OpenEdge system administrators can securely deploy new ABL applications to production PAS for OpenEdge instances without users experiencing any downtime. Secure ABL application deployment to a production instance requires a securely deployed Tomcat Manager, as well as the other security considerations that are detailed in this topic.

Note: The best practice is to not deploy applications to an online instance. However, there may be circumstances where this is required. If you choose to enable this capability, ensure that you appropriately secure your instance.
To enable secure online deployment of new ABL applications, follow these steps:
  1. Deploy Tomcat Manager.

    Online deployment of ABL applications requires functionality provided by the Tomcat Manager. For security reasons, the Tomcat Manager is not deployed by default on production servers.

    To deploy Tomcat Manager, use the following command:
    proenv> pasman.[sh|bat] deploy -I instance-name $DLC/extras/manager.war
  2. Secure the Tomcat Manager Remote Address Valve.
    To maintain the security of your PAS for OpenEdge instance, do not enable remote administration on a production server. Therefore, when you enable Tomcat Manager to allow online deployment of ABL applications, limit access to the Tomcat Manager to localhost requests only. Restrict access to localhost by activating the Remote Address Valve in instance-name/webapps/manager/META-INF/context.xml, which ships commented out as shown; remove the comment markers from around the Valve element:
    <!--
    Remove the comment markers from around the Valve below to limit access to 
    the manager application to clients connecting from localhost 
    -->
    <!-- 
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
    allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    -->

    The Remote Address Valve compares the IP address of the client that submitted a request against one or more regular expressions, and allows the request to continue or refuses to process the request from the client.

    Note: With IPv6 addresses, the format of the IP address this valve processes depends on the API that was used to obtain it. If the address was obtained from a Java socket using the Inet6Address class, its format is x:x:x:x:x:x:x:x. That is, the IP address for localhost is 0:0:0:0:0:0:0:1 instead of the more widely used ::1. Consult your access logs for the actual value.
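The following added example (not from the PAS for OpenEdge documentation or product) checks whether a manager context.xml actually contains an active RemoteAddrValve, and then replays its allow expression against sample client addresses the way Tomcat does (whole-address match), including the IPv6 localhost forms noted above. The XML samples are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample: the shipped default, valve still inside <!-- -->.
CONTEXT_XML_DEFAULT = r"""<Context antiResourceLocking="false" privileged="true">
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  -->
</Context>"""

# Constructed sample: the same file after the comment markers are removed.
CONTEXT_XML_ACTIVE = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>"""


def load_allow_pattern(xml_text: str):
    """Return the compiled 'allow' regex of the RemoteAddrValve, or None if
    no active valve exists (ElementTree drops XML comments, so a valve that
    is still commented out is correctly reported as absent)."""
    root = ET.fromstring(xml_text)
    for valve in root.iter("Valve"):
        if valve.get("className") == VALVE_CLASS and valve.get("allow"):
            return re.compile(valve.get("allow"))
    return None


def client_allowed(pattern, client_ip: str) -> bool:
    """Mirror the valve's decision: Tomcat requires the whole client address
    to match one alternative (Java matches()), hence fullmatch, not search."""
    return pattern.fullmatch(client_ip) is not None


def audit(xml_text: str, client_ips):
    """Map each sample client address to True/False as the configured valve
    would decide it; None means the valve is not active at all."""
    pattern = load_allow_pattern(xml_text)
    if pattern is None:
        return None
    return {ip: client_allowed(pattern, ip) for ip in client_ips}


if __name__ == "__main__":
    samples = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "10.1.2.3", "::ffff:127.0.0.1"]
    print("default:", audit(CONTEXT_XML_DEFAULT, samples))
    print("active: ", audit(CONTEXT_XML_ACTIVE, samples))
```

Note that an IPv4-mapped IPv6 form such as ::ffff:127.0.0.1 is not admitted by the shipped expression, which is why the documentation tells you to check the access logs for the address form your JVM actually reports.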
  3. Follow the additional security recommendations.

    Use of the Tomcat Manager or other management applications requires careful security configuration. Because the Tomcat Manager application allows remote deployment of web applications, it is a frequent target of attackers, typically through weak passwords on publicly accessible Tomcat instances that have the Manager application enabled. If the Manager application is enabled, follow these security guidelines:

    • Ensure that any users permitted to access the Tomcat Manager application have strong passwords.
    • Change the default tomcat user and its default password (tomcat).
    • Use roles to limit deploy capabilities to authorized users.
    • Use the LockOutRealm (enabled by default) that prevents brute force attacks against user passwords. Do not disable LockOutRealm.
    • Use file system security to protect the web application configuration and the PAS for OpenEdge security configuration files.
  4. Deploy the ABL web application.

    Once the Tomcat Manager is enabled and secured, you can use the PASMAN command to deploy an ABL application. When deploying a web application that requires tailoring to a running PAS for OpenEdge instance, a restart is normally required to load that web application's context. For online deployment, use the -l (lowercase L) option to load the application's context on a running server without requiring a server restart.

    Here is an example of deploying an oeabl.war based web application:
    proenv> pasman.[sh|bat] deploy -I instance-name -l -u myuid:mypwd -v $DLC/extras/oeabl.war ABLapp-name
    Note: The Tomcat Manager (manager.war) must already be deployed for the -l switch to work. If the Tomcat Manager is not deployed, you are prompted to restart the instance. For production instances, you have to deploy the Tomcat Manager first before you can use this switch. Also note that the -l switch can be used only in conjunction with the -u parameter.