You can harden application deployment by packaging your compiled OpenEdge application code (r-code) into a library that can be signed and verified. This type of library is known as an archive file and has a .apl file extension. A signed archive file lets you detect whether the r-code has been corrupted or tampered with since it was signed: the signature does not prevent modification, but any modification invalidates it. An archive file is similar to a procedure library (.pl), but adds security through code signing and validation. A signed archive file can also be inspected and verified by third-party auditors, which helps applications pass security audits.

PROPACK and PROSIGN are command-line tools used to create and digitally sign archive files. They produce a digitally signed distribution archive modeled on the Java JAR standard. The archive contains a manifest file that describes the archive's metadata, including signature and validation policies, as well as custom information.

Progress recommends archive files for deploying compiled OpenEdge code. Some enterprises may decide that packaging the r-code and validating it before deployment is enough. Others may want runtime validation of the packages when they are loaded by an ABL application. OpenEdge supports both use cases.
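To make concrete what a JAR-style signed archive provides, and what both the pre-deployment and runtime validation described above actually check, here is an added example of the model: a manifest listing a digest for every payload entry, a signature over the manifest, and a verifier that rejects a tampered entry, a forged manifest, or an entry the manifest does not list. This is illustration code written for this page; it is not PROPACK, PROSIGN, or the .apl format, and the entry names (META-INF/MANIFEST.MF, META-INF/ARCHIVE.SIG), the SHA-256 digest, the HMAC signing stand-in and the sample r-code bytes are all assumptions chosen so the example runs with the Python standard library.

```python
"""Illustration of the JAR-style signed-archive model. Added example: this is
NOT PROPACK/PROSIGN and does not read or write real .apl files. The layout
(META-INF/MANIFEST.MF, META-INF/ARCHIVE.SIG), the digest algorithm and the
signing primitive are assumptions made for the illustration."""
import hashlib
import hmac
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIGNATURE = "META-INF/ARCHIVE.SIG"

# Stand-in for the signer's private key. A real code-signing tool uses an
# asymmetric key plus certificate; HMAC is used only so this runs stdlib-only.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(entries: dict) -> bytes:
    """Manifest listing every payload entry with its SHA-256 digest."""
    lines = ["Manifest-Version: 1.0", "Validation-Policy: reject-on-mismatch", ""]
    for name in sorted(entries):
        lines += [f"Name: {name}", f"SHA-256-Digest: {_digest(entries[name])}", ""]
    return "\n".join(lines).encode()


def parse_manifest(raw: bytes) -> dict:
    """Return {entry name: expected digest} from manifest bytes."""
    expected, current = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and current:
            expected[current] = line[len("SHA-256-Digest: "):]
            current = None
    return expected


def sign_manifest(manifest: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, manifest, hashlib.sha256).hexdigest().encode()


def pack_and_sign(entries: dict) -> bytes:
    """Write payload entries, manifest and signature into a zip container."""
    manifest = build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, manifest)
        zf.writestr(SIGNATURE, sign_manifest(manifest))
    return buf.getvalue()


def verify(archive: bytes) -> tuple:
    """Return (ok, reason). Order: signature over manifest, then each listed
    entry against its digest, then reject any entry the manifest omits."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = set(zf.namelist())
        if MANIFEST not in names or SIGNATURE not in names:
            return False, "unsigned archive"
        manifest = zf.read(MANIFEST)
        if not hmac.compare_digest(zf.read(SIGNATURE), sign_manifest(manifest)):
            return False, "manifest signature mismatch"
        expected = parse_manifest(manifest)
        for name, digest in expected.items():
            if name not in names:
                return False, f"missing entry {name}"
            if _digest(zf.read(name)) != digest:
                return False, f"digest mismatch for {name}"
        extra = names - set(expected) - {MANIFEST, SIGNATURE}
        if extra:
            return False, f"unlisted entries: {sorted(extra)}"
    return True, "ok"


def tamper(archive: bytes, name: str, new_data: bytes, resign: bool = False) -> bytes:
    """Rewrite or add one entry. With resign=True the attacker also regenerates
    the manifest but, lacking the key, must reuse the old signature."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entries = {n: zf.read(n) for n in zf.namelist() if not n.startswith("META-INF/")}
        manifest, sig = zf.read(MANIFEST), zf.read(SIGNATURE)
    entries[name] = new_data
    if resign:
        manifest = build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
        zf.writestr(MANIFEST, manifest)
        zf.writestr(SIGNATURE, sig)
    return buf.getvalue()


# Constructed sample payload standing in for compiled r-code files.
SAMPLE = {"app/login.r": b"\x01RCODE login v1", "app/report.r": b"\x01RCODE report v1"}

if __name__ == "__main__":
    good = pack_and_sign(SAMPLE)
    print(verify(good))
    print(verify(tamper(good, "app/login.r", b"\x01RCODE backdoor")))
    print(verify(tamper(good, "app/login.r", b"\x01RCODE backdoor", resign=True)))
    print(verify(tamper(good, "app/evil.r", b"\x01RCODE dropped in")))
```

The three rejection paths matter in practice: swapping an r-code file breaks its digest, regenerating the manifest to match breaks the signature, and the unlisted-entry check closes the gap where an attacker adds a new .r file that the manifest never mentioned. A pre-deployment check runs `verify` once on the package; runtime validation runs the same logic when the archive is loaded.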

Restrictions

The following are not supported for archive files:
  • Executing a .p file in a library (that is, source code is not supported)
  • Multi-byte character file names (including Unicode) in libraries
  • Executing code in a library inside another library
  • WebClient (assembler, etc.)
  • ProxyGen
  • Memory-mapped archive files
  • Compressed r-code and image files inside archive files
  • Packages with multiple signers
  • Certificates with expiration dates
  • Multiple manifest digest signatures