COMP11:Best practices for Deploying AppServer and WebSpeed - PowerPoint PPT Presentation

About This Presentation

Title:

COMP11:Best practices for Deploying AppServer and WebSpeed

Description:

Check using the user-id and limit access to programs. Make sure they ... Set up SQL-92 Database security to minimise ODBC/JDBC access by using the GRANT command ... – PowerPoint PPT presentation

Number of Views:182

Avg rating:3.0/5.0

Slides: 55

Provided by: downlo6

Category:

more less

Transcript and Presenter's Notes

Title: COMP11:Best practices for Deploying AppServer and WebSpeed

1
COMP-11 Best practices for Deploying AppServer
and WebSpeed
Doug Merrett
Senior Solution EngineerProgress Software UK
2
Agenda

AppServer and WebSpeed components
Sample deployments
Security
Network
Machines
Progress Infrastructure
Application
Database
Summary

3
Generic OpenEdge Server Architecture
OpenEdge Server Host
Progress ExplorerorManagement Utilities
AdminServer
Client Process
ubroker.properties
NameServer
OpenEdgeServerBroker
Text Editor, MERGEPROPorConfiguration Utilities
OpenEdgeServerAgents/Servers
4
WebSpeed OpenEdge Server Architecture
OpenEdge Server Host
Progress ExplorerorManagement Utilities
AdminServer
WebSpeedMessenger
ubroker.properties
NameServer
WebSpeedBroker
Text Editor, MERGEPROPorConfiguration Utilities
WebSpeedAgents
5
AppServer OpenEdge Server Architecture
OpenEdge Server Host
Progress ExplorerorManagement Utilities
AdminServer
Any Client,AIA,AIA/Sor WSA
ubroker.properties
NameServer
AppServerBroker
Text Editor, MERGEPROPorConfiguration Utilities
AppServerServers
6
General Round Trip for a Request
NameServer
Client
Broker
Agents or Servers
7
General Round Trip for a Request

Step 0 Broker sends details to NameServer
Step 1 Client requests Service from NameServer
Step 2 NameServer responds with Broker details
Step 3 Client connects to Broker and requests a
Server to handle the request
Step 4 Broker responds with Servers details
Step 5 Client connects with Server and
passes request information
Step 6 Server sends response

8
Agenda

AppServer and WebSpeed components
Sample deployments
Security
Network
Machines
Progress Infrastructure
Application
Database
Summary

9
Sample Deployment Development
Development Server
Web Server WebSpeed Messenger
Web.PL .R
WebSpeed
Developers PC
Common.PL .R
Dev Tools
AppServer
AppServ.PL .R
Database
10
Sample Deployments Production Intranet
Production Server
Web Server WebSpeed Messenger
Web.PL
WebSpeed
Users PC
Common.PL
GUI/Char Client or Browser
AppServer
AppServ.PL
Database
11
Sample Deployments Production Internet
DMZ
Internal Network
InternetName Server
Internet
Web Server
WebSpeed Broker
WebSpeed Messenger
WebSpeed Agents
Protocol TCP
Protocol UDP
12
Agenda

AppServer and WebSpeed components
Sample deployments
Security
Network
Machines
Progress Infrastructure
Application
Database
Summary

13
Network Security

The reason for network security is to keep the
bad guys out, but still allow access from the
public internet
Data travelling over the internet may need to be
protected from being read and/or modified
Remember that nothing is 100 secure, all we can
do is make it as hard as possible to break our
security

14
Network Security Border patrol

The first line of defence is the Firewall

Firewalls
15
Network Security SSL

SSL (Secure Socket Layer) a protocol to encrypt
TCP/IP traffic over a network
Used correctly, all the communications between
the client and the server are encrypted and will
not be able to be broken
Commonly used on Web sites that take credit card
details
SSL will slow down performance due to the
overhead of encrypting and decrypting

In a reasonable timeframe any encryption can
be broken, it just depends on how long you wish
to wait!

