External Security Administration Manager (ESAM) is an OpenEdge security control service that operates externally to the OpenEdge installation. ESAM centralizes governance and applies security policies without requiring code changes.

Platform availability

ESAM is only available on 64-bit Linux and 64-bit Windows platforms.

Roles and responsibilities

To effectively use ESAM, organizations can assign roles with defined responsibilities:

  • System Administrators—Install OpenEdge and configure secure installations.

  • OpenEdge ESAM Administrators (optional)—Manage runtime environments, set ESAM policies, and monitor audit logs to support security objectives.

Policy types

The following types of policies are available:

  • Global policy—A system-wide default security setting that applies to every OpenEdge installation on a machine. Use this to enforce consistent baseline rules, like how to handle unregistered installations across all environments.
  • Installation-level policies—A custom security setting for a single OpenEdge installation.
    • FIPS Mode—A policy that requires OpenEdge to use only FIPS 140-certified cryptographic modules. Enable this when you need to comply with strict regulatory or government encryption standards.

      For more information, see FIPS mode FAQ.

Installation

When you install OpenEdge, the ESAM installer runs automatically in silent mode. ESAM resides in a fixed, absolute file system location that can apply root and group authorities to protect OpenEdge installation artifacts and the integrity of the OpenEdge root install path, also known as DLC.

As the name implies, ESAM installs in a fixed directory, external to DLC, based on the operating system:

  • Linux: /etc/openedge.d
  • Windows: C:\Windows\System32\openedge.d

The following list gives the directories and describes the files used to manage, secure, and validate OpenEdge installations.

  • audit: Contains the audit log file (oesec.log), which records administrative actions and policy violations. This log is essential for security monitoring and supports forensic analysis in the event of breaches or misconfiguration. Additional logs track ESAM registrations and migration activities. Access is restricted to System Administrators.
  • bin: Contains the validation script (valdlc.{bat|exe}), which verifies the integrity of the OpenEdge root installation path, DLC. Accessible to users.
  • conf: Contains:
    • oesec.pol—Stores ESAM global policy configurations. These policies define actions when an OpenEdge installation is invalid or unregistered, checking compliance and mitigating runtime risks. For more details, see oesec.pol.readme. At present, the anonymous policy takes precedence if an OpenEdge installation is not registered with ESAM or if usual ESAM operations are interrupted.
    • openedge.conf—Documents the safe space path for ESAM. Editing this file does not alter the configuration. Access is restricted to System Administrators.
  • install: Contains uninstall scripts, a resources subdirectory used for uninstalling, and other related files.
  • lib: Contains libraries to support ESAM.
  • Release: Contains:
    • conf and lib for the release.
    • GUID installation-specific directory with installation-specific conf and lib, tailored for each installation. ESAM uses the GUID details to make the right policy decisions for a specific installation. If ESAM does not have a valid GUID, ESAM reverts to anonymous to help troubleshoot.
  • sbin: Contains:
    • setdlc.{bat|exe}—Register or unregister the OpenEdge root install path (DLC) with ESAM. Without this script, installations cannot be securely linked to ESAM, leaving them exposed to unauthorized changes.
    • econv128.exe—OpenEdge installer utility that supports upgrades from older OpenEdge installations to ESAM-enabled environments. Not intended for stand-alone use.

    Access is restricted to OpenEdge ESAM Administrators and System Administrators.

Note: The oesec.dat file, located in openedge.d, stores all ESAM registration records for OpenEdge installations on the system and replaces the older oesec.reg (Linux) and Windows registry-based storage used prior to 13.0. This file holds the authoritative (“single source of truth”) metadata for an OpenEdge installation.

Backup dlc.ver

The dlc.ver file is required for OpenEdge registration. You cannot register or unregister an OpenEdge installation without this file. If dlc.ver is deleted or corrupted, registration fails unless you restore a backup. Access is limited to System Administrators. The directory is based on the operating system:

  • Linux: DLC/install/verify
  • Windows: DLC\install\verify

OpenEdge recommends creating a backup in a secure location in case you need to manually re-register an ESAM-managed OpenEdge installation. If this file is missing, ESAM reverts to anonymous mode.

For more information, see ESAM loads in anonymous mode unexpectedly.
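
One way to carry out the recommended dlc.ver backup on Linux, as an added example that is not part of the original documentation or of OpenEdge's own tooling. The function names and the backup directory are hypothetical, and sha256sum is assumed to be installed.

```sh
#!/bin/sh
# Added example: protect dlc.ver with a digest-checked backup.
# Assumptions: function names and the backup directory are hypothetical;
# sha256sum is available. Run as the account that administers DLC.

# backup_dlc_ver DLC_DIR BACKUP_DIR
# Copies DLC_DIR/install/verify/dlc.ver into an owner-only directory,
# keeping its mode and timestamps, and records a SHA-256 beside it.
backup_dlc_ver() {
    src="$1/install/verify/dlc.ver"; dest=$2
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    ( umask 077
      mkdir -p "$dest" && chmod 700 "$dest" &&
      cp -p "$src" "$dest/dlc.ver" &&
      cd "$dest" && sha256sum dlc.ver > dlc.ver.sha256 ) || return 1
}

# backup_is_intact BACKUP_DIR: true only if the copy matches its digest.
backup_is_intact() {
    ( cd "$1" 2>/dev/null && sha256sum -c dlc.ver.sha256 >/dev/null 2>&1 )
}

# check_dlc_ver DLC_DIR BACKUP_DIR
# Prints ok, missing, changed or backup-corrupt; returns 0 only for ok.
check_dlc_ver() {
    live="$1/install/verify/dlc.ver"
    backup_is_intact "$2" || { echo backup-corrupt; return 2; }
    [ -s "$live" ] || { echo missing; return 1; }
    if [ "$(sha256sum < "$live")" = "$(sha256sum < "$2/dlc.ver")" ]; then
        echo ok; return 0
    fi
    echo changed; return 1
}

# restore_dlc_ver DLC_DIR BACKUP_DIR
# Copies the backup into place, but only after it passes its digest check.
restore_dlc_ver() {
    backup_is_intact "$2" || { echo "backup failed digest check" >&2; return 1; }
    cp -p "$2/dlc.ver" "$1/install/verify/dlc.ver"
}
```

A `changed` result only reports that the live file differs from the backup; whether to restore is left to the administrator.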

Upgrade ESAM

During OpenEdge installations, the OpenEdge installer updates ESAM to the latest version while preserving existing configurations. Each upgrade adds a Release directory to openedge.d.