Cisco Subscriber Edge Services Manager

Release Notes for Cisco Subscriber Edge Services Manager 3.1.9


Release Notes for the Cisco Subscriber Edge Services Manager, Release 3.1(9)


May 2003

These release notes contain important information regarding the Cisco Subscriber Edge Services Manager (Cisco SESM) Release 3.1(9).


Note: For information about obtaining a license number, see the "Obtaining a License Number" section.


Contents

These release notes discuss the following topics:

Introduction

System Requirements

New Features

Installation Notes

Upgrade Information

Important Notes

Caveats

Documentation Updates

Obtaining Documentation

Obtaining Technical Assistance

Introduction

Cisco SESM provides service selection and connection management in broadband and mobile wireless environments. Cisco SESM provides the end user (the subscriber) with a web portal for accessing multiple services. The ISPs and NAPs deploying Cisco SESM can customize the content of the web pages and thereby control the subscriber experience.

SESM Deployment Options

SESM Release 3.1(9) supports the following deployment options:

RADIUS—In this deployment, the SESM web application and SSG query a RADIUS database for authentication and authorization information.

SPE—In this deployment, the Cisco Subscriber Policy Engine (SPE) provides the libraries and directory schema extensions that enable queries to an LDAP directory for authentication and authorization information.

Demo—In Demo mode, the SESM web application simulates the actions of an SESM application without using an SSG, RADIUS server, or LDAP directory.

SESM Application Suite

SESM Release 3.1(9) includes the following sample web portal applications that can be installed and configured for demonstration purposes or used as a starting point for customizations:

New World Service Provider (NWSP) portal—A comprehensive example of most features offered by the SESM web development kit.

Wireless Access Protocol (WAP) portal—An application designed specifically for deployment in the mobile wireless industry.

Personal Digital Assistant (PDA) portal—An application with web pages formatted for a PDA device.

You can optionally install the following applications to configure the SESM captive portal solution:

Captive Portal application—A gateway application between the SSG and other applications in a captive portal solution. The default configuration for this application redirects subscriber browsers to either the Message Portal application or the NWSP application.

Message Portal application—SESM portal application that produces sample greetings and advertising pages to demonstrate SESM captive portal features.

The SESM software includes the following additional supporting applications:

Cisco Distributed Administration Tool (CDAT)—A web-based interface that is used to create and maintain the subscriber, service, and policy information used by SESM and the Service Selection Gateway (SSG) in an SPE/LDAP mode deployment.

RADIUS Data Proxy (RDP) server—A RADIUS server that can proxy profile requests or use the SPE components to query the LDAP directory for profile information.

Web Services Gateway (WSG) application—Provides a Simple Objects Access Protocol (SOAP)-based interface that allows third-party web portals and subscriber management systems to integrate with the SESM and SSG solution.

Application Management—Java Management Extensions (JMX) based application management for all solution components.

Additional software components bundled in the Cisco SESM installation package are:

J2EE management components.

SPE component—For SESM running in SPE mode, this component provides the interface between SESM applications and the SPE directory.

System Requirements

This section describes hardware and software requirements for SESM deployments.

Hardware Supported

You can deploy SESM using the following platforms and SSG devices.

SESM Platforms

SESM applications can run on any platform that supports the Java Runtime Environment (JRE). Verified platforms are shown in Table 1.

Table 1 Verified Platforms

| Platform | Specifications |
|---|---|
| Solaris | Sun Ultra10 or Sun E250 (or later version); Solaris Version 8 (or later version) operating system |
| Windows | Pentium III (or equivalent) processor; the earliest supported OS is Windows NT Version 4.0, Service Pack 5 (or later version) |
| Linux | Red Hat Linux Version 8; SuSE Linux Version 7.3 |


Cisco Platforms with the SSG

Cisco SESM works with any router running Cisco IOS software with the Cisco Service Selection Gateway. The following devices, when they are running Cisco IOS Release 12.2(4)B or later with SSG enabled, work with SESM Release 3.1(9):

Cisco 6400 Universal Access Concentrator (UAC)

Cisco 7200 series high-performance multifunction routers

Cisco 7400 series Internet routers

Software Compatibility

The following SESM features require support on the SSG:

Captive portal

Port-bundle host key

Complete ID

Captive Portal Compatibility

To use the captive portal feature in SESM to support unauthenticated user redirections:

The SSG device must be running Cisco IOS Release 12.2(2)B or later, or Release 12.1(5)DC1 or later.

The SSG TCP redirect feature must be configured appropriately.

To use the captive portal feature in SESM to support service redirections, initial logon redirections, and advertising redirections:

The SSG device must be running Cisco IOS Release 12.2(4)B or later, or Release 12.1(5)DC1 or later.

The SSG TCP redirect feature must be configured appropriately.

Port-bundle Host Key Compatibility

To use the port-bundle host key feature:

The SSG device must be running Cisco IOS Release 12.2(2)B or later.

The SSG host key feature must be configured appropriately.

The host key feature can be enabled and disabled on both the SESM and SSG products to ensure backwards compatibility.

Complete ID Compatibility

To use the complete ID feature for portal location awareness and branding, the SSG device must be running Cisco IOS Release 12.3(1)T or the X train for Cisco IOS Release 12.2(8)B.

New Features

This section describes new features in SESM Release 3.1(9): those that apply to both RADIUS and SPE mode, and those that apply to SPE mode only.

New Features for RADIUS and SPE Mode

New user interfaces for CDAT management and configuration screens—This affects:

Screens used for general administration tasks

Screens used to control JMX MBean parameters

RDP domain support—The RDP has been enhanced to accommodate a separate server for accounting. It has also been enhanced to handle RADIUS usernames with @<domain.name> and is able to send these requests to different RADIUS servers.

Enhanced Captive Portal—The Captive Portal application makes greater use of SSG 12.2(16)B features for unauthenticated subscribers. The enhanced Captive Portal application also supports redirection for both HTTP and HTTPS.

Message Authenticator support—Support for origin and integrity authentication for all RADIUS packets generated and accepted by SESM applications.

Framed IP address support—Support for requests from the web portal and WSG applications to the SSG to include the remote IP address of a request. This optional address is included in the Framed IP Address field. This enables the RADIUS load balancing devices to direct requests using the value of the Framed IP Address field.

Bulk Upload of SSG Mappings—Support for uploading a complete set of client IP configuration data to SSG mappings in the CDAT. A CDAT web page is displayed that requires authentication credentials, the location of the files to be uploaded, and the web portal instance that the configuration data will be applied to. Once applied, the new mappings only apply to new sessions, and any existing sessions are not affected.

Web proxy support—The SESM Release 3.1(9) Captive Portal application includes features that handle subscribers with a web-proxy configured in their browsers.

PAC file emulation. In Release 3.1(9), the Captive Portal application can recognize the PAC file request and respond with its own example PAC file as a substitute.

Web proxy notification page. In Release 3.1(9), the Captive Portal application can recognize the difference between a proxy request and a non-proxy or regular HTTP request. You can configure the SESM Captive Portal application to react to proxy requests by redirecting the browser to a customized message page.

Web-Proxy support. In Release 3.1(9), when the Captive Portal application recognizes that an unauthenticated subscriber has a web proxy configured, it captures the browser and proxies a login page to the browser. After authenticating and connecting to services on the SSG, the subscriber might have access to the configured web proxy and request connection to it.
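Assuming the Message Authenticator support listed above refers to the RADIUS Message-Authenticator attribute (type 80, RFC 2869), the check a receiver performs is an HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute value zeroed during the computation. The following is an added example, not SESM code; the secret, username and authenticator bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20   # code, identifier, length, 16-byte authenticator
MAC_LEN = 16      # HMAC-MD5 output size


def _attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Build an Access-Request whose last attribute is a valid Message-Authenticator."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = bytearray(header + request_authenticator + body)
    # The HMAC covers the whole packet while the attribute value is still zero.
    packet[-MAC_LEN:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def _mac_offset(packet):
    """Walk the attributes; return the offset of the MAC value, or None if absent."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    (length,) = struct.unpack("!H", packet[2:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("bad length field")
    pos, found = HEADER_LEN, None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != MAC_LEN + 2 or found is not None:
                raise ValueError("malformed or duplicate Message-Authenticator")
            found = pos + 2
        pos += attr_len
    return found


def verify_access_request(packet, secret):
    """Return True only if the packet carries a correct Message-Authenticator."""
    try:
        offset = _mac_offset(packet)
    except ValueError:
        return False
    if offset is None:
        return False  # policy in this example: unsigned requests are rejected
    (length,) = struct.unpack("!H", packet[2:4])
    received = packet[offset:offset + MAC_LEN]
    # Recompute over the packet (up to the Length field) with the value zeroed.
    zeroed = packet[:offset] + bytes(MAC_LEN) + packet[offset + MAC_LEN:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison


# Constructed sample values, not taken from any deployment.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_PACKET = build_access_request(
    7, SAMPLE_AUTHENTICATOR, [(ATTR_USER_NAME, b"user@example.net")], SAMPLE_SECRET
)

if __name__ == "__main__":
    print("valid packet accepted:", verify_access_request(SAMPLE_PACKET, SAMPLE_SECRET))
    tampered = bytearray(SAMPLE_PACKET)
    tampered[HEADER_LEN + 2] ^= 0x01  # flip one bit in the User-Name value
    print("tampered packet accepted:", verify_access_request(bytes(tampered), SAMPLE_SECRET))
```

For reply packets (Access-Accept, Access-Reject, Access-Challenge) the same HMAC is computed with the Request Authenticator of the matching request in the authenticator field, which this example does not cover.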

New Features for SPE Mode

User self registration—This applies to the NWSP when deployed in SPE/LDAP mode:

New link on account logon page allows new users to create accounts for themselves, then log in in the standard way.

Once new users are logged in, they have access to standard SPE/LDAP mode self-care features and can select from a range of services.

Installation Notes

The following sections highlight some important installation information.

See the Cisco Subscriber Edge Services Manager Installation Guide for complete installation instructions.

Obtaining a License Number

The SESM installation program provides for two types of installation:

Evaluation—You can install SESM using a RADIUS mode evaluation option or an SPE mode evaluation option. The evaluation options do not require a license number and do not have an expiration period. An evaluation installation provides full software functionality.

Licensed—You need a license number before deploying SESM in a production environment.

A license number is available on the License Certificate that is shipped with a purchased product. If you have purchased the product but have not yet received the CD-ROM and License Certificate, you can choose the evaluation option during installation. However, be sure to reinstall the SESM software using your license number when you receive the certificate.

The license number is important when you are requesting technical support for SESM from Cisco. After installation, the license number and the software version appear in the licensenum.txt file under the installation directory.

Obtaining Cisco SESM Software Files

You can download the SESM software from the Cisco.com web site or copy it from the SESM product CD-ROM. Cisco SESM software is contained in the following packages.

For Sun platforms: sesm-3.1.9-pkg-sol.tar

For Linux platforms: sesm-3.1.9-pkg-linux.tar

For Windows platforms: sesm-3.1.9-pkg-win32.zip

If you purchased a contract that allows you to obtain the SESM software from Cisco.com, follow these procedures:


Step 1 Open a web browser and go to:

http://www.cisco.com

Step 2 Click the Login button. Enter your Cisco user ID and password.

To access the Cisco images from the CCO Software Center, you must have a valid Cisco user ID and password. See your Cisco account representative if you need help.

Step 3 Click Technical Support.

Step 4 In the pop-up window, click Software Center.

Step 5 Click Web Software.

Step 6 Click Cisco Subscriber Edge Services Manager.

Step 7 Download the appropriate image based on the platform you intend to use for hosting the SESM web application.

SSG, RADIUS Server, and LDAP Server Status During Installation

The SSG, LDAP directory, and RADIUS components do not need to be installed and configured before you execute the Cisco SESM installation program. However, the installation program prompts you for configuration information about these components, such as IP addresses, ports, shared secrets, and other information required for the SESM components to communicate with them. You should know these values before you perform the installation. Otherwise, you will need to reconfigure the solution later.

In the case of the LDAP directory, it is advantageous to install the Cisco SESM solution when the directory is running and to have update rights to the directory. The installation program can install required extensions to the LDAP directory.

If you are installing the demo, the installation program does not prompt you for configuration information about SSGs, SPE databases, or RADIUS servers.

Upgrade Information

This section contains information about upgrading from previous releases of the software.

Installing SPE Schema Extensions in LDAP Mode

If you are upgrading from an earlier SESM release, you must install the new SPE schema extensions, using the SESM software installation program. Ensure that the following steps are performed:


Step 1 Export your data

Step 2 Reinstall the directory

Step 3 Install the new SPE schema extensions

Step 4 Import your data

Upgrading from SESM Release 3.1(3), 3.1(5) or 3.1(7)

This section provides information on upgrading from SESM Release 3.1(3), 3.1(5) or 3.1(7) to SESM Release 3.1(9).

Preserving Customizations

To preserve your previous SESM installation, including changes to configuration files and customized web applications, install SESM Release 3.1(9) in a different directory from previous installations.

To reuse the same installation directory, perform the following steps:


Step 1 Ensure that a backup copy of your previous SESM installation is stored in a safe location.

Step 2 Uninstall the previous release of SESM using instructions in the "Uninstalling a Previous Installation" section.

Step 3 Install the current release of SESM.

Step 4 Migrate the SESM Release 3.1(3), 3.1(5) or 3.1(7) set of configuration files to SESM Release 3.1(9). Use either of the following methods:

When the application is running, use the Agent View to update attributes to the values used in the previous installation. Be sure to use the apply and store operations to persist the new values across application restarts.

When the application is not running, edit the XML files, updating attribute values to the values used in the previous installation.

Step 5 Migrate your web portal applications to the new installation, as described in the following section.


Migrating an SESM Release 3.1(3), 3.1(5) or 3.1(7) Web Portal Application

To migrate an SESM Release 3.1(3), 3.1(5) or 3.1(7) web portal application to SESM Release 3.1(9), perform the following steps:


Note: Before you begin this procedure, ensure that a backup copy of your entire SESM web application is stored in a safe location.



Step 1 Install the SESM Release 3.1(9) software. For information on installing the software, see the Cisco Subscriber Edge Services Manager Installation Guide.

Step 2 Copy the NWSP web application in \install_dir\nwsp to \install_dir\mywebapp, where \install_dir is the location in which you installed SESM Release 3.1(9), and mywebapp is the name of your SESM web application. This creates an SESM web application named mywebapp under \install_dir.

Step 3 Copy these files from the install location of the SESM Release 3.1(9) software.

a. In \install_dir\jetty\bin, copy startNWSP.sh to startMYWEBAPP.sh. Edit the startMYWEBAPP.sh file and replace APP=nwsp with APP=mywebapp. (For an SESM installation on a Windows platform, the suffix of the start file is .cmd.)

b. In \install_dir\jetty\config, copy nwsp.jetty.xml to mywebapp.jetty.xml. Edit the mywebapp.jetty.xml file and replace nwspkeystore with mywebappkeystore. Also, replace any comments that refer to NWSP.

c. In \install_dir\jetty\config, copy mywebappkeystore from your previous installation into this directory.

d. In \install_dir\jetty\config, copy nwsp.web-jetty.xml to mywebapp.web-jetty.xml.

Step 4 Verify the previous steps by starting the web application mywebapp in Demo mode.

a. In the /jetty/bin directory, run the start script. For example, on UNIX:

startMYWEBAPP.sh -mode Demo

b. Log in to the web application using the user name golduser and the password cisco. You should be able to use the SESM web application in Demo mode.

c. Stop the server.


Note: To update the directory structure for an SESM web application, you usually must update only the contents of the WEB-INF subdirectory with the customizations for your web application. Step 5 overwrites almost the entire web application directory structure with the old web application directory. You then update certain files.

If your web application consists of minimal changes to the NWSP web application components, it may be more appropriate for you to leave the new SESM web application directory as is, and then overwrite only certain subdirectories from the previous SESM directory structure, such as the pages and images directories. If web.xml has been customized, then follow the instructions in Step 12 for updating this file.


Step 5 Copy the following directories (and all directories and files under them) from your previous SESM web application into the \install_dir\mywebapp location of the SESM Release 3.1(9) software.

docroot

docs

Step 6 In the install location of the SESM Release 3.1(9) software, rename the docroot directory to webapp.

Step 7 Install a second copy of the SESM Release 3.1(9) software into a location different from where you installed the first copy.

Step 8 From the second SESM install location, copy the following files into the corresponding SESM Release 3.1(9) location of your web application:

webapp\WEB-INF\lib\com.cisco.sesm.i18nl10n.jar

webapp\WEB-INF\lib\com.cisco.sesm.logging.jar

webapp\WEB-INF\lib\com.cisco.sesm.model.jar

webapp\WEB-INF\lib\com.cisco.sesm.platform.jar

webapp\WEB-INF\lib\com.cisco.sesm.radius.jar

webapp\WEB-INF\lib\com.cisco.sesm.types.jar

webapp\WEB-INF\lib\com.cisco.sesm.util.jar

webapp\WEB-INF\lib\com.cisco.sesm.webapps.jar

webapp\WEB-INF\lib\com.cisco.sesm.dess.jar

webapp\WEB-INF\lib\com.cisco.sesm.auth.jar

webapp\WEB-INF\lib\com.cisco.sesm.authentication.jar

webapp\WEB-INF\lib\com.cisco.sesm.gsal.jar

webapp\WEB-INF\lib\com.cisco.sesm.protect.jar

webapp\WEB-INF\lib\com.cisco.sesm.jakarta-regexp1.2.jar

webapp\WEB-INF\lib\com.cisco.sesm.log4j-1.2.6.jar

webapp\WEB-INF\lib\com.cisco.sesm.appmgmt.remotemgmt.jar

webapp\WEB-INF\lib\jsp.jar

webapp\WEB-INF\lib\*.tld

For deployments in which a WAR file will be created, copy these additional files:

webapp\WEB-INF\lib\com.cisco.contextlib.jar

webapp\WEB-INF\lib\nitrusri.jar

webapp\WEB-INF\lib\nitrustools.jar

For SPE/LDAP mode deployments only, copy these additional files:

webapp\WEB-INF\lib\dess.jar

webapp\WEB-INF\lib\auth.jar

webapp\WEB-INF\lib\authentication.jar

webapp\WEB-INF\lib\protect.jar

Step 9 Depending on whether your web application contains customized versions of the JSP pages in the webapp\decorators directory, do one of the following:

If your web application does not contain customized JSP pages in webapp\decorators, copy all files in webapp\decorators from the second SESM Release 3.1(9) install location into the webapp\decorators directory at the SESM Release 3.1(9) location of your web application.

If your web application does contain customized JSP pages in webapp\decorators, do the following:

a. Use a diff utility to compare your web application's files in webapp\decorators with the same files in the second SESM Release 3.1(9) install location.

b. Copy all files in webapp\decorators from the second SESM Release 3.1(9) install location into the corresponding SESM Release 3.1(9) location (webapp\decorators) of your web application.

c. Using the diff output from step a, replicate any customizations in all files in webapp\decorators of your SESM Release 3.1(9) web application.

Step 10 In the SESM Release 3.1(9) location that contains your web application, change the name of the webapp\WEB-INF\web.xml file to web.xml.OLD. The file web.xml is the web application's deployment descriptor file.

Step 11 Do one of the following, depending on whether you have updated the jsp.jar file (using the precompile.sh script).

If you have updated the jsp.jar file, copy the WEB-INF\web.xml from the second SESM install location to web.xml.

If you have not updated the jsp.jar file, copy the webapp\WEB-INF\web.recompile.xml file from the second SESM install location into the corresponding SESM Release 3.1(9) location that contains your web application, and rename the file web.xml.


Tip: The web.recompile.xml file causes the web application's JSP pages to be used rather than any precompiled JSP pages. The web server compiles each JSP page the first time the JSP page is requested after the web application is started. For information on how to use precompiled JSP pages, see the Cisco Subscriber Edge Services Manager Web Developer Guide.


Step 12 If your SESM web application's deployment descriptor file (web.xml) is customized in any way, modify the deployment descriptor file that you created in Step 10 so that it includes those customizations. For example, the number or order of user-shape dimensions that your web application uses may be different from the number or order found in the standard web.xml or web.recompile.xml file.

Step 13 In the mywebapp\config\ directory of the SESM Release 3.1(9) location, rename the file nwsp.xml to mywebapp.xml.

Step 14 In the mywebapp\config\ directory of the SESM Release 3.1(9) location, change the attribute values in the mywebapp.xml file so that they are identical to the values used in your previous SESM installation. Use either of the following methods:

a. When the application is running, use the Agent View to update attributes to the values used in the previous installation. Be sure to use the apply and store operations to persist the new values across application restarts.

b. When the application is not running, edit the mywebapp.xml file, updating attribute values to the values used in the previous SESM installation.

Step 15 After you successfully complete this procedure, you can optionally delete the files that are associated with the second SESM Release 3.1(9) installation.


Searches for Java Classes. The deployer should be aware that the SESM web portals are, by default, run in a mode that is compliant with the Java 2, Enterprise Edition (J2EE) specification. This mode is controlled by the following line in the Jetty container MBean configuration file (for example, \install_dir\jetty\config\nwsp.jetty.xml):

<Set name="classLoaderJava2Compliant">TRUE</Set>

The preceding line has the following effects on how the web server searches for classes from JAR files:

If classLoaderJava2Compliant is set to TRUE, classes from any JAR files in the \web_app_name\webapp\WEB-INF\lib directory are used after classes from any JAR files in the system CLASSPATH. This mode is compliant with J2EE.

If classLoaderJava2Compliant is set to FALSE, classes from any JAR files in the \web_app_name\webapp\WEB-INF\lib directory are used before classes from any JAR files in the system CLASSPATH. This mode is compliant with the Java 2 Servlet Specification.
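An added example (not part of SESM) of the search order described above: it reports the classes defined both in system CLASSPATH JARs and in WEB-INF\lib JARs, which are the ones whose origin changes with classLoaderJava2Compliant. The JAR and class names are constructed, and "first JAR in the list wins" within each group is an assumption.

```python
import io
import zipfile


def make_jar(class_names):
    """Build an in-memory JAR (constructed sample) holding empty .class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in class_names:
            jar.writestr(name.replace(".", "/") + ".class", b"")
    return buf.getvalue()


def classes_in_jar(jar_bytes):
    """Return the fully qualified class names stored in a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {
            entry[: -len(".class")].replace("/", ".")
            for entry in jar.namelist()
            if entry.endswith(".class")
        }


def first_definition(jars):
    """Map class name -> first JAR (in list order) that defines it."""
    owner = {}
    for jar_name, jar_bytes in jars:
        for cls in classes_in_jar(jar_bytes):
            owner.setdefault(cls, jar_name)
    return owner


def resolve(system_jars, webinf_jars, java2_compliant):
    """Return {class: JAR that supplies it} for the given setting.

    TRUE: the system CLASSPATH is searched first.
    FALSE: WEB-INF/lib is searched first.
    """
    system = first_definition(system_jars)
    webinf = first_definition(webinf_jars)
    first, second = (system, webinf) if java2_compliant else (webinf, system)
    return {**second, **first}  # entries from the group searched first override


def shadowed(system_jars, webinf_jars):
    """Classes whose origin depends on the setting.

    Returns {class: (JAR used when TRUE, JAR used when FALSE)}.
    """
    when_true = resolve(system_jars, webinf_jars, True)
    when_false = resolve(system_jars, webinf_jars, False)
    return {
        cls: (when_true[cls], when_false[cls])
        for cls in when_true
        if when_true[cls] != when_false[cls]
    }


# Constructed sample JARs; the names are hypothetical.
SYSTEM_JARS = [
    ("system-lib.jar", make_jar(["com.example.util.Parser", "com.example.util.Codec"])),
]
WEBINF_JARS = [
    ("webapp-lib.jar", make_jar(["com.example.util.Parser", "com.example.portal.Page"])),
]

if __name__ == "__main__":
    for cls, (if_true, if_false) in sorted(shadowed(SYSTEM_JARS, WEBINF_JARS).items()):
        print(f"{cls}: TRUE -> {if_true}, FALSE -> {if_false}")
```

To run it against a real installation, pass `(name, open(path, "rb").read())` pairs for the JARs on the system CLASSPATH and in WEB-INF\lib.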

Upgrading from SESM Release 3.1(1)

This section provides information on upgrading from SESM Release 3.1(1) to SESM Release 3.1(9).

Migrating an SESM Release 3.1(1) Web Portal Application

Significant improvements and changes were made to the JSP pages and other web components of the SESM web application (New World Service Provider) starting with Release 3.1(3) including:

The SESM web components that accomplish decoration were re-engineered.

The Java code for interactions with the SESM model was moved from the JSP pages to the SESM control servlets. This change should minimize the modifications to the JSP pages as the SESM model evolves in the future.

Implementing these changes required that numerous Java classes and methods be deprecated for SESM Release 3.1(3). In subsequent SESM releases, these classes and methods were removed.

Because of this extensive redesign, it is not practical to use JSP pages that were developed for SESM Release 3.1(1). After SESM 3.1(3), these JSP pages would need to be modified so as to replace use of the deprecated classes and methods that have now been removed. This task would be achieved by referring to the Javadoc included in the SESM installation.

Instead of modifying the JSP pages, the recommended strategy for migrating an SESM Release 3.1(1) web application is to use the SESM Release 3.1(9) software and web components, including the JSP pages and deployment descriptor file in a sample web application like NWSP. Using this approach, you would typically do the following:

1. Recreate the customizations from your SESM Release 3.1(1) web application in the set of JSP pages in the SESM Release 3.1(9) NWSP. For this step, you might need to accomplish one or more of the following changes to the sample SESM Release 3.1(9) web application:

Modify the functionality of the web application

Customize the look and feel of web elements such as icons, images, background colors, and style sheets

Localize web elements

Code revised or new JSP-page dimension decorators for the user-shape mechanism

If you use Dreamweaver UltraDev or Dreamweaver MX and the templates provided with the sample NWSP web application, the HTML customizations can be accomplished more efficiently. For detailed information on customizing and developing an SESM Release 3.1(9) web application, see the Cisco Subscriber Edge Services Manager Web Developer Guide at:

http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_319/webdevgd/index.htm

2. Configure the SESM Release 3.1(9) web application deployment descriptor file (web.xml) as described in the Cisco Subscriber Edge Services Manager Web Developer Guide at:

http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_319/webdevgd/ch3_adv.htm

3. Configure the customized SESM Release 3.1(9) web application as described in the Cisco Subscriber Edge Services Manager Installation Guide at:

http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_319/instconf/05portal.htm

4. Precompile the finalized production JSP pages using the directions and script provided in the Cisco Subscriber Edge Services Manager Web Developer Guide.

Uninstalling a Previous Installation

Use the uninstall utility provided with the SESM product to remove a previous installation. The uninstall utility is located in the following directory:

installDir
   _uninst
      uninstall.bin or uninstall.exe

The uninstall utility does the following:

Lets you choose the components to uninstall.

Verifies the installation directory that is being uninstalled.

Uninstalls the SESM components. It does not remove the installation directory, only the contents under the installation directory.

After you run the uninstall utility, you can safely reinstall one or more SESM components into the same directory.


Note: Do not uninstall SESM by manually deleting the contents of the installation directory. If you manually remove the contents of the directory and then attempt a reinstall into the same directory, the reinstall might not be complete.


Important Notes

The following sections describe some important considerations related to the Cisco SESM.

Modifying Java Server Pages

The SESM portal applications use precompiled JavaServer Pages (JSP). If you modify the JSP pages in one of the SESM portal applications, you must recompile the JSP pages before the changes are visible in the application. For information on recompiling, see the Cisco Subscriber Edge Services Manager Web Developer Guide.

Recommended Java Runtime Environment

The recommended JRE for SESM Release 3.1(9) is JRE Version 1.4.1_02, which is bundled with the SESM product.

JMX Management Console

The Sun example JMX server includes an HTML adaptor server that produces a web-based management console. The JMX HTML adaptor server forms the basis of the remote management and configuration support provided by the CDAT management application. For example, an administrator can make configuration changes and can have these changes persisted with this new support.


Note: In an earlier release, we recommended that the JMX HTML adaptor server functionality be removed when deployed in a production environment.

Starting with SESM Release 3.1(5), the JMX HTML adaptor server is required if a deployer needs this feature as part of the CDAT management application.


To protect access to SESM application management consoles, the JMX interface prompts for a username and password. For additional security, the deployer could deploy the SESM application behind a firewall.

For information about configuring the login values for SESM application management consoles, see the Cisco Subscriber Edge Services Manager Application Management Guide.

Server Hardware

If you are using a Sun Ultra or Enterprise system, you must use Solaris Version 8 or later. For live deployments, we recommend using an Enterprise class server with hot-swappable components and load-balancing across multiple servers. The Cisco Content Services Switch 11000 (CSS 11000) is preferred for load balancing.

For Windows installations, we highly recommend that you use hardware that meets the Windows Hardware Compatibility List (HCL) guidelines set by Microsoft with at least 128 MB of RAM (256 MB of RAM is recommended). Memory requirements are influenced by login rates, the number of subscribers concurrently logged on, and the number of services the subscribers are subscribed to use. See the chapter "Running SESM Components," in the Cisco Subscriber Edge Services Manager Web Portal Guide for more details about memory requirements.

Sun ONE (iPlanet) Directory Server 5.0 Fails to Remove Attribute

A known problem in the Sun ONE Directory Server 5.0 affects the CDAT management application. The problem is that removing an attribute does not fully remove it. See Bug 554309 at this location:

http://docs.sun.com/source/816-5604-10/index.html

This issue has an impact on the CDAT management application in the following situation. If InetOrgPerson=UID and an administrator changes the value of the Poolname (CiscoDESSpoolName) or Primary Service (CiscoDESSprimaryService) attribute to null, an exception is thrown. After the exception, unexpected behavior occurs in the CDAT management application. The problem does not occur if the administrator changes Poolname or Primary Service to a value other than null.

The workarounds are:

Rather than attempting to change the attribute value for Poolname or Primary Service in CDAT to null, change the values to something other than null.

Apply the Sun ONE Directory Server 5.0 Service Patch 1

Upgrade to Sun ONE Directory Server 5.1

JDK Home Settings

The JVM used by the SESM applications is determined by the setting of the JDK_HOME variable in the SESM start scripts, for example .../jetty/bin/start.sh. However, the SESM start scripts give precedence to a JDK_HOME environment variable, if one is set.

Caveats

Table 2 describes known problems in SESM Release 3.1(9).

Table 2 Caveats in SESM Release 3.1(9) 

Category
Caveat
Description

General Issues

CSCdw50552

With a Netscape Version 4.7 browser, the following problems exist concerning the service list display area in the SESM application pages:

Service groups or mutually exclusive services cannot be collapsed.

When the subscriber has no subscribed services, the service list contains a white space where the Current Services folder should be.

Workaround: None

CSCuk32067

If the file tag from the Shape tag library (<shape:file name='...'/>) does not find the resource specified by the name attribute, the JSP page stops displaying. In some cases, a blank page is displayed. This is normally only an issue during development and testing, as all resources should be available in a production application.

Workaround: Replace the use of com.cisco.sesm.shape.taglib.FileTag with that of com.cisco.sesm.taglib.shape.ResourcePathTag. The ResourcePathTag is not used by default because its increased functionality has an impact on performance.

CSCuk28056

When a subscriber with inherited Cisco AV Pairs from a user group creates a subaccount from the NWSP application, the subaccount does not inherit the parent's AV Pairs. If the parent account has a Local Cisco AV Pair, the subaccount inherits that AV Pair.

Workaround: After a subscriber creates a subaccount, an administrator must use CDAT to set the Cisco AV Pairs either in the subaccount or in the parent account.

CSCuk31287

A user group member is erroneously autoconnected to a service when the following conditions are true:

The user group has a subscribed service which is defined as auto-logon.

The service is a member of a service group, but the user is not subscribed to the service group.

When the user logs on, the service is autoconnected even though the user is not subscribed to the service group.

Workaround: Do not define services in a service group as auto-logon in a user group.

CSCuk32602

In a captive portal deployment, when an unauthenticated WAP subscriber tries to connect to a service, the authentication page appears. After authentication, the service list page appears and the subscriber is not connected to the original service as a non-WAP based subscriber would be.

Note If the WAP subscriber is already authenticated, this issue does not arise.

Workaround: The subscriber manually selects the service from the service list.

CSCuk34276

When deployed with a JRE, the NWSP application does not provide support for WAP or PDA devices. This support is only provided when the NWSP application is deployed with a full JDK.

Workaround: Deploy with the full JDK.

CSCuk43787

Scenario: You have a web proxy configured in your browser, and you are subject to TCP Redirect on the SSG, which results in you being redirected to the SESM Captive Portal application.

If you request an HTTPS URL in your browser, then the redirection / proxy which should be performed by the Captive Portal application will fail.

Workaround: None

 

CSCuk45021

When trying to access the Status page on the NWSP in Demo mode, you are taken to the Messages page. A Null Pointer Exception is generated and displayed.

This does not occur on the NWSP in RADIUS or SPE mode.

Workaround: None

Installation Issues

CSCuk31428

During a custom installation, if you select only the RDP component, the installation program also selects the Jetty component. The Jetty component cannot be unselected, even though the RDP does not require it.

Workaround: Proceed as normal with the installation. The Jetty component has a very small footprint. Although it is installed, it does not have an impact on the operation of the RDP component.

CSCuk31431

During a custom installation in SPE/LDAP mode, if you deselect all of the choices and then reselect the Web Applications, the installation application correctly autoselects the Jetty component but does not autoselect the SPE component.

Workaround: If this sequence of events occurs, be sure to manually select the SPE component, as it is required for SPE/LDAP mode.

CSCuk43808

When installing SESM in SPE Mode (Typical, or Custom where the RDP is selected) in addition to the normal, documented, screen for RDP data, a second screen is displayed later during the installation.

The data requested by the second screen, RDP Host and RDP Port, is a repeat of that in the first RDP screen. Although the second screen is marked as optional, the correct data should be entered, otherwise after installation the RDP will not be configured correctly.

The RDP Host field has two purposes:

1. This is the address on which the RDP will listen for requests. If a request is received on a different address, as could happen when the server has more than 1 interface, it will not get a response. If it is required that the RDP responds to requests received on any address then enter 0.0.0.0

2. The address entered here will be reflected in the name listed in Application Management

Workaround: Ensure that the second screen is filled in with the correct information and is similar to that of the first screen. Or, alternatively these addresses can be modified post installation by manually editing the rdp.xml and/or AdapterFactoryInit.xml files.

CSCuk31543

The silent install option does not perform correctly for the SESM applications, unless you intend to install in Demo mode. Configuration information for the web portal applications (NWSP, PDA, WAP) is not set, although the remaining applications and components (CDAT, RDP, Captive Portal, Message Portal) are configured as expected.

Workaround: The preferred workaround is to use the normal or console-based installation mode. An alternative workaround is to manually edit the incorrect configuration files:

applicationName/config/appName.xml

jetty/config/applicationName.jetty.xml

jetty/bin/startapplicationName.sh or jetty\bin\startapplicationName.cmd

CSCuk39878

The Windows service scripts for do not function correctly. The services appear to install correctly, but they do not start up properly.

Workaround: None

CSCuk44588

The stop scripts are not working, for example stopNWSP.sh. This is due to an error in the start.sh script.

Workaround:

Edit .../jetty/bin/start.sh and insert the line indicated:

$JAVA $SERVER -Xms64m -Xmx64m \
  -classpath $CLASSPATH \
  -Dinstall.root=$INSTALLDIR \
  -Djetty.home=$JETTYDIR \
  -Dapplication.home=$APPDIR \
  -Dapplication.portno=$PORTNO \
  -Dapplication.ssl.portno=$SSLPORTNO \
  -Dmanagement.portno=$MGMTPORTNO \
  $MODE \
  $JVMOPTIONS \
  com.cisco.sesm.jmx.Main \
  $CONFIG_FILES \
&                             # <=== Add this line

 

CSCuk44745

SPE authentication fails if SESM is installed in SPE mode directly from a CD-ROM, when using iPlanet directory.

This is because the installer attempts to create a temporary file on the CD-ROM for modifications to the SPE. Although this is not possible, no installation errors occur unless logging is enabled during installation.

As a result, it is not possible to authenticate against the SPE after installation.

The same problem occurs if you run the installer from the hard disk but do not have write access to that location.

This problem affects all platforms.

Workaround: When installing SESM from a CD-ROM, it is recommended that the contents of the CD-ROM are copied to hard disk and the installer is run from there. Make sure that you have write access to the location of the install image.

CSCuk44912

If you are installing SESM with NDS, you cannot choose a type of Password Encryption Algorithm. User passwords will only be stored SHA encrypted.

Workaround: None

 

CSCuk45704

The normal behavior for extensions and modes is for the extension mechanism to override the modes mechanism. However, in release 3.1(9), in the case of service subscription changes, the modes mechanism is always used. A problem occurs if the mode does not match the extension configuration, which may happen if one of them is changed after install.

Workaround: Ensure that the mode configuration matches the extension configuration.

RDP Issues

CSCuk35196

If a subscriber has a Primary Service as a result of inheriting it from a User Group, the RDP does not pass the IP Pool associated with the Primary Service to the SSG.

Workaround: For IP Pool to be passed to the SSG, the IP Pool attribute must be defined in the Local RADIUS Attributes field of the CDAT management application at the User Group level.

CDAT Issues

CSCuk29592

If an administrator deletes a service from CDAT that is defined as an autoconnected service in a subscriber's profile, some service-related attributes might not be deleted from the directory. The problem occurs regardless of whether the subscriber is logged in or logged out. These redundant attributes do not have an impact on the subscriber.

Workaround: There is no impact in leaving these attributes in the directory, but administrators can manually remove the attributes if they wish.

CSCuk31892

CDAT cannot distinguish between local and inherited generic RADIUS attributes in a user profile when the user is a member of a group for which the generic attributes are defined.

Workaround: None

CSCuk30471

CDAT cannot distinguish between user and group pool names.

Workaround: None

CSCdv02447

When CDAT displays subaccounts, it displays group membership and not blocked roles.

Workaround: You can manipulate these values using an LDAP server administration tool such as ConsoleOne, or by using the appropriate NWSP application self-care feature to modify the roles of a subaccount.

CSCuk32178

In CDAT, the Service Filters attributes are not inherited by the user from a user group.

Workaround: If these attributes are required, they must be directly assigned to each user.

CSCuk43101

Within the SESM Application Management 'SSG' screen, it is only recommended to create and edit Subnet Attributes that have an Attribute type of 'IP' or 'SESSION_LOCATION'. Other valid Subnet Attributes are listed below, but these cannot be specified on a per-subnet basis because the 'Attribute Value' field is required to be 'IP'.

Workaround: To set any of the listed Attributes on a per-subnet basis, you are required to edit the appropriate application configuration file.

For example, if you wish to create a new mapping for the 192.168.2.0/24 client subnet and a SESSION_LOCATION attribute (or type 'london') within the NWSP web portal, you would add a line similar to the following:

<Call name="setSubnetAttribute"><Arg>192.168.2.0</Arg><Arg>255.255.255.0</Arg><Arg>SESSION_LOCATION</Arg><Arg>london</Arg></Call>

For these changes to take effect, save the configuration file and restart the application.

CSCuk44032

When a subscriber creates a sub-account with the NWSP SUB-ACCOUNTS page and that sub-account then logs into NWSP, the First Name field in the MY ACCOUNT page displays the name prefixed with "cn=" or "uid=", depending on the LDAP directory used. This is purely a cosmetic error and does not affect operation.

Workaround: This can be corrected by the sub-account user by simply updating the value of the field, or by an administration user via the CDAT application.

CSCuk44001

A user is not able to set the 'Country' field in the SESM 'My Account' page.

Workaround: None

Note This is only an issue where SESM is installed in SPE mode, using an LDAP directory as its datastore.

CSCuk44022

After a user has logged in to the SESM CDAT Directory Management application, they are unable to access the CDAT Help page. If they attempt to do so, they will see the following error reported in the browser:

HTTP Error: 500 String index out of range: -1
RequestURI=/help

Workaround: None. For help with the CDAT Directory Management application, please refer to the online SESM Documentation.


Documentation Updates

This section includes new and updated information about SESM Release 3.1(9) that does not appear in the current SESM documentation set. The information contained in the following sections will appear in a future revision of the respective guides.

Cisco Subscriber Edge Services Manager Web Developer Guide


Note The instructions in the Cisco Subscriber Edge Services Manager Web Developer Guide, on page 2-7 are no longer accurate. Replace the old instructions with the instructions in this section.


SESM Class Libraries and Tag Library Descriptor Files

To successfully compile the JSP pages for an SESM web application, the Java compiler must be able to find the needed SESM-related class libraries and tag library descriptor (TLD) files:

Table 3 JAR Files for an SESM Web Application

JAR File
Description

com.cisco.sesm.appmgmt.remotemgmt.jar

Classes for remote management of SESM applications.

com.cisco.sesm.erp.jar

Classes for the Extensible Request Proxy framework, the foundation of the RADIUS Data Proxy (RDP).

com.cisco.sesm.jmx.jar

Classes for the SESM extensions to the Java Management Extensions (JMX) tools.

com.cisco.sesm.i18nl10n.jar

Classes for internationalization and localization.

com.cisco.sesm.logging.jar

Classes for the SESM logging utilities.

com.cisco.sesm.model.jar

Classes for the SESM core model and associated functionality.

com.cisco.sesm.platform.jar

Classes for the platform framework for extensions.

com.cisco.sesm.radius.jar

Classes for the RADIUS-related functionality.

com.cisco.sesm.types.jar

Classes for some SESM types.

com.cisco.sesm.util.jar

Classes for the SESM utilities.

com.cisco.sesm.webapps.jar

Classes for the SESM decorators and controllers, and tag libraries.

jsp.jar

Classes for the SESM precompiled JSP pages.

dess.jar
auth.jar
authentication.jar
gsal.jar
protect.jar
jakarta-regexp1.2.jar
log4j-1.2.6.jar

Classes for using Security Policy Engine (SPE). These files are needed only for SESM web applications that will be deployed in SPE mode.


With two exceptions, the SESM-related JAR files reside in the install_dir\web_app_name\webapp\WEB-INF\lib directory, where install_dir is the directory where the SESM software is installed, and web_app_name is a directory where a sample SESM web application, such as NWSP, is installed. The two exceptions are:

com.cisco.sesm.erp.jar resides in the install_dir\libs\erp\lib directory.

com.cisco.sesm.jmx.jar resides in the install_dir\libs\jmx\lib directory.

In addition, there are three non-SESM-related JAR files in the following locations:

javax.servlet.jar resides in the install_dir\jetty\lib directory.

org.apache.jasper.jar resides in the install_dir\jetty\lib directory.

crimson.jar resides in the install_dir\redist\jaxp\lib directory.

To compile the class for an SESM web portal software component, the CLASSPATH environment variable must be set to the needed directory path (for example, \install_dir\web_app_name\webapp\WEB-INF\lib) to tell the Java compiler the location of the SESM class libraries.

The Cisco SESM software also includes a set of TLD files for the SESM tag libraries. Each TLD file is an XML file describing a tag library. The TLD files reside in the install_dir\web_app_name\webapp\WEB-INF directory and are as follows:

iterator.tld

localization.tld

navigator.tld

shape.tld

For more information on the TLD files and using a tag library, see the "Configuring a Tag Library" section on page A-1.

Cisco Subscriber Edge Services Manager SDK Platform Programmer Guide


Note This section provides information about SPE related JAR files that is not in the Cisco Subscriber Edge Services Manager SDK Platform Programmer Guide. This information should be added to Table 1-3, JAR Files for an SESM Web Application, on page 1-5.


Table 4 JAR Files for an SESM Web Application

JAR File
Description

dess.jar
auth.jar
authentication.jar
gsal.jar
protect.jar
jakarta-regexp1.2.jar
log4j-1.2.6.jar

Classes for using Security Policy Engine (SPE). These files are needed only for SESM web applications that will be deployed in SPE mode.



Note This section provides information about non-SESM related JAR files that is not in the Cisco Subscriber Edge Services Manager SDK Platform Programmer Guide. This information should be added to the section on page 1-5, SESM Class Libraries.


In addition, there are three non-SESM-related JAR files in the following locations:

javax.servlet.jar resides in the install_dir\jetty\lib directory.

org.apache.jasper.jar resides in the install_dir\jetty\lib directory.

crimson.jar resides in the install_dir\redist\jaxp\lib directory.

Cisco Subscriber Edge Services Manager Application Management Guide


Note This section provides information about the SSG MBean attributes that are not in the Cisco Subscriber Edge Services Manager Application Management Guide. This information should be added to the empty section on page 3-6, Configuring Logon Values for the Application Manager.


Configuring Logon Values for the Application Manager

To access the Application Manager, you must enter a user ID and password.

1. User ID—Enter a user ID that you want to have access to the Application Manager. The default value is MgmtUser.

2. Password—Enter a password that will be required to access the Application Manager. The default is MgmtPassword.


Note This section provides information about the SSG MBean attributes that are not in the Cisco Subscriber Edge Services Manager Application Management Guide. This information should be added to the section on page 7-5, SESM Application Logging and Debugging.


SSG MBean

The SSG MBean configures the SSG connections.

Table 5 SSG MBean Attributes 

Attribute Name
Explanation

SSGIPPolicy Class

The class name of the SSGIPPolicy to use to determine the SSG IP address for a session. If not set, the identity mapping is used.

Installed default: com.cisco.sesm.ssg.DefaultSSGIPPolicy

attributeDescriptions

An array describing the SSG configuration. For example:

java.lang.String[0] = 10.52.199.172[255.255.255.252]IP=10.52.199.83

java.lang.String[1] = 0.0.0.0[0.0.0.0]THROTTLE=20

java.lang.String[2] = 0.0.0.0[0.0.0.0]TIMEOUTSECS=10

java.lang.String[3] = 0.0.0.0[0.0.0.0]SECRET=cisco

java.lang.String[4] = 0.0.0.0[0.0.0.0]MASK=255.255.255.255

java.lang.String[5] = 0.0.0.0[0.0.0.0]BUNDLE_LENGTH=0

java.lang.String[6] = 0.0.0.0[0.0.0.0]SEND_FRAMED_IP=false

java.lang.String[7] = 0.0.0.0[0.0.0.0]PORT=1812

java.lang.String[8] = 0.0.0.0[0.0.0.0]RETRIES=3

attributes

The attributes used internally by the persistence mechanism. For example:

Type Not Supported: [{10.52.199.172[255.255.255.252]={IP=10.52.199.83}, 0.0.0.0[0.0.0.0]={THROTTLE=20, TIMEOUTSECS=10, SECRET=cisco, MASK=255.255.255.255, BUNDLE_LENGTH=0, SEND_FRAMED_IP=false, PORT=1812, RETRIES=3}}]

generateMessageAuthenticators

Boolean type True or False. If True, message authenticators are generated for all requests according to RFC2689.

maxSSGs

The maximum number of SSGs that will be cached. This value is an integer.

numCloses

The total number of connections that have been closed. This value is an integer.

numExceptions

The total number of I/O exceptions handled during all requests. This value is an integer.

numOpens

The total number of connections that have been opened. This value is an integer.

numRejects

The total number of Access Rejects received. This value is an integer.

numRequests

The total number of requests made. This value is an integer.

numSSGs

The number of SSGs in the cache. This value is an integer.

numTimeouts

The total number of requests that have timed out. This value is an integer.

statistics

View the value of statistics.

throttle

The default maximum number of simultaneous requests allowed to an SSG. This value is an integer.
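
As an added example (not Cisco code and not part of the SESM distribution), the following Python parses attributeDescriptions lines in the subnet[mask]KEY=VALUE form shown in Table 5, resolves the attributes that apply to a given address, and flags a SECRET that matches the value printed in the example above. The function names, the 16-character minimum, and the rule that a more specific subnet overrides the 0.0.0.0[0.0.0.0] entries are assumptions.

```python
import ipaddress
import re

# Constructed input: the attributeDescriptions example lines from Table 5.
SAMPLE = """\
java.lang.String[0] = 10.52.199.172[255.255.255.252]IP=10.52.199.83
java.lang.String[1] = 0.0.0.0[0.0.0.0]THROTTLE=20
java.lang.String[2] = 0.0.0.0[0.0.0.0]TIMEOUTSECS=10
java.lang.String[3] = 0.0.0.0[0.0.0.0]SECRET=cisco
java.lang.String[4] = 0.0.0.0[0.0.0.0]MASK=255.255.255.255
java.lang.String[5] = 0.0.0.0[0.0.0.0]BUNDLE_LENGTH=0
java.lang.String[6] = 0.0.0.0[0.0.0.0]SEND_FRAMED_IP=false
java.lang.String[7] = 0.0.0.0[0.0.0.0]PORT=1812
java.lang.String[8] = 0.0.0.0[0.0.0.0]RETRIES=3
"""

# Optional "java.lang.String[n] = " prefix, then subnet[mask]KEY=VALUE.
ENTRY = re.compile(
    r"^(?:java\.lang\.String\[\d+\]\s*=\s*)?"
    r"(?P<addr>[\d.]+)\[(?P<mask>[\d.]+)\](?P<key>\w+)=(?P<value>.*)$"
)
DOCUMENTED_SECRETS = {"cisco"}  # value printed in the Table 5 example
MIN_SECRET_LEN = 16             # assumption: local policy, not an SESM rule


def parse(text):
    """Return {IPv4Network: {attribute: value}} for each subnet[mask] seen."""
    subnets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: expected subnet[mask]KEY=VALUE")
        net = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
        subnets.setdefault(net, {})[m["key"]] = m["value"]
    return subnets


def effective(subnets, client_ip):
    """Attributes applying to client_ip. Assumption: entries on a more
    specific subnet override those on 0.0.0.0[0.0.0.0]."""
    ip = ipaddress.IPv4Address(client_ip)
    merged = {}
    for net in sorted(subnets, key=lambda n: n.prefixlen):
        if ip in net:
            merged.update(subnets[net])
    return merged


def audit(subnets):
    """Return (subnet, finding) pairs; the secret itself is never echoed."""
    findings = []
    for net in subnets:
        secret = effective(subnets, str(net.network_address)).get("SECRET")
        if secret is None:
            findings.append((str(net), "no SECRET applies to this subnet"))
        elif secret.lower() in DOCUMENTED_SECRETS:
            findings.append((str(net), "SECRET matches a documented example value"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((str(net), "SECRET shorter than local minimum"))
    return findings
```

Run audit(parse(...)) over the attributeDescriptions value copied from the JMX console; an empty list means no subnet resolves to a documented or short secret.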


Cisco Subscriber Edge Services Manager Deployment Guide


Note The instructions in the Cisco Subscriber Edge Services Manager Deployment Guide, on page 4-2 are no longer accurate. Replace the old instructions with the instructions in this section.


Summary of Administrative Access to NDS

When you complete the procedures described here, the NDS directory is configured as follows:

The following SESM container exists in the NDS directory:

Tree name: sesm

Server context: ou=sesm.o=cisco

The following attribute on the SESM LDAP group object is set to true (required).

On NDS Version 8.5, the Allow Clear Text Passwords attribute

The following attribute on the SESM LDAP group object is set to false (required).

On NDS Version 8.7, the Require TLS for Simple Binds with Password attribute