OpenEdge Manager is a Java web application that provides a REST API for remote administration of the OpenEdge web applications and multi-session agents. OpenEdge Manager duplicates the administration API supported by the JMX interface from Tomcat, but it uses JSON input/output payloads instead. The oemanager.war file is required to use REST APIs to manage and monitor ABL applications and the PAS for OpenEdge instances on which they are hosted.

However, if you use either Tomcat Manager or OpenEdge Manager for remote administration, Progress strongly recommends that you take the following actions to ensure the security of the PAS for OpenEdge instance and deployed web applications:

  1. Limit access to the Tomcat Manager and OpenEdge Manager endpoint URLs that enable management of the PAS for OpenEdge instance.
  2. Change the default passwords for the Tomcat server.

Limit access to URLs used for management

You control access to the endpoint URLs of the Tomcat Manager or OpenEdge Manager web applications that are used for remote management of a PAS for OpenEdge instance by means of the Remote Address Valve class. You configure the Remote Address Valve on Tomcat Manager or OpenEdge Manager by specifying one or more Java RegEx (java.util.regex) expressions. When a client attempts to access a Tomcat Manager or OpenEdge Manager endpoint URL, the IP address of that client is evaluated against the RegEx expressions to determine whether the client request can continue or be refused.

To configure the Remote Address Valve for a Tomcat Manager or OpenEdge Manager endpoint URL:

  1. Open the following file in a text editor:
    CATALINA_BASE/webapps/[manager|oemanager]/META-INF/context.xml
  2. Uncomment, if necessary, the <Valve> element that specifies the RemoteAddrValve class, and specify a Java RegEx expression for the allow property that limits access to only the permitted IPv4/IPv6 localhost address.

    For example:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

Note the following:

  • Remember to use Java RegEx expressions when you need to adjust the allow property values.
  • By default, the deny property is not set, so you can control access with the allow property alone. The denyStatus property, which sets the HTTP response status code returned for a rejected request, defaults to 403.
  • When the RemoteAddrValve class is configured correctly, an unauthorized client that attempts to access the /manager or /oemanager endpoints receives an HTTP 403 response.
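The following Python snippet is an added illustration, not part of the Progress documentation or of Tomcat: it reproduces the valve's allow/deny decision order (deny is checked first, then allow, and a deny-only configuration admits whatever was not denied) and evaluates the context.xml allow pattern above against a few constructed client addresses. Java's Matcher.matches() requires the whole address to match, so re.fullmatch() is used as the equivalent.

```python
import re

# Decision order of Tomcat's RequestFilterValve (which RemoteAddrValve
# extends), reproduced here for illustration: deny wins, then allow, and a
# deny-only configuration admits everything that was not denied.
def is_allowed(client_ip, allow=None, deny=None):
    """Return True if client_ip would pass the valve's address filter.

    Java's Matcher.matches() matches the whole string, so re.fullmatch()
    is the equivalent anchoring in Python."""
    if deny is not None and re.fullmatch(deny, client_ip):
        return False
    if allow is not None and re.fullmatch(allow, client_ip):
        return True
    # With only a deny list configured, anything not denied is permitted.
    return deny is not None and allow is None

# The allow value from the context.xml example on this page.
LOCALHOST_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

def check_localhost_policy():
    """Evaluate the page's allow pattern against constructed client
    addresses and return {address: allowed?}."""
    samples = [
        "127.0.0.1",          # IPv4 loopback
        "127.1.2.3",          # any 127/8 address also matches the pattern
        "::1",                # IPv6 loopback, compressed form
        "0:0:0:0:0:0:0:1",    # IPv6 loopback, expanded form
        "10.0.0.5",           # remote client on the LAN
        "192.168.1.127",      # contains "127" but does not fully match
        "127.0.0.1.evil",     # trailing junk defeats a full match
    ]
    return {ip: is_allowed(ip, allow=LOCALHOST_ALLOW) for ip in samples}

if __name__ == "__main__":
    for ip, ok in check_localhost_policy().items():
        print(f"{ip:20} -> {'allowed' if ok else 'denied (HTTP 403)'}")
```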

Change the default passwords

Changing the default passwords in Tomcat involves two separate procedures:

  • Updating the password for the PAS for OpenEdge instance in the CATALINA_BASE/conf/tomcat-users.xml file
  • Updating the administrator credentials in the OpenEdge Management Console

To change the default passwords:

  1. Create a backup of the following files:
    • CATALINA_BASE/conf/server.xml
    • CATALINA_BASE/conf/tomcat-users.xml
  2. Open CATALINA_BASE/conf/server.xml in a text editor.
  3. Disable the default UserDatabase realm definition by specifying the off value. For example:
    <!-- feature:begin:UserDatabase:off
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                resourceName="UserDatabase" />
     feature:end:UserDatabase:off -->
  4. Create and enable a new feature definition for UserDatabase that uses the CredentialHandler class. For example:
    <!-- feature:begin:UserDatabase-pbkdf2:on -->
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                resourceName="UserDatabase" >
              <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                   algorithm="PBKDF2WithHmacSHA512"
                   iterations="10000"
                   saltLength="16"
                   keyLength="256" />
            </Realm>
    <!-- feature:end:UserDatabase-pbkdf2:on -->

    In the preceding example:

    • PBKDF2 is FIPS compliant and is the strongest credential-handler algorithm that Tomcat currently supports.
    • The more iterations you specify, the slower each password hash is to compute.
  5. Save your changes to CATALINA_BASE/conf/server.xml.
  6. Change to the DLC/servers/pasoe/bin directory.
  7. Run the digest utility to generate a new user password. For example:
    digest -a PBKDF2WithHmacSHA512 -i 10000 -s 16 -k 256 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" password

    In the preceding example:

    • The parameters for generating the password must exactly match those specified for the CredentialHandler class in server.xml.
    • The string password is a plain-text password.
  8. Allow the program a moment to run. Then observe the output, which should be displayed as <password>:<hash>.
  9. Open CATALINA_BASE/conf/tomcat-users.xml in an editor, and make the following changes:
    • Comment out any username definitions that are not to be used by your application or organization.
    • Update the tomcat user, or create a new username, providing the <hash> value from the previous step as the password.
    • Make sure that your target user definition has been provided the roles of "ROLE_PSCAdmin,ROLE_PSCOper,ROLE_PSCUser".
  10. Start (or restart) your PAS for OpenEdge instance to put all of the changes to the application's security into effect.
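As an added example (not the digest utility's code or any Progress code), the Python below produces a credential in the form Tomcat's SecretKeyCredentialHandler stores it, salt-hex$iterations$derived-key-hex, using the same PBKDF2WithHmacSHA512 parameters as the server.xml example, and then verifies a candidate password against it. The verify function shows why step 7's parameters must match server.xml: the salt and iteration count travel inside the stored string, but the algorithm and key length come only from the realm configuration.

```python
import hashlib
import hmac
import secrets

# Parameters from the server.xml CredentialHandler example on this page.
ALGORITHM = "PBKDF2WithHmacSHA512"   # JCE name; mapped to a hashlib PRF below
ITERATIONS = 10000
SALT_LENGTH = 16                     # bytes
KEY_LENGTH = 256                     # bits

_PRF = {"PBKDF2WithHmacSHA512": "sha512", "PBKDF2WithHmacSHA256": "sha256"}

def tomcat_pbkdf2_hash(password, salt=None, iterations=ITERATIONS,
                       key_length=KEY_LENGTH, algorithm=ALGORITHM):
    """Return a credential in Tomcat's stored form:
    <salt-hex>$<iterations>$<derived-key-hex>.

    Assumption: this mirrors the value the digest utility prints after the
    colon in "<password>:<hash>"; it is not the utility's own code."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LENGTH)
    dk = hashlib.pbkdf2_hmac(_PRF[algorithm], password.encode("utf-8"),
                             salt, iterations, dklen=key_length // 8)
    return f"{salt.hex()}${iterations}${dk.hex()}"

def verify(stored, candidate, key_length=KEY_LENGTH, algorithm=ALGORITHM):
    """Check a plaintext candidate against a stored credential.

    Salt and iteration count are parsed from the stored string; algorithm
    and key length are realm configuration, so a realm configured with
    different values cannot validate the hash."""
    salt_hex, iter_str, dk_hex = stored.split("$")
    expected = hashlib.pbkdf2_hmac(_PRF[algorithm], candidate.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iter_str),
                                   dklen=key_length // 8).hex()
    # Constant-time comparison, as a credential handler should use.
    return hmac.compare_digest(expected, dk_hex)

if __name__ == "__main__":
    h = tomcat_pbkdf2_hash("password")          # random 16-byte salt
    print(f"password:{h}")
    print("correct password accepted: ", verify(h, "password"))
    print("wrong password rejected:   ", not verify(h, "Password"))
    # A realm configured with keyLength="512" cannot validate a 256-bit hash.
    print("mismatched keyLength fails:", not verify(h, "password", key_length=512))
```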

After you set the new password for the PAS for OpenEdge instance, you must update the OpenEdge Management Console with new administrator credentials.

To update the administrator credentials in the OpenEdge Management Console:

  1. Start the OpenEdge Management Console, if necessary.
  2. Under the Resources section, navigate to the PAS for OpenEdge instance.
  3. Select the Configuration tab from the menu on the left.
  4. Enter the new password, in plain text, in both the Tomcat manager password and OpenEdge manager password fields.

    If you change the administrator username, then update the respective login fields as well.

  5. Save your changes, then click Test Connection at the bottom of the page to confirm your changes.

    The updated passwords are encoded in the DLC/properties/pasmgr.properties file as tomcatMgrPassword and webPassword.

Best practice

As a sanity test, first create a hash of the default password tomcat and test your OpenEdge Manager endpoint URL with the default credentials. This confirms that the password you enter at the credentials prompt behaves as expected. Then hash a new password, update the tomcat-users.xml file, restart your PAS for OpenEdge instance, and confirm that the old password is rejected and the new password is accepted.

Note: PAS for OpenEdge includes a lockout mechanism for accounts for which an incorrect password is entered too many times. By default, the lockout occurs after 5 incorrect passwords are entered. You can set the lockout value in the psc.as.realm.failureCount property in the CATALINA_BASE/conf/catalina.properties file. Because so many internal services attempt to use the default tomcat account, changing this password in the PAS for OpenEdge instance, but not in the calling programs, can cause the lockout mechanism to be triggered quickly; consequently, the account is locked out for 300 seconds. As a workaround, while you work on updating passwords elsewhere, you can temporarily change the failureCount property to a higher number and restart the PAS for OpenEdge instance. Then after you have changed all of the passwords for your default administrator account, restore this value to the default and restart the PAS for OpenEdge instance.