A security model in PAS for OpenEdge is not a mode or a switch. It is a predefined set of security‑related configuration properties and default values that determine how a PAS for OpenEdge product installation and its server instances are secured.

Security configurations are established during product installation, applied or overridden during PAS for OpenEdge instance creation, and can be further customized after instance creation to meet deployment‑specific security requirements.

This topic explains how security configurations are defined, how they are selected during instance creation, and how administrators can tailor them for their environment.

PAS for OpenEdge provides three security models—Development, Production, and PAS. You select the required security model when creating an instance using the -Z option, as shown in the following command.

pasman create -Z {dev | prod | pas} ...

The initial security model is set during PAS for OpenEdge installation based on the licenses entered (for example, Production/Development/Lite). If you do not specify -Z when creating an instance, the new instance inherits the PAS for OpenEdge installation’s security model.

A PAS for OpenEdge instance is either a development or a production instance. The About development and production instances and About licensing and installation guides describe the differences between the security models. The -Z switch on the create action determines the security model. You cannot change the selected security configuration baseline after creating an instance. However, administrators can modify individual security‑related configuration properties and permissions after instance creation to meet deployment‑specific security requirements.

Create a development instance

To create a development instance: 
proenv>pasman create -Z dev -f -p 8820 -P 8821 -s 8822 myDevInst
Where:
  • -Z dev creates a development instance.
  • -f deploys monitoring applications.
    Note: The -f option installs remote administration and monitoring web applications, including the Tomcat Manager (manager.war) and the OpenEdge Manager (oemanager.war). These web applications provide an alternative to local JMX access to the same functionality. If you use -f, you must secure the monitoring applications.

    For more information on securing monitoring applications, see Secure the Tomcat Manager and OpenEdge manager web applications.

  • -p sets the HTTP port number.
  • -P sets the HTTPS port number.
  • -s sets the shutdown (stop) port for the instance. On Windows, you must specify a shutdown port. On UNIX systems, shutdown ports are optional.
    Note: When a shutdown port is not required in your environment, you can disable it by setting the value to -1.

Create a production instance

To create a PAS for OpenEdge production instance: 

proenv>pasman create -Z prod -f -p 8830 -P 8831 -s 8832 myProdInst

To create a PAS for OpenEdge production instance that secures root application access:

proenv>pasman create -Z pas -f -p 8840 -P 8841 -s 8842 myProdInstNoAccess
Where:
  • -Z prod creates a production instance.
  • -Z pas creates a production security model instance where the default Tomcat ROOT application is not oeabl.war. Instead, noaccess.war is installed as the Tomcat ROOT application.
    Note: The primary use case for noaccess.war is to replace the default, required ROOT web application on the PAS for OpenEdge Tomcat server. This provides a web application that responds to any request with a 400 Bad Request because it is not associated with any ABL application. To start the instance, you must deploy a valid ABL application. This makes the PAS for OpenEdge instance a secured, blank canvas onto which existing ABL applications using OpenEdge Application Archive (OEAR) files can be deployed.

    For more information about OpenEdge Archive files, see Package an ABL application as an OpenEdge Application Archive.

    For more information, see the noaccess.README file included in the noaccess.war.

  • -f deploys monitoring applications.
    Note: The -f option installs remote administration and monitoring web applications, including the Tomcat Manager (manager.war) and the OpenEdge Manager (oemanager.war). These web applications provide an alternative to local JMX access to the same functionality. If you use -f, you must secure the monitoring applications.

    For more information on securing monitoring applications, see Secure the Tomcat Manager and OpenEdge manager web applications.

  • -p sets the HTTP port number.
  • -P sets the HTTPS port number.
  • -s sets the shutdown (stop) port for the instance. On Windows, you must specify a shutdown port. On UNIX systems, shutdown ports are optional.
    Note: When a shutdown port is not required in your environment, you can disable it by setting the value to -1.