Most settings in the configuration file are site-dependent, not machine- or environment- (DEV, QA, STAGE, PRODUCTION) specific. However, there are a few things in the file that may vary from Policy Server to Policy Server or between environments.
New at Version 4, APS supports define macros. These are simply replacement values that can be defined once, anywhere in the file, then used as many times as necessary, by referencing a name, rather than a value.
To define such a macro, for example, use the following syntax:
define X Y
After this definition, anywhere that <X> appears will be replaced with Y. For example:
define LDAP_SERVER 127.0.0.1
LDAP Writeback Server=<LDAP_SERVER>
In this case, the actual value used for the LDAP Writeback Server setting will be 127.0.0.1.
This is incredibly useful for separating environment-specific settings, reducing the errors which occur when an APS.cfg file is copied from one environment to another (such as DEV to QA to PROD). For example:
define CPW_SERVER myserver.security.com
Failure Redirect=http://<CPW_SERVER>/Failure.htm
Macro names are not case sensitive. If a macro is referenced, but not defined, APS will look into the process environment variables for a match on the macro name. If one is found, its value will be used as the value of the macro. If no matching environment variable is found, the reference is left intact.
Macros are processed during file load. They are not evaluated per user, so there is little performance impact.
Macros take effect only from the point where they are defined forward into the file.
If a macro has the same name (case-insensitive) as a previously defined macro, the new value replaces the old one from that point down.
Define macros can also be used with user classes and overrides (explained in the next section) to make definitions environment independent:
define LDAP_SUFFIX o=dev.Airius.com
@Admin=IsInGroup("cn=Admin,<LDAP_SUFFIX>")
When the file is promoted into QA, only the DEFINE line needs to change.
Comment checking is performed after macro expansion, so the following method can be used to make conditional (not overridden) settings:
define NO_MAIL ##
<NO_MAIL>Server=127.0.0.1
When NO_MAIL is set to a comment character, the setting is turned off. If NO_MAIL has no value (blank), then the mail server setting is valid. This is a very useful environment-specific setting (for example, don't send email in DEV). Note that if NO_MAIL is undefined (does not appear as a macro and has no matching environment variable), the reference is left intact and an error would result.
Define macros need not be stated in the APS Configuration File. They can also be defined in a separate file called APS-Macros.cfg located on the same directory as the APS.cfg file.
However, the external macro file will not automatically be loaded. It will only be loaded when the Use External Macros keyword is used in the APS.cfg file. Note that the external macro file can be loaded more than once (which might be useful if you want to change a value temporarily). It requires explicit loading in order to maintain backward compatibility.
The external macro file can be extremely useful. It allows a site to define machine-specific settings externally to the APS.cfg file. Thus, as an APS.cfg file is copied between Policy Servers, either from environment to environment (DEV to QA, for example) or within an environment, settings can "adapt" to the proper machine. For example, the APS.cfg file might contain:
@QA_Users=<QA_DEF>
In the DEV and QA environments, the APS-Macros.cfg file might contain:
define QA_DEF IsInGroup("cn=QA,o=Airius.com")
Whereas, in the production environment, the APS-Macros.cfg file might contain:
define QA_DEF FALSE
Another example, used with multiple Policy Servers within the same environment, might be (in the APS.cfg file):
LDAP Writeback Server={<USE_WRITEBACK>}127.0.0.1
On a policy server that directly accesses the master, the APS-Macros.cfg file would contain:
define USE_WRITEBACK TRUE
On a policy server that does not access the master by default, the APS-Macros.cfg file might contain:
define USE_WRITEBACK FALSE
Note that macros can be defined anywhere in this file, but it is most useful (and avoids confusion) if they are defined at the top of the file.
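The rules above (define lines, <NAME> replacement, case-insensitive names, environment-variable fallback, references left intact when nothing matches, forward-only effect, redefinition, comment checking after expansion, and loading APS-Macros.cfg on the Use External Macros keyword) can be exercised end to end with the following small loader. It is an added illustration written for this page, not APS's own code; it assumes "#" is the comment character, that the keyword is spelled exactly "Use External Macros", and that the environment-variable match is case-insensitive like the macro names. The configuration files and the environment it uses are constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

# "define NAME VALUE"; VALUE may be empty, which defines a blank macro.
DEFINE_RE = re.compile(r"^\s*define\s+(\S+)\s*(.*?)\s*$", re.IGNORECASE)
# A <NAME> reference anywhere in a line.
REF_RE = re.compile(r"<([A-Za-z0-9_]+)>")
COMMENT_CHAR = "#"                        # assumed comment character
EXTERNAL_KEYWORD = "use external macros"  # assumed exact spelling of the keyword
EXTERNAL_FILE = "APS-Macros.cfg"


def expand(line, macros, env):
    """Replace each <NAME> with its macro value, else a matching environment
    variable, else leave the reference untouched."""
    def substitute(match):
        name = match.group(1).lower()
        if name in macros:
            return macros[name]
        for env_name, env_value in env.items():  # assumption: env match is case-insensitive
            if env_name.lower() == name:
                return env_value
        return match.group(0)
    return REF_RE.sub(substitute, line)


def process_lines(lines, macros, env, base_dir, settings):
    """Walk a file top to bottom, so a macro only affects lines after its define."""
    for raw in lines:
        defined = DEFINE_RE.match(raw)
        if defined:
            # Case-insensitive name; a later define replaces the value from here down.
            macros[defined.group(1).lower()] = defined.group(2)
            continue
        line = expand(raw, macros, env).strip()
        # Comment check runs after expansion, so a macro that expands to "#"
        # turns the whole setting line into a comment.
        if not line or line.startswith(COMMENT_CHAR):
            continue
        if line.lower() == EXTERNAL_KEYWORD:
            external = base_dir / EXTERNAL_FILE
            if external.is_file():  # loaded only on request, and as often as requested
                process_lines(external.read_text().splitlines(), macros, env, base_dir, settings)
            continue
        settings.append(line)


def load_aps_cfg(path, env=None):
    """Return (expanded setting lines, final macro table) for an APS.cfg file."""
    path = Path(path)
    env = dict(os.environ) if env is None else dict(env)
    macros, settings = {}, []
    process_lines(path.read_text().splitlines(), macros, env, path.parent, settings)
    return settings, macros


def demo():
    """Constructed APS.cfg and APS-Macros.cfg exercising every rule from the text."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / EXTERNAL_FILE).write_text(
            'define QA_DEF IsInGroup("cn=QA,o=Airius.com")\n'
            "define USE_WRITEBACK TRUE\n")
        (base / "APS.cfg").write_text(
            "Early=<LATE>\n"                      # referenced before its define: left intact
            "define LATE later\n"
            "define LDAP_SERVER 127.0.0.1\n"
            "LDAP Writeback Server=<LDAP_SERVER>\n"
            "define NO_MAIL #\n"
            "<NO_MAIL>Server=127.0.0.1\n"          # expands to a comment, so it is dropped
            "define NO_MAIL\n"                     # redefined blank: the setting is live again
            "<NO_MAIL>Server=127.0.0.2\n"
            "Use External Macros\n"
            "@QA_Users=<QA_DEF>\n"
            "LDAP Writeback Server={<USE_WRITEBACK>}127.0.0.1\n"
            "Failure Redirect=http://<CPW_SERVER>/Failure.htm\n"  # supplied by the environment
            "Unknown=<NOT_DEFINED>\n")
        # Constructed environment instead of the real process environment.
        return load_aps_cfg(base / "APS.cfg", env={"CPW_SERVER": "myserver.security.com"})


if __name__ == "__main__":
    for setting in demo()[0]:
        print(setting)
```

Because an undefined macro falls back to the process environment, the demo passes a constructed environment rather than reading the host's, so the result does not depend on whatever variables happen to be set on the machine running it.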
Copyright © 2014 CA.
All rights reserved.