.PAPDB_URL = with the corresponding database URL
─ SECURENT.PAPDB_USR = with the corresponding username
─ SECURENT.PAPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
Note: If you are using Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib
Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for XACML log:
─ SECURENT.XACMLDB_URL = with the corresponding database URL
─ SECURENT.XACMLDB_USR = with the corresponding username
─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ If you wish to use separate database for PAP & PDP, follow this step, else skip this step.
Update the following properties to enable JMS for PAP-PDP database separation:
─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different database (non-shared repository), else set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix2) and pdp_config.xml (see Appendix 3) will be dynamically updated with this value. As a result, if you set this tag to true, then the <sharedrepository> tag in the above mentioned files will be updated to true. Provide the JMS Server related information by setting the following properties.
• SECURENT.JMSURL = JMS Server URL
• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class
• SECURENT.JMSUSERNAME = JMS User Name
• SECURENT.JMSPASSWORD = JMS User Password
• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds
• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class
Example:
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
─ Update JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may provide the following authentication details for JNDI connection (It’s optional).
• SECURENT.JNDIUSERNAME= JNDI User Name
• SECURENT.JNDIPASSWORD= JNDI User Password
Example:
SECURENT.JNDIUSERNAME= jndiUserName
SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
─ Update REPLY_TOPIC= tag with the reply topic name.
3. Set JAVA_HOME from the command prompt.
4. Run configure.bat file.
5. Run createtables.bat file. This bat should not be run while upgrading, see Note 1 below for upgrade details.
Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.
For example, if you are currently using Securent EMS V 3.0, instead of running createtables.bat file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.
Following migration scripts are available for Securent EMS v3.1:
DB-Type | Migration Type | Migration Scripts
Oracle | v 1.4.3 to v 3.1GA | Migartionv1.4.3-3.1GA.SQL
Oracle | v 1.5 to v 3.1GA | Migartionv1.5-3.1 GA.SQL
Oracle | v 3.0 to v 3.1 | Migartionv3.0-3.1 GA.SQL
Oracle | v 3.0.1 to v 3.1 GA | Migartionv3.0.1-3.1GA.SQL
Oracle | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL
MSSQL | v 1.5 to v 3.1GA | Migartionv1.5-3.1GA.SQL
MSSQL | v 3.0 to v 3.1GA | Migartionv3.0-3.1GA.SQL
MSSQL | v 3.0.1 to v 3.1GA | Migartionv3.0.1-3.1GA.SQL
MSSQL | v 3.1EA to v 3.1 GA | Migartionv3.1EA-3.1GA.SQL
After the migration is finished, run templateloader.bat file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.
Note 2: Do not run templateloader.bat file when the installation is fresh, because createtables.bat is run when installing Securent for the first time. This file must be run only when migration is required.
(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)
6. Execute the database procedures in the following way:
- To execute the procedure in Oracle 9i, open the Oracle client and run the pap.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility.sql to enable JMS server. Before running these files you must update pap_config.xml (see Appendix2) file to give effect to PAP PDP database separation. Refer JMS Configuration to know how the <jms> tags of these files are updated.
- To execute the procedure in Oracle 10g, open the Oracle client and run the pap_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility_wrapped.sql to enable JMS server. Before running these files you must update pap_config.xml file to give effect to PAP PDP database separation. Refer JMS Configuration to know how the <jms> tags of these files are updated.
- To execute the procedure in MS SQL Server, open the MS SQL client and run pap.sql file from the /Securent-v3.1/db/scripts/mssql folder.
If you are not using a shared repository, run dbutility.sql to enable JMS server. Refer JMS Configuration to know how the <jms> tags of these files are updated.
7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:
♦ Prepackaged Tomcat:
If you are using a prepackaged Tomcat application server, WAR files are deployed during above installation steps. WAR files are copied in the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory. Thus, no separate deployment is required. You can directly start the Securent EMS by using startsecurentgui.bat file from .../Securent-v3.1/bin folder.
♦ External Tomcat:
- Edit the Tomcat_home/bin/catalina.bat file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>
- Copy securent.war file from the dist folder to the application folder and deploy these files.
- Start the server using startsecurentgui.bat file from .../Securent-v3.1/bin folder.
♦ WebLogic:
If you are using the BEA WebLogic Server:
- Edit startWLS.bat file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.
For example, -DSECURENT_HOME=D:/securent-v31
- Copy securent.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.
- Open the WebLogic console in your web browser and deploy securent.war file. (Refer How to deploy war files in WebLogic Server)
- Start the server by running startWLS.bat
Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.
(See Appendix1 for a sample config.xml file with the added parameter.)
♦ WebSphere 6.1:
If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.bat file and follow these deployment instructions:
- Login to Websphere Administrative Console
- Expand Servers from the navigation and click on Application Servers
- Click on the name of the server link. Ex: Server1
- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition
- In Process Definition page Select Java Virtual Machine from Additional Properties.
- In the Java Virtual Machine Select Custom Properties from Additional Properties
- In the Custom Properties page, select the New button
- In the Configuration tab specify the name, value and description
Ex: Name: SECURENT_HOME
Value: D:/Securent-v31
Description: Not mandatory
- Restart the WebSphere server
- Deploy securent.war file (Refer How to deploy war files in WebSphere server)
♦ ServletExec 5.0:
If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:
Note: Make sure the Default Web Site is running under IIS where ServletExec is installed
- Login to ServletExec Administrative Console
- Click options link under Virtual Machine in the left NAV
- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)
For ex: -DSECURENT_HOME=D:\Securent-v31
- Click Submit
- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine
- Open ServletExec Administrative Console in the new browser window
- Deploy securent.war file (Refer How to deploy war files in ServletExec server)
This process installs PAP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.
If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.
8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.
9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. See Updating Securent License if the validity period has lapsed.
For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
Installing Securent PAP on Linux
To install Securent V3.1 PAP on a Linux machine:
1. Follow steps 1 through 3 in the common installation steps section.
2. Edit configure.properties file and update the following parameters:
♦ Relative paths are not supported. Use '/' for specifying the file locations instead of using '\'
♦ Specify the path to User_install_directory.
Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:
USER_INSTALL_DIR=C:/Securent-v3.1
♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.
♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.
♦ Update the Securent.DB_Selection= parameter by specifying the database name.
- For Oracle, mention Securent.DB_Selection= Oracle
- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i
- For MS SQL Server 2000, mention
Securent.DB_Selection= mssql
♦ Update the following database variable settings for PAP:
─ SECURENT.PAPDB_URL = with the corresponding database URL
─ SECURENT.PAPDB_USR = with the corresponding username
─ SECURENT.PAPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
Proprietary and Confidential
28
Installation and Configuration Guide
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
Note: If you are using the Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME/lib
Make sure that your PATH variable contains $ORACLE_HOME/lib:$ORACLE_HOME/bin
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for XACML log:
─ SECURENT.XACMLDB_URL = with the corresponding database URL
─ SECURENT.XACMLDB_USR = with the corresponding username
─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ To use separate databases for PAP and PDP, follow this step; otherwise skip it.
Update the following properties to enable JMS for PAP-PDP database separation:
─ Set SHARED_REPOSITORY to false if you want PAP and PDP to use different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix2) and pdp_config.xml (see Appendix 3) is updated dynamically with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true.
Provide the JMS server information by setting the following properties:
• SECURENT.JMSURL = JMS Server URL
• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class
• SECURENT.JMSUSERNAME = JMS User Name
• SECURENT.JMSPASSWORD = JMS User Password
• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds
• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class
Example:
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
─ Set JNDI_ENABLE= to true if you are using JNDI to read the JMS configuration properties. You can optionally provide the following authentication details for the JNDI connection:
• SECURENT.JNDIUSERNAME = JNDI User Name
• SECURENT.JNDIPASSWORD = JNDI User Password
Example:
SECURENT.JNDIUSERNAME= jndiUserName
SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
─ Update REPLY_TOPIC= tag with the reply topic name.
3. Set JAVA_HOME from the command prompt.
4. Run configure.sh file.
5. Run createtables.sh file. This script should not be run while upgrading; see Note 1 below for upgrade details.
Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.
For example, if you are currently using Securent EMS V 3.0, instead of running the createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.
The following migration scripts are available for Securent EMS v3.1:
DB-Type   Migration Type         Migration Scripts
Oracle    v 1.4.3 to v 3.1GA     Migartionv1.4.3-3.1GA.SQL
Oracle    v 1.5 to v 3.1GA       Migartionv1.5-3.1 GA.SQL
Oracle    v 3.0 to v 3.1         Migartionv3.0-3.1 GA.SQL
Oracle    v 3.0.1 to v 3.1 GA    Migartionv3.0.1-3.1GA.SQL
Oracle    v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
MSSQL     v 1.5 to v 3.1GA       Migartionv1.5-3.1GA.SQL
MSSQL     v 3.0 to v 3.1GA       Migartionv3.0-3.1GA.SQL
MSSQL     v 3.0.1 to v 3.1GA     Migartionv3.0.1-3.1GA.SQL
MSSQL     v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
After the migration is finished, run templateloader.sh file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.
Note 2: Do not run templateloader.sh file when the installation is fresh, because createtables.sh is run while installing Securent for the first time. This file must be run only when migration is required.
(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)
6. Execute the database procedures as follows:
- For Oracle 9i, open the Oracle client and run the pap.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pap_config.xml file (see Appendix2) to put the PAP-PDP database separation into effect. See “JMS Configuration” for how the <jms> tags of these files are updated.
- For Oracle 10g, open the Oracle client and run the pap_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pap_config.xml file to put the PAP-PDP database separation into effect. See “JMS Configuration” for how the <jms> tags of these files are updated.
- For MS SQL Server, open the MS SQL client and run the pap.sql file from the /Securent-v3.1/db/scripts/mssql folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. See “JMS Configuration” for how the <jms> tags of these files are updated.
7. Deploy the PAP WAR files by starting the application server using one of the following methods:
♦ Prepackaged Tomcat:
If you are using the prepackaged Tomcat application server, the WAR files are deployed during the installation steps above: they are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can start Securent EMS directly by running the startsecurentgui.sh file from the .../Securent-v3.1/bin folder.
♦ External Tomcat:
- Edit the Tomcat_home/bin/catalina.sh file and append -DSECURENT_HOME=<folder path of Securent-v3.1> to the JAVA_OPTS variable.
- Copy the securent.war file from the dist folder to the application folder and deploy it.
- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ WebLogic:
If you are using the BEA WebLogic Server:
- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.
For example, -DSECURENT_HOME=D:/securent-v31
- Copy securent.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.
- Open the WebLogic console in your web browser and deploy the securent.war file (see “How to deploy war files in WebLogic Server”).
- Start the server by running startWLS.sh
Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.
(See Appendix1 for a sample config.xml file with the added parameter.)
♦ WebSphere 6.1:
If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:
- Log in to the WebSphere Administrative Console
- Expand Servers in the navigation and click Application Servers
- Click the name of the server link. Ex: Server1
- Go to the Configuration tab, select Java and Process Management from the Server Infrastructure section, and select Process Definition
- On the Process Definition page, select Java Virtual Machine from Additional Properties
- On the Java Virtual Machine page, select Custom Properties from Additional Properties
- On the Custom Properties page, click New
- On the Configuration tab, specify the name, value and description
Ex: Name: SECURENT_HOME
Value: D:/Securent-v31
Description: Not mandatory
- Restart the WebSphere server
- Deploy the securent.war file (see “How to deploy war files in WebSphere server”)
♦ ServletExec 5.0:
If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:
Note: Make sure the Default Web Site is running under IIS where ServletExec is installed
- Log in to the ServletExec Administrative Console
- Click the options link under Virtual Machine in the left navigation
- On the Java Virtual Machine Options page, enter the following value in the blank text field: -DSECURENT_HOME=(Securent installation folder name)
For example: -DSECURENT_HOME=D:\Securent-v31
- Click Submit
- Restart the IIS Admin service from Control Panel > Administrative Tools > Services on your machine
- Open the ServletExec Administrative Console in a new browser window
- Deploy the securent.war file (see “How to deploy war files in ServletExec server”)
This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.
If the server throws any exception at this stage, see the “Troubleshooting Securent Installation” section.
8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.
9. Licensing information: Under the licensing agreement, you may use the Securent application only for a limited validity period. See “Updating Securent License” if the validity period has lapsed.
For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
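The configure.properties rules from step 2 can be checked before configure.sh is run. The script below is an added example, not part of the Securent distribution: the function names, the sample values /opt/Securent-v3.1, jdk1.5 and replyTopic, and the file-permission check are assumptions made here. Passing PDP as the second argument checks SECURENT.PDPDB_* instead of SECURENT.PAPDB_*.

```shell
#!/bin/sh
# Pre-flight check for configure.properties, run before configure.sh.
# Added example: rules follow step 2 of the guide; the permission check
# and all function names are assumptions of this example.

# prop FILE KEY -> value with whitespace around key and value trimmed
# (the guide's examples write "KEY= value"); the last definition wins.
prop() {
  awk -v k="$2" '
    /^[ \t]*[#!]/ { next }
    { i = index($0, "="); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t\r]+$/, "", key)
      gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (key == k) v = val }
    END { print v }' "$1"
}

# check_configure_properties FILE [PAP|PDP]
# Prints one "FAIL: ..." line per finding; exit status = number of findings.
check_configure_properties() (
  f=$1; c=${2:-PAP}; n=0
  fail() { n=$((n + 1)); printf 'FAIL: %s\n' "$1"; }
  need() { [ -n "$(prop "$f" "$1")" ] || fail "$1 is not set"; }
  [ -r "$f" ] || { fail "cannot read $f"; exit "$n"; }

  # Paths must be absolute and written with '/', never '\'.
  for k in USER_INSTALL_DIR JAVA_HOME; do
    v=$(prop "$f" "$k")
    case $v in
      '')               fail "$k is not set" ;;
      *\\*)             fail "$k contains '\\'; use '/'" ;;
      /* | [A-Za-z]:/*) ;;
      *)                fail "$k is a relative path" ;;
    esac
  done

  # Oracle also needs Oracle_Version (for example 9i).
  case $(prop "$f" Securent.DB_Selection | tr '[:upper:]' '[:lower:]') in
    oracle) need Oracle_Version ;;
    mssql)  ;;
    *)      fail "Securent.DB_Selection must be Oracle or mssql" ;;
  esac

  # Component database and XACML log database: URL, user, encrypted password.
  for p in "SECURENT.${c}DB" SECURENT.XACMLDB; do
    for s in URL USR PWD; do need "${p}_${s}"; done
  done

  # Separate PAP and PDP databases (SHARED_REPOSITORY=false) need JMS.
  if [ "$(prop "$f" SHARED_REPOSITORY | tr '[:upper:]' '[:lower:]')" = false ]; then
    for k in JMSURL JMSCONNECTIONFACTORY JMSUSERNAME JMSPASSWORD \
             JMSRECONNECTINTERVAL JMSPROVIDERCTXFACTORY; do
      need "SECURENT.$k"
    done
    need REPLY_TOPIC
    case $(prop "$f" SECURENT.JMSRECONNECTINTERVAL) in
      *[!0-9]*) fail "SECURENT.JMSRECONNECTINTERVAL must be milliseconds" ;;
    esac
  fi

  # Added check, not from the guide: the file holds database and JMS
  # credentials, so only its owner should be able to read it.
  if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
    fail "$f is readable by group or others (chmod 600)"
  fi
  exit "$n"
)

# write_sample FILE: constructed input modelled on the guide's Oracle
# example, with two deliberate mistakes (relative JAVA_HOME, no JMS URL).
write_sample() {
  cat > "$1" <<'EOF'
USER_INSTALL_DIR=/opt/Securent-v3.1
DOMAIN_NAME=Securent Domain
JAVA_HOME=jdk1.5
Securent.DB_Selection= Oracle
Oracle_Version=9i
SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
SHARED_REPOSITORY=false
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
REPLY_TOPIC=replyTopic
EOF
  chmod 600 "$1"
}

# Stand-alone use: sh preflight.sh /path/to/configure.properties [PAP|PDP]
if [ $# -gt 0 ]; then check_configure_properties "$@"; fi
```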
Installing Securent PAP on Solaris
To install Securent V3.1 PAP on a Solaris machine:
1. Follow steps 1 through 3 in the common installation steps section.
2. Edit configure.properties file and update the following parameters:
♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.
♦ Specify the path to User_install_directory.
Note: This is useful only when using the “prepack” Tomcat. You must specify an absolute path, for example:
USER_INSTALL_DIR=C:/Securent-v3.1
♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.
♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.
♦ Update the Securent.DB_Selection= parameter by specifying the database name.
- For Oracle, set Securent.DB_Selection= Oracle
- If Oracle is selected, you must also specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set Oracle_Version=9i
- For MS SQL Server 2000, set Securent.DB_Selection= mssql
♦ Update the following database variable settings for PAP:
─ SECURENT.PAPDB_URL = with the corresponding database URL
─ SECURENT.PAPDB_USR = with the corresponding username
─ SECURENT.PAPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
Note: If you are using the Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME/lib
Make sure that your PATH variable contains $ORACLE_HOME/lib:$ORACLE_HOME/bin
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PAPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PAPDB_USR=username
SECURENT.PAPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for XACML log:
─ SECURENT.XACMLDB_URL = with the corresponding database URL
─ SECURENT.XACMLDB_USR = with the corresponding username
─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ To use separate databases for PAP and PDP, follow this step; otherwise skip it.
Update the following properties to enable JMS for PAP-PDP database separation:
─ Set SHARED_REPOSITORY to false if you want PAP and PDP to use different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix2) and pdp_config.xml (see Appendix 3) is updated dynamically with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true.
Provide the JMS server information by setting the following properties:
• SECURENT.JMSURL = JMS Server URL
• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class
• SECURENT.JMSUSERNAME = JMS User Name
• SECURENT.JMSPASSWORD = JMS User Password
• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds
• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class
Example:
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
─ Set JNDI_ENABLE= to true if you are using JNDI to read the JMS configuration properties. You can optionally provide the following authentication details for the JNDI connection:
• SECURENT.JNDIUSERNAME = JNDI User Name
• SECURENT.JNDIPASSWORD = JNDI User Password
Example:
SECURENT.JNDIUSERNAME= jndiUserName
SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
─ Update REPLY_TOPIC= tag with the reply topic name.
3. Set JAVA_HOME from the command prompt.
4. Run configure.sh file.
5. Run createtables.sh file. This script should not be run while upgrading; see Note 1 below for upgrade details.
Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.
For example, if you are currently using Securent EMS V 3.0, instead of running the createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.
The following migration scripts are available for Securent EMS v3.1:
DB-Type   Migration Type         Migration Scripts
Oracle    v 1.4.3 to v 3.1GA     Migartionv1.4.3-3.1GA.SQL
Oracle    v 1.5 to v 3.1GA       Migartionv1.5-3.1 GA.SQL
Oracle    v 3.0 to v 3.1         Migartionv3.0-3.1 GA.SQL
Oracle    v 3.0.1 to v 3.1 GA    Migartionv3.0.1-3.1GA.SQL
Oracle    v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
MSSQL     v 1.5 to v 3.1GA       Migartionv1.5-3.1GA.SQL
MSSQL     v 3.0 to v 3.1GA       Migartionv3.0-3.1GA.SQL
MSSQL     v 3.0.1 to v 3.1GA     Migartionv3.0.1-3.1GA.SQL
MSSQL     v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
After the migration is finished, run templateloader.sh file from /Securent-v3.1/bin folder to load the latest templates into Securent DB.
Note 2: Do not run templateloader.sh file when the installation is fresh, because createtables.sh is run while installing Securent for the first time. This file must be run only when migration is required.
(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting the Securent Installation” section.)
6. Execute the database procedures as follows:
- For Oracle 9i, open the Oracle client and run the pap.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pap_config.xml file (see Appendix2) to put the PAP-PDP database separation into effect. See “JMS Configuration” for how the <jms> tags of these files are updated.
- For Oracle 10g, open the Oracle client and run the pap_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pap_config.xml file to put the PAP-PDP database separation into effect. See “JMS Configuration” for how the <jms> tags of these files are updated.
- For MS SQL Server, open the MS SQL client and run the pap.sql file from the /Securent-v3.1/db/scripts/mssql folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. See “JMS Configuration” for how the <jms> tags of these files are updated.
7. Deploy the PAP WAR files by starting the application server using one of the following methods:
♦ Prepackaged Tomcat:
If you are using the prepackaged Tomcat application server, the WAR files are deployed during the installation steps above: they are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can start Securent EMS directly by running the startsecurentgui.sh file from the .../Securent-v3.1/bin folder.
♦ External Tomcat:
- Edit the Tomcat_home/bin/catalina.sh file and append -DSECURENT_HOME=<folder path of Securent-v3.1> to the JAVA_OPTS variable.
- Copy the securent.war file from the dist folder to the application folder and deploy it.
- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ WebLogic:
If you are using the BEA WebLogic Server:
- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.
For example, -DSECURENT_HOME=D:/securent-v31
- Copy securent.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.
- Open the WebLogic console in your web browser and deploy the securent.war file (see “How to deploy war files in WebLogic Server”).
- Start the server by running startWLS.sh
Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.
(See Appendix1 for a sample config.xml file with the added parameter.)
♦ WebSphere 6.1:
If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:
- Log in to the WebSphere Administrative Console
- Expand Servers in the navigation and click Application Servers
- Click the name of the server link. Ex: Server1
- Go to the Configuration tab, select Java and Process Management from the Server Infrastructure section, and select Process Definition
- On the Process Definition page, select Java Virtual Machine from Additional Properties
- On the Java Virtual Machine page, select Custom Properties from Additional Properties
- On the Custom Properties page, click New
- On the Configuration tab, specify the name, value and description
Ex: Name: SECURENT_HOME
Value: D:/Securent-v31
Description: Not mandatory
- Restart the WebSphere server
- Deploy the securent.war file (see “How to deploy war files in WebSphere server”)
♦ ServletExec 5.0:
If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:
Note: Make sure the Default Web Site is running under IIS where ServletExec is installed
- Log in to the ServletExec Administrative Console
- Click the options link under Virtual Machine in the left navigation
- On the Java Virtual Machine Options page, enter the following value in the blank text field: -DSECURENT_HOME=(Securent installation folder name)
For example: -DSECURENT_HOME=D:\Securent-v31
- Click Submit
- Restart the IIS Admin service from Control Panel > Administrative Tools > Services on your machine
- Open the ServletExec Administrative Console in a new browser window
- Deploy the securent.war file (see “How to deploy war files in ServletExec server”)
This process installs PAP and PDP on your system. After completing this step, you can access the Securent Administration Console application through a web browser.
If the server throws any exception at this stage, see the “Troubleshooting the Securent Installation” section.
8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.
9. Licensing information: Under the licensing agreement, you may use the Securent application only for a limited validity period. See “Updating Securent License” if the validity period has lapsed.
For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
Installing Securent PDP on Windows
To install Securent V3.1 PDP on a Windows machine:
1. Follow steps 1 through 3 in the common installation steps section.
2. Edit configure.properties file and update the following parameters:
♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.
♦ Specify the path to User_install_directory.
Note: This is useful only when using the “prepack” Tomcat. You must specify an absolute path, for example:
USER_INSTALL_DIR=C:/Securent-v3.1
♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.
♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.
♦ Update the Securent.DB_Selection= parameter by specifying the database name.
- For Oracle, set Securent.DB_Selection= Oracle
- If Oracle is selected, you must also specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set Oracle_Version=9i
- For MS SQL Server 2000, set Securent.DB_Selection= mssql
♦ Update the following database variable settings for PDP:
─ SECURENT.PDPDB_URL = with the corresponding database URL
─ SECURENT.PDPDB_USR = with the corresponding username
─ SECURENT.PDPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
Note: If you are using the Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib
Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for XACML log:
─ SECURENT.XACMLDB_URL = with the corresponding database URL
─ SECURENT.XACMLDB_USR = with the corresponding username
─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ To use separate databases for PAP and PDP, follow this step; otherwise skip it.
Update the following properties to enable JMS for PAP-PDP database separation:
─ Set SHARED_REPOSITORY to false if you want PAP and PDP to use different databases (non-shared repository); otherwise set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix2) and pdp_config.xml (see Appendix 3) is updated dynamically with this value. For example, if you set this property to true, the <sharedrepository> tag in both files is updated to true.
Provide the JMS server information by setting the following properties:
• SECURENT.JMSURL = JMS Server URL
• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class
• SECURENT.JMSUSERNAME = JMS User Name
• SECURENT.JMSPASSWORD = JMS User Password
• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds
• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class
Example:
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
─ Set JNDI_ENABLE= to true if you are using JNDI to read the JMS configuration properties. You can optionally provide the following authentication details for the JNDI connection:
• SECURENT.JNDIUSERNAME = JNDI User Name
• SECURENT.JNDIPASSWORD = JNDI User Password
Example:
SECURENT.JNDIUSERNAME= jndiUserName
SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
─ Update REPLY_TOPIC= tag with the reply topic name.
3. Set JAVA_HOME from the command prompt.
4. Run configure.bat file.
5. Run createtables.bat file. This batch file should not be run while upgrading; see Note 1 below for upgrade details.
Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.
For example, if you are currently using Securent EMS V 3.0, instead of running the createtables.bat file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.
The following migration scripts are available for Securent EMS v3.1:
DB-Type   Migration Type         Migration Scripts
Oracle    v 1.4.3 to v 3.1GA     Migartionv1.4.3-3.1GA.SQL
Oracle    v 1.5 to v 3.1GA       Migartionv1.5-3.1 GA.SQL
Oracle    v 3.0 to v 3.1         Migartionv3.0-3.1 GA.SQL
Oracle    v 3.0.1 to v 3.1 GA    Migartionv3.0.1-3.1GA.SQL
Oracle    v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
MSSQL     v 1.5 to v 3.1GA       Migartionv1.5-3.1GA.SQL
MSSQL     v 3.0 to v 3.1GA       Migartionv3.0-3.1GA.SQL
MSSQL     v 3.0.1 to v 3.1GA     Migartionv3.0.1-3.1GA.SQL
MSSQL     v 3.1EA to v 3.1 GA    Migartionv3.1EA-3.1GA.SQL
(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)
6. Execute the database procedures as follows:
- For Oracle 9i, open the Oracle client and run the pdp.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pdp_config.xml file (see Appendix 3) to put the PAP-PDP database separation into effect. See “JMS Configuration” for how the <jms> tags of these files are updated.
- For Oracle 10g, open the Oracle client and run the pdp_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pdp_config.xml file to put the PAP-PDP database separation into effect. See “JMS Configuration” for how the <jms> tags of these files are updated.
- For MS SQL Server, open the MS SQL client and run the pdp.sql file from the /Securent-v3.1/db/scripts/mssql folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. See “JMS Configuration” for how the <jms> tags of these files are updated.
7. Deploy the PDP WAR files by starting the application server using one of the following methods:
♦ Prepackaged Tomcat:
If you are using the prepackaged Tomcat application server, the WAR files are deployed during the installation steps above: they are copied to the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory, so no separate deployment is required. You can start Securent EMS directly by running the startsecurentgui.bat file from the .../Securent-v3.1/bin folder.
♦ External Tomcat:
- Edit the Tomcat_home/bin/catalina.bat file and append -DSECURENT_HOME=<folder path of Securent-v3.1> to the JAVA_OPTS variable.
- Copy the pdp.war file from the dist folder to the application folder and deploy it.
- Start the server using startsecurentgui.bat file from .../Securent-v3.1/bin folder.
♦ WebLogic:
If you are using the BEA WebLogic Server:
- Edit startWLS.bat file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.
For example, -DSECURENT_HOME=D:/securent-v31
- Copy pdp.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.
- Open the WebLogic console in your web browser and deploy the pdp.war file (see “How to deploy war files in WebLogic Server”).
- Start the server by running startWLS.bat
Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.
(See Appendix1 for a sample config.xml file with the added parameter.)
♦ WebSphere 6.1:
If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.bat file and follow these deployment instructions:
- Login to Websphere Administrative Console
- Expand Servers from the navigation and click on Application Servers
- Click on the name of the server link. Ex: Server1
- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition
- In Process Definition page Select Java Virtual Machine from Additional Properties.
- In the Java Virtual Machine Select Custom Properties from Additional Properties
- In Custom Properties, select the New button
- In the Configuration tab specify the name, value and description
Ex: Name: SECURENT_HOME
Value: D:/Securent-v31
Description: Not mandatory
- Restart the WebSphere server
- Deploy pdp.war file (Refer How to deploy war files in WebSphere server)
♦ ServletExec 5.0:
If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:
Note: Make sure the Default Web Site is running under IIS where ServletExec is installed
- Login to ServletExec Administrative Console
- Click options link under Virtual Machine in the left NAV
- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)
For ex: -DSECURENT_HOME=D:\Securent-v31
- Click Submit
- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine
- Open ServletExec Administrative Console in the new browser window
- Deploy pdp.war file (Refer How to deploy war files in ServletExec server)
This process installs PDP on your system.
If the server throws any exception at this stage, see the “Troubleshooting the Securent Installation” section.
8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.
9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. See Updating Securent License if the validity period has lapsed.
For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
Installing Securent PDP on Linux
To install Securent V3.1 PDP on a Linux machine:
1. Follow steps 1 through 3 in the common installation steps section.
2. Edit configure.properties file and update the following parameters:
♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.
♦ Specify the path to User_install_directory.
Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:
USER_INSTALL_DIR=C:/Securent-v3.1
♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.
♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.
♦ Update the Securent.DB_Selection= parameter by specifying the database name.
- For Oracle, mention Securent.DB_Selection= Oracle
- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i
- For MS SQL Server 2000, mention
Securent.DB_Selection= mssql
♦ Update the following database variable settings for PDP:
─ SECURENT.PDPDB_URL = with the corresponding database URL
─ SECURENT.PDPDB_USR = with the corresponding username
─ SECURENT.PDPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
Note: If you are using the Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib
Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for XACML log:
─ SECURENT.XACMLDB_URL = with the corresponding database URL
─ SECURENT.XACMLDB_USR = with the corresponding username
─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ If you wish to use separate database for PAP & PDP, follow this step, else skip this step.
Update the following properties to enable JMS for PAP-PDP database separation:
─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different database (non-shared repository), else set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix2) and pdp_config.xml (see Appendix 3) will be dynamically updated with this value. As a result, if you set this tag to true, then the <sharedrepository> tag in the above mentioned files will be updated to true. Provide the JMS Server related information by setting the following properties.
• SECURENT.JMSURL = JMS Server URL
• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class
• SECURENT.JMSUSERNAME = JMS User Name
• SECURENT.JMSPASSWORD = JMS User Password
• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds
• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class
Example:
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
─ Update JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may provide the following authentication details for JNDI connection (It’s optional).
• SECURENT.JNDIUSERNAME = JNDI User Name
• SECURENT.JNDIPASSWORD = JNDI User Password
Example:
SECURENT.JNDIUSERNAME= jndiUserName
SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
─ Update REPLY_TOPIC= tag with the reply topic name.
3. Set JAVA_HOME from the command prompt.
4. Run configure.sh file.
5. Run createtables.sh file. This script should not be run while upgrading; see Note 1 below for upgrade details.
Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.
For ex, if you are currently using Securent EMS V 3.0, instead of running createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.
Following migration scripts are available for Securent EMS v3.1:
DB-Type   Migration Type          Migration Scripts
Oracle    v 1.4.3 to v 3.1GA      Migartionv1.4.3-3.1GA.SQL
Oracle    v 1.5 to v 3.1GA        Migartionv1.5-3.1 GA.SQL
Oracle    v 3.0 to v 3.1          Migartionv3.0-3.1 GA.SQL
Oracle    v 3.0.1 to v 3.1 GA     Migartionv3.0.1-3.1GA.SQL
Oracle    v 3.1EA to v 3.1 GA     Migartionv3.1EA-3.1GA.SQL
MSSQL     v 1.5 to v 3.1GA        Migartionv1.5-3.1GA.SQL
MSSQL     v 3.0 to v 3.1GA        Migartionv3.0-3.1GA.SQL
MSSQL     v 3.0.1 to v 3.1GA      Migartionv3.0.1-3.1GA.SQL
MSSQL     v 3.1EA to v 3.1 GA     Migartionv3.1EA-3.1GA.SQL
(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)
6. Execute the database procedures in the following way:
- To execute the procedure in Oracle 9i, open the Oracle client and run the pdp.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pdp_config.xml file to put PAP-PDP database separation into effect. See JMS Configuration for how the <jms> tags of these files are updated.
- To execute the procedure in Oracle 10g, open the Oracle client and run the pdp_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pdp_config.xml file to put PAP-PDP database separation into effect. See JMS Configuration for how the <jms> tags of these files are updated.
- To execute the procedure in MS SQL Server, open the MS SQL client and run the pdp.sql file from the /Securent-v3.1/db/scripts/mssql folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. See JMS Configuration for how the <jms> tags of these files are updated.
7. Deploy the PAP and PDP WAR files by starting the application server using one of the following methods:
♦ Prepackaged Tomcat:
If you are using a prepackaged Tomcat application server, WAR files are deployed during above installation steps. WAR files are copied in the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory. Thus, no separate deployment is required. You can directly start the Securent EMS by using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ External Tomcat:
- Edit the Tomcat_home/bin/catalina.sh file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>
- Copy pdp.war file from the dist folder to the application folder and deploy these files.
- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ WebLogic:
If you are using the BEA WebLogic Server:
- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.
For example, -DSECURENT_HOME=D:/securent-v31
- Copy pdp.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.
- Open the WebLogic console in your web browser and deploy pdp.war file. (Refer How to deploy war files in WebLogic Server)
- Start the server by running startWLS.sh
Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.
(See Appendix1 for a sample config.xml file with the added parameter.)
♦ WebSphere 6.1:
If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:
- Login to Websphere Administrative Console
- Expand Servers from the navigation and click on Application Servers
- Click on the name of the server link. Ex: Server1
- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition
- In Process Definition page Select Java Virtual Machine from Additional Properties.
- In the Java Virtual Machine Select Custom Properties from Additional Properties
- In Custom Properties, select the New button
- In the Configuration tab specify the name, value and description
Ex: Name: SECURENT_HOME
Value: D:/Securent-v31
Description: Not mandatory
- Restart the WebSphere server
- Deploy pdp.war file (Refer How to deploy war files in WebSphere server)
♦ ServletExec 5.0:
If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:
Note: Make sure the Default Web Site is running under IIS where ServletExec is installed
- Login to ServletExec Administrative Console
- Click options link under Virtual Machine in the left NAV
- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)
For ex: -DSECURENT_HOME=D:\Securent-v31
- Click Submit
- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine
- Open ServletExec Administrative Console in the new browser window
- Deploy pdp.war file (Refer How to deploy war files in ServletExec server)
This process installs PDP on your system.
If the server throws any exception at this stage, see the “Troubleshooting the Securent Installation” section.
8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.
9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. See Updating Securent License if the validity period has lapsed.
For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
Installing Securent PDP on Solaris
To install Securent V3.1 PDP on a Solaris machine:
1. Follow steps 1 through 3 in the common installation steps section.
2. Edit configure.properties file and update the following parameters:
♦ Relative paths are not supported. Use '/' instead of '\' when specifying file locations.
♦ Specify the path to User_install_directory.
Note: This is useful while using “prepack” Tomcat only. You must specify an absolute path, for example:
USER_INSTALL_DIR=C:/Securent-v3.1
♦ Update DOMAIN_NAME= by specifying your own domain name (if any) or set it to “Default Domain”. You can use a space in your domain name. For example, “Securent Domain”.
♦ Update JAVA_HOME= by specifying the folder path to the Java home directory.
♦ Update the Securent.DB_Selection= parameter by specifying the database name.
- For Oracle, mention Securent.DB_Selection= Oracle
- If Oracle is selected, you must specify the version in the Oracle_Version= tag. For example, if you use Oracle 9i, set the tag to Oracle_Version=9i
- For MS SQL Server 2000, mention
Securent.DB_Selection= mssql
♦ Update the following database variable settings for PDP:
─ SECURENT.PDPDB_URL = with the corresponding database URL
─ SECURENT.PDPDB_USR = with the corresponding username
─ SECURENT.PDPDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
Note: If you are using the Oracle Thick Driver, set ORACLE_HOME to /usr/oracle/oracle/product/10.2.0/db_1 and LD_LIBRARY_PATH to $ORACLE_HOME\lib
Make sure that your Path variable contains $ORACLE_HOME\lib:$ORACLE_HOME\bin
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.PDPDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ Update the following database variable settings for XACML log:
─ SECURENT.XACMLDB_URL = with the corresponding database URL
─ SECURENT.XACMLDB_USR = with the corresponding username
─ SECURENT.XACMLDB_PWD = with the encrypted password generated in the step # 3 in the common installation steps section.
For example, if you are using Oracle, the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=uKoPsYGLxkY=
If you are using MS SQL Server 2000/2005 the DB-details are updated as shown in the following examples:
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=sZ/jQxr8QQNEq6iEZjvEnQ==
♦ If you wish to use separate database for PAP & PDP, follow this step, else skip this step.
Update the following properties to enable JMS for PAP-PDP database separation:
─ Set SHARED_REPOSITORY to false if you want PAP and PDP to have different database (non-shared repository), else set it to true for a shared repository. The <sharedrepository> tag of pap_config.xml (see Appendix2) and pdp_config.xml (see Appendix 3) will be dynamically updated with this value. As a result, if you set this tag to true, then the <sharedrepository> tag in the above mentioned files will be updated to true. Provide the JMS Server related information by setting the following properties.
• SECURENT.JMSURL = JMS Server URL
• SECURENT.JMSCONNECTIONFACTORY = JMS Connection Factory class
• SECURENT.JMSUSERNAME = JMS User Name
• SECURENT.JMSPASSWORD = JMS User Password
• SECURENT.JMSRECONNECTINTERVAL = JMS Reconnect Interval in milliseconds
• SECURENT.JMSPROVIDERCTXFACTORY = JMS Provider Context Factory Class
Example:
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100000
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
─ Update JNDI_ENABLE= tag to true if you are using JNDI to read JMS configuration properties. You may provide the following authentication details for JNDI connection (It’s optional).
• SECURENT.JNDIUSERNAME = JNDI User Name
• SECURENT.JNDIPASSWORD = JNDI User Password
Example:
SECURENT.JNDIUSERNAME= jndiUserName
SECURENT.JNDIPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
─ Update REPLY_TOPIC= tag with the reply topic name.
3. Set JAVA_HOME from the command prompt.
4. Run configure.sh file.
5. Run createtables.sh file. This script should not be run while upgrading; see Note 1 below for upgrade details.
Note 1: If you are already using an older version of Securent EMS and wish to upgrade to Securent EMS v 3.1, you can do so by migrating the database from your older (existing) version to the latest version. To do this, open your corresponding database client and run the appropriate migration script from …/Securent-v3.1/migrate folder.
For ex, if you are currently using Securent EMS V 3.0, instead of running createtables.sh file, upgrade your Securent application software from version 3.0 to 3.1 by running the Migration-v3.0-3.1.sql file in your corresponding database client.
Following migration scripts are available for Securent EMS v3.1:
DB-Type   Migration Type          Migration Scripts
Oracle    v 1.4.3 to v 3.1GA      Migartionv1.4.3-3.1GA.SQL
Oracle    v 1.5 to v 3.1GA        Migartionv1.5-3.1 GA.SQL
Oracle    v 3.0 to v 3.1          Migartionv3.0-3.1 GA.SQL
Oracle    v 3.0.1 to v 3.1 GA     Migartionv3.0.1-3.1GA.SQL
Oracle    v 3.1EA to v 3.1 GA     Migartionv3.1EA-3.1GA.SQL
MSSQL     v 1.5 to v 3.1GA        Migartionv1.5-3.1GA.SQL
MSSQL     v 3.0 to v 3.1GA        Migartionv3.0-3.1GA.SQL
MSSQL     v 3.0.1 to v 3.1GA      Migartionv3.0.1-3.1GA.SQL
MSSQL     v 3.1EA to v 3.1 GA     Migartionv3.1EA-3.1GA.SQL
(If you get any error at this stage, see issue No-10 & 11 in the “Troubleshooting Securent Installation” section.)
6. Execute the database procedures in the following way:
- To execute the procedure in Oracle 9i, open the Oracle client and run the pdp.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. Before running these files, you must update the pap_config.xml and pdp_config.xml files to put PAP-PDP database separation into effect. See JMS Configuration for how the <jms> tags of these files are updated.
- To execute the procedure in Oracle 10g, open the Oracle client and run the pdp_wrapped.sql file from the /Securent-v3.1/db/scripts/oracle folder.
If you are not using a shared repository, run dbutility_wrapped.sql to enable the JMS server. Before running these files, you must update the pdp_config.xml file to put PAP-PDP database separation into effect. See JMS Configuration for how the <jms> tags of these files are updated.
- To execute the procedure in MS SQL Server, open the MS SQL client and run the pdp.sql file from the /Securent-v3.1/db/scripts/mssql folder.
If you are not using a shared repository, run dbutility.sql to enable the JMS server. See JMS Configuration for how the <jms> tags of these files are updated.
7. Deploy the PDP WAR files by starting the application server using one of the following methods:
♦ Prepackaged Tomcat:
If you are using a prepackaged Tomcat application server, WAR files are deployed during above installation steps. WAR files are copied in the SECURENT_HOME\external\apache-tomcat-5.5.17\webapps directory. Thus, no separate deployment is required. You can directly start the Securent EMS by using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ External Tomcat:
- Edit the Tomcat_home/bin/catalina.sh file by appending the JAVA_OPTS variable with -DSECURENT_HOME=<folder path of Securent-v3.1>
- Copy pdp.war file from the dist folder to the application folder and deploy these files.
- Start the server using startsecurentgui.sh file from .../Securent-v3.1/bin folder.
♦ WebLogic:
If you are using the BEA WebLogic Server:
- Edit startWLS.sh file from WL_Home/User_Projects/Domains/<Domain Name> folder by setting JAVA_OPTIONS to the folder path of Securent-v3.1.
For example, -DSECURENT_HOME=D:/securent-v31
- Copy pdp.war file from SECURENT_HOME/dist folder to WL_Home/User_Projects/Domains/<Domain Name>/Application folder.
- Open the WebLogic console in your web browser and deploy pdp.war file. (Refer How to deploy war files in WebLogic Server)
- Start the server by running startWLS.sh
Note: If you are using WebLogic v 9.2, open config.xml file from $BEA_HOME/user_projects/domains/DOMAIN_NAME/config folder and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false.
(See Appendix1 for a sample config.xml file with the added parameter.)
♦ WebSphere 6.1:
If you are using WebSphere, start the server by running ../WebSphere/AppServer/bin/startServer.sh file and follow these deployment instructions:
- Login to Websphere Administrative Console
- Expand Servers from the navigation and click on Application Servers
- Click on the name of the server link. Ex: Server1
- Go to Configuration tab and select Java and Process Management from Server Infrastructure section and select Process Definition
- In Process Definition page Select Java Virtual Machine from Additional Properties.
- In the Java Virtual Machine Select Custom Properties from Additional Properties
- In Custom Properties, select the New button
- In the Configuration tab specify the name, value and description
Ex: Name: SECURENT_HOME
Value: D:/Securent-v31
Description: Not mandatory
- Restart the WebSphere server
- Deploy pdp.war file (Refer How to deploy war files in WebSphere server)
♦ ServletExec 5.0:
If you are using ServletExec with IIS, start the server by running IIS Admin service from the Control Panel > Administrative Tools > Services and follow these deployment instructions:
Note: Make sure the Default Web Site is running under IIS where ServletExec is installed
- Login to ServletExec Administrative Console
- Click options link under Virtual Machine in the left NAV
- In the Java Virtual Machine Options page, enter the following value in the blank text field -DSECURENT_HOME=(Securent installation folder name)
For ex: -DSECURENT_HOME=D:\Securent-v31
- Click Submit
- Restart the IIS Admin service from the Control Panel > Administrative Tools > Services from your machine
- Open ServletExec Administrative Console in the new browser window
- Deploy pdp.war file (Refer How to deploy war files in ServletExec server)
This process installs PDP on your system.
If the server throws any exception at this stage, see the “Troubleshooting the Securent Installation” section.
8. Verify whether the PAP and PDP are installed successfully. See the “Verifying the Securent PAP-PDP Installation” section.
9. Licensing Info: Under the licensing agreement, you may use the Securent application for a limited validity period. See Updating Securent License if the validity period has lapsed.
For further information on using the administration console, see the Securent Entitlement Management Solution v 3.1 Quick Start Guide or the Securent Entitlement Management Solution v 3.1 User Guide.
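The configure.properties rules from step 2 of the Linux and Solaris procedures above can be checked before configure.sh is run. The following Python check is an added example, not part of the Securent distribution; the base64-shape test for encrypted passwords and the JDBC prefix test are assumptions inferred from the guide's sample values, and the sample file is constructed.

```python
import re

# Property names below are the ones listed in step 2 of the guide.
PATH_KEYS = ["USER_INSTALL_DIR", "JAVA_HOME"]
DB_KEYS = [f"SECURENT.{db}DB_{field}"
           for db in ("PDP", "XACML") for field in ("URL", "USR", "PWD")]
JMS_KEYS = ["SECURENT.JMSURL", "SECURENT.JMSCONNECTIONFACTORY",
            "SECURENT.JMSUSERNAME", "SECURENT.JMSPASSWORD",
            "SECURENT.JMSRECONNECTINTERVAL", "SECURENT.JMSPROVIDERCTXFACTORY",
            "REPLY_TOPIC"]
# Assumption: URL prefixes inferred from the guide's sample JDBC URLs.
JDBC_PREFIX = {"oracle": "jdbc:oracle:", "mssql": "jdbc:sqlserver:"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_properties(text):
    """Parse KEY=VALUE lines; skips blanks and #/! comments, trims spaces."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def looks_encrypted(value):
    """Heuristic only: the guide's encrypted samples are base64-shaped."""
    return len(value) % 4 == 0 and bool(BASE64_RE.match(value))


def check(props):
    """Return a list of findings; an empty list means every rule holds."""
    findings = []
    for key in PATH_KEYS:
        value = props.get(key, "")
        if not value:
            findings.append(f"{key}: missing")
        elif "\\" in value:
            findings.append(f"{key}: use '/' instead of '\\'")
        elif not (value.startswith("/") or re.match(r"^[A-Za-z]:/", value)):
            findings.append(f"{key}: relative paths are not supported")

    db = props.get("Securent.DB_Selection", "").lower()
    if db not in JDBC_PREFIX:
        findings.append("Securent.DB_Selection: expected Oracle or mssql")
    elif db == "oracle" and not props.get("Oracle_Version"):
        findings.append("Oracle_Version: required when Oracle is selected")

    for key in DB_KEYS:
        value = props.get(key, "")
        if not value:
            findings.append(f"{key}: missing")
        elif (key.endswith("_URL") and db in JDBC_PREFIX
              and not value.startswith(JDBC_PREFIX[db])):
            findings.append(f"{key}: URL does not match DB_Selection={db}")

    # Non-shared repository: every JMS property becomes mandatory.
    if props.get("SHARED_REPOSITORY", "").lower() == "false":
        for key in JMS_KEYS:
            if not props.get(key):
                findings.append(f"{key}: required when SHARED_REPOSITORY=false")
        interval = props.get("SECURENT.JMSRECONNECTINTERVAL", "")
        if interval and not interval.isdigit():
            findings.append("SECURENT.JMSRECONNECTINTERVAL: not an integer (ms)")

    for key, value in props.items():
        if key.endswith(("_PWD", "PASSWORD")) and value and not looks_encrypted(value):
            findings.append(f"{key}: value does not look like an encrypted password")
    return findings


# Constructed sample with seven deliberate mistakes (not a real deployment).
SAMPLE = r"""USER_INSTALL_DIR=C:\Securent-v3.1
JAVA_HOME=jdk1.5
Securent.DB_Selection= Oracle
SECURENT.PDPDB_URL=jdbc:oracle:thin:@131.107.0.10:1521:devbdb
SECURENT.PDPDB_USR=username
SECURENT.PDPDB_PWD=uKoPsYGLxkY=
SECURENT.XACMLDB_URL=jdbc:sqlserver://host:1433;databaseName=dbname;SelectMethod=cursor
SECURENT.XACMLDB_USR=username
SECURENT.XACMLDB_PWD=secret!
SHARED_REPOSITORY=false
SECURENT.JMSURL= tcp://131.107.0.68:61616
SECURENT.JMSCONNECTIONFACTORY=org.apache.activemq.ActiveMQConnectionFactory
SECURENT.JMSUSERNAME= ActiveMQConnection.DEFAULT_USER
SECURENT.JMSPASSWORD= dQh1QLrLMfnDulySruPVDpfLSgm3Mw==
SECURENT.JMSRECONNECTINTERVAL= 100s
SECURENT.JMSPROVIDERCTXFACTORY=org.apache.activemq.jndi.ActiveMQInitialContextFactory
"""

if __name__ == "__main__":
    for finding in check(parse_properties(SAMPLE)):
        print(finding)
```

The base64-shape test only catches obvious plaintext; a short plaintext value made of base64 characters will pass it.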
JMS Configuration for PAP PDP Database Separation
PAP-PDP Database Separation
Securent’s PAP and PDP components can be deployed in either the Shared Mode or the Non-Shared Mode. In the Shared Mode of deployment, the PAP and PDP components interact with each other by using a common database instance. If that database instance is down, neither component can function. In the Non-Shared Mode of deployment, the PAP and PDP components access separate database instances. They still interact with each other using Java Messaging System (JMS) and are thus loosely coupled. This mechanism removes the dependence of both components on a common database instance. The following diagram shows the Non-Shared Mode of operation between PAP and PDP components.
The Non-Shared Model works as follows:
1. PAP uses a database instance, for example: PAP-DB.
2. PDP uses a different database instance, for example: PDP-DB.
3. Whenever an event is initiated in PAP, it publishes the information to the Topics within the JMS Server.
4. PDP components subscribe for these Topics.
5. PDPs receive the Topics information from the JMS Server and store it in the PDP-DB.
Note: If the PAP component fails to store an event’s information in PAP-DB, it does not publish that information as a Topic to the JMS Server. Thus, the database operation and the publishing operation together behave as a single transaction: either both operations succeed or neither does.
Securent supports configuring JMS for servers like ActiveMQ, Tibco and WebLogic JMS. The Securent installer comes with a pre-packaged ActiveMQ environment. Thus the configuration section is divided into two sections:
- JMS Configuration for ActiveMQ Server
- JMS Configuration for other Servers
JMS Configuration for ActiveMQ Server
1. Start JMS Server by running activemq.bat from the folder ../incubator-activemq-4.0.2/bin.
2. Open pap_config.xml from the folder: .../SECURENT_HOME/Config and make the following modification:
♦ Update <jms> tag as given below:
<jms>
  <env>
    <url>tcp://131.107.0.68:61616</url>
    <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
    <username>ActiveMQConnection.DEFAULT_USER</username>
    <password>ActiveMQConnection.DEFAULT_PASSWORD</password>
    <replyTopic>replyTopicName</replyTopic>
  </env>
  <reconnect_interval>100000</reconnect_interval>
  <useJndi>false</useJndi>
  <jndi>
    <providerUrl>tcp://131.107.0.68:61616</providerUrl>
    <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
    <jndiUserName></jndiUserName>
    <jndiPassword></jndiPassword>
  </jndi>
</jms>
<url> - Set this to the URL and port of the host machine where the JMS Server is running.
<username> - Set this to the JMS username.
<password> - Set this to the encrypted password.
<replyTopic> - Set this to the name of the topic that reports to the PAP whether any of the PDPs is down.
<reconnect_interval> - Set this to the time interval (in milliseconds) after which the PAP and PDP will try to re-establish the JMS connection, in case the JMS Server is down.
<useJndi> - Set this tag to false if you are using ActiveMQ.
♦ Set the <shared-repository> tag to false. This will set the ground for PAP-PDP database separation
♦ In the <handlers> tag, edit the <handlerName> as given below:
<handlers>
  <common-properties>
    <sessionuser>superuser</sessionuser>
    <sessionpassword>admin</sessionpassword>
  </common-properties>
  <handler name="JMSSYNCHandler" enabled="true" type="*.*" application="Prime group:Prime portal">
    <impl>net.securent.jms.PAPHandler</impl>
  </handler>
</handlers>
3. Save and close the pap_config file after the modifications are done.
4. Start the PAP server.
5. Open Securent Administration Console in your browser.
6. Go to Home > Administer Entitlement > Administer > Entitlement Server and register an Entitlement Server (PDP).
7. Open pdp_config.xml from ../SECURENT_HOME/Config/pdp folder and make the following modification:
♦ Set the <shared-repository> tag to false.
♦ Update the <pdpserver> tag with the name of the entitlement server registered in step 6 above.
♦ In the <jms> tag, set the JMS URL host and port to the machine IP where the JMS Server is running.
8. Restart the PAP server and the PDP server.
9. In the PAP console, go to Home > Administer Entitlement > Administer > Application and update an existing application by associating it with the PDP created in Step 6 above.
This completes the JMS configuration process in ActiveMQ server.
JMS Configuration for Servers other than ActiveMQ
If you are using your own JMS server other than ActiveMQ (e.g. Tibco or WebLogic JMS), you must connect it to the Securent server with the help of JNDI by setting the <useJndi> parameter to true. All the configuration steps are the same as mentioned above, except for updating the <jms> tag in step 2. Update the <jms> tag of pap_config.xml from the config folder and make the following modification:
Sample <jms> tag of pap_config.xml
<jms>
  <env>
    <url>tcp://131.107.0.68:61616</url>
    <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
    <username>ActiveMQConnection.DEFAULT_USER</username>
    <password>ActiveMQConnection.DEFAULT_PASSWORD</password>
    <replyTopic>replyTopicName</replyTopic>
  </env>
  <reconnect_interval>100000</reconnect_interval>
  <useJndi>true</useJndi>
  <jndi>
    <jndiProviderUrl>tcp://131.107.0.68:61616</jndiProviderUrl>
    <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
    <jndiUserName></jndiUserName>
    <jndiPassword></jndiPassword>
  </jndi>
</jms>
− <reconnect_interval> - Set this to the time interval (in milliseconds) after which the PAP and PDP will try to re-establish the JMS connection, in case the JMS Server is down.
− <replyTopic> - If you are using your own JMS server other than ActiveMQ and want to read the JMS properties through JNDI, then set it to true. This will invalidate the previous JMS properties updated in the <env> tag except the value for <connectionFactory> tag.
− <useJndi> - Set this tag to true.
− In the <jndi> tag, update the <jndiProviderUrl> and <providerCtxFactory> parameters with your own URL and Context Factory respectively. Also mention the JNDI username and password if any.
Save the config file after the modifications are done.
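The <jms> settings described above can be checked for consistency before the PAP is restarted. The following Python check is an added example, not part of the Securent product or this guide: the function name check_jms and the sample strings are constructed here, and the provider URL is accepted under either element name because the guide uses both <jndiProviderUrl> and <providerUrl>.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the guide's <jms> block with JNDI switched on.
SAMPLE_OK = """<securent>
  <jms>
    <env>
      <url>tcp://131.107.0.68:61616</url>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
      <username>ActiveMQConnection.DEFAULT_USER</username>
      <password>ActiveMQConnection.DEFAULT_PASSWORD</password>
      <replyTopic>replyTopicName</replyTopic>
    </env>
    <reconnect_interval>100000</reconnect_interval>
    <useJndi>true</useJndi>
    <jndi>
      <providerUrl>tcp://131.107.0.68:61616</providerUrl>
      <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
      <jndiUserName></jndiUserName>
      <jndiPassword></jndiPassword>
    </jndi>
  </jms>
</securent>"""

# Constructed failure cases derived from the sample above.
# 1. Opening and closing tag names differ, so the file is not well-formed.
SAMPLE_MISMATCH = SAMPLE_OK.replace("<providerUrl>", "<jndiProviderUrl>", 1)
# 2. JNDI is on, but the context factory is blank and the interval is not a number.
SAMPLE_INCOMPLETE = (
    SAMPLE_OK
    .replace("org.apache.activemq.jndi.ActiveMQInitialContextFactory", "")
    .replace("<reconnect_interval>100000<", "<reconnect_interval>100s<")
)


def _text(parent, *names):
    """Return the stripped text of the first non-empty child among names, else ''."""
    if parent is None:
        return ""
    for name in names:
        node = parent.find(name)
        if node is not None and node.text and node.text.strip():
            return node.text.strip()
    return ""


def check_jms(xml_text):
    """Return a list of findings for the <jms> block; an empty list means consistent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    jms = root.find("jms")
    if jms is None:
        return ["no <jms> element"]

    findings = []
    # The guide defines the interval in milliseconds.
    try:
        interval_ok = int(_text(jms, "reconnect_interval")) > 0
    except ValueError:
        interval_ok = False
    if not interval_ok:
        findings.append("<reconnect_interval> must be a positive integer (milliseconds)")

    use_jndi = _text(jms, "useJndi").lower()
    if use_jndi not in ("true", "false"):
        findings.append("<useJndi> must be true or false")

    env = jms.find("env")
    # <connectionFactory> stays in effect even when JNDI is used.
    if not _text(env, "connectionFactory"):
        findings.append("<env><connectionFactory> is empty")

    if use_jndi == "true":
        jndi = jms.find("jndi")
        if jndi is None:
            findings.append("<useJndi> is true but <jndi> is missing")
        else:
            if not _text(jndi, "jndiProviderUrl", "providerUrl"):
                findings.append("<jndi> provider URL is empty")
            if not _text(jndi, "providerCtxFactory"):
                findings.append("<jndi><providerCtxFactory> is empty")
            user = _text(jndi, "jndiUserName")
            password = _text(jndi, "jndiPassword")
            if bool(user) != bool(password):
                findings.append("set both <jndiUserName> and <jndiPassword>, or neither")
    elif use_jndi == "false" and not _text(env, "url"):
        findings.append("<useJndi> is false but <env><url> is empty")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("mismatch", SAMPLE_MISMATCH),
                          ("incomplete", SAMPLE_INCOMPLETE)):
        print(label, check_jms(sample))
```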
Verifying the Securent PAP-PDP Installation
To quickly verify whether the PAP and PDP have been installed successfully, use the procedures in this section.
Verifying PAP Installation
1. Open your web browser and type the following URL:
http://host:port/securent
where you need to replace the host name and port number arguments in the URL with the correct values corresponding to where you have deployed the Securent Administration Console. For Administrator login, the default User ID and password are superuser and admin respectively.
If you get the Securent Home screen (as shown below) displaying the Prime group and Prime portal as default application group and application respectively, the PAP is considered to be installed successfully.
Verifying PDP Installation
2. After login, go to Home > Delegated Administration > Entitlement Server. Initially, the list of Entitlement Servers is empty by default.
3. Click Add. The Create Entitlement Server page is displayed.
4. Enter the following details:
- Name of the entitlement server.
- Description of the new entitlement server.
- Check No for In Process Entitlement Server.
- Enter the PDP Server details, for example, host URL and port number.
- Check HTTP as the transport protocol.
- Check Local as Authentication Type.
- Enter the server username and password.
- Click Create.
This creates the required PDP and the List of Entitlement Servers will include the same (as shown).
5. Copy the End Point URL of the newly created PDP, paste it in a new browser instance, and click Go.
If the PDPService screen is displayed (as shown below), the PDP is considered to be installed successfully.
For further information on using the administration console, see the Securent Quick Start Guide or the Securent User Guide.
Updating Securent License
Securent license is granted on a component basis. If the license expires, you must update the license files of individual components, e.g. license-pap.xml for PAP and license-pdp.xml for PDP. If the validity period has lapsed, Securent Inc. will provide the updated license files upon request.
To reactivate the license:
1. Replace ../SECURENT_HOME/config/license-pap.xml file and ../SECURENT_HOME/config/pdp/license-pdp.xml file with the updated ones.
2. Restart the server.
This renews the Securent license with the prescribed validity period.
Troubleshooting Securent Installation
This section contains solutions to problems you might encounter while installing Securent-v3.1.
1. While installing Securent, can I use any slashes, that is, forward and backward slash?
No. You must use only the forward slash ‘/’ while defining any folder path during installation, irrespective of the operating system. For example, while running startsecurentgui.sh, if you get the following message:
"The JAVA_HOME environment variable is not defined correctly This environment variable is needed to run this program"
it may be because of the slash type you used while updating properties.
2. While installing PAP and PDP individually, can I give same path for User_Install_Directory in both the cases?
No. If you do so, the existing files will be overwritten with the new files on every new installation. You must therefore specify two different locations for the User_Install_Directory while installing Securent PAP and PDP individually.
3. Can I run the Securent server on the default port even if it is preoccupied with any other application? If not, then what is the procedure for changing the port number?
No. When the default port is busy and you try to run the Securent Server on the same port, you will get the following error message:
“SEVERE: Error initializing endpoint java.net.BindException: Address already in use: JVM_Bind:8080”
In this case, you must change the default port number in the Server.xml file located in the Securent-v3.1/external/Jakarta-tomcat5.0.x/conf folder.
4. Can I run the Migrate file more than once?
No. You cannot run the migration file available in the Securent Installer more than once. If you do, all the existing data will be corrupted.
5. Is it necessary to set JAVA_HOME before starting the installation process?
Yes. You must set JAVA_HOME before starting the Securent installation process.
6. While running encryptor.sh, I get the following message: “.../encryptor.sh: Permission denied” What is the solution?
To get the permission, go to the application bin folder (i.e. Securent-v3.1/bin) and run the following command:
chmod +x encryptor.sh
7. While running configure.sh, I get the following message: “../external/ant/bin/ant: Permission denied” What is the solution?
Step 1: Go to the bin folder (that is, Securent-v3.1/external/ant/bin) and run the following command:
dos2unix ant ant
This replaces the old ant file with a new ant file in the same location.
Step 2: Go to the same bin folder and run the following command:
chmod +x ant
8. What should be done if dataload fails after running createtables.bat or createtables.sh?
For Windows, go to the SECURENT_HOME/bin folder and run the following code in the command prompt:
java -cp SECURENT_HOME/lib/securent-v3.1.jar;SECURENT_HOME/lib/classes12.jar net.securent.util.db.DataLoader SECURENT_HOME
For Linux and Solaris, go to the Securent-v3.1/bin folder and run the following code:
java -cp SECURENT_HOME/lib/securent-v3.1.jar:SECURENT_HOME/lib/classes12.jar net.securent.util.db.DataLoader SECURENT_HOME
where SECURENT_HOME is to be replaced with the absolute path of the unzipped Securent-V3.1 folder. For example, if SECURENT_HOME is opt/Securent-V3.1, then for Windows, run the following piece of code:
java -cp opt/Securent-V3.1/lib/securent-v3.1.jar;opt/Securent-V3.1/lib/classes12.jar net.securent.util.db.DataLoader opt/Securent-V3.1
9. While running startsecurentgui.sh, I get the following message: “../external/jakarta-tomcat-5.0.9/bin/startup.sh: Permission denied” What is the solution?
Step 1: Go to the appropriate folder (that is, ../external/jakarta-tomcat-5.0.9/bin) and run the following command:
chmod +x startup.sh
Step 2: Even after running the same file again, you may get the following error message: “Cannot find ../external/jakarta-tomcat-5.0.9/bin/catalina.sh”
Go to the bin folder and run the following command:
dos2unix catalina.sh catalina.sh
This will change catalina.sh from DOS mode to Unix mode.
Step 3: Run startsecurentgui.sh again. If you get the following message: “The JAVA_HOME environment variable is not defined correctly. This environment variable is needed to run this program.” change all backward slashes (\) to forward slashes (/).
10. I get the following error during dataload in MS SQL Server 2000 while loading templates: “java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC]The DBMS returned an unspecified error” How do I overcome this error?
This error happens only when you are trying to do dataload in MS SQL Server 2000 SP4. To overcome this issue, run templateloader-v15.sql in the /Securent-v3.1/db/scripts/mssql folder. It will load all the required templates.
11. While installing Securent using Oracle thick driver, I get the ‘UnsatisfiedLinkError’ during dataload:
Caused by: java.lang.UnsatisfiedLinkError: no ocijdbc8 in java.library.path
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1491)
at java.lang.Runtime.loadLibrary0(Runtime.java:788)
at java.lang.System.loadLibrary(System.java:834)
at oracle.jdbc.oci8.OCIDBAccess.logon(OCIDBAccess.java:228)
at oracle.jdbc.driver.OracleConnection.<init>(OracleConnection.java:246)
at oracle.jdbc.driver.OracleDriver.getConnectionInstance(OracleDriver.java:365)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:260)
How do I overcome this error?
If you are using the Oracle thick driver, you may get the above-mentioned error after running createtables.bat(sh) and also during the server startup. The following steps must be taken to overcome this error:
For Windows:
- Set ORACLE_HOME= <to the directory where Oracle is installed>
- Set LD_LIBRARY_PATH=<ORACLE_HOME>/lib
For Linux/Solaris:
- export ORACLE_HOME= <to the directory where Oracle is installed>
- export LD_LIBRARY_PATH=<ORACLE_HOME>/lib
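Several of the problems above (items 1, 6, 7 and 9) come from three conditions that can be detected before any script is run: a script without an execute bit, a script with DOS line endings, and a backslash path in a properties file. The following Python preflight check is an added example, not part of the Securent distribution: the function names, finding codes and sample tree are constructed here, and scanning every *.properties file is an assumption.

```python
import os
import re
from pathlib import Path

# Extensionless launcher the guide names alongside the *.sh scripts.
EXTRA_SCRIPTS = {"ant"}
# Backslash followed by a letter or digit, as in C:\Java\jdk (a heuristic).
BACKSLASH_PATH = re.compile(r"\\[A-Za-z0-9]")


def preflight(root):
    """Return (relative_path, code) findings for an unpacked install tree."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".sh" or path.name in EXTRA_SCRIPTS:
            # "Permission denied": nobody has an execute bit (fix: chmod +x).
            if (path.stat().st_mode & 0o111) == 0:
                findings.append((rel, "no-exec-bit"))
            # DOS line endings near the top of the script (fix: dos2unix).
            with path.open("rb") as handle:
                if b"\r\n" in handle.read(4096):
                    findings.append((rel, "crlf"))
        elif path.suffix == ".properties":
            # Java properties files are ISO-8859-1 by definition.
            lines = path.read_text(encoding="latin-1").splitlines()
            for number, line in enumerate(lines, 1):
                stripped = line.strip()
                if not stripped or stripped[0] in "#!" or "=" not in stripped:
                    continue
                value = stripped.partition("=")[2]
                if BACKSLASH_PATH.search(value):
                    findings.append((f"{rel}:{number}", "backslash-path"))
    return findings


def build_sample_tree(root):
    """Create a small constructed tree that reproduces the three conditions."""
    root = Path(root)
    files = {
        # CRLF line endings and no execute bit.
        "bin/encryptor.sh": (b"#!/bin/sh\r\necho encrypt\r\n", 0o644),
        # Healthy script: LF line endings, executable.
        "external/ant/bin/ant": (b"#!/bin/sh\necho ant\n", 0o755),
        # Constructed keys; line 2 uses backslashes, line 3 forward slashes.
        "configure.properties": (
            b"# constructed sample\nsample.path=C:\\Java\\jdk1.5\nother.path=/opt/db\n",
            0o644,
        ),
    }
    for rel, (data, mode) in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        os.chmod(target, mode)


if __name__ == "__main__":
    import sys
    for item in preflight(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*item)
```

Run it with the unzipped installation folder as its argument; each finding maps to the chmod +x, dos2unix or forward-slash fix given in the answers above.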
Using Connection Pools
Using a connection pool is considered one of the best practices for a steady increase in performance of any application running in a WebLogic or WebSphere server. Securent highly recommends using a connection pool for better performance and an effective EMS.
In Securent, you can create a connection pool for the PAP as well as the PDP. For the PAP, first create the connection pool and then update the <properties> tag of the pap_config.xml file. Similarly, on the PDP side, you must update the <properties> tag of the pdp_config.xml file.
The steps to create connection pools in WebLogic and WebSphere servers are given below.
Setting up WebLogic Connection Pool for PAP
The steps to set up a WebLogic connection pool for PAP are given below:
I. Create connection pool in WebLogic
1. Go to the WebLogic console
2. Expand the "Services" tree available on left side pane.
3. In the Services Tree, expand the "JDBC" tree.
4. In the JDBC tree, click "Connection Pools".
5. Click "Configure a new JDBC Connection Pool" and then select Database Type as Oracle from the list and select the appropriate Database Driver from the list.
6. Click the "Continue" button. The "Define connection properties" window is displayed.
7. Give values for all the fields and press the button "Continue".
8. Click on the button "Test Driver Configuration".
9. Click on the button "Create and deploy".
10. Click on the name of the connection pool on left side pane, which you have created in the step 7.
11. Click on "Connections" tab.
12. Set appropriate values for all the fields and click on "Show" button to view Advanced options.
13. Make sure that "Supports Local Transaction" is enabled. Click on the button "Apply".
14. Click on the link "Data Sources" which is available under "JDBC" tree on left side pane.
15. Click on the link "Configure a new JDBC Datasource" and give the name and JNDI name for the data source and press the button "Continue".
16. Select Pool Name as the Connection Pool that is created in step 7 and press the button "Continue".
17. Select the servers on which you want to deploy this JDBC Data Source and press the button "Create".
II. Update <properties> tag of pap_config.xml
You must update the SECURENT_HOME/config/pap/pap_config.xml file (see Appendix 2) in order to make use of the above-created WebLogic Connection Pool. Consider the following connection pool tag of a sample pap_config file:
<!--Config file for PAP-->
<securent>
  <db name="default">
    <impl>net.securent.util.db.WebLogicConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory>
      <context-provider-url>t3://131.107.0.97:9000</context-provider-url>
      <context-username>weblogic</context-username>
      <context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password>
      <datasource-jndi>SampleJNDI</datasource-jndi>
      <poolName>Default Domain</poolName>
    </properties>
  </db>
</securent>
18. Replace the value of the <impl> tag with "net.securent.util.db.WebLogicConnectionPool"
19. Update <properties> tag parameters with the following values:
<context-provider-url> refers to the URL where the WebLogic server is running with the connection pool
<context-username> refers to the username of the domain where the server is running
<context-password> refers to the encrypted password of the domain
<datasource-jndi> refers to the JNDI name of the WebLogic connection pool, which is created in step 15 above
<poolName> refers to the domain name created in Securent PAP
20. Save and close the pap_config file
III. Restart the WebLogic server by running
Setting up WebLogic Connection Pool for PDP
The process of creating the connection pool is the same as described for the PAP. The updates given below must be made in the <properties> tag of pdp_config.xml:
Update <properties> tag of pdp_config.xml
You must update SECURENT_HOME/config/pdp/pdp_config.xml (see Appendix 3) file in order to make use of the above-created WebLogic Connection Pool.
<!--sample Config file for PDP-->
<securent>
  <db authEnable="true">
    <impl>net.securent.util.db.WebLogicConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory>
      <context-provider-url>t3://131.107.0.97:9000</context-provider-url>
      <context-username>weblogic</context-username>
      <context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password>
      <datasource-jndi>SampleJNDI</datasource-jndi>
      <poolName>Default Domain</poolName>
    </properties>
  </db>
</securent>
Update <properties> tag parameters with the following values:
<context-provider-url> refers to the URL where the WebLogic server is running with the connection pool
<context-username> refers to the username of the domain where the server is running
<context-password> refers to the encrypted password of domain
<datasource-jndi> refers to the JNDI name of the WebLogic connection pool, which is created in the step 15 above
<poolName> refers to the domain name created in Securent PAP
Setting up WebSphere Connection Pool
The steps to set up a WebSphere connection pool for PAP are given below:
I. Create connection pool in WebSphere
1. Login to the WebSphere console
2. Go to Resources > JDBC > Datasource in the left navigation pane.
3. Click New.
4. Specify the Datasource and JNDI name. It is important to note that the JNDI name mentioned in this field must be similar to the one mentioned in configure.properties file. Click Next.
5. Select Create New JDBC Provider and click Next.
6. Select the Database from the list. The provider will be Oracle JDBC Provider.
7. Select Connection pool datasource from the Implementation Type dropdown.
8. Click Next.
9. Enter the directory path for ojdbc.jar file e.g. …/oracle/ora92/jdbc/lib and click Next.
10. Enter the JDBC URL same as mentioned in the configure.properties file and click Next.
11. Verify the summary and click Finish. This creates the specified datasource.
12. Provide the database credentials (e.g. username and password) in the following ways:
a) Create a username. To do this:
- Go to JDBC > Datasource in the console and click on the newly created datasource.
- In the new screen click Custom properties located top-left. Click New to create a new name value pair.
- Enter the name value pair such as
Name – user
Value – username (i.e. the database username)
- Click OK.
b) Create a password in the similar way.
13. After creating the username and password for the connection pool, click Save to save the settings done.
14. To test whether the connection pool has been created successfully, select the new datasource and click Test Connection. The result will be displayed on the top of the screen.
II. Update <properties> tag of pap_config.xml
You must update the SECURENT_HOME/config/pap/pap_config.xml file (see Appendix 2) in order to make use of the above-created WebSphere Connection Pool. Consider the following connection pool tag of a sample pap_config file:
<!--Config file for PAP-->
<securent>
  <db name="default">
    <impl>net.securent.util.db.WebSphereConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <initial-context-factory>com.ibm.websphere.naming.WsnInitialContextFactory</initial-context-factory>
      <context-provider-url>iiop://131.107.0.105:2809</context-provider-url>
      <context-username>securent</context-username>
      <context-password>uYgp9FZIEnREq6iEZjvEnQ==</context-password>
      <datasource-jndi>WSJNDI</datasource-jndi>
      <poolName>Default Domain</poolName>
    </properties>
  </db>
</securent>
15. Replace the value of the <impl> tag with "net.securent.util.db.WebSphereConnectionPool"
16. Update the <properties> tag in the following way:
- Update the <db-type> tag to oracle.
- Update the initial context factory
- <context-provider-url> refers to the URL where the WebSphere server is running with the connection pool
- <context-username> refers to the username of the domain where the server is running
- <context-password> refers to the encrypted password of domain
- <datasource-jndi> refers to the JNDI name of the WebSphere connection pool, which is created in the step 13 above
- <poolName> refers to the domain name created in Securent PAP
17. Save and close the config file
III. Restart the WebSphere server
Installing EMS as a Windows Service on Windows 2003
For monitoring purposes, you may want to run the Entitlement Management Server as a Windows service. To do this, use the Tomcat installer to create the Windows service and then configure the service startup.
Step 1: Download Tomcat 5.x (for example, download apache-tomcat-5.5.23.exe from the following URL: http://mirror.olnevhost.net/pub/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.exe)
Step 2: Install Tomcat by following the instructions displayed in the installation shield.
Step 3: After the installation is done, copy securent.war and pdp.war files from <SECURENT_HOME>/dist folder to <APACHE_HOME>/webapp folder
Step 4: Click Start > All Programs > Apache Tomcat > Configure Tomcat
Step 5: Go to Java Tab and add new line to the bottom (see the highlighted section in the below given screenshot)
Step 7: Fire up the Apache Tomcat Service
Step 8: Access the Securent URL
Deployment of war files in application server
Deployment of .war files in WebLogic 8.1
To deploy securent.war:
- Start WebLogic by executing the script startWebLogic.cmd.
- Open the Administrative Console in your browser.
- After successfully logging in, expand the Deployments node, and then select Web Application Module.
- Select Deploy a new Web Application Module...
- Select the link upload your file(s).
- Click Browse to select securent.war file. Once you have selected the file, click the Upload button.
- Select the check box on securent.war and click the Target Module button.
- The Identity Name is the securent Servlet Context. Select Deploy to complete the deployment. A dialog box appears.
- In the dialog, once the Status of the last action says Success you are ready to test your deployment.
To deploy pdp.war:
- Start WebLogic by executing the script startWebLogic.cmd.
- Open the Administrative Console in your browser.
- After successfully logging in, expand the Deployments node, and then select Web Application Module.
- Select Deploy a new Web Application Module...
- Select the link upload your file(s).
- Click Browse to select pdp.war file. Once you have selected the file, click the Upload button.
- Select the check box on pdp.war and click the Target Module button.
- The Identity Name is the pdp Servlet Context. Select Deploy to complete the deployment. A dialog box appears.
- In the dialog, once the Status of the last action says Success you are ready to test your deployment.
Deployment of .ear files in WebSphere 6.1
To deploy SecurentEMS.ear:
- Open WebSphere console in the new browser window
- After login to the console, go to Home > Application > Install New Applications.
- Select local file system option and click Browse
- Browse SecurentEMS.ear from the SECURENT_HOME/dist folder.
- Click Next in the Select installation options page
- Select SecurentEMS.ear checkbox and click Next button in the Map modules to servers page
- Click Finish in the Summary page
- Click Save to save the changes to the master configuration
- In the Enterprise Applications page, Select securent_ear checkbox and click Start to start the Securent EMS
Deployment of .war files in WebSphere 6.1
To deploy securent.war:
- Open WebSphere console in the new browser window
- After login to the console, go to Home > Application > Install New Applications.
- Select local file system option and click Browse
- Browse securent.war from the SECURENT_HOME/dist folder.
- Enter /securent in the Context root field and click Next button
- Click Next button in the Select installation options page
- Select securent.war checkbox and click Next button in the Map modules to servers page
- Click Finish in the Summary page
- Click Save to save the changes to the master configuration
- In the Enterprise Applications page, Select securent_war checkbox and click Start to start the Securent EMS
To deploy pdp.war:
- Go to Home > Application > Install New Applications.
- Select Local file system option and click Browse
- Browse pdp.war from the SECURENT_HOME/dist folder.
- Enter /pdp in the Context root field and click Next
- In the Select installation options page, click Next
- Select pdp.war checkbox and click Next in the Map modules to servers page
- Click Finish in the Summary page
- Click Save to save the changes to the master configuration
- In the Enterprise Applications page, Select pdp_war checkbox and click Start to start the PDP
Deployment of .war files in ServletExec 5.0
To deploy securent.war:
- In the Manage Web Applications page, click Add Web Applications
- Enter the following values in the Add a Web Application page
Application Name=securent
URL Context Path=/securent/
Location= SECURENT_HOME\external\apache-tomcat-5.5.17\webapps\securent
- Click Submit
To deploy pdp.war:
- In the Manage Web Applications page, click Add Web Applications
- In the Add a Web Application page, enter the following values
Application Name=pdp
URL Context Path=/pdp/
Location= SECURENT_HOME\external\apache-tomcat-5.5.17\webapps\pdp
- Click Submit
Appendix 1 – Sample config.xml
In this sample config.xml file, which is located in $BEA_HOME/user_projects/domains/DOMAIN_NAME/config, the <security-configuration> tag must be updated by adding the <enforce-valid-basic-auth-credentials> parameter (highlighted section).
<?xml version="1.0" encoding="UTF-8"?>
<domain xsi:schemaLocation="http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd" xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>securentdomain</name>
  <domain-version>9.2.0.0</domain-version>
  <security-configuration xmlns:xacml="http://www.bea.com/ns/weblogic/90/security/xacml">
    <name>securentdomain</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"/>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xsi:type="xacml:xacml-role-mapperType"/>
      <sec:authorizer xsi:type="xacml:xacml-authorizerType"/>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"/>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"/>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"/>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>WsHLCKdCW3ZYs9vKlrDC</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{3DES}EJN/p+=</node-manager-password-encrypted>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <listen-address/>
  </server>
  <embedded-ldap>
    <name>securentdomain</name>
    <credential-encrypted>{3DES}v4Osc8ejylefF/khW/Uze8yqiSmpvILaW+pg3wD4aDA=</credential-encrypted>
  </embedded-ldap>
  <configuration-version>9.2.0.0</configuration-version>
  <admin-server-name>AdminServer</admin-server-name>
</domain>
Appendix 2 - Sample pap_config.xml
Important tags to be updated during the installation process are highlighted in the sample code given below.
<?xml version="1.0" encoding="UTF-8"?>
<!--Config file for Securent-->
<securent>
  <db name="default">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <username>hbhatt</username>
      <password>uKoPsYGLxkY=</password>
      <url>jdbc:oracle:thin:@131.107.0.20:1521:securent</url>
      <driver>oracle.jdbc.driver.OracleDriver</driver>
      <maxconnections>20</maxconnections>
      <maxconnectiontime>120</maxconnectiontime>
      <idleconnectiontime>300</idleconnectiontime>
      <poolName>Default Domain</poolName>
      <eventenable>
        <value>true</value>
      </eventenable>
    </properties>
  </db>
  <jms>
    <env>
      <url>tcp://131.107.0.68:61616</url>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
      <username>ActiveMQConnection.DEFAULT_USER</username>
      <password>c6p96kuD91p3Gwazl0JnE652dQh1QLrLMfnDulySruPVD3Mw==</password>
      <replyTopic>replyTopicName2</replyTopic>
    </env>
    <reconnect_interval>100000</reconnect_interval>
    <useJndi>false</useJndi>
    <jndi>
      <providerUrl>tcp://131.107.0.68:61616</providerUrl>
      <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
      <jndiUserName></jndiUserName>
      <jndiPassword></jndiPassword>
    </jndi>
  </jms>
  <shared_repository>true</shared_repository>
  <handlers>
    <common-properties>
      <sessionuser>superuser</sessionuser>
      <sessionpassword>admin</sessionpassword>
    </common-properties>
    <handler name="JMSSYNCHandler" enabled="false" type="*.*">
      <impl>net.securent.jms.PAPHandler</impl>
      <properties>
      </properties>
    </handler>
  </handlers>
  <authentication type="db" class="net.securent.util.db.DBAuthenticator">
    <properties refer="false" name="default">
      <!-- If Authentication type is 'sso', one property is required, named
           'request' or 'session', with any value. In the case of sso, the
           refer and name attributes of the properties tag are not considered.
           The implementation class for this is
           'net.securent.util.db.SSOAuthenticator'. Ex.
      <property name="request">sm_user</property>-->
      <!-- If Authentication type is 'db', the db-type, username, password,
           url and driver properties are required. These properties are not
           required when refer and name are set to 'true' and 'default'.
           Here is a sample of the properties. The impl class here is
           net.securent.util.db.DBAuthenticator
      <property name="db-type">oracle</property>
      <property name="username">bprasad</property>
      <property name="password" encrypted="true">xiicLTdcE2g=</property>
      <property name="url">jdbc:oracle:thin:@131.107.0.20:1521:securent</property>
      <property name="driver">oracle.jdbc.driver.OracleDriver</property>-->
      <!-- If Authentication type is 'ldap', the properties mentioned below
           are required. In the case of ldap, the refer and name attributes
           of the properties tag are not considered.
           If you are using the Sun One Directory Server, specify <ldap-type> as SunOne;
           if you are using the Novell eDirectory Server, specify <ldap-type> as Novell;
           if you are using the Active Directory Server, specify <ldap-type> as AD.
           Place the encrypted password, produced by running encryptor.sh or
           encryptor.bat, in the <password> tag.
           The impl class here is net.securent.util.db.LocalLDAPAuthenticator
      <property name="ldap-type">AD</property>
      <property name="ldapdn">dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
      <property name="userdn">cn=administrator,cn=users,dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
      <property name="password" encrypted="true">xiicLTdcE2g=</property>
      <property name="url">ldap://131.107.2.204</property>
      <property name="port">389</property>
      <property name="superuser-role">Test</property> -->
      <property name="db-type">oracle</property>
      <property name="username">hbhatt</property>
      <property name="password" encrypted="true">uKoPsYGLxkY=</property>
      <property name="url">jdbc:oracle:thin:@131.107.0.20:1521:securent</property>
      <property name="driver">oracle.jdbc.driver.OracleDriver</property>
    </properties>
  </authentication>
  <usermgr>
    <implclass> net.securent.kernel.usermanager.db.DBUserMgr </implclass>
  </usermgr>
  <!-- Encryption algorithm and implementor to be used by the password Encryption -->
  <encryption>
    <implementors>
      <!-- By Default We support only Crypt -->
      <crypt> net.securent.util.auth.encryptor.DefaultCryptEncryptor </crypt>
    </implementors>
  </encryption>
  <dao-configuration>config/dao_config.xml</dao-configuration>
  <xacml-log type="db">
    <db refer="true" name="default">
      <properties>
        <db-type>oracle</db-type>
        <username>hbhatt</username>
        <password>uKoPsYGLxkY=</password>
        <url>jdbc:oracle:thin:@131.107.0.20:1521:securent</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
      </properties>
    </db>
  </xacml-log>
</securent>
Appendix 3 - Sample pdp_config.xml Important tags to be updated within the installation process are highlighted in the below given sample code.
<?xml version="1.0" encoding="UTF-8"?>
<!--Config file for PDP-->
<securent>
  <shared_repository>true</shared_repository>
  <pdpname>Entitlement</pdpname>
  <db authEnable="false" name="default">
    <impl>net.securent.util.db.ConnectionPool</impl>
    <properties>
      <db-type>oracle</db-type>
      <username>hbhatt</username>
      <password>uKoPsYGLxkY=</password>
      <url>jdbc:oracle:thin:@131.107.0.20:1521:securent</url>
      <driver>oracle.jdbc.driver.OracleDriver</driver>
      <maxconnections>20</maxconnections>
      <maxconnectiontime>120</maxconnectiontime>
      <idleconnectiontime>300</idleconnectiontime>
      <poolName>Default Domain</poolName>
      <eventenable>
        <value>false</value>
      </eventenable>
      <!--sample Websphere connection pool properties
      <initial-context-factory>com.ibm.websphere.naming.WsnInitialContextFactory</initial-context-factory>
      <context-provider-url> iiop://localhost:2809</context-provider-url>
      <context-username>websphere</context-username>
      <context-password>++7XL4YWJ/FEq6iEZjvEnQ==</context-password>
      <datasource-jndi>SampleWebsphereJNDIForSecurentDomain</datasource-jndi>
      <poolName>Default Domain</poolName>
      End of websphere connection pool properties-->
      <!--<db-type>oracle</db-type>
      <initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory>
      <context-provider-url>t3://131.107.0.97:7001</context-provider-url>
      <context-username>weblogic</context-username>
      <context-password>weblogic</context-password>
      <datasource-jndi>SampleJNDIFromSecurentDomain</datasource-jndi>
      <poolName>Default Domain</poolName>-->
    </properties>
  </db>
  <jms>
    <env>
      <url>tcp://131.107.0.68:61616</url>
      <connectionFactory>org.apache.activemq.ActiveMQConnectionFactory</connectionFactory>
      <username>ActiveMQConnection.DEFAULT_USER</username>
      <password>c6p96kuD91p3Gwazl0JnE652dQh1QLrySruPVDpfLSgm3Mw==</password>
    </env>
    <reconnect_interval>100000</reconnect_interval>
    <useJndi>false</useJndi>
    <jndi>
      <jndiName>jndiName</jndiName>
      <providerUrl>tcp://131.107.0.68:61616</providerUrl>
      <providerCtxFactory>org.apache.activemq.jndi.ActiveMQInitialContextFactory</providerCtxFactory>
      <jndiUserName></jndiUserName>
      <jndiPassword></jndiPassword>
    </jndi>
  </jms>
  <authentication enable="true" type="db" class="net.securent.util.db.PDPAuthenticator">
    <properties refer="false" name="default">
      <!-- If the authentication type is 'sso', one property is required, named 'request' or 'session', with any value.
           For sso, the refer and name attributes of the properties tag are not considered.
           The implementation class for sso is 'net.securent.util.db.SSOAuthenticator'.
           ex. <property name="request">sm_user</property>-->
      <!-- If the authentication type is 'db', the db-type, username, password, url and driver properties are required.
           These properties are not required when refer and name are set to 'true' and 'default'.
           Here is a sample of the properties; the impl class is net.securent.util.db.DBAuthenticator for PAP
           and net.securent.util.db.PDPAuthenticator for PDP.
           <property name="db-type">oracle</property>
           <property name="username">bprasad</property>
           <property name="password" encrypted="true">xiicLTdcE2g=</property>
           <property name="url">jdbc:oracle:thin:@131.107.0.20:1521:securent</property>
           <property name="driver">oracle.jdbc.driver.OracleDriver</property>-->
      <!-- If the authentication type is 'ldap', the properties below are required.
           For ldap, the refer and name attributes of the properties tag are not considered.
           If you are using the Sun One Directory Server, specify <ldap-type> as SunOne;
           if you are using the Novell eDirectory Server, specify <ldap-type> as Novell;
           if you are using the Active Directory Server, specify <ldap-type> as AD.
           For the <password> tag, place the encrypted password produced by running encryptor.sh or encryptor.bat.
           The impl class is net.securent.util.db.LocalLDAPAuthenticator.
           <property name="ldap-type">AD</property>
           <property name="ldapdn">dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
           <property name="userdn">cn=administrator,cn=users,dc=win2k-ad,dc=win2k-ad,dc=bodhtree,dc=co,dc=in</property>
           <property name="password" encrypted="true">xiicLTdcE2g=</property>
           <property name="url">ldap://131.107.2.204</property>
           <property name="port">389</property>
           <property name="superuser-role">Test</property> -->
      <property name="db-type">oracle</property>
      <property name="username">hbhatt</property>
      <property name="password" encrypted="true">uKoPsYGLxkY=</property>
      <property name="url">jdbc:oracle:thin:@131.107.0.20:1521:securent</property>
      <property name="driver">oracle.jdbc.driver.OracleDriver</property>
    </properties>
  </authentication>
  <!-- Encryption algorithm and implementor to be used by the password Encryption -->
  <encryption>
    <implementors>
      <!-- By Default We support only Crypt -->
      <crypt>net.securent.util.auth.encryptor.DefaultCryptEncryptor</crypt>
    </implementors>
  </encryption>
  <xacml-parser>
    <impl>net.securent.util.pep.XacmlGenerator </impl>
  </xacml-parser>
  <dao-configuration>config/pdp/dao_config.xml</dao-configuration>
  <xacml-log>
    <enable logRequestResponse="false">false</enable>
    <log-impl>net.securent.pdp.xacmllog.DBXacmlLogWriter</log-impl>
    <db refer="true" name="default">
      <properties>
        <db-type>oracle</db-type>
        <username>john2</username>
        <password>XBKO7w9gh3vTFr8u41H9JQ==</password>
        <url>jdbc:oracle:thin:@131.107.0.20:1521:securent</url>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
      </properties>
    </db>
  </xacml-log>
  <pdp attributeEnable="true" cloningCheckEnable="false" sorting="false">
    <listeners>
      <listener>
        <enabled>true</enabled>
        <name>http</name>
        <listenerClass>net.securent.pdp.listener.http.HttpListener</listenerClass>
        <processorClass>net.securent.pdp.listener.http.HttpProcessor</processorClass>
        <parameters/>
      </listener>
      <listener>
        <enabled>false</enabled>
        <name>rmi</name>
        <listenerClass>net.securent.pdp.listener.rmi.RMIListener</listenerClass>
        <processorClass>net.securent.pdp.listener.rmi.RMIProcessor</processorClass>
        <parameters>
          <host>131.107.0.42</host>
          <port>10001</port>
          <jndiName>pdpObj</jndiName>
        </parameters>
      </listener>
    </listeners>
  </pdp>
  <pip>
    <attributesources>
      <!--The type value should be the same as in the PIP configuration-->
      <source>
        <type>database</type>
        <metadataImpl>net.securent.pip.db.DataBasePIPMetaData</metadataImpl>
        <attributeImpl>net.securent.pip.db.DBAttribute</attributeImpl>
        <attributeEvaluator>net.securent.pip.db.DBAttributeEvaluator</attributeEvaluator>
      </source>
      <source>
        <type>ldap</type>
        <metadataImpl>net.securent.pip.ldap.LDAPPIPMetaData</metadataImpl>
        <attributeImpl>net.securent.pip.ldap.LDAPAttribute</attributeImpl>
        <attributeEvaluator>net.securent.pip.ldap.LDAPAttributeEvaluator</attributeEvaluator>
      </source>
      <source>
        <type>Java</type>
        <metadataImpl>net.securent.pip.java.JavaPIPMetaData</metadataImpl>
        <attributeImpl>net.securent.pip.java.JavaAttribute</attributeImpl>
        <attributeEvaluator>net.securent.pip.java.JavaAttributeEvaluator</attributeEvaluator>
      </source>
      <source>
        <type>Webservice</type>
        <metadataImpl>net.securent.pip.webservice.WebservicePIPMetaData</metadataImpl>
        <attributeImpl>net.securent.pip.webservice.WebserviceAttribute</attributeImpl>
        <attributeEvaluator>net.securent.pip.webservice.WebserviceAttributeEvaluator</attributeEvaluator>
      </source>
    </attributesources>
  </pip>
  <!-- cacherefreshtype can be either 'all' or 'onlyupdated' -->
  <cache decisionCacheEnabled="false" cacherefreshtype="onlyupdated" provider="net.securent.pdp.cache.CacheProvider"
         implementor="net.securent.admin.sdk.cache.impl.JBossCache" eventProvider="net.securent.pdp.event.EventProvider">
    <!--Time to live-->
    <type>TTL</type>
    <!--Interval in seconds-->
    <interval>200</interval>
    <!--INVALIDATE for cleaning up previous cache. UPDATE for updating existing resource decisions -->
    <refresh enable="false">update</refresh>
    <!--The prefetch tag can be set to TRUE or FALSE. In case of TRUE, all the decisions will be cached during startup.
        Type must be either user or resource, which is used for bulk updates -->
    <prefetch enable="true" type="user" bulkUsersPerRequest="10">
      <prefetchForApis>
        <api>isUserAccessAllowed</api>
      </prefetchForApis>
    </prefetch>
    <applications>
      <application>Prime group:Prime portal</application>
    </applications>
    <!-- PIP Caching true/false -->
    <pip cacheenabled="false">
      <!-- interval for pip evaluation-->
      <cacheInterval>5</cacheInterval>
      <!-- Interval for pip Meta Data update, i.e. converting the xml Data to java Objects -->
      <metaDataInterval>1</metaDataInterval>
    </pip>
  </cache>
</securent>
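The sample above keeps database, JMS and JNDI credentials in password tags and expects them to come from encryptor.sh or encryptor.bat, while its commented-out WebLogic block carries a readable context-password. The check below is an added example, not part of the Securent product or this guide: it lists every credential field in a pdp_config.xml, including those left in comments, and reports whether each is empty, looks like encryptor output, or looks like plaintext. It assumes encryptor output is base64 of whole 8-byte blocks, as the database and LDAP sample values in this appendix are; SAMPLE and all function names are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed pdp_config.xml in the shape of the appendix.
SAMPLE = """<securent>
  <db authEnable="false" name="default"><properties>
    <username>hbhatt</username>
    <password>uKoPsYGLxkY=</password>
    <!--<context-username>weblogic</context-username>
    <context-password>weblogic</context-password>-->
  </properties></db>
  <jms><jndi><jndiPassword></jndiPassword></jndi></jms>
  <authentication enable="true" type="db"><properties refer="false" name="default">
    <property name="password">secret1</property>
  </properties></authentication>
</securent>"""

SECRET_TAGS = {"password", "context-password", "jndiPassword"}

def looks_encrypted(value):
    # Assumption: encryptor output is base64 of whole 8-byte blocks.
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 0 and len(raw) % 8 == 0

def classify(value):
    value = (value or "").strip()
    if not value:
        return "empty"
    return "encrypted" if looks_encrypted(value) else "plaintext?"

def audit(text):
    findings = []
    for el in ET.fromstring(text.encode("utf-8")).iter():
        if el.tag in SECRET_TAGS or (el.tag == "property" and el.get("name") == "password"):
            findings.append((el.tag, classify(el.text)))
    # ElementTree drops comments, so commented-out samples are scanned as text.
    for body in re.findall(r"<!--(.*?)-->", text, re.S):
        for tag, value in re.findall(r"<([\w-]*[Pp]assword)>([^<]*)</\1>", body):
            findings.append(("comment:" + tag, classify(value)))
    return findings

if __name__ == "__main__":
    for location, status in audit(SAMPLE):
        print(f"{location:28} {status}")
```

A "plaintext?" result is a prompt to re-run the encryptor for that field or to delete the commented-out block; an "encrypted" result only means the value has the expected shape, not that the key protecting it is sound.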