Title: Best practices for Deploying AppServer and WebSpeed
1Best practices for Deploying AppServer and
WebSpeed
Doug Merrett
Senior Solution Engineer EMEAProgress Software
2Agenda
- AppServer and WebSpeed components
- Sample deployments
- Security
- Network
- Machines
- Progress Infrastructure
- Application
- Database
- Summary
3Generic OpenEdge Server Architecture
OpenEdge Server Host
Progress ExplorerorManagement Utilities
AdminServer
Client Process
ubroker.properties
NameServer
OpenEdgeServerBroker
Text Editor, MERGEPROPorConfiguration Utilities
OpenEdgeServerAgents/Servers
4WebSpeed OpenEdge Server Architecture
OpenEdge Server Host
Progress ExplorerorManagement Utilities
AdminServer
WebSpeedMessenger
ubroker.properties
NameServer
WebSpeedBroker
Text Editor, MERGEPROPorConfiguration Utilities
WebSpeedAgents
5AppServer OpenEdge Server Architecture
OpenEdge Server Host
Progress ExplorerorManagement Utilities
AdminServer
Any Client,AIA,AIA/Sor WSA
ubroker.properties
NameServer
AppServerBroker
Text Editor, MERGEPROPorConfiguration Utilities
AppServerServers
6General Round Trip for a Request
NameServer
Client
Broker
Agents or Servers
7General Round Trip for a Request
- Step 0 Broker sends details to NameServer
- Step 1 Client requests Service from NameServer
- Step 2 NameServer responds with Broker details
- Step 3 Client connects to Broker and requests a
Server to handle the request - Step 4 Broker responds with Servers details
- Step 5 Client connects with Server and
passes request information - Step 6 Server sends response
8Agenda
- AppServer and WebSpeed components
- Sample deployments
- Security
- Network
- Machines
- Progress Infrastructure
- Application
- Database
- Summary
9Sample Deployment Development
Development Server
Web Server WebSpeed Messenger
Web.PL .R
WebSpeed
Developers PC
Common.PL .R
Dev Tools
AppServer
AppServ.PL .R
Database
10Sample Deployments Production Intranet
Production Server
Web Server WebSpeed Messenger
Web.PL
WebSpeed
Users PC
Common.PL
GUI/Char Client or Browser
AppServer
AppServ.PL
Database
11Sample Deployments Production Internet
DMZ
Internal Network
InternetName Server
Internet
Web Server
WebSpeed Broker
WebSpeed Messenger
WebSpeed Agents
Protocol TCP
Protocol UDP
12Agenda
- AppServer and WebSpeed components
- Sample deployments
- Security
- Network
- Machines
- Progress Infrastructure
- Application
- Database
- Summary
13Network Security
- The reason for network security is to keep the
bad guys out, but still allow access from the
public internet - Data travelling over the internet may need to be
protected from being read and/or modified - Remember that nothing is 100 secure, all we can
do is make it as hard as possible to break our
security
14Network Security Border patrol
- The first line of defence is the Firewall
Firewalls
15Network Security SSL
- SSL (Secure Socket Layer) a protocol to encrypt
TCP/IP traffic over a network - Used correctly, all the communications between
the client and the server are encrypted and will
not be able to be broken - Commonly used on Web sites that take credit card
details - SSL will slow down performance due to the
overhead of encrypting and decrypting
- In a reasonable timeframe any encryption can
be broken, it just depends on how long you wish
to wait!
