Use TLS in PAS for OpenEdge
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
TLS evolved from and superseded SSL. TLS is considered to be more efficient and secure than the older SSL. Even though TLS and SSL are separate and distinct protocols, the PAS for OpenEdge configuration process is the same for both.
In PAS for OpenEdge and in Tomcat, HTTPS port support is provided by the Transport Layer Security (TLS) implementation of the Java Secure Socket Extension (JSSE).
TLS is a standard protocol that implements the encryption required for HTTPS communication.
An unconfigured OpenEdge client uses the default protocols (TLSv1.3,TLSv1.2) for the handshake that secures the connection between the OpenEdge client and the OpenEdge server. In such a scenario, TLSv1.3 takes precedence over TLSv1.2.
If a secure connection is not established using TLSv1.3, the TLS connection falls back to TLSv1.2 to establish a connection.
- If the OpenEdge client is configured with TLSv1.3, then the OpenEdge server establishes the connection using TLS 1.3.
- If the OpenEdge client is configured with TLSv1.2, then the OpenEdge server establishes the connection using TLS 1.2.
PAS for OpenEdge allows you to specify an HTTPS port when you create an instance. The PASMAN utility supports specifying HTTPS ports with the -P option of the create action. For example, the following instance is created with an HTTP port of 8501 and an HTTPS port of 8601:
|
The following is an overview of TLS configuration in PAS for OpenEdge:
On a production instance, you must replace the default TLS server certificate shipped with PAS for OpenEdge with a fully qualified certificate from a certificate authority (CA).
Instance access through HTTPS is dependent on having a TLS server certificate. To support initial configuration and testing, Progress includes a self-signed server certificate in a Java keystore. (A keystore is a file that contains the encrypted keys required for encoding and decoding information.) The Progress Software keystore is formatted according to the PKCS12 format and is maintained using the Java Keytool utility.
However, the default server certificate should only be used on a non-production instance, or as a temporary certificate for setting up TLS on a production instance. Using the default certificate on a fully functional and deployed production instance is a serious security risk.
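One way to check whether a keystore's server entry is still a self-signed certificate, as an added example rather than Progress's own tooling: it parses `keytool -list -v` output and reports private-key entries whose leaf certificate has the same Owner and Issuer. The sample output, aliases and names are constructed, and the keystore path is a placeholder.

```shell
#!/bin/sh
# Real use (path is a placeholder, not taken from the page):
#   keytool -list -v -keystore <KEYSTORE_PATH> -storetype PKCS12 | self_signed_aliases

# Reads `keytool -list -v` text on stdin and prints the alias of every
# PrivateKeyEntry whose leaf certificate (Certificate[1]) has Owner == Issuer.
# Root certificates further up a chain are self-signed by design and are skipped.
self_signed_aliases() {
  awk '
    /^Alias name: /           { alias = substr($0, 13); type = ""; leaf = 0; next }
    /^Entry type: /           { type = substr($0, 13); next }
    /^Certificate\[1\]:/      { leaf = 1; next }
    /^Certificate\[[0-9]+\]:/ { leaf = 0; next }
    leaf && /^Owner: /        { owner = substr($0, 8); next }
    leaf && /^Issuer: / {
      issuer = substr($0, 9)
      if (type == "PrivateKeyEntry" && owner == issuer) print alias
      leaf = 0
    }
  '
}

# Constructed sample in the layout keytool prints; not output from a real keystore.
sample_keytool_output() {
  cat <<'EOF'
Alias name: constructed-selfsigned
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, O=Example
Issuer: CN=localhost, O=Example

Alias name: constructed-ca-issued
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=pas.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Issuing CA, O=Example
EOF
}

# Stand-alone run over the constructed sample.
sample_keytool_output | self_signed_aliases
```

Matching Owner and Issuer names is a heuristic for "self-signed"; a flagged alias on a production instance is the cue to replace that entry with a CA-issued certificate.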