Progress Application Server for OpenEdge : Secure Online Deployment of a New ABL Application
 

Secure Online Deployment of a New ABL Application

OpenEdge administrators can securely deploy new ABL applications to production PAS for OpenEdge servers without users experiencing any downtime. This requires deploying and securing Tomcat Manager and involves further security considerations, all of which are detailed in the sections that follow.
Note: The best practice is to not deploy applications to an online server. However, there may be circumstances where this is required. If you choose to enable this capability, ensure that you appropriately secure your server.
Deploying Tomcat Manager
Online deployment of ABL applications requires functionality provided by the Tomcat Manager. The Tomcat Manager is a web application that provides administrative access for configuring instances and deploying applications. For security reasons, the Tomcat Manager is not deployed by default on production servers.
To deploy Tomcat Manager, use the following command:
proenv> pasman deploy -I PASOE_Instance PASOE_Home/extras/manager.war
Securing Tomcat Manager
To maintain the security of your PAS for OpenEdge instance, do not enable remote administration on a production server. Therefore, when you enable Tomcat Manager to allow online deployment of ABL applications, you should limit access to the Tomcat Manager to only localhost requests. This is done using the remote address valve configuration in PASOE_Instance/webapps/manager/META-INF/context.xml, as shown:
<!--
Remove the comment markers from around the Valve below to limit access to
the manager application to clients connecting from localhost
-->
<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
The Remote Address Valve compares the IP address of the client that submitted a request against one or more regular expressions and either allows the request to continue or refuses to process it. The syntax for regular expressions differs from standard wildcard matching. Tomcat uses the java.util.regex package, and the expression must match the whole client address (Java's Matcher.matches()), not just a prefix of it. Consult the Java documentation for details of the expressions supported.
Note: There is a caveat when using this valve with IPv6 addresses. The format of the IP address that this valve processes depends on the API that was used to obtain it. If the address was obtained from a Java socket using the Inet6Address class, its format is x:x:x:x:x:x:x:x. That is, the IP address for localhost is 0:0:0:0:0:0:0:1 instead of the more widely used ::1. Consult your access logs for the actual value.
Other Security Considerations
Use of the Tomcat Manager, or of any other administrative application, requires careful security configuration. Because the Tomcat Manager allows remote deployment of web applications, it is a common target for attackers, typically through weak passwords and publicly reachable Tomcat instances that have the Manager application enabled. If the Manager application is enabled, follow these security guidelines:
*Ensure that any users permitted to access the Tomcat Manager application have strong passwords.
*Change or remove the default tomcat user, whose default password is tomcat.
*Use roles to limit deploy capabilities to authorized users.
*Use the LockOutRealm (enabled by default) that prevents brute force attacks against user passwords. Do not disable LockOutRealm.
*Use file system security to protect the web application configuration and the PAS for OpenEdge security configuration files.
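The localhost restriction and the account guidelines above can be checked offline before an instance goes live. The following Python script is an added example, not Progress or Apache code: it parses a manager context.xml and reports whether an active RemoteAddrValve is present, replays Tomcat's allow/deny decision order against sample client addresses (including the 0:0:0:0:0:0:0:1 form noted above and a partial-match case that the whole-string rule refuses), and flags the default tomcat/tomcat account, short passwords and the manager-gui role in a tomcat-users.xml. The conf/tomcat-users.xml location, the 16-character password threshold, the sample XML and the assumption that pasman -u needs only the manager-script role are the example's own assumptions, not taken from the page.

```python
"""Offline audit of Tomcat Manager hardening on a PAS for OpenEdge instance.

Added example (not Progress code). Files it targets, both assumed paths:
  PASOE_Instance/webapps/manager/META-INF/context.xml   -> RemoteAddrValve
  PASOE_Instance/conf/tomcat-users.xml                  -> manager accounts
The XML samples below are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"
LOCALHOST_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
MIN_PASSWORD_LEN = 16  # assumed site policy, not a Tomcat or PASOE default


def _local(tag):
    """Strip a namespace prefix: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def remote_addr_valves(context_xml):
    """(allow, deny) for every *active* RemoteAddrValve in a context.xml.

    ElementTree discards XML comments, so the shipped, still-commented Valve
    is correctly reported as absent.
    """
    root = ET.fromstring(context_xml)
    return [(el.get("allow"), el.get("deny")) for el in root.iter()
            if _local(el.tag) == "Valve" and el.get("className") == REMOTE_ADDR_VALVE]


def valve_allows(allow, deny, client_addr):
    """Tomcat's RequestFilterValve.isAllowed() decision order.

    Java's Matcher.matches() must cover the whole string, hence re.fullmatch:
    '127.0.0.1.5' is refused even though it starts with a 127. address.
    """
    if deny and re.fullmatch(deny, client_addr):
        return False
    if allow and re.fullmatch(allow, client_addr):
        return True
    return deny is not None and allow is None   # deny-only valve: allow the rest


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "0:0:0:0:0:0:0:1")


def manager_restricted_to_localhost(context_xml, probes=None):
    """True only if an active valve admits loopback probes and refuses the rest."""
    probes = probes or ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1",
                        "10.0.0.5", "192.168.1.20", "2001:db8::1"]
    valves = remote_addr_valves(context_xml)
    return bool(valves) and all(valve_allows(a, d, p) == is_loopback(p)
                                for a, d in valves for p in probes)


def audit_manager_users(users_xml):
    """Findings against the page's guidelines for accounts with manager-* roles.

    Assumes plaintext passwords in tomcat-users.xml (digested values would need
    a different strength check).
    """
    findings = []
    for el in ET.fromstring(users_xml).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",")}
        if not any(r.startswith("manager-") for r in roles):
            continue
        if name == "tomcat" and password == "tomcat":
            findings.append(f"{name}: default tomcat/tomcat credentials")
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append(f"{name}: password shorter than {MIN_PASSWORD_LEN} chars")
        if "manager-gui" in roles:
            # Assumption: pasman -u only needs the text interface (manager-script).
            findings.append(f"{name}: manager-gui granted; pasman -u needs only manager-script")
    return findings


# Constructed samples: the shipped context.xml (valve commented out) and a
# hardened copy with the comment markers removed; a weak and a hardened users file.
SHIPPED_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  -->
</Context>"""
HARDENED_CONTEXT = SHIPPED_CONTEXT.replace("<!--\n", "").replace("  -->\n", "")
WEAK_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/><role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
</tomcat-users>"""
HARDENED_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="pasdeploy" password="Kq7!vR2mXz9#pL4wTe" roles="manager-script"/>
</tomcat-users>"""

if __name__ == "__main__":
    for label, ctx in (("shipped", SHIPPED_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(f"{label} context.xml localhost-only: {manager_restricted_to_localhost(ctx)}")
    for label, users in (("weak", WEAK_USERS), ("hardened", HARDENED_USERS)):
        print(f"{label} tomcat-users.xml: {audit_manager_users(users) or ['no findings']}")
```

Run it against the instance's real files by reading them into the two functions; the shipped context.xml reports False because the Valve is still inside a comment, and the users audit is only meaningful while passwords are stored in plaintext.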
Deploying an ABL Application
Once the Tomcat Manager is enabled and secured, you can use the pasman or tcman command to deploy an ABL application. When you deploy a web application that requires tailoring to a running PAS for OpenEdge server, a server restart is normally required to load that web application's context. For online deployment, use the -l (lowercase L) option to load the application's context on a running server without a restart.
Here is an example of deploying an oeabl.war based web application:
proenv> pasman deploy -I PASOE_Instance -a yourABLapp -l -u myuid:mypwd -v PASOE_Home/extras/oeabl.war
Note: The Tomcat Manager (manager.war) must already be deployed for the -l switch to work; if it is not, you are prompted to restart the instance. On production instances, deploy the Tomcat Manager first, then use this switch. The -l switch can be used only together with the -u parameter. Credentials passed with -u appear in the shell history and in the host's process list while the command runs, so use a dedicated deployment account with only the Manager role it needs rather than an administrator's personal credentials.