16Network Security Progress specific
- Only install AIA, AIA/S, WSA or WebSpeed
Messenger on a machine the DMZ - Do not use standard ports or names for the Name
Server, Broker and Agents/Servers - Delete the WSBROKER1, ASBROKER1, NS1, etc
- Re-create the appropriate brokers, using
non-standard ports - Dont use port 5162 for the Name Server or call
it NS1 for example
17Network Security Progress specific (cont)
- If you need the WebSpeed Messenger, AIA or WSA go
to the www.progress.com/openedge/support web
page, click on the download link on the bottom
right of the page - Use your usual ESD login or if required, there is
an option to register for downloading Deployment
Components
18Network Security Progress specific (cont)
- These components are on the OpenEdge media, so
just use the control codes and serial number from
the Download Centre if you have the CD for the
required platform
19Agenda
- AppServer and WebSpeed components
- Sample deployments
- Security
- Network
- Machines
- Progress Infrastructure
- Application
- Database
- Summary
20Machine Security
- Limit physical access to the machine
- Minimise services running
- Change userid from root/administrator to stop
people guessing the login id - Windows 2000http//support.microsoft.com/kb/32005
3 - Windows 2003http//support.microsoft.com/kb/81610
9 - Windows XPhttp//support.microsoft.com/kb/555441
21Machine Security (cont)
- Implement password security routines that force
regular changes and also enforce strong passwords
(alpha-numeric) - Regularly check machine logs for intrusion
attempts (Firewall, DMZ server and Internal
server) - Apply the vendor patches (after thorough testing)
- Create users and groups that have limited access
via the operating system to the Progress and
application directories
22Agenda
- AppServer and WebSpeed components
- Sample deployments
- Security
- Network
- Machines
- Progress Infrastructure
- Application
- Database
- Summary
23Progress Infrastructure Generic
- Remove .R and .PL files from the DLC directory
that are not required to run your application - Remove the proDebugEnable, _debugEnable,
proDebugConfig and _debugConfig commands from the
DLC/bin directory of your production machine - Use SSL with OpenEdge 10 to communicate between
Progress components
24Progress Infrastructure Generic (cont)
- This diagram comes from the Core Business
Services manual in OpenEdge 10.1B and shows the
communication streams of the OpenEdge environment
that can be secured with the SSL protocol
25Progress Infrastructure Generic (cont)
26Progress Infrastructure Generic (cont)
- Use AdminServerPlugins.properties to hide the
AdminPort from the ps -ef command
Policy for the AdminServer itself. This
group is processed by both the jvmStart tool
and the AdminServer bootstrap. ... The
following additional properties are allowed for
this group only port - port where the
AdminServer process resides adminport -
Communication port between the AdminServer and
databases PluginPolicy.Progress.AdminServer
classpathC\DLC101B/java/ext/jmxri.jar, ...
jvmargs pluginclasspath!value-ofclasspath
27Progress Infrastructure Generic (cont)
- Use the requireusername and admingroup to start
the AdminServer
gtproadsv -start -requireusername -admingroup
Administrators OpenEdge Release 10.1B as of Wed
Jan 10 122131 EST 2007 gtwtbman -start -name
Exchange2007 OpenEdge Release 10.1B as of Wed Jan
10 122131 EST 2007 Connecting to Progress
AdminServer using rmi//localhost20931/Chimera
(8280) Searching for Exchange2007
(8288) Connecting to Exchange2007 (8276) User
not authenticated (8304)
28Progress Infrastructure Generic (cont)
- Rename the WSA and AIA files to remove them from
the URL. Makes it harder for hackers to find out
what you are - WSA and AIA
- Rename the directory to change it from WSA or AIA
- Modify the WEB.XML files to suit
29Progress Infrastructure Generic (cont)
- Rename the WebSpeed Messenger files to remove
them from the URL. Makes it harder for hackers
to find out what you are - WebSpeed Messenger
- Windows, see the cgiip.wsc file in
C\inetpub\scripts for information (do not use
.wsc, choose another extension) - Unix/Linux, just rename the messenger example
script wspd_cgi.sh
30Progress Infrastructure AppServer
- Make the AppServer Broker run without DEBUG
31Progress Infrastructure WebSpeed
- Make the WebSpeed Broker run in PRODUCTION mode
32Progress Infrastructure WebSpeed (cont)
- Make the WebSpeed Broker run without DEBUG
33Progress Infrastructure WebSpeed (cont)
Remove the Generated by Webspeed Message (OE10)
... / Output any pending messages / IF
available-messages(?) THEN output-messages("al
l", ?, "Messages"). IF CAN-DO
("text/html,text/x-server-parsed-html",output-co
ntent-type) THEN OUT "nnlt!--
Generated by Webspeed http//www.webspeed.
com/ --gtn"U. OUTPUT WEBSTREAM CLOSE. ...
34Progress Infrastructure WebSpeed (cont)
- Minimize access to the WebSpeed Messenger
Administration tool
35Progress Infrastructure WebServices Adapter
- Minimize access to the WebServices Adapter
Administration tool
36Agenda
- AppServer and WebSpeed components
- Sample deployments
- Security
- Network
- Machines
- Progress Infrastructure
- Application
- Database
- Summary
37Application Security Generic
- Use RCODEKEY and DBAUTHKEY to limit which .Rs
can run against the database - CLIENT-PRINCIPAL object
- Program defensively
- Make sure it fails in a secure manner
- Never accept parameters from a user without
verification
38Application Security WebSpeed
- Modify WEB-DISP.P to
- Check using the user-id and limit access to
programs - Make sure they are logged on
- Remove access to DEBUG, PING and RESET
- Pass parameters in an encrypted manner
- Reconnect to the database if not connected
39Application Security WebSpeed (cont)
Old WEB-DISP.P code
... AppProgram (IF AppProgram "debug"U THEN
"webutil/debug.p"U ELSE (IF
AppProgram "ping"U THEN "webutil/ping.p"U
ELSE (IF AppProgram "reset"U
THEN "webutil/reset.p"U ELSE
AppProgram))). RUN run-web-object IN
web-utilities-hdl (AppProgram) NO-ERROR. ...
