OpenEdge system administrators can securely deploy new ABL applications to production PAS for OpenEdge instances without having users experience any downtime. A secure ABL application deployment to a production instance requires a securely deployed Tomcat Manager, as well as other security considerations, that are described in this topic.

Note: The best practice is to not deploy applications to an online instance. However, there may be circumstances when this is required. If you enable this capability, ensure that you secure your instance.
To enable secure online deployment of new ABL applications:
  1. Deploy Tomcat Manager.

    To deploy ABL applications online, you need to use Tomcat Manager features. For security reasons, Tomcat Manager is not deployed by default on production servers.

    To deploy Tomcat Manager:
    proenv> pasman deploy -I instance-name $DLC/extras/manager.war
  2. Secure the Tomcat Manager remote address valve.
    To maintain the security of your PAS for OpenEdge instance, do not enable remote administration on a production server. When you enable Tomcat Manager to allow online deployment of ABL applications, limit access to Tomcat Manager to localhost requests. Specify the localhost requests using the remote address valve configuration in instance-name/webapps/manager/META-INF/context.xml. The file ships with the Valve element commented out, as shown; remove the comment markers around it to activate the restriction:
    <!--
    Remove the comment markers from around the Valve below to limit access to 
    the manager application to clients connecting from localhost 
    -->
    <!-- 
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
    allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    -->

    The remote address valve compares the IP address of the client that submitted the request against one or more regular expressions, and either allows the request to continue or refuses to process the request from the client.

    Note: With IPv6 addresses, the format of the IP address this valve processes depends on the API that was used to obtain it. If the address was obtained from a Java socket using the Inet6Address class, then its format is x:x:x:x:x:x:x:x. That is, the IP address for the localhost is 0:0:0:0:0:0:0:1 instead of the more widely used ::1. Consult your access logs for the actual value.
  3. Employ additional security recommendations.

    Using Tomcat Manager, or other management applications, requires you to carefully secure your environment. Because the Tomcat Manager application allows for web applications to be deployed remotely, it can be targeted by attackers. This is often due to publicly accessible Tomcat instances that have weak passwords and have the Manager application enabled. If the Manager application is enabled, then follow these security guidelines:

    • Ensure that any users allowed to access the Tomcat Manager application have strong passwords.
    • Change the default username and password.
    • Use roles to limit deployment capabilities to authorized users.
    • Use LockOutRealm (enabled by default), which prevents brute-force attacks against user passwords. Do not disable LockOutRealm.
    • Use file system security to protect the web application configuration, and use the PAS for OpenEdge security configuration files.
  4. Deploy the ABL web application.

    After Tomcat Manager is enabled and secured, you can use the PASMAN command to deploy an ABL application. When you deploy a web application that requires tailoring to a running PAS for OpenEdge instance, a restart is normally required to load that web application's context. For an online deployment, you can use the -l (lowercase L) option to load the context of the application on a running server without restarting the server.

    To deploy an oeabl.war based web application:
    proenv> pasman deploy -I instance-name -l -u myuid:mypwd -v $DLC/extras/oeabl.war ABLapp-name
    Note: Tomcat Manager (manager.war) must already be deployed for the -l switch to work. If Tomcat Manager is not deployed, then you are prompted to restart the instance. For production instances, you must deploy the Tomcat Manager before you can use this switch. Also note that the -l switch can be used only in conjunction with the -u parameter.
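The following added example (not Progress code) audits the remote address valve configuration from step 2: it reads a Manager context.xml, reports whether the RemoteAddrValve is active or still commented out, and evaluates sample client addresses against the allow pattern the way the valve does. The two context.xml samples are constructed here.

```python
"""Audit a PAS for OpenEdge Tomcat Manager context.xml: is the RemoteAddrValve
active, and which client addresses does its 'allow' pattern admit?"""
import re
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample: manager context.xml after step 2, comment markers removed.
SECURED_CONTEXT_XML = """<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
"""

# Constructed sample: the file as shipped, valve still inside an XML comment.
UNSECURED_CONTEXT_XML = """<Context antiResourceLocking="false" privileged="true">
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1" />
  -->
</Context>
"""

def find_allow_pattern(context_xml):
    """Return the 'allow' regex of an active RemoteAddrValve, or None when the
    valve is absent or commented out (ElementTree discards XML comments)."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className") == REMOTE_ADDR_VALVE and valve.get("allow"):
            return valve.get("allow")
    return None

def client_allowed(allow_pattern, client_ip):
    """Mimic the valve's test: Java Matcher.matches() needs a full match and
    Java's \\d is ASCII-only, so use fullmatch with re.ASCII."""
    return re.fullmatch(allow_pattern, client_ip, re.ASCII) is not None

def audit(context_xml, client_ips):
    """Map each client address to True (admitted) or False (refused). With no
    active valve every address is admitted, i.e. Manager is exposed."""
    pattern = find_allow_pattern(context_xml)
    return {ip: pattern is None or client_allowed(pattern, ip) for ip in client_ips}

if __name__ == "__main__":
    probes = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "10.0.0.5", "1270.0.0.1"]
    print("secured  ", audit(SECURED_CONTEXT_XML, probes))
    print("unsecured", audit(UNSECURED_CONTEXT_XML, probes))
```

Run it against the real instance-name/webapps/manager/META-INF/context.xml by passing the file's contents to audit(); a result in which a non-local address is admitted means the valve is not yet restricting Manager to localhost.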