To reduce the attack surface and improve security posture, remove unused AdminServer plugins that rely on Remote Method Invocation (RMI). During the startup, the AdminServer loads only those plugins listed in the AdminServerPlugins.properties file. If a plugin is not listed in the file, it is not loaded.

Some plugins, such as OracleDataServer and MSSDataServer, load only if you have a valid license. However, other plugins may load by default even if you do not need them. Removing unused plugin entries from the AdminServerPlugins.properties file prevents unnecessary plugins from loading and reduces the risk of RMI misuse.

To remove the unused RMI plugins, perform the following steps using a dedicated, minimally privileged service account:
  1. Navigate to the location where the AdminServerPlugins.properties file is placed.
    • On Windows, go to: %DLC%\properties\AdminServerPlugins.properties
    • On Linux, go to: $DLC/properties/AdminServerPlugins.properties
  2. Open the AdminServerPlugins.properties file.
  3. Review the list of configured plugins and identify the plugins that are not used in your environment.
  4. Remove entries for unused RMI-based plugins.
  5. Save the file and restart AdminServer to apply the changes.

AdminServer plugins

The following table summarizes AdminServer plugins, including their purpose, dependency relationships, and RMI usage. Use this table to identify which plugins can be excluded from the AdminServerPlugins.properties file to reduce the attack surface without impacting required functionality.

Plugin Name Purpose/OpenEdge Dependencies Plugin Dependency Uses RMI Interface
UBPropMgr Unified broker property—Manages the ubroker.properties file. You cannot remove this plugin. System Yes
DatabaseAgent Database agent—Manages the database agent connections and agent.properties file. System Yes
OracleDataServer Oracle DataServer—Manages Oracle DataServer process and property configuration. It loads only with a valid Oracle DataServer license. System and UBPropMgr Yes
NameServer NameServer—Used exclusively with OracleDataServer and MSSDataServer plugins to load balance multi-brokered OracleDataServer or MSSDataServer connections. System and UBPropMgr Yes
RemoteCommander Enables AdminServer command line tool (ORAMAN, DBMAN, NSMAN, and so on) functionality. You cannot remove this plugin. System Yes
MSSDataServer MS SQL DataServer—Manages MS SQL DataServer and property configuration. System and UBPropMgr Yes
Database Database—Enables AdminServer to start and monitor OpenEdge databases. System and DatabaseAgent Yes
System Provides core functionality to the AdminServer and operating-system level access. You cannot remove this plugin as all other plugins require it. None No
PAS Progress Application Server for OpenEdge—Supports OpenEdge Management. The plugin loads only if a PAS for OpenEdge license is installed. You can remove it if PAS for OpenEdge and OpenEdge Management are not in use. None No
StsKey Provides Secure Token Service (STS) key management for the local AdminServer. This plugin is only required when using Authentication Gateway. None No
ActiveMQS Enables remote access for OpenEdge Management communications. Management No
Management Plugin for OpenEdge Management. System No
Replication Provides support for replication for AdminServer-managed OpenEdge databases that have replication enabled. The plugin loads only if a valid database replication license is installed. SMDatabase No
SMDatabase Provides support for scripted management of OpenEdge databases. DatabaseAgent and Database No
Note:

  • The OpenEdge dependencies listed in the table are generalized. The specific OpenEdge component dependencies for an activated plugin depend on the operations you perform with that plugin.

  • Each plugin defined in the AdminServerPlugins.properties file includes a dependency property that specifies a list of other plugins that must be started before starting that particular plugin. Therefore, you cannot remove a plugin if another plugin depends on it. For example, if you keep the OracleDataServer plugin, you must also retain the UBPropMgr plugin because the OracleDataServer plugin depends on it.

  • The NameServer RMI plugin is required only in rare cases when a load balancer is needed to manage multiple brokered DataServer plugin instances simultaneously across a client base. If you use multiple DataServer plugin instances to broker client connections but do not require load balancing, you can remove the NameServer plugin regardless of how you manage your DataServer plugins.