COMP11:Best practices for Deploying AppServer and WebSpeed - PowerPoint PPT Presentation

About This Presentation
Title:

COMP11:Best practices for Deploying AppServer and WebSpeed

Description:

Check using the user-id and limit access to programs. Make sure they ... Set up SQL-92 Database security to minimise ODBC/JDBC access by using the GRANT command ... – PowerPoint PPT presentation

Number of Views:182
Avg rating:3.0/5.0
Slides: 55
Provided by: downlo6
Category:

less

Transcript and Presenter's Notes

Title: COMP11:Best practices for Deploying AppServer and WebSpeed


1
COMP-11 Best practices for Deploying AppServer
and WebSpeed
Doug Merrett
Senior Solution EngineerProgress Software UK
2
Agenda
  • AppServer and WebSpeed components
  • Sample deployments
  • Security
  • Network
  • Machines
  • Progress Infrastructure
  • Application
  • Database
  • Summary

3
Generic OpenEdge Server Architecture
OpenEdge Server Host
Progress ExplorerorManagement Utilities
AdminServer
Client Process
ubroker.properties
NameServer
OpenEdgeServerBroker
Text Editor, MERGEPROPorConfiguration Utilities
OpenEdgeServerAgents/Servers
4
WebSpeed OpenEdge Server Architecture
OpenEdge Server Host
Progress ExplorerorManagement Utilities
AdminServer
WebSpeedMessenger
ubroker.properties
NameServer
WebSpeedBroker
Text Editor, MERGEPROPorConfiguration Utilities
WebSpeedAgents
5
AppServer OpenEdge Server Architecture
OpenEdge Server Host
Progress ExplorerorManagement Utilities
AdminServer
Any Client,AIA,AIA/Sor WSA
ubroker.properties
NameServer
AppServerBroker
Text Editor, MERGEPROPorConfiguration Utilities
AppServerServers
6
General Round Trip for a Request
NameServer
Client
Broker
Agents or Servers
7
General Round Trip for a Request
  • Step 0 Broker sends details to NameServer
  • Step 1 Client requests Service from NameServer
  • Step 2 NameServer responds with Broker details
  • Step 3 Client connects to Broker and requests a
    Server to handle the request
  • Step 4 Broker responds with Servers details
  • Step 5 Client connects with Server and
    passes request information
  • Step 6 Server sends response

8
Agenda
  • AppServer and WebSpeed components
  • Sample deployments
  • Security
  • Network
  • Machines
  • Progress Infrastructure
  • Application
  • Database
  • Summary

9
Sample Deployment Development
Development Server
Web Server WebSpeed Messenger
Web.PL .R
WebSpeed
Developers PC
Common.PL .R
Dev Tools
AppServer
AppServ.PL .R
Database
10
Sample Deployments Production Intranet
Production Server
Web Server WebSpeed Messenger
Web.PL
WebSpeed
Users PC
Common.PL
GUI/Char Client or Browser
AppServer
AppServ.PL
Database
11
Sample Deployments Production Internet
DMZ
Internal Network
InternetName Server
Internet
Web Server
WebSpeed Broker
WebSpeed Messenger
WebSpeed Agents
Protocol TCP
Protocol UDP
12
Agenda
  • AppServer and WebSpeed components
  • Sample deployments
  • Security
  • Network
  • Machines
  • Progress Infrastructure
  • Application
  • Database
  • Summary

13
Network Security
  • The reason for network security is to keep the
    bad guys out, but still allow access from the
    public internet
  • Data travelling over the internet may need to be
    protected from being read and/or modified
  • Remember that nothing is 100 secure, all we can
    do is make it as hard as possible to break our
    security

14
Network Security Border patrol
  • The first line of defence is the Firewall

Firewalls
15
Network Security SSL
  • SSL (Secure Socket Layer) a protocol to encrypt
    TCP/IP traffic over a network
  • Used correctly, all the communications between
    the client and the server are encrypted and will
    not be able to be broken
  • Commonly used on Web sites that take credit card
    details
  • SSL will slow down performance due to the
    overhead of encrypting and decrypting
  • In a reasonable timeframe any encryption can
    be broken, it just depends on how long you wish
    to wait!

