Measured against industry security requirements and best practices, the classic AppServer falls short. For example, you should never deploy a classic AppServer as an Internet-facing server. Whatever security a classic AppServer application has comes from the diligent efforts of its OpenEdge developers, who wrote the tools and installation processes around it.

PAS for OpenEdge provides two products:

  • An unsecured Development server product
  • A secured Production server product

The two PAS for OpenEdge products are almost identical; they differ only in the security of their configuration. The goal for the production server product is to meet 95% of the recommended security best practices for an Apache Tomcat server. The remaining 5% is either what the production administrator must do according to the company's policies, or what the developer does within the constraints imposed by their application.

The following is a summary of the Production server product's security configuration:

  • Removal of the ABL compiler, so that only compiled r-code runs and ABL source code need not be present on the server, preventing unauthorized source code access
  • Removal of all remote administration web applications that could be targeted by intruders
  • Core server configuration with unsecured debug features, such as auto-deployment of web applications, removed
  • Restrictive UNIX directory and file permission settings
  • Additional security valves (that is, Tomcat server request filters)
  • Full administrative capabilities through secure local utilities, such as command-line tools and JMX access
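
Several items in this checklist (no remote administration web applications, no auto-deployment, restrictive file permissions) can be verified on an instance's file system. The following shell audit is an added example, not a Progress utility: it assumes the standard Tomcat layout under a PAS instance root (webapps/ and conf/server.xml) and the Tomcat Host attribute autoDeploy, and the pas_audit_* function names are this example's own. The two instance directories it builds are constructed stand-ins for a development and a production instance, not real PAS installations. It does not check compiler removal or the configured valves.

```shell
#!/bin/sh
# Added example (not Progress's own tooling): a read-only audit of a PAS for OpenEdge
# instance directory against part of the production checklist. Assumes the standard
# Tomcat layout under the instance root (webapps/, conf/server.xml); the pas_audit_*
# names are this example's choices, not a Progress CLI.

# Fail if the remote administration web applications are still deployed.
pas_audit_admin_apps() {
    root=$1; rc=0
    for app in manager host-manager; do
        if [ -e "$root/webapps/$app" ] || [ -e "$root/webapps/$app.war" ]; then
            echo "FAIL: remote admin webapp present: webapps/$app"; rc=1
        fi
    done
    return $rc
}

# Fail unless conf/server.xml disables auto-deployment on the Host and never enables it.
pas_audit_autodeploy() {
    root=$1; conf="$root/conf/server.xml"
    [ -f "$conf" ] || { echo "FAIL: missing $conf"; return 1; }
    if grep -q 'autoDeploy="true"' "$conf" || ! grep -q 'autoDeploy="false"' "$conf"; then
        echo "FAIL: autoDeploy is not disabled in conf/server.xml"; return 1
    fi
    return 0
}

# Fail if any file under conf/ is writable by group or others.
pas_audit_conf_perms() {
    root=$1
    bad=$(find "$root/conf" -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "FAIL: group/world-writable configuration files:"; echo "$bad"; return 1
    fi
    return 0
}

# Run every check; the return value is the number of failed checks (0 = clean).
pas_audit_instance() {
    root=$1; failed=0
    pas_audit_admin_apps "$root" || failed=$((failed + 1))
    pas_audit_autodeploy "$root" || failed=$((failed + 1))
    pas_audit_conf_perms "$root" || failed=$((failed + 1))
    echo "$root: $failed check(s) failed"
    return $failed
}

# Constructed sample instances (not real PAS installations) so the audit runs offline:
# one laid out like the unsecured development product, one like the production product.
PAS_DEMO=$(mktemp -d)
PAS_DEV="$PAS_DEMO/oepas_dev"
PAS_PROD="$PAS_DEMO/oepas_prod"
for inst in "$PAS_DEV" "$PAS_PROD"; do
    mkdir -p "$inst/webapps" "$inst/conf"
done
mkdir -p "$PAS_DEV/webapps/manager" "$PAS_DEV/webapps/host-manager"
printf '<Host name="localhost" appBase="webapps" autoDeploy="true" deployOnStartup="true"/>\n' \
    > "$PAS_DEV/conf/server.xml"
chmod 666 "$PAS_DEV/conf/server.xml"
printf '<Host name="localhost" appBase="webapps" autoDeploy="false" deployOnStartup="false"/>\n' \
    > "$PAS_PROD/conf/server.xml"
chmod 640 "$PAS_PROD/conf/server.xml"

pas_audit_instance "$PAS_DEV" || echo "development layout fails the production checklist"
pas_audit_instance "$PAS_PROD"
```

Point `pas_audit_instance` at a real instance root to get a non-zero exit status for each checklist item that is not met; running it from a deployment pipeline turns the checklist into a gate rather than a document.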

For more information, see Development vs production instances.