Core Progress Application Server security : Progress Application Server production server customizations

Progress Application Server production server customizations

Although it is based on Tomcat, the Progress Application Server (PAS) is a web application server that is configured to function as a production server. In contrast, the standard Tomcat product download is configured as a development server.
The difference between a development server and a production server is largely a matter of security. Typically, a server in a development environment allows unrestricted access to and control by a user or group of users. A production server, on the other hand, is configured to restrict access to authorized users and to limit control to system administrators. For example, in a development environment anyone might be allowed to shut down the server, whereas, in a production environment, only an administrator with appropriate privileges would be allowed to stop a running server.
Some of the security customizations that tailor PAS as a production server are:
* Removal of manager and host-manager Web applications — These are default Tomcat applications that enable remote online administration. These applications are archived in the $CATALINA_HOME/extras directory and can be redeployed to enable their functionality.
* Replacement of the default Tomcat webapps/ROOT application — Replaced by a ROOT application that specifically supports Progress applications, including application security. The Tomcat ROOT application is archived in the $CATALINA_HOME/extras directory.
* Auto-deployment turned off by default — Prevents the deployment of WAR files that are maliciously or erroneously copied to the server. If turned on, the server automatically deploys any new or updated WAR files in its Web application directory. (Note, however, that the server will automatically unpack WAR files when they are legitimately deployed using TCMAN or standard Tomcat utilities.)
* Shutdown port disabled for UNIX — Prevents unauthorized stopping of the server.
  Note that a shutdown port is optional for servers running on UNIX systems. However, you must specify a shutdown port when you create a server that runs on Windows systems. The TCMAN utility supports specifying shutdown ports with the -s option to the create action.
* JMX remote access not enabled — Although PAS includes JMX and JConsole support for server management, the default is for local access only.
* Web crawler filtering enabled — Prevents the server from being overloaded by sessions initiated by web crawlers.
Note: Although the default PAS is a production server, you can, with some tailoring, run PAS as a development server. You can, for example, enable remote administration by deploying the manager applications to an instance, start an instance with a shutdown port enabled, and so on.
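Because several of the customizations listed above are ordinary Tomcat settings that live in conf/server.xml (the shutdown port on the Server element, autoDeploy on the Host element) or in the webapps/ directory (the manager and host-manager applications), an administrator can verify that an instance still matches the production profile after someone has "tailored" it. The following Python script is an added example written for this page; it is not Progress code and not part of TCMAN. It assumes that PAS's crawler filtering is Tomcat's standard CrawlerSessionManagerValve (the page does not name the mechanism), and it does not cover the JMX remote-access setting, which is controlled by JVM options rather than server.xml. The two server.xml samples are constructed for the example.

```python
"""Audit a Tomcat/PAS server.xml and webapps list against the production
hardening described on this page. Added example, not Progress/PAS code."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample resembling a hardened PAS instance's conf/server.xml.
HARDENED_SERVER_XML = """
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8810" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false" deployOnStartup="true">
        <Valve className="org.apache.catalina.valves.CrawlerSessionManagerValve"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample resembling a stock Tomcat development server.xml.
DEV_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

# Assumption: PAS uses Tomcat's standard crawler valve; the page does not say.
CRAWLER_VALVE = "org.apache.catalina.valves.CrawlerSessionManagerValve"
# Remote-administration applications that PAS removes by default.
ADMIN_APPS = ("manager", "host-manager")


def audit_server_xml(xml_text, deployed_apps, on_windows=False):
    """Return a list of findings; an empty list means every check passed.

    xml_text      -- contents of conf/server.xml
    deployed_apps -- directory or WAR names present under webapps/
    on_windows    -- per the page, Windows servers must have a shutdown port
    """
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Shutdown port: port="-1" disables it (the UNIX default for PAS).
    port = root.get("port", "")
    if on_windows:
        if port == "-1":
            findings.append("shutdown port disabled, but Windows requires one")
    elif port != "-1":
        findings.append(f"shutdown port enabled on {port}; expected -1")

    for host in root.iter("Host"):
        name = host.get("name", "?")
        # 2. Tomcat's autoDeploy defaults to true when the attribute is absent,
        #    so only an explicit false counts as hardened.
        if host.get("autoDeploy", "true").lower() != "false":
            findings.append(f"Host {name}: autoDeploy is not false")
        # 3. Crawler session filtering must be configured on the Host.
        valves = [v.get("className") for v in host.iter("Valve")]
        if CRAWLER_VALVE not in valves:
            findings.append(f"Host {name}: crawler session valve not configured")

    # 4. The remote-administration applications should not be deployed.
    for app in deployed_apps:
        base = app[:-4] if app.endswith(".war") else app
        if base in ADMIN_APPS:
            findings.append(f"remote admin application deployed: {app}")
    return findings


def audit_instance(catalina_base, on_windows=False):
    """Audit a real instance directory: reads conf/server.xml and lists webapps/."""
    base = Path(catalina_base)
    xml_text = (base / "conf" / "server.xml").read_text(encoding="utf-8")
    webapps = base / "webapps"
    deployed = [p.name for p in webapps.iterdir()] if webapps.is_dir() else []
    return audit_server_xml(xml_text, deployed, on_windows)


if __name__ == "__main__":
    for label, xml_text, apps in (
        ("hardened", HARDENED_SERVER_XML, ["ROOT"]),
        ("development", DEV_SERVER_XML, ["ROOT", "manager", "host-manager"]),
    ):
        result = audit_server_xml(xml_text, apps)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run `audit_instance("/path/to/instance")` against a CATALINA_BASE to check a live instance; the constructed development sample reports five findings (shutdown port, autoDeploy, missing crawler valve, and the two admin applications), while the hardened sample reports none unless it is audited as a Windows server, where the disabled shutdown port itself becomes the finding.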