16
Network Security Progress specific

Only install AIA, AIA/S, WSA or WebSpeed
Messenger on a machine the DMZ
Do not use standard ports or names for the Name
Server, Broker and Agents/Servers
Delete the WSBROKER1, ASBROKER1, NS1, etc
Re-create the appropriate brokers, using
non-standard ports
Dont use port 5162 for the Name Server or call
it NS1 for example

17
Network Security Progress specific (cont)

If you need the WebSpeed Messenger, AIA or WSA go
to the www.progress.com/openedge/support web
page, click on the download link on the bottom
right of the page
Use your usual ESD login or if required, there is
an option to register for downloading Deployment
Components

18
Network Security Progress specific (cont)

These components are on the OpenEdge media, so
just use the control codes and serial number from
the Download Centre if you have the CD for the
required platform

19
Agenda

AppServer and WebSpeed components
Sample deployments
Security
Network
Machines
Progress Infrastructure
Application
Database
Summary

20
Machine Security

Limit physical access to the machine
Minimise services running
Change userid from root/administrator to stop
people guessing the login id
Windows 2000http//support.microsoft.com/kb/32005
3
Windows 2003http//support.microsoft.com/kb/81610
9
Windows XPhttp//support.microsoft.com/kb/555441

21
Machine Security (cont)

Implement password security routines that force
regular changes and also enforce strong passwords
(alpha-numeric)
Regularly check machine logs for intrusion
attempts (Firewall, DMZ server and Internal
server)
Apply the vendor patches (after thorough testing)
Create users and groups that have limited access
via the operating system to the Progress and
application directories

22
Agenda

AppServer and WebSpeed components
Sample deployments
Security
Network
Machines
Progress Infrastructure
Application
Database
Summary

23
Progress Infrastructure Generic

Remove .R and .PL files from the DLC directory
that are not required to run your application
Remove the proDebugEnable, _debugEnable,
proDebugConfig and _debugConfig commands from the
DLC/bin directory of your production machine
Use SSL with OpenEdge 10 to communicate between
Progress components

24
Progress Infrastructure Generic (cont)

This diagram comes from the Core Business
Services manual in OpenEdge 10.1B and shows the
communication streams of the OpenEdge environment
that can be secured with the SSL protocol

25
Progress Infrastructure Generic (cont)

Change Broker Owners

26
Progress Infrastructure Generic (cont)

Use the requireusername and admingroup to start
the AdminServer

gtproadsv -start -requireusername -admingroup
Administrators OpenEdge Release 10.1B as of Wed
Jan 10 122131 EST 2007 gtwtbman -start -name
Exchange2007 OpenEdge Release 10.1B as of Wed Jan
10 122131 EST 2007 Connecting to Progress
AdminServer using rmi//localhost20931/Chimera
(8280) Searching for Exchange2007
(8288) Connecting to Exchange2007 (8276) User
not authenticated (8304)
27
Progress Infrastructure Generic (cont)

Rename the WSA and AIA files to remove them from
the URL. Makes it harder for hackers to find out
what you are
WSA and AIA
Rename the directory to change it from WSA or AIA
Modify the WEB.XML files to suit

28
Progress Infrastructure Generic (cont)

Rename the WebSpeed Messenger files to remove
them from the URL. Makes it harder for hackers
to find out what you are
WebSpeed Messenger
Windows, see the cgiip.wsc file in
C\inetpub\scripts for information (do not use
.wsc, choose another extension)
Unix/Linux, just rename the messenger example
script wspd_cgi.sh

29
Progress Infrastructure AppServer

Make the AppServer Broker run without DEBUG

30
Progress Infrastructure WebSpeed

Make the WebSpeed Broker run in PRODUCTION mode

31
Progress Infrastructure WebSpeed (cont)

Make the WebSpeed Broker run without DEBUG

32
Progress Infrastructure WebSpeed (cont)
Remove the Generated by Webspeed Message (OE10)
... / Output any pending messages / IF
available-messages(?) THEN output-messages("al
l", ?, "Messages"). IF CAN-DO
("text/html,text/x-server-parsed-html",output-co
ntent-type) THEN OUT "nnlt!--
Generated by Webspeed http//www.webspeed.
com/ --gtn"U. OUTPUT WEBSTREAM CLOSE. ...
33
Progress Infrastructure WebSpeed (cont)