16
Network Security Progress specific
  • Only install AIA, AIA/S, WSA or WebSpeed
    Messenger on a machine the DMZ
  • Do not use standard ports or names for the Name
    Server, Broker and Agents/Servers
  • Delete the WSBROKER1, ASBROKER1, NS1, etc
  • Re-create the appropriate brokers, using
    non-standard ports
  • Dont use port 5162 for the Name Server or call
    it NS1 for example

17
Network Security Progress specific (cont)
  • If you need the WebSpeed Messenger, AIA or WSA go
    to the www.progress.com/openedge/support web
    page, click on the download link on the bottom
    right of the page
  • Use your usual ESD login or if required, there is
    an option to register for downloading Deployment
    Components

18
Network Security Progress specific (cont)
  • These components are on the OpenEdge media, so
    just use the control codes and serial number from
    the Download Centre if you have the CD for the
    required platform

19
Agenda
  • AppServer and WebSpeed components
  • Sample deployments
  • Security
  • Network
  • Machines
  • Progress Infrastructure
  • Application
  • Database
  • Summary

20
Machine Security
  • Limit physical access to the machine
  • Minimise services running
  • Change userid from root/administrator to stop
    people guessing the login id
  • Windows 2000http//support.microsoft.com/kb/32005
    3
  • Windows 2003http//support.microsoft.com/kb/81610
    9
  • Windows XPhttp//support.microsoft.com/kb/555441

21
Machine Security (cont)
  • Implement password security routines that force
    regular changes and also enforce strong passwords
    (alpha-numeric)
  • Regularly check machine logs for intrusion
    attempts (Firewall, DMZ server and Internal
    server)
  • Apply the vendor patches (after thorough testing)
  • Create users and groups that have limited access
    via the operating system to the Progress and
    application directories

22
Agenda
  • AppServer and WebSpeed components
  • Sample deployments
  • Security
  • Network
  • Machines
  • Progress Infrastructure
  • Application
  • Database
  • Summary

23
Progress Infrastructure Generic
  • Remove .R and .PL files from the DLC directory
    that are not required to run your application
  • Remove the proDebugEnable, _debugEnable,
    proDebugConfig and _debugConfig commands from the
    DLC/bin directory of your production machine
  • Use SSL with OpenEdge 10 to communicate between
    Progress components

24
Progress Infrastructure Generic (cont)
  • This diagram comes from the Core Business
    Services manual in OpenEdge 10.1B and shows the
    communication streams of the OpenEdge environment
    that can be secured with the SSL protocol

25
Progress Infrastructure Generic (cont)
  • Change Broker Owners

26
Progress Infrastructure Generic (cont)
  • Use the requireusername and admingroup to start
    the AdminServer

gtproadsv -start -requireusername -admingroup
Administrators OpenEdge Release 10.1B as of Wed
Jan 10 122131 EST 2007 gtwtbman -start -name
Exchange2007 OpenEdge Release 10.1B as of Wed Jan
10 122131 EST 2007 Connecting to Progress
AdminServer using rmi//localhost20931/Chimera
(8280) Searching for Exchange2007
(8288) Connecting to Exchange2007 (8276) User
not authenticated (8304)
27
Progress Infrastructure Generic (cont)
  • Rename the WSA and AIA files to remove them from
    the URL. Makes it harder for hackers to find out
    what you are
  • WSA and AIA
  • Rename the directory to change it from WSA or AIA
  • Modify the WEB.XML files to suit

28
Progress Infrastructure Generic (cont)
  • Rename the WebSpeed Messenger files to remove
    them from the URL. Makes it harder for hackers
    to find out what you are
  • WebSpeed Messenger
  • Windows, see the cgiip.wsc file in
    C\inetpub\scripts for information (do not use
    .wsc, choose another extension)
  • Unix/Linux, just rename the messenger example
    script wspd_cgi.sh

29
Progress Infrastructure AppServer
  • Make the AppServer Broker run without DEBUG

30
Progress Infrastructure WebSpeed
  • Make the WebSpeed Broker run in PRODUCTION mode

31
Progress Infrastructure WebSpeed (cont)
  • Make the WebSpeed Broker run without DEBUG

32
Progress Infrastructure WebSpeed (cont)
Remove the Generated by Webspeed Message (OE10)
... / Output any pending messages / IF
available-messages(?) THEN output-messages("al
l", ?, "Messages"). IF CAN-DO
("text/html,text/x-server-parsed-html",output-co
ntent-type) THEN OUT "nnlt!--
Generated by Webspeed http//www.webspeed.
com/ --gtn"U. OUTPUT WEBSTREAM CLOSE. ...
33
Progress Infrastructure WebSpeed (cont)
  • Minimize access to the WebSpeed Messenger
    Administration tool

34
Progress Infrastructure WebServices Adapter
  • Minimize access to the WebServices Adapter
    Administration tool

35
Agenda
  • AppServer and WebSpeed components
  • Sample deployments
  • Security
  • Network
  • Machines
  • Progress Infrastructure
  • Application
  • Database
  • Summary

36
Application Security Generic
  • Use RCODEKEY and DBAUTHKEY to limit which .Rs
    can run against the database
  • CLIENT-PRINCIPAL object
  • Program defensively
  • Make sure it fails in a secure manner
  • Never accept parameters from a user without
    verification

