Release 10.1A: OpenEdge Application Server: Administration
Security considerations for Web service administration
The WSA acts as an intermediary between the AppServer and clients that access the service over the Internet. Thus, an application session involves two distinct connections, each of which is configured separately with respect to security.
The first connection is Internet-based between the WSA and the client. See the "Enabling the WSA for HTTPS client connections" section for information about making this connection secure. In brief, the following conditions must be met:
- The client must use the HTTPS protocol to send requests.
- The WSA must be HTTPS-enabled; that is, it must be configured to accept HTTPS requests from clients (via the JSE or Web server).
- A private key and a Web server digital certificate must be installed on the Web server, and the Web server must be configured for SSL support.
The second connection uses the AppServer protocol between the deployed service and the AppServer. For this connection to be secure, the following conditions must be met:
- You must obtain and install public key certificates for the WSA host machine.
- The service must send SSL requests to the AppServer that is to process the client requests. To configure the service to send SSL requests, you set the value of the appServiceProtocol property to AppServerS or AppServerDCS. You set this property, either for a specific service or as the default for services deployed to a given WSA instance, by using the Progress Explorer or by manually editing the WebServiceFriendlyName.props file or the default.props file. (Note that this property applies to deployed services, not to the WSA itself; for more information on configuring WSA security, see Chapter 7, "Web Services Adapter Security Configurations.")
- The AppServer must be SSL-enabled, meaning that it accepts SSL requests from the WSA (or other clients). You set the property sslEnable=1 by checking the Enable SSL Client Connections box in the SSL General properties category in the Progress Explorer, or by manually editing the ubroker.properties file. You must also obtain and install a server private key and public key certificate and set additional SSL server properties. See the "SSL-enabled AppServer operation" section for more information.
For more information on SSL support in OpenEdge, including configuring and operating a Web service as a client of an SSL-enabled AppServer, see OpenEdge Getting Started: Core Business Services.
SSL-related service properties
You can set the following properties, either as defaults for services deployed to a given WSA instance or as properties of a specific service:
- appServiceProtocol — Assign a value of AppServerS or AppServerDCS to support SSL communication with the AppServer.
- noHostVerify — Controls whether the WSA compares the host name of the connecting AppServer with the Common Name specified in the server digital certificate.
- noSessionReuse — Controls whether the service requests reuse of the session ID for successive connections to the same AppServer.
For more information about these and other service properties, see Appendix A "Reference to Progress 4GL Web Service Properties."
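The conditions above for the WSA-to-AppServer connection can be checked mechanically. The following Python sketch is an added example, not code from Progress or from this manual. It assumes the service properties and the broker properties are available as key=value lines, that a value of 1 for noHostVerify turns host-name checking off, and the function names and sample values are hypothetical.

```python
SSL_PROTOCOLS = {"AppServerS", "AppServerDCS"}  # SSL values named in this section


def parse_props(text):
    """Parse key=value lines (assumed file layout) into a dict.

    Blank lines, '#' comments, [section] headers and lines without '=' are skipped.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(service_props_text, broker_props_text):
    """Return finding codes for the WSA-to-AppServer connection."""
    svc = parse_props(service_props_text)
    brk = parse_props(broker_props_text)
    findings = []
    # The deployed service must be configured to send SSL requests.
    if svc.get("appServiceProtocol") not in SSL_PROTOCOLS:
        findings.append("service-not-ssl")
    # Assumption: a value of 1 turns the option on (host-name check skipped).
    if svc.get("noHostVerify") == "1":
        findings.append("host-verify-disabled")
    # The AppServer must accept SSL requests (sslEnable=1).
    if brk.get("sslEnable") != "1":
        findings.append("broker-ssl-disabled")
    return findings


# Constructed sample input, not taken from a real installation;
# the section name and the non-SSL protocol value are placeholders.
WEAK_SERVICE = "appServiceProtocol=AppServer\nnoHostVerify=1\n"
WEAK_BROKER = "[UBroker.AS.asbroker1]\nsslEnable=0\n"
GOOD_SERVICE = "appServiceProtocol=AppServerS\nnoHostVerify=0\n"
GOOD_BROKER = "[UBroker.AS.asbroker1]\nsslEnable=1\n"

if __name__ == "__main__":
    print("weak:", audit(WEAK_SERVICE, WEAK_BROKER))
    print("good:", audit(GOOD_SERVICE, GOOD_BROKER))
```

A missing property is reported the same way as an insecure value, so a service that inherits its protocol from default.props should be audited against the merged settings.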
Copyright © 2005 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095