Some of the security customizations on a production instance of PAS for OpenEdge are:
  • manager and host-manager web applications are undeployed by default—these are default Tomcat applications that enable remote online administration. These applications are archived in the $CATALINA_HOME/extras directory and can be redeployed to enable their functionality.
  • Default Tomcat webapps/ROOT application replaced—the replacement ROOT application specifically supports Progress applications, including application security. The original Tomcat ROOT application is archived in the $CATALINA_HOME/extras directory.
  • Auto-deployment turned off by default—prevents the deployment of WAR files that are maliciously or erroneously copied to the instance. If turned on, the instance automatically deploys any new or updated WAR files in its web application directory.
    Note: PAS for OpenEdge automatically unpacks WAR files when they are legitimately deployed using PASMAN or standard Tomcat utilities.
  • Shutdown port disabled for UNIX and Windows—prevents unauthorized stopping of the instance.
    Note: A shutdown port is optional for instances running on UNIX systems. However, you must specify a shutdown port when you create an instance that runs on Windows systems. The PASMAN utility supports specifying shutdown ports with the -s option to the create action.
  • Disabled JMX remote access—although PAS for OpenEdge includes JMX and JConsole support for instance management, the default is for local access only.
  • Web crawler filtering enabled—prevents instances from being overloaded by sessions initiated by web crawlers.
  • UNIX file system customizations—file permissions initially allow access and execution only by the ROOT user and group. This is described in User and file permissions.
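The settings above are worth verifying rather than assuming, since an instance can be edited after creation. The following script is an added example, not Progress's code and not part of the PAS for OpenEdge product: it audits a Tomcat-style server.xml for the shutdown port and autoDeploy settings, checks whether the manager and host-manager applications are among the deployed web applications, and scans the JVM options for remote JMX exposure. The two server.xml fragments are constructed for illustration; it is an assumption that a real instance's server.xml uses the same literal attributes (a PAS instance may substitute property placeholders, in which case audit the effective values).

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not taken from a real PAS for OpenEdge
# instance). The weak one keeps Tomcat's defaults; the hardened one reflects
# the customizations listed above.
SERVER_XML_WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

SERVER_XML_HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>
"""

# Tomcat's remote-administration applications; PAS for OpenEdge archives
# them under $CATALINA_HOME/extras instead of deploying them.
ADMIN_WEBAPPS = ("manager", "host-manager")


def audit_server_xml(xml_text, deployed_webapps):
    """Return a list of findings for a Tomcat-style server.xml together with
    the names of the web applications currently deployed under appBase."""
    findings = []
    server = ET.fromstring(xml_text)

    # Tomcat treats Server port="-1" as "shutdown port disabled".
    port = (server.get("port") or "").strip()
    if port != "-1":
        findings.append(f"shutdown port enabled (Server port={port or 'unset'})")

    # autoDeploy defaults to true in Tomcat when the attribute is absent,
    # so a missing attribute is reported as enabled.
    for host in server.iter("Host"):
        auto = host.get("autoDeploy", "true").strip().lower()
        if auto != "false":
            findings.append(f"autoDeploy enabled on Host {host.get('name')}")

    for name in ADMIN_WEBAPPS:
        if name in deployed_webapps:
            findings.append(f"{name} web application deployed")

    return findings


# Standard JDK system properties that turn on the remote JMX agent.
JMX_PORT_RE = re.compile(r"-Dcom\.sun\.management\.jmxremote\.port=(\d+)")
JMX_NOAUTH_RE = re.compile(r"-Dcom\.sun\.management\.jmxremote\.authenticate=false")


def audit_jvm_opts(opts):
    """Flag JVM options that expose JMX beyond local (JConsole-attach) access."""
    findings = []
    m = JMX_PORT_RE.search(opts)
    if m:
        findings.append(f"remote JMX listening on port {m.group(1)}")
        if JMX_NOAUTH_RE.search(opts):
            findings.append("remote JMX without authentication")
    return findings


if __name__ == "__main__":
    for label, xml_text, apps in (
        ("weak", SERVER_XML_WEAK, ["ROOT", "manager", "host-manager"]),
        ("hardened", SERVER_XML_HARDENED, ["ROOT"]),
    ):
        print(label, audit_server_xml(xml_text, apps) or ["no findings"])
    # Constructed JVM option string with remote, unauthenticated JMX enabled.
    print(audit_jvm_opts("-Xmx1g -Dcom.sun.management.jmxremote.port=9010 "
                         "-Dcom.sun.management.jmxremote.authenticate=false"))
```

On a Windows instance the shutdown-port finding is expected, because a shutdown port must be specified there; treat it as a reminder to confirm that the port is bound only to the local interface and that the shutdown string is not the default, rather than as a defect. Pass the script the directory names found under the instance's webapps directory for the deployed-webapps argument.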