37
Application Security WebSpeed
  • Modify WEB-DISP.P to
  • Check using the user-id and limit access to
    programs
  • Make sure they are logged on
  • Remove access to DEBUG, PING and RESET
  • Pass parameters in an encrypted manner
  • Reconnect to the database if not connected

38
Application Security WebSpeed (cont)
Old WEB-DISP.P code
... AppProgram (IF AppProgram "debug"U THEN
"webutil/debug.p"U ELSE (IF
AppProgram "ping"U THEN "webutil/ping.p"U
ELSE (IF AppProgram "reset"U
THEN "webutil/reset.p"U ELSE
AppProgram))). RUN run-web-object IN
web-utilities-hdl (AppProgram) NO-ERROR. ...
39
Application Security WebSpeed (cont)
New SECURE-WEB-DISP.P code
... vGUID get-field ("GUID"). find first tState
where tState.GUIDField vGUID. if not available
tState then AppProgram "logon.r". else if not
can-find (tProgs where tProgs.UsersID
tState.UsersID and tProgs.ProgID
AppProgram) then AppProgram
"invalidprogram.r". RUN run-web-object IN
web-utilities-hdl (AppProgram) NO-ERROR. ...
40
Application Security AppServer
  • Use the CONNECT or STARTUP procedure to set the
    available programs via the EXPORT method on the
    SESSION handle

41
Application Security AppServer (cont)
Client Code for connecting to the AppServer
DEFINE VARIABLE hAppSrv AS HANDLE
NO-UNDO. DEFINE VARIABLE lOK AS LOGICAL
NO-UNDO. CREATE SERVER hAppSrv. lOK
hAppSrvCONNECT ("-AppService inventory",
"FRED",
"MYPASSWORD"). ... RUN XXX.P ON
hAppSrv. ... hAppSrvDISCONNECT ()
NO-ERROR. DELETE OBJECT hAppSrv NO-ERROR.
42
Application Security AppServer (cont)
Server Code in CONNECT.P
DEFINE INPUT PARAMETER pUserID AS
CHARACTER. DEFINE INPUT PARAMETER pPassWd AS
CHARACTER. DEFINE INPUT PARAMETER pASInfo AS
CHARACTER. find first tUsers where
tUsers.UsersID pUserID and
tUsers.PassWd pPassWd
no-lock no-error. if available tUsers then
SESSIONEXPORT (tUsers.AllowedProgsList). else
RETURN ERROR "Invalid UserId and/or Password".
43
Agenda
  • AppServer and WebSpeed components
  • Sample deployments
  • Security
  • Network
  • Machines
  • Progress Infrastructure
  • Application
  • Database
  • Summary

44
Database Security
  • This is the last line of defence
  • Hopefully all the other techniques have managed
    to stop the intruders

45
Database Security (cont)
  • Encryption
  • Individual fields via the ENCRYPT function
  • Entire Database via operating system filesystem
  • Linux dm-crypt and others
  • Solaris zfs (one day)
  • IBM Cant find a reference
  • HP Cant find a reference
  • Windows Many solutions
  • Hardware Device
  • Seagate Momentus 5400 FDE.2

46
Database Security (cont)
  • CAN-READ, CAN-WRITE, etc
  • Compile time security
  • Dynamic queries use these fields, so may cause
    issues
  • Disallow the Blank userid
  • Use File system permissions on Database files to
    minimise access to users

47
Database Security (cont)
  • If not needed, do not install SQL-92 Database
    facilities
  • Set up SQL-92 Database security to minimise
    ODBC/JDBC access by using the GRANT command
  • GRANT SELECT ON customer TO dbuser2

48
Agenda
  • AppServer and WebSpeed components
  • Sample deployments
  • Security
  • Network
  • Machines
  • Progress Infrastructure
  • Application
  • Database
  • Summary

49
In Summary
  • Always deploy for the Internet or Extranet using
    a Firewall and DMZ
  • Secure your machines, application and network
  • Turn off Development in WebSpeed

50
Questions?
51
Relevant Exchange Sessions
  • INT-10 Understanding the AppServer, Inside-out
  • COMP-1 Securing your web application against
    hackers
  • DB-14 OpenEdge Database Run-Time Security
    Revealed
  • DEV-4 OpenEdge in an LDAP World

52
For More Information, go to
  • Documentation
  • OpenEdge Getting Started Core Business Services
  • Security and authentication
  • OpenEdge Revealed Achieving Server Control with
    Fathom Management
  • OpenEdge Application Server Administration

53
For More Information, go to
  • Progress Software Knowledgebase
  • 19533 Running WebSpeed in Production Mode
  • P22658 The new DATABASES environment variable
    for WebSpeed

54
Thank you foryour time
Write a Comment
User Comments (0)
About PowerShow.com