Administration Guide
Development server and production server security issues

The Progress Application Server (PAS) for OpenEdge is a Web application server that is available as either a development server or a production server product.
The difference between a development server and a production server is largely a matter of security. Typically, a server in a development environment allows unrestricted access to and control by a user or group of users. A production server, on the other hand, is configured to restrict access to authorized users and to limit control to system administrators. For example, in a development environment anyone might be allowed to shut down the server, whereas, in a production environment, only an administrator with appropriate privileges would be allowed to stop a running server.
Some of the security customizations in the production server version of PAS for OpenEdge are:
*Removal of manager and host-manager Web applications — These are default Tomcat applications that enable remote online administration. These applications are archived in the $CATALINA_HOME/extras directory and can be redeployed to enable their functionality.
*Replacement of the default Tomcat webapps/ROOT application — Replaced by a ROOT application that specifically supports Progress applications, including application security. The Tomcat ROOT application is archived in the $CATALINA_HOME/extras directory.
*Auto-deployment turned off by default — Prevents the deployment of WAR files that are maliciously or erroneously copied to the server. If turned on, the server automatically deploys any new or updated WAR files in its Web application directory. (Note however that the server will automatically unpack WAR files when they are legitimately deployed using TCMAN or standard Tomcat utilities.)
*Shutdown port disabled for UNIX — Prevents unauthorized stopping of the server.
Note that a shutdown port is optional for servers running on UNIX systems. However, you must specify a shutdown port when you create a server that runs on Windows systems. The TCMAN utility supports specifying shutdown ports with the -s option to the create action.
*JMX remote access not enabled — Although PAS includes JMX and JConsole support for server management, the default is for local access only.
*Web crawler filtering enabled — Prevents the server from being overloaded by sessions initiated by web crawlers.
Note: In PAS for OpenEdge, a ROOT application that specifically supports OpenEdge application security replaces the default Tomcat ROOT application. The Tomcat ROOT application is archived in the $CATALINA_HOME/extras directory.
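The following audit script is an added example and is not part of PAS for OpenEdge, TCMAN, or Tomcat. It checks an instance directory for three of the production-hardening settings listed above (shutdown port disabled, auto-deployment off, manager and host-manager not deployed) by reading the standard Tomcat conf/server.xml attributes and the webapps/ directory. The instance layout (conf/server.xml and webapps/ under one base directory), the function names, and the sample instances it builds are assumptions made for the demonstration; the JMX and web-crawler settings are not inspected because they are not expressed in server.xml.

```shell
#!/bin/sh
# Added hardening audit for a PAS/Tomcat instance directory (example code,
# not Progress or Tomcat code). Assumes the standard layout:
#   <base>/conf/server.xml and <base>/webapps/
# Prints one "FINDING:" line per deviation from the production defaults.
audit_pas_instance() {
    base="$1"
    xml="$base/conf/server.xml"

    if [ ! -f "$xml" ]; then
        echo "FAIL: $xml not found"
        return 0
    fi

    # 1. Shutdown port: port="-1" on the <Server> element disables it (UNIX only).
    shutdown_port=$(grep -o '<Server[^>]*port="[^"]*"' "$xml" | sed 's/.*port="\([^"]*\)".*/\1/')
    if [ "$shutdown_port" != "-1" ]; then
        echo "FINDING: shutdown port enabled on <Server> (port=\"$shutdown_port\")"
    fi

    # 2. Auto-deployment: autoDeploy="true" on <Host> deploys any WAR copied into webapps/.
    if grep -q '<Host[^>]*autoDeploy="true"' "$xml"; then
        echo "FINDING: autoDeploy=\"true\" on <Host>"
    fi

    # 3. Remote-administration webapps: manager and host-manager should not be
    #    deployed in webapps/ (PAS keeps archived copies under extras/).
    for app in manager host-manager; do
        if [ -e "$base/webapps/$app" ] || [ -e "$base/webapps/$app.war" ]; then
            echo "FINDING: $app webapp deployed in webapps/"
        fi
    done
    return 0
}

# Number of FINDING/FAIL lines for an instance, as a single integer on stdout.
audit_finding_count() {
    audit_pas_instance "$1" | grep -c -E '^(FINDING|FAIL)' || true
}

# Builds a constructed sample instance (demo data, not a real installation).
# $1 = directory, $2 = <Server> port value, $3 = autoDeploy value, $4 = deploy manager apps (yes/no)
make_instance() {
    mkdir -p "$1/conf" "$1/webapps/ROOT"
    cat > "$1/conf/server.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Server port="$2" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8810" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="$3"/>
    </Engine>
  </Service>
</Server>
EOF
    if [ "$4" = "yes" ]; then
        mkdir -p "$1/webapps/manager" "$1/webapps/host-manager"
    fi
}

# Demo: a development-style instance beside a production-style one.
demo_dir=$(mktemp -d)
make_instance "$demo_dir/dev" 8005 true yes
make_instance "$demo_dir/prod" -1 false no
echo "== dev instance =="
audit_pas_instance "$demo_dir/dev"
echo "dev findings: $(audit_finding_count "$demo_dir/dev")"
echo "== prod instance =="
audit_pas_instance "$demo_dir/prod"
echo "prod findings: $(audit_finding_count "$demo_dir/prod")"
rm -rf "$demo_dir"
```

Run it against a real instance with `audit_pas_instance /path/to/instance` after sourcing the file; on a production PAS instance created by TCMAN the expected result is zero findings on UNIX, while a Windows instance will always report the shutdown port because one must be configured there.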