Minimize access to the WebSpeed Messenger
Administration tool

34
Progress Infrastructure WebServices Adapter

Minimize access to the WebServices Adapter
Administration tool

35
Agenda

AppServer and WebSpeed components
Sample deployments
Security
Network
Machines
Progress Infrastructure
Application
Database
Summary

36
Application Security Generic

Use RCODEKEY and DBAUTHKEY to limit which .Rs
can run against the database
CLIENT-PRINCIPAL object
Program defensively
Make sure it fails in a secure manner
Never accept parameters from a user without
verification

37
Application Security WebSpeed

Modify WEB-DISP.P to
Check using the user-id and limit access to
programs
Make sure they are logged on
Remove access to DEBUG, PING and RESET
Pass parameters in an encrypted manner
Reconnect to the database if not connected

38
Application Security WebSpeed (cont)
Old WEB-DISP.P code
... AppProgram (IF AppProgram "debug"U THEN
"webutil/debug.p"U ELSE (IF
AppProgram "ping"U THEN "webutil/ping.p"U
ELSE (IF AppProgram "reset"U
THEN "webutil/reset.p"U ELSE
AppProgram))). RUN run-web-object IN
web-utilities-hdl (AppProgram) NO-ERROR. ...
39
Application Security WebSpeed (cont)
New SECURE-WEB-DISP.P code
... vGUID get-field ("GUID"). find first tState
where tState.GUIDField vGUID. if not available
tState then AppProgram "logon.r". else if not
can-find (tProgs where tProgs.UsersID
tState.UsersID and tProgs.ProgID
AppProgram) then AppProgram
"invalidprogram.r". RUN run-web-object IN
web-utilities-hdl (AppProgram) NO-ERROR. ...
40
Application Security AppServer

Use the CONNECT or STARTUP procedure to set the
available programs via the EXPORT method on the
SESSION handle

41
Application Security AppServer (cont)
Client Code for connecting to the AppServer
DEFINE VARIABLE hAppSrv AS HANDLE
NO-UNDO. DEFINE VARIABLE lOK AS LOGICAL
NO-UNDO. CREATE SERVER hAppSrv. lOK
hAppSrvCONNECT ("-AppService inventory",
"FRED",
"MYPASSWORD"). ... RUN XXX.P ON
hAppSrv. ... hAppSrvDISCONNECT ()
NO-ERROR. DELETE OBJECT hAppSrv NO-ERROR.
42
Application Security AppServer (cont)
Server Code in CONNECT.P
DEFINE INPUT PARAMETER pUserID AS
CHARACTER. DEFINE INPUT PARAMETER pPassWd AS
CHARACTER. DEFINE INPUT PARAMETER pASInfo AS
CHARACTER. find first tUsers where
tUsers.UsersID pUserID and
tUsers.PassWd pPassWd
no-lock no-error. if available tUsers then
SESSIONEXPORT (tUsers.AllowedProgsList). else
RETURN ERROR "Invalid UserId and/or Password".
43
Agenda

AppServer and WebSpeed components
Sample deployments
Security
Network
Machines
Progress Infrastructure
Application
Database
Summary

44
Database Security

This is the last line of defence
Hopefully all the other techniques have managed
to stop the intruders

45
Database Security (cont)

Encryption
Individual fields via the ENCRYPT function
Entire Database via operating system filesystem
Linux dm-crypt and others
Solaris zfs (one day)
IBM Cant find a reference
HP Cant find a reference
Windows Many solutions
Hardware Device
Seagate Momentus 5400 FDE.2

46
Database Security (cont)

CAN-READ, CAN-WRITE, etc
Compile time security
Dynamic queries use these fields, so may cause
issues
Disallow the Blank userid
Use File system permissions on Database files to
minimise access to users

47
Database Security (cont)

If not needed, do not install SQL-92 Database
facilities
Set up SQL-92 Database security to minimise
ODBC/JDBC access by using the GRANT command
GRANT SELECT ON customer TO dbuser2

48
Agenda