40Application Security WebSpeed (cont)
New SECURE-WEB-DISP.P code
... vGUID get-field ("GUID"). find first tState
where tState.GUIDField vGUID. if not available
tState then AppProgram "logon.r". else if not
can-find (tProgs where tProgs.UsersID
tState.UsersID and tProgs.ProgID
AppProgram) then AppProgram
"invalidprogram.r". RUN run-web-object IN
web-utilities-hdl (AppProgram) NO-ERROR. ...
41Application Security AppServer
- Use the CONNECT or STARTUP procedure to set the
available programs via the EXPORT method on the
SESSION handle
42Application Security AppServer (cont)
Client Code for connecting to the AppServer
DEFINE VARIABLE hAppSrv AS HANDLE
NO-UNDO. DEFINE VARIABLE lOK AS LOGICAL
NO-UNDO. CREATE SERVER hAppSrv. lOK
hAppSrvCONNECT ("-AppService inventory",
"FRED",
"MYPASSWORD"). ... RUN XXX.P ON
hAppSrv. ... hAppSrvDISCONNECT ()
NO-ERROR. DELETE OBJECT hAppSrv NO-ERROR.
43Application Security AppServer (cont)
Server Code in CONNECT.P
DEFINE INPUT PARAMETER pUserID AS
CHARACTER. DEFINE INPUT PARAMETER pPassWd AS
CHARACTER. DEFINE INPUT PARAMETER pASInfo AS
CHARACTER. find first tUsers where
tUsers.UsersID pUserID and
tUsers.PassWd pPassWd
no-lock no-error. if available tUsers then
SESSIONEXPORT (tUsers.AllowedProgsList). else
RETURN ERROR "Invalid UserId and/or Password".
44Agenda
- AppServer and WebSpeed components
- Sample deployments
- Security
- Network
- Machines
- Progress Infrastructure
- Application
- Database
- Summary
45Database Security
- This is the last line of defence
- Hopefully all the other techniques have managed
to stop the intruders
46Database Security (cont)
- Encryption
- Individual fields via the ENCRYPT function
- Entire Database via operating system filesystem
- Linux dm-crypt and others
- Solaris zfs (one day)
- IBM Cant find a reference
- HP Cant find a reference
- Windows Many solutions
- Hardware Device
- Seagate Barracuda FDE 3.5 1Tb 7200rpm
- Seagate Momentus 5400.4 2.5 250Gb
47Database Security (cont)
- CAN-READ, CAN-WRITE, etc
- Compile time security
- Dynamic queries use these fields, so may cause
issues - Disallow the Blank userid
- Use File system permissions on Database files to
minimise access to users
48Database Security (cont)
- If not needed, do not install SQL-92 Database
facilities - Set up SQL-92 Database security to minimise
ODBC/JDBC access by using the GRANT command - GRANT SELECT ON customer TO dbuser2
49Agenda
- AppServer and WebSpeed components
- Sample deployments
- Security
- Network
- Machines
- Progress Infrastructure
- Application
- Database
- Summary
50In Summary
- Always deploy for the Internet or Extranet using
a Firewall and DMZ - Secure your machines, application and network
- Turn off Development in WebSpeed
51Questions?
52Relevant Exchange Sessions
- INT-10 Understanding the AppServer, Inside-out
- COMP-1 Securing your web application against
hackers - DB-14 OpenEdge Database Run-Time Security
Revealed - DEV-4 OpenEdge in an LDAP World
53For More Information, go to
- Documentation
- OpenEdge Getting Started Core Business Services
- Security and authentication
- OpenEdge Revealed Achieving Server Control with
Fathom Management - OpenEdge Application Server Administration
54For More Information, go to
- Progress Software Knowledgebase
- 19533 Running WebSpeed in Production Mode
- P22658 The new DATABASES environment variable
for WebSpeed
55Thank